WAP & CAP Series
Outdoor Wireless
AP/Bridge/Mesh/Router/CPE
Quick User Guide
Version 6.30.1
WiBorne, Inc.
© Copyright 2005-2017 WiBorne, Inc. All rights reserved.
This product or document is protected by copyright and distributed under licenses restricting its use, copying,
distribution, decryption, decompilation, and reverse engineering. No part of this product or document may be
reproduced in any form by any means without prior written authorization of WiBorne, Inc., or its licensors, if
any.
The information in this document is subject to change without notice. This documentation is provided “as is”
and all express or implied conditions, representations and warranties, including any implied warranty of
merchantability, fitness for a particular purpose or non-infringement, are disclaimed, except to the extent that
such disclaimers are held to be legally invalid.
Table of Contents
Preface...................................................................................................................................................................... 12
Installation Requirements .................................................................................................................................... 12
Packing List ......................................................................................................................................................... 12
CAP-2400 / CAP-5000/N Series ..................................................................................................................... 12
WAP-240 / WAP-500/N Series ........................................................................................................................ 12
WAP-520N ....................................................................................................................................................... 13
System Requirements........................................................................................................................................... 13
Hardware Overview ................................................................................................................................................. 14
Field Installation .................................................................................................................................................. 14
CAP-2400 / CAP-5000 Series ......................................................................................................................... 14
WAP-240 / WAP-500 Series ............................................................................................................................ 15
RJ45 Ethernet Connector System (ECS) ............................................................................................................. 16
Power over Ethernet Unit..................................................................................................................................... 18
Lightning Protector / Surge Protector ..................................................................................................................... 19
Introduction .............................................................................................................................................................. 20
Overview .............................................................................................................................................................. 20
Getting Started ......................................................................................................................................................... 22
Management ......................................................................................................................................................... 22
Password .............................................................................................................................................................. 22
Interfaces .............................................................................................................................................................. 23
Web Based (Browser) Interface ........................................................................................................................... 23
Browser Interface Login Screen .......................................................................................................................... 23
Primary Features and Pages of the Browser Interface (Webbox) ........................................................................ 24
WebFig (Web Browser) Interface ........................................................................................................................ 26
Connecting to WAP/CAP ................................................................................................................................. 27
Interface Overview........................................................................................................................................... 27
Item configuration ............................................................................................................................................ 28
Skins................................................................................................................................................................. 30
Designing skins ............................................................................................................................................ 30
Skin Example to Configure Wireless Interface->Status Page...................................................................... 31
Skin design examples ................................................................................................................................... 32
Using skins ................................................................................................................................................... 33
Winbox (Windows GUI) Interface ....................................................................................................................... 33
Primary Features and Pages of the Winbox Interface .......................................................................................... 35
Command Line Interface ..................................................................................................................................... 36
Telnet.................................................................................................................................................................... 37
Console (Serial) Port ............................................................................................................................................ 39
Basic Configuration through Web Browser ............................................................................................................. 41
Quick Setup.......................................................................................................................................................... 41
Web Browser Interface page ................................................................................................................................ 42
Port Web Configuration ....................................................................................................................................... 42
Port Name Web Configuration ............................................................................................................................. 42
Interface Web Graphing ....................................................................................................................................... 43
System Web Configuration .................................................................................................................................. 43
Firewall Web Configuration................................................................................................................................. 44
DHCP Server Web Configuration ........................................................................................................................ 44
Upgrading Firmware through Web Browser ........................................................................................................ 45
Remote Firmware Upgrade .................................................................................................................................. 47
Section 5 Basic Configuration through Winbox ...................................................................................................... 50
Configuring an IP address .................................................................................................................................... 50
Configuring the Wireless Card............................................................................................................................. 51
Configuring Firewall ............................................................................................................................................ 51
Configuring DHCP Server ................................................................................................................................... 53
Configuring Queues ............................................................................................................................................. 55
Introduction ...................................................................................................................................................... 55
Assumptions..................................................................................................................................................... 55
Packets marking - configuration ...................................................................................................................... 56
New queue type creating.................................................................................................................................. 57
The main queue creating .................................................................................................................................. 58
Adding proper queues ...................................................................................................................................... 58
Optimization .................................................................................................................................................... 59
Per Connection Queue (PCQ) Examples ......................................................................................................... 60
Alignment Tool .................................................................................................................................................... 66
Antenna Positioning (Audio Alignment, or Aiming) for WAP/CAP ............................................................... 66
Method 1 (Audio mode)............................................................................................................................... 66
Method 2: Alignment-Only Mode ............................................................................................................... 70
Method 3: CLI command: ............................................................................................................................ 71
Audio and Video (LED) Aiming Script ........................................................................................................... 71
Power / NAND / User LED ..................................................................................................................... 76
Audio-only Aiming Script................................................................................................................................ 77
The EoIP Bridge................................................................................................................................................... 79
Introduction ...................................................................................................................................................... 79
The core unit configuration.............................................................................................................................. 79
The client unit configuration............................................................................................................................ 83
The WDS Bridge.................................................................................................................................................. 87
Output Support File (supout.rif) .......................................................................................................................... 92
Upgrading Firmware through Winbox ................................................................................................................. 93
Basic Configuration through CLI ............................................................................................................................ 97
Launching CLI “Setup” ....................................................................................................................................... 97
Configuring IP Address through CLI Setup ......................................................................................................... 97
Configuring Gateway through CLI Setup ............................................................................................................ 98
Configuring DHCP Client through CLI Setup ..................................................................................................... 99
Configuring DHCP Server through CLI Setup .................................................................................................... 99
Sample Default Configuration ............................................................................................................................... 101
Restoring Default Configuration from WinBox ................................................................................................ 102
Restoring Default Configuration from CLI ....................................................................................................... 103
Settings for Wireless Access Point & Clients ........................................................................................................ 104
Wireless Station Modes ..................................................................................................................................... 104
Overview ........................................................................................................................................................ 104
802.11 limitations for L2 bridging ................................................................................................................. 104
Applicability Matrix....................................................................................................................................... 105
Mode station .................................................................................................................................................. 106
Mode station-wds ........................................................................................................................................... 106
Mode station-pseudobridge ........................................................................................................................... 106
Mode station-pseudobridge-clone ................................................................................................................. 107
Mode station-bridge....................................................................................................................................... 107
Station and Access Point .................................................................................................................................... 107
AP Bridge / Station Pseudo-bridge .................................................................................................................... 112
Single Radio on One WAP ............................................................................................................................. 112
Configuration for Access Point (WAP) ...................................................................................................... 113
Dual Radios on One WAP.............................................................................................................................. 118
Configuration for the 1st Access Point (WAP) ........................................................................................... 119
Configuration for the 2nd Access Point (WAP) .......................................................................................... 128
L2 Transparent Bridge (WDS-Bridge, or station-wds Mode) ........................................................................ 128
AP Side (COM) .............................................................................................................................................. 129
Station side (CPEM) ...................................................................................................................................... 131
Full Scripts ..................................................................................................................................................... 136
Pre-configured .rsc file....................................................................................................................................... 138
Firewall .................................................................................................................................................................. 141
Security Information sources ............................................................................................................................. 141
How to configure a router .................................................................................................................................. 141
The CLI .......................................................................................................................................................... 141
Structure ..................................................................................................................................................... 141
Basic commands ........................................................................................................................................ 143
print ........................................................................................................................................................ 143
export ..................................................................................................................................................... 143
remove.................................................................................................................................................... 143
set ........................................................................................................................................................... 144
disable .................................................................................................................................................... 145
enable ..................................................................................................................................................... 145
find ......................................................................................................................................................... 146
move....................................................................................................................................................... 147
Context ....................................................................................................................................................... 148
Example network ........................................................................................................................................... 148
Router interfaces (ports) ................................................................................................................................ 149
Physical interfaces ..................................................................................................................................... 149
Switch Chip................................................................................................................................................ 149
Bridging vs routing .................................................................................................................................... 150
Named interfaces ....................................................................................................................................... 150
Example network ....................................................................................................................................... 150
IP addresses .................................................................................................................................................... 150
DHCP client ............................................................................................................................................... 151
PPPoE client............................................................................................................................................... 151
Example network ....................................................................................................................................... 151
IP routes ......................................................................................................................................................... 152
Adding a default route ............................................................................................................................... 152
Example network ....................................................................................................................................... 153
DHCP server .................................................................................................................................................. 153
IP Pools ...................................................................................................................................................... 153
DHCP Server Networks ............................................................................................................................. 153
DHCP Servers ............................................................................................................................................ 154
Lease time considerations .......................................................................................................................... 155
The wizard ................................................................................................................................................. 155
Example network ....................................................................................................................................... 155
IP firewall ....................................................................................................................................................... 156
Filters ......................................................................................................................................................... 156
Chains .................................................................................................................................................... 156
State........................................................................................................................................................ 157
Example network ................................................................................................................................... 157
NAT ............................................................................................................................................................ 158
Source NAT ........................................................................................................................................... 159
Masquerade ........................................................................................................................................ 159
Static source NAT .............................................................................................................................. 159
Destination NAT .................................................................................................................................... 159
Example network ................................................................................................................................... 160
Bruteforce login prevention (FTP / SSH) .......................................................................................................... 160
DoS attack protection ......................................................................................................................................... 162
Diagnose ........................................................................................................................................................ 162
Protection ....................................................................................................................................................... 162
Limit incoming connections ...................................................................................................................... 162
Action tarpit ............................................................................................................................................... 162
SYN filtering .............................................................................................................................................. 162
SYN cookies .............................................................................................................................................. 163
Setup firewall rules to protect your router ......................................................................................................... 163
Securing your router .......................................................................................................................................... 163
Change admin's password .............................................................................................................................. 163
Add users to the system ................................................................................................................................. 164
Set up packet filtering .................................................................................................................................... 164
Setup MAC filtering (Mac locking) ............................................................................................................... 165
Connections Tracking ........................................................................................................................................ 166
Basic universal firewall script ............................................................................................................................ 167
Minimum Firewall Rules ................................................................................................................................... 169
Basic firewall rules ............................................................................................................................................ 169
Firewall Basic ................................................................................................................................................ 169
Setup basic firewall rules ............................................................................................................................... 172
Allow only needed icmp codes in icmp chain ........................................................................................... 172
Another Basic Firewall .................................................................................................................................. 174
Home Firewall ................................................................................................................................................... 175
Other Router Firewall Script .............................................................................................................................. 177
Automatically find unauthorized devices and block them on the firewall .............................................................. 179
How to Lock MAC and IP Address ................................................................................................................... 180
How To: Block Facebook, Twitter, Youtube ...................................................................................................... 180
Assign fixed/static IP address via WAP/CAP DHCP server .............................................................................. 181
Disable Access during Certain Hours ................................................................................................................ 182
Secure your router from invalid login attempts / Virus Flooding Attacks ......................................................... 183
HOWTO PREVENT VIRUS / PORTS FLOODING? .................................................................................. 185
A BETTER APPROACH ON BLOCKING PORTS!.................................................................................... 187
How to block Winbox Discovery + Limit Winbox Access ............................................................................ 187
How to Block Torrent / P2P ........................................................................................................................... 188
Limit number of connections based on user profile with Hotspot ............................................................................ 188
Block WAP/CAP from Winbox Scan and Neighbour discovery .............................................................................. 191
How to block Winbox Discovery + Limit Winbox Access ...................................................................................... 192
Hotspot, Block website based on User Profile................................................................................................... 193
Layer 7 Protocol ............................................................................................................................................. 193
Example new RegExp .................................................................................................................................... 193
Hotspot, Limit YouTube based on user profile .................................................................................................. 195
Regexp ........................................................................................................................................................... 195
2nd mangle rule (mark packet) ...................................................................................................................... 196
Add Queue Tree ............................................................................................................................................. 197
More.. ............................................................................................................................................................. 198
Firewall customizations for Hotspot .................................................................................................................. 198
Summary ........................................................................................................................................................ 198
NAT ................................................................................................................................................................ 198
Packet Filtering .............................................................................................................................................. 200
Redirection (Port Forwarding) ........................................................................................................................... 202
Forwarding a port to an internal IP ................................................................................................................ 202
Changing WAP/CAP settings to provide access to internal devices .............................................................. 202
Redirect Mail Traffic to a Specified Server ................................................................................................... 204
Utilizing Port Forwarding on WAP/CAP Router ........................................................................................... 204
Assumptions:.............................................................................................................................................. 205
Allowing Ports Through A WAP/CAP Firewall............................................................................................. 206
Allow Invited Traffic Back In .................................................................................................................... 206
Problem Report .............................................................................................................................................. 207
NAT redirection to a local web server not working ....................................................................................... 207
Hotspot ................................................................................................................................................................... 209
Hardware ............................................................................................................................................................ 209
Quick Access Guide ........................................................................................................................................... 209
Web Browser (webfig GUI) ........................................................................................................................... 209
Winbox Access ............................................................................................................................................... 210
Winbox Remote Access ..................................................................................................................................... 211
Access Router from anywhere in the world ................................................................................................... 212
ADSL router that is in front of firewall ......................................................................................................... 212
Windows Domain Active Directory as Radius Server ....................................................................................... 214
Network Policy Server (NPS) ........................................................................................................................ 214
W2K8 ............................................................................................................................................................. 214
Dude ................................................................................................................................................................... 214
More Detailed Example: ................................................................................................................................ 217
Health of HP printer (192.168.1.116) ........................................................................................................ 220
Show activities for ERP (192.168.1.105) .................................................................................................. 220
Send email notification if server or service is down .................................................................................. 221
Any Outages? ............................................................................................................................................. 222
See if any dropped devices: ....................................................................................................................... 223
Syslog server: ............................................................................................................................................. 224
To change password for Dude agent on Firewall........................................................................................... 224
Firewall setting to allow Dude connection .................................................................................................... 225
Dude as a Windows service ........................................................................................................................... 226
Initial Setup ........................................................................................................................................................ 227
Quick Setup.................................................................................................................................................... 227
Install Dude agent on Firewall ........................................................................................................................... 230
Setup Internet Connection (WAN) ................................................................................................................. 231
Change the Admin Password ......................................................................................................................... 234
Disable services that you are not using ...................................................................................................... 234
Setting NTP services for time synchronization.............................................................................................. 235
System Clock ............................................................................................................................................. 235
NTP Services (SNTP Client)...................................................................................................................... 235
Enable DNS Remote Requests....................................................................................................................... 236
Select the menu at the Bridge, the Bridge tab, click Settings. ................................................................... 236
Setting Bridge Port ..................................................................................................................................... 237
Setting DHCP Server ................................................................................................................................. 238
Date and Time ................................................................................................................................................ 240
Setup Hotspot ................................................................................................................................................. 240
Server Setup ................................................................................................................................................... 240
User and User profile ..................................................................................................................................... 247
IP Bindings ..................................................................................................................................................... 253
How to Block a Customer .......................................................................................................................... 254
Customization ................................................................................................................................................ 256
Customize hotspot Login Page .................................................................................................................. 257
How to Redirect User to your selected site after successful Login ........................................................... 258
Howto Allow URL for some destinations for non authenticated Users ..................................................... 259
HOTSPOT users can’t communicate with each other on LAN or PROXY-ARP issue............................. 259
Howto Bypass authentication for Few Clients with MAC and IP addresses ............................................. 259
Hourly checking for up status .................................................................................................................... 260
Ping dropped .............................................................................................................................................. 260
Client Login ................................................................................................................................................... 261
Command Line to show connected hosts....................................................................................................... 261
Logs................................................................................................................................................................ 262
Storing logs in files .................................................................................................................................... 263
Other useful commands ............................................................................................................................. 264
Firewall action to log and drop .................................................................................................................. 265
Using Dude for Syslog Server ................................................................................................................... 266
WAP/CAP System Logging .................................................................................................................. 267
Ubuntu / Linux Syslog Server................................................................................................................ 267
Dude Syslog Server................................................................................................................................ 268
RouterOS as Agent ................................................................................................................................ 270
Export and Backup / Restore Configuration .................................................................................................. 271
Export Configuration ................................................................................................................................. 271
Export Firewall Rules ................................................................................................................................ 271
Backup / Restore Configuration................................................................................................................. 272
Create Support File .................................................................................................................................... 272
Secure WAP/CAP Hotspot ............................................................................................................................. 273
Advanced Topics .................................................................................................................................................... 274
Configuring Mesh-WDS with Nstreme Protocol ............................................................................................... 274
Internet Wired Connection for Ethernet Port ................................................................................................. 275
Radio Power ................................................................................................................................................... 275
2.4GHz (Atheros AR5413) ........................................................................................................................ 276
5.0 GHz (Atheros AR5213) ....................................................................................................................... 276
Radio Channels .............................................................................................................................................. 278
CLI Configuration.......................................................................................................................................... 278
Config.txt ................................................................................................................................................... 278
What Wireless Clients see .......................................................................................................................... 280
Snapshot for MAC Address Wireless radio for each AP ........................................................................... 281
Configuring Layer 2 Mesh Network .................................................................................................................. 282
CLI Configuration.......................................................................................................................................... 285
GUI Configuration ......................................................................................................................................... 288
Configuring OSPF Mesh.................................................................................................................................... 296
Dual Setup with OSPF for Failover / Redundancy ............................................................................................ 299
Configuration of AP-A ................................................................................................................................... 300
Configuration of AP-B ................................................................................................................................... 301
Loopback........................................................................................................................................................ 301
GUI Setting for OSPF .................................................................................................................................... 302
Pinging from direct connected PC ................................................................................................................. 303
Debug inside AP-A and AP-B ........................................................................................................................ 303
/ip addr print ............................................................................................................................................... 303
/routing ospf interface print status ............................................................................................................. 304
/routing ospf neighbor print ....................................................................................................................... 305
/routing ospf network print ........................................................................................................................ 306
/ip route print.............................................................................................................................................. 306
VRRP High Availability..................................................................................................................................... 308
General Information ....................................................................................................................................... 308
Summary .................................................................................................................................................... 308
Specifications ............................................................................................................................................. 308
Description ................................................................................................................................................. 309
Notes .......................................................................................................................................................... 309
VRRP Routers ................................................................................................................................................ 309
Description ................................................................................................................................................. 309
Property Description .................................................................................................................................. 309
Notes .......................................................................................................................................................... 310
A simple example of VRRP fail over............................................................................................................. 311
Description ................................................................................................................................................. 311
Configuring Master VRRP router .............................................................................................................. 311
Configuring Backup VRRP router ............................................................................................................. 312
Testing fail over ......................................................................................................................................... 312
VRRP: More examples ...................................................................................................................................... 313
Configuring Bonding ......................................................................................................................................... 317
Configuring Nstreme Protocol ........................................................................................................................... 317
Nstreme Dual Configuration .............................................................................................................................. 319
Introduction .................................................................................................................................................... 319
Example ......................................................................................................................................................... 322
The Nstreme Dual configuration ................................................................................................................... 322
The First Platform (WAP-520)................................................................................................................... 323
The Second Platform (CAP-520W) ........................................................................................................... 329
Configuration Print Out ................................................................................................................................. 337
Tower Side AP: (WAP-520) ....................................................................................................................... 337
Client Side Bridge (CAP-520W) ............................................................................................................... 338
Optimizing Bandwidth (Throughput) ................................................................................................................ 338
Network Management & Monitoring Systems .................................................................................................. 341
Spam Trojan Detection ...................................................................................................................................... 348
Basic ............................................................................................................................................................... 348
Extension........................................................................................................................................................ 352
MPLS - Bridge Distant Networks ...................................................................................................................... 354
VLAN: 802.1q and Q-in-Q (double tagging) .................................................................................................... 357
What is a VLAN?........................................................................................................................................... 357
Network Diagram........................................................................................................................................... 357
Some Cisco switches with IOS... ................................................................................................................... 358
Configuration for Switch 2950 .................................................................................................................. 358
Configuration for Switch 3524 .................................................................................................................. 360
Configuration of L2 WDS Transparent Bridge for Wireless WAP/CAP ....................................................... 361
Verification ..................................................................................................................................................... 363
Q-in-Q (double tagging) ................................................................................................................................ 364
Example of VLAN Tunneling (Q-in-Q)..................................................................................................... 365
Bandwidth Control (QoS) .................................................................................................................................. 367
DSCP based QoS with HTB .......................................................................................................................... 367
DSCP marking/mangling ............................................................................................................................... 367
Set up the queue tree ...................................................................................................................................... 368
Further Refinements by BrotherDust ............................................................................................................. 369
Comment on difference between this solution and first solution................................................................... 372
DiffServ for Quality of Service...................................................................................................................... 373
What is DiffServ ........................................................................................................................................ 373
Implementing DiffServ .............................................................................................................................. 374
How to Configure MIMO / 802.11N Links ....................................................................................................... 376
802.11n Features ............................................................................................................................................ 376
Frame Aggregation..................................................................................................................................... 376
Aggregation of Mac Service Data Units (AMSDU) .................................................................................. 376
Aggregation of Mac Protocol Data Units (AMPDU) ................................................................................ 376
Channel Bonding, Chains .......................................................................................................................... 376
Discussion & Tips .......................................................................................................................................... 377
AP Bridge and Station Mode ......................................................................................................................... 379
AP Bridge Side (COM) .............................................................................................................................. 379
Configuration Script............................................................................................................................... 387
Station (APClient) Side (CPEM) ............................................................................................................... 388
Configuration Script............................................................................................................................... 389
Bandwidth on the Air ................................................................................................................................. 390
802.11n and WDS .......................................................................................................................................... 391
Nstreme Version 2 (Nv2) ................................................................................................................................... 393
What is Nv2 ................................................................................................................................................... 393
Nv2 Compatibility ......................................................................................................................................... 393
Nv2 Co-existence ........................................................................................................................................... 394
Nv2 Key Points .............................................................................................................................................. 394
Nv2 vs 802.11 ................................................................................................................................................ 394
Nv2 vs Nstreme.............................................................................................................................................. 394
Nstreme / NV2 Rates ..................................................................................................................................... 395
TDMA – Time Slot Transmission .................................................................................................................. 395
TDMA settings ........................................................................................................................................... 395
Nv2 Troubleshooting ..................................................................................................................................... 396
Nv2 Configuration ......................................................................................................................................... 397
Tips to Improve Performance .................................................................................................................... 397
Data Rates .................................................................................................................................................. 397
Tweaks ....................................................................................................................................................... 397
Configuration Script................................................................................................................................... 398
Time Division Duplex (TDD) & Time Division Multiple Access (TDMA) ......................................................... 399
Monitoring ......................................................................................................................................................... 402
Winbox or Webfig .......................................................................................................................................... 402
See all online machines .............................................................................................................................. 402
See all active IP addresses ......................................................................................................................... 402
Log ............................................................................................................................................................. 403
Firewall Health........................................................................................................................................... 403
CPU Usage ................................................................................................................................................. 403
Logging ...................................................................................................................................................... 404
Traffic and system resource graphing ........................................................................................................ 405
Troubleshooting tools ................................................................................................................................ 406
SNMP......................................................................................................................................................... 407
Dude ........................................................................................................................................................... 407
Configuration for WAP-520N with MIMO 2.4GHz .............................................................................................. 408
Default Configuration ........................................................................................................................................ 408
GUI MODE .................................................................................................................................................... 408
SCRIPT MODE ............................................................................................................................................. 409
Scripts for initial setting ............................................................................................................................. 410
Wireless Configuration ...................................................................................................................................... 411
Network Setting ................................................................................................................................................. 414
Password Setting ................................................................................................................................................ 414
Bandwidth Test .................................................................................................................................................. 415
2412MHz N-only ........................................................................................................................................... 415
2357MHz N-only ........................................................................................................................................... 415
5850 MHz N-only .......................................................................................................................................... 416
Configure WAP-350N ............................................................................................................................................ 417
Configuration Script........................................................................................................................................... 417
Appendix A: Power Offset Table ........................................................................................................................... 419
Standard 600mW 802.11a/n MIMO radio card ................................................................................................. 419
Standard 600mW 802.11a and 800mW 802.11b/g radio card ........................................................................... 419
Ubiquiti SR / XR................................................................................................................................................ 420
Unex CM10H ..................................................................................................................................................... 422
Appendix B: Setting for ACK Timeout ................................................................................................................. 422
11
Preface
This manual covers the basic configuration and installation of the WAP-520 / WAP-520N (or WAP-240 / WAP-500), WAP-350N, and CAP-5000 / CAP-5000N systems (here named “devices”). These devices may be used in conjunction with any WiBorne Point to Point (P2P) backhaul or Point to Multiple Points (P2MP) wireless broadband equipment to provide access to a WiFi hotspot, as well as to local devices for wireless telecommunications, over a reliable, redundant, high capacity wireless connection.
Installation Requirements
This guide is for the networking professional who installs and manages the WiBorne WAP/CAP series line of outdoor products, hereafter referred to as the ‘device’. To use this guide, you should have experience working with TCP/IP configuration and be familiar with the concepts and terminology of wireless local area networks.
Warning: to avoid damaging the radio, attach the antenna(s) to the WAP or CAP unit before powering on the radio.
Packing List
Before you start to install the device, make sure the package contains the following items:
• WAP (or CPE) unit * 1
• AC/DC adapter with wall-plug power cable
• Inline Power Injector (PoE)
• User’s manual CD-ROM or downloaded from web site
• Mounting Kit * 1
CAP-2400 / CAP-5000/N Series
[Figure: CAP unit, showing the RJ45 Ethernet with PoE connector]
WAP-240 / WAP-500/N Series
[Figure: WAP unit; this side up when the pole is toward the sky vertically; RJ45 Ethernet with PoE connector; External Antenna Connector]
WAP-520N
[Figure: WAP-520N unit; this side up when the pole is toward the sky vertically; RJ45 Ethernet with PoE connector; External Antenna Connectors]
System Requirements
The following are the minimum system requirements in order to configure the device.
• PC/AT compatible computer with an Ethernet interface.
• Operating system that supports an HTTP web browser; Windows preferred.
Hardware Overview
Field Installation
CAP-2400 / CAP-5000 Series
After you install the bracket, you can choose any of the following 4 types of mounting. The pictures below will help in determining the proper bracket orientation to give the desired results.
[Figure: four mounting orientations (VPOL with Uptilt, VPOL with Downtilt, and two HPOL orientations); WiBorne logo]
Instruction for Feedthru Connector
Step 1: Install the Cable Feed thru with the rubber washer on the
outside of the unit. The cable feedthru is designed for sealing outdoor
rated CAT5 cable. Other cables can be used, just check for good seal.
The feedthru accepts an assembled RJ45 connector. Be sure to slip
the loose cylindrical rubber seal over the RJ45 before slipping the
RJ45 thru the feedthru.
Specification for Enclosure
Parameter | CAP-2415 / CAP-5019 | CAP-2419 / CAP-5024 | Units
Frequency Range | 2400-2700 / 4940-5850 | 2400-2485 / 4940-5850 | MHz
Gain | 15 / 19 | 19 / 24 | dBi
3dB Beam Angle (E-Plane) | 30 / 15 | 15 / 9 | deg
3dB Beam Angle (H-Plane) | 30 / 15 | 20 / 9 | deg
Front to Back | 30 | 20 | dB
VSWR | 1.5:1 | 1.5:1 |
Impedance | 50 | 50 | OHM
Input Power | 20 | 20 | W
Outside Dimension | 10.75 x 10.75 x 3.5 (267 x 267 x 89) | 18.5 x 16.8 x 2.5 (470 x 427 x 64) | Inch (mm)
Weight | 2.4 (0.8) | 6 (2.7) | Lb (Kg)
Operating Temperature | -45 to +70 | -45 to +70 | Deg C
Wind Loading (Lbs) at 100/125 mph | 77.8/121 | 27.8 / 43.4 |
Step 2: Install cable assembly to the SMA female connector. Install
electronics equipment. There are 4 8-32 standoffs installed inside
unit, these can be used for attaching a radio or amplifier inside the
unit. The user should supply a mounting plate to attach to the
standoffs. The standoffs are on 6.45inch (164mm) center to center
spacing
Step 3: The backpanel comes with an integral gasket attached.
Attach the backpanel with screws. Tighten all the screws lightly, then
perform final tightening in a criss-cross pattern so that all screws are
tightened evenly. DO NOT OVERTIGHTEN, only light pressure is
required to create a seal.
NOTE: The back panel can only be
installed in one orientation. Horizontal or Vertical polarization and
uptilt or downtilt is determined by the mounting of the RT to the
bracket.
Step 4: Decide if installation will be Vertically Polarized (VPOL)
or Horizontally Polarized (HPOL). The antenna is vertically
polarized when the cable feedthru is in the lower left corner.
Likewise the antenna is horizontally polarized when the cable
feedthru is in the lower right corner. (as viewed from the back of the
antenna). NOTE: The antenna must always be oriented so that the
cable feedthru is on the bottom to avoid any moisture buildup within
the compartment.
WAP-240 / WAP-500 Series
There is one RJ45 connector and one N-type RF connector as standard packaging.
The enclosure can be mounted to a wall using lag bolts or masonry screws. It can also be attached to a pole using the included pole clamps and U-bolts. When attaching to a pole, always make sure the pole clamp is between the enclosure and the pole as shown in the picture. This prevents stress on the flange, which could lead to cracking.
Note:
• Security screws, such as torx head screws, can be used if it’s desired that the cover be removed only by qualified personnel.
• Grounding is normally accomplished thru the pole attachment. If wall mounting, the installer should make sure there is a ground wire running from one of the lag bolts to an earth ground. Some paint may need to be scraped from the flange area to effect a strong ground.
• Any feedthru connections like bulkhead connectors or RJ45 feedthru should be gasketed so that they are weatherproof.
[Figure: metal pole for grounding; RJ45 PoE and External Antenna Connector toward the ground to avoid rain]
Specification for Enclosure
Mounting | 1” to 2” pole using included bracket kit, or wall mount using user supplied screws
Cover Attachment | Qty 8 8-32 x ¼” screws
Cover Seal | High Performance EPDM Gasket
Solar Heat Rise | Internal Temperature ≤ 4 deg C above External Ambient
Overall Size (L x W x H) | 10” x 7.1” x 2.25” (254 x 180 x 57mm)
Weight | 40oz (1.13kg)
RJ45 Ethernet Connector System (ECS)
Assembly
• Remove the thin enclosure nut from the feedthru assembly. This can be discarded. Loosen the compression nut completely.
• Insert the RJ45 connector thru the feedthru assembly.
• Tighten the compression nut loosely.
• Screw the entire feedthru assembly into the RJ45 housing which is already mounted in the enclosure. There should be a rubber gasket between the two assemblies. Tighten the feedthru assembly to create a seal.
• The final step is to tighten the compression nut until the gaskets are tight around the Cat5 cable. Always push the cable toward the connector while tightening to ensure good strain relief of cable to connector.
Disassembly
• Loosen the compression nut to relieve pressure on the Cat5 cable.
• Unscrew the feedthru assembly from the RJ45 housing.
• Using a small screwdriver, depress the RJ45 bayonet lock to release the RJ45 connector from the socket.
Specification for RJ45 ECS Connector
Data | 10BaseT, 100BaseT and 1000BaseT Networks; CAT5e per TIA/EIA 568B; Class D per ISO/IEC 11801
Mechanical | Mating Cycles >500; Positive RJ45 bayonet coupling; Cat5 Cable Strain Relief
Sealing | IP68
Salt Spray | >1000h
Flammability | UL94VO
Thermal Shock | 10 cycles -40 to +100 deg C
Temperature Range | -40 deg C to +85 deg C
Installation Hole Dia | 0.787” (20mm)
Overall Size (L x Dia) | 3.75” x 1.18” (95 x 30mm)
Weight | 2 oz (57gm)
RJ45 Field Installable Feedthru Connector
Follow the instructions below if your CAP / WAP comes with this connector instead of the RJ45 ECS.
Installation
Assembly
• The RJ45 Field Installable Feedthru system is used to waterproof cable entries into outdoor enclosures to IP68 waterproofing standards. The material is UV stabilized for long term outdoor applications.
• The unique design is “Field Installable” because it accepts a fully pre-assembled Ethernet cable connector. There is no need to terminate the cable during installation. This gives the installer the flexibility to use standard pre-assembled Ethernet cables.
• The Feedthru can be pre-installed into an outdoor enclosure such as a WAP-192 or a CAP-1920 Integrated Antenna.
• The RJ45 Field Installable Feedthru allows for assembly or disassembly of the Ethernet cable, which gives the installers the ability to change out the entire enclosure.
Disassembly
• Loosen and remove the Compression Nut.
• Remove the Compression Gasket Assembly from the Feedthru Body.
• Slide the RJ45 connector out of the enclosure thru the Feedthru Body.
• If needed, the Ethernet cable can be removed from the Compression Gasket Assembly, but this isn’t recommended because of possible damage to the Compression Gasket Insert.
• To remove the Ethernet cable from the Compression Gasket Assembly, first remove the Compression Gasket Insert and then slide the RJ45 Connector thru the Compression Gasket Assembly, then slide the Compression Gasket Insert and the Compression Nut over the RJ45 connector body.
• Inspect the Compression Gasket Insert for damage before reuse.
Specification for RJ45 Field Connector
Effective Cable Clamping Range | 0.2” to 0.5” (5mm to 12.7mm)
Enclosure Hole Size | .8125” [13/16”] (20mm)
Certifications | CE
Waterproofing | IEC 529 Level 8, IP68
Power over Ethernet Unit
Plug the other end of the waterproof RJ-45 cable into the PoE device. The PoE device is guaranteed only for use in an indoor environment.
Caution: DON’T plug the power cord into the PoE device before you have finished installing the antenna and ground wire, to ensure safety. If you are using a WAP (Access Point), make sure that you connect the external antenna before powering up the device.
If the RJ-45 cable is not long enough to reach your network device for the indoor part of the installation, you can extend the cable length. However, make sure the maximum length of the RJ-45 cable is shorter than 100M (about 109 yards) for normal operation under IEEE 802.3 standards.
When you plug the regular RJ-45 cable into the PoE device, use the regular RJ-45 cable from the ‘DATA IN’ port of the ‘Power Over Ethernet Kit’ to connect to a hub/switch, or use a crossover RJ-45 cable (not included in the Packing List) to connect to the user’s PC. The waterproof RJ-45 cable must be connected to the ‘P+DATA OUT’ port.
Caution: Don’t plug the two cables in reverse. It will damage the devices.
We recommend you refer to the following illustration as a guideline for hardware installation.
Lightning Protector / Surge Protector
WAP / CAP units come with built-in lightning or surge protectors:
WAP-240:
• Surge protection for 2.4GHz antenna systems
• Gas discharge tube design with multi-strike capability
• Allows DC voltage to pass, suitable for tower-top electronics
• Bi-directional protection
• Durable and waterproof aluminum body with ground lug terminal
WAP-500 / 520N Series:
• Handle multiple lightning strikes while requiring no maintenance
• Narrow band: 20% BW - 100MHz - 6GHz
• Wideband: .82 to 2.2GHz and 2.4 to 6GHz
• Ultra-low let-through
• Multiple strike 60kA transient capability
• RF Power capability to 3kW
CAP-2400 / CAP-5000 Series:
• Built in protector that is designed to protect Power-Over-Ethernet antenna
• Data Line Protection: 7.5V (pins 1,2,3,6)
• Power Line Protection: 60VDC (pins 4,5,7,8)
• Peak Pulse Current (10/1000us): 132 amp
• Response Time: < 5ns
• Maximum Shunt Capacitance: < 25pf
• Operating Temperature: -40C to +70C
Introduction
WiBorne has developed deployments that maximize uptime and reliability while minimizing the constraints on actual data throughput. The WiBorne solution concentrates the fail-safe functions at the most important element of the network, the backbone. Maintaining a robust, hi-speed and redundant backbone is the most critical aspect of the network. The result is that the device provides system performance and reliability well beyond that of competing technologies.
Overview
WiBorne's device wireless backbone radios are available in the 900MHz, 2.4, 3.65, 4.9, and 5 GHz frequency bands. Each device micro cell base station includes an environmentally controlled enclosure with thermostat controlled heater and fan and a nine port router, and can support up to six additional Ethernet devices (cameras, access points, etc.). The device is also designed to support Pre-802.11n radios that are software upgradeable to 802.11n, Pre-WiMAX radios (3.65GHz), and 802.11 a/b/g for WiFi hotspots. This highly flexible and scalable system is built to grow with the needs of any network. Like all WiBorne equipment, the device is designed for easy installation and maintenance.
The device node box provides an innovative and easy method to create a self-healing hi-speed backbone ring for reliable delivery of wireless broadband connectivity. The device system is ideal for high-capacity metro backhaul, broadband access, system bandwidth injection, WiMAX systems, VoIP traffic and IP-based video surveillance.
The device is an outdoor NEMA rated box that houses customized firmware. The router provides OSPF functionality on the routed ports that connect to two WiBorne Point to Point wireless backhaul radios, which results in a layer 3 self-healing wireless network. The devices can also act as base radio or CPE for Point-to-Multiple-Points (P2MP). The other three internal Ethernet (PoE) ports can be used in conjunction with any WiBorne Access Point to provide wireless connections in a P2MP format. Each of these Ethernet (PoE) ports connects to an individual port on the router. This results in a unique broadcast domain for each Access Point, yielding higher performance at each cell. The router board also connects to one or more MiniPCI wireless radio boards that function as a WiFi Access Point. This device uses either an integrated panel antenna or an external sector / omni antenna to provide a hotspot solution. The other internal Ethernet ports on the router can be used with any Ethernet or IP devices and can be configured as bridge ports or router ports to meet different application requirements. It can even connect with a daughterboard for additional radio modules. The device box is powered by 110-240 Volts AC or 24 or 48 VDC, and is designed to operate in temperatures between -40º C and 60º C.
Getting Started
It is always a good idea to first provision and test the equipment on the bench before
deploying them in the field. This is a particularly useful exercise for the novice user.
Management
The device can be configured using a Command Line Interface (CLI) from HyperTerminal or a console window, a Web Browser (HTTP) interface, or the Winbox (GUI) interface. Although all methods are comprehensive and powerful, the CLI method provides the most functionality.
Password
The device unit is pre-configured with the following default account (admin) and password. This user name and password will allow you to gain access through CLI, FTP, HTTP, or Winbox.
User Name: admin
Password: (blank)
Note: The password will default to a blank password if the unit is set to factory defaults. The user name will still be admin.
Change admin's password
Just select the Password menu within the winbox GUI, for example:
Or, type the following command in the CLI:
[admin@WAP-520] > / password
old password:
new password: ******
retype new password: ******
This will change your current admin's password to what you have entered twice. Make
sure you remember the password! If you forget it, there is no recovery. You need to
reinstall firmware of the WAP-520!
Interfaces
We have three levels of interface: web based, Windows based, and the command line interface through telnet or ssh remotely.
• Web Based Interface: This is a web based configuration interface for the wireless firmware. Log in as above to connect to the router; some of the most important firmware features can be controlled within this interface. This is an easy interface for setup and routine maintenance. We are improving the web based GUI gradually.
• Windows Based Interface: This is the graphical configuration application for the firmware. Run it and connect to your WAP; all firmware functionality can be controlled with this application.
• Command Line Interface (CLI): Connect remotely with telnet or ssh and you will have access to the CLI of the firmware; every function of the firmware can be controlled with it. This is particularly useful for batch jobs that modify all sites remotely with little human interaction.
Web Based (Browser) Interface
The device features a convenient and easy-to-use web based configuration and management tool. No additional software is needed on your computer other than a web browser. The browser interface offers limited and basic functions; the majority can only be performed through the command line interface (CLI).
To use the browser interface, the following must be present:
• An Ethernet (wired or wireless) connection between a PC and the device unit.
• Ethernet PC connection with an IP/subnet that is routable to the device unit.
• A web browser on the PC (e.g. Microsoft Internet Explorer)
In order to use the browser interface, simply connect the device unit to a PC and type the device’s IP address into the web browser (e.g. Microsoft Internet Explorer). This will bring up the Login page.
Browser Interface Login Screen
The first page of the web browser is called the configuration page. The configuration
page offers the following options.
• Downloading Winbox
• Displaying Graphs
• Telnet into the device
• Documentation & License Information
Winbox can be downloaded from the router itself under the configuration page of the web browser. The top left side of the configuration page offers a link to download the Winbox application. The application can also be downloaded from the website or the associated CD.
Type the username (default: admin) and password (default wiborne [or blank if factory reset]) and continue. This will bring up the router’s Interface page (Webbox).
You will see the following menu for Quick Setup:
Clicking Advanced goes to the next menu.
Primary Features and Pages of the Browser Interface (Webbox)
Navigation Column: Each page features a navigation column that runs along the left-hand side of the page. At the bottom of the navigation column is the current status of the router, including its System ID, IP address, Time, Date, CPU Utilization, Uptime, Disk Space Free, Disk Space Total, Memory Free, Memory Total, Rx, Tx, AP, Clients, and Timeout.
The navigation column also features buttons to each of the following pages:
• Quick Setup: This configures
 o Wireless SSID/Band/WPA with either PPPoE client, DHCP client, or static IP.
 o Ethernet IP address, NAT, and the parameters for acting as a DHCP server.
• System: This page shows ID, Version, System Reset, Reboot, Change password, and Web page refresh period.
• Interface: The interface name, type, IP address, enable/disable and graph are seen on this page.
 o Gateway IP, option for bridge interface
 o Individual interfaces such as ether1, wlan1.
 o For each ethernet, configure IP with static or DHCP
 o For each wireless, configure: ssid/mode/band/authentication/forwarding, security (WPA or none)
• Firewall: This page allows you to set up a basic firewall by selecting the Public interface and the check boxes Protect customer, Protect router, and NAT.
• Routes: This page displays all routing information, with the capability of adding static routes for each destination / netmask / gateway.
• Simple Queues: The Simple Queues (QoS) page allows you to rate limit traffic on the router. You can define Name, separate In/Out limits, Target IP, and Time and Date for 7 x 24 or for a specific heavy traffic period during the day.
• PPPoE: Allows you to enable PPPoE on an interface and add users and passwords.
• Reg Table: This page shows the currently registered clients.
• Access List: This page allows adding an Access List based on MAC address, Interface, Authenticate and Forward settings.
• DHCP Server: This page shows the current DHCP server settings, including current DHCP leases, with enable/disable, address range, Gateway IP, and DNS.
• Upgrade: This page allows you to upload an upgrade package or downgrade.
• Logout: This link will end the current browser session with the router.
• Status and Graphics: showing
WebFig (Web Browser) Interface
WebFig is a web based WAP/CAP configuration utility available from OS V5.0. It is accessible directly from the router and no additional software is required (except a web browser with JavaScript, of course).
As WebFig is platform independent, it can be used to configure the router directly from various mobile devices without the need for software developed for a specific platform.
WebFig is designed as an alternative to Winbox, as shown below. Both have similar layouts and both have access to almost any feature of WAP/CAP.
Connecting to WAP/CAP
WebFig can be launched from the home page, which is accessible by entering the router's IP address in the browser. For example, if you define the IP address to be 10.1.1.31, then you can access WebFig by entering http://10.1.1.31/webfig:
The default login is ‘admin’ (without quotes), with a blank password.
Interface Overview
The WebFig interface is designed to be very intuitive, especially for WinBox users. It has a very similar layout: menu bar on the left side, undo/redo at the top and the work area in the rest of the available space.
The menu bar has almost the same design as the WinBox menu bar. A little arrow on the right side of a menu item indicates that the menu has several sub-menus.
When clicking on such a menu item, the sub-menus will be listed and the arrow will point down, indicating that the sub-menus are listed.
At the top you can see three common buttons: Undo/Redo buttons similar to Winbox and one additional button, Log Out. In the top right corner, you can see the WebFig logo and the WAP/CAP model name.
The work area has a tab design, where you can switch between several configuration tabs; for example, in the screenshot all tabs available in the Interface menu are listed (Interface, Ethernet, EoIP Tunnel, IP Tunnel, …).
Below the tabs are buttons for all menu specific commands, for example Add New and Settings.
The last part is the table of all menu items. The first column of an item has item specific command buttons:
• enable current item
• disable current item
Item configuration
When clicking on one of the listed items, WebFig will open a new page showing all configurable parameters, item specific commands and status.
At the top you can see the item type and item name. In the example screenshot you can see that the item is an interface with the name bridge1.
There are also item specific command buttons (Ok, Cancel, Apply, Remove and Torch). These can vary between different items. For example, Torch is available only for interfaces.
Common item buttons:
• Ok - apply changes to parameters and exit;
• Cancel - exit and do not apply changes;
• Apply - apply changes and stay on the current page;
• Remove - remove the current item.
The status bar, similar to Winbox, shows the current status of item specific flags (e.g. the running flag). A greyed-out flag means that it is not active. In the example screenshot you can see that running is in solid black and slave is greyed out, which means that the interface is running and is not a slave interface.
The list of properties is divided into several sections, for example "General", "STP", "Status", "Traffic". In Winbox these sections are located in separate tabs, but WebFig lists them all on one page, specifying the section name. In the screenshot you can see the "General" section. Greyed-out properties are read-only and cannot be configured.
Skins
WebFig skins are a handy tool to make the interface more user friendly. It is not a security tool. If a user has sufficient rights it is possible to access hidden features by other means.
Designing skins
If the user has sufficient permissions (the group has the policy edit permission) the Design Skin button becomes available. Pressing that toggle button will open the interface editing options. Possible operations are:
• Hide menu - this will hide all items from the menu and its submenus;
• Hide submenu - only a certain submenu will be hidden;
• Hide tabs - if submenu details have several tabs, it is possible to hide them this way;
• Rename menus, items - make certain features more obvious or translate them into your language;
• Add note to item (in detail view) - to add comments on a field;
• Make item read-only (in detail view) - for user safety, very sensitive fields can be made read only;
• Hide flags (in detail view) - while it is only possible to hide a flag in detail view, the flag will not be visible in list view or in detailed view;
• Add limits for field (in detail view) - a comma or newline separated list of allowed values:
 o number interval '..': for example, 1..10 will allow values from 1 to 10 for fields with numbers, for example MTU size.
 o field prefix (Text fields, MAC address, set fields, combo-boxes). If it is required to limit the prefix length, $ should be added to the end; for example, limiting the wireless interface to "station" only will contain
• Add Tab - will add a grey ribbon with an editable label that will separate the fields. The ribbon will be added before the field it is added to;
• Add Separator - will add a low height horizontal separator before the field it is added to.
Note:
• A number interval cannot be set to extend the limitations set by the OS for that field.
• Set fields are arguments that consist of a set of check-boxes, for example, setting up policies for user groups, or the RADIUS "Service" field.
• Limitations set for combo-boxes limit the values selectable from the dropdown.
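The field-limit syntax described above, as an added example that is not part of the original guide or of the WebFig/Winbox software: a small Python validator for the comma- or newline-separated limit list, with "a..b" number intervals, text prefixes, and a trailing "$" requiring an exact match, plus the note that an interval can only narrow the OS limit. The function names, the exact-match reading of "$", and the sample OS limits are assumptions; as the page says, such limits are a user-interface convenience, not an access control.

```python
"""Validator for the WebFig skin "Add limits for field" syntax.

Added example, not WiBorne or MikroTik code. Assumed reading of the page:
  - entries are separated by commas or newlines;
  - "a..b" is a number interval allowing integers a through b;
  - any other entry is a text prefix; a trailing "$" means the whole value
    must equal the entry (the "$" limits the prefix length);
  - a number interval may only narrow, never extend, the OS limit for the field.
"""
import re

_INTERVAL = re.compile(r"^(-?\d+)\s*\.\.\s*(-?\d+)$")


def parse_limits(text):
    """Turn the limit text into rules: ("interval", lo, hi) or ("prefix", s, exact)."""
    rules = []
    for raw in re.split(r"[,\n]", text):
        entry = raw.strip()
        if not entry:
            continue  # tolerate blank lines and trailing commas
        m = _INTERVAL.match(entry)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"empty interval: {entry}")
            rules.append(("interval", lo, hi))
        elif entry.endswith("$"):
            rules.append(("prefix", entry[:-1], True))   # exact match only
        else:
            rules.append(("prefix", entry, False))        # value may start with it
    if not rules:
        raise ValueError("limit text contains no entries")
    return rules


def clamp_to_os_limit(rules, os_lo, os_hi):
    """Apply the page's note that a number interval cannot extend the OS limit.

    Intervals are intersected with [os_lo, os_hi]; ones that fall entirely
    outside it are dropped. Prefix rules are returned unchanged.
    """
    clamped = []
    for rule in rules:
        if rule[0] != "interval":
            clamped.append(rule)
            continue
        lo, hi = max(rule[1], os_lo), min(rule[2], os_hi)
        if lo <= hi:
            clamped.append(("interval", lo, hi))
    return clamped


def is_allowed(value, limits_text, os_limit=None):
    """True if the typed value satisfies at least one rule of the limit text.

    os_limit is an optional (lo, hi) pair standing in for the limit the OS
    itself enforces on a numeric field (constructed for this example).
    """
    rules = parse_limits(limits_text)
    if os_limit is not None:
        rules = clamp_to_os_limit(rules, *os_limit)
    value = value.strip()
    for rule in rules:
        if rule[0] == "interval":
            try:
                n = int(value)
            except ValueError:
                continue  # non-numeric input can only match a prefix rule
            if rule[1] <= n <= rule[2]:
                return True
        else:
            _, text, exact = rule
            matched = (value == text) if exact else value.startswith(text)
            if matched:
                return True
    return False


if __name__ == "__main__":
    # Constructed sample fields: an MTU-style number and a wireless mode string.
    print(is_allowed("1500", "68..1500"))             # True
    print(is_allowed("9000", "68..1500"))             # False
    print(is_allowed("station", "station$"))          # True
    print(is_allowed("station-wds", "station$"))      # False: "$" forbids a longer value
    print(is_allowed("station-wds", "station"))       # True: plain prefix match
    print(is_allowed("2000", "1..9000", os_limit=(68, 1500)))  # False: clamped to OS limit
```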
Skin Example to Configure Wireless Interface->Status Page
This is a new function from OS 5.7 that adds the capability for users to create a status page where fields from anywhere can be added and arranged.
A status page can be created by users (with sufficient permissions) and the fields on the page can be reordered. When a status page is created, it is the default page that opens when logging into the router through the WebFig interface.
Addition of fields
To add a field to the status page, the user has to enter "Design skin" mode and from the drop-down menu at the field choose the option "Add to status page".
As the result of this action, the desired field will be added to the status page in read-only mode. If the Status page is not present at the time, it will be created for the user automatically.
Two columns
Fields in the Status page can be arranged in two columns. Columns are filled from top to bottom.
When you have only one column, the first item intended for the second column should be dragged to the top of the first item; when a black line appears on top of the first item, drag the mouse to the left until a shorter black line is displayed, as shown in the screenshot. Releasing the mouse button will create the second column. The rest of the fields can afterwards be dragged and dropped the same way as with the one column design.
Skin design examples
Set field: Setting limits
The result would be:
Using skins
To use skins you have to assign a skin to a group; when that is done, users of that group will automatically use the selected skin as their default when logging into WebFig.
Note: WebFig is the only configuration interface that can use skins.
If it is required to use a created skin on another router, you can copy the files to the skins folder on the other router. On the new router it is required to add the copied skin to a user group to use it.
Winbox (Windows GUI) Interface
The device features a convenient and easy-to-use GUI tool. The Winbox interface offers the closest functionality to the Command Line Interface (CLI). The Winbox interface provides a lot more functionality than the Web Interface. Winbox is improving with each release, but the CLI still provides the most functionality.
To use Winbox, the following must be present:
• An Ethernet (wired or wireless) connection between a PC and the device unit.
• Ethernet PC connection to the device unit. You don’t need to define the IP address of the ethernet interface on the PC side.
In order to use Winbox, simply connect the device unit to a PC and type the device’s IP address into the “Connect To” field. Clicking on the dotted square will perform a broadcast scan and show the MAC addresses and IP addresses of device nodes discovered on the network. Supply the Login Name “admin” without a password.
Choose the device that you want to edit by double clicking the corresponding row if you have not set up a password, or single click, then key in the password and click Connect. You can click either the MAC Address or the IP Address, depending on the setting of your PC connected with the PoE. If you are not sure of the original setting of the WAP, always click the MAC Address.
Note: If you don’t see such a list come up, please check the connection of your ethernet cables, both the PoE cable and the wired cable connected to your PC.
Primary Features and Pages of the Winbox Interface
Menu Bar: Winbox has a menu bar that runs along the left-hand side of the page.
• Interface: General information of the interface, Status, Ethernet port settings and traffic.
• Wireless: Wireless status, Access List, Registration, Connect List, Security Profiles, and wireless settings.
• Bridge: Shows Bridge status, Ports in the Bridge, Filters, Broute, NAT and Hosts.
• PPP: Configure PPP interface, Secrets, Profiles, and Active Connections.
• IP: Includes the following menus: Addresses, Routes, Pool, ARP, VRRP, Firewall, Socks, UPnP, Traffic Flow, Accounting, Services, Packing, Neighbors, DNS, DHCP Client, DHCP Server, DHCP Relay, Hotspot, IPSec, and Proxy.
• Routing: Displays menus for the following: BGP, RIP, OSPF, and prefix.
• Ports: Displays the serial port, where the following settings can be changed: Name, Baud Rate, Data Bits, Parity, Stop Bits and Flow Control.
• Queues: Displays Simple Queues, Interface Queues, Queue Tree, and Queue Types.
• Drivers: Displays drivers for the Ethernet and Wireless chip set.
• System: This button shows settings for Identity, Clock, Resources, License, Packages, Auto Upgrade, Logging, History, Console, Scripts, Scheduler, Watchdog, Reboot, Shutdown, NTP Client and NTP Server.
• Files: Displays files on your router, which include backups and hotspot html pages.
• Log: Displays the log information of the router.
• SNMP: SNMP Server settings. By default public has read only access.
• Users: Displays user information. By default there is only one account, admin, which has full access.
• Radius: Radius information is displayed and can be configured.
• Tools: The Tools menu has the following tools: Ping, MAC Ping, Traceroute, Bandwidth Test, BTest Server, Traffic monitor, Packet Sniffer, Torch, MAC Server, Graphing, IP Scan, Ping Speed, Flood Ping, and Netwatch.
• New Terminal: Opens a CLI session to the router. This is the console window to use if you don’t plan to connect the device with Windows’ HyperTerminal tool.
• Telnet: Allows you to telnet to an IP address using the following methods: Telnet, SSH, and MAC Telnet.
• Password: Changes the password of the account that is currently being used.
• Certificate: This menu allows you to see the current Keys, Import, Decrypt and Reset keys.
• Make Supout.rif: This will prompt for a file name that will be created with troubleshooting information.
• Manual: The Manual button is a direct link to MikroTik’s manual.
• Exit: This will close the Winbox session.
Command Line Interface
The web browser interface covers only basic features in a limited role. The command line interface (CLI) provides much more functionality and is usually the management tool of choice for experienced users. The CLI can be reached over the network (Telnet or SSH) or through the console cable.
Telnet
Open a command prompt on your PC and start a Telnet session by typing:
telnet [ip address of router]
All device units are pre-configured at the factory. The factory default user name is admin with no password. Once connected to the router you are greeted with the current firmware version and prompted for a login. Telnet carries the login and the whole session in cleartext, so use it only on an isolated management network and prefer SSH (also offered by Winbox's Telnet button) once the unit is reachable from anywhere else.
First make sure the IP address of ether1 is set correctly. In the following example the IP address of ether1 is 10.1.1.200:
Now type 'telnet 10.1.1.200' (without quotes) in a Windows console:
You can also use the native Windows telnet program: open a Windows console and type 'telnet 10.1.1.201':
The same prompt is reached from HyperTerminal with 115200 8/N/1 and xon/xoff flow control:
Another option is to use the 'New Terminal' entry in Winbox:
To terminate a CLI session (Telnet or serial), type the command quit.
Note: Type ? for a listing of CLI commands and directories. Only basic CLI usage is covered in this guide; for advanced CLI commands click "Manual" in the Winbox menu listed above.
Console (Serial) Port
The device has a serial port, which is useful when the router cannot be reached over TCP/IP (HTTP, Telnet, or Winbox). A terminal emulation program (such as HyperTerminal on Windows) can access the device's CLI through the serial port, which is located on the top right side of the enclosure. The 9-pin D-sub female connector is used with a standard null-modem cable to manage the device. The serial console presents the same login prompt as the network, so the empty default admin password matters for anyone with physical access too.
Access to the console port varies with the housing. The HyperTerminal settings are:
115200
8/N/1
xon/xoff
(for early versions, V2.9+, set Flow Control to 'Hardware')
Management serial cable
The console cable needs to be a 9-pin D-sub female to 9-pin D-sub female cable; a standard null-modem cable can be used to manage the device. You can also use the pinout below to make your own serial cable.
DB9 Female    Function    DB9 Female
1+6           CD+DSR      4
2             RxD         3
3             TxD         2
4             DTR         1+6
5             GND         5
7             RTS         8
8             CTS         7
Basic Configuration through Web Browser
This section describes a few basic concepts and how to configure basic settings using the browser (HTTP) interface, Webbox. It addresses only the most basic steps; it is highly recommended that you read the detailed manual to understand all important configuration parameters.
In this section you will learn the following:
• Quick Setup
• Configure an IP address
• Configure Firewall
• Configure DHCP Server
• Upgrading the Firmware
The first page after login is the Interface page. Clicking on an IP address lets you assign that interface an IP address; clicking on the interface lets you change the interface name from the standard naming convention:
Quick Setup
This configures the basics:
• Wireless SSID, frequency mode and encryption mode, with either a PPPoE client, a DHCP client, or a static IP.
• Ethernet IP address, NAT, and the parameters under which the unit acts as a DHCP server.
Web Browser Interface page
Port Web Configuration
Clicking on the IP address of an interface brings up the port configuration page. The port can be disabled, configured to obtain an IP address from a DHCP server, or manually configured with an IP address and netmask:
Port Name Web Configuration
Clicking on the name of the port lets you change the name of the port.
Interface Web Graphing
The Interface page has a graph link that displays the inbound and outbound traffic of an interface. The graph is broken down into daily, weekly, monthly and yearly views.
System Web Configuration
The System page lets you change the password simply by clicking the password link. The identity of the device can also be changed from the System page, and the unit can be rebooted. The System page also provides a system RESET.
Note: The system reset returns the unit completely to the system default configuration. You will then need to reload WiBorne's default configuration.
Firewall Web Configuration
By default the device is configured with ether1 as the public interface and NAT enabled. The web browser is the easiest way to create a firewall: simply select a public interface and check the NAT box. Checking Protect Router and Protect Customer adds further rules that strengthen the firewall. Keep Protect Router checked on any unit whose public interface faces an untrusted network.
• Public Interface
• Protect Router
• Protect Customer
• NAT
DHCP Server Web Configuration
The device is configured as a DHCP server by default. DHCP service can be applied to any interface, and DHCP leases are also shown on this page. The following information must be provided:
• The DHCP interface
• The IP address range that will be issued to DHCP clients
• Primary and secondary DNS servers
• The gateway IP address
Upgrading Firmware through Web Browser
The firmware can be upgraded from the web browser upgrade page. Download the firmware only from our web site or the original manufacturer's web site. Click UPGRADE in the navigation menu on the left side of the web page:
A file browser window opens for you to select the NPK file to upload. Once the file is selected, click the upload button to begin transferring the file from your computer to the router.
Note: This only transfers the file to the router.
Once the file has been successfully uploaded to the router, the upgrade and downgrade buttons can be used:
The upgrade procedure logs out the current web session. The upgrade takes a few minutes to complete.
Note: DO NOT POWER OFF the router during this process.
To verify that the upgrade succeeded, log back into the router and check the version under the System page.
Remote Firmware Upgrade
WAP supports remote upgrade from Winbox, FTP, or EMS (Dude).
A typical remote software upgrade is done from Winbox -> System -> Auto Upgrade -> Upgrade Package Sources. FTP transfers both the credentials and the package in cleartext, so run remote upgrades only over a trusted management network.
It can be done from Dude (EMS) as well:
Upgrading groups of routers
You can define groups of routers under RouterOS -> Group. Group routers that share one network, because if you upgrade all your routers at once, some of them may reboot while others are still downloading the new files from Dude; this interrupts the upgrade for those devices because they lose connectivity.
Then you can upgrade many routers with one click:
Section 5 Basic Configuration through Winbox
This section describes how to configure basic settings using Winbox. It addresses only the basic steps; it is highly recommended that you study the manual to understand all important configuration parameters.
In this section you will learn the following:
• Configure an IP address
• Configure Wireless Card
• Configure Firewall
• Configure DHCP Server
• Configure OSPF
Configuring an IP address
Once you have logged into Winbox, the menu bar appears on the left. Clicking IP and then Addresses displays all interfaces and their IP addresses. Double-clicking an IP address opens the IP address configuration window. Select the interface and assign an IP address followed by a slash and the number of bits in the subnet mask. If you give the mask length, the Network and Broadcast fields are populated automatically when Apply is clicked. Multiple IP addresses can be assigned to a single interface:
Configuring the Wireless Card
Clicking Wireless in the menu bar opens the Wireless Tables. Double-clicking the wireless interface opens the interface configuration window, which has a number of tabs; General, Wireless, Data Rates, Advanced and Status are just a few. For more information on the settings consult the manual:
Configuring Firewall
The firewall configuration offers many options, but this section only covers creating NAT on an interface using masquerading. In the Winbox session select the IP menu, then the Firewall option. This opens the Firewall window.
The Firewall window presents the following tabs: Filter Rules, NAT, Mangle, Connections, and Address Lists. Select the NAT tab and click the red plus sign to open the New NAT Rule window. In it, set Chain to srcnat and select the Out Interface.
Next, in the New NAT Rule window select the Action tab and set Action to masquerade. Click Apply, then OK, and NAT masquerading is configured. (Figure 25)
Configuring DHCP Server
By default the DHCP server service is enabled in the WiBorne Broadband configuration on ether1 to ether5, WLAN, and the bridge interfaces. To create a DHCP server from within Winbox, select IP, then DHCP Server. This opens the DHCP Server window.
Clicking the Setup button in the DHCP Server window opens the DHCP Server Setup window. Select the interface on which to run DHCP services.
Once the interface is selected, the DHCP address space must be entered, followed by the gateway for the DHCP network.
Note:
• The DHCP gateway is the IP address of the interface.
• If not filled out properly, the setup ends without creating the DHCP server.
The next prompt asks for the range of IP addresses to hand out; this creates an IP pool automatically.
After the IP address range, a DNS server IP address is required.
Note: As above, if not filled out properly the setup ends without creating the DHCP server.
Lastly the lease time must be given. The default is 3 days; the format is days:hours:minutes:seconds. If everything is filled out properly, a success window opens.
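The Winbox steps of this section carried out from the CLI instead, as an added example that is not part of the original guide. It assumes ether1 is the public interface, wlan1 is the LAN side, and uses the made-up addresses 10.1.1.200/24 and 192.168.88.0/24; the input-chain rules and the final hardening block (admin password, service restrictions) are additions of this example, not something the Winbox steps or the web page's "Protect Router" box are documented to produce.

```routeros
# Added example (not from the original guide): CLI equivalents of the Winbox steps above,
# plus the hardening that the factory default (admin with no password) calls for.
# Assumptions: ether1 = public/WAN, wlan1 = LAN; all addresses are made up for this example.

# 1. Addresses: the /24 suffix lets RouterOS fill in network and broadcast itself
/ip address add address=10.1.1.200/24 interface=ether1 comment="WAN (public)"
/ip address add address=192.168.88.1/24 interface=wlan1 comment="LAN"

# 2. Source NAT: masquerade everything leaving the public interface
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# 3. DHCP server: address pool, server bound to the LAN interface, and the network definition
#    (the gateway is the interface's own address; 3-day lease as in the wizard default)
/ip pool add name=lan-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add name=lan-dhcp interface=wlan1 address-pool=lan-pool lease-time=3d disabled=no
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

# 4. Input chain (added here): keep established/related flows, allow management from the LAN,
#    drop everything else that is addressed to the router itself on the public interface
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface=wlan1 action=accept
/ip firewall filter add chain=input in-interface=ether1 action=drop

# 5. Close the factory defaults: set the admin password, disable the cleartext services,
#    and restrict the remaining management services to the LAN subnet
/user set admin password="replace-with-a-real-password"
/ip service disable telnet,ftp
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24
/ip service set www address=192.168.88.0/24

# 6. Verify what was created
/ip address print
/ip firewall nat print
/ip dhcp-server print
/ip firewall filter print
/ip service print
```

Order matters in the input chain: the two accept rules must come before the drop. The Telnet example earlier in this guide connects through ether1 (10.1.1.200), so if you manage the unit from the public side, add an accept rule for your management host's address before the drop, or the drop will lock you out.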
Configuring Queues
Introduction
A bandwidth manager is one of the essential elements of a network, because it is what keeps the network usable under load: it limits one type of traffic in order to leave room for another. Without bandwidth control, one type of traffic can take the whole uplink for itself.
On this system, simple bandwidth limiting is easy with simple queues. Sometimes, however, a more advanced division of bandwidth is needed (traffic shaping with a queue tree), especially when you want finer control over traffic, selection by traffic type, or priorities and guaranteed bandwidth according to your own policy.
Assumptions
First, the traffic has to be marked. Marking tags packets that share some distinguishing feature (for example an IP address or a port). To shape traffic dynamically for a group of users there are two ways:
by IP address: effective when the device routes and performs NAT.
by MAC address: very effective when the device is a transparent bridge.
We take the first way: marking by the user's IP address.
A few words about scripts:
We recommend scripts whenever many entries have to be generated, because a script makes this far more convenient. To use scripts in Winbox, choose 'System -> Scripts' from the left menu. In what follows, commands to be run through the system's script interpreter are marked "(script)"; commands typed directly into a terminal are marked "(terminal)".
In the Scripts window click the "+" symbol and enter the script in the "Source" field. Avoid unnecessary spaces in the script. After accepting, select the script and click the "Run Script" button.
Packet marking - configuration
The first script to create is:
(script)
:for x from=2 to=254 do={ /ip firewall mangle add chain=prerouting src-address=("192.168.0." . $x) action=mark-packet new-packet-mark=($x . "upload") passthrough=no }
This script marks traffic coming from the user, that is, its upload.
To use an address block other than 192.168.0, edit the "192.168.0." string in src-address. It is important to keep the trailing dot inside the quotes exactly as in the example above. The range 2 to 254 is changed the same way, by entering whatever values suit you.
(script)
:for x from=2 to=254 do={ /ip firewall mangle add chain=postrouting dst-address=("192.168.0." . $x) action=mark-packet new-packet-mark=($x . "download") passthrough=no }
This is the mark for the Internet -> user direction, that is, the user's download.
Creating a new queue type
The following entries, marked (terminal), are entered from a terminal:
(terminal)
/queue type add name="sfq" kind=sfq sfq-perturb=5 sfq-allot=1514
This entry selects the algorithm (SFQ) that divides bandwidth between flows within one group or category.
Creating the main queues
The actual traffic shaping happens in the main queues, which follow the HTB algorithm; the scheduling inside each queue is the "queue type" defined above.
Our purpose is bandwidth limiting in both directions, "input" and "output", so we create a main (parent) queue for each direction, which will control the secondary (child) queues:
on the external (Internet) interface: the UPLOAD queue
on the local (LAN) interface: the DOWNLOAD queue
At the same time we make use of the maximum bandwidth available in each direction, in order to keep global overshoot under control.
(terminal)
/queue tree add name="Download" parent=Lan queue=sfq max-limit=1730k
This creates a new queue attached to the internal LAN interface (named Lan here).
(terminal)
/queue tree add name="Upload" parent=Internet queue=sfq max-limit=1730k
This creates a new queue attached to the external Internet interface (named Internet here).
The example above assumes a symmetrical POLPAK 2 Mbps connection. As you can see, the 2048 kbps was reduced by about 10%, so that the queues rather than the link are what saturate; this is what preserves the service level. Protecting upload on DSL connections is particularly important, which is why we suggest reducing the real maximum there by as much as 30%.
Adding the per-user queues
With the main (parent) queues in place, the subscribers are attached to the parent and share its bandwidth according to their priorities. Well-chosen scripts do this quickly and efficiently for the whole range from 2 to 254.
(script)
:for z from=2 to=254 do={ /queue tree add parent=Download packet-mark=($z . "download") limit-at=32000 queue=sfq priority=7 max-limit=256000 }
This script generates 253 queues, one per mark (IP address), each limiting that user's download: guaranteeing 32 kbps and capping at 256 kbps.
The guarantee works as two virtual queues: the first accounts for limit-at (the guaranteed rate), the second for max-limit (the maximum rate), and traffic up to the limit-at value travels a separate, higher-priority path until that value is exceeded.
Once limit-at is exceeded, the priority value is effectively ignored (treated as the lowest, 8). This means that users who are saturating the link are pushed aside the moment a new user wants to use up to 32 kbps of bandwidth. The result is a reasonably steady link and an appropriate level of service for everyone. The limit-at value should equal the real link capacity divided by the number of users, multiplied by a concurrency ratio (about 3).
(script)
:for b from=2 to=254 do={ /queue tree add parent=Upload packet-mark=($b . "upload") limit-at=32000 queue=sfq priority=7 max-limit=220000 }
Now the upload. We recommend limiting upload even on symmetrical links, especially with heavy overbooking (selling more than you have), because a starved upload in p2p programs also drags down the download.
When finished, your queues should look like the following example (taken from a working router configured in the same way, with only minor differences).
Optimization
We can exclude ICMP traffic from the marking. This is useful when we want to keep good ping times regardless of how loaded the link and the individual user queues are. To do so, add the following (terminal) entry at the beginning, before the other rules in /ip firewall mangle:
(terminal)
/ip firewall mangle add chain=prerouting protocol=icmp action=accept
The rule above removes ICMP traffic from the rest of the marking rules (in mangle, action=accept stops further processing of the chain for the matched packet). ICMP exempted this way is also left unshaped.
We may also use several marks per user to set the amount of a given traffic type each user may consume individually. Remember, however, that a large number of entries is not necessarily good; it all depends on the traffic generated and on the computing power of the device.
A test device based on a Pentium III 1000 MHz processor handled traffic from 1000 users, but only on condition that many additional functions (such as connection tracking or extensive use of the firewall) were given up and the device was made an almost transparent bandwidth manager.
Firmware 3.0 supports multithreading, and in theory a second processor should double performance, but in practice we would not rely on that. Strong single-core Intel devices are the best for traffic shaping with the WAP-520.
Per Connection Queue (PCQ) Examples
This is for bandwidth control, or Quality of Service. Such queues are created on the AP side; you do not need to create queues on the station (CPE) side.
Per Connection Queue (PCQ) is a queuing discipline that can dynamically equalize or shape traffic for multiple users with little administration. PCQ scenarios fall into three major groups: equal bandwidth for a number of users, equal distribution of a known bandwidth between users, and equal distribution of an unknown bandwidth between users.
The following example shows how to use PCQ to define different upload and download bandwidth per user.
First, from Bridge, enable use-ip-firewall:
Next, mark all packets with the packet mark "all" by creating a mangle rule under IP -> Firewall -> Mangle:
/ip firewall mangle add chain=prerouting action=mark-packet new-packet-mark=all passthrough=no
Now set up two PCQ queue types, one for download and one for upload. dst-address is the classifier for a user's download traffic, src-address for upload traffic:
/queue type add name="PCQ_download" kind=pcq pcq-rate=64000 pcq-classifier=dst-address
/queue type add name="PCQ_upload" kind=pcq pcq-rate=32000 pcq-classifier=src-address
Finally, two queue tree rules are required, one for download and one for upload:
/queue tree add parent=global-in queue=PCQ_download packet-mark=all
/queue tree add parent=global-out queue=PCQ_upload packet-mark=all
Now you can check the result with the bandwidth tool under Tools -> Bandwidth Test:
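The PCQ example above caps every user at a fixed pcq-rate, which is the first of the three scenarios listed. The following is an added example, not taken from the original guide, for the second scenario: a known link capacity shared equally among whoever is active. It assumes the same queue model the guide uses (global-in/global-out parents), a LAN of 192.168.88.0/24 behind the bridge, and a 4 Mbps down / 1 Mbps up link; all three are assumptions.

```routeros
# Added example (not from the original guide): share a known link capacity equally with PCQ.
# Assumptions: LAN 192.168.88.0/24, link 4M down / 1M up, queue tree with global-in/global-out.

# Mangle must see bridged traffic. Only traffic to/from the LAN is marked, so the router's
# own management traffic and anything from other networks stays out of these queues.
/interface bridge settings set use-ip-firewall=yes
/ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 action=mark-packet new-packet-mark=lan-upload passthrough=no
/ip firewall mangle add chain=prerouting dst-address=192.168.88.0/24 action=mark-packet new-packet-mark=lan-download passthrough=no

# pcq-rate=0 means "no per-user cap": each sub-queue gets an equal share of whatever the
# parent queue tree entry allows, so one heavy user cannot starve the others.
/queue type add name="PCQ_down_share" kind=pcq pcq-rate=0 pcq-classifier=dst-address
/queue type add name="PCQ_up_share" kind=pcq pcq-rate=0 pcq-classifier=src-address

# The max-limit on the tree entry is the known capacity being divided.
/queue tree add name="lan-down" parent=global-in packet-mark=lan-download queue=PCQ_down_share max-limit=4M
/queue tree add name="lan-up" parent=global-out packet-mark=lan-upload queue=PCQ_up_share max-limit=1M

# Verify: the sub-queue count grows as users become active; each gets max-limit / count.
/queue tree print stats
```

Because the classifier is the IP address, a client that uses several addresses receives several shares; keep that in mind when the LAN side is not under your address control.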
Alignment Tool
The device provides an "antenna alignment tool" that shows a moving bar representing the received power. When the bar is at its maximum, the antenna is aligned. With some routers you can also enable an audio feedback mode, which makes the router emit a loud tone whose pitch changes with the received power.
Antenna Positioning (Audio Alignment, or Aiming) for WAP/CAP
Assume there is one link with SSID=master and SSID=slave in a point-to-point deployment, and you want to align both antennas for the best signal strength by positioning them.
Method 1 (Audio mode)
If there are several wireless devices with the same SSID, or interference is present, you can pick a MAC address from the scanned nodes and align against that node by using its MAC address. This ensures that you are aiming at the correct node.
Winbox -> Wireless -> choose the corresponding wireless card by double-clicking it, say wlan1:
In the Interface (wlan1) window, choose the Wireless tab, choose the frequency that you want to scan, then click the "Scan..." button:
Click Start to scan the wireless network.
Now choose the wireless node that you are going to align with:
We will use the MAC address of the selected node in the alignment utility of the current WAP/CAP. Double-click the selected node (the SSID is 'master' here). Right-click and choose Copy to save its MAC address, then click OK to close the window:
Back in the Scan window, click the 'Connect' button:
We will now use the obtained MAC address in the alignment utility. Once this is done, you should hear the WAP/CAP's speaker start beeping, and as you move the antenna around the beep interval should vary according to the signal strength of your link.
Now click Align:
Then click Settings:
Enable "Receive All" and "SSID All", paste the obtained MAC address into the Audio Monitor field, and click OK to close the window:
Now click Start:
You should hear the current WAP/CAP beeping according to the strength of the link, and the aligned far side (the WAP/CAP "master" here) is shown:
Alignment Tool with other vendors' devices
When you get to the remote site, set the MAC address of the opposite (non-WAP/CAP) end of the link in the alignment settings and turn the alignment feature on. You are rewarded with a Geiger-counter-like ticking from the radio box, which speeds up as you move the antenna into the optimum position. A very nice feature, and easy to use (as long as you remember to supply the target's MAC address).
No audio mode:
If you leave the MAC address as 0, you can still use Align mode:
Now click the Align button and you will see the signal strength of the associated node:
Method 2: Alignment-Only Mode
alignment-only puts the interface in a continuous transmit mode that is used for aiming the remote antenna.
Once you have configured the settings in the Align tab, you can switch the interface to 'alignment-only' mode and the beep will vary with the strength of the link.
Method 3: CLI command
You can also do this from the CLI. Set mode=alignment-only on the wireless interface and specify the alignment settings:
audio-monitor (MAC address; default: 00:00:00:00:00:00) - MAC address of the remote host that will be 'listened' to
ssid-all=yes
Then run 'interface wireless align monitor'. For wlan1, with the remote MAC substituted for the default 00:00:00:00:00:00, the three steps are:
/interface wireless set wlan1 mode=alignment-only
/interface wireless align set audio-monitor=00:00:00:00:00:00 ssid-all=yes
/interface wireless align monitor wlan1
The interface automatically goes into alignment-only mode. Note that the mode may have to be set on both sides for the audio to work correctly.
Audio and Video (LED) Aiming Script
Scripts for audio and visual (LED) aiming are available. An example is shown below:
#
# for WAP and CAP "Lights and Sound" alignment script
#
# This script recognizes 9 different "signal levels"
# and 3 assoc. statuses (connected, searching, other)
# Currently, "signal levels" indicate the SNR/margin
# measurement. Higher signal-to-noise measurements
# correspond to higher levels. So level 8 would be
# the best, below 1 would be the worst. The better
# the signal-to-noise, the more LEDs you get, and
# the faster the beeps get. Only 4 LEDs are used,
# (the 5th being left alone, for NAND access ind.)
# with intermediate signal levels resulting in a
# combination of solid and flashing LEDs, shown
# here:
#
# >= Level 8 : 4 solid (100ms beeps)
# >= Level 7 : 3 solid, 4th flashing (300ms beeps)
# >= Level 6 : 3 solid (500ms beep cycle)
# >= Level 5 : 2 solid, 3rd flashing (700ms beeps)
# >= Level 4 : 2 solid (900ms beeps)
# >= Level 3 : 1 solid, 2nd flashing (1100ms beeps)
# >= Level 2 : 1 solid (1300ms beeps)
# >= Level 1 : 1 flashing (1500ms beeps)
# < Level 1 : no LEDs, beeps only (1700ms beeps)
#
# The user-LED (green LED above the blue power LED)
# is used to display the association status. If the
# wireless interface is associated, the user-LED is
# solid. If the wireless interface is actively
# searching, but not yet associated, the user-LED is
# blinking twice a second, with a pause while a
# rising trill of 3 beeps is played. If the wireless
# interface is neither associated, nor searching
# (like disabled, or something weird) then the light
# will flicker rapidly every 2 seconds, and a
# falling trill of 2 beeps is played.
# Finally, the script plays startup (rising) and
# shutdown (falling) tones.
# For reference, the delay times associated with the
# different signal levels are shown here:
#:local lnsdelaytime 100ms; <---signals at/above lvl 8
#:local lnsdelaytime 300ms; <---signals between 7 and 8
#:local lnsdelaytime 500ms; <---signals between 6 and 7
#:local lnsdelaytime 700ms; <---signals between 5 and 6
#:local lnsdelaytime 900ms; <---signals between 4 and 5
#:local lnsdelaytime 1100ms; <---signals between 3 and 4
#:local lnsdelaytime 1300ms; <---signals between 2 and 3
#:local lnsdelaytime 1500ms; <---signals between 1 and 2
#:local lnsdelaytime 1700ms; <---signals below lvl 1
#:local lnsdelaytime 2000ms; <---signal not available
# default delaytime
:local lnsdelaytime 2000ms;
# name of wireless interface to monitor (default wlan1)
:local lnsintname "wlan1";
# frequency (as in pitch) of beep (recommend 700 - 1000)
:local lnsbeepfreq 800;
# Here, the different signal levels are assigned to
# signal-to-noise measurements. we haven't really tweaked
# these yet to be in line with field testing, so they
# may need quite a bit of adjusting.
:local lnslevel8 70;
:local lnslevel7 65;
:local lnslevel6 60;
:local lnslevel5 55;
:local lnslevel4 50;
:local lnslevel3 45;
:local lnslevel2 40;
:local lnslevel1 35;
# The (very approximate) running time of the script
# is set here.
:local lnsrunningtime 60m;
# Here, we set how long the script will beep. NOTE that
# startup/shutdown tones will still be played.
# we like this feature when using an access point where
# the LEDs are clearly visible. If you don't want this
# feature, set it to the same as $lnsrunningtime
# (above).
:local lnsbeeptime 10m;
# figure out beep cutoff time
:local lnsrunbeepdiff;
:set lnsrunbeepdiff ($lnsrunningtime - $lnsbeeptime);
# initialize LEDs, play starting tones
:delay 50ms;
:led user-led=no led4=no led3=no led2=no led1=no;
:delay 50ms;
:beep frequency=($lnsbeepfreq - 300) length=50ms;
:delay 50ms;
:beep frequency=($lnsbeepfreq - 200) length=50ms;
:delay 50ms;
# main monitoring cycle
:while ($lnsrunningtime > 0s) do={
/interface wireless monitor "$lnsintname" once do={
:if ($"status" = "connected-to-ess") do={
:if ($"signal-to-noise" >= $lnslevel8) do={
:set lnsdelaytime 100ms;
:if ($lnsrunningtime > $lnsrunbeepdiff) do={
:beep frequency=$lnsbeepfreq length=($lnsdelaytime / 2);
}
:led user-led=yes led4=yes led3=yes led2=yes led1=yes;
:delay $lnsdelaytime;
}
:if ($"signal-to-noise" >= $lnslevel7 && $"signal-to-noise" < $lnslevel8) do={
:set lnsdelaytime 300ms;
:if ($lnsrunningtime > $lnsrunbeepdiff) do={
:beep frequency=$lnsbeepfreq length=($lnsdelaytime / 2);
}
:for i from=1 to=3 do={
:led user-led=yes led4=no led3=yes led2=yes led1=yes;
:delay ($lnsdelaytime / 6);
:led user-led=yes led4=yes led3=yes led2=yes led1=yes;
:delay ($lnsdelaytime / 6);
}
}
:if ($"signal-to-noise" >= $lnslevel6 && $"signal-to-noise" < $lnslevel7) do={
:set lnsdelaytime 500ms;
:led user-led=yes led4=no led3=yes led2=yes led1=yes;
:if ($lnsrunningtime > $lnsrunbeepdiff) do={
:beep frequency=$lnsbeepfreq length=($lnsdelaytime / 2);
}
:delay $lnsdelaytime;
}
:if ($"signal-to-noise" >= $lnslevel5 && $"signal-to-noise" < $lnslevel6) do={
:set lnsdelaytime 700ms;
:if ($lnsrunningtime > $lnsrunbeepdiff) do={
:beep frequency=$lnsbeepfreq length=($lnsdelaytime / 2);
}
:for i from=1 to=3 do={
:led user-led=yes led4=no led3=no led2=yes led1=yes;
:delay ($lnsdelaytime / 6);
:led user-led=yes led4=no led3=yes led2=yes led1=yes;
:delay ($lnsdelaytime / 6);
}
}
:if ($"signal-to-noise" >= $lnslevel4 && $"signal-to-noise" < $lnslevel5) do={
:set lnsdelaytime 900ms;
:led user-led=yes led4=no led3=no led2=yes led1=yes;
:if ($lnsrunningtime > $lnsrunbeepdiff) do={
:beep frequency=$lnsbeepfreq length=($lnsdelaytime / 2);
}
:delay $lnsdelaytime;
}
:if ($"signal-to-noise" >= $lnslevel3 && $"signal-to-noise" < $lnslevel4) do={
:set lnsdelaytime 1100ms;
:if ($lnsrunningtime > $lnsrunbeepdiff) do={
:beep frequency=$lnsbeepfreq length=($lnsdelaytime / 2);
}
:for i from=1 to=3 do={
:led user-led=yes led4=no led3=no led2=no led1=yes;
:delay ($lnsdelaytime / 6);
:led user-led=yes led4=no led3=no led2=yes led1=yes;
:delay ($lnsdelaytime / 6);
}
}
:if ($"signal-to-noise" >= $lnslevel2 && $"signal-to-noise" < $lnslevel3) do={
:set lnsdelaytime 1300ms;
:led user-led=yes led4=no led3=no led2=no led1=yes;
:if ($lnsrunningtime > $lnsrunbeepdiff) do={
:beep frequency=$lnsbeepfreq length=($lnsdelaytime / 2);
}
:delay $lnsdelaytime;
}
:if ($"signal-to-noise" >= $lnslevel1 && $"signal-to-noise" < $lnslevel2) do={
:set lnsdelaytime 1500ms;
:if ($lnsrunningtime > $lnsrunbeepdiff) do={
:beep frequency=$lnsbeepfreq length=($lnsdelaytime / 2);
}
:for i from=1 to=3 do={
:led user-led=yes led4=no led3=no led2=no led1=no;
:delay ($lnsdelaytime / 6);
:led user-led=yes led4=no led3=no led2=no led1=yes;
:delay ($lnsdelaytime / 6);
}
}
:if ($"signal-to-noise" < $lnslevel1) do={
:set lnsdelaytime 1700ms;
:if ($lnsrunningtime > $lnsrunbeepdiff) do={
:beep frequency=$lnsbeepfreq length=($lnsdelaytime / 2);
}
:led user-led=yes led4=no led3=no led2=no led1=no;
:delay $lnsdelaytime;
}
} else={
:if ($"status" = "searching-for-network") do={
:set lnsdelaytime 2000ms;
:led user-led=no led4=no led3=no led2=no led1=no;
:if ($lnsrunningtime > $lnsrunbeepdiff) do={
:beep frequency=$lnsbeepfreq length=100ms;
}
:delay 100ms;
:if ($lnsrunningtime > $lnsrunbeepdiff) do={
:beep frequency=($lnsbeepfreq + 100) length=75ms;
}
:delay 75ms;
:if ($lnsrunningtime > $lnsrunbeepdiff) do={
:beep frequency=($lnsbeepfreq + 200) length=50ms;
}
:delay 50ms;
:for i from=1 to=4 do={
:led user-led=no;
:delay ($lnsdelaytime / 8);
:led user-led=yes;
:delay ($lnsdelaytime / 8);
}
:set lnsdelaytime ($lnsdelaytime + (50ms + 75ms + 100ms));
} else={
:set lnsdelaytime 2000ms;
:led user-led=no led4=no led3=no led2=no led1=no;
:if ($lnsrunningtime > $lnsrunbeepdiff) do={
:beep frequency=($lnsbeepfreq - 150) length=150ms;
}
:delay 150ms;
:if ($lnsrunningtime > $lnsrunbeepdiff) do={
:beep frequency=($lnsbeepfreq - 350) length=100ms;
}
:delay 100ms;
:for i from=1 to=4 do={
:led user-led=yes;
:delay 50ms;
:led user-led=no;
:delay 50ms;
}
:delay 1550ms;
}
}
}
:set lnsrunningtime ($lnsrunningtime - $lnsdelaytime);
}
# shut off LEDs, play shutdown tones
:delay 50ms;
:led user-led=no led4=no led3=no led2=no led1=no;
:delay 50ms;
:beep frequency=($lnsbeepfreq - 200) length=50ms;
:delay 50ms;
:beep frequency=($lnsbeepfreq - 300) length=50ms;
:delay 50ms;
Power / NAND / User LED
Power LED
The power LED (blue) is on when the board is powered. The NAND LED (green) indicates disk activity.
User LED
The user LED may be programmed at the user's option. It is lit by default when the board starts up, then turned off when the bootloader runs the kernel. The aiming script above shows how to program the user LED as a signal indicator.
Audio-only Aiming Script
# 10 sec delay required by ROS3 for startup scripts?
:delay 10
# set the interface you want to monitor
:local interface "wlan1";
# set the sound frequency you want to use (in Hz)
:local beepfreq "523.251";
# set the number of iterations - approx 1-2 seconds per iteration
:local iterations "150";
# length of a single beep
:local beep "10ms";
# pause when no usable signal is seen (<= -90 dBm)
:local no "2400ms";
# pause between beeps for each signal band (upper bound in dBm):
# the stronger the signal, the shorter the pause and the more beeps per reading
:local s90 "1290ms";
:local s85 "790ms";
:local s80 "590ms";
:local s77 "390ms";
:local s74 "290ms";
:local s71 "240ms";
:local s68 "190ms";
:local s65 "140ms";
:local s62 "90ms";
:local s59 "60ms";
:local s56 "40ms";
:local s53 "20ms";
:local s50 "10ms";
# each iteration reads the signal once and plays the beep pattern of the band it falls in;
# the bands are non-overlapping, and the inner loop uses j so it does not shadow the outer i
:for i from=1 to=$iterations do={
  /interface wireless monitor $interface once do={
    :if ($"signal-strength" <= -90) do={
      :delay $no;
    }
    :if ($"signal-strength" > -90 && $"signal-strength" <= -85) do={
      :for j from=1 to=2 do={ :beep length=$beep frequency=$beepfreq; :delay $s90; }
    }
    :if ($"signal-strength" > -85 && $"signal-strength" <= -80) do={
      :for j from=1 to=3 do={ :beep length=$beep frequency=$beepfreq; :delay $s85; }
    }
    :if ($"signal-strength" > -80 && $"signal-strength" <= -77) do={
      :for j from=1 to=4 do={ :beep length=$beep frequency=$beepfreq; :delay $s80; }
    }
    :if ($"signal-strength" > -77 && $"signal-strength" <= -74) do={
      :for j from=1 to=6 do={ :beep length=$beep frequency=$beepfreq; :delay $s77; }
    }
    :if ($"signal-strength" > -74 && $"signal-strength" <= -71) do={
      :for j from=1 to=8 do={ :beep length=$beep frequency=$beepfreq; :delay $s74; }
    }
    :if ($"signal-strength" > -71 && $"signal-strength" <= -68) do={
      :for j from=1 to=10 do={ :beep length=$beep frequency=$beepfreq; :delay $s71; }
    }
    :if ($"signal-strength" > -68 && $"signal-strength" <= -65) do={
      :for j from=1 to=12 do={ :beep length=$beep frequency=$beepfreq; :delay $s68; }
    }
    :if ($"signal-strength" > -65 && $"signal-strength" <= -62) do={
      :for j from=1 to=16 do={ :beep length=$beep frequency=$beepfreq; :delay $s65; }
    }
    :if ($"signal-strength" > -62 && $"signal-strength" <= -59) do={
      :for j from=1 to=24 do={ :beep length=$beep frequency=$beepfreq; :delay $s62; }
    }
    :if ($"signal-strength" > -59 && $"signal-strength" <= -56) do={
      :for j from=1 to=34 do={ :beep length=$beep frequency=$beepfreq; :delay $s59; }
    }
    :if ($"signal-strength" > -56 && $"signal-strength" <= -53) do={
      :for j from=1 to=48 do={ :beep length=$beep frequency=$beepfreq; :delay $s56; }
    }
    :if ($"signal-strength" > -53 && $"signal-strength" <= -50) do={
      :for j from=1 to=80 do={ :beep length=$beep frequency=$beepfreq; :delay $s53; }
    }
    :if ($"signal-strength" > -50) do={
      :for j from=1 to=120 do={ :beep length=$beep frequency=$beepfreq; :delay $s50; }
    }
  }
}
The EoIP Bridge
Introduction
Sometimes one kind of traffic has to be separated from other traffic that travels over an
existing logical link. One of the simplest ways to obtain such separation is to create a
parallel virtual link, a tunnel. The tunnel carries the data and, depending on the kind of
tunnel, may bring additional benefits such as data encryption or packet compression.
(EoIP itself only encapsulates Ethernet frames in IP; it does not encrypt them.)
Our configuration assumes a transparent tunnel built on top of an ordinary wireless link.
To achieve this, the system transmits data from the first device to the second through an
EoIP (Ethernet over IP) tunnel which, logically, sits between the two wireless cards
(working in the same IP subnet) and carries all layer-2 traffic, thereby forming a
transparent bridge.
The core unit configuration
Before starting the configuration, reset the device to factory defaults (console command:
/system reset-configuration).
After logging in to the device with Winbox, the first thing to do is to assign IP addresses
to the Ethernet and wireless interfaces. To do so, choose 'IP' from the main menu, then the
'Address' submenu, and click "+" to add an address to each of our interfaces.
In the case of the EoIP tunnel, the IP subnet in which the tunnel endpoints (the wireless
interfaces) work should not overlap with the LAN subnet on the Ethernet side. After
assigning the proper addresses, the 'Address List' should look as follows:
Now we create the wireless interface configuration. First, turn the wireless card ON
(it is OFF in the default settings) by right-clicking the icon of the given card and
choosing the "enable" option.
Change the card's settings to 'ap bridge' mode, select the proper frequency and channel,
and enter the "ssid".
Next, we create the EoIP tunnel. To do so, click "+" in the interface list and then choose
"EoIP Tunnel" from the list of available interface types.
Here we have to enter the IP address of the wireless interface of the client unit (the
remote end of the tunnel) and the Tunnel ID, which must be the same on both sides.
Keep in mind that two identical MAC addresses may then appear in the network.
Additionally, if you want to run several tunnels on a single device, every tunnel must
have a different Tunnel ID. In our case it looks as follows:
Creating the bridge
The Ethernet port and the EoIP tunnel are now added to a bridge. To do so, choose the
"Bridge" option and add a bridge interface by clicking "+".
Next, on the "Ports" tab, add the EoIP and Ethernet ports to the bridge just created by
clicking "+". After the ports have been added, the window should look like the following
picture:
The client unit configuration
Before starting the configuration, reset the device to factory defaults (console command:
/system reset-configuration).
Log in to the device with Winbox. The first thing to do is to assign IP addresses to the
Ethernet and wireless interfaces. To do so, choose 'IP' from the main menu, then the
'Address' submenu. Clicking "+" lets you assign the IP addresses to our interfaces. After
assigning the proper addresses, the 'Address List' should look as follows:
Now we start the wireless interface configuration. First, turn the wireless card ON (it is
OFF in the default settings) by right-clicking the icon of the given card and choosing the
"enable" option.
Set the card to "station" mode, choose the proper frequency and channel, and then enter
the "ssid".
Creating the EoIP tunnel
Click "+" in the interface list and then choose "EoIP Tunnel" from the list of available
interface types.
This time we have to enter the IP address of the wireless interface at the other end of the
link (the core unit) and the same Tunnel ID as before; however, the MAC address of the
tunnel interface has to be changed to a different one.
Creating the bridge
The Ethernet port and the EoIP tunnel are now added to a bridge. To do so, choose the
"Bridge" option and add a bridge interface by clicking "+".
Next, on the "Ports" tab, add the EoIP and Ethernet ports to the bridge just created by
clicking "+". After the ports have been added, the window should look like the following
picture:
Now communication between the Ethernet interfaces of the two devices should work, as
pictured below:
The WDS Bridge
Creating a transparent bridge is one of the main goals of our configuration. To achieve it,
the system moves data from one interface to another through a bridge.
Before starting the configuration, reset the device to factory defaults (console command:
/system reset-configuration).
After logging in to the device with Winbox (see the "first login" guide for details), first
create the bridge: choose "Bridge" from the main menu (on the left), click "+" in the
'Bridge' submenu that appears, and click "OK".
Next, on the 'Ports' tab, configure the interfaces that belong to the bridge. For example,
if ether1 and wlan1 are added, a transparent bridge is created between ether1 and wlan1.
Remember that the bridge cannot carry traffic if a wireless interface works in 'station'
mode, which rules out using 'station' mode for creating a wireless bridge. The solution is
to use WDS mode.
A connection by MAC address alone would be unstable, so it is worth assigning an IP
address to the bridge: main menu 'IP', then the 'Address' submenu.
It is also worthwhile to add a gateway. The fastest way is the console:
/ip route add gateway=address_IP_gateway
The same can be done with Winbox: in the 'IP' menu -> 'Routes', click "+" and add our
gateway.
Creating the wireless link
The first card is configured in 'ap bridge' mode.
We may survey the air for other networks using the snooper, which helps in choosing the
working channel.
First find a free frequency and choose it. Remember to use an identical ssid on both
devices that are to be connected to one another.
It is worth protecting access to the WAP-520 by unticking "default authenticate". Then
only the MAC addresses that have been added (the wireless card of the other WAP-520)
will be able to connect.
Add them on the 'Wireless' tab, in the 'Access list' and in the 'Connect list'. Afterwards it
should look as follows:
Note that a MAC-based access list only controls which radios may associate; it does not
encrypt the link.
Now we return to the configuration of the wireless interfaces.
Go to the 'Data rates' tab:
If the signal is strong, set it as in the picture below so that our device connects at 48 Mbps
only (do not set '54', in order to keep a safety margin in case of strong interference). At
the beginning, we recommend 'auto'.
Then choose the 'WDS' tab; under 'WDS mode' tick "dynamic", and change 'WDS default
bridge' to "bridge1".
On the 'Nstreme' tab, set as below:
If you use a routerboard and want to maximise throughput, turn off 'connection tracking'.
To do so, choose 'IP' -> Firewall -> 'Connections' tab and click the "Tracking" button.
Untick 'Enabled' in the new window, as in the picture. Note that with connection tracking
disabled, stateful firewall rules and NAT on that device stop working.
Do the same on the other side, except that the device is set to 'station wds' wireless mode.
If the configuration is correct, the devices will connect in WDS mode.
Please remember to configure all cards according to this mini instruction.
Please do not forget to add the MAC addresses to the Access and Connect lists.
Output Support File (supout.rif)
The support file is used for debugging the WAP/CAP and for resolving support questions
faster. All router information is saved in a binary file, which is stored on the router and
can be downloaded from the router using FTP.
This file contains all of your router's configuration, logs and some other details that will
help the Support team to solve your issue. Since it contains the complete configuration,
treat it as sensitive and send it only over a channel you trust.
To generate this file, type from the command line (CLI):
/system sup-output
Be patient and let it finish, or you could produce an empty file.
You will see one supout.rif produced under Winbox->Files->
Then drag the supout.rif to Windows Explorer and send it to the Support Team.
You can also use Winbox->Make Supout.rif, shown in the left menu bar of the snapshot
above, then go to Files to drag & drop supout.rif and send it out for support.
Of course, it is also possible to download the file with FTP/SFTP, or to automate this
process with scripting and have the file emailed to you.
Upgrading Firmware through Winbox
If you have firmware release V5 or above, please apply the steps below to upgrade. This
applies to both the WAP and CAP series.
1. Connect the WAP / CAP to the Windows PC and run Winbox. Click the MAC address
or IP address of the WAP/CAP whose firmware you plan to upgrade:
2. Drag the new version of the firmware (e.g., version 5.24) from Windows Explorer onto
Winbox:
The window below then pops up while the firmware files are sent:
Once the window above has closed itself, the File List in Winbox shows that the two files
have been transferred:
3. Now, from the Terminal window, type
/system reboot
y
It may take 30 seconds or more to finish rebooting.
4. Upgrade the BIOS. Once the system has booted back, open Winbox->Terminal and type
the commands below:
/system routerboard print
/system routerboard upgrade
y
/system reboot
y
This updates your BIOS from 2.41 to 3.02, and you are done. All previous
configuration stays the same as the original.
Basic Configuration through CLI
This section describes configuration through the Command Line Interface. It covers only
the basic steps. It is highly recommended that you visit and read the Manual to gain an
understanding of all configuration parameters.
In this section you will learn the following:
• Configure an IP address and Gateway
• Configure DHCP client
• Configure DHCP server
The easiest and safest way to configure the router from the CLI is to use "setup". This
lets you configure the router with simple menu-driven options. If an invalid command is
entered, the setup program terminates and no setting takes effect.
Launching CLI “Setup”
Configuring IP Address through CLI Setup
In the setup menu you can configure an IP address simply by supplying the interface
name and the IP address with the NetMask.
Example of configuring an IP address
Configuring Gateway through CLI Setup
Simply selecting an option will bring the next menu prompt. The only information
needed to set the Gateway is the gateway IP address.
Example of configuring the Gateway on the router
Configuring DHCP Client through CLI Setup
Follow the menu options and supply the interface which is to be configured as a DHCP
client.
Configuring DHCP Server through CLI Setup
Following the menu options, the following information needs to be provided in order to
create the DHCP server:
• DHCP server interface:
• DHCP address space:
• gateway for DHCP network:
• DHCP relay
• addresses to give out:
• DNS servers:
• lease time:
Example of a configured DHCP server:
Sample Default Configuration
The following is a sample default configuration for the device. The actual default
configuration is saved in the backup file (factory.backup). The device is configured with
the wired ports (EtherN) as router ports, each with its own IP address. The ports are also
configured to give out DHCP IP addresses. Depending on your deployment, your Ether
ports may instead be configured to act as a single bridge; the bridge is then configured
with an IP address and also as a DHCP server. The wireless card is configured with its
own IP address and also as a DHCP server. The last Ether port can be configured as a
DHCP client:
Note: the default configuration may vary depending on your deployment at the time you
receive your order.
Port                   | IP address   | Bridge | Comments
Ether 1                | 10.1.1.20/24 | Yes    | DHCP Server disabled
Ether 2 (if available) | 10.1.1.20/24 | Yes    | Disabled, or Bridge port, or DHCP Client- NAT
Ether 3 (if available) | 10.1.1.20/24 | Yes    | Disabled, or Bridge port, or DHCP Client- NAT
WLAN 1                 | 10.1.1.20/24 | Yes    | 802.11a or b/g SSID: [model number]
WLAN 2 (if available)  | 10.1.1.20/24 | Yes    | 802.11a or b/g SSID: [model number]
Bridge 1               | 10.1.1.20/24 |        |
Restoring Default Configuration from WinBox
Each router has a backup of this configuration stored in its file system. The backup file
can be seen in Winbox by selecting Files. The name of the backup file is
"factory.backup". Select this file and click Restore; the unit will prompt you to confirm
the restore and reboot.
Click Yes when it asks for confirmation.
Note that you can use the Copy / Paste icons (Windows Clipboard) together with a
Windows file folder to export / import files between the CAP/WAP and Windows,
or vice versa: copy Windows files to the Clipboard and paste them onto the device.
Restoring Default Configuration from CLI
The default configuration can also be reloaded through the command line. Simply log in
to the device and type the following command:
/system backup load name=factory.backup
You can save your own backup with the CLI: /system backup save name=mybackup
Settings for Wireless Access Point & Clients
Here we illustrate some simple examples for deploying P2MP or P2P links.
Wireless Station Modes
Overview
A wireless interface in any of the station modes searches for an acceptable access point
(AP) and connects to it. The connection between station and AP behaves slightly
differently depending on the type of station mode used, so the correct mode must be
chosen for the given application and equipment. This section describes the differences
between the available station modes.
The primary difference between station modes is in how L2 addresses are processed and
forwarded across the wireless link. This directly affects the ability of the wireless link to
be part of an L2 bridged infrastructure.
If L2 bridging over the wireless link is not necessary, as in the case of a routed or MPLS
switched network, the basic mode=station setup is suggested and provides the highest
efficiency.
Availability of a particular station mode depends on the wireless-protocol used in the
wireless network. Please refer to the applicability matrix below for information on mode
support per protocol. A connection between station and AP may be established even if
the particular mode is not supported for the given protocol; beware that such a
connection will not behave as expected with respect to L2 bridging.
802.11 limitations for L2 bridging
Historically, 802.11 AP devices were supposed to be able to bridge frames between the
wired network segment and the wireless one, but a station device was not supposed to do
L2 bridging. Consider the following network:
[X]---[AP]-( )-[STA]---[Y]
where X-to-AP and STA-to-Y are Ethernet links, but AP and STA are connected
wirelessly. According to 802.11, the AP can transparently bridge traffic between X and
STA, but it is not possible to bridge traffic between AP and Y, or X and Y.
The 802.11 standard specifies that frames between station and AP must be transmitted in
the so-called 3 address frame format, meaning that the frame header contains 3 MAC
addresses. A frame transmitted from AP to station has the following addresses:
• destination address - address of station device, also radio receiver address
• radio transmitter address - address of AP
• source address - address of originator of particular frame
Frame transmitted from station to AP has the following addresses:
• radio receiver address - address of AP
• source address - address of station device, also radio transmitter address
• destination address
Considering that every frame must include the radio transmitter and receiver address, it is
clear that the 3 address frame format is not suitable for transparent L2 bridging over a
station, because the station cannot send a frame with a source address different from its
own (e.g. a frame from Y), and at the same time the AP cannot format a frame in a way
that would include the address of Y.
802.11 includes additional frame format, so called 4 address frame format, intended for
"wireless distribution system" (WDS) - a system to interconnect APs wirelessly. In this
format additional address is added, producing header that contains the following
addresses:
• radio receiver address
• radio transmitter address
• destination address
• source address
This frame format includes all the information necessary for transparent L2 bridging over
the wireless link. Unfortunately, 802.11 does not specify how WDS connections should
be established and managed, therefore any usage of the 4 address frame format (and
WDS) is implementation specific.
The different station modes attempt to solve the shortcomings of the standard station
mode to provide support for L2 bridging.
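The 3 address versus 4 address argument above, as an added example (not code from this guide): it builds and parses minimal 802.11 data-frame MAC headers for the [X]---[AP]-( )-[STA]---[Y] topology, with constructed MAC addresses, and checks which forwarding cases each format can express.

```python
"""Address fields of 802.11 data frames, chosen by the To-DS / From-DS bits.

Added example, not part of the WiBorne guide: it shows why the 3 address
format used between a station and an AP cannot carry a frame for a host (Y)
behind the station, while the 4 address (WDS) format can.
"""
from dataclasses import dataclass

# Constructed sample addresses for the [X]---[AP]-( )-[STA]---[Y] topology.
X, AP, STA, Y = ("00:11:22:00:00:01", "00:11:22:00:00:aa",
                 "00:11:22:00:00:bb", "00:11:22:00:00:02")

FC_TYPE_DATA = 0x2   # Frame Control "type" value for data frames
FC_TO_DS = 0x0100    # DS flag bits live in the second byte of Frame Control
FC_FROM_DS = 0x0200


@dataclass(frozen=True)
class Addresses:
    receiver: str     # RA: radio that must receive the frame
    transmitter: str  # TA: radio that sent the frame
    destination: str  # DA: final L2 destination
    source: str       # SA: original L2 source


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_data_header(ra, ta, da, sa, *, to_ds, from_ds) -> bytes:
    """Return FC + duration + address fields + sequence control (+ Addr4).

    Raises ValueError when the 3 address variant selected by the DS bits
    cannot express the requested (RA, TA, DA, SA) tuple.
    """
    fc = FC_TYPE_DATA << 2
    fc |= FC_TO_DS if to_ds else 0
    fc |= FC_FROM_DS if from_ds else 0
    hdr = bytearray(fc.to_bytes(2, "little") + b"\x00\x00")  # FC, duration
    if to_ds and from_ds:
        # WDS: Addr1=RA, Addr2=TA, Addr3=DA, SeqCtl, Addr4=SA. Nothing is lost.
        hdr += mac_bytes(ra) + mac_bytes(ta) + mac_bytes(da) + b"\x00\x00" + mac_bytes(sa)
    elif to_ds:
        # Station -> AP: Addr1=RA (AP), Addr2=TA, Addr3=DA. TA doubles as SA,
        # so the station cannot send on behalf of a different source address.
        if ta != sa:
            raise ValueError("3 address station->AP frame: transmitter must equal source")
        hdr += mac_bytes(ra) + mac_bytes(ta) + mac_bytes(da) + b"\x00\x00"
    elif from_ds:
        # AP -> Station: Addr1=RA, Addr2=TA (AP), Addr3=SA. RA doubles as DA,
        # so the AP cannot address a host behind the station.
        if ra != da:
            raise ValueError("3 address AP->station frame: receiver must equal destination")
        hdr += mac_bytes(ra) + mac_bytes(ta) + mac_bytes(sa) + b"\x00\x00"
    else:
        raise ValueError("ad hoc (IBSS) frames are outside this example")
    return bytes(hdr)


def parse_data_header(raw: bytes) -> Addresses:
    """Recover RA/TA/DA/SA from a header produced by build_data_header."""
    fc = int.from_bytes(raw[:2], "little")
    if (fc >> 2) & 0x3 != FC_TYPE_DATA:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc & FC_TO_DS), bool(fc & FC_FROM_DS)
    a1, a2, a3 = mac_str(raw[4:10]), mac_str(raw[10:16]), mac_str(raw[16:22])
    if to_ds and from_ds:
        return Addresses(a1, a2, a3, mac_str(raw[24:30]))
    if to_ds:
        return Addresses(a1, a2, a3, a2)   # SA is implied by TA
    if from_ds:
        return Addresses(a1, a2, a1, a3)   # DA is implied by RA
    raise ValueError("ad hoc (IBSS) frames are outside this example")


def bridging_cases() -> dict:
    """Which of the X/AP/STA/Y forwarding cases each frame format can express."""
    out = {}
    # AP forwards X's frame to the station itself: fine in 3 address format.
    h = build_data_header(STA, AP, STA, X, to_ds=False, from_ds=True)
    out["ap_to_sta_3addr"] = parse_data_header(h).source == X
    # AP tries to reach Y behind the station: RA would have to differ from DA.
    try:
        build_data_header(STA, AP, Y, X, to_ds=False, from_ds=True)
        out["ap_to_y_3addr"] = True
    except ValueError:
        out["ap_to_y_3addr"] = False
    # Station relays Y's frame to X: TA would have to differ from SA.
    try:
        build_data_header(AP, STA, X, Y, to_ds=True, from_ds=False)
        out["sta_relays_y_3addr"] = True
    except ValueError:
        out["sta_relays_y_3addr"] = False
    # Same relay in 4 address (WDS) format: both end hosts survive the trip.
    p = parse_data_header(build_data_header(AP, STA, X, Y, to_ds=True, from_ds=True))
    out["sta_relays_y_4addr"] = (p.receiver, p.transmitter, p.destination, p.source) == (AP, STA, X, Y)
    return out
```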
Applicability Matrix
The following matrix specifies the station modes available for each wireless-protocol.
Note that there are 2 columns for the 802.11 protocol: "802.11" specifies availability of a
mode in a "pure" 802.11 network (when connecting to any vendor's AP), and "ROS 802.11"
specifies availability of a mode when connecting to a WAP/CAP AP that implements the
necessary proprietary extensions for the mode to work.
Mode                        | 802.11 | ROS 802.11 | nstreme | nv2
station                     |   V    |     V      |    V    |  V
station-wds                 |        |     V      |    V    |  V
station-pseudobridge        |   V    |     V      |    V    |
station-pseudobridge-clone  |   V    |     V      |    V    |
station-bridge              |        |            |         |  V
Mode station
This is the standard mode; it does not support L2 bridging on the station, and attempts to
put the wireless interface in a bridge will not produce the expected results. On the other
hand, this mode can be considered the most efficient and therefore should be used if L2
bridging on the station is not necessary, as in the case of a routed or MPLS switched
network. This mode is supported for all wireless protocols.
Mode station-wds
This mode works only with WAP/CAP APs. As a result of negotiating the connection, a
separate WDS interface is created on the AP for the given station. This interface can be
thought of as a point-to-point connection between the AP and the given station: whatever
is sent out of the WDS interface is delivered to that station (and only to that station), and
whatever the station sends to the AP is received from the WDS interface (and is not
subject to forwarding between AP clients), preserving L2 addresses.
This mode is supported for all wireless protocols except when the 802.11 protocol is used
to connect to a non-WAP/CAP device. The mode uses the 4 address frame format when
used with the 802.11 protocol; for other protocols (such as nstreme or nv2), protocol
internal means are used.
This mode is safe to use for L2 bridging and gives the most administrative control on the
AP by means of the separate WDS interface, for example use of the bridge firewall, RSTP
for loop detection and avoidance, etc.
Mode station-pseudobridge
From the wireless connection point of view, this mode is the same as the standard station
mode. It has limited support for L2 bridging by means of some services implemented in
the station:
• MAC address translation for IPv4 packets - the station maintains an IPv4-to-MAC
mapping table and replaces the source MAC address with its own address when sending
a frame to the AP (in order to be able to use the 3 address frame format), and replaces the
destination MAC address with the address from the mapping table for frames received
from the AP. IPv4-to-MAC mappings are also built for VLAN encapsulated frames.
• single MAC address translation for the rest of the protocols - the station learns the source
MAC address from the first forwarded non-IPv4 frame and uses it as the default for
reverse translation: this MAC address is used to replace the destination MAC address for
frames received from the AP if the IPv4-to-MAC mapping cannot be performed (e.g. a
non-IPv4 frame or a missing mapping).
This mode is limited to complete L2 bridging of data to a single device connected to the
station (by means of single MAC address translation) and some support for IPv4 frame
bridging; bridging of non-IP protocols to more than one device will not work. Also, MAC
address translation limits access to the station device from the AP side to IPv4 based
access: the rest of the protocols will be translated by single MAC address translation and
will not be received by the station itself.
This mode is available for all protocols except nv2 and should be avoided when possible.
The usage of this mode can only be justified if the AP does not support a better mode for
L2 bridging (e.g. when a non-WAP/CAP AP is used) or if only one end-user device must
be connected to the network by means of the station device.
Mode station-pseudobridge-clone
This mode is the same as station-pseudobridge mode, except that it connects to the AP
using a "cloned" MAC address: either the address configured in the
station-bridge-clone-mac parameter (if configured) or the source address of the first
forwarded frame. To the AP this essentially looks as if the end-user device connected to
the station had connected to the AP directly.
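The two translation services of station-pseudobridge and the cloned MAC of station-pseudobridge-clone, as an added simulation (not the WiBorne/RouterOS implementation): it models the IPv4-to-MAC table, the single default MAC for every other protocol, and the clone variant, to show where bridging several LAN hosts through one station breaks. Frames, MAC and IP addresses, and the exact drop behaviour for unmapped frames are constructed assumptions.

```python
"""Simulation of the station-pseudobridge MAC translation described above.

Added example, not the WiBorne/RouterOS implementation: only the behaviour
the text describes is modelled. What happens to a non-IPv4 frame before any
default MAC is learned (dropped here) is an assumption.
"""
from dataclasses import dataclass, replace
from typing import Optional

ETH_IPV4 = 0x0800
ETH_VLAN = 0x8100
AP_MAC = "00:11:22:00:00:aa"  # constructed


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ethertype: int
    src_ip: Optional[str] = None  # set when an IPv4 packet is inside (also VLAN-tagged)
    dst_ip: Optional[str] = None
    vlan: Optional[int] = None


class PseudoBridgeStation:
    def __init__(self, own_mac: str, own_ip: Optional[str] = None,
                 clone: bool = False, clone_mac: Optional[str] = None):
        self.own_ip = own_ip
        self.ip_to_mac: dict = {}
        self.default_mac: Optional[str] = None
        # station-pseudobridge-clone: use the configured clone MAC, or the source
        # of the first forwarded frame; plain pseudobridge uses its own MAC.
        self.radio_mac: Optional[str] = clone_mac if clone else own_mac

    @staticmethod
    def _carries_ipv4(f: Frame) -> bool:
        return f.ethertype == ETH_IPV4 or (f.ethertype == ETH_VLAN and f.src_ip is not None)

    def to_ap(self, f: Frame) -> Frame:
        """Translate a frame arriving from the LAN side before it goes to the AP."""
        if self.radio_mac is None:
            self.radio_mac = f.src             # clone mode without a configured MAC
        if self._carries_ipv4(f):
            self.ip_to_mac[f.src_ip] = f.src   # learn the IPv4 -> MAC mapping
        elif self.default_mac is None:
            self.default_mac = f.src           # single MAC for non-IPv4 traffic
        return replace(f, src=self.radio_mac)  # 3 address format: TA must be SA

    def from_ap(self, f: Frame) -> Optional[Frame]:
        """Reverse-translate a frame from the AP; None means nothing can be delivered."""
        if self._carries_ipv4(f):
            if f.dst_ip == self.own_ip:
                return f                       # the station itself is reachable over IPv4
            if f.dst_ip in self.ip_to_mac:
                return replace(f, dst=self.ip_to_mac[f.dst_ip])
        # Non-IPv4, or no mapping: everything goes to the single default host,
        # including frames that were meant for the station itself.
        if self.default_mac is None:
            return None
        return replace(f, dst=self.default_mac)


def demo() -> dict:
    """Two LAN hosts A and B behind one station (constructed addresses)."""
    A, B = "00:11:22:00:00:01", "00:11:22:00:00:02"
    sta = PseudoBridgeStation("00:11:22:00:00:bb", own_ip="10.1.1.200")
    up_a = sta.to_ap(Frame(A, AP_MAC, ETH_IPV4, "10.1.1.101", "10.1.1.100"))
    up_b = sta.to_ap(Frame(B, AP_MAC, ETH_IPV4, "10.1.1.102", "10.1.1.100"))
    down_b = sta.from_ap(Frame(AP_MAC, sta.radio_mac, ETH_IPV4, "10.1.1.100", "10.1.1.102"))
    # Some non-IPv4 protocol (constructed EtherType) from both hosts, then a reply meant for B.
    sta.to_ap(Frame(A, AP_MAC, 0x1234))
    sta.to_ap(Frame(B, AP_MAC, 0x1234))
    down_other = sta.from_ap(Frame(AP_MAC, sta.radio_mac, 0x1234))
    # Clone variant without station-bridge-clone-mac: the radio takes A's address.
    clone = PseudoBridgeStation("00:11:22:00:00:bb", clone=True)
    up_clone = clone.to_ap(Frame(A, AP_MAC, ETH_IPV4, "10.1.1.101", "10.1.1.100"))
    return {
        "source_rewritten_to_station": up_a.src == up_b.src == sta.radio_mac,
        "ipv4_reply_reaches_b": down_b.dst == B,
        "non_ipv4_reply_for_b_goes_to_a": down_other.dst == A,
        "clone_presents_first_host_mac": up_clone.src == A,
    }
```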
Mode station-bridge
This mode works only with WAP/CAP APs and provides support for transparent,
protocol-independent L2 bridging on the station device. A WAP/CAP AP accepts clients in
station-bridge mode when this is enabled using the bridge-mode parameter. In this mode
the AP maintains a forwarding table with information on which MAC addresses are
reachable over which station device.
This mode is only supported for the nv2 protocol (as of now).
This mode is safe to use for L2 bridging and should be used whenever there are sufficient
reasons not to use station-wds mode.
Station and Access Point
This example shows how to configure a combination of WAP and CAP, one as the Access
Point (WAP) and the other as a station (CAP), on 2.4 GHz (802.11b/g standard).
On Access Point:
• mode=ap-bridge
• frequency=2142
• band=2.4GHz-B/G
• ssid=WAP
• disabled=no
On client (station):
• mode=station
• band=2.4GHz-B/G
• ssid=WAP
• disabled=no
Bring up winbox.exe and search for connected WAP/CAP nodes by clicking the highlighted
widget, then click the Connect widget:
Configuration for Access Point (WAP)
Select Wireless and double click wlan1
Choose Wireless from pull-down widget:
Set Mode, SSID, Band, and Frequency, then click OK.
Now assign IP address:
Click Add button:
Assign IP, Network, and Broadcast, and choose Interface to be wlan1, click Ok.
Leave the rest as default options and you are done with the AP mode setup.
Configuration for Station (CAP)
Set Mode, SSID, Band, and Frequency, then click OK.
Assign IP, Network, and Broadcast, and choose Interface to be wlan1, click Ok
Check whether you can ping the Access Point from Station:
Tools->Ping
AP Bridge / Station Pseudo-bridge
Single Radio on One WAP
You have one radio on each side (WAP or CAP) and use that radio as the backhaul to
create a bridged (transparent) wireless LAN.
You can bridge WAP and CAP such that all client IP addresses are transparent and can
reach each other. This usually applies to WiFi or VoIP billing systems. To solve this
problem, the ap-bridge and station pseudo-bridge modes were created: the station side
works just like a station but connects to the AP without additional routing. This example
shows you how to make a transparent network using the ap-bridge and station
pseudo-bridge features. With this mode you can ping individual PCs behind the AP and
the station from each other.
On both Access Points, use Bridge to bridge all necessary ether and wlan port(s) together.
• On Access Point (10.1.1.100): configure the AP in ap-bridge mode (access point)
• On the other Access Point (or CPE, 10.1.1.200): configure it in station pseudobridge mode (client / station)
Once the configuration is done, you should be able to ping between 10.1.1.101 and
10.1.1.201.
Configuration for Access Point (WAP)
Create a bridge1 that bridges ether1 and wlan1, using the default parameters:
Double click bridge1:
You can take all the default parameters for bridge1.
To add ports to the bridge, make sure ether1 and wlan1 are added, as shown here:
Setting wlan1: now choose Wireless->wlan1.
If wlan1 is greyed out as shown above, click the check mark √ to enable it.
Set up the wireless information for wlan1:
You must hit Apply or OK to save the change. Note that the SSID string is shown in blue,
which means that you have made a change that has not been saved yet. You can keep the
rest as default.
Define the IP address of ether1 to be 10.1.1.100: IP->Address, then click the "+" sign to
add an address:
You can key in 10.1.1.100/24 for a single subnet:
Once you hit Apply, Network and Broadcast are assigned automatically:
Back in Interfaces, you should see the following interface list:
"R" shows that the interface is running. It is OK if you don't see "R" on the wlan
interface; it means that no wireless client is associated yet.
Configuration for Station (CAP)
If you don't use any CAP as the client CPE, you can ignore the following.
Create a bridge1 that bridges ether1 and wlan1, using the default parameters:
Add the interfaces (ether1 and wlan1) to the ports of the bridge
Now you should see bridge1 bridging both ether1 and wlan1 together:
Configuring wlan1: Wireless->wlan1. Choose station pseudobridge mode. You can
use the Scan function to find the corresponding AP. Hit Apply.
Define the IP address of bridge1: IP->Addresses, choose "+" if the IP address of ether1 is
not defined yet:
Now you should be able to ping between the two PCs (10.1.1.101 and 10.1.1.201).
Additional reference: WAP-520_CAP-500_UG.pdf
Dual Radios on One WAP
You have two radios on each side (WAP or CAP) and use one of the radios, say the 5 GHz
one, as the backhaul connection between the two sites. The remaining radio, say 2.4 GHz,
serves the clients at each site.
This shows a transparent bridging setup that joins the two sites into a single LAN.
You can bridge WAP and CAP such that all client IP addresses are transparent and can
reach each other. This usually applies to WiFi or VoIP billing systems. To solve this
problem, the ap-bridge and station pseudo-bridge modes were created: the station side
works just like a station but connects to the AP without additional routing. This example
shows you how to make a transparent network using the ap-bridge and station
pseudo-bridge features. With this mode you can ping individual PCs behind the AP and
the station from each other.
On both Access Points, use Bridge to bridge all necessary ether and wlan ports together.
For the 5 GHz backhaul link:
• On Access Point (10.1.1.100): configure the AP in ap-bridge mode (access point)
• On the other Access Point (or CPE, 10.1.1.200): configure it in station pseudobridge mode (client / station)
For the 2.4 GHz client radio, use ap-bridge mode on both WAPs.
Once the configuration is done, you should be able to ping between 10.1.1.101 and
10.1.1.201.
Configuration for the 1st Access Point (WAP)
Create a bridge1 to bridge ether1, wlan1, and wlan2 by using default parameters:
Double click bridge1:
You can take all the default parameters for bridge1.
To add ports to the bridge, make sure ether1, wlan1, and wlan2 are added, as shown here:
Setting wlan1: 2.4 GHz
Now choose Wireless->wlan1.
You will not see wlan2 if you only have one wireless radio available.
If wlan2 is greyed out as shown above, click the check mark √ to enable it.
Set up the wireless information for wlan1:
You must hit Apply or OK to save the change. Note that the SSID string is shown in blue,
which means that you have made a change that has not been saved yet. You can keep the
rest as default.
Setting wlan2: 5 GHz
As with 2.4 GHz, you can define the wireless parameters:
Nstreme mode – optional
If you want higher throughput, you can enable the Nstreme protocol on both the WAP and
CAP backhaul radios. You must enable it on both sides, otherwise the two ends cannot
talk to each other.
See also the next chapter, "Configuring Nstreme".
Ack Timeout
For long ranges greater than 10 km, you need to adjust the Ack Timeout for best
performance:
Interface->wlan2->Wireless, then choose Advanced Mode:
Choose the Advanced tab:
Here you can use the Scan function to find the associated client and adjust the Ack Timeout:
Refer to Appendix B: Setting for Ack Timeout.
Note:
• Under nstreme it is not necessary to set ack-timeout; just leave it as dynamic.
• ack-timeout must be set to the same value on both ends of the link.
To improve performance, you can turn off connection tracking in the firewall:
IP->Firewall->Connections:
Uncheck Enabled and hit Apply:
Define the IP address of ether1 to be 10.1.1.100: IP->Address, then click the "+" sign to
add an address:
You can key in 10.1.1.100/24 for a single subnet:
Once you hit Apply, Network and Broadcast are assigned automatically:
Back in Interfaces, you should see the following interface list:
"R" shows that the interface is running. It is OK if you don't see "R" on the wlan
interface; it means that no client is associated yet.
Configuration for the 2nd Access Point (WAP)
Bridge: same configuration as the 1st WAP
2.4 GHz: same configuration as the 1st WAP
5 GHz: choose station pseudobridge mode:
IP address of ether1: same as the 1st WAP, but use 10.1.1.200/24 instead.
L2 Transparent Bridge (WDS-Bridge, or station-wds Mode)
Remote networks can be easily bridged using the L2 WDS-bridging feature of the WAP or
CAP. We show it for the case where the networks are connected. This could be applied to
multiple E1 streams, or a V.35 bit error rate tester (BERT).
Let us assume the following network setup:
Let us configure the Master Link (COM and CPEM); here COM means the ODU in AP
mode, while CPEM means the ODU in Station (or Client) mode.
Follow the steps below to create a transparent bridge using WDS:
AP Side (COM)
First, reset what you have done:
/system reset
Reboot, then set the identity:
/system identity set name=COM
1. Create a bridge interface on the AP (COM) and add the ether1 interface to the bridge in
WinBox
Once you click Apply:
Then click Ports and add ether1 to bridge1:
or in console
/interface bridge add name=bridge1
/interface bridge port add interface=ether1 bridge=bridge1
You do not need to bridge WLAN1 at this moment.
Station side (CPEM)
Do the same on the Station (CPEM), but add both the ether1 and wlan1 interfaces to the
bridge in Winbox
or in console
/int bridge add name=bridge1
/int bridge port add interface=ether1 bridge=bridge1
/int bridge port add interface=wlan1 bridge=bridge1
131
2. Make sure you have communication between the WAP routers, i.e. one router is
configured as server (AP, or COM) and the other as client (station, or CPEM). Configure
wireless interface wlan1 on the AP in WinBox
or in console
/interface wireless set wlan1 disabled=no ssid=master frequency=5825 band=5ghz-a \
mode=bridge channel-width=40mhz scan-list=5825-5875 wireless-protocol=nstreme \
frequency-mode=superchannel dfs-mode=none country=india
/int wireless nstreme set wlan1 enable-nstreme=yes disable-csma=yes \
framer-policy=best-fit framer-limit=3200
Do the same configuration on the CPEM client wireless interface (wlan1) in WinBox
or in console
/interface wireless set wlan1 disabled=no ssid=master frequency=5825 band=5ghz-a \
mode=station-wds channel-width=40mhz scan-list=5825-5875 \
wireless-protocol=nstreme frequency-mode=superchannel dfs-mode=none \
country=india
/int wireless nstreme set wlan1 enable-nstreme=yes disable-csma=yes \
framer-policy=best-fit framer-limit=3200
3. Create the wds interface on the AP (COM) and add it to the bridge in WinBox
or in console
/interface wireless set wlan1 wds-mode=dynamic wds-default-bridge=bridge1
4. Check whether the WDS link (on COM side) is established in WinBox
or in console
[admin@COM] > /int wireless wds print
Flags: X - disabled, R - running, D - dynamic
0 RD name="wds1" mtu=1500 l2mtu=2290 mac-address=00:02:6F:76:01:A0
arp=enabled master-interface=wlan1 wds-address=00:02:6F:76:01:A6
5. Add an IP address on the COM AP in WinBox
or in the COM console:
/ip address add address=10.1.1.31/24 broadcast=10.1.1.255 interface=bridge1
And in the CPEM console:
/ip address add address=10.1.1.32/24 broadcast=10.1.1.255 interface=bridge1
# disable connection tracking for better performance on both the AP (COM) and the client (CPEM);
# note that this also disables stateful firewall matching and NAT on these units
/ip firewall connection tracking set enabled=no
6. Test the bridge by pinging from 10.1.1.31 to 10.1.1.32. Note that the bridge needs
10 to 30 s to learn addresses and start passing traffic.
While running Tools->Bandwidth Test with Tx Power = 5 dBm (if equipped with a 600 mW
radio) and 70 dB attenuation between COM and CPEM, you should see TCP
bandwidth of around 36/36 Mbps and UDP of around 40/40 Mbps:
Full Scripts
#----------------------------------------------------------------------
# Transparently Bridge two Networks for P2P
# based on V4.14
#----------------------------------------------------------------------
#----------------------------------------------------------------------
# COM ODU (AP)
#----------------------------------------------------------------------
# uncomment this line to reset the system before running the following script
#/system reset
# change password
#/password
# set ID
/system identity set name=COM
# create bridge for ether1 (later for wlan1)
/int bridge add name=bridge1 protocol-mode=rstp
/int bridge port add interface=ether1 bridge=bridge1
# create wlan1
/interface wireless set wlan1 disabled=no ssid=master frequency=5825 band=5ghz-a \
mode=bridge channel-width=40mhz scan-list=5825-5875 wireless-protocol=nstreme \
frequency-mode=superchannel dfs-mode=none country=india
# enable proprietary nstreme protocol
/int wireless nstreme set wlan1 enable-nstreme=yes disable-csma=yes \
framer-policy=best-fit framer-limit=3200
#Create wds interface for wlan1 and add the interface to the bridge
/interface wireless set wlan1 wds-mode=dynamic wds-default-bridge=bridge1
#add ip address
/ip address add address=10.1.1.31/24 broadcast=10.1.1.255 interface=bridge1
# disable firewall tracking for better performance
/ip firewall connection tracking set enabled=no
# backup as 'factory'
/system backup save name=factory
#----------------------------------------------------------------------
# CPEM ODU (Client, or Station)
#----------------------------------------------------------------------
# uncomment this line to reset every setting
#/system reset
/system identity set name=CPEM
# create bridge for ether1 and wlan1
/int bridge add name=bridge1 protocol-mode=rstp
/int bridge port add interface=ether1 bridge=bridge1
/int bridge port add interface=wlan1 bridge=bridge1
# create wlan1
/interface wireless set wlan1 disabled=no ssid=master frequency=5825 band=5ghz-a \
mode=station-wds channel-width=40mhz scan-list=5825-5875 \
wireless-protocol=nstreme frequency-mode=superchannel dfs-mode=none \
country=india
# enable proprietary nstreme protocol
/int wireless nstreme set wlan1 enable-nstreme=yes disable-csma=yes \
framer-policy=best-fit framer-limit=3200
#add ip address
/ip address add address=10.1.1.32/24 broadcast=10.1.1.255 interface=bridge1
# disable firewall tracking for better performance
/ip firewall connection tracking set enabled=no
# backup as 'factory'
/system backup save name=factory
Pre-configured .rsc file
If you need a script that resets a customer's CPE and then runs an edited custom script
(SSID of the AP, NV2 settings, etc.) so that it re-associates with the AP, you can do this:
Create your configuration script, for example:
/int wirel set wlanX ssid=blabla
/system identity set name=blablabla
and upload it to Files as "conf.rsc". Then:
/system reset-configuration run-after-reset=conf.rsc
Description
The command clears all configuration of the router and sets it to the defaults, including the
login name and password ('admin' with no password; set a password right after the first login).
IP addresses and other configuration are erased and interfaces become disabled. After the
reset command the router reboots.
Parameters
keep-users: keeps router users and passwords
no-defaults: doesn't load any default configuration, just clears everything
skip-backup: when yes is specified, no automatic backup is created before the reset
run-after-reset: name of the export (.rsc) file to run after the reset
You can use a pre-configured .rsc file to load a full configuration onto new CPEs (i.e. units with
default or no configuration). As we run on static IPs, we use a text editor like Notepad to "find and
replace" the IP addresses and client-side DHCP server info, so we can configure 10-15 units in an
hour. We have failover scripts, upgrade schedules and netwatches on the CPEs, so the
script is quite long.
The first few lines of the script (with instructions for the new techies):
###################################################################################################
# 1. Edit the file below.
# 2. Replace all instances of 230.60 with 230.x, x being the new IP allocated for this unit. Use the
#    Edit>>Replace function (Ctrl H)
# 3. Replace all instances of 253.60 with 253.x
# 4. Replace all instances of 168.60 with 168.x
# 5. Ctrl S to save this edited file.
# 6. Find the wireless unit using Neighbourhood Viewer
# 7. MAC-Telnet into the unit with user admin and no password
# 8. Accept the default config by hitting enter and wait for the prompt >
# 9. Type: /ip address add
#    and enter. At the prompt address: 192.168.0.55/24 enter
#    interface: ether1 enter
# 10. Login to the unit via Winbox (now on IP address 192.168.0.55) with user admin and no password
# 11. Open the Files tab on the left menu.
# 12. Upload this correctly edited file to the file screen by "dragging" from the desktop and dropping
#     in the file window on the router
# 13. Drag the contents of the .npk folder from the Desktop to the file window.
# 14. /system reboot
#     y
#     Reboot takes about 3-5 minutes.
# 15. Open a terminal window in Winbox and type: import setup50.rsc
# 16. If loaded successfully, /system reboot
#     y
#     Reboot takes about 1 minute.
###################################################################################################
#
# Replace the name=xxxxxxxxx below with the client surname or business name
###################################################################################################
/system identity
set name=Smurfette
#
# DO NOT CHANGE ANYTHING BELOW THIS LINE - ALL CHANGES HAVE BEEN MADE BY USING
# CTRL H REPLACE COMMANDS
###################################################################################################
/interface ethernet
set 0 name="ether1"
/interface wireless
set 0 name="wlan1"
/ip address
add address=10.254.230.60/32 disabled=yes interface=wlan1 network=10.254.230.254
add address=192.168.60.1/24 interface=ether1
add address=10.254.253.60/32 interface=wlan1 network=10.254.253.254
/interface wireless security-profiles
add authentication-types=wpa-psk group-ciphers=tkip mode=dynamic-keys name=es \
    supplicant-identity=WAP unicast-ciphers=tkip wpa-pre-shared-key=startrekraider
/interface wireless
set 0 adaptive-noise-immunity=client-mode band=2ghz-b/g basic-rates-a/g=6Mbps,9Mbps \
    basic-rates-b=1Mbps,2Mbps disabled=no disconnect-timeout=7s frequency=2412 \
    hw-retries=4 l2mtu=2290 nv2-preshared-key=startrekraider nv2-security=enabled \
    on-fail-retry-time=500ms rate-selection=legacy security-profile=es ssid="ES1" \
    supported-rates-a/g=6Mbps,9Mbps supported-rates-b=1Mbps,2Mbps,5.5Mbps \
    wireless-protocol=nv2-nstreme-802.11
/system clock
set time-zone-name=Africa/Harare
/system logging action
set 0 memory-lines=100 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=3 disk-file-name=log disk-lines-per-file=300 \
disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote-port=514 src-address=0.0.0.0 \
syslog-facility=daemon syslog-severity=auto target=remote
/system logging
set 0 action=disk disabled=no prefix="" topics=info
set 1 action=disk disabled=no prefix="" topics=error
set 2 action=disk disabled=no prefix="" topics=warning
set 3 action=disk disabled=no prefix="" topics=critical
/system ntp client
set enabled=yes mode=unicast primary-ntp=10.254.253.254 secondary-ntp=10.2.0.1
And so on for another few hundred lines.
Note that a script like this carries the wireless pre-shared key in plaintext (here the same string
serves as WPA key and as NV2 key), so treat the .rsc file and every copy of it as a secret and use a
different key per network. The security profile above also uses TKIP, which is deprecated; prefer
unicast-ciphers=aes-ccm group-ciphers=aes-ccm unless legacy clients require TKIP.
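Doing the per-unit edit with a script instead of Notepad, as an added example that is not part of this guide or of the quoted script: it applies the three substitutions from the instructions above (230.60, 253.60 and 168.60 become 230.x, 253.x and 168.x) to whole dotted-quad tokens only, fills in the identity, and refuses to emit a file that still carries the template's pre-shared key or that has a malformed address. The template excerpt, the unit-number range (1 to 253) and the lint rules are assumptions modelled on the script on this page.

```python
"""Render a per-unit RouterOS .rsc from a template like the one above.

Added example, not part of the original guide or its script. TEMPLATE is a
constructed excerpt in the shape of the page's script; the unit numbering
scheme (x in 10.254.230.x, 10.254.253.x and 192.168.x.1) follows its
instructions.
"""
import ipaddress
import re

# Constructed template excerpt modelled on the guide's script.
TEMPLATE = """\
/system identity
set name=xxxxxxxxx
/ip address
add address=10.254.230.60/32 disabled=yes interface=wlan1 network=10.254.230.254
add address=192.168.60.1/24 interface=ether1
add address=10.254.253.60/32 interface=wlan1 network=10.254.253.254
/interface wireless security-profiles
add authentication-types=wpa-psk group-ciphers=tkip mode=dynamic-keys name=es \\
    unicast-ciphers=tkip wpa-pre-shared-key=startrekraider
/system ntp client
set enabled=yes mode=unicast primary-ntp=10.254.253.254 secondary-ntp=10.2.0.1
"""

TEMPLATE_PSK = "startrekraider"  # the key the template ships with

# (whole dotted quad as it appears in the template, replacement for unit x)
UNIT_ADDRESSES = [
    (r"10\.254\.230\.60", "10.254.230.{x}"),
    (r"10\.254\.253\.60", "10.254.253.{x}"),
    (r"192\.168\.60\.1", "192.168.{x}.1"),
]


def render(template, unit, name, psk):
    """Return the template rewritten for one CPE.

    unit  - the x allocated to this CPE (1..253; .254 is the gateway side)
    name  - value for /system identity
    psk   - this network's WPA pre-shared key, never the template default
    """
    if not 1 <= unit <= 253:
        raise ValueError("unit must be 1..253")
    if psk == TEMPLATE_PSK or len(psk) < 8:
        raise ValueError("pick a real pre-shared key (WPA minimum is 8 characters)")
    out = template
    for pattern, fmt in UNIT_ADDRESSES:
        # \b on both sides: the token inside "address=10.254.230.60/32" matches,
        # while a blind replace of "230.60" would also hit "230.601" or "1230.60".
        out = re.sub(r"\b" + pattern + r"\b", fmt.format(x=unit), out)
    out = out.replace("set name=xxxxxxxxx", "set name=" + name)
    out = out.replace("wpa-pre-shared-key=" + TEMPLATE_PSK, "wpa-pre-shared-key=" + psk)
    return out


def lint(rsc):
    """Return a list of problems a rendered file should not be imported with."""
    problems = []
    if TEMPLATE_PSK in rsc:
        problems.append("template pre-shared key still present")
    if re.search(r"\bciphers=tkip\b", rsc):
        problems.append("TKIP cipher configured; use aes-ccm")
    for m in re.finditer(r"\baddress=(\S+)", rsc):
        try:
            ipaddress.ip_interface(m.group(1))
        except ValueError:
            problems.append("malformed address " + m.group(1))
    return problems
```

Run render() once per unit and import the result only when lint() returns an empty list; the TKIP finding is reported rather than silently rewritten so that an operator with legacy clients makes that call deliberately.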
Firewall
Security Information sources
ENISA – http://www.enisa.europa.eu/
OWASP http://owasp.org
Rits Group – http://www.ritsgroup.com/
ISAS – http://www.isas.ie/
SANS Institute – http://sans.org
CIS Centre for Internet Security – http://cisecurity.org/
NIST Computer Security http://csrc.nist.gov/
Open BSD – http://OpenBSD.org/
Spamhaus.org – http://spamhaus.org
nmap.org – http://nmap.org
ha.ckers.org – http://ha.ckers.org/
How to configure a router
The CLI
Winbox is a fantastic program. It is extremely powerful, and is a very quick way to edit
or monitor RouterOS routers. It is, however, also a fairly poor tool for sharing
configuration across the Internet. You can take screenshots, but screenshots are large files
and might not display right. Depending on where they are hosted they might not stay
around for very long as the file host takes them down. Most importantly there simply isn't
enough space in most Winbox dialogs to show all the relevant information in one small
area. Firewall rules in Winbox, for example, consist of many tabs. To adequately show all
properties of a rule - when troubleshooting it, for example - you'd have to share one
screenshot for each tab. CLI output, on the other hand, shows all that information in just
one line. Text is also universal - everything can display text. You can also copy and paste
text, which means it's much easier to apply a firewall rule that someone gave you as a
CLI command than it is to click through all the tabs in Winbox and set all the fields
accordingly.
The CLI may initially seem somewhat daunting but is actually organized very well. There
are only 9 different commands that really matter for basic configuration tasks.
Structure
The RouterOS CLI mirrors the GUI (or rather, the GUI mirrors the CLI). The
configuration is divided into menu structures, several levels deep. For example, IP
services are configured under "/ip" with subsections for the specific related tasks: ARP is
configured under "/ip arp", the firewall is configured under "/ip firewall", and so on.
All commands can be prefaced with an absolute or relative reference to the context in
which the command is to be executed. If no context is given, the current context is used.
Below three examples:
[admin@WAP] /ip address> print
This "print" command will be executed in the "/ip address" context, and will therefore
print all configured IP addresses.
[admin@WAP] /ip address> /ip arp print
This "print" command is prefaced with an absolute context of "/ip arp" and will be
executed in that context, and will therefore print all ARP entries the router knows about.
[admin@WAP] /ip address> .. arp print
This "print" command is prefaced with a relative context of ".. arp". The current context
is "/ip address", ".." goes one level up to "/ip", and "arp" goes into "/ip arp". Therefore the
command will print all ARP entries the router knows about.
The <tab> key triggers auto completion, if the current word cannot be auto completed
because several possibilities exist pressing <tab> a second time shows all possible
completions. '?' shows help for existing options at the current position of the command.
Commands are syntax highlighted - command words are pink, items are cyan, and
parameter names are green. When syntax highlighting stops the OS cannot parse the
command, and the command will not execute properly.
Commands can be abbreviated when they are unambiguous. For example, "/ip address
add address=1.1.1.2/24 interface=WAN" can - at an extreme - be abbreviated as "/ip ad a
a=1.1.1.2/24 i=WAN".
Parameters are passed as key/value pairs separated by '=' signs. In the example above the
address parameter is set to 1.1.1.2/24, and the interface parameter is set to the interface
named "WAN".
There are two different types of configuration: one simply exists and has parameters set
on it (e.g., the internal DNS server can be turned on or off), others are items added to a
section as instances in a list of items in the same context (e.g., VLAN interfaces that can
be freely created, or IP addresses assigned to interfaces).
For purposes of displaying commands it is possible to split one very long line over
several lines. This is indicated by a backslash at the end of a line - the next line continues
that line. Here an example:
[admin@WAP] > /ip address add \
interface=outside \
address=1.1.1.2/30
This is used in this tutorial to wrap long configuration commands.
Basic commands
The same basic commands are used to configure all aspects of the OS. Commands exist
to look at configuration, to add configuration, to remove configuration, and to edit
existing configuration.
print
The "print" command prints configuration items in the current context. It has several
qualifiers that can be used to change what information is output, and how it is formatted.
The most important qualifier is "print detail". "print detail" shows all properties of an
item, ensures that everything gets printed ("print" by default shows everything neatly
organized into rows and columns of a table, but may truncate strings to make them all fit
on the screen), and outputs everything as key/value pairs. This is especially valuable
when sharing information on the forums when asking for help.
[admin@WAP] > /ip arp print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
 #    ADDRESS         MAC-ADDRESS        INTERFACE
 0 D  1.1.1.2         00:0B:BF:93:68:1B  outside
[admin@WAP] >
[admin@WAP] > /ip arp print detail
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
 0 D address=1.1.1.2 mac-address=00:0B:BF:93:68:1B interface=outside
[admin@WAP] >
The print command in its first column returns an item number. In subsequent commands
the item number can be used to refer to that item.
export
The "export" command prints the configuration applied in a format that can be copied
and pasted to duplicate the same configuration on another router. The "export" command
will return the configuration of the current section, and all child sections. For example,
the "/ip firewall" context has child contexts for NAT and filters. "/ip firewall export"
would return those child section configurations as well.
remove
The "remove" command deletes an item from a list of configuration items. It refers to an
item number, or the result of a "find" command.
[admin@WAP] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 1   1.1.1.2/29         1.1.1.0         1.1.1.7         outside
 2   10.2.0.1/24        10.2.0.0        10.2.0.255      dmz
[admin@WAP] > /ip address remove 2
[admin@WAP] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 1   1.1.1.2/29         1.1.1.0         1.1.1.7         outside
[admin@WAP] >
add
The "add" command adds an item to a list of configuration items. It will ask for all
parameters that are required but not specified.
[admin@WAP] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 1   1.1.1.2/29         1.1.1.0         1.1.1.7         outside
[admin@WAP] > /ip address add address=10.2.0.1/24 interface=dmz
[admin@WAP] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 1   1.1.1.2/29         1.1.1.0         1.1.1.7         outside
 2   10.2.0.1/24        10.2.0.0        10.2.0.255      dmz
[admin@WAP] >
set
The "set" command edits parameters of an existing item.
[admin@WAP] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 1   1.1.1.2/29         1.1.1.0         1.1.1.7         outside
 2   10.2.0.1/24        10.2.0.0        10.2.0.255      dmz
[admin@WAP] > /ip address set 2 interface=inside
[admin@WAP] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 1   1.1.1.2/29         1.1.1.0         1.1.1.7         outside
 2   10.2.0.1/24        10.2.0.0        10.2.0.255      inside
[admin@WAP] > /ip address set 2 interface=dmz
[admin@WAP] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 1   1.1.1.2/29         1.1.1.0         1.1.1.7         outside
 2   10.2.0.1/24        10.2.0.0        10.2.0.255      dmz
[admin@WAP] >
disable
The "disable" command disables a configuration item rendering it inoperative, but
leaving it in the configuration.
[admin@WAP] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 1   1.1.1.2/29         1.1.1.0         1.1.1.7         outside
 2   10.2.0.1/24        10.2.0.0        10.2.0.255      dmz
[admin@WAP] > /ip address disable 2
[admin@WAP] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 1   1.1.1.2/29         1.1.1.0         1.1.1.7         outside
 2 X 10.2.0.1/24        10.2.0.0        10.2.0.255      dmz
[admin@WAP] >
enable
The "enable" command enables a previously disabled item.
[admin@WAP] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 1   1.1.1.2/29         1.1.1.0         1.1.1.7         outside
 2 X 10.2.0.1/24        10.2.0.0        10.2.0.255      dmz
[admin@WAP] > /ip address enable 2
[admin@WAP] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 1   1.1.1.2/29         1.1.1.0         1.1.1.7         outside
 2   10.2.0.1/24        10.2.0.0        10.2.0.255      dmz
[admin@WAP] >
find
The "find" command returns a set of items that can then be acted on by other commands.
When "find" is executed without any parameters, it returns all items. When "find" is
executed with parameters only items that match the parameters are returned. The most
common matcher is "=" to exactly match a parameter value, it is also possible to match
regular expressions with the "~" operator.
The below enables all IP addresses that exist:
[admin@WAP] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 1   1.1.1.2/29         1.1.1.0         1.1.1.7         outside
 2 X 10.2.0.1/24        10.2.0.0        10.2.0.255      dmz
[admin@WAP] > /ip address enable [/ip address find]
[admin@WAP] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 1   1.1.1.2/29         1.1.1.0         1.1.1.7         outside
 2   10.2.0.1/24        10.2.0.0        10.2.0.255      dmz
[admin@WAP] >
The below disables all IP addresses that are on interface "dmz":
[admin@WAP] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 1   1.1.1.2/29         1.1.1.0         1.1.1.7         outside
 2   10.2.0.1/24        10.2.0.0        10.2.0.255      dmz
[admin@WAP] > /ip address disable [/ip address find interface=dmz]
[admin@WAP] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 1   1.1.1.2/29         1.1.1.0         1.1.1.7         outside
 2 X 10.2.0.1/24        10.2.0.0        10.2.0.255      dmz
[admin@WAP] >
The below enables all IP addresses that are on interfaces that start with the letter "d":
[admin@WAP] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 1   1.1.1.2/29         1.1.1.0         1.1.1.7         outside
 2 X 10.2.0.1/24        10.2.0.0        10.2.0.255      dmz
[admin@WAP] > /ip address enable [/ip address find interface~"^d"]
[admin@WAP] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 1   1.1.1.2/29         1.1.1.0         1.1.1.7         outside
 2   10.2.0.1/24        10.2.0.0        10.2.0.255      dmz
[admin@WAP] >
move
The "move" command moves items in ordered lists where order is important for flow of
execution. Order is especially important for rules in the IP firewall filter, mangle, and
NAT facilities. Items can be moved by referring to the ID of the item that is being moved,
and the ID of the item the rule should be moved to. The below moves rule number 3 into
the place of rule number 0, and all other rules shift down. The firewall rules shown are
non-sensical and only for demonstration of the "move" command:
[admin@WAP] > /ip firewall mangle print where action="mark-routing"
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting action=mark-routing new-routing-mark="mark-a"
 1   chain=prerouting action=mark-routing new-routing-mark="mark-b"
 2   chain=prerouting action=mark-routing new-routing-mark="mark-c"
 3   chain=prerouting action=mark-routing new-routing-mark="mark-d"
[admin@WAP] > /ip firewall mangle move 3 0
[admin@WAP] >
[admin@WAP] > /ip firewall mangle print where action="mark-routing"
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting action=mark-routing new-routing-mark="mark-d"
 1   chain=prerouting action=mark-routing new-routing-mark="mark-a"
 2   chain=prerouting action=mark-routing new-routing-mark="mark-b"
 3   chain=prerouting action=mark-routing new-routing-mark="mark-c"
[admin@WAP] >
Context
Contexts can also be set for a set of commands by enclosing a set in braces, saving
keystrokes. The below enables all IP addresses:
[admin@WAP] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 1   1.1.1.2/29         1.1.1.0         1.1.1.7         outside
 2 X 10.2.0.1/24        10.2.0.0        10.2.0.255      dmz
[admin@WAP] > /ip address { enable [find] };
[admin@WAP] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 1   1.1.1.2/29         1.1.1.0         1.1.1.7         outside
 2   10.2.0.1/24        10.2.0.0        10.2.0.255      dmz
[admin@WAP] >
Example network
This tutorial uses an example network to explain configuration. The router has a public IP
address of 1.1.1.2/30 with a default gateway of 1.1.1.1, and port 'ether1' (later renamed to
'outside') is used to connect to the ISP. Port 'ether2' (later renamed to 'dmz') is a network
that is a true DMZ, this network uses IP address 10.2.0.1/24. Ports 'ether3' through
'ether5' are switched together and all are available for use on the LAN network, later
renamed to 'inside'. This network uses 10.1.0.1/24.
Other SoHo routers refer to unconditional port forwarding to a LAN machine as a DMZ.
In more advanced networks DMZ refers to a third network other than WAN and LAN,
where hosts run services accessible to the Internet at large. Running this in a different
network further protects the LAN network: hosts in the DMZ are exposed to the Internet
and may be under attack. If one is breached this doesn't give the attacker access to the LAN
network, as the firewall doesn't permit DMZ hosts to establish new connections to the LAN.
Router interfaces (ports)
Physical interfaces
Different router models have different sets of physical interfaces. RB1000s have a total of
4 1000Base-TX ports. RB1100s have 10 1000Base-TX ports (2 groups of 5 ports with a
1Gbps pipe to the CPU per group, each group has a switch chip for wire speed layer 2
throughput), and 3 100Base-TX ports. RB750Gs have 5 total 1000Base-TX ports with a
switch chip for wire speed layer 2 throughput. routerboard.com has all the data sheets and
specs.
Switch Chip
Some routers have a built in switch chip that can be activated on physical interfaces to
permit wire speed throughput between those interfaces. Those interfaces will essentially
act like a switch would. By default this is enabled in the SoHo models. While more
advanced configuration is possible most small networks simply need to activate or
deactivate the feature. Within the switch chip, interfaces are either master ports or slave
ports. The master port is where all the router configuration happens (such as the IP
address), and the slave ports refer to the master port. The below configures interfaces
ether3, ether4, and ether5 as slaves to interface ether2:
/interface ethernet
set [find name=ether3] master-port=ether2
set [find name=ether4] master-port=ether2
set [find name=ether5] master-port=ether2
The switch chip is capable for small networks, but can't do advanced VLAN
configurations.
Bridging vs routing
Bridging (which is what switches do) is something that switches do a lot better than
routers. This is just a personal opinion, but whenever I find myself thinking that I should
bridge wired interfaces I almost always end up using a switch instead. One
counterexample is wireless interfaces, which are commonly bridged into wired
networks.
Named interfaces
All configuration of interfaces in RouterOS is done against the name of an interface.
Names can be set arbitrarily.
It is good practice to make the names informative. A good name for the interface used to
connect to the Internet is 'outside' or 'WAN', a good name for the interface used to
connect to inside customers or your home network is 'inside' or 'LAN'. When using the
switch chip the names for the slaved interfaces are unimportant in all but fairly advanced
configurations since any router configuration will be limited to the master port. It can still
make good sense to name the interfaces after what they connect to.
Example network
In our example network we want ether1 to be named 'outside', ether2 to be named 'dmz',
and ether3 - ether5 to be switched with an interface name of 'inside'.
/interface ethernet
set [find name=ether1] name=outside
set [find name=ether2] name=dmz
set [find name=ether3] name=inside
set [find name=ether4] name=inside-slave master-port=inside
set [find name=ether5] name=inside-slave2 master-port=inside
IP addresses
Each interface can carry one or more IP addresses on it. Usually only one IP address per
interface is defined. While viewing IP addresses shows parameters for the network and
broadcast address of the network, these should usually not be defined manually and will
automatically be added when left out. When adding the IP address the subnet mask is
given in CIDR notation.
[admin@WAP] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
[admin@WAP] /ip address> add address=1.1.1.2/29 interface=outside
[admin@WAP] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 1   1.1.1.2/29         1.1.1.0         1.1.1.7         outside
[admin@WAP] /ip address>
DHCP client
In many small environments the router will receive a dynamic IP address via DHCP on
its WAN interface from the ISP. The DHCP client can also be used to populate the routing
table with a default route via the ISP, and pull in DNS servers for the router - and the
networks behind it - to use. The DHCP client must be given an interface to run on, as well
as whether to listen to the DHCP options for DNS and a default route.
/ip dhcp-client
add interface=outside add-default-route=yes use-peer-dns=yes
PPPoE client
The other common method for SoHo routers to receive a public IP address is via PPPoE,
which is used in DSL connections. Most DSL modems can be set into a bridge mode
where the modem performs the translation between the DSL network and regular
Ethernet, the router then becomes the PPPoE client and directly talks to the ISP network
through the modem. PPPoE assigns an IP address to the interface the PPPoE client is
running on, and can also be used to learn about a default route as well as DNS servers. It
is very important to note that the PPPoE client creates a new logical interface (in the
example below it is named 'pppoe-WAN') which now becomes the interface to refer to for
WAN traffic. The 'outside' interface will only be used for the PPPoE encapsulated traffic,
as far as the router is concerned IP traffic will be leaving the router via the PPPoE client
interface.
/interface pppoe-client
add name=pppoe-WAN interface=outside add-default-route=yes use-peer-dns=yes
Example network
In our example network we want the 'outside' interface to have a static IP address of
1.1.1.2/29, the 'dmz' interface to have a static IP address of 10.2.0.1/24, and the 'inside'
interface to have a static IP address of 10.1.0.1/24.
/ip address
add address=1.1.1.2/29 interface=outside
add address=10.2.0.1/24 interface=dmz
add address=10.1.0.1/24 interface=inside
IP routes
Just like on other routing platforms dynamic connected routes are created for all networks
that the router has IP addresses to - after all, if the router has an IP address in the
10.1.0.1/24 network on the "inside" interface then it can reach hosts on that network via
that interface. Static routes can be added by defining a destination address and a gateway.
Usually at least one static route is required: a default route for the router pointing out to
the ISP network. RouterOS can of course also run dynamic routing protocols such as RIP,
OSPF, and BGP, but that is outside the scope of this article.
[admin@WAP] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  10.1.0.0/24        10.1.0.1        inside                    0
 1 ADC  1.1.1.0/29         1.1.1.2         outside                   0
[admin@WAP] >
While RouterOS will let you configure an IP address within the same network on two
different routed interfaces it would be very bad to do so. The router now would think that
it can reach the hosts within that network via either interface, which is unlikely to be the
case.
Adding a default route
New static routes can be added as per below. The example shows adding a default route
(a route for destination 0.0.0.0/0) via the ISP gateway 1.1.1.1:
[admin@WAP] > /ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1
[admin@WAP] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          1.1.1.1                   1
 1 ADC  10.1.0.0/24        10.1.0.1        inside                    0
 2 ADC  1.1.1.0/29         1.1.1.2         outside                   0
[admin@WAP] >
It is interesting to note that technically two routes are now involved for traffic to the
Internet: the router looks at the packet and finds that the default route matches, and that it
should send traffic via 1.1.1.1. It then needs to figure out how to send traffic to 1.1.1.1,
looks at its routing table again, and finds that it can get to 1.1.1.1 via the "outside"
interface via the directly connected route for that network.
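The two-step lookup just described can be reproduced with a small Python model. This is an added example, not RouterOS code: the table is a constructed copy of the print output above (after the default route was added), and the resolution stops at the first route whose gateway is an interface name rather than an IP address. It also shows what happens when the gateway of a default route is not covered by any connected route: the lookup never reaches an interface and the route is unusable.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    dst: str       # destination prefix, e.g. "0.0.0.0/0"
    gateway: str   # next-hop IP address, or an interface name for connected routes
    distance: int


# Constructed copy of the routing table printed above, once the default
# route has been added (two connected routes plus one static route).
TABLE = [
    Route("0.0.0.0/0", "1.1.1.1", 1),
    Route("10.1.0.0/24", "inside", 0),
    Route("1.1.1.0/29", "outside", 0),
]


def best_match(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; among equal prefix lengths the lowest distance wins."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if ip in ipaddress.ip_network(r.dst)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.dst).prefixlen, -r.distance))


def resolve(table: List[Route], dst: str, max_depth: int = 8):
    """Resolve dst to (interface, next_hop, prefixes_consulted).

    A gateway given as an IP address is looked up again, until a route names
    an interface directly; that is the two lookups the text describes for
    Internet-bound traffic. If no interface is ever reached (for example a
    default route whose gateway lies in no connected network) None is
    returned: such a route cannot be used.
    """
    consulted: List[str] = []
    next_hop: Optional[str] = None
    target = dst
    for _ in range(max_depth):
        route = best_match(table, target)
        if route is None:
            return None
        consulted.append(route.dst)
        try:
            gw = ipaddress.ip_address(route.gateway)
        except ValueError:
            # gateway is an interface name: a connected route, so we are done
            return route.gateway, next_hop, consulted
        if next_hop is None:
            next_hop = str(gw)
        target = str(gw)
    return None


if __name__ == "__main__":
    print(resolve(TABLE, "8.8.8.8"))      # Internet host: default route, then connected
    print(resolve(TABLE, "10.1.0.55"))    # LAN host: connected route only
```

Running it for an Internet address returns the "outside" interface, the next hop 1.1.1.1 and the two prefixes consulted, in the order the router consulted them.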
Also note that it is not necessary or recommended to add a static default route if your
router receives its WAN IP address via DHCP or PPPoE. Static default routes should only
be used when the public IP address on the WAN interface is also static.
Example network
In our example network we want the router to use 1.1.1.1 as a default gateway:
/ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.1
DHCP server
DHCP server services consist of three components: the IP pool that defines the range of
IP addresses clients can receive a lease for, the DHCP server network that defines the
parameters clients are passed (such as gateway IP address and DNS servers), and the
DHCP server instance itself that ties a pool to an interface.
IP Pools
IP pools define the range of IP addresses available for users to obtain as a DHCP lease.
Any IP address in a subnet not covered by the pool range is available for static use.
IP pools simply consist of a name that they can be referred to by, as well as a range of IP
addresses. The OS will let you set a range that is out of the bounds of the subnet of the
network users will actually be on, leading to IP addresses unable to reach their default
gateway. Be careful when adjusting ranges to check that the range chosen is actually
covered by the IP network configured on the interface.
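The check recommended above can be automated. The following is an added Python example, not RouterOS code: it takes the interface address in the form used under /ip address ("host/prefix") and a pool range in the form used under /ip pool ("first-last", several ranges separated by commas), and reports addresses that fall outside the subnet, as well as a pool that includes the network or broadcast address or the router's own address (constructed inputs from this guide's 'inside' network).

```python
import ipaddress
from typing import Dict, List


def check_pool(interface_address: str, pool_ranges: str) -> Dict:
    """Check a pool range string against the subnet of an interface address.

    Returns {"ok": bool, "size": int, "out_of_subnet": [...], "problems": [...]}.
    Iterating over every address is fine for the small pools a SoHo router
    hands out.
    """
    iface = ipaddress.ip_interface(interface_address)
    net = iface.network
    problems: List[str] = []
    out_of_subnet: List[str] = []
    size = 0
    for part in pool_ranges.split(","):
        first_s, _, last_s = part.partition("-")
        first = ipaddress.ip_address(first_s)
        last = ipaddress.ip_address(last_s) if last_s else first
        if last < first:
            problems.append(f"range {part}: end precedes start")
            continue
        for n in range(int(first), int(last) + 1):
            a = ipaddress.ip_address(n)
            size += 1
            if a not in net:
                out_of_subnet.append(str(a))
            elif a in (net.network_address, net.broadcast_address):
                problems.append(f"{a} is the network or broadcast address")
            elif a == iface.ip:
                problems.append(f"{a} is the router's own address")
    if out_of_subnet:
        # Such leases are handed out, but the client cannot reach its gateway.
        problems.append(f"{len(out_of_subnet)} address(es) outside {net}: "
                        f"leases from them cannot reach gateway {iface.ip}")
    return {"ok": not problems, "size": size,
            "out_of_subnet": out_of_subnet, "problems": problems}


if __name__ == "__main__":
    # Constructed inputs: the 'inside' interface and the pool used in this guide.
    print(check_pool("10.1.0.1/24", "10.1.0.10-10.1.0.100"))
    # A range that runs past the end of the /24
    print(check_pool("10.1.0.1/24", "10.1.0.200-10.1.1.20"))
```

The second call flags the 21 addresses in 10.1.1.0-10.1.1.20 as outside the subnet and also catches 10.1.0.255, the broadcast address, which the range silently includes.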
To add a pool:
[admin@WAP] /ip pool> export
/ip pool
add name=DHCP-Pool-inside ranges=10.1.0.10-10.1.0.100
[admin@WAP] /ip pool>
To edit a pool:
[admin@WAP] /ip pool> print
 # NAME                RANGES
 0 DHCP-Pool-inside    10.1.0.10-10.1.0.100
[admin@WAP] /ip pool> set [find name="DHCP-Pool-inside"] ranges=10.1.0.100-10.1.0.200
[admin@WAP] /ip pool> print
 # NAME                RANGES
 0 DHCP-Pool-inside    10.1.0.100-10.1.0.200
[admin@WAP] /ip pool>
DHCP Server Networks
DHCP server networks define parameters (DHCP options) to pass on to DHCP clients.
The minimum set of options includes the default gateway and name servers. The default
gateway is usually the IP address of the router on the network interface, and the name
server usually is as well - at least as long as the router is configured as a DNS caching
resolver. That is covered in a different section of this document.
To add a DHCP server network:
[admin@WAP] /ip dhcp-server network> export
/ip dhcp-server network
add address=10.1.0.0/24 comment=inside dns-server=10.1.0.1 gateway=10.1.0.1
[admin@WAP] /ip dhcp-server network>
Note that multiple DNS servers are specified as a comma separated list without spaces.
To edit a DHCP server network:
[admin@WAP] /ip dhcp-server network> print
 # ADDRESS            GATEWAY         DNS-SERVER      WINS-SERVER     DOMAIN
 0 ;;; inside
   10.1.0.0/24        10.1.0.1        10.1.0.1
[admin@WAP] /ip dhcp-server network> set [find comment="inside"] dns-server=8.8.8.8
[admin@WAP] /ip dhcp-server network> print
 # ADDRESS            GATEWAY         DNS-SERVER      WINS-SERVER     DOMAIN
 0 ;;; inside
   10.1.0.0/24        10.1.0.1        8.8.8.8
[admin@WAP] /ip dhcp-server network>
DHCP Servers
DHCP server instances cause the DHCP server process in the router to listen for client
requests on the specified interfaces. Each interface that is to offer DHCP to clients must
have a dedicated DHCP server instance. The instance sets basic parameters such as
whether the server is authoritative and the client lease time, and ties IP pools to
interfaces.
To add a DHCP server instance:
[admin@WAP] /ip dhcp-server> export
/ip dhcp-server
add address-pool=DHCP-Pool-inside authoritative=yes bootp-support=static \
disabled=no interface=inside lease-time=3h name=DHCP-inside
[admin@WAP] /ip dhcp-server>
To edit a DHCP server instance:
[admin@WAP] /ip dhcp-server> print
Flags: X - disabled, I - invalid
 #   NAME        INTERFACE   RELAY   ADDRESS-POOL       LEASE-TIME   ADD-ARP
 0   DHCP-...    inside              DHCP-Pool-Ins...   3h
[admin@WAP] /ip dhcp-server> set [find interface=inside] lease-time=1h
[admin@WAP] /ip dhcp-server> print
Flags: X - disabled, I - invalid
 #   NAME        INTERFACE   RELAY   ADDRESS-POOL       LEASE-TIME   ADD-ARP
 0   DHCP-...    inside              DHCP-Pool-Ins...   1h
[admin@WAP] /ip dhcp-server>
Lease time considerations
The below usually isn't very important for home networks, but can become worth
considering for routers that serve constantly changing clients.
Clients renew their DHCP lease after half the lease time has passed. It is
generally better to create larger networks, so that stale leases for clients no longer attached
don't eat up all available IP addresses on the network, and to set long lease times.
By way of example, if a network has 1,200 users attached to it and a DHCP lease time of
just 10 minutes, each user will send lease renewal requests to the DHCP server on the
router every 5 minutes. On average the DHCP server would see (1,200 users / 300
seconds) = 4 DHCP requests per second. With a lease time set to 2 hours the DHCP
server would only see (1,200 users / 3600 seconds) = one DHCP request every 3 seconds,
which leaves more router resources available to route packets, rate limit users, or do
whatever else the router is configured to do. Private IP address space is free; it is better to
optimize for router utilization than for IP address conservation.
The wizard
The above explained how DHCP servers work internally. Alternatively you can simply let
the router create all the configuration items for you by running "/ip dhcp-server setup"
and answering the interactive prompts, many of which will have pre-filled values that you
can accept.
Example network
In our example network we want the router to act as a DHCP server for the 'inside'
network on 10.1.0.0/24. The pool of DHCP leases is to be 10.1.0.200-10.1.0.254. The
router will act as the default gateway for the DHCP clients, and will also act as the DNS
server.
/ip pool
add name=DHCP-Pool-inside ranges=10.1.0.200-10.1.0.254
/ip dhcp-server network
add address=10.1.0.0/24 comment=inside dns-server=10.1.0.1 gateway=10.1.0.1
/ip dhcp-server
add address-pool=DHCP-Pool-inside authoritative=yes bootp-support=static \
disabled=no interface=inside lease-time=3h name=DHCP-inside
IP firewall
The IP firewall is responsible for filtering packets (accepting or dropping them), as well
as changing their properties. Three facilities exist: filter, mangle, and NAT. Only filter
and NAT are discussed here.
Filters
Filters are used to drop or accept packets going through the router or going to the router.
All packets that the router sees will traverse a series of chains. The default action - i.e.,
the action that is taken if the packet doesn't match any of the rules in a chain - is to accept
the packet. This is called a 'default permit' firewall. 'Default permit' firewalls are related
to the concept of blacklisting, which refers to the practice of explicitly identifying all
things that are bad and accepting everything else as implicitly good. Blacklisting is
generally not a very good or secure approach as it is very easy to forget to define a known
bad thing. Additionally, new bad things are continuously being developed. A more secure
approach is whitelisting in a 'default deny' firewall: first everything that is known to be
good is permitted, and then everything else is denied. Because the RouterOS firewall
filters are 'default permit' we have to explicitly drop everything we did not explicitly
permit before.
Chains
The mangle and filter facilities have five built-in chains:
• prerouting
• input
• forward
• output
• postrouting
It is also possible to define custom chains and jump into them. That approach is very
useful when the same actions should be applied to packets identified in different rules.
However, custom chains are outside the scope of this article.
All packets being sent to the router always traverse the 'prerouting' chain. At the end of
'prerouting' the router determines whether a packet is destined to the router itself (for
example a packet that is part of a Winbox connection going from the management host to
the router), or whether the packet should be sent out another interface. Packets to the
router itself will then traverse the 'input' chain. Packets that will go through the router
will traverse the 'forward' chain. Packets to the router itself will never be in the 'forward'
chain, and packets through the router will never be in the 'input' chain. Packets that are
generated by the router itself (for example a packet that is part of a Winbox connection
going from the router to the management station) will traverse the 'output' chain. Both
packets through the router as well as packets from the router will then traverse the
'postrouting' chain.
Though somewhat complicated, realistically only two chains are important for simple
SoHo routers: the router itself is secured in the 'input' chain, and the hosts on networks
behind the router are secured in the 'forward' chain.
To learn about all the details of chains and how packets move through the firewall refer to
the single best page on the wiki: the Packet Flow page. While daunting at first it becomes
easier to decipher the more time you spend with RouterOS, and answers most questions
about where and when to do something.
State
Like other advanced firewall platforms RouterOS can keep state of connections by
tracking them. That means that it knows what connection a packet belongs to, and can
make decisions on the packet based on how other packets in the connection have been
treated. This is very useful in that it allows a firewall approach where the only decisions
being made are which connections can be established in the first place. All packets in
connections that were allowed to be established are then simply permitted, and all other
packets are dropped.
There are three connection states: 'established' means the packet is part of an already
established connection, 'related' means that the packet is part of a connection that is
related to an already established connection. The canonical example here is FTP, which
has both a data and a control channel: first a control channel is established, which then
negotiates the details of the data channel that will actually transfer files. By inspecting the
control channel the router can learn about the dynamically negotiated data channel. And
'invalid' means that the packet is part of a connection that the router doesn't know
anything about.
Example network
In our example network we want the router to permit devices on the 'inside' network to
establish connections to the Internet behind the 'outside' interface, as well as to the web
server in the DMZ. The web server is allowed to establish connections to the Internet
behind the 'outside' interface, but can not establish connections to the 'inside' network.
The Internet can establish HTTP and HTTPS connections to the web server in the DMZ,
but cannot establish any other connections to local devices.
The router itself can only be managed from the 'inside' network - devices on the Internet
or in the DMZ cannot establish any management connections to the router at all.
Those policies are all implemented via connection state. The rules are surprisingly readable
in English:
/ip firewall filter
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=inside action=accept
add chain=input action=drop
First all packets in established and related connections are permitted. Then all invalid
packets are dropped. Then packets coming in via the 'inside' interface are permitted - this
allows hosts on the 'inside' network to establish connections to the router. Finally any
packets that don't match those rules are dropped.
/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=inside action=accept
add chain=forward in-interface=dmz out-interface=outside action=accept
add chain=forward dst-address=10.2.0.10 protocol=tcp dst-port=80,443 action=accept
add chain=forward action=drop
First all packets in established and related connections are permitted. Then all invalid
packets are dropped. Then packets coming in via the 'inside' interface are permitted - this
allows hosts on the 'inside' network to establish connections to anywhere, including the
Internet and the DMZ. Then any packets coming in via the 'dmz' interface are permitted
as long as the router is going to send them out the 'outside' interface - this allows the
DMZ hosts to access the Internet, but keeps them out of the 'inside' network. Then
connections to 10.2.0.10 (the web server IP) on tcp/80 and tcp/443 are permitted - this
allows the Internet to connect to the web server. Finally any packets that don't match
those rules are dropped.
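To confirm that the two chains above really express the stated policy, here is an added Python model of first-match rule evaluation over those rules; it is not RouterOS code. It assumes connection tracking has already classified each packet ('new', 'established', 'related' or 'invalid'), that destination NAT has already rewritten the web server's public address to 10.2.0.10 (the 'forward' chain sees the translated address, as the NAT section explains), and uses the interface names and addresses of the example network; the sample packets are constructed. The last helper shows why the trailing unconditional drop matters: without it the default-permit chain accepts anything that fell through.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One packet as the filter chains see it. out_iface is None for packets
    addressed to the router itself, which traverse 'input' instead of 'forward'."""
    in_iface: str
    out_iface: Optional[str]
    dst: str
    proto: str = "tcp"
    dport: int = 0
    state: str = "new"   # new | established | related | invalid


# A rule is (matchers, action). Omitted matchers are wildcards, as in RouterOS.
Rule = Tuple[Dict[str, object], str]

INPUT_RULES: List[Rule] = [
    ({"state": "established"}, "accept"),
    ({"state": "related"}, "accept"),
    ({"state": "invalid"}, "drop"),
    ({"in_iface": "inside"}, "accept"),
    ({}, "drop"),
]

FORWARD_RULES: List[Rule] = [
    ({"state": "established"}, "accept"),
    ({"state": "related"}, "accept"),
    ({"state": "invalid"}, "drop"),
    ({"in_iface": "inside"}, "accept"),
    ({"in_iface": "dmz", "out_iface": "outside"}, "accept"),
    ({"dst": "10.2.0.10", "proto": "tcp", "dport": (80, 443)}, "accept"),
    ({}, "drop"),
]


def matches(matchers: Dict[str, object], pkt: Packet) -> bool:
    for field, wanted in matchers.items():
        have = getattr(pkt, field)
        if isinstance(wanted, tuple):     # a port list such as dst-port=80,443
            if have not in wanted:
                return False
        elif have != wanted:
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """The first matching rule decides; returns (action, rule index).
    Nothing matching means 'accept', because RouterOS filter chains are
    default-permit."""
    for i, (matchers, action) in enumerate(rules):
        if matches(matchers, pkt):
            return action, i
    return "accept", None


def verdict(pkt: Packet) -> str:
    chain = INPUT_RULES if pkt.out_iface is None else FORWARD_RULES
    return evaluate(chain, pkt)[0]


def verdict_without_final_drop(rules: List[Rule], pkt: Packet) -> str:
    """What the same chain does if the trailing unconditional drop is forgotten."""
    return evaluate(rules[:-1], pkt)[0]


if __name__ == "__main__":
    # Constructed sample packets from the example network
    print(verdict(Packet("dmz", "inside", "10.1.0.10", "tcp", 445)))        # drop
    print(verdict(Packet("outside", "dmz", "10.2.0.10", "tcp", 443)))       # accept
    print(verdict(Packet("outside", None, "1.1.1.2", "tcp", 8291)))         # drop
    print(verdict_without_final_drop(FORWARD_RULES,
                                     Packet("outside", "dmz", "10.2.0.10", "tcp", 22)))  # accept
```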
NAT
NAT refers to changing IP addresses in IP packet headers. This is often a requirement
when private IP addresses from the RFC1918 range are used on a network: private IP
addresses cannot be routed across the Internet, so the router has to substitute its own
public IP address in their places. There are two types of NAT: destination NAT changes
the IP address in the destination header field, and source NAT changes the IP address in
the source header field. They are processed in the 'srcnat' and 'dstnat' chains of the NAT
facility. NAT requires connection tracking, and NAT is only evaluated for the first packet
in a connection. All other packets in the same connection will then have the same action
as the first packet applied to them, for the lifetime of the connection. For packets flowing
in the other direction the opposite source NAT action is taken. This is best illustrated with
an example:
10.1.0.10 on the 'inside' network is sending a packet to a web server with an IP address of
5.5.5.5 on the Internet. When the packet leaves the host it has a destination IP address of
5.5.5.5 and a source IP address of 10.1.0.10. When the packet gets to the router and sent
out the 'outside' interface to the Internet the router applies source NAT and changes the
source IP address from 10.1.0.10 to 1.1.1.2, the IP address on its WAN interface. When
the packet gets to the web server and the server replies it sends the packet with a source
IP address of 5.5.5.5 and a destination IP address of 1.1.1.2. Once the packet gets to the
router it is found to be part of an existing connection, and that the original source address
was 10.1.0.10. The router replaces the destination IP address in the packet header with
10.1.0.10 and sends the packet out the 'inside' interface to the host. It is important to note
that this destination NAT action doesn't have to be configured - it happens automatically,
as part of undoing the original source NAT action that was explicitly configured. Each
explicit source NAT rule has an implicit destination NAT action that undoes the
translation in the other direction, and each explicit destination NAT rule has an implicit
source NAT action for the same reason.
It is also important to know when NAT happens: because NAT changes the IP address in
the packet headers different chains see different IP addresses for the same packet.
Destination NAT (both explicit and implicit) happens after the 'prerouting' chain. Source
NAT happens after the 'postrouting' chain. Because of the sequence of actions the
prerouting chain always sees packets with their original IP address, and the 'input' and
'forward' chains see packets with destination IPs as changed by destination NAT.
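The connection-tracking behaviour just described (NAT rules consulted only for the first packet, and every explicit translation carrying an implicit reverse translation) is modelled in the added Python class below. It is an illustration, not RouterOS code: the flows, hosts and interface names are constructed from the example network, and the handling of two inside hosts that happen to use the same source port to the same server (the second one gets a fresh port) is a simplification assumed here, since the text does not describe port allocation.

```python
from typing import Dict, Optional, Tuple

# A flow is (proto, src_ip, src_port, dst_ip, dst_port), as in a packet header.
Flow = Tuple[str, str, int, str, int]


class NatRouter:
    """Toy model of srcnat/dstnat plus the connection-tracking table that makes
    the reverse translation implicit (added example, not RouterOS code)."""

    def __init__(self, wan_iface: str, wan_ip: str):
        self.wan_iface = wan_iface
        self.wan_ip = wan_ip
        self.forward_map: Dict[Flow, Flow] = {}  # original packet -> translated
        self.reply_map: Dict[Flow, Flow] = {}    # reply as received -> as delivered
        self.port_forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self._next_port = 1024                   # used only on source-port collisions

    def add_port_forward(self, proto: str, port: int, to_ip: str, to_port: int) -> None:
        """Equivalent of: add chain=dstnat dst-address=<wan ip> protocol=<proto>
        dst-port=<port> action=dst-nat to-addresses=<to_ip>."""
        self.port_forwards[(proto, port)] = (to_ip, to_port)

    def _track(self, original: Flow, translated: Flow) -> None:
        self.forward_map[original] = translated
        proto, t_src, t_sport, t_dst, t_dport = translated
        _, o_src, o_sport, o_dst, o_dport = original
        # The far end replies to the translated addresses; that reply is keyed
        # here and rewritten back to what the original sender expects.
        self.reply_map[(proto, t_dst, t_dport, t_src, t_sport)] = \
            (proto, o_dst, o_dport, o_src, o_sport)

    def _free_port(self, proto: str, dst: str, dport: int, want: int) -> int:
        # Assumed simplification: two inside hosts using the same source port to
        # the same server would collide on the reply key, so allocate a new port.
        while (proto, dst, dport, self.wan_ip, want) in self.reply_map:
            want = self._next_port
            self._next_port += 1
        return want

    def translate(self, pkt: Flow, in_iface: str, out_iface: Optional[str]) -> Flow:
        """Return the packet as it leaves the router (out_iface is None when the
        packet is for the router itself)."""
        if pkt in self.forward_map:          # later packet of a tracked connection
            return self.forward_map[pkt]
        if pkt in self.reply_map:            # reply: implicit reverse translation
            return self.reply_map[pkt]
        proto, src, sport, dst, dport = pkt
        # dstnat: only new packets arriving on the WAN for our public address
        if in_iface == self.wan_iface and dst == self.wan_ip \
                and (proto, dport) in self.port_forwards:
            to_ip, to_port = self.port_forwards[(proto, dport)]
            translated = (proto, src, sport, to_ip, to_port)
            self._track(pkt, translated)
            return translated
        # srcnat: add chain=srcnat out-interface=outside action=src-nat to-addresses=<wan ip>
        if out_iface == self.wan_iface:
            translated = (proto, self.wan_ip,
                          self._free_port(proto, dst, dport, sport), dst, dport)
            self._track(pkt, translated)
            return translated
        return pkt                           # no NAT rule matched: header untouched


if __name__ == "__main__":
    # Constructed walk-through of the 10.1.0.10 -> 5.5.5.5 example in the text
    r = NatRouter("outside", "1.1.1.2")
    out = ("tcp", "10.1.0.10", 40000, "5.5.5.5", 80)
    print(r.translate(out, "inside", "outside"))                           # src becomes 1.1.1.2
    print(r.translate(("tcp", "5.5.5.5", 80, "1.1.1.2", 40000), "outside", "inside"))  # dst back to 10.1.0.10
```

The reply to the web server's packet is rewritten from a single tracking entry, and the same entry serves a port-forwarded connection in the other direction: the DMZ server's reply leaves with the public address as its source even though only a dstnat rule was configured.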
Source NAT
Source NAT comes in two different flavors: 'masquerade' and 'src-nat'. Both change the
source IP address in a packet header, but use different mechanisms to derive the new IP
address. 'masquerade' dynamically looks at the primary IP address on the interface that
the packet will leave the router through, and uses that as the new source IP address. This
is perfect for interfaces that received their IP address via DHCP or PPPoE. 'src-nat'
requires a parameter called 'to-addresses' that statically configures the source IP address
to use. This is perfect for interfaces with static IP addresses. Source NAT should only
ever be applied when absolutely needed at the border where private IP addresses can no
longer be routed. In most small networks that means source NAT should only be applied
on the WAN interface.
Masquerade
The below configures an interface for masquerade source NAT, and refers to the
outbound interface to make sure only traffic leaving through the WAN interface is subject
to source NAT:
/ip firewall nat
add chain=srcnat out-interface=outside action=masquerade
Static source NAT
The below configures an interface for static source NAT, and again refers to the outbound
interface. The only additional information required is the static address:
/ip firewall nat
add chain=srcnat out-interface=outside action=src-nat to-address=1.1.1.2
Destination NAT
Unlike source NAT all destination NAT is static. Destination NAT is often used for port
forwarding to allow Internet resources to access devices on the local network. It is
possible to forward all IP traffic, or just specific ports for specific protocols. It is
important to be very specific when writing destination NAT rules: for example, it is easily
possible to forget to specify a destination IP address and to just apply destination NAT to
all HTTP and HTTPS traffic. This would break web browsing for other computers behind
the router. The below forwards ports tcp/80 and tcp/443 (HTTP and HTTPS) to the web
server with IP address 10.2.0.10 in the DMZ network.
/ip firewall nat
add chain=dstnat dst-address=1.1.1.2 protocol=tcp dst-port=80,443 \
action=dst-nat to-addresses=10.2.0.10
Example network
In our example network we need to source NAT out to the Internet and translate all inside
and DMZ traffic to our static IP address, and forward web traffic to the web server in the
DMZ as shown above.
/ip firewall nat
add chain=srcnat out-interface=outside action=src-nat to-address=1.1.1.2
add chain=dstnat dst-address=1.1.1.2 protocol=tcp dst-port=80,443 \
action=dst-nat to-addresses=10.2.0.10
Bruteforce login prevention (FTP / SSH)
These are two basic scripts from the forum (written by other users) that are used frequently.
Allow only 10 incorrect FTP login answers per minute. In /ip firewall filter:
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h
This will cause an SSH brute forcer to be banned for 2 hours (or 10d for 10 days) after
repeated attempts. Change the timeouts as necessary.
/ip firewall filter
Deny anyone who is on the ssh_blacklist a new session on any protocol:
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no
Allow anyone who was on "ssh_stage3" to open a new session on port 22, and add the
address to "ssh_blacklist" with a timeout of 2 hours:
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=2h comment="" disabled=no
Allow anyone who was on "ssh_stage2" to open a new session on port 22, and add the
address to "ssh_stage3" with a timeout of 1 minute:
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no
Allow anyone who was on "ssh_stage1" to open a new session on port 22, and add the
address to "ssh_stage2" with a timeout of 1 minute:
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m \
comment="" disabled=no
Allow anyone who creates a first session on port 22, and add the address to
"ssh_stage1" with a timeout of 1 minute:
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
If you want to block downstream access as well, you need to block it with the forward
chain:
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute downstream" disabled=no
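The staged address lists above are easier to reason about when simulated. Below is an added Python model of those input rules, not RouterOS code; the source address 203.0.113.7 and the connection times are constructed. It relies on one RouterOS behaviour the rules depend on: 'add-src-to-address-list' is a pass-through action, so the packet continues to the next rule and several stage rules can fire for one packet. The simulation makes one caveat visible: the rules count new TCP/22 connections, not failed logins, so four connections within a minute from a legitimate administrator also earn a two-hour ban, while an attacker who waits more than a minute between attempts never climbs past stage 1.

```python
from typing import Dict, List

# Stage ladder encoded by the rules above: being on this list when a new TCP/22
# connection arrives puts the source on the next list for the given seconds.
LADDER = {
    "ssh_stage1": ("ssh_stage2", 60),
    "ssh_stage2": ("ssh_stage3", 60),
    "ssh_stage3": ("ssh_blacklist", 2 * 3600),
}


class AddressLists:
    """Minimal model of /ip firewall address-list with address-list-timeout."""

    def __init__(self) -> None:
        self._expiry: Dict[str, Dict[str, float]] = {}

    def add(self, name: str, ip: str, now: float, timeout: float) -> None:
        # Re-adding an address refreshes its timeout, as RouterOS does.
        self._expiry.setdefault(name, {})[ip] = now + timeout

    def contains(self, name: str, ip: str, now: float) -> bool:
        exp = self._expiry.get(name, {}).get(ip)
        return exp is not None and exp > now


def new_ssh_connection(lists: AddressLists, ip: str, now: float) -> str:
    """Run one new TCP/22 connection from ip through the input rules above,
    top to bottom. Returns 'drop' or 'accept'."""
    if lists.contains("ssh_blacklist", ip, now):      # rule 1: drop blacklisted
        return "drop"
    # Rules 2-4 are pass-through: every matching one fires and evaluation continues.
    for stage in ("ssh_stage3", "ssh_stage2", "ssh_stage1"):
        if lists.contains(stage, ip, now):
            nxt, timeout = LADDER[stage]
            lists.add(nxt, ip, now, timeout)
    lists.add("ssh_stage1", ip, now, 60)               # rule 5: every new connection
    return "accept"


def simulate(connection_times: List[float], ip: str = "203.0.113.7") -> List[str]:
    """Verdict for each new connection attempt at the given times (seconds).
    The address is a constructed sample value."""
    lists = AddressLists()
    return [new_ssh_connection(lists, ip, t) for t in connection_times]


if __name__ == "__main__":
    print(simulate([0, 10, 20, 30, 40, 50]))   # 4th connection triggers the ban
    print(simulate([0, 120, 240, 360]))        # slow attempts never leave stage 1
```

Note that the fourth connection is itself still accepted: the blacklist check sits above the rule that adds to the list, so the ban only takes effect from the next new connection onward, and it expires two hours after that fourth connection.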
DoS attack protection
Diagnose
Are there too many connections with syn-sent state present?
/ip firewall connection print
Are there too many packets per second going through any interface?
/interface monitor-traffic ether3
Is CPU usage 100%?
/system resource monitor
Are there too many suspicious connections?
/tool torch
Protection
Limit incoming connections
An IP address with too many connections can be added to a 'black-list' type address list
for further blocking.
/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32 \
action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d
where LIMIT is the maximum number of connections per IP. LIMIT should be 100
or even higher, as many services use multiple connections (HTTP, torrent, other P2P
programs).
Action tarpit
Instead of simply dropping an attacker's packets (with 'action=drop') the router can capture
and hold connections, and with a powerful enough router this can slow the attacker down.
/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr \
connection-limit=3,32 action=tarpit
SYN filtering
Some advanced filtering can be applied to TCP packet state.
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new \
action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new \
action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \
action=drop comment="" disabled=no
'limit=400,5' is the threshold. The jump rule in the forward chain is added disabled; enable
it for excess SYN packets (an excessive number of new connections) to be dropped.
SYN cookies
/ip firewall connection tracking set tcp-syncookie=yes
Setup firewall rules to protect your router
First, set up an address list of IPs that includes the local network and the static IP
addresses used for remote access to the router, in case you need to set something up for the client.
/ip firewall address-list
add list=remote_access address=10.10.10.0/24 comment="Local Network" disabled=no
add list=remote_access address=1.1.1.1/32 comment="My Remote IP" disabled=no
Then the firewall rules
/ip firewall filter
add chain=input connection-state=established comment="Accept established connections" disabled=no
add chain=input connection-state=related comment="Accept related connections" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings" disabled=no
add chain=input protocol=icmp action=drop comment="Drop excess pings" disabled=no
add chain=input src-address-list=remote_access action=accept comment="Allow access to router from known networks and remote servers" disabled=no
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else" disabled=no
add chain=input action=drop comment="Drop everything else" disabled=no
Securing your router
To protect your WAP/CAP RouterOS™, you should do the following things:
Change admin's password
Just select the Password menu within the WinBox GUI, or type the following command in the CLI:
[admin@WAP] > / password
old password:
new password: ******
retype new password: ******
This will change your current admin's password to what you have entered twice. Make
sure you remember the password! If you forget it, there is no recovery. You need to
reinstall the router!
Add users to the system
You should add each user that is going to log on to the router as a separate user and
specify a group of privileges. Add yourself as a user of group full (same as for admin), for
example, under System -> Users:
You may create new groups for users with specific tasks.
Set up packet filtering
All packets with destination to the router are processed against the ip firewall filter's
input chain. Note that the input chain does not affect packets which are being transferred
through the router!
You can add following rules to the input chain under /ip firewall filter (just 'copy and
paste' to the router using Terminal Console or configure the relevant arguments in
WinBox):
/ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
add chain=input protocol=tcp dst-port=22 comment="SSH for secure shell"
add chain=input protocol=tcp dst-port=8291 comment="winbox"
# Edit these rules to reflect your actual IP addresses! #
add chain=input src-address=159.148.172.192/28 comment="From WAP/CAPls network"
add chain=input src-address=10.0.0.0/8 comment="From our private LAN"
# End of Edit #
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"
Use /ip firewall filter print input stats command to see how many packets have been
processed against these rules. Use reset-counters-all command to reset the counters.
Examine the system log file /log print to see the packets which have been dropped.
You may need to include additional rules to allow access from certain hosts, etc.
Remember that firewall rules are processed in the order they appear on the list! After a
rule matches the packet, no more rules are processed for it. After adding new rules, move
them up using the move command.
Note: if you have misconfigured the firewall and locked yourself out of the router,
you may use MAC telnet from another router or workstation on the same LAN to connect
to your router and correct the problem.
Setup MAC filtering (Mac locking)
Either from firewall rule:
/ip firewall filter
add chain=forward src-mac-address=aa:bb:cc:dd:ee:ff action=drop
Or:
IP --> DHCP Server --> Leases --> Add new --> General: Address = "Pool_Name", MAC Address = "MAC address of the device to be blocked", Server = "Name of DHCP Server", Block Access = yes, Address List = Black-list
Connections Tracking
You can disable or enable connection tracking. Disabling connection tracking will cause
several firewall features to stop working. The default value is auto, which means that
connection tracking is disabled until at least one firewall rule is added. Disabling
connection tracking would increase throughput.
Basic universal firewall script
This is a basic firewall that can be applied to any router.
This script has basic rules to protect your router and avoid some unnecessary forwarded
traffic. Pay attention to all comments before applying each DROP rule.
First we need to create our address lists with all the IPs we will use most often.
Below you need to change x.x.x.x/x to your technical subnet. This subnet will have full
access to the router.
/ip firewall address-list add address=x.x.x.x/x disabled=no list=support
Below we have the bogon list.
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" disabled=no list=bogons
add address=10.0.0.0/8 comment="Private [RFC 1918] - CLASS A # Check if you need this subnet before enabling it" \
disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" disabled=no list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=no list=bogons
add address=172.16.0.0/12 comment="Private [RFC 1918] - CLASS B # Check if you need this subnet before enabling it" \
disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private [RFC 1918] - CLASS C # Check if you need this subnet before enabling it" \
disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=no list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=no list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=no list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=no list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=no list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enabling it" \
disabled=yes list=bogons
Now we have protection against SYN flood, ICMP flood, port scan, email spam and
much more. For more information read the comments.
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input \
comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input \
comment="Port Scanner Detect" disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=input \
comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADDING YOUR SUBNET TO THE SUPPORT ADDRESS LIST" \
disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward \
comment="Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" disabled=no port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established disabled=no protocol=tcp
add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=no protocol=tcp
add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=support
add action=drop chain=input \
comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" \
disabled=yes
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" disabled=no icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=no protocol=icmp
add action=jump chain=output comment="Jump for icmp output" disabled=no jump-target=ICMP protocol=icmp
168
Minimum Firewall Rules
Below are the minimum firewall rules needed to protect the network from attackers.
/ip firewall filter
add action=drop chain=input comment="" disabled=no dst-port=20-21 protocol=\
tcp src-address-list=!allow
add action=drop chain=input comment="" disabled=no dst-port=22 protocol=tcp \
src-address-list=!allow
add action=drop chain=input comment="" disabled=no dst-port=23 protocol=tcp \
src-address-list=!allow
add action=drop chain=input comment="" disabled=no dst-port=80 protocol=tcp \
src-address-list=!allow
add action=drop chain=forward comment="" disabled=no dst-port=445 \
out-interface=public_interface protocol=tcp
add action=drop chain=forward comment="" disabled=no dst-port=137-139 \
out-interface=public_interface protocol=tcp
add action=drop chain=forward comment="" disabled=no dst-port=137-139 \
out-interface=public_interface protocol=udp
add action=drop chain=forward comment="block spammer or infected users" \
disabled=no dst-address=!xxx.xxx.xxx.xxx/xx dst-port=25 protocol=tcp \
src-address-list=spammer
add action=log chain=forward comment="trap spammers" connection-limit=30,32 \
disabled=no dst-address=!xxx.xxx.xxx.xxx/xx dst-port=25 limit=50,5 \
log-prefix=spammertrap protocol=tcp
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
1d chain=forward comment="trap spammers" connection-limit=30,32 disabled=\
no dst-address=!xxx.xxx.xxx.xxx/xx dst-port=25 limit=50,5 protocol=tcp
Basic firewall rules
Firewall Basic
Chain & Action
Firewall filter rules are organized in chains. There are default and user-defined chains.
There are three default chains:
• input – processes packets sent to the router (the destination address is the router's own)
• output – processes packets sent by the router
• forward – processes packets sent through the router (neither the source nor the destination is the router)
Every user-defined chain must be entered from at least one of the default chains (with a jump rule).
Chain Input
Protecting the router: allow only the necessary services, from trusted source addresses, at an acceptable rate.
To deny access to the router via Telnet (TCP port 23):
/ip firewall filter add chain=input protocol=tcp dst-port=23 action=drop
Chain Forward
Protecting the customers from viruses and protecting the Internet from the customers.
Block IP addresses called "bogons":
add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop
Condition: Connection State
Connection state is a status assigned to each packet by the connection tracking (conntrack) system:
• New – the packet is opening a new connection
• Related – the packet is also opening a new connection, but one that is related to an already established connection
• Established – the packet belongs to an already known connection
• Invalid – the packet does not belong to any known connection
• Connection state ≠ TCP state
Address List
Firewall address lists allow the user to create lists of IP addresses grouped together. The firewall filter, mangle and NAT facilities can use address lists to match packets against them.
Address list records can be updated dynamically via the action=add-src-to-address-list or action=add-dst-to-address-list actions found in the NAT, mangle and filter facilities.
The following example creates an address list of hosts that connect to port 23 (telnet) on the router and drops all further traffic from them. Additionally, the address list will contain one static entry of address=192.0.34.166/32 (www.example.com):
/ip firewall address-list add list=drop_traffic address=192.0.34.166/32
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=23 action=add-src-to-address-list address-list=drop_traffic
/ip firewall filter add action=drop chain=input src-address-list=drop_traffic
NAT Type
As an IP packet header carries two IP addresses and two ports, there are two types of NAT.
• NAT which rewrites the source IP address and/or port is called source NAT (src-nat)
o performed on packets that originate from the NATed network
o the NAT router replaces the private source address of an IP packet with a new public IP address as the packet travels through the router
• NAT which rewrites the destination IP address and/or port is called destination NAT (dst-nat)
o performed on packets that are destined to the NATed network
o it is most commonly used to make a host on a private network accessible from the internet
Firewall NAT Structure
Firewall NAT rules are organized in chains; there are two default chains:
• dstnat – processes traffic sent to and through the router, before it is split into the “input” and “forward” chains of the firewall filter.
• srcnat – processes traffic sent from and through the router, after it merges from the “output” and “forward” chains of the firewall filter.
There are also user-defined chains. Firewall NAT rules process only the first packet of each connection (packets with connection state “new”).
NAT Action (6 specific NAT actions)
• dst-nat and redirect
• src-nat and masquerade
• netmap
• same
Source NAT Action
• Action “src-nat” changes the packet's source address and/or port to the specified address and/or port
• This action can take place only in chain srcnat
• Typical application: hide specific LAN resources behind a specific public IP address
Masquerade Action
• Action “masquerade” changes the packet's source address to the router's address and a specified port
• This action can take place only in chain srcnat
• Typical application: hide specific LAN resources behind one dynamic public IP address
Destination NAT Action
• Action “dst-nat” changes the packet's destination address and port to the specified address and port
• This action can take place only in chain dstnat
• Typical application: ensure access to local network services from the public network
Redirect NAT Action
• Action “redirect” changes the packet's destination address to the router's address and a specified port
• This action can take place only in chain dstnat
• Typical application: transparent proxying of network services (DNS, HTTP)
Netmap & Same
• Netmap – creates a static 1:1 mapping of one set of IP addresses to another. Often used to distribute public IP addresses to hosts on private networks
• Same – gives a particular client the same source/destination IP address from the supplied range for every connection. Used for services that expect a constant IP address for multiple connections from the same client
Setup basic firewall rules
Before starting any new setting, ALWAYS back up the current working configuration first.
Select and copy the commands from the list below one portion at a time; DO NOT select all of them at one go!!
Note: Enter "/ip firewall filter" in the Terminal window before copying and pasting the following commands.
Please note this setup is based on the assumption that:
Default network segment: 192.168.88.0/24
Internet interface: UniFi-Internet
You may need to change the above values according to your actual setup.
For a first-time setup, it is easier to use the Terminal and enter the commands.
Click New Terminal and it will show you the command entry screen.
Allow only needed icmp codes in icmp chain
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"
Drop port scanners
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
Various combinations of TCP flags can also indicate port scanner activity:
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
Drop those IPs in both Input & Forward chains:
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
add chain=forward src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
Router protection:
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input src-address=192.168.88.0/24 action=accept in-interface=!UniFi-Internet
add chain=input action=drop comment="Drop everything else"
Customer protection (forward chain - traffic passing through the router):
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
Block Bogon IP addresses:
add chain=forward src-address=0.0.0.0/8 action=drop comment="Block Bogon IP addresses"
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop
Make jumps to new chains:
add chain=forward protocol=tcp action=jump jump-target=tcp comment="Make jumps to new chains"
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
Create TCP chain and deny some TCP ports in it (revise port numbers as needed):
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
Create UDP chain and deny some UDP ports in it (revise port numbers as needed):
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice"
Another Basic Firewall
The basis of every firewall is simple: “Allow what you want, then DROP EVERYTHING ELSE”. Got it? I’ll try to implement that for WAP/CAP.
Just for example:
WAN = Internet interface
LAN = LAN / local network interface, i.e., 192.168.0.0/24.
/ip firewall filter
add action=drop chain=input comment="drop invalid" connection-state=invalid disabled=no
add chain=input in-interface=WAN protocol=tcp dst-port=8291 action=accept comment="accept winbox" disabled=no
add action=accept chain=input comment="accept dns" disabled=no dst-port=53 protocol=udp
add action=accept chain=input comment="" disabled=no protocol=udp src-port=53
add action=accept chain=input comment="accept ntp" disabled=no dst-port=123 protocol=udp
add action=accept chain=input comment="accept lan network" disabled=no in-interface=LAN src-address=192.168.0.0/24
add action=accept chain=input comment="accept WAN - est & rel conn" connection-state=established disabled=no in-interface=WAN
add action=accept chain=input comment="" connection-state=related disabled=no in-interface=WAN
add action=log chain=input comment="default log & drop" disabled=yes log-prefix=-input
add action=drop chain=input comment="" disabled=no
add action=drop chain=forward comment="drop invalid" connection-state=invalid disabled=no
add action=accept chain=forward comment="accept lan network" disabled=no in-interface=LAN src-address=192.168.0.0/24
add action=accept chain=forward comment="accept WAN - est & rel conn" connection-state=established disabled=no in-interface=WAN
add action=accept chain=forward comment="" connection-state=related disabled=no in-interface=WAN
add action=log chain=forward comment="default log & drop" disabled=yes log-prefix=-forward
add action=drop chain=forward comment="" disabled=no
Done! Remember that if a rule is moved from one line to another, the ruleset takes on a different meaning. The concept of the firewall here:
1. allow what you want, and then drop everything else
2. the firewall reads and runs the rules in order, from top to bottom, so if the order changes the meaning changes as well; for example, if “drop everything” in the input chain becomes rule no. 1, you can’t do anything else ^.^ so be careful with firewall rules.
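To make the ordering point concrete, here is an added example (not code from the WAP/CAP guide or from RouterOS) that models first-match evaluation of a filter chain in Python. The rule fields mirror the RouterOS options used in the guide (chain, action, connection-state, in-interface, protocol, dst-port, src-address); the packet format, the sample packets and the INPUT_CHAIN list, which follows the input rules of the ruleset above, are constructed for the demonstration. It also shows what happens when the catch-all drop is moved to the top, and that a rule written without action= behaves as accept, the RouterOS default for a filter rule.

```python
"""First-match evaluation of a firewall chain (added example, not RouterOS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    chain: str                 # "input" (to the router) or "forward" (through it)
    in_interface: str
    src: str
    protocol: str = "tcp"
    dst_port: Optional[int] = None
    connection_state: str = "new"


@dataclass
class Rule:
    chain: str
    action: str = "accept"     # RouterOS: a filter rule with no action= defaults to accept
    comment: str = ""
    connection_state: Optional[str] = None
    in_interface: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    src_address: Optional[str] = None   # CIDR prefix

    def matches(self, pkt: Packet) -> bool:
        """Every matcher that is set on the rule must agree with the packet."""
        if self.chain != pkt.chain:
            return False
        if self.connection_state and self.connection_state != pkt.connection_state:
            return False
        if self.in_interface and self.in_interface != pkt.in_interface:
            return False
        if self.protocol and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.src_address and ip_address(pkt.src) not in ip_network(self.src_address):
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the chain in order; the first matching rule decides.
    A chain in which no rule matches accepts the packet, as RouterOS does."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "end of chain, no rule matched"


def verdict(rules: List[Rule], pkt: Packet) -> str:
    return evaluate(rules, pkt)[0]


def misordered(rules: List[Rule]) -> List[Rule]:
    """The mistake the guide warns about: the catch-all drop moved to rule no. 1."""
    return [rules[-1]] + rules[:-1]


# The input chain of the ruleset above, in the guide's order (constructed model).
INPUT_CHAIN = [
    Rule("input", "drop", "drop invalid", connection_state="invalid"),
    Rule("input", "accept", "accept winbox", in_interface="WAN", protocol="tcp", dst_port=8291),
    Rule("input", "accept", "accept dns", protocol="udp", dst_port=53),
    Rule("input", "accept", "accept ntp", protocol="udp", dst_port=123),
    Rule("input", "accept", "accept lan network", in_interface="LAN", src_address="192.168.0.0/24"),
    Rule("input", "accept", "accept WAN established", connection_state="established", in_interface="WAN"),
    Rule("input", "accept", "accept WAN related", connection_state="related", in_interface="WAN"),
    Rule("input", "drop", "default drop"),
]

# Constructed sample packets (documentation addresses).
LAN_SSH = Packet("input", "LAN", "192.168.0.5", "tcp", 22)
WAN_SSH = Packet("input", "WAN", "203.0.113.9", "tcp", 22)
WAN_REPLY = Packet("input", "WAN", "203.0.113.9", "tcp", 40000, "established")
# A "drop invalid" rule typed without action=drop: it silently accepts.
FORGOTTEN_ACTION = Rule("input", comment="drop invalid", connection_state="invalid")

if __name__ == "__main__":
    for name, pkt in [("LAN ssh", LAN_SSH), ("WAN ssh", WAN_SSH), ("WAN reply", WAN_REPLY)]:
        print(f"{name:10s} guide order: {verdict(INPUT_CHAIN, pkt):6s} "
              f"drop-first order: {verdict(misordered(INPUT_CHAIN), pkt)}")
    print("rule written without action=:", FORGOTTEN_ACTION.action)
```

With the rules in the guide's order, SSH from the LAN is accepted by the "accept lan network" rule and SSH from the WAN falls through to the final drop; with the catch-all drop moved to the top every packet, including the router's own reply traffic, is dropped before any accept rule is reached.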
Want to test your firewall rules for security?
Go to http://www.grc.com, click “services”, then “ShieldsUP!”, then “Proceed”, and then “All Ports”.
Home Firewall
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=accept_list comment="Forward HTTP to webserver" dst-address=192.168.11.10 dst-port=80 protocol=tcp
add action=accept chain=accept_list comment="Forward HTTPS to webserver" dst-address=192.168.11.10 dst-port=443 protocol=tcp
add action=accept chain=accept_list comment="Forward FTP to Server" dst-address=192.168.11.10 dst-port=21 protocol=tcp
add action=accept chain=accept_list comment="Forward RDP to Server" dst-address=192.168.11.10 dst-port=3389 protocol=tcp src-port=3389
add action=drop chain=known_viruses comment="windows - not EXACTLY a virus" dst-port=135-139 protocol=tcp
add action=drop chain=known_viruses comment="windows - not EXACTLY a virus" dst-port=135-139 protocol=udp
add action=drop chain=known_viruses comment="winXP netbios not EXACTLY a virus" dst-port=445 protocol=udp
add action=drop chain=known_viruses comment="winXP netbios not EXACTLY a virus" dst-port=445 protocol=tcp
add action=drop chain=known_viruses comment="msblast worm" dst-port=593 protocol=tcp
add action=drop chain=known_viruses comment="msblast worm" dst-port=4444 protocol=tcp
add action=drop chain=known_viruses comment="WITTY worm" dst-port=4000 protocol=tcp
add action=drop chain=known_viruses comment="SoBig.f worm" dst-port=995-999 protocol=tcp
add action=drop chain=known_viruses comment="SoBig.f worm" dst-port=8998 protocol=tcp
add action=drop chain=known_viruses comment="beagle worm" dst-port=2745 protocol=tcp
add action=drop chain=known_viruses comment="beagle worm" dst-port=4751 protocol=tcp
add action=drop chain=known_viruses comment="SQL Slammer" dst-port=1434 protocol=tcp
add action=drop chain=bad_people comment="Known Spammer" src-address=81.180.98.3
add action=drop chain=bad_people comment="Known Spammer" src-address=24.73.97.226
add action=drop chain=bad_people comment="http://isc.incidents.org/top10.html listed" src-address=67.75.20.112
add action=drop chain=bad_people src-address=218.104.138.166
add action=drop chain=bad_people src-address=212.3.250.194
add action=drop chain=bad_people src-address=203.94.243.191
add action=drop chain=bad_people src-address=202.101.235.100
add action=drop chain=bad_people src-address=58.16.228.42
add action=drop chain=bad_people src-address=58.248.8.2
add action=drop chain=bad_people src-address=202.99.11.99
add action=drop chain=bad_people src-address=218.52.237.219
add action=drop chain=bad_people src-address=222.173.101.157
add action=drop chain=bad_people src-address=58.242.34.235
add action=drop chain=bad_people src-address=222.80.184.23
add action=accept chain=forward comment="Allow WIFI access to ALL" src-address=192.168.22.0/24
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="allows only 10 FTP login incorrect answers per minute" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=forward comment="drop invalid connections DELETE" connection-state=invalid
add action=drop chain=forward comment="Blocks SSH" dst-port=22 protocol=tcp
add action=jump chain=forward comment="Known virus ports DELETE" jump-target=known_viruses
add action=jump chain=forward comment="kill known bad source addresses DELETE" jump-target=bad_people
add action=jump chain=forward comment="Jump to Accepted List" jump-target=accept_list
add action=accept chain=forward comment="allow established connections DELETE" connection-state=established
add action=accept chain=forward comment="allow related connections DELETE" connection-state=related
add action=accept chain=forward comment="Allow All"
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.11.0/24
add action=dst-nat chain=dstnat dst-address=24.16.119.193 dst-port=3389 protocol=tcp to-addresses=192.168.11.10
add action=dst-nat chain=dstnat dst-address=24.16.119.193 dst-port=80 protocol=tcp to-addresses=192.168.11.10
add action=dst-nat chain=dstnat dst-address=24.16.119.193 dst-port=21 protocol=tcp to-addresses=192.168.11.10
add action=dst-nat chain=dstnat dst-address=24.16.119.193 dst-port=443 protocol=tcp to-addresses=192.168.11.10
Other Router Firewall Script
Here’s a firewall script that blocks spoofed traffic inbound, includes some port-knock rules, SMTP spam blocking and some ICMP rate limiting, and blocks some port scans and DoS attacks.
In the script below replace X.X.X.X, Y.Y.Y.Y and Z.Z.Z.Z with your own values. Port knocking starts at line 34 and continues to 42, so if you would like to disable it those are the lines to adjust. You will most likely want to adjust the ports and protocols of the port knock if you choose to use it.
/ip firewall address-list
#rfc 1918, loopback, and multicast
add address=10.0.0.0/8 comment="" disabled=no list=rfc-1918
add address=127.0.0.1 comment="" disabled=no list=rfc-1918
add address=192.168.0.0/16 comment="" disabled=no list=rfc-1918
add address=172.16.0.0/20 comment="" disabled=no list=rfc-1918
add address=10.0.0.0/8 comment="" disabled=no list=rfc-1918
add address=172.16.0.0/12 comment="" disabled=no list=rfc-1918
add address=192.168.0.0/16 comment="" disabled=no list=rfc-1918
add address=224.0.0.0/4 comment="" disabled=no list=rfc-1918
add address=240.0.0.0/4 comment="" disabled=no list=rfc-1918
#my public addressing
add address=X.X.X.X comment="" disabled=no list=public-add
#any port knock exclusions
add address=Y.Y.Y.Y comment="" disabled=no list=port-knock-3
#any SMTP exclusions
add address=Z.Z.Z.Z comment="" disabled=no list=smtp-bypass
/ip firewall filter
#match more than 5 pings in 5 seconds. Then drop the traffic inbound and forward.
add action=accept chain=input comment="start of greg rules up to 5 pings in 5 seconds" disabled=no limit=5,5 protocol=icmp
add action=add-src-to-address-list address-list=icmp-attack address-list-timeout=12h chain=input comment="add all other icmp input into icmp-attack address list." disabled=no protocol=icmp
add action=drop chain=input comment="drop excessive icmp traffic for 12 hours" disabled=no src-address-list=icmp-attack protocol=icmp
add action=drop chain=forward comment="drop excessive icmp traffic for 12 hours" disabled=yes src-address-list=icmp-attack protocol=icmp
#drop 1918 inbound
add action=drop chain=forward comment="block rfc 1918 and multicast inbound" disabled=no in-interface=ether1 src-address-list=rfc-1918
add action=drop chain=forward comment="block our addressing inbound - spoofed" disabled=no in-interface=ether1 src-address-list=public-add
add action=drop chain=input comment="block rfc 1918 and multicast inbound" disabled=no in-interface=ether1 src-address-list=rfc-1918
add action=drop chain=input comment="block our addressing inbound - spoofed" disabled=no in-interface=ether1 src-address-list=public-add
#start port knocking
add action=add-src-to-address-list address-list=port-knock-1 address-list-timeout=15s chain=input comment="port knock step 1 - udp 444" disabled=no dst-port=444 protocol=udp
add action=add-src-to-address-list address-list=port-knock-2 address-list-timeout=15s chain=input comment="port knock step 2 - udp 117" disabled=no dst-port=117 protocol=udp src-address-list=port-knock-1
add action=add-src-to-address-list address-list=port-knock-3 address-list-timeout=5h chain=input comment="port knock step 3 - tcp 600 - final" disabled=no dst-port=600 protocol=tcp src-address-list=port-knock-2
add action=accept chain=input comment="allow winbox in via port knock" disabled=no dst-port=8291 protocol=tcp src-address-list=port-knock-3
add action=drop chain=input comment="allow winbox in via port knock" disabled=no dst-port=8291 protocol=tcp
#port scans and DOS
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="add port scanners to port-scan list" disabled=no in-interface=ether1 protocol=tcp psd=21,3s,3,1 src-address-list=!internal-nets
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=tarpit chain=input comment="tarpit port-scan address list to router" disabled=no protocol=tcp src-address-list=port-scan
add action=drop chain=input comment="drop port-scan address list to our router" disabled=no src-address-list=port-scan
add action=drop chain=forward comment="drop port-scan address list to our infrastructure" disabled=no src-address-list=port-scan
add action=drop chain=forward comment="drop windows ports" disabled=no port=135-139 protocol=tcp
add action=accept chain=forward comment="allow smtp-bypass list to create multiple sessions" disabled=no dst-port=25 protocol=tcp src-address-list=smtp-bypass
add action=drop chain=forward comment="drop smtp traffic marked as spam" disabled=no dst-port=25 protocol=tcp src-address-list=spam-block
add action=add-src-to-address-list address-list=spam-block address-list-timeout=2h chain=forward comment="more than 5 smtp connections out as spam. add to address list" connection-limit=30,32 disabled=no dst-port=25 limit=50,5 protocol=tcp src-address-list=rfc-1918
add action=accept chain=input comment="allow 80 and 8080 from portknock" disabled=no dst-port=80,8080 protocol=tcp src-address-list=port-knock-3
add action=drop chain=input comment="block 80 and 8080 from everyone else" disabled=no dst-port=80,8080 protocol=tcp
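Both the SSH brute-force staging in the Home Firewall (ssh_stage1 through ssh_stage3, then ssh_blacklist) and the port-knock steps in the script above rely on the same mechanism: action=add-src-to-address-list with an address-list-timeout, checked by later rules with src-address-list. The following added example (not code from the WAP/CAP guide or from RouterOS) models that mechanism in Python and replays constructed connection events through both rulesets. Timeouts, ports and list names are the guide's; the event format, the sample addresses and the "pass" result (none of the listed rules decided, so the rest of the chain would) are assumptions of the model. The add-to-list action is modelled as non-terminating, so the packet continues to the next rule; that is what the top-down order of the stage rules, highest stage first, relies on to advance a source by exactly one stage per connection.

```python
"""Timed address-list escalation model (added example, not RouterOS code)."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

MIN, HOUR, DAY = 60, 3600, 86400


class AddressLists:
    """Named lists of address -> expiry time, like /ip firewall address-list."""

    def __init__(self) -> None:
        self._lists: Dict[str, Dict[str, float]] = defaultdict(dict)

    def add(self, name: str, addr: str, now: float, timeout: float) -> None:
        self._lists[name][addr] = now + timeout    # re-adding refreshes the timer

    def contains(self, name: str, addr: str, now: float) -> bool:
        expiry = self._lists[name].get(addr)
        if expiry is None:
            return False
        if now >= expiry:                           # dynamic entry aged out
            del self._lists[name][addr]
            return False
        return True


def rule(action: str, protocol: str, dst_port: int, src_list: Optional[str] = None,
         add_to: Optional[str] = None, timeout: float = 0) -> dict:
    """One input-chain rule with the matchers this model understands."""
    return dict(action=action, protocol=protocol, dst_port=dst_port,
                src_list=src_list, add_to=add_to, timeout=timeout)


def run_chain(rules: List[dict], lists: AddressLists, src: str, protocol: str,
              dst_port: int, now: float) -> str:
    """Evaluate one new connection against the rules, top to bottom.
    accept/drop terminate; add-src-to-address-list records the source and lets
    the packet continue. "pass" means none of these rules decided."""
    for r in rules:
        if r["protocol"] != protocol or r["dst_port"] != dst_port:
            continue
        if r["src_list"] and not lists.contains(r["src_list"], src, now):
            continue
        if r["action"] == "add-src-to-address-list":
            lists.add(r["add_to"], src, now, r["timeout"])
            continue
        return r["action"]
    return "pass"


# Guide's SSH rules: a source climbs one stage per new TCP/22 connection and is
# blacklisted for 1w3d once it connects while still listed in ssh_stage3.
SSH_RULES = [
    rule("drop", "tcp", 22, src_list="ssh_blacklist"),
    rule("add-src-to-address-list", "tcp", 22, "ssh_stage3", "ssh_blacklist", 10 * DAY),
    rule("add-src-to-address-list", "tcp", 22, "ssh_stage2", "ssh_stage3", MIN),
    rule("add-src-to-address-list", "tcp", 22, "ssh_stage1", "ssh_stage2", MIN),
    rule("add-src-to-address-list", "tcp", 22, None, "ssh_stage1", MIN),
]

# Guide's port knock: UDP 444, then UDP 117, then TCP 600, each within 15 s of
# the previous step; success opens winbox (TCP 8291) to that source for 5 hours.
KNOCK_RULES = [
    rule("add-src-to-address-list", "udp", 444, None, "port-knock-1", 15),
    rule("add-src-to-address-list", "udp", 117, "port-knock-1", "port-knock-2", 15),
    rule("add-src-to-address-list", "tcp", 600, "port-knock-2", "port-knock-3", 5 * HOUR),
    rule("accept", "tcp", 8291, src_list="port-knock-3"),
    rule("drop", "tcp", 8291),
]

Event = Tuple[float, str, str, int]   # (seconds, src, protocol, dst_port)


def replay(rules: List[dict], events: List[Event]) -> List[str]:
    """Replay constructed connection events through fresh address lists."""
    lists = AddressLists()
    return [run_chain(rules, lists, src, proto, port, t) for t, src, proto, port in events]


# Constructed event sequences (documentation addresses).
FAST_BRUTE = [(t, "198.51.100.7", "tcp", 22) for t in (0, 10, 20, 30, 40)]
SLOW_ADMIN = [(t, "198.51.100.8", "tcp", 22) for t in (0, 90, 180, 270, 360)]
GOOD_KNOCK = [(0, "203.0.113.5", "udp", 444), (5, "203.0.113.5", "udp", 117),
              (10, "203.0.113.5", "tcp", 600), (20, "203.0.113.5", "tcp", 8291)]
SLOW_KNOCK = [(0, "203.0.113.6", "udp", 444), (20, "203.0.113.6", "udp", 117),
              (25, "203.0.113.6", "tcp", 600), (30, "203.0.113.6", "tcp", 8291)]

if __name__ == "__main__":
    print("fast brute force:", replay(SSH_RULES, FAST_BRUTE))
    print("slow admin:      ", replay(SSH_RULES, SLOW_ADMIN))
    print("good knock:      ", replay(KNOCK_RULES, GOOD_KNOCK))
    print("slow knock:      ", replay(KNOCK_RULES, SLOW_KNOCK))
```

Replaying the sequences shows the intended behaviour: a source making four new SSH connections within a minute is blacklisted on the fourth and dropped from the fifth onwards, while connections spaced more than a minute apart never get past ssh_stage1; a knock sequence completed within the 15-second windows opens winbox, and one whose second step arrives 20 seconds after the first fails because port-knock-1 has already expired.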
Automatically find unauthorized devices and block them on the firewall
One of the features I like most in WAP/CAP RouterOS is the ability to run custom scripts that let you automate some things on the router side. In a workplace where “bring your own device” is practised, being able to control the registration of these devices on your network is very important, especially for mobile devices: laptops, tablets and smartphones.
It is becoming harder to control these devices, especially when there are many of them. A smartphone can simply sit inside a bag or pocket while it automatically connects through your access points (the wireless key being known to the user) and downloads unnecessary files from the internet, wasting network bandwidth while increasing the network security risk.
Now, if you happen to have a WAP/CAP RouterOS in your network and are facing the same dilemma, then the script below will probably help you solve it, or at least get you started on a better solution.
# Tested to work on RouterOS 5.19
:foreach i in=[/ip dhcp-server lease find dynamic=yes] do={
    :local dynamicIP [/ip dhcp-server lease get $i address];
    :local dynamicMAC [/ip dhcp-server lease get $i mac-address];
    :local dynamicHOST [/ip dhcp-server lease get $i host-name];
    # look for an existing filter rule matching this MAC address
    :local macfound [/ip firewall filter find src-mac-address=$dynamicMAC];
    :if ($macfound != "") do={
        :log info ($dynamicMAC . " already filtered")
    } else={
        /ip firewall filter add chain=forward src-mac-address=$dynamicMAC action=drop comment=($dynamicHOST . " - " . $dynamicMAC . " Unregistered device")
        :log info ("Added " . $dynamicMAC . " to firewall filter")
    }
}
Basically, the script looks for dynamic IP addresses in the DHCP server leases table and searches for their MAC addresses in the firewall filter table. If a MAC address is not yet blocked, it creates an entry blocking that MAC address, preventing the device from sending traffic through your network.
To execute the script periodically, you need to add it to the scheduler; see the example below:
/system scheduler add comment="Find unauthorized devices and block" disabled=no interval=5m name=block_unauthorized_devices on-event=block_unauthorized_devices policy=read,write,test
You should be able to see in your log which devices are being blocked as the script finds them.
How to Lock MAC and IP Address
Suppose you have a policy for your office local area network (LAN) that is based on the IP addresses of the hosts or workstations inside the LAN. To make sure the policy works smoothly, one thing you have to do is prevent users from changing their workstations' IP addresses. So you have to lock each IP address to its hardware MAC address. If a user changes the IP address, it will no longer match the MAC address configured in the WAP/CAP router, so the traffic will be blocked.
This tutorial shows you how to lock MAC and IP addresses in the WAP/CAP router. Here is what you have to do.
1. Log in to the WAP/CAP router via Winbox or Telnet/SSH.
2. Run the commands below in the Terminal:
/ip firewall filter add chain=input src-address=A.B.C.D \
src-mac-address=!1A:2B:3C:4D:5E:6F action=drop disabled=no
/ip firewall filter add chain=input src-address=!A.B.C.D \
src-mac-address=1A:2B:3C:4D:5E:6F action=drop disabled=no
The commands above mean: if the source IP address is A.B.C.D but the MAC address is not 1A:2B:3C:4D:5E:6F, or the source MAC address is 1A:2B:3C:4D:5E:6F but the IP address is not A.B.C.D, then drop the packet. Note that both rules are in the input chain, so they only cover traffic addressed to the router itself; to enforce the same pairing on traffic passing through the router, add the same matchers in the forward chain as well.
Now you can test using your laptop / computer. Make sure to change the IP and MAC address to match your device configuration.
How To: Block Facebook, Twitter, Youtube
In case you want to block access to Facebook, Twitter, Youtube or other websites, it is easy to do this on WAP/CAP RouterOS. You can use either the web proxy or a firewall rule directly to block websites.
According to the WAP/CAP Wiki, you can block users from accessing websites using the content option in a WAP/CAP firewall rule, one rule per content string you want to block. So if you want to block, for example, Facebook, Youtube and Twitter, you have to create a rule for each.
Here I show you how to block websites (e.g. Facebook, Youtube and Twitter) using firewall rules in WAP/CAP RouterOS. Change the src-address value to the source IP addresses you want to block.
Drop Access to Facebook
/ip firewall filter add chain=forward src-address=192.168.1.0/24 protocol=tcp \
dst-port=80 content="facebook" action=drop comment="Block Facebook HTTP"
/ip firewall filter add chain=forward src-address=192.168.1.0/24 protocol=tcp \
dst-port=443 content="facebook" action=drop comment="Block Facebook HTTPS"
Drop Access to Youtube
/ip firewall filter add chain=forward src-address=192.168.1.0/24 protocol=tcp \
dst-port=80 content="youtube" action=drop comment="Block Youtube HTTP"
/ip firewall filter add chain=forward src-address=192.168.1.0/24 protocol=tcp \
dst-port=443 content="youtube" action=drop comment="Block Youtube HTTPS"
Drop Access to Twitter
/ip firewall filter add chain=forward src-address=192.168.1.0/24 protocol=tcp \
dst-port=80 content="twitter" action=drop comment="Block Twitter HTTP"
/ip firewall filter add chain=forward src-address=192.168.1.0/24 protocol=tcp \
dst-port=443 content="twitter" action=drop comment="Block Twitter HTTPS"
Now try to access those websites above. If the above rules work properly, you should not
be able to access those websites now.
Assign fixed/static IP address via WAP/CAP DHCP server
DHCP is basically a protocol for assigning dynamic IP addresses to clients. It means you don’t need to touch the clients’ computers / laptops to manually set a static IP address; the IP address is assigned to the clients dynamically.
However, in some cases you may need to assign static IP addresses to clients in order to apply per-client policy, such as firewalling, bandwidth allocation, or monitoring the clients’ internet activity. As an administrator, you can assign the IP address without touching the computers / laptops. The thing you have to know is the hardware (MAC) address of each PC / laptop that you want to give a fixed IP address.
Here is how to set a fixed IP address via the DHCP server configuration in WAP/CAP RouterOS.
For example, to assign a computer with MAC address 70:F1:A1:D1:49:49 the IP address 192.168.100.10 and client ID ‘client10’, use the following command:
/ip dhcp-server lease
add address=192.168.100.10 mac-address=70:F1:A1:D1:49:49 client-id="client10"
You can add more clients by adding the ‘add address’ command as example above.
If using Winbox is as follows:
Disable Access during Certain Hours
Recently I have needed to restrict access to the internet during certain hours. This is
very easy to achieve with WAP/CAP using a few mangle and filter rules. I currently
have this configuration on a RB751, so I am using a bridge for the LAN. I have ports 2-5
switched together and then bridged wlan1 and ether2 (the master port) together.
Instead of just restricting everything on the bridge, I wanted to be able to allow access to
myself and certain others during “restricted times”, and this is why I used mangle to mark
connections and filter via the connection marks.
Here you can see the two rules that mark the connections from my allowed devices. The last
two rules mark everything else in and out of the DHCP bridge.
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark CBrown Computer" disabled=no in-interface=DHCP \
new-connection-mark=Allowed passthrough=no src-mac-address=XX:XX:XX:XX:XX:XX
add action=mark-connection chain=forward comment="Mark CBrown iPhone" disabled=no in-interface=DHCP \
new-connection-mark=Allowed passthrough=no src-mac-address=XX:XX:XX:XX:XX:XX
add action=mark-connection chain=prerouting comment="DHCP Upload" disabled=no in-interface=DHCP \
new-connection-mark=DHCP passthrough=no
add action=mark-connection chain=postrouting comment="DHCP Download" disabled=no new-connection-mark=DHCP \
out-interface=DHCP passthrough=no
Now for the filter rules. This is where the actual time restrictions take place. The first
two rules allow my devices access all the time, and as you can see in the third and fourth
rules I take my connection mark (DHCP) and “jump” it into my “times” chain from both
my input and forward chains. Once in the “times” chain, rules 6, 7, and 8 block access
during the times I want the internet turned off. Rules 5 and 9 allow me to enable the
internet during a restricted time or disable it during an allowed time. You could block
only the forward chain if you are not using a web proxy and it will restrict the traffic,
but to block ALL communication (even to the router) is only 1 more rule.
/ip firewall filter
add action=accept chain=input connection-mark=Allowed disabled=no
add action=accept chain=forward connection-mark=Allowed disabled=no
add action=jump chain=input comment="Jump to Times" connection-mark=DHCP
disabled=no jump-target=times
add action=jump chain=forward comment="Jump to Times" connection-mark=DHCP
disabled=no jump-target=times
add action=return chain=times comment="********TURN ON********" disabled=no
add action=drop chain=times comment="Drop 2300-2400" disabled=no time=\
23h-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=times comment="Drop 2400-0500" disabled=no time=\
1s-4h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=times comment="Drop Weekday 0800-1630" disabled=no time=\
8h1s-16h29m59s,mon,tue,wed,thu,fri
add action=drop chain=times comment="********TURN OFF********" disabled=yes
It is also very important to make sure you have set up your SNTP client and set your time
zone on your WAP/CAP. If you don’t, your time restrictions will obviously not work.
Below is the setup for EST.
/system ntp client
set enabled=yes mode=unicast primary-ntp=129.6.15.28 secondary-ntp=129.6.15.29
/system clock
set time-zone-name=America/New_York
Secure your router from invalid login attempts / Virus Flooding Attacks
Sometimes, in the WAP/CAP logs, you will see that some IPs from the WAN or LAN try to log in to
your WAP box using SSH, Winbox etc. To secure your router, the best solution is
to come up with a list of networks that should be allowed to access the router
administratively, and block everything else. The following rules might help you in this
situation.
/ip firewall address-list add list=management-servers address=10.10.0.1/24
/ip firewall filter
add chain=input src-address-list=management-servers protocol=tcp dst-port=21,22,23,80,443,8291 action=accept
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 action=drop
With these rules in place, only the management network can reach those service ports on the router.
It is strongly advised to DISABLE all unnecessary services on the WAP/CAP router,
especially SSH/FTP, which are heavily targeted by brute force attacks.
This reduces the attack surface of your router: the fewer services there are to attack, the less
likely it is that your router is compromised or overloaded.
Remotely accessible router services should be limited to a few addresses. This is a simple
and very effective way of controlling who can attempt to access the WAP/CAP router.
Check from which addresses or networks the WAP/CAP router will be administered,
then create firewall rules that only allow access to the router services from those
management networks.
Deny all unwanted inbound traffic and allow only related traffic (***the best approach***).
By restricting inbound traffic to the router, you can prevent the accidental opening up of
services on the router. Also, by restricting all types of services except those you
know about and want, you prevent any services (that you may not be aware of) from being
accessible remotely on the WAP/CAP router.
HOWTO PREVENT VIRUS / PORTS FLOODING?
A basic WAP/CAP firewall script to secure the box from viruses and flooding:
/ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
# Note: the next rule accepts every UDP packet addressed to the router itself; narrow it to the UDP services you actually need
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
# Blocking ICMP Traffic, saves you from many headaches
add action=drop chain=input comment="DROP PING REPLY" disabled=no protocol=icmp src-address=!10.10.0.4
# Blocking Common Virus Ports
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
#Drop port scanners
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
#Bruteforce login prevention
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
#Staged SSH brute force detection: a source that opens repeated new SSH connections within the
#one-minute stage windows ends up in ssh_blacklist for the address-list-timeout below (3d).
#The order matters: the highest stage is tested first, so one packet only climbs one stage.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=3d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
#If you want to block downstream access as well, you need to block it with the forward chain:
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no
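To see why the order of the port-scanner and SSH staging rules above matters, here is an added Python replay of that part of the input chain (example code, not from the guide or RouterOS). It assumes every sample packet is the first segment of a new connection, uses constructed documentation addresses, and shows that the page's order bans a source only after repeated attempts while the reversed order would ban it after a single login.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Replay of the input-chain rules from the script above, as added example code
# (not WiBorne or RouterOS code). Every packet below is the first (connection-
# state=new) segment of a connection; addresses are constructed; times in seconds.

@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    flags: frozenset        # TCP flags set on the segment, e.g. frozenset({"syn"})

def flags_match(spec: str, flags: frozenset) -> bool:
    """RouterOS tcp-flags: listed flags must be set, '!'-prefixed ones must be
    clear, flags not mentioned are ignored."""
    for tok in spec.split(","):
        if (tok.lstrip("!") in flags) == tok.startswith("!"):
            return False
    return True

class AddressLists:
    """Dynamic address lists with address-list-timeout expiry."""
    def __init__(self) -> None:
        self.expiry: Dict[Tuple[str, str], float] = {}

    def add(self, name: str, addr: str, timeout: float, now: float) -> None:
        self.expiry[(name, addr)] = now + timeout   # re-adding refreshes the timeout

    def contains(self, name: str, addr: str, now: float) -> bool:
        exp = self.expiry.get((name, addr))
        return exp is not None and now < exp

@dataclass
class Rule:
    action: str                       # "drop" or "add-src-to-address-list"
    dport: Optional[int] = None       # dst-port
    src_list: Optional[str] = None    # src-address-list
    tcp_flags: Optional[str] = None   # tcp-flags
    add_list: Optional[str] = None    # address-list the source is added to
    timeout: float = 0.0              # address-list-timeout

MIN, DAY, WEEK = 60, 86400, 7 * 86400
ADD, SCANNERS = "add-src-to-address-list", "port scanners"
SCAN_RULES = [
    Rule(ADD, tcp_flags="fin,!syn,!rst,!psh,!ack,!urg", add_list=SCANNERS, timeout=2 * WEEK),
    Rule(ADD, tcp_flags="!fin,!syn,!rst,!psh,!ack,!urg", add_list=SCANNERS, timeout=2 * WEEK),
    Rule("drop", src_list=SCANNERS),
]
SSH_DROP = Rule("drop", dport=22, src_list="ssh_blacklist")
# Staging rules in the page's order: the highest stage is tested first.
SSH_STAGING = [
    Rule(ADD, dport=22, src_list="ssh_stage3", add_list="ssh_blacklist", timeout=3 * DAY),
    Rule(ADD, dport=22, src_list="ssh_stage2", add_list="ssh_stage3", timeout=MIN),
    Rule(ADD, dport=22, src_list="ssh_stage1", add_list="ssh_stage2", timeout=MIN),
    Rule(ADD, dport=22, add_list="ssh_stage1", timeout=MIN),
]
INPUT_CHAIN = SCAN_RULES + [SSH_DROP] + SSH_STAGING
WRONG_ORDER = SCAN_RULES + [SSH_DROP] + SSH_STAGING[::-1]   # stage1 rule listed first

def run_chain(chain: List[Rule], lists: AddressLists, pkt: Packet, now: float) -> str:
    """Walk the chain top-down like the firewall: add-src-to-address-list does not
    terminate (the packet goes on to the next rule), drop does."""
    for r in chain:
        if r.dport is not None and pkt.dport != r.dport:
            continue
        if r.tcp_flags is not None and not flags_match(r.tcp_flags, pkt.flags):
            continue
        if r.src_list is not None and not lists.contains(r.src_list, pkt.src, now):
            continue
        if r.action == "drop":
            return "drop"
        lists.add(r.add_list, pkt.src, r.timeout, now)
    return "accept"

def ssh_verdicts(chain: List[Rule], attempts: int, gap: float) -> List[str]:
    """Verdict for each of `attempts` new SSH connections from one host, `gap`
    seconds apart, starting with empty address lists."""
    lists, syn = AddressLists(), frozenset({"syn"})
    return [run_chain(chain, lists, Packet("203.0.113.5", 22, syn), i * gap)
            for i in range(attempts)]

def null_scan_then_ssh() -> Tuple[str, str]:
    """A NULL scan (no flags) lists the host, so its later normal SYN is dropped too."""
    lists = AddressLists()
    first = run_chain(INPUT_CHAIN, lists, Packet("198.51.100.9", 80, frozenset()), 0)
    later = run_chain(INPUT_CHAIN, lists, Packet("198.51.100.9", 22, frozenset({"syn"})), 5)
    return first, later

if __name__ == "__main__":
    print("brute force, page order :", ssh_verdicts(INPUT_CHAIN, 5, gap=10))
    print("brute force, wrong order:", ssh_verdicts(WRONG_ORDER, 5, gap=10))
    print("one login every 2 min   :", ssh_verdicts(INPUT_CHAIN, 5, gap=120))
    print("NULL scan, then SSH     :", null_scan_then_ssh())
```

With the page's order the fifth rapid attempt is the first one dropped, a user logging in once every two minutes is never listed, and a host that sent a NULL-scan probe is dropped on its next normal connection.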
A BETTER APPROACH ON BLOCKING PORTS!
/ip firewall mangle
add action=add-src-to-address-list address-list=Worm-Infected-p445 address-list-timeout=1h chain=prerouting connection-state=new disabled=no dst-port=445 limit=5,10 protocol=tcp
/ip firewall filter
add action=drop chain=forward disabled=no dst-port=445 protocol=tcp src-address-list=Worm-Infected-p445
The above rules allow 5 packets per second with a burst of 10, counting only new
connections. The mangle rule puts an address on the list when it exceeds that limit. That
way legitimate use isn’t blocked, but something like a virus or worm sending out mass
amounts of traffic will be detected and stopped. It’s a much more elegant solution than blocking a
bunch of ports for all users. It also gives you a list of user IPs whose PCs need to be cleaned up.
Before relying on this, verify how the limit matcher behaves on your RouterOS version: limit
matches packets that are still within the given rate, so for the rule to catch only the excess
the matcher must be negated or preceded by a rule that lets the in-limit packets through.
How to block Winbox Discovery + Limit Winbox Access
To hide your WAP/CAP from appearing in the Winbox neighbor scan list, and to limit
Winbox access to your admin PC only, use the following.
/tool mac-server add disabled=yes interface=all
/tool mac-server ping set enabled=no
/ip firewall filter
add action=drop chain=input comment="block WAP/CAP discovery" disabled=no dst-port=5678 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST By MAC Address" disabled=no dst-port=20561 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST EXCEPT FROM MY PC" disabled=no dst-port=8291 protocol=tcp src-address=!192.168.2.6
You can also disable network neighbor discovery on the interface to which your
network users are connected.
Example:
/ip neighbor discovery set ether1 discover=no
Personal Recommendation:
Always disable unnecessary services like FTP / SSH / TELNET etc., or if it is necessary to enable
them, at least limit their access to specific PCs only. Allow only WINBOX.
How to Block Torrent / P2P
Blocking torrents 100% is impossible, as nowadays new torrent applications use
encryption and it is nearly impossible to inspect the SSL traffic. However, you can
block basic torrent access by using the following.
/ip firewall layer7-protocol add comment="" name=p2p_www regexp="^.*(get|GET).+\
(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|\
zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
/ip firewall layer7-protocol add comment="" name=p2p_dns regexp="^.+\
(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|\
zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
/ip firewall filter add action=drop chain=forward comment="block p2p_www" disabled=no \
layer7-protocol=p2p_www
/ip firewall filter add action=drop chain=forward comment="block p2p_dns" disabled=no \
dst-port=53 layer7-protocol=p2p_dns protocol=udp
Limit number of connections based on user profile with Hotspot
Managing WAP/CAP hotspot firewall rules can be tricky; the WAP/CAP hotspot always
ignores mangle rules. If we create a mangle rule for the WAP/CAP hotspot and then open the
statistics menu, there will be no activity. Since mangle rules do not help us manage
hotspot traffic per user, there is one easy way to catch users’ traffic: automatically
trap their IP addresses into an address list. Once their addresses are trapped we can apply
any rules to them, for example limiting their number of connections.
Let’s start trapping users’ IP addresses
• Open Winbox and connect to the WAP/CAP hotspot server.
• On the Hotspot menu, create a new user profile (let’s say we want to create a public
hotspot where 75 people can use the same login name and password).
• Set everything up such as profile name, bandwidth limit or anything else that suits your
needs, and then set Shared Users = 75 to allow a maximum of 75 users to use the same login name
and password.
• Set an address list name (this is how we trap their IP addresses).
• Apply and close.
• Create a user name and use the profile created above (75 users can use this login name
and password at the same time).
Test your setting by logging in with the user’s login; your IP address should be shown in
Firewall > Address Lists.
At this moment any rules can be set for all logged-in users, either in Firewall or Queue settings.
Let’s try to limit their number of TCP connections (we used to use this limitation to reduce
problems on the hotspot network, i.e. virus traffic which sometimes floods our internet
with thousands of connections from a single computer).
Create a firewall filter rule and set:
• on General tab: Chain = forward, Protocol = tcp.
• on Advanced tab: Src. Address List = “address list name (see step 4 of the trapping
section)”, TCP Flags = syn.
• on Extra tab (Connection Limit): Limit = (max number of connections + 1; for example for 20
max connections, fill in 21), Netmask = 32.
• on Action tab: Action = drop.
• Apply and close.
There are still many things we can do with this address list through firewall filters; for
example we can block specific port numbers for public hotspot users to prevent virus
infections through our network on those ports. We also blocked access to some web addresses for
specific users (mostly public), and limited YouTube streaming for specific users.
Because many of our public hotspot users are unknown users, we think trapping their
addresses is the only way to handle it.
Block WAP/CAP from the Winbox Scan and Neighbour discovery
Sometimes the ISP or service provider does not do much to protect its customers, especially
when the customer-facing routers run WAP/CAP RouterOS. By opening IP >> Neighbor,
we can see the other WAP/CAP routers physically connected to ours through the
provider's network.
We can protect ourselves in various ways, such as blocking the Winbox scan and neighbor
discovery. Here is the easy way:
[admin@WAP] interface bridge> filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; block discovery WAP/CAP
chain=forward in-interface=ether1 mac-protocol=ip dst-port=5678
ip-protocol=udp action=drop
1 ;;; block discovery WAP/CAP
chain=input in-interface=ether1 mac-protocol=ip dst-port=5678 ip-protocol=udp
action=drop
2 ;;; block discovery WAP/CAP
chain=output mac-protocol=ip dst-port=5678 ip-protocol=udp action=drop
3 ;;; block discovery WAP/CAP
chain=input in-interface=ether1 mac-protocol=ip dst-port=8291 ip-protocol=tcp
action=drop
4 ;;; block winbox WAP/CAP
chain=forward in-interface=ether1 mac-protocol=ip dst-port=8291 ip-protocol=tcp
action=drop
5 ;;; block request DHCP
chain=input mac-protocol=ip dst-port=68 ip-protocol=udp action=drop
6 ;;; block request DHCP
chain=forward mac-protocol=ip dst-port=68 ip-protocol=udp action=drop
7 ;;; block request DHCP
chain=output mac-protocol=ip dst-port=68 ip-protocol=udp action=drop
With these rules we can shut out some scans, especially those that use Winbox and IP
Neighbor. The ports listed above are the ones WAP/CAP RouterOS itself uses for discovery,
Winbox and DHCP, which is why they are worth monitoring.
Howto block Winbox Discovery + Limit Winbox Access
To hide your WAP/CAP from appearing in the Winbox neighbor scan list, and to limit
Winbox access to your specific IP address or admin PC only,
use the following.
To disable Winbox access via MAC address you have to disable the MAC server on the NIC:
Go to Tools -> MAC Server
Click on the WinBox Interfaces tab
By default this is set to all
You can add specific interfaces, and disable the all entry
OR using the CLI, use the following commands:
/tool mac-server add disabled=yes interface=all
/tool mac-server ping set enabled=no
Or disable MAC discovery for all interfaces with the following firewall rules:
/ip firewall filter
add action=drop chain=input comment="Block WAP/CAP discovery/zaib" disabled=no dst-port=5678 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST By MAC Address" disabled=no dst-port=20561 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST EXCEPT FROM MY PC" disabled=no dst-port=8291 protocol=tcp src-address=!192.168.2.6
The above rules disable WAP/CAP discovery via Winbox and allow only
192.168.2.6 to access WAP/CAP. Make sure to change this IP address to match your
management PC's IP.
You can also disable network neighbor discovery on the interface to which your
network users are connected.
Example:
/ip neighbor discovery set ether3 discover=no
TIP:
I recommend blocking all unnecessary services like www, ftp, ssh. Also change the
Winbox default port via the IP > Services console, just to make WAP/CAP more secure,
and allow only specific IP addresses to connect to WAP/CAP via Winbox.
Hotspot, Block website based on User Profile
Today we are going to block specific websites based on user profile. Please re-read
my previous post for instructions on trapping user addresses into an address list, since we also
use that address list in the current post.
Our local internet regulation forced us to block specific websites for specific users,
mostly social media and adult websites. Blocking adult websites is the easier task: it
applies to all of us, so I just need to put the list into the Squid proxy server. Blocking social
media, on the other hand, is harder than it seems. Since it applies only to specific users,
the rule has to be placed in the WAP/CAP hotspot firewall.
The problem is that social media websites use multiple IP addresses and the WAP/CAP hotspot
also ignores mangle rules. That means I would have to find all the IP addresses of the social
media website and put them all into a firewall address list manually. Yup, not an
easy task, and I’m not the kind of person who likes doing computer things manually.
Layer 7 Protocol
There is a Layer 7 protocol matcher which searches for patterns with regular expressions
(RegExp) in ICMP, TCP and UDP connection streams. In this way we can put part
of a website's URL into a Layer 7 regular expression, and all matched traffic
can be passed on to a firewall rule.
Example new RegExp
1. Go to IP->Firewall->Layer 7 Protocols
2. Click the “+” button to add a new RegExp.
3. A small window will pop up; put a name for the new RegExp (for example
Facebook).
4. In the RegExp form put: ^.+(facebook.com).*$
This will match all facebook.com addresses
5. Click Apply
New Firewall Filter Rule
1. Go to IP->Firewall->Filter Rules
2. Click “+” button to add new Filter Rule
3. Set:
General Tab
Chain = "Forward"
Src. Address = "your client network address here"
Advanced Tab
Please read how to trap user address based on profile in related to address list
Src. Address List = "User Address List"
Layer 7 Protocol = "facebook" #the RegExp name you've created before.
Action Tab
Action = "Reject" #you can also simply put Drop on it
Reject With = "ICMP Network Unreachable" #Only if you choose Reject
4. Click Apply.
This filter applies only to users whose IP addresses were trapped into the above address list.
Other users will access the website normally without any limitation. If you want to block
more websites, simply copy the RegExp in Layer 7 Protocols and change the RegExp
name and website name to the website to be blocked. You also need to copy
the firewall rule and change the Layer 7 Protocol to the newly created one.
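To see what the page's RegExp ^.+(facebook.com).*$ really matches, here is an added Python check (example code, not from the guide or RouterOS) that runs it over constructed HTTP request samples beside a tighter pattern; the same unescaped-dot point applies to the p2p_www and p2p_dns patterns earlier on the page. It assumes the matcher, like the RouterOS Layer 7 matcher, sees the first packets of the connection as one blob of text.

```python
import re

# Added example, not from the guide: what the page's Layer 7 RegExp actually matches.
# RouterOS Layer 7 matching inspects only the first packets of a connection; the
# tighter pattern below uses only plain character classes and alternation so it
# stays usable there. The request samples are constructed.

PAGE_PATTERN = r"^.+(facebook.com).*$"   # as on the page: the dot is an unescaped wildcard
# Tighter: the name must follow '.', '/' or a space and end at a delimiter, so
# notfacebook.com, facebookXcom and facebook.community no longer match.
TIGHT_PATTERN = r"^.+[./ ]facebook\.com([/: \r\n]|$)"

SAMPLES = {
    "real host": "GET / HTTP/1.1\r\nHost: www.facebook.com\r\n",
    "dot wildcard": "GET / HTTP/1.1\r\nHost: facebookXcom.example\r\n",
    "prefix": "GET / HTTP/1.1\r\nHost: notfacebook.com\r\n",
    "longer name": "GET / HTTP/1.1\r\nHost: facebook.community.example\r\n",
}

def matches(pattern: str, payload: str) -> bool:
    """re.S lets '.' span the CRLF line breaks: the matcher sees the payload as one blob."""
    return re.search(pattern, payload, re.S) is not None

def compare(samples=SAMPLES) -> dict:
    """Per sample: (page pattern matched, tight pattern matched)."""
    return {name: (matches(PAGE_PATTERN, p), matches(TIGHT_PATTERN, p))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, (page, tight) in compare().items():
        print(f"{name:13s} page={page!s:5s} tight={tight}")
```

Only the real host matches both patterns; the other three samples match the page's pattern but not the tighter one, which is the difference between blocking a site and blocking everything whose name merely contains the string.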
Hotspot, Limit YouTube based on user profile
I used to use this limitation on a public hotspot where everyone is free to connect while
we are on limited bandwidth. Video streaming usually uses high bandwidth, at least 384kbps
for SD quality (not HD), and you can imagine 15 people streaming YouTube video at the
same time while we only have 5MB of bandwidth. In busy hours we got more than 40
public users on our WAP/CAP hotspot (our highest record was 93 users), and most of them
were teenagers connecting with their tablets and mobile phones.
This method uses the Layer 7 protocol matcher of the WAP/CAP firewall and also the trapping of
user IP addresses. So first we need to add the YouTube address to the Layer 7 Protocol list. Let’s start.
Regexp
Add the following to Layer 7 Regexp:
^.+(c.youtube.com).*$
Name it as YouTube-Stream
Add 1st mangle rule (mark connection)
[General Tab]
Chain = prerouting
in. interface = your hotspot interface
[Advanced Tab]
Src. Address List = user hotspot address list (read how to trap user ip address)
Layer7 Protocol = YouTube-Stream
[Action Tab]
action = mark connection
New connection mark = video_stream
Passthrough = checked
We’re going to apply this rule only to IP addresses on the Src. Address List. This address list
is generated automatically every time a user logs in to the WAP/CAP hotspot (we call this
trapping the user IP into an address list).
2nd mangle rule (mark packet)
[General Tab]
Chain = prerouting
Connection Mark = video_stream
[Action Tab]
Action = mark packet
New Packet Mark = video_stream_packet
Passthrough = checked
This will mark packet from connection marked by previous mangle rule so we can use
this marked packet on Queue Tree.
Add Queue Tree
This will limit stream at 384kbps, max Burst at 512kbps for 15 sec and threshold
128kbps.
• Click on + button to add new rule
• Name = youtube-stream
• Parent = global-out
• Packet Marks = video_stream_packet
• Max Limit = 384k
• Burst Limit = 512k
• Burst Threshold = 128k
• Burst Time = 15
Click apply to save the rule and see the result.
More..
You can also set a limit for other video streaming websites such as dailymotion, metacafe and
mccont. All we need is to know what address is used in the streaming URL. For example
dailymotion uses cdn.dailymotion.com as the streaming address. Next add those addresses to the
youtube-stream regexp in Layer 7 Protocols. The complete regexp will be:
^.+(c.youtube.com|cdn.dailymotion.com|metacafe.com|mccont.com).*$
Find other streaming addresses and add them to the Layer 7 list. Remember, the main website
URL does not always mean the same address as the streaming URL. If you put the main
website into the Layer 7 list, you will also be limiting access speed to the main website.
Firewall customizations for Hotspot
Summary
Apart from the obvious dynamic entries in the /ip hotspot submenu itself (like hosts and
active users), some additional rules are added in the firewall tables when activating a
HotSpot service. Unlike RouterOS version 2.8, there are relatively few firewall rules
added in the firewall as the main job is made by the one-to-one NAT algorithm.
NAT
From /ip firewall nat print dynamic command, you can get something like this (comments
follow after each of the rules):
0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client
Putting all HotSpot-related tasks for packets from all HotSpot clients into a separate
chain.
1 I chain=hotspot action=jump jump-target=pre-hotspot
Any actions that should be done before the HotSpot rules apply should be put in the
pre-hotspot chain. This chain is under full administrator control and does not contain any
rules set by the system, hence the invalid jump rule (as the chain does not have any rules
by default).
2 D chain=hotspot action=redirect to-ports=64872 dst-port=53 protocol=udp
3 D chain=hotspot action=redirect to-ports=64872 dst-port=53 protocol=tcp
Redirect all DNS requests to the HotSpot service. The 64872 port provides DNS service
for all HotSpot users. If you want HotSpot server to listen also to another port, add rules
here the same way, changing dst-port property.
4 D chain=hotspot action=redirect to-ports=64873 hotspot=local-dst dst-port=80
protocol=tcp
Redirect all HTTP login requests to the HTTP login servlet. The 64873 is HotSpot HTTP
servlet port.
5 D chain=hotspot action=redirect to-ports=64875 hotspot=local-dst dst-port=443
protocol=tcp
Redirect all HTTPS login requests to the HTTPS login servlet. The 64875 is HotSpot
HTTPS servlet port.
6 D chain=hotspot action=jump jump-target=hs-unauth hotspot=!auth
protocol=tcp
All other packets except DNS and login requests from unauthorized clients should pass
through the hs-unauth chain.
7 D chain=hotspot action=jump jump-target=hs-auth hotspot=auth protocol=tcp
And packets from the authorized clients - through the hs-auth chain.
8 D chain=hs-unauth action=return dst-address=66.228.113.26 dst-port=80
protocol=tcp
First in the hs-unauth chain is put everything that affects TCP protocol in the /ip hotspot
walled-garden ip submenu (i.e., everything where either protocol is not set, or set to
TCP). Here we are excluding www.WAP/CAP.com from being redirected to the login
page.
9 D chain=hs-unauth action=redirect to-ports=64874 dst-port=80 protocol=tcp
All other HTTP requests are redirected to the Walled Garden proxy server which listens
the 64874 port. If there is an allow entry in the /ip hotspot walled-garden menu for an
HTTP request, it is being forwarded to the destination. Otherwise, the request will be
automatically redirected to the HotSpot login servlet (port 64873).
10 D chain=hs-unauth action=redirect to-ports=64874 dst-port=3128 protocol=tcp
11 D chain=hs-unauth action=redirect to-ports=64874 dst-port=8080 protocol=tcp
HotSpot by default assumes that only these ports may be used for HTTP proxy requests.
These two entries are used to "catch" client requests to unknown proxies (you can add
more rules here for other ports). I.e., to make it possible for the clients with unknown
proxy settings to work with the HotSpot system. This feature is called "Universal Proxy".
If it is detected that a client is using some proxy server, the system will automatically
mark that packets with the http hotspot mark to work around the unknown proxy
problem, as we will see later on. Note that the port used (64874) is the same as for HTTP
requests in the rule #9 (so both HTTP and HTTP proxy requests are processed by the
same code).
12 D chain=hs-unauth action=redirect to-ports=64875 dst-port=443 protocol=tcp
HTTPS proxy is listening on the 64875 port.
13 I chain=hs-unauth action=jump jump-target=hs-smtp dst-port=25 protocol=tcp
Redirect for SMTP protocol may also be defined in the HotSpot configuration. In case it
is, a redirect rule will be put in the hs-smtp chain. This is done so that users with
unknown SMTP configuration would be able to send their mail through the service
provider's (your) SMTP server instead of going to the [possibly unavailable outside their
network of origin] SMTP server users have configured on their computers. The chain is
empty by default, hence the invalid jump rule.
14 D chain=hs-auth action=redirect to-ports=64874 hotspot=http protocol=tcp
Providing HTTP proxy service for authorized users. Authenticated user requests may
need to be subject to transparent proxying (the "Universal Proxy" technique and
advertisement feature). This http mark is put automatically on the HTTP proxy requests
to the servers detected by the HotSpot HTTP proxy (the one that is listening on the 64874
port) as HTTP proxy requests for unknown proxy servers. This is done so that users that
have some proxy settings would use the HotSpot gateway instead of the [possibly
unavailable outside their network of origin] proxy server users have configured in their
computers. This mark is also applied when an advertisement is due to be shown to the user,
as well as on any HTTP requests made from users whose profile is configured to
transparently proxy their requests.
15 I chain=hs-auth action=jump jump-target=hs-smtp dst-port=25 protocol=tcp
Providing SMTP proxy for authorized users (the same as in rule #13).
Packet Filtering
From /ip firewall filter print dynamic command, you can get something like this
(comments follow after each of the rules):
0 chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
Any packet that traverses the router from an unauthorized client will be sent to the hs-unauth chain. The hs-unauth chain implements the IP-based Walled Garden filter.
1 chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth
Everything that comes to clients through the router, gets redirected to another chain,
called hs-unauth-to. This chain should reject unauthorized requests to the clients.
2 chain=input action=jump jump-target=hs-input hotspot=from-client
Everything that comes from clients to the router itself, gets to yet another chain, called
hs-input.
3 I chain=hs-input action=jump jump-target=pre-hs-input
Before proceeding with [predefined] dynamic rules, the packet gets to the
administratively controlled pre-hs-input chain, which is empty by default, hence the
invalid state of the jump rule.
4 chain=hs-input action=accept dst-port=64872 protocol=udp
5 chain=hs-input action=accept dst-port=64872-64875 protocol=tcp
Allow client access to the local authentication and proxy services (as described earlier).
6 chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth
All other traffic from unauthorized clients to the router itself will be treated the same way
as the traffic traversing the routers.
7 chain=hs-unauth action=return protocol=icmp
8 chain=hs-unauth action=return dst-address=66.228.113.26 dst-port=80 protocol=tcp
Unlike the NAT table, where only the TCP-related Walled Garden entries were added, the
packet filter hs-unauth chain receives everything you have set in the /ip hotspot
walled-garden ip menu. That is why, although you saw only one entry in the NAT
table, there are two rules here.
9 chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp
10 chain=hs-unauth action=reject reject-with=icmp-net-prohibited
Everything else that has not been whitelisted by the Walled Garden will be rejected.
Note the use of TCP Reset for rejecting TCP connections: the client gets an immediate
connection refusal instead of waiting for a timeout.
11 chain=hs-unauth-to action=return protocol=icmp
12 chain=hs-unauth-to action=return src-address=66.228.113.26 src-port=80 protocol=tcp
Same action as in rules #7 and #8 is performed for the packets destined to the clients
(chain hs-unauth-to) as well.
13 chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited
Reject all packets to the clients with ICMP reject message.
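To see how these dynamic chains interact, here is an added example (not from the guide and not RouterOS code) that interprets the jump, return, accept and reject rules listed above and runs constructed packets through them: an unauthenticated client's HTTP request to the walled-garden host 66.228.113.26 returns to the forward chain and is left to the static rules, the same request to any other host gets the tcp-reset, a connection to the router's own SSH port on input ends up in hs-unauth via hs-input, and the servlet ports 64872-64875 are accepted. The packet addresses, the mark sets (UNAUTH, AUTH) and the verdict strings are assumptions made for the illustration.

```python
"""Interpreter for the dynamic HotSpot filter chains listed under "Packet Filtering".
Added example, not code from the guide or from RouterOS.  'return' (or reaching the
end of a user chain) resumes the calling chain after the jump rule; a packet that no
dynamic rule decides falls through to the static rules.  Packets are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CONTINUE = "continue (no dynamic rule decided; static rules apply)"


@dataclass
class Packet:
    chain: str                          # entry chain: "forward" or "input"
    protocol: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    hotspot: frozenset = frozenset()    # HotSpot marks, e.g. {"from-client", "auth"}


@dataclass
class Rule:
    action: str                         # "accept", "reject", "return" or "jump"
    match: Dict[str, object] = field(default_factory=dict)
    jump_target: Optional[str] = None
    reject_with: Optional[str] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """All matchers must hold; a port matcher may be an int or a (low, high) range."""
    for key, want in rule.match.items():
        have = getattr(pkt, key)
        if key == "hotspot":            # "from-client,!auth": flags present, !flags absent
            for flag in want.split(","):
                if (flag.lstrip("!") in have) == flag.startswith("!"):
                    return False
        elif isinstance(want, tuple):
            if have is None or not want[0] <= have <= want[1]:
                return False
        elif have != want:
            return False
    return True


def walk(chains: Dict[str, List[Rule]], chain: str, pkt: Packet, depth: int = 0) -> Optional[str]:
    """Verdict string, or None when the chain returned or ran out of rules."""
    if depth > 16:
        raise RecursionError("jump loop between chains")
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        if rule.action == "jump":
            result = walk(chains, rule.jump_target, pkt, depth + 1)
            if result is not None:
                return result
            continue                    # target chain returned: carry on here
        if rule.action == "return":
            return None
        if rule.action == "reject":
            return f"reject ({rule.reject_with})"
        return rule.action              # accept
    return None


def verdict(chains: Dict[str, List[Rule]], pkt: Packet) -> str:
    result = walk(chains, pkt.chain, pkt)
    return CONTINUE if result is None else result


GARDEN = "66.228.113.26"                # the walled-garden host in the listing
# Numbers in comments are the rule numbers of the "print dynamic" output above.
HOTSPOT_CHAINS: Dict[str, List[Rule]] = {
    "forward": [
        Rule("jump", {"hotspot": "from-client,!auth"}, jump_target="hs-unauth"),     # 0
        Rule("jump", {"hotspot": "to-client,!auth"}, jump_target="hs-unauth-to"),    # 1
    ],
    "input": [Rule("jump", {"hotspot": "from-client"}, jump_target="hs-input")],     # 2
    "hs-input": [
        Rule("jump", {}, jump_target="pre-hs-input"),                                # 3
        Rule("accept", {"protocol": "udp", "dst_port": 64872}),                      # 4
        Rule("accept", {"protocol": "tcp", "dst_port": (64872, 64875)}),             # 5
        Rule("jump", {"hotspot": "!auth"}, jump_target="hs-unauth"),                 # 6
    ],
    "pre-hs-input": [],                                                              # empty by default
    "hs-unauth": [
        Rule("return", {"protocol": "icmp"}),                                        # 7
        Rule("return", {"protocol": "tcp", "dst": GARDEN, "dst_port": 80}),          # 8
        Rule("reject", {"protocol": "tcp"}, reject_with="tcp-reset"),                # 9
        Rule("reject", {}, reject_with="icmp-net-prohibited"),                       # 10
    ],
    "hs-unauth-to": [
        Rule("return", {"protocol": "icmp"}),                                        # 11
        Rule("return", {"protocol": "tcp", "src": GARDEN, "src_port": 80}),          # 12
        Rule("reject", {}, reject_with="icmp-host-prohibited"),                      # 13
    ],
}

UNAUTH = frozenset({"from-client"})     # constructed: client seen, not logged in
AUTH = frozenset({"from-client", "auth"})


def unauth_http(dst: str) -> Packet:
    """Constructed packet: an unauthenticated client opening HTTP to dst."""
    return Packet("forward", "tcp", "10.5.50.2", dst, dst_port=80, hotspot=UNAUTH)
```

Call verdict(HOTSPOT_CHAINS, unauth_http("203.0.113.9")) and compare it with verdict(HOTSPOT_CHAINS, unauth_http(GARDEN)) to watch rule #8 return the walled-garden request to the forward chain while rule #9 resets everything else; add a Rule to the "pre-hs-input" list to see where an administrator's own exception would take effect.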
Redirection (Port Forwarding)
Forwarding a port to an internal IP
This example shows how to forward the Windows Remote Desktop port (TCP 3389) to an
internal host using destination NAT. 61.219.45.xxx is the example WAN IP and 192.168.1.102
is the internal destination.
To allow only selected source addresses to reach Remote Desktop (or any other service), we
first create an Address List and group the permitted hosts in it. In RouterOS, click on
IP > Firewall > Address Lists:
/ip firewall address-list add address=175.182.64.37 list=dev_list \
comment="external allowable development list"
/ip firewall address-list add address=1.34.156.44 list=dev_list
/ip firewall address-list add address=114.33.213.47 list=dev_list
Add a rule allowing access to the internal server from those external hosts only. The
src-address-list matcher is what keeps 3389 from being reachable from the whole Internet;
without it the forward is open to anyone who can reach the WAN IP:
/ip firewall nat add chain=dstnat disabled=no src-address-list=dev_list \
dst-address=61.219.45.xxx protocol=tcp dst-port=3389 action=dst-nat to-addresses=192.168.1.102 \
to-ports=3389 place-before=0 comment="Remote Desktop"
My test script would be:
/ip firewall nat add chain=dstnat disabled=no src-address-list=dev_list \
dst-address=10.1.1.227 protocol=tcp dst-port=3389 action=dst-nat to-addresses=192.168.1.253 \
to-ports=3389 place-before=0 comment="Remote Desktop"
Changing WAP/CAP settings to provide access to internal
devices
Our main network uses a gateway box running WAP/CAP software. If we want to
monitor boxes via snmp or access the admin interfaces of a device within the network, we
configure WAP/CAP to forward traffic appropriately.
The general approach is to pick a port number and then have WAP/CAP forward all
traffic that comes into that port on the main IP to the specific device, remapping the port
in the process.
Typically we need either http, https or ssh access and also snmp. As the former are tcp
protocols and the latter is udp, we use the same port number for both to simplify things a
little.
Here are the basic steps for adding a new device to the forwarded list using the WAP/CAP
winbox interface.
For the following example, we assume port 1234 and an internal destination IP of
10.0.0.250.
1. Go to IP -> Firewall and open the NAT tab (Destination NAT in older versions)
2. Click on the '+' symbol and fill in the following on the resulting dialog:
   1. 'Chain' is dstnat
   2. 'In Interface' choose the WAN interface
   3. 'Dst Address' enter the outside IP, 66.93.33.41/32
   4. 'Protocol' select tcp
   5. 'Dst Port' select the right hand side checkbox and enter 1234
3. Click on the 'Action' tab (previously on General) and
   1. Action is set to dst-nat
   2. To Addresses is set to 10.0.0.250
   3. To Ports is set to 80 for http (or 22 for ssh, or 443 for https)
4. Click on OK to save the rule
5. Scroll to the bottom of the list where the new rule will appear
6. Select the rule by clicking on it, then click on the yellow 'comment' button on the
toolbar and name the rule (e.g. HTTP to SH ap2)
7. drag the rule up match to the other similar rules.
Note that the winbox UI gets confused with dragging sometimes. If you suspect this, log
out of winbox and log back in again - its possible to cause major damage to rulesets by
dragging them when the UI is messed up.
Now the outside world can get into the AP, but it can't get out because of the captive
portal. The following steps allow it to bypass the portal:
1. On the IP -> Firewall window, click on the Filter Rules tab
2. In the dropdown on the right hand side, choose "Hotspot temp"
3. Click on the red '+' and in the resulting box:
4. Under the 'Action' tab, change Action to 'return'
5. Under the 'General' tab, set Src Address to 10.0.0.250/32
6. Click on OK
7. In the resulting rule list, drag the rule above the last rule and add a comment using
the yellow comment button
That's it. You should now be able to access the box from the outside using a URL like
https://66.93.33.41:1234 (use http:// if you forwarded port 1234 to the device's port 80).
Because this return rule exempts everything the device at 10.0.0.250 sends from the captive
portal, restrict who can reach the forwarded port with src-address-list on the NAT rule, as in
the Remote Desktop example.
Redirect Mail Traffic to a Specified Server
This is for when you want mail traffic arriving at your router to be handled by your own
mail server. It is useful if you have many clients from different locations connecting to
your network at different times. (If you are using Hotspot you can do this in the Hotspot
settings instead.)
/ip firewall nat add chain=dstnat dst-address=61.219.45.XXX protocol=tcp dst-port=25 \
action=dst-nat to-addresses=192.168.1.199 to-ports=25 comment="forward mail server" \
place-before=0
This forwards all SMTP (port 25) connections addressed to the WAN IP 61.219.45.XXX to the
internal mail server at 192.168.1.199. Because the rule matches on dst-address, it only
catches connections made to the router's own address; to intercept outbound SMTP from LAN
clients (the "unknown SMTP server" case described under the hotspot rules), match on the
LAN in-interface or source range instead of dst-address.
Use the IP 192.168.1.1 rather than the host name 'wireless1' when pointing clients at the
router, so they can connect directly without an entry for 'wireless1' in the Windows hosts
file.
Utilizing Port Forwarding on WAP/CAP Router
Port forwarding (destination NAT) maps a port on the router's public IP to a host and port on
the local network. It is generally used to reach a local server from outside the LAN: a web
server is the usual case, but the same applies to other services such as a file server, mail
server, SSH server, VNC server, and more.
Assumptions:
Public IP from your ISP: 180.241.111.312 (placeholder; the last octet exceeds 255, so this
is not a valid IPv4 address and RouterOS will not accept it. Substitute your own public IP.)
Local IPs:
- Web server: 192.168.1.10
- File server: 192.168.1.20
- SSH server: 192.168.1.30
Forward IP to Web Server
Because web servers generally listen on port 80, in this case we forward port 80.
Open a new terminal in Winbox and type the following command:
/ip firewall nat add chain=dstnat dst-address=180.241.111.312 protocol=tcp dst-port=80 \
action=dst-nat to-addresses=192.168.1.10 to-ports=80 comment="forward web server"
Forward IP for File Server
A Samba file server generally listens on port 139 (and 445), so here we forward port 139.
Open a new terminal in Winbox and type the following command:
/ip firewall nat add chain=dstnat dst-address=180.241.111.312 protocol=tcp dst-port=139 \
action=dst-nat to-addresses=192.168.1.20 to-ports=139 comment="forward file server"
Exposing SMB to the Internet is rarely a good idea; if you must, restrict the rule with
src-address-list to the hosts that need it, as in the Remote Desktop example above.
Other services are handled the same way as in the examples above: change to-addresses to
the server's IP and change the ports.
Note:
dst-port does not have to match the port the service itself listens on. For example, to
forward ip_public:3000 to the SSH server (port 22), we can use the following:
/ip firewall nat add chain=dstnat dst-address=180.241.111.312 protocol=tcp dst-port=3000 \
action=dst-nat to-addresses=192.168.1.30 to-ports=22 comment="forward SSH server"
This keeps the router's own default port untouched: an SSH client connecting to the public
IP on port 22 still reaches the SSH service on the WAP/CAP router itself, while a connection
to the public IP on port 3000 is forwarded to the SSH server on the local computer
192.168.1.30.
Allowing Ports Through A WAP/CAP Firewall
As the Internet is about sharing information, at some point you'll want to allow specific
traffic through your router. Generally you want these rules sandwiched between your
rules looking for bad traffic and the final rules that drop any leftover unknown traffic (in
essence, drop traffic that we don't explicitly allow here). Listed below are some
examples. The matcher for the server's address in a filter rule is dst-address; RouterOS has
no dst-to-address parameter, and a rule using that spelling will not import.
Assumptions:
Router LAN IP: 192.168.25.1
Server LAN IP: 192.168.25.50
Server WAN IP: 10.0.0.20
Redundant Router WAN IP: 10.0.0.10
Allow Invited Traffic Back In
This emulates basic NAT traversal theory, as we want to block uninvited incoming traffic,
but allow traffic across those ports to come back in once the connection is established (in
short, don’t allow people inside your network unless someone inside your network has
invited the traffic in).
/ip firewall filter
add chain=forward connection-state=established action=accept comment="Play nice with invited traffic, part 1"
add chain=forward connection-state=related action=accept comment="Play nice with invited traffic, part 2"
Ping Responder (ICMP)
/ip firewall filter
add chain=input protocol=icmp action=accept comment="Respond to ICMP"
add chain=forward dst-address=192.168.25.50 protocol=icmp action=accept comment="If I have a public IP I'm forwarding directly to a server, I may want to add this, otherwise leave this out"
FTP Server
/ip firewall filter
add chain=forward dst-address=192.168.25.50 protocol=tcp dst-port=21 action=accept comment="Allow FTP Control Port"
add chain=forward dst-address=192.168.25.50 protocol=tcp dst-port=20 action=accept comment="Allow FTP Transfer Port"
add chain=forward dst-address=192.168.25.50 protocol=tcp dst-port=10000-10019 action=accept comment="Allow limited Passive FTP port range"
The passive range 10000-10019 must match the range the FTP server is configured to use.
VRRP Traffic
/ip firewall filter
add chain=input protocol=ipsec-ah src-address=10.0.0.10/32 action=accept comment="Allow AH-authenticated VRRP traffic"
AH authenticates the VRRP advertisements from the redundant router but does not encrypt
them. If VRRP authentication is not set to ah, the advertisements are sent as IP protocol 112
and the rule needs protocol=vrrp instead.
HTTP/HTTPS Traffic
/ip firewall filter
add chain=forward dst-address=192.168.25.50 protocol=tcp dst-port=80 action=accept comment="Allow HTTP"
add chain=forward dst-address=192.168.25.50 protocol=tcp dst-port=443 action=accept comment="Allow HTTPS"
Problem Report
Specific answers require specific questions. When in doubt, post the output of "/ip
address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export",
and an accurate network diagram.
NAT redirection to a local web server not working
The Hotspot uses the dstnat chain as well - you can see the rules if you issue "/ip firewall
nat print all",
You can't redirect users just like that because the Hotspot grabs the traffic first. You will
have to use one of the hook chains to redirect before that happens. RouterOS provides a
'pre-hotspot' custom chain that the Hotspot will execute before doing its own work. Shift your
rule into that chain instead.
That said, you're redirecting all TCP traffic to a web server. That's probably not the best of
ideas. You should redirect HTTP only, and the firewall can identify that for you. An
adjusted rule is below. Also, your web server has to be set up to pretend to be any web
server in the world since clients will think they're talking to the real thing. That can be
problematic. You may want to use the proxy to overcome that problem. Whether that's
necessary depends on your web server.
Here is the corrected rule:
/ip firewall nat
add chain=pre-hotspot hotspot=http src-address-list=Blacklisted action=dst-nat to-addresses=192.168.100.4
With the proxy approach it would look like this:
/ip proxy
set enabled=yes
set port=8081
/ip proxy access
add action=allow disabled=no dst-address=192.168.100.4
add action=deny disabled=no redirect-to="http://192.168.100.4/whatever.html"
/ip firewall nat
add chain=pre-hotspot hotspot=http src-address-list=Blacklisted action=redirect to-ports=8081
Hotspot
Hardware
WAP/CAP 1100Hx2. It has a PowerPC 1066 MHz dual-core CPU and 1 GB RAM, as well
as thirteen Gigabit Ethernet ports. Hardware encryption is not supported.
Quick Access Guide
Web Browser (webfig GUI)
Type http://192.168.1.1 or http://192.168.1.1/webfig from the intranet, or the pre-defined IP of
your firewall:
After authentication, you will reach the main page of the firewall. Please refer to the
WAP/CAP wiki at the link above for details of each function.
Winbox Access
You can download the winbox program from the CD (utilities\winbox.exe) or from the WAP/CAP web
site:
You can install winbox.exe on any Windows machine. A Linux build of winbox is
available as well.
Winbox and the Webfig GUI expose the same menus and settings.
Neighborhood button “…”
Once you click Connect and authenticate, you will be redirected to the main page:
You can also type in an external IP address for remote management, with firewall rules
restricting which sources may connect.
Winbox Remote Access
Create an Input rule to allow Port 8291 from the internet.
/ip firewall filter add action=accept chain=input disabled=no dst-port=8291 protocol=tcp place-before=0 comment="Winbox"
Here place-before=0 is to be sure to place it above any rules dropping input.
Optional:
/ip firewall filter add action=accept chain=input disabled=no dst-port=80 protocol=tcp
place-before=3
/ip firewall filter add action=accept chain=input disabled=no dst-port=22 protocol=tcp
place-before=3
I would also consider specifying which hosts can connect rather than leaving it wide
open.
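The recipes above (the Remote Desktop forward restricted by an address list, the file-server and SSH forwards, the FTP/HTTP allow rules and the Winbox input rule) all depend on a dst-nat or accept rule being limited to trusted sources. The following added example, which is not part of the guide and not a WiBorne or RouterOS tool, parses the text of a `/ip firewall export` and flags sensitive ports forwarded or accepted from any source, the `dst-to-address` spelling that RouterOS does not recognise, and `dst-port` used without `protocol`. The export it reads is constructed for the illustration, and SENSITIVE_PORTS and KNOWN_KEYS are assumed subsets to extend for your own configuration.

```python
"""Audit a RouterOS '/ip firewall export' for the exposures the port-forwarding
and allow-rule recipes above can introduce.

Added example, not part of the guide and not a RouterOS or WiBorne tool.
SAMPLE_EXPORT is constructed for the illustration; SENSITIVE_PORTS and
KNOWN_KEYS are small subsets that a real deployment would extend.
"""
import shlex
from typing import Dict, Iterator, List, Set, Tuple

# Services a practitioner would not expose without a source restriction (assumption).
SENSITIVE_PORTS: Set[int] = {21, 22, 23, 139, 445, 3389, 5900, 8291, 8728, 8729}
SOURCE_KEYS = {"src-address", "src-address-list"}
# Subset of genuine RouterOS firewall parameters (assumption: extend as needed).
KNOWN_KEYS = {
    "chain", "action", "protocol", "src-address", "dst-address", "src-port",
    "dst-port", "src-address-list", "dst-address-list", "in-interface",
    "out-interface", "to-addresses", "to-ports", "comment", "connection-state",
    "hotspot", "place-before", "disabled", "address", "list", "reject-with",
}

# Constructed sample in export format; some rules deliberately repeat the
# weaknesses discussed above (unrestricted SMB forward, open Winbox, a typo).
SAMPLE_EXPORT = """\
/ip firewall address-list
add address=175.182.64.37 list=dev_list comment="external allowable development list"
/ip firewall nat
add chain=dstnat src-address-list=dev_list dst-address=61.219.45.10 protocol=tcp \\
    dst-port=3389 action=dst-nat to-addresses=192.168.1.102 to-ports=3389 comment="Remote Desktop"
add chain=dstnat dst-address=61.219.45.10 protocol=tcp dst-port=139 action=dst-nat \\
    to-addresses=192.168.1.20 to-ports=139 comment="forward file server"
add chain=srcnat out-interface=ether1 action=masquerade
/ip firewall filter
add chain=input protocol=tcp dst-port=8291 action=accept comment=Winbox
add chain=input protocol=tcp dst-port=8291 src-address-list=dev_list action=accept
add chain=forward dst-to-address=192.168.25.50 protocol=tcp dst-port=21 action=accept
add chain=input dst-port=22 action=accept
"""


def _join_continuations(text: str) -> List[str]:
    """Merge lines that end in a backslash, as the export format allows."""
    lines, buf = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        lines.append(buf + raw)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_export(text: str) -> Iterator[Tuple[str, Dict[str, str]]]:
    """Yield (section, {param: value}) for every 'add' line in the export."""
    section = ""
    for line in _join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)      # honours quoted values such as comment="..."
        if tokens and tokens[0] == "add":
            yield section, dict(tok.partition("=")[::2] for tok in tokens[1:])


def _port_ranges(spec: str) -> List[range]:
    """'80', '80,443' or '64872-64875' -> inclusive ranges."""
    out = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.append(range(int(lo), int(hi or lo) + 1))
    return out


def _touches_sensitive(spec: str) -> bool:
    return any(p in r for r in _port_ranges(spec) for p in SENSITIVE_PORTS)


def audit(text: str) -> List[str]:
    """Return one finding per problem; an empty list means nothing was flagged."""
    findings: List[str] = []
    counts: Dict[str, int] = {}
    for section, rule in parse_export(text):
        counts[section] = counts.get(section, 0) + 1
        tag = f"{section} #{counts[section] - 1}"
        for key in rule:
            if key not in KNOWN_KEYS:
                findings.append(f"{tag}: unrecognized parameter '{key}' (typo?)")
        if "dst-port" in rule and "protocol" not in rule:
            findings.append(f"{tag}: dst-port without protocol is rejected by RouterOS")
        port = rule.get("dst-port")
        exposed = bool(port) and _touches_sensitive(port) and SOURCE_KEYS.isdisjoint(rule)
        if section == "/ip firewall nat" and rule.get("action") in {"dst-nat", "redirect"} and exposed:
            findings.append(f"{tag}: forwards sensitive port {port} from any source")
        if section == "/ip firewall filter" and rule.get("chain") == "input" \
                and rule.get("action") == "accept" and exposed:
            findings.append(f"{tag}: accepts management port {port} on input from any source")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

Run it against the real thing by saving the output of `/ip firewall export` to a file and passing its contents to audit(); the sample flags the SMB forward, the unrestricted Winbox rule, the dst-to-address typo and the protocol-less SSH accept, and stays silent on the address-list-restricted Remote Desktop rule.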
If you have a live IP then just configure that on your WAN Interface otherwise if you are
using some DSL connection then contact your ISP to configure Port address translation
on DSL modem.
This works if I disable the drop rule in filter, but I believe it's not a good idea to do that.
How do I move this NAT rule above the filter rule to drop? In Winbox you can simply drag
the rule with your mouse to a position above the other rules.
I think the confusion is that everyone is assuming your drop rule is in filter, not NAT, as that is
typically where it would be.
Perhaps if you provide the rules we can clear up the confusion.
Paste the output of these commands into a reply.
In terminal window:
/ip firewall filter export
/ip firewall nat export
Access Router from anywhere in the world
It is possible to pass the connect-to, login and password parameters to winbox on the
command line so that it connects automatically:
winbox.exe [<connect-to> [<login> [<password>]]]
A password given this way is visible to other local users in the process list and may be
recorded in shell history, so prefer entering it interactively on shared machines.
Accessing a WAP/CAP router through WinBox over the internet
ADSL router in front of the firewall
Example with a D-Link DIR-825 (port forwarding):
http://support.dlink.com/emulators/dir825/Advanced.html#Gaming
Now from your winbox, type in external address of your gateway:
Windows Domain Active Directory as Radius Server
Network Policy Server (NPS)
You have to use RADIUS; on older server versions you would use the IAS service. This
can approve MAC addresses etc. You can also use 802.1X.
http://nejc.skoberne.net/2011/03/WAP/CAP-sstp-with-windows-sbs-2008-nps-radius/
How to setup RADIUS authentication on a Microsoft Windows Server 2012
http://www.youtube.com/watch?v=YmmObbL24lA
Securing Wireless Networks with Windows Server 2008 and NPS
http://techblog.mirabito.net.au/?p=87
Enabling support for Windows Network Policy Server (NPS)
http://windowsfortechs.blogspot.com/2010/05/understanding-new-windows-server2008.html
W2K8
http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=5023
How to extend the Windows Server 2008 evaluation period
http://support.microsoft.com/kb/948472
In the event the 30 day trial expires before you have finished with your research you
can extend the trial period 3 times from a command window with elevated privileges
using:
slmgr -rearm
http://mscerts.programming4.us/windows_server/windows%20server%202008%20%20
%20configuring%20network%20authentication%20(part%201).aspx
Authentication in Windows Server 2008 is provided by numerous infrastructure
components including Active Directory Domain Services, Group Policy, Public Key
Infrastructure, and RADIUS.
http://www.networkingnut.net/configuring-radius-server-on-windows-2008-r2-for-ciscodevice-logins/
Dude
Dude (c:\Program Files (x86)\Dude\dude.exe): right-click it, select Properties, click on the
Compatibility tab, then check "Run this program as an administrator". Kill the service,
start it again and voilà.
1. Install the dude agent package on the remote ROS device (done)
2. Install "the Dude" software on my windows 7 machine (done)
3. setup a remote connection on "The Dude" software of my windows machine by going
to "Settings", clicking on the "Agents" tab, and adding a new agent. Address is the
external, routable IP of the ROS device hosting the remote network, Username and
Password are the same as the Username and Password used to connect to ROS either
through winbox or web or whatever. (done)
4. Once I have hit "Apply" in the "New Agent" window it should connect and give me a
pretty little blue checkmark. (no blue checkmark, only red x)
Example: my Dude service is a Windows 2003 x64 1.5 GB RAM (sphere VM); the server is in
a domain and has remote desktop enabled.
Normally Dude opens a socket on 2210 tcp and 2211 tcp (both also udp). When a user
connects from a remote network with the client, all goes well.
Here is the problem :) When someone goes into a remote desktop session and opens Dude directly
from the server, Dude opens a new socket on 2210 and 2211 but does not close them after exit.
Then I had 8 sockets on port 2210 and on port 2211. Now when I try to establish a
connection, I suppose that the client asks a wrong socket and sometimes gets the right
one and lets me log in.
To solve this problem and let my users use remote desktop I have created a RemoteApp
Windows server and I have published the Dude client as a remote app (on a different server), so
wherever the users need it they can connect to Dude via RD Web as if the application were locally
installed on the client.
So I've got the Dude module installed at a deployment and seem to be having some
difficulty with it. The package is running and can be observed in Tools>Profile.
I can telnet to ports 2210 and 2211. There is no banner to confirm that it's The Dude
accepting the connection, but I can tell that it is being established.
Click the Connect button to disconnect from the Local Server.
Now click Connect button again:
You will have choice to select different server. Choose Remote, then type in password. If
you are a new installation for Dude on Firewall as remote agent then it could be
blank as password.
More Detailed Example:
Once connected, you can choose network range for Discover:
You can scan 192.168.1.0/24 and 192.168.4.0/24 to shorten the Discover time.
Now you will see the session below show up:
(from 192.168.1.102)
We choose Scan network to be 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, and
192.168.4.0/24
Health of HP printer (192.168.1.116)
For example, you can see health of HP printer 192.168.1.116
Show activities for ERP (192.168.1.105)
Dude->Devices, choose 192.168.1.105:
(times are shown in California PST when viewed from CA)
Send email notification if server or service is down
Notification-> choose “+” to add new notification->email->fill in below body:
Any Outages?
You can see that HP4600 is low with memory / disk:
See if any dropped devices:
Syslog server:
Syslog files are saved on c:\programm files\Dude\data\files
To change password for Dude agent on Firewall
Click on the admins panel in the list, add users as needed.
You can click Settings next to Discover, and define a new map:
Firewall setting to allow Dude connection:
You can add a firewall rule to allow specific IP for connection with Dude agent:
add chain=input protocol=tcp dst-port=2210-2211 src-address-list=dev_list action=accept \
comment="Dude Agent allowed"
The agent listens on 2210 and 2211 (TCP, and also UDP), so limit both to the address list of
the Dude servers rather than leaving them open to every source.
Dude as a Windows service
Use this option:
One thing: Dude appears in the process list and not in the services list of Task Manager.
Initial Setup
This is the initial setup configuration with which you can secure your router, create an
Internet connection and share it with the rest of the network.
Quick Setup
This guide will help you in setting up . . .
# a HOTSPOT server,
# DHCP that assigns users an IP address from the 172.16.0.1-172.16.0.255 pool.
Change it accordingly.
# Two speed / rate limit profiles, 256k and 512k; it will add a new user 'zaib' with
password=test and the 512k profile, and a user 'test-256k' with password=test and the 256k limit.
# A default route to the Internet via the DSL router IP 192.168.2.2. Change it
accordingly.
In this examples, WAP/CAP have two interface cards.
Ether1 LAN = 172.16.0.1 / Connected with LAN/Hotspot users
Ether2 WAN = 192.168.2.1 / Connected with DSL router
DSL Router = 192.168.2.2
Script Starts Below.
/ip address
add address=172.16.0.1/24 comment=LAN disabled=no interface=ether1
network=172.16.0.0
add address=192.168.2.1/24 comment=WAN disabled=no interface=ether2
network=192.168.2.0
/ip pool
add name=hs-pool-1 ranges=172.16.0.10-172.16.0.255
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=10000KiB max-udp-packet-size=512 servers=192.168.2.2
/ip dhcp-server
add address-pool=hs-pool-1 authoritative=after-2sec-delay bootp-support=static
disabled=no interface=ether1 lease-time=1h name=dhcp1
/ip dhcp-server config set store-leases-disk=5m
/ip dhcp-server network add address=172.16.0.0/24 comment="hotspot network"
gateway=172.16.0.1
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit=""
smtp-server=0.0.0.0 split-user-domain=no use-radius=no
add dns-name=login.aacable.net hotspot-address=172.16.0.1 html-directory=hotspot
http-cookie-lifetime=1d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=hsprof1
rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot
add address-pool=hs-pool-1 addresses-per-mac=2 disabled=no idle-timeout=5m
interface=ether1 keepalive-timeout=none name=hotspot1 profile=hsprof1
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=1
status-autorefresh=1m transparent-proxy=no
add address-pool=hs-pool-1 advertise=no idle-timeout=none keepalive-timeout=2m
name="512k Limit" open-status-page=always rate-limit=512k/512k shared-users=1
status-autorefresh=1m transparent-proxy=yes
add address-pool=hs-pool-1 advertise=no idle-timeout=none keepalive-timeout=2m
name="256k Limit" open-status-page=always rate-limit=256k/256k shared-users=1
status-autorefresh=1m transparent-proxy=yes
/ip hotspot service-port set ftp disabled=yes ports=21
/ip hotspot walled-garden ip add action=accept disabled=no dst-address=172.16.0.1
(may not be needed)
/ip hotspot set numbers=hotspot1 address-pool=none
/ip firewall nat add action=masquerade chain=srcnat disabled=no
/ip hotspot user
# sample credentials: replace these before putting the hotspot into service
add disabled=no name=admin password=123 profile=default
add disabled=no name=zaib password=test profile="512k Limit" server=hotspot1
add disabled=no name=test-256k password=test profile="256k Limit" server=hotspot1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.2 scope=30 target-scope=10
(you must have the route above before you can ping an outside URL; the gateway is the DSL
router on the WAN side, 192.168.2.2 in this example, so change it to match yours)
Other example:
Install Dude agent on Firewall
Drag dude-3.6-ppc.npk onto Winbox (any blank area), you will see this package is shown
on File:
System reboot
System->Packages:
Setup Internet Connection (WAN)
The basic requirement is to configure ether1 with the following steps. For example, your
WAN IP can be assigned as 10.1.1.228 on ether1: IP->Addresses
Below, ETH13 has been assigned to the WAN (external) side; the rest are LAN ports (192.168.0.0/16).
/ip address
add address=10.1.1.228/24 comment=WAN disabled=no interface=ether1
network=10.1.1.0
add address=192.168.1.1/16 comment=LAN disabled=no interface=bridge1
network=192.168.0.0
If your ISP is using DHCP use this command
/ip dhcp-client add interface=ether1 add-default-route=yes use-peer-dns=yes
disabled=no
If your ISP is using PPPoE use this command
/interface pppoe-client add user=<pppoe_username> password=<pppoe_password>
interface=ether1 add-default-route=yes use-peer-dns=yes disabled=no
Set your masquerade rules for allowing internet traffic to your network
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
Assume IP address of DSL Router is 10.1.1.1:
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.1.1.1
scope=30 target-scope=10
Once an IP address is assigned, use Winbox (download from the first time setup page) to
do the remainder of the setup, or use web browser with http://10.1.1.228/webfig/ :
Change the Admin Password
System->Password
Script to change the admin user password, and add new username with full privileges.
/user set admin password=putpasshere
/user add name=<myusername> password=<mypassword> group=full disabled=no
Disable services that you are not using
IP->Services
Script:
List the services on your router
/ip service print
This will return something like this
Flags: X - disabled, I - invalid
 #   NAME      PORT  ADDRESS  CERTIFICATE
 0 X telnet    23
 1 X ftp       21
 2   www       80
 3   ssh       22
 4 X www-ssl   443            none
 5 X api       8728
 6   winbox    8291
Disable the services you don't need
/ip service disable <name>
The services you keep (here www, ssh and winbox) answer on every interface, including the
WAN, unless you set their address parameter to the management networks that should reach
them; do that before exposing the router to the Internet.
Setting NTP services for time synchronization
System Clock
You can find the closest time server from this page.
Setup your timezone and NTP servers: System->Clock
/system clock set time-zone=Asia/Taipei
NTP Services (SNTP Client)
/system ntp client set enabled=yes primary-ntp=<Server_IP_1> secondary-ntp=<Server_IP_2> mode=unicast
e.g., pool.ntp.org, time.stdtime.gov.tw; tw.pool.ntp.org
/system ntp client set enabled=yes primary-ntp=220.133.13.3 secondary-ntp=59.124.196.84 mode=unicast
To verify it: /system ntp client print
It depends on whether you have ntp package installed or not, you can check it in /system
packages.
If it is installed you can configure ntp client, if not you can configure sntp client, which is
practically the same. Now to configure ntp client go to System ntp client, there select
enabled, mode=unicast, primary server=europe.pool.ntp.org and secondary
server=time.nist.gov
System->SNTP Client:
Once you click Apply, it would show:
Enable DNS Remote Requests
To be able to use your router as a DNS server for your LAN you need to enable DNS Remote
Requests on your router. With this enabled the router also answers queries arriving on the
WAN interface, which makes it an open resolver that can be abused for DNS amplification, so
drop UDP and TCP port 53 from the WAN interface in the input chain at the same time.
IP->DNS
/ip dns set allow-remote-requests=yes
Setup Intranet Connection (lan ports, or bridge1)
We want to bridge the rest of the ethernet ports (ether) for intranet connectivity, other than
the WAN port (ether1 in the example above).
Select the Bridge menu, the Bridge tab, and click Settings.
Click (add); the New Interface window appears on its General tab. Nothing needs to change
from the default settings provided by RouterOS; just replace the bridge name. Finish with
Apply and OK.
To avoid bridge loops, we use the STP / RSTP feature: choose Protocol Mode RSTP.
Setting Bridge Port
Select the Ports tab and click (add); the New Bridge Port window pops up. Only the
Interface field needs to be changed, to the ether port that is to join the bridge.
Add all LAN ports (every ether except the WAN port) to bridge1.
Setting DHCP Server
(we may need to configure the hotspot below first, then set up the DHCP server afterwards)
IP->DHCP Server
/ip dhcp-server
add address-pool=hs-pool-4 authoritative=after-2sec-delay bootp-support=static
disabled=no interface=bridge1 lease-time=1h name=dhcp1
/ip dhcp-server config set store-leases-disk=5m
/ip dhcp-server network add address=192.168.0.0/16 comment="hotspot network" gateway=192.168.1.1
(the network address must be the /16 boundary, 192.168.0.0, matching the bridge1 address 192.168.1.1/16 set above)
You will see IP->Addresses shown as:
Date and Time
RouterBOARDs do not have batteries that keep time when the routers shut down or are
power cycled. Because of this the routers will reset their internal time to January 1st,
1970 when they reboot. NTP is a protocol that allows devices to sync their time over the
network. This is necessary for the router to have the correct time. Having the correct time
is usually a good idea simply because it allows log entries (which are timestamped) to
make sense when troubleshooting. It's hard to do the math and figure out what the real
timestamps are when the router's current date shows March 19, 1971 and the log
shows an interface went down on March 17, 1971 at 12:05.
To configure NTP requires NTP servers to sync again. The best option for this is to go to
the NTP Pool Project web site and find a pool close to you.
There are two different NTP options: you can install the NTP package and get a full NTP
server and client, or you can use the simple NTP client built into the base package. This
manual only shows the simple client.
Example network
Because people tend to blindly copy and paste from tutorials the below NTP server
addresses do not work: 2.2.2.2 and 3.3.3.3 are not a valid NTP server. Please find one or
more public NTP servers near you instead and replace their IP addresses below.
/system ntp client
set enabled=yes primary-ntp=2.2.2.2 secondary-ntp=3.3.3.3
Setup Hotspot
Server Setup
Add the hotspot service to bridge1 (or any other ether port - just replace references
whatever ethernet port you are using below) by going IP -> Hotspot and then clicking
Hotspot Setup:
Step 1
Let's add the hotspot service to bridge1. Click IP -> HotSpot and, in the Hotspot Setup box,
choose bridge1 as the hotspot interface. You can accept the default values but choose none for
the certificate. Leave the IP as it is (192.168.x.x). If you change this IP, the LOGIN and
LOGOUT links will not work on your splash page.
Select the interface which you want the hotspot server to run on. In this guide we run it
on bridge1; you can equally select a wireless interface (wlan1), any Ethernet interface, or
another bridge from the list.
/ip hotspot profile
set default dns-name="hotspot.com" hotspot-address=192.168.1.1 html-directory=hotspot \
    http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default \
    rate-limit="" smtp-server=192.168.1.199 split-user-domain=no use-radius=no
add dns-name=hotspot.com hotspot-address=192.168.1.1 html-directory=hotspot \
    http-cookie-lifetime=1d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=hsprof1 \
    rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot
add address-pool=hs-pool-14 addresses-per-mac=2 disabled=no idle-timeout=5m \
    interface=bridge1 keepalive-timeout=none name=hotspot1 profile=hsprof1
Step 2
In step 2 it asks for the IP address of the server; by default it detects the address set
on the interface selected in step 1. Just press NEXT.
Step 3
In step 3 it asks for the IP range the DHCP server will use to hand out addresses to
clients. You can lengthen or shorten the range; make sure it does not overlap addresses
already in use on that network. The example uses two ranges:
192.168.1.8-192.168.1.98
192.168.2.1-192.168.4.254
When done press NEXT.
/ip pool
add name=hs-pool-14 ranges=192.168.1.8-192.168.1.98,192.168.2.1-192.168.4.254
Later you can also modify it from Winbox: IP->IP Pool,
[admin@Wireless1] /ip pool> print
 # NAME         RANGES
 0 hs-pool-14   192.168.1.8-192.168.1.98
                192.168.2.1-192.168.4.254
Step 4
In step 4 it asks you to select a certificate for the server. Select NONE and press NEXT.
(Without a certificate the login page is served over plain HTTP; see the Login By notes
below.)
Step 5
In step 5, enter the IP of your SMTP (e-mail) server if you have one; otherwise leave the
default 0.0.0.0.
Step 6
In step 6 it asks for your DNS server's IP address. This was configured in the first task,
so nothing needs changing here. Just press NEXT.
Step 7
Enter the DNS name of the hotspot login page. You can put any domain name here, but
remember that this is the name clients are redirected to for the login page, so it must not
collide with a real site you want clients to reach.
Step 8
Create the very first user account that can log in to this hotspot network.
The hotspot server is now created.
Now connect your computer or smartphone to the interface running the hotspot server to
try it; in this case that is the intranet or wireless network.
You can see corresponding hotspot profile:
DNS Name: the DNS name, or the IP address if no name is given, of the HotSpot servlet
(e.g. "hotspot.example.net"). If you have no DNS name set up, use the IP address so that
clients can be redirected to the login page without an entry for the hotspot name in the
hosts file of their Windows system directory.
Rate Limit: the default data-rate limit applied to users whose profile sets no bandwidth
limit. The format is rx/tx as seen by the router, i.e. client upload/download; for example
64k/128k limits upload to 64 kbit/s and download to 128 kbit/s.
Your hotspot server is ready and configured. If you now receive a message saying Router
Disconnected, don't worry; that is the hotspot doing its job. First log in to the hotspot
with the user name and password you created in step 8, then open WinBox again and go to
IP > Hotspot.
Now we will change some of the default settings to make the hotspot work better.
In the Servers tab you will see a server named "hotspot1". Double-click it and change
"Addresses per MAC" to 1 for better security (one client address per MAC address).
If you want hotspot users to communicate with each other on the LAN, set Address Pool to
none instead of the created hs-pool-14; this turns off the one-to-one NAT. See the section
"HOTSPOT users can't communicate with each other on LAN or PROXY-ARP issue". Bear in mind
that this is the opposite of the client isolation recommended under Secure WAP/CAP Hotspot.
In the Login tab of the same window make sure that only "HTTP CHAP" is selected under
Login By, then press Apply and OK. HTTP CHAP keeps the password out of the clear on the
login form (the browser sends an MD5 challenge response), but because no certificate was
configured the rest of the session, including the login cookie, still travels over plain
HTTP; use HTTPS with a certificate if you need more than that.
User and User profile
Now we will create a new User Profile. Go to the User Profiles tab, press the plus sign and
name it whatever you want. Select the IP pool; the hotspot creates one by default with the
IP range set during server setup. Now set the download and upload bandwidth restriction: in
Rate Limit (rx/tx) set the limit (here 512k/512k, i.e. 512 kbit/s up and down). Press
Apply and OK.
Hotspot users are the user names that are authenticated by the hotspot. A hotspot user
entry can carry: the username and password; limits on session time and on the amount of
data the user may transfer; a fixed IP address to be assigned to the user; and a
restriction to a particular client MAC address.
Below is script to create hotspot users:
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=1 \
    status-autorefresh=1m transparent-proxy=no
add address-pool=hs-pool-14 advertise=no idle-timeout=none keepalive-timeout=2m \
    name="512k Limit" open-status-page=always rate-limit=512k/512k shared-users=1 \
    status-autorefresh=1m transparent-proxy=yes
add address-pool=hs-pool-14 advertise=no idle-timeout=none keepalive-timeout=2m \
    name="256k Limit" open-status-page=always rate-limit=256k/256k shared-users=1 \
    status-autorefresh=1m transparent-proxy=yes
/ip hotspot service-port set ftp disabled=yes ports=21
/ip hotspot walled-garden ip add action=accept disabled=no dst-address=192.168.1.1
/ip hotspot set numbers=hotspot1 address-pool=none
To add more users to the hotspot server, click “Users” on top.
/ip hotspot user
# The passwords below are placeholders from the example; replace them with strong,
# unique passwords before putting the hotspot into service.
add disabled=no name=admin password=123 profile=default
add disabled=no name=sales password=test profile="512k Limit" server=hotspot1
add disabled=no name=test-256k password=test profile="256k Limit" server=hotspot1
To create new User Profiles:
Press the plus button.
Create User named ‘guest’
Routes (string): routes added to the HotSpot gateway while the client is connected, in the
format dst-address gateway metric (for example, 192.168.1.0/24 192.168.0.1 1). The example
uses:
192.168.0.0/16 192.168.1.1 1
Difference between idle timeout and keepalive timeout
Idle timeout checks traffic; keepalive timeout checks reachability.
idle-timeout: if the client passes no traffic through the router for this long, the user
is logged out.
keepalive-timeout: the router periodically checks that the client's computer is alive and
reachable; if the check keeps failing for this long, the client is logged out.
status-autorefresh: auto-refresh interval of the web status page.
IP Bindings
IP Bindings let specific IP or MAC addresses bypass hotspot authentication. This is useful
when a server or an IP telephony system sits behind the hotspot, or for your own PC or
notebook so you can browse without logging in. Because a binding matches on the client's
MAC or IP address, both of which a client on the same segment can forge, keep the list of
bypassed entries as short as possible.
Note: to let hotspot intranet hosts use Remote Desktop, set the Server field of such IP
Binding entries to your hotspot server (hotspot1).
How to Block a Customer
How to Block a Customer and tell him/her to pay the Bill
Sometimes you need to cut off a customer and tell him to pay his bill. The simplest way is
to redirect his HTTP requests to a page telling him to pay in order to be reconnected. You
could do this with a destination NAT rule that captures all HTTP requests from a specific
address and sends them to a web server with that page, but it is just as easy to use the
HotSpot feature of RouterOS. Please note that this does not work with PPPoE connections.
For this setup the Hotspot package must be enabled on the RouterOS. The example covers
blocking a customer's computer: when he tries to open a web page he is redirected to the
hotspot page, which tells him that he has not paid for Internet access. Your router should
already be configured and working (customers have Internet access), and a DNS server must
be specified on the router.
First edit the Hotspot login.html page so that it contains the text shown to customers who
have not paid their bills, for example: "Service not available, please pay the bill and
contact us by phone to get reconnected".
Next, add an ip-binding rule that will allow all customers to bypass the hotspot page. It is
done using such a command:
/ip hotspot ip-binding add type=bypassed address=0.0.0.0/0 \
comment="bypass the hotspot for all the paying customers"
After that add the Hotspot server on the interface where your clients are connected. It can
be done using such command:
/ip hotspot add interface=local disabled=no
Now you can add ip-binding rules for the customers that haven't paid their bill. You can
match them by IP address or MAC address. Here is an example using MAC address:
/ip hotspot ip-binding add mac-address=00:0C:42:00:00:90 type=regular \
    comment="Non paying client 1"
Now we have such configuration:
[admin@WAP] /ip hotspot ip-binding> print
Flags: X - disabled, P - bypassed, B - blocked
 #   MAC-ADDRESS        ADDRESS         TO-ADDRESS  SERVER
 0 P ;;; bypass the hotspot for all the paying customers
                        0.0.0.0/0
 1   ;;; Non paying client 1
     00:0C:42:00:00:90
One more step is needed: ip-binding entries are matched in order and the first match wins,
so the non-paying client's rule must be above the catch-all bypass rule or it will never be
reached. Move it with the move command:
[admin@WAP] ip hotspot ip-binding> move 1 0
Now the ip-binding configuration should look like this:
[admin@WAP] /ip hotspot ip-binding> print
Flags: X - disabled, P - bypassed, B - blocked
 #   MAC-ADDRESS        ADDRESS         TO-ADDRESS  SERVER
 0   ;;; Non paying client 1
     00:0C:42:00:00:90
 1 P ;;; bypass the hotspot for all the paying customers
                        0.0.0.0/0
If customers can pay their bill online, you can add links to the bank's web page to
login.html. After adding such links you must also allow those destinations in the hotspot
configuration so the blocked customer can reach them; this is done in the 'ip hotspot
walled-garden ip' menu. For example:
/ip hotspot walled-garden ip add dst-host=www.paypal.com
Another workaround is to add this rule:
/ip firewall nat add chain=pre-hotspot dst-address-type=!local hotspot=auth action=accept
While clients are not logged in to the Hotspot, the Hotspot itself blocks access. Once
they are logged in, this rule stops the internal web proxy from taking over their traffic,
so it passes through the forward chain and web traffic can be blocked there just like
ICMP, since the proxy no longer interferes.
Assuming the network you want to block is behind an interface called 'my-network' and the
WAN interface is called 'WAN-network', this drops its traffic between midnight and 06:00
every day:
/ip firewall filter
add chain=forward in-interface=my-network out-interface=WAN-network \
    time=0h-6h,sun,mon,tue,wed,thu,fri,sat action=drop
Customization
You should see the hotspot folder under Files ->
If login.html is missing from the file structure, click the Reset HTML button: under
IP > Hotspot > Servers, select your hotspot server and click "Reset HTML". This restores
the default pages.
Customize hotspot Login Page
1. Connect to your RouterBOARD with WinBox.
2. Open Files.
3. Find the file hotspot/login.html, drag it to your desktop and change the logo and the
design of the page as you wish.
4. Drag the edited file, together with any images you used in the design, back into
WinBox > Files (the same place).
Then reboot the RouterBOARD to see your design.
Simple way: copy the folder called "hotspot" to your desktop, edit the file "login.html",
and make sure the new logo and pictures are present in the same folder. After testing,
copy the folder back onto the router.
You can also copy with scp (the SSH service must be enabled on the router):
scp admin@<ip of WAP/CAP>:/hotspot/login.html login.html
To copy it back, use
scp login.html admin@<ip of WAP/CAP>:/hotspot/login.html
Open the file in any HTML editor and customise it to your needs; some prior knowledge of
web site / HTML editing is required. You can insert your logo, advertisements and much
more into this page. When you are done, simply upload the file back to where you
downloaded it from, using drag and drop. For beginners, we recommend not changing any of
the default $(...) variables; just add your logo and text. Once you are familiar with the
structure, you can build your own customised login page.
How to Redirect User to your selected site after successful Login
If you want users to be redirected to your advertisement web site, or any other site,
after a successful hotspot login, replace a variable in the hotspot/login.html document on
the router.
You must replace $(link-orig) with the URL of the site you want them to land on after
login. There are two occurrences to replace, and both look like this:
<input type="hidden" name="dst" value="$(link-orig)">
Change them to
<input type="hidden" name="dst" value="http://yoursite.hotspot.com">
After a successful login the user is now redirected to http://yoursite.hotspot.com instead
of the page originally requested. You can also build a customised page showing the user's
details with the available variables.
Howto Allow URL for some destinations for non authenticated Users
Sometimes you need to allow access to some destinations or URLs for unauthenticated users,
for example a web or RADIUS server that users should reach without logging in to the
hotspot. Add its host name or IP address to the walled garden:
/ip hotspot walled-garden add dst-host=www.website.com
/ip hotspot walled-garden ip add dst-address=192.168.2.2 action=accept
OR
/ip firewall nat add chain=pre-hotspot dst-address=192.168.2.2 action=accept
The first form is matched by the hotspot's HTTP proxy on the requested host name, so it
covers web traffic only; the ip and NAT forms match any protocol to that address.
HOTSPOT users can't communicate with each other on LAN or PROXY-ARP issue
If hotspot clients cannot see each other's broadcasts, show ARP problems (arp-poisoning
symptoms) or have file sharing blocked, remove the address pool from the hotspot server
to turn off the universal (one-to-one) NAT:
/ip hotspot set numbers=hotspot1 address-pool=none
OR
/ip firewall nat add chain=pre-hotspot dst-address-type=!local hotspot=auth action=accept
Either change lets clients reach each other directly on the LAN, which is the opposite of
the isolation recommended under Secure WAP/CAP Hotspot; decide which behaviour you want.
Howto Bypass authentication for Few Clients with MAC and IP addresses
This bypasses the hotspot for a given MAC address:
/ip hotspot ip-binding add address=xxx.xxx.xxx.xxx mac-address=xx:xx:xx:xx:xx:xx \
    comment="guest11" type=bypassed
(Replace xx:xx:xx:xx:xx:xx with your user's MAC address. You can also bypass by IP address
alone; remember that both can be forged by a client on the same segment.)
Other options: set up walled-garden rules with the destination networks specified.
Hourly checking for up status
As a last step, add an hourly check of the up status for the Router Alert feature of
hotspotsystem.com. Note that this script reports the router's MAC address, identity, time,
uptime and CPU load to that external service over plain HTTP; only add it if you use that
service.
Go to System > Scheduler and add a new task by pressing the plus sign.
Name: up
Interval: 01:00:00
On Event:
/tool fetch keep-result=no mode=http address=tech.hotspotsystem.com \
    src-path=("up.php?mac=".[/interface ethernet get 0 mac-address]."&nasid=".[/system identity get name]."&os_date=MT&uptime=".[/system clock get time]."%20up%20".[/system resource get uptime].",%20load%20average:%20".[/system resource get cpu-load]."%")
Policy: the original instructions say enable all; a scheduler script only needs the
policies its commands actually use (here reading system values and running /tool fetch),
so grant those rather than all.
Press Apply and OK.
Ping dropped
Queues also limit ICMP packets, i.e. ping, so you will see high ping delay when
downloading or surfing at full bandwidth capacity. To exempt ICMP from the queue, try
this:
/ip firewall mangle
add chain=prerouting protocol=icmp action=mark-connection new-connection-mark=icmp-con \
    passthrough=yes comment="" disabled=no
add chain=prerouting protocol=icmp connection-mark=icmp-con action=mark-packet \
    new-packet-mark=icmp-pkt passthrough=no comment="" disabled=no
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=1024k \
    max-limit=2048k name=Hi-Prio-to-icmp-aacable packet-mark=icmp-pkt parent=global-in \
    priority=1 queue=default
Client Login
If you open any web page from a browser, it is redirected to the default login page, where
you enter your user name and password. Assuming your wireless server IP is 192.168.1.1,
you can also open http://192.168.1.1/login directly for authentication.
You can check your login status at http://192.168.1.1/status :
If, after configuration, the client's login page does not come up, the most likely reason
is DNS not being configured properly. Re-check your configuration and make sure the
client's device can resolve the hotspot DNS name from the profile (e.g. a ping to
hotspot.com gets an answer).
To log off the current session, click the 'log off' button on the status page shown
above, or open http://192.168.1.1/logoff
Command Line to show connected hosts
host shows all clients connected to the HotSpot interface:
/ip hotspot host print
Flags are S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed. A host flagged
D without A is connected to the HotSpot interface but not authorized. A host flagged P is
bypassed, i.e. it has an entry in ip-binding; check with
/ip hotspot ip-binding print
The active table shows the authorized HotSpot users:
/ip hotspot active print
address (read-only: IP address) - the client's IP address
to-address (read-only: IP address) - the IP address the client's address is translated to
The "Address" column is the IP address of the device; the "To Address" column is the
address the hotspot translates it to.
use-dhcp (yes | no; default: yes) - do not translate the addresses assigned by the DHCP
server
Logs
/system logging add topics=wireless,debug action=memory
Here we added the wireless, hotspot and firewall topics.
/log print
target (disk, echo, email, memory, remote; default: memory) - storage facility or target
of log messages; disk - logs are saved to the router's storage.
You can check your storage under System->Stores->Disks. You have to format it on first
use:
Once formatted:
Storing logs in files
To log everything to file, add a new log action:
/system logging action add name=file target=disk disk-file-name=log
then make everything log through this new action:
/system logging add action=file
or log only errors there with:
/system logging add topics=error action=file
This writes to the files log.0.txt and log.1.txt. You can set the maximum size of a file
in lines with disk-lines-per-file. <file>.0.txt is the active file to which new lines are
appended; once it reaches the maximum it becomes <file>.1.txt and a new empty
<file>.0.txt is created.
You can log to a USB flash drive or to a MicroSD/CF card (on RouterBOARDs) by prefixing
the file name with the directory name. For example, if the USB flash drive is accessible
as the usb1 directory under /files, issue:
/system logging action add name=usb target=disk disk-file-name=usb1/log
Or, for a microSD card:
/system logging action add name=file target=disk disk-file-name=<directory of microSD>/log
The directory must be visible in /file print, e.g.
disk-file-name=micro-sd1/log
You can also change the existing disk action to write there; with a USB drive that would
be:
/system logging action set disk disk-file-name=usb1/log
You can print your log to a file with:
/log print file=filename
Other useful commands
[admin@hotspot] /system logging> export
...
/system logging action
set memory memory-lines=100 memory-stop-on-full=no name=memory target=memory
set disk disk-file-count=2 disk-file-name=log disk-lines-per-file=100 \
disk-stop-on-full=no name=disk target=disk
set echo name=echo remember=yes target=echo
set remote bsd-syslog=no name=remote remote=10.20.20.1:514 src-address=\
0.0.0.0 syslog-facility=daemon syslog-severity=auto target=remote
add disk-file-count=1000 disk-file-name=log1 disk-lines-per-file=1000 \
disk-stop-on-full=yes name=action1 target=disk
add disk-file-count=1000 disk-file-name=log2 disk-lines-per-file=1000 \
disk-stop-on-full=yes name=action2 target=disk
add disk-file-count=1000 disk-file-name=log3 disk-lines-per-file=1000 \
disk-stop-on-full=yes name=action3 target=disk
/system logging
add action=action2 disabled=no prefix=HOTSPOT topics=firewall
Another one:
/system logging action
set memory memory-lines=100 memory-stop-on-full=no name=memory target=memory
set disk disk-file-count=2 disk-file-name=log disk-lines-per-file=100 \
disk-stop-on-full=no name=disk target=disk
set echo name=echo remember=yes target=echo
set remote bsd-syslog=no name=remote remote=10.0.0.49:514 src-address=\
0.0.0.0 syslog-facility=daemon syslog-severity=auto target=remote
/system logging
add action=remote disabled=no prefix="" topics=info
add action=remote disabled=no prefix="" topics=error
add action=remote disabled=no prefix="" topics=warning
add action=echo disabled=no prefix="" topics=critical
add action=remote disabled=no prefix="" topics=hotspot
add action=remote disabled=no prefix="" topics=firewall,ppp,pppoe
# Kiwi Syslog is a Windows syslog server that can receive these messages; obtain the
# installer from its vendor rather than from a third-party mirror such as
# www.easynetwork.co.th/download/Kiwi_Syslogd_8.1.6.setup.exe.zip
Logging everything we need:
/system logging add action=disk disabled=no prefix="" \
    topics=info,error,warning,critical,hotspot,firewall,dhcp,watchdog,event
OR use topics=!async to log every topic except async (console output).
Firewall action to log and drop
Adding action=log increases your options. Use a custom chain if you need to log and drop
different kinds of traffic; for example, add a chain "log and drop" that logs and then
drops all traffic sent through it, placing the log rule before the drop rule:
/ip firewall filter
add chain="log and drop" action=log log-prefix="dropped"
add chain="log and drop" action=drop
Then use a single rule with
action=jump jump-target="log and drop"
for traffic that needs to be logged and dropped.
Or (2008, RouterOS 2.x syntax; on current versions the equivalent is
/ip firewall filter add chain=input action=drop log=yes log-prefix="drop-input")
/ip firewall rule input add action=drop log=yes comment="Log and drop everything else"
Using Dude for Syslog Server
In some situations you need to keep logs of firewall actions and user connectivity for
record and tracking purposes. It is much easier to collect them on a Dude or Linux-based
syslog server. The following explains how to send WAP/CAP logs to a remote Ubuntu/Linux
syslog server (or to Dude).
Assume the IP of your WAP/CAP is 10.1.1.228 and the Dude or Linux syslog server is
10.1.1.13.
First configure the WAP/CAP. Open a terminal and paste the following:
/system logging action set remote bsd-syslog=yes name=remote remote=10.1.1.13 \
    remote-port=514 src-address=0.0.0.0 syslog-facility=local0 syslog-severity=auto \
    target=remote
/system logging add action=remote disabled=no prefix="" topics=!async
Syslog over UDP is unauthenticated and unencrypted, so keep the path between the router
and the collector on a management network you control.
Optional log rules can be:
# Logging features, used to store the necessary WAP/CAP info
# written to DISK for record purposes.
/system logging action
set memory memory-lines=100 memory-stop-on-full=no name=memory target=memory
set disk disk-file-count=14 disk-file-name=mywap-log disk-lines-per-file=10000 \
    disk-stop-on-full=no name=disk target=disk
/system logging
add action=memory disabled=no prefix="" topics=info,!firewall
add action=echo disabled=no prefix="" topics=error
add action=echo disabled=no prefix="" topics=warning
add action=echo disabled=no prefix="" topics=critical
add action=remote disabled=no prefix="" topics=firewall
add action=disk disabled=no prefix="" topics=pppoe,ppp,info
add action=disk disabled=no prefix="" topics=critical
add action=disk disabled=no prefix="" topics=system,info
add action=disk disabled=no prefix="" topics=pppoe,info
WAP/CAP System Logging
From WinBox: System->Logging
Choose "+" to add a rule and choose the remote action:
topics=!async logs everything except console output.
Ubuntu / Linux Syslog Server
If you do not already have a syslog server installed, install one. On older Ubuntu
releases this is the sysklogd package:
apt-get install sysklogd
Its syslogd must be started with -r to accept messages from the network (set
SYSLOGD="-r" in /etc/default/syslogd). After installation, edit its configuration file
/etc/syslog.conf
nano /etc/syslog.conf
and add the following lines at the end, which send everything arriving on facility local0
from 10.1.1.228 to its own file:
!*
+10.1.1.228
local0.*			/var/log/mt.log
Note that the !prog and +host block selectors come from BSD syslogd; Linux sysklogd does
not filter by sender, so with it every local0 message lands in mt.log regardless of
source. On current Ubuntu releases the default daemon is rsyslog; there the equivalent is
to enable the UDP listener and filter on the sender address in /etc/rsyslog.conf (or a
file under /etc/rsyslog.d/):
$ModLoad imudp
$UDPServerRun 514
:fromhost-ip, isequal, "10.1.1.228"	/var/log/mt.log
& stop
Save and exit. Create the file with touch so that syslog can store the WAP/CAP logs in a
separate file, and keep it readable by root only:
touch /var/log/mt.log
chmod 600 /var/log/mt.log
Restart the syslog service:
/etc/init.d/sysklogd restart
(or service rsyslog restart). Now monitor the newly created file with
tail -f /var/log/mt.log
Howto Prevent Duplicate LOG Entries
By default WAP/CAP log entries appear twice, in /var/log/mt.log and in /var/log/messages.
To prevent this, tell syslog not to place local0.* into /var/log/messages by adding
'local0.none' to the relevant selector in /etc/syslog.conf. Look for the lines ending in
	mail,news.none		-/var/log/messages
and change that selector to
	mail,news.none;\
	local0.none		-/var/log/messages
(With rsyslog, the "& stop" line after the mt.log rule already discards the message so it
is not written to /var/log/syslog as well.)
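As an added example (not part of the WiBorne guide and not RouterOS or Dude code), the following Python script reads lines of the shape this setup writes to /var/log/mt.log (BSD timestamp, sending router, RouterOS topics, message) and does two things a practitioner wants from these logs: it flags a client address with repeated hotspot login failures inside a short window, which is what password guessing or spraying against the hotspot looks like, and it tallies the source/port pairs reported by firewall rules that log with a prefix. The sample lines are constructed to imitate RouterOS hotspot and firewall messages and are not captured from a device; the window and threshold values are assumptions to tune for your hotspot.

```python
"""Scan RouterOS remote-syslog lines for hotspot login abuse and firewall drops.

Added example, not WiBorne or MikroTik code. Input lines have the shape a syslog
daemon writes to /var/log/mt.log for the setup above: BSD timestamp, sending
router, RouterOS topics, message. Window/threshold values are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample imitating RouterOS hotspot and firewall messages; not a
# capture from a real device.
SAMPLE_LOG = """\
Mar 19 10:00:01 10.1.1.228 hotspot,info,debug sales (192.168.1.23): logged in
Mar 19 10:00:05 10.1.1.228 hotspot,info,debug admin (192.168.1.77): login failed: invalid username or password
Mar 19 10:00:06 10.1.1.228 hotspot,info,debug admin (192.168.1.77): login failed: invalid username or password
Mar 19 10:00:07 10.1.1.228 hotspot,info,debug root (192.168.1.77): login failed: invalid username or password
Mar 19 10:00:08 10.1.1.228 hotspot,info,debug guest (192.168.1.77): login failed: invalid username or password
Mar 19 10:00:09 10.1.1.228 hotspot,info,debug sales (192.168.1.77): login failed: invalid username or password
Mar 19 10:00:40 10.1.1.228 hotspot,info,debug sales (192.168.1.23): logged out
Mar 19 10:01:02 10.1.1.228 firewall,info drop-input: in:ether1 out:(none), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.9:41234->10.1.1.228:22, len 60
Mar 19 10:01:03 10.1.1.228 firewall,info drop-input: in:ether1 out:(none), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.9:41235->10.1.1.228:8291, len 60
Mar 19 10:02:00 10.1.1.228 system,info,account user admin logged in from 192.168.1.5 via winbox
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<router>\S+) "
    r"(?P<topics>[\w-]+(?:,[\w-]+)*) (?P<msg>.*)$"
)
HOTSPOT_RE = re.compile(
    r"^(?P<user>\S+) \((?P<ip>[\d.]+)\): (?P<event>logged in|login failed|logged out)"
)
FIREWALL_RE = re.compile(
    r"^(?P<prefix>\S+): in:(?P<in_if>\S+) out:(?P<out_if>\S+), .*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def parse_log(text, year=2017):
    """Parse syslog lines into dicts; BSD timestamps carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a RouterOS line (or a different format); skip it
        events.append({
            "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "router": m["router"],
            "topics": m["topics"].split(","),
            "msg": m["msg"],
        })
    return events


def hotspot_failures(events, window_seconds=60, threshold=5):
    """Return {client_ip: most failures seen inside one window} for clients at or
    above threshold. Keying on the client IP rather than the user name also catches
    spraying of one password across several accounts, as in the sample."""
    attempts = defaultdict(list)
    for ev in events:
        if "hotspot" not in ev["topics"]:
            continue
        m = HOTSPOT_RE.match(ev["msg"])
        if m and m["event"] == "login failed":
            attempts[m["ip"]].append(ev["time"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def firewall_drops(events):
    """Count (source IP, destination port) pairs logged by prefixed firewall rules."""
    drops = Counter()
    for ev in events:
        if "firewall" not in ev["topics"]:
            continue
        m = FIREWALL_RE.match(ev["msg"])
        if m:
            drops[(m["src"], int(m["dport"]))] += 1
    return drops


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("hotspot brute force:", hotspot_failures(evs))
    print("firewall drops:", dict(firewall_drops(evs)))
```

Run it against the file with `parse_log(open("/var/log/mt.log").read())`; the same functions work on the disk log files the router writes itself once the syslog header is stripped, since RouterOS keeps the topics-then-message layout there too.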
Dude Syslog Server
Open the Dude's main user interface, Choose main Settings and then tab Syslog:
Now setup period and file size that you prefer: Syslog->Setting:
You can also change your file property from Files:
You can find your files from C:\Program Files\Dude\data\files
Keep it turned on in production:
RouterOS as Agent
To scan and monitor a network which is behind another router, in some other location, it
is possible to install the Dude Server/Agent onto a RouterOS device.
To do this, you need to install the Dude package onto RouterOS:
• Download package from the Dude download page
• Upload the package to RouterOS with FTP or Winbox
• Reboot the router to install the package
• After install is complete, connect to the Dude server IP from the Dude windows
program
Note: the only sign that the Dude package is installed in RouterOS is that it appears in
the /system package menu; there is no separate Dude configuration interface on the
RouterOS command line.
After you have connected to the Dude Server/Agent in RouterOS, you can then enable its
web interface if you wish.
Examples
Here is our understanding/experience of Dude agents for what it is worth:
First you set up the main Dude server, let's say in the head office part of your
enterprise network. You create maps of everything in that part of the network that you
want to monitor, and in the "General" tab of each device you leave the agent at default,
meaning that each device is probed by the main Dude server.
Then you have a branch office somewhere behind a firewall and you want to monitor the
network at that site. You install a Dude server on the network at that site and then on the
main Dude server in the global settings "Agents" tab you add the branch office Dude
server as an agent.
Then you need to configure your firewall rules so that the main Dude server can
communicate with the Dude agent at the branch office.
On the main Dude server you make a map for the branch office and for each device on
that map in the "General" tab you specify the agent as the dude server at the branch
office.
We have set up our monitoring in this way, with one main Dude server that all of our
Dude clients connect to and 9 different agents all monitoring different network segments.
Export and Backup / Restore Configuration
Export Configuration
From the terminal, type:
/
("/" without quotes means go to the top menu)
export file=config
You will then see config.rsc in File->File List; drag it to a Windows folder. An export is
a readable script of the configuration, so treat the file as confidential.
Export Firewall Rules
/ip firewall export file=firewall
The file is then named firewall.rsc
Backup / Restore Configuration
/system backup save name=factory
/system backup load name=factory
(restore)
After the backup you will see factory.backup in File->File List. A backup contains the
complete configuration including all user credentials, so store it safely; use the
password= option of /system backup save to encrypt it.
Create Support File
Click Make Supout.rif, then click Make it!
Wait until this window finishes (disappears):
Then in File->File List, at the bottom, you will find supout.rif; drag it to a Windows
folder. It too contains the full configuration and should only be shared with support.
Secure WAP/CAP Hotspot
• 'ip hotspot user profile' has a 'shared-users' option; 'shared-users=1' allows only
one client to use the same login/password at a time.
• Use login/password for HotSpot authentication; do not use MAC address authentication,
as MAC addresses are trivially forged.
• Enable AP isolation on all APs (in RouterOS, default-forwarding=no on the wireless
interface).
• Use MAC filtering (the wireless access list) on your wireless devices.
• Allow only 1 MAC address per IP in the hotspot (addresses-per-mac=1).
• Add firewall rules to prevent traffic between devices on the same interface (i.e. the
hotspot).
• Change ARP to reply-only on the hotspot interface. Importantly, you then need to make
the DHCP server add dynamic ARP entries (add-arp=yes), otherwise clients experience
problems.
• Set the netmask to /32 in the DHCP network (netmask=32 in /ip dhcp-server network). The
hotspot interface address remains 10.5.50.1/24, but the netmask handed to DHCP clients is
255.255.255.255. As a result hotspot clients are treated like point-to-point links and are
no longer affected by ARP poisoning.
• Duplicate IP and MAC addresses on the network cause problems for both the 'good' and
the 'bad' client: Internet will not work correctly for either while both are on the same
network.
• Consider a PPPoE server instead, to protect the network from unauthorized access. PPPoE
authenticates each session with its own credentials and carries the client's traffic in a
tunnel, so it is not exposed to the ARP and IP spoofing that the browser-based hotspot
login is; the user logs in through a dial-up style connection rather than a browser.
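The checklist above, together with the ip-binding ordering point from "How to Block a Customer" and the placeholder passwords in the hotspot user script, can be verified mechanically against an export of the router. The following Python script is an added example (it is not WiBorne or MikroTik code): it parses export text of the kind printed throughout this guide and reports each weak setting it finds. The export it runs on is constructed for the example, and the RouterOS defaults it assumes for keys that an export omits (addresses-per-mac=2, shared-users=1, login-by=cookie,http-chap, arp=enabled, default-forwarding=yes, add-arp=no) are stated in the code.

```python
"""Audit a RouterOS /export for the hotspot weaknesses listed above.
Added example, not WiBorne or MikroTik code. Keys absent from the export are
taken as the RouterOS defaults assumed here: addresses-per-mac=2, shared-users=1,
login-by=cookie,http-chap, arp=enabled, default-forwarding=yes, add-arp=no."""
import re
import shlex

# Constructed export in the shape of `/export` output; not from a real device.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge1 protocol-mode=rstp
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge ssid=wirelessnation
/ip hotspot profile
add dns-name=hotspot.com hotspot-address=192.168.1.1 login-by=cookie,http-chap,mac \\
    name=hsprof1
/ip hotspot
add address-pool=hs-pool-14 addresses-per-mac=2 interface=bridge1 name=hotspot1 profile=hsprof1
/ip hotspot user profile
add address-pool=hs-pool-14 name="512k Limit" rate-limit=512k/512k shared-users=3
/ip hotspot user
add name=admin password=123 profile=default
/ip hotspot ip-binding
add address=0.0.0.0/0 comment="bypass the hotspot for all the paying customers" type=bypassed
add comment="Non paying client 1" mac-address=00:0C:42:00:00:90 type=regular
/ip dhcp-server
add interface=bridge1 name=hs-dhcp
"""
_FIND = re.compile(r"\[\s*find\s+(.*?)\s*\]")


def parse_export(text):
    """Return [(menu, params)] for each add/set line; backslash continuations are
    joined and a `[ find key=value ]` selector is kept as params prefixed with '_'."""
    entries, menu, pending = [], "", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        verb, _, rest = line.partition(" ")
        if verb not in ("add", "set"):
            continue
        params = {}
        sel = _FIND.search(rest)
        if sel:
            for tok in shlex.split(sel.group(1)):
                key, _, value = tok.partition("=")
                params["_" + key] = value
            rest = rest[:sel.start()] + rest[sel.end():]
        for tok in shlex.split(rest):
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
            else:
                params.setdefault("_target", tok)  # e.g. `set default ...`
        entries.append((menu, params))
    return entries


def _name(p):
    return next((p[k] for k in ("name", "_default-name", "_target", "comment") if p.get(k)), "?")


def _many(value):
    return value == "unlimited" or int(value) > 1


def audit(entries):
    """Return one 'menu name: problem' string per weak setting found."""
    out = []
    hs_ifaces = {p["interface"] for m, p in entries if m == "/ip hotspot" and "interface" in p}
    catch_all_bypass = False  # a type=bypassed binding for 0.0.0.0/0 has been seen
    for menu, p in entries:
        tag = f"{menu} {_name(p)}"
        if menu == "/ip hotspot profile":
            if set(p.get("login-by", "cookie,http-chap").split(",")) & {"mac", "mac-cookie"}:
                out.append(f"{tag}: login-by permits MAC authentication, which a client can forge")
        elif menu == "/ip hotspot" and _many(p.get("addresses-per-mac", "2")):
            out.append(f"{tag}: addresses-per-mac should be 1")
        elif menu == "/ip hotspot user profile" and _many(p.get("shared-users", "1")):
            out.append(f"{tag}: shared-users lets several clients use one login at once")
        elif menu == "/ip hotspot user" and len(p.get("password", "x" * 8)) < 8:
            out.append(f"{tag}: password is shorter than 8 characters")
        elif menu == "/ip hotspot ip-binding":
            kind = p.get("type", "regular")
            if kind == "bypassed" and p.get("address") == "0.0.0.0/0" and "mac-address" not in p:
                catch_all_bypass = True
            elif kind in ("regular", "blocked") and catch_all_bypass:
                out.append(f"{tag}: listed after a catch-all bypass, so it never matches; move it above")
        elif menu == "/ip dhcp-server":
            if p.get("interface") in hs_ifaces and p.get("add-arp", "no") != "yes":
                out.append(f"{tag}: add-arp=yes is needed once the hotspot interface uses arp=reply-only")
        elif menu.startswith("/interface"):
            if _name(p) in hs_ifaces and p.get("arp", "enabled") != "reply-only":
                out.append(f"{tag}: arp should be reply-only on the hotspot interface")
            if menu == "/interface wireless" and p.get("default-forwarding", "yes") != "no":
                out.append(f"{tag}: default-forwarding=yes lets wireless clients reach each other via the AP")
    return out


if __name__ == "__main__":
    print("\n".join(audit(parse_export(SAMPLE_EXPORT))))
```

Feed it the config.rsc produced by `export file=config` (see Export Configuration) to check a live router; an empty result means none of the listed weaknesses were found in the sections the script understands, not that the hotspot is secure in every respect.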
Advanced Topics
Configuring Mesh-WDS with Nstreme Protocol
This is Mesh-WDS, which lets you connect more than 20 AP nodes together without a wired
backhaul to the middle and last nodes.
Be aware that the following guide is based on version 2.9 and may not apply step by step
to 3.0 or above.
Four WAPs equipped with 802.11a and 802.11b/g radios are used here.
• 2.4 GHz (Atheros AR5213) serves AP-to-client access.
• 5 GHz (Atheros AR5413) serves AP-to-AP backhaul, running Mesh-WDS with the Nstreme
protocol.
Internet Wired Connection for Ethernet Port
Since all APs are preconfigured, simply plug the Internet Ethernet into the PoE of AP1
(172.16.120.11). There is no need to connect wired Ethernet to the PoE of the other APs,
except to power them.
To be compatible with the predefined wireless subnet in your HSG-200, the mesh nodes
(AP1-AP4) are preconfigured as follows:
AP1 IP=172.16.120.11; subnet=255.255.255.0; broadcast=172.16.120.255;
gateway=172.16.120.254
ether1, wlan1 and wlan2 are bridged together.
AP2 IP=172.16.120.12; rest is the same as AP1
AP3 IP=172.16.120.13; rest is the same as AP1
AP4 IP=172.16.120.14; rest is the same as AP1
Radio Power
You will need to re-adjust the radio power of the 5 GHz and 2.4 GHz radios based on the
antennas' locations. Since the sector antennas for these two bands have lower gain, you
can start with the next-to-maximum power, say 300 mW, for both 5 GHz and 2.4 GHz.
Remember to connect the antennas before switching to high power, to avoid damaging the
radio.
The default power setting is shown below. You can run winbox.exe to adjust power:
2.4GHz (Atheros AR5413)
From winbox.exe, choose Wireless. Double-click wlan1 (AR5413) and choose TX Power. The
default is All Rates Fixed at 20 dBm. You can increase it (up to 26 dBm in 802.11b mode)
or decrease it; the default of 20 dBm is safe as long as it is sufficient for your
coverage range.
5.0 GHz (Atheros AR5213)
Maximum power is 26 dBm (400 mW). If you set power manually, do not overdrive the radio
card: set the power a few dB lower than the specification.
The default configuration is All Rates Fixed at 19 dBm:
You can change it back to the default if desired, or change it with the following
options:
You can set it to 19 dBm, which with the card's offset (19+8) is the maximum power. It
would reflect the actual manufacturer's spec in a later release of v3.0.
Radio Channels
We are running mesh-WDS mode, with Nstreme polling for 802.11a:
• For 2.4 GHz, set the same channel on all b/g radios.
• For 5 GHz, mesh-WDS requires the same channel on all radios.
CLI Configuration
All APs are configured with the same script except for the IP address of each AP.
172.16.120.0/24 is also the preconfigured wireless subnet for your HSG Access Controller.
The 5 GHz backhaul is pre-encrypted with WPA2. The 2.4 GHz access side has no encryption;
you can either add it or simply rely on the HSG for authentication. Note that the backhaul
security profile below uses eap-tls with tls-mode=no-certificates: this encrypts the WDS
links but does not authenticate the peer, so also restrict which radios may form WDS
links (wireless access list) or deploy certificates.
Config.txt
All APs share the same configuration except the IP address, as highlighted:
#
# Configuration for Queens Projects by using Mesh-WDS. 2.9.35
#
# reset all parameters if needed
#/system reset
/system identity set name=WN_QUEENS_1
# Rapid Spanning Tree Protocol (RSTP)
/interface bridge add name=bridge1 protocol-mode=rstp
# initial assignment of wired IP for the main gateway - for debugging purposes
# The 2.4GHz AP-client wireless interface has the name 'wlan1'
# The 5GHz backhaul wireless interface has the name 'wlan2'
# change 172.16.120.0/24 below to your favourite subnet
/ip address add address=172.16.120.11/24 broadcast=172.16.120.255 interface=bridge1
/ip dhcp-relay add name=relay local-address=172.16.120.11 interface=bridge1 \
    dhcp-server=172.16.120.254
/ip route add gateway=172.16.120.254
# Add Ethernet and wireless interfaces to the bridge group
/interface bridge port add interface=ether1 bridge=bridge1
/interface bridge port add interface=wlan1 bridge=bridge1
/interface bridge port add interface=wlan2 bridge=bridge1
# Configure the wireless card as AP and to support Mesh-WDS:
# the trick is to add both WDS and wireless onto the bridge!!
# for 2.4GHz (wlan1, NMP-8602+), be careful not to overpower or the card will be damaged!!!
# also, before setting high power, make sure an antenna is connected; see
# "Power output for Senao NMP-8602.pdf". For Queens we set it to 30dBm in production.
/interface wireless set wlan1 mode=ap-bridge band=2.4ghz-b/g frequency=2437 \
    ssid=wirelessnation wds-mode=dynamic wds-default-bridge=bridge1 country="new zealand" \
    tx-power-mode=all-rates-fixed tx-power=20 disabled=no
# 5GHz WPA2-EAP security profile. tls-mode=no-certificates gives encryption only,
# with no authentication of the peer radio.
/interface wireless security-profiles add name=5ghz-sec mode=dynamic-keys \
    authentication-types=wpa2-eap unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    eap-methods=eap-tls tls-mode=no-certificates
# Configure backhaul 5GHz radio
/interface wireless set wlan2 mode=ap-bridge band=5ghz frequency=5240 ssid=wirelessnation \
    security-profile=5ghz-sec wds-mode=dynamic wds-default-bridge=bridge1 \
    country="new zealand" disabled=no
/interface wireless nstreme set wlan2 enable-nstreme=yes enable-polling=yes \
framer-policy=best-fit framer-limit=3200
# Specify the connect list to apply WPA2 security profile for the WDS links
/interface wireless connect-list add interface=wlan2 security-profile=5ghz-sec
# you can add similar security profile also for the 2.4 band, if without HSG
#/ip address print detail
#/interface bridge port print
#/ping 10.1.1.1
#ping wireless gateway
What Wireless Clients see
Client adapter sees 802.11 b/g:
Client sees the WPA2-encrypted backhaul 802.11a:
Snapshot of the wireless radio MAC address for each AP
These illustrate which MAC address you would see:
802.11B/G: 06
802.11A: 87
The 802.11 b/g radio has a MAC address ending in hex :06; the 802.11a radio has a MAC
address ending in hex :87.
Configuring Layer 2 Mesh Network
The Hybrid Wireless Mesh Protocol (HWMP) is an IEEE 802.11s draft standard. Our
specific HWMP+ is based on HWMP, a layer-2 routing protocol for wireless mesh
networks. It can be used instead of (Rapid) Spanning Tree protocols in mesh setups to
ensure loop-free optimal routing.
Note that the distribution system you use for your network need not be a Wireless
Distribution System (WDS). HWMP+ mesh routing supports not only WDS interfaces
but also Ethernet interfaces inside the mesh, so you can use a simple Ethernet-based
distribution system, or combine both WDS and Ethernet links.
Additional reading can be found from
www.wiborne.com/techpubs/Mesh_deployment_with_WAP.pdf
The following illustration shows that each community has its own mesh nodes for broadcast,
while point-to-point (P2P) links extend the backhaul between communities.
Dual-radio WAP nodes (10.1.1.1 to 10.1.1.28) are equipped with 802.11a and 802.11b/g
radios:
• 2.4 GHz is for AP-Clients as broadcast, with SSID VIO
• 5 GHz is for AP-AP as backhaul, running the HWMP+ Mesh Protocol.
Single radio (10.1.1.29) for P2P connection:
• 5 GHz for the main internet connection from the infrastructure base to adjacent
communities, with the nstreme protocol enabled for best performance; SSID is VIOP2P
Triple radio (10.1.1.30) has 3 radios equipped:
• 2.4 GHz is for AP-Clients as broadcast, with SSID VIO
• 5 GHz is for AP-AP as backhaul, running the HWMP+ Mesh Protocol. SSID is
VIO-MESH
• 5 GHz for the main internet connection from the infrastructure base to adjacent
communities, with the nstreme protocol enabled for best performance; SSID is VIOP2P
It is easier to run the CLI configuration for this deployment, since you can copy and
paste the scripts into New Terminal, shown on the left of the winbox configuration:
CLI Configuration
#---------------------------------------------#
# for dual radio (one 2.4GHz and one 5GHz)
#
# uncomment this line to reset the system prior to running the following script
#/system reset
# set up mesh interface
/int mesh add name=mesh1 disabled=no
# set up IP address (on mesh1, which includes ether1/PoE)
/ip address add address=10.1.1.27/24 broadcast=10.1.1.255 interface=mesh1
# set ID
/system identity set name=WAP-520
# mesh two radios and ether1
/int mesh port add interface=wlan1 mesh=mesh1
/int mesh port add interface=wlan2 mesh=mesh1
/int mesh port add interface=ether1 mesh=mesh1
# disable ether2 and ether3 that we don't use
/int ethernet set ether2 disabled=yes
/int ethernet set ether3 disabled=yes
# WPA2 encryption for backhaul
/interface wireless security-profiles add name=vio-sec mode=dynamic-keys \
    authentication-types=wpa2-eap unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    eap-methods=eap-tls tls-mode=no-certificates
# interface used for AP interconnections (backhaul)
/int wireless set wlan1 disabled=no ssid=VIO-MESH frequency=5800 band=5ghz-turbo \
    mode=ap-bridge security-profile=vio-sec wds-mode=dynamic-mesh wds-default-bridge=mesh1
# Specify the connect list to apply WPA2 security profile for link
/interface wireless connect-list add interface=wlan1 security-profile=vio-sec
# interface used for client connections
/int wireless set wlan2 disabled=no ssid=VIO frequency=2462 band=2.4ghz-b/g mode=ap-bridge \
    scan-list=2412-2462 dfs-mode=radar-detect periodic-calibration=enabled
# disable firewall tracking
/ip firewall connection tracking set enabled=no
#backup
/system backup save name=factory
#--------------------------------------------------#
# for 1 radio (P2P as backhaul)
#
#/system reset
/int mesh add name=mesh1 disabled=no
/ip address add address=10.1.1.29/24 broadcast=10.1.1.255 interface=mesh1
/system identity set name=WAP-520
/int mesh port add interface=wlan1 mesh=mesh1
/int mesh port add interface=ether1 mesh=mesh1
/int ethernet set ether2 disabled=yes
/int ethernet set ether3 disabled=yes
/interface wireless security-profiles add name=vio-sec mode=dynamic-keys \
authentication-types=wpa2-eap unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
eap-methods=eap-tls tls-mode=no-certificates
/int wireless set wlan1 disabled=no ssid=VIO-P2P frequency=5210 band=5ghz-turbo \
mode=ap-bridge security-profile=vio-sec scan-list=5180-5825 dfs-mode=radar-detect \
periodic-calibration=enabled wds-mode=dynamic-mesh wds-default-bridge=mesh1
/int wireless nstreme set wlan1 enable-nstreme=yes disable-csma=yes \
framer-policy=best-fit framer-limit=3200
/interface wireless connect-list add interface=wlan1 security-profile=vio-sec
/ip firewall connection tracking set enabled=no
/system backup save name=factory
#---------------------------------------------#
# for 3 radio (1 X 2.4GHz broadcast, 1 X 5GHz mesh backhaul, 1 X 5GHz P2P for backhaul)
#
#/system reset
/int mesh add name=mesh1 disabled=no
/ip address add address=10.1.1.30/24 broadcast=10.1.1.255 interface=mesh1
/system identity set name=WAP-520
/int mesh port add interface=wlan1 mesh=mesh1
/int mesh port add interface=wlan2 mesh=mesh1
/int mesh port add interface=wlan3 mesh=mesh1
/int mesh port add interface=ether1 mesh=mesh1
/int ethernet set ether2 disabled=yes
/int ethernet set ether3 disabled=yes
/int wireless set wlan2 disabled=no ssid=VIO frequency=2412 band=2.4ghz-b/g mode=ap-bridge \
    scan-list=2412-2462 dfs-mode=radar-detect periodic-calibration=enabled
/interface wireless security-profiles add name=vio-sec mode=dynamic-keys \
    authentication-types=wpa2-eap unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    eap-methods=eap-tls tls-mode=no-certificates
/int wireless set wlan1 disabled=no ssid=VIO-MESH frequency=5800 band=5ghz-turbo \
    mode=ap-bridge security-profile=vio-sec wds-mode=dynamic-mesh wds-default-bridge=mesh1
/int wireless set wlan3 disabled=no ssid=VIO-P2P frequency=5210 band=5ghz-turbo \
    mode=station-pseudobridge security-profile=vio-sec dfs-mode=radar-detect \
    periodic-calibration=enabled
/int wireless nstreme set wlan3 enable-nstreme=yes disable-csma=yes framer-policy=best-fit \
    framer-limit=3200
/interface wireless connect-list add interface=wlan1 security-profile=vio-sec
/interface wireless connect-list add interface=wlan3 security-profile=vio-sec
/ip firewall connection tracking set enabled=no
/system backup save name=factory
#----------------------------------# debugging purpose
#/int mesh pr
#/int mesh port p detail
#/int mesh fdb print detail
#/int mesh port print stats
#/int mesh fdb print
#/ping 10.1.1.30
#/ping 00:0C:42:00:00:CC
#-----------------------------------
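Both the Queens mesh-WDS Config.txt and the dual/single/triple-radio mesh scripts above leave the same decision to the deployer: which radios carry a security profile, and whether the connect-list applies it to the WDS links. The following Python is an added example, not part of this guide or of WAP OS, that reads a RouterOS-style script, resolves each `/interface wireless set` against its `security-profiles` and `connect-list` entries, and reports open radios, WPA1 or TKIP suites, and WDS interfaces that no connect-list entry covers. The two embedded scripts are constructed here from the configurations on this page: the first is the Queens script trimmed to its wireless lines, the second a deliberately weakened backhaul profile.

```python
import shlex

# Constructed input: the Queens mesh-WDS script from this page, trimmed to its
# bridge and wireless lines. wlan1 (2.4GHz) is left open, as the guide notes.
QUEENS_SCRIPT = r"""
# Configuration for Queens Projects by using Mesh-WDS.
/interface bridge add name=bridge1 protocol-mode=rstp
/interface wireless set wlan1 mode=ap-bridge band=2.4ghz-b/g frequency=2437 ssid=wirelessnation \
    wds-mode=dynamic wds-default-bridge=bridge1 country="new zealand" \
    tx-power-mode=all-rates-fixed tx-power=20 disabled=no
/interface wireless security-profiles add name=5ghz-sec mode=dynamic-keys \
    authentication-types=wpa2-eap unicast-ciphers=aes-ccm group-ciphers=aes-ccm eap-methods=eap-tls \
    tls-mode=no-certificates
/interface wireless set wlan2 mode=ap-bridge band=5ghz frequency=5240 ssid=wirelessnation \
    security-profile=5ghz-sec \
    wds-mode=dynamic wds-default-bridge=bridge1 country="new zealand" disabled=no
/interface wireless connect-list add interface=wlan2 security-profile=5ghz-sec
"""

# Constructed input: a deliberately weakened variant of the mesh backhaul line
# (WPA1 suite and TKIP allowed, no connect-list entry for the WDS interface).
WEAK_SCRIPT = r"""
/interface wireless security-profiles add name=legacy mode=dynamic-keys \
    authentication-types=wpa-psk,wpa2-psk unicast-ciphers=tkip,aes-ccm group-ciphers=tkip
/int wireless set wlan1 disabled=no ssid=VIO-MESH frequency=5800 band=5ghz-turbo mode=ap-bridge \
    security-profile=legacy wds-mode=dynamic-mesh wds-default-bridge=mesh1
"""

WPA1_SUITES = {"wpa-psk", "wpa-eap"}
WEAK_CIPHERS = {"tkip"}
VERBS = {"add", "set"}


def logical_lines(text):
    """Yield RouterOS command lines with comments dropped and '\\' continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        yield pending + line
        pending = ""
    if pending:
        yield pending.strip()


def parse_script(text):
    """Return (security profiles by name, wireless interfaces by name, connect-list rows)."""
    profiles, interfaces, connect_list = {}, {}, []
    for line in logical_lines(text):
        tokens = shlex.split(line)                  # handles country="new zealand"
        verb_at = next((i for i, t in enumerate(tokens) if t in VERBS), None)
        if verb_at is None:
            continue
        # menu path, with the '/int' abbreviation the scripts use expanded
        path = " ".join("interface" if t.lstrip("/") == "int" else t.lstrip("/")
                        for t in tokens[:verb_at])
        verb, rest = tokens[verb_at], tokens[verb_at + 1:]
        target = rest.pop(0) if verb == "set" and rest and "=" not in rest[0] else None
        kv = dict(t.split("=", 1) for t in rest if "=" in t)
        if path == "interface wireless security-profiles" and verb == "add":
            profiles[kv["name"]] = kv
        elif path == "interface wireless" and verb == "set" and target:
            interfaces.setdefault(target, {}).update(kv)
        elif path == "interface wireless connect-list" and verb == "add":
            connect_list.append(kv)
    return profiles, interfaces, connect_list


def audit(text):
    """Return (severity, interface, message) findings for every enabled radio."""
    profiles, interfaces, connect_list = parse_script(text)
    covered = {c.get("interface") for c in connect_list if c.get("security-profile")}
    findings = []
    for name, cfg in sorted(interfaces.items()):
        if cfg.get("disabled", "no") == "yes":
            continue
        prof_name = cfg.get("security-profile")
        if not prof_name:
            findings.append(("WARN", name, "no security-profile: radio is open (unencrypted)"))
            continue
        prof = profiles.get(prof_name)
        if prof is None:
            findings.append(("ERROR", name, "references unknown security-profile %r" % prof_name))
            continue
        if prof.get("mode") != "dynamic-keys":
            findings.append(("WARN", name, "profile %r mode=%s is not dynamic-keys" % (prof_name, prof.get("mode"))))
        suites = set(prof.get("authentication-types", "").split(","))
        if suites & WPA1_SUITES:
            findings.append(("WARN", name, "profile %r allows WPA1 suites %s" % (prof_name, sorted(suites & WPA1_SUITES))))
        ciphers = set(prof.get("unicast-ciphers", "").split(",")) | set(prof.get("group-ciphers", "").split(","))
        if ciphers & WEAK_CIPHERS:
            findings.append(("WARN", name, "profile %r permits TKIP" % prof_name))
        if "wds-mode" in cfg and name not in covered:
            findings.append(("WARN", name, "WDS enabled but no connect-list entry applies the security profile"))
    return findings


if __name__ == "__main__":
    for label, script in (("Queens", QUEENS_SCRIPT), ("weakened", WEAK_SCRIPT)):
        print(label + ":")
        for severity, iface, msg in audit(script):
            print("  %-5s %-6s %s" % (severity, iface, msg))
```

Run against the Queens script it reports only the open 2.4GHz radio (wlan1), which is the case the guide describes; the weakened script produces three findings on wlan1. The same checks can be run over a `/export` taken from a deployed node before it is put on a tower.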
GUI Configuration
Set up the mesh interface:
Set up the IP address for ether1: IP->Address, then click the "+" add button:
Set up the System ID from System->ID
Establish the mesh interface for the two radios and Ethernet ether1: Mesh->Port, then click the "+"
button:
Disable ether2 and ether3:
Enable wlan1 and wlan2:
Now configure WPA2 encryption for the backhaul 5GHz link:
Then click "+" to add a profile:
Now configure 5GHz backhaul (VIO-MESH). Double click above wlan1:
Now specify the connect list to apply the WPA2 security profile for the link. Click the Wireless
menu, choose wlan1:
then click Connection List:
Then choose interface wlan1 with vio-sec:
Now configure wlan2 for the 2.4GHz broadcast (VIO), with automatic channel scanning (DFS
mode) to reduce interference. To see the DFS options, you need to use Advanced Mode,
available on the right panel of Wireless:
Now disable firewall connection tracking for better performance:
IP->Firewall->Connection, click Tracking:
You can back up the system configuration if you wish:
New Terminal, then type the following command:
/system backup save name=factory
You may need to reboot the system via System->Reboot, or by cycling power, if redundant
operations were applied during the above steps.
Perform the same configuration on the other Dual mesh node, and you are done.
You should be able to see the mesh interface forwarding database (FDB) from:
Additional CLI commands print out the mesh topology:
# debugging purpose
/int mesh pr
/int mesh port p detail
/int mesh fdb print detail
/int mesh port print stats
/int mesh fdb print
/ping 10.1.1.28
/ping 00:0C:42:00:00:CC
Configuring OSPF Mesh
OSPF stands for Open Shortest Path First. This routing protocol is the key to creating
redundancy between device nodes, i.e., a mesh network. This section covers how to
configure OSPF. The OSPF configuration window can be opened by selecting Routing
then OSPF:
Note: the ether1 and wlan1 above are just for illustration. You should choose the correct
interfaces for OSPF, e.g., ether1 and ether2.
Create an area by clicking on the 'Area' tab and then clicking on the red plus sign. This
opens the New OSPF Area window. The following information needs to be supplied: the
Area NAME and the AREA ID in dotted format. The rest of the options can remain the same.
Note: THIS INFORMATION MUST BE THE SAME FOR ALL ROUTERS
PARTICIPATING IN THE MESH
Once the Area is created, the OSPF Networks that will be distributed over the OSPF link
need to be added. In the OSPF window shown above, go to the Network tab and click
on the red plus sign. This opens the OSPF Network window. The network needs to be added
including its mask. Select the Area which was created:
Now that the Area and Network have been added, we need to configure which interfaces
will pass OSPF information. In the OSPF window, under the Interface tab, click on the
red plus sign to open the New OSPF Interface window. Select the interface and click
APPLY then OK.
Note: THE FOLLOWING SETTINGS MUST BE THE SAME FOR ALL ROUTERS
PARTICIPATING IN THE MESH
• Retransmit Interval
• Transmit Delay
• Hello Interval
• Router Dead Interval
The final step is to configure the OSPF settings. In the Interface tab click on Settings to
bring up the OSPF settings window. The settings will vary depending on the role of the
router. If the router has a connection to the Internet, then the following settings are
recommended.
• Redistribute Default Route = if installed (as type 2)
• Redistribute Connected Route = as type 1
• Redistribute Static Routes = as type 2
If your router is just participating in the OSPF, then the following OSPF settings are
recommended.
• Redistribute Default Route = never
• Redistribute Connected Route = as type 1
• Redistribute Static Routes = no
Dual Setup with OSPF for Failover / Redundancy
One reality that all WISPs face is that all radio communications are half-duplex. When
one end of a link is "speaking", the other end must be "listening". For many applications
this is sufficient. When a link becomes busy, however, some types of
communications are negatively impacted by the delays caused by this behavior. WAP OS
offers some options to help you alleviate this congestion without breaking the bank. In
this article, we discuss in detail how to configure WAP OS and OSPF to
provide a simulated full-duplex link, with the added benefit of failover to half-duplex in
the event of a single link failure.
Some of the advantages with this method include:
• Full Duplex
• Automatic Failover
• No delay of packets. The same setup utilizing NStreme-Dual can cause delay,
which can be a problem if you're dealing with VoIP or applications that require
maximum responsiveness.
• This setup can make use of two radios at each end, so availability becomes
even more robust in case of a radio failure.
Each WAP-520 comes with two radios. Use the following diagram as a reference:
This setup will cause the incoming traffic to use wlan1 on AP-A and wlan2 on AP-B.
It will also use any available path to get to the other side (failover with OSPF).
Configuration of AP-A
/system identity set name=AP-A
/ip address add address=10.1.1.31/24 interface=ether1
/ip address add address=10.1.10.1/24 interface=wlan1
/ip address add address=10.1.20.1/24 interface=wlan2
/interface wireless set wlan1 disabled=no ssid=ID-A frequency=5825 band=5ghz mode=ap-bridge \
    scan-list=5825-5875 dfs-mode=none country="india"
/interface wireless set wlan2 disabled=no ssid=ID-B frequency=5860 band=5ghz mode=station \
    scan-list=5825-5875 dfs-mode=none country="india"
#loopback
/interface bridge add name=loopback
/ip address add address=10.255.255.1/32 interface=loopback
/routing ospf instance set default redistribute-connected=as-type-1 router-id=10.255.255.1
/routing ospf network add network=10.1.1.0/24 area=backbone
/routing ospf network add network=10.1.10.0/24 area=backbone
/routing ospf network add network=10.1.20.0/24 area=backbone
/routing ospf interface add interface=wlan1 cost=100
Configuration of AP-B
/system identity set name=AP-B
/ip address add address=10.1.2.31/24 interface=ether1
/ip address add address=10.1.20.2/24 interface=wlan1
/ip address add address=10.1.10.2/24 interface=wlan2
/interface wireless set wlan1 disabled=no ssid=ID-B frequency=5860 band=5ghz mode=ap-bridge \
    scan-list=5825-5875 dfs-mode=none country="india"
/interface wireless set wlan2 disabled=no ssid=ID-A frequency=5825 band=5ghz mode=station \
    scan-list=5825-5875 dfs-mode=none country="india"
#loopback
/interface bridge add name=loopback
/ip address add address=10.255.1.1/32 interface=loopback
/routing ospf instance set default redistribute-connected=as-type-1 router-id=10.255.1.1
/routing ospf network add network=10.1.1.0/24 area=backbone
/routing ospf network add network=10.1.10.0/24 area=backbone
/routing ospf network add network=10.1.20.0/24 area=backbone
/routing ospf interface add interface=wlan2 cost=100
Loopback
The default router-id is 0.0.0.0, which means that the router will use one of its IP addresses as
the router-id. In most cases it is recommended to set up a loopback IP address as the router-id.
A loopback IP address is a virtual, software address that is used for router identification in
the network. The benefit is that the loopback address is always up (active) and cannot go down
like a physical interface. The OSPF protocol uses it for communication among routers, which are
identified by router-id. The loopback interface is configured as follows:
Create bridge interface named, for example, “loopback”:
/interface bridge add name=loopback
Add IP address:
/ip address add address=10.255.255.1/32 interface=loopback
Configure router-id as loopback:
/routing ospf instance set default redistribute-connected=as-type-1 router-id=10.255.255.1
This can be done on AP-B as well.
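To make the interface-cost and redistribution logic of the OSPF sections concrete, here is an added Python example (not from the guide or from WAP OS) that runs OSPF's shortest-path computation over the two-router topology defined by the AP-A and AP-B scripts above. It assumes an interface cost of 10 for the interfaces the scripts do not set (the RouterOS default, and the value shown for them in the `/routing ospf interface print` output later in this section). It reproduces the next hops that appear in the `/ip route print` output, then fails the 10.1.20.0/24 link to show the failover path.

```python
import heapq

# Topology constructed from the AP-A and AP-B scripts above:
# router -> {interface: (connected prefix, own address, OSPF interface cost)}.
# cost=100 is set explicitly by the scripts on one wlan per router; the other
# interfaces are assumed to keep the RouterOS default cost of 10.
ROUTERS = {
    "AP-A": {
        "ether1":   ("10.1.1.0/24",     "10.1.1.31",    10),
        "wlan1":    ("10.1.10.0/24",    "10.1.10.1",   100),
        "wlan2":    ("10.1.20.0/24",    "10.1.20.1",    10),
        "loopback": ("10.255.255.1/32", "10.255.255.1", 10),
    },
    "AP-B": {
        "ether1":   ("10.1.2.0/24",     "10.1.2.31",    10),
        "wlan1":    ("10.1.20.0/24",    "10.1.20.2",    10),
        "wlan2":    ("10.1.10.0/24",    "10.1.10.2",   100),
        "loopback": ("10.255.1.1/32",   "10.255.1.1",   10),
    },
}


def address_on(routers, router, prefix):
    """Return the address `router` has on network `prefix`."""
    for net, addr, _ in routers[router].values():
        if net == prefix:
            return addr
    raise KeyError("%s is not on %s" % (router, prefix))


def spf(routers, source, down=frozenset()):
    """OSPF-style Dijkstra from `source`. Nodes are routers and networks;
    router -> network costs the outgoing interface cost, network -> router costs 0.
    Networks listed in `down` are treated as failed links.
    Returns {prefix: (cost, gateway or None if directly connected, exit interface)}."""
    adjacency = {}
    for router, ifaces in routers.items():
        for iface, (prefix, _addr, cost) in ifaces.items():
            if prefix in down:
                continue
            adjacency.setdefault(router, []).append((prefix, cost, iface))
            adjacency.setdefault(prefix, []).append((router, 0, iface))

    dist = {source: 0}
    first_hop = {source: (None, None)}          # node -> (exit iface, gateway)
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue                            # stale heap entry
        for nbr, cost, iface in adjacency.get(node, []):
            nd = d + cost
            if nd >= dist.get(nbr, float("inf")):
                continue
            dist[nbr] = nd
            if node == source:
                first_hop[nbr] = (iface, None)  # directly connected network
            elif first_hop[node][1] is None:
                # `node` is a directly connected network and `nbr` the router
                # across it: that router's address on it is our gateway.
                first_hop[nbr] = (first_hop[node][0], address_on(routers, nbr, node))
            else:
                first_hop[nbr] = first_hop[node]
            heapq.heappush(heap, (nd, nbr))
    return {net: (dist[net], first_hop[net][1], first_hop[net][0])
            for net in dist if net not in routers}


def route_table(source, down=frozenset()):
    """Routing table of `source` for the topology above (optionally with failed links)."""
    return spf(ROUTERS, source, down)


def show(title, table):
    print(title)
    for net, (cost, gw, iface) in sorted(table.items()):
        how = "connected on %s" % iface if gw is None else "via %s (%s)" % (gw, iface)
        print("  %-16s cost=%-4d %s" % (net, cost, how))


if __name__ == "__main__":
    show("AP-A:", route_table("AP-A"))
    show("AP-B:", route_table("AP-B"))
    show("AP-A after losing the 10.1.20.0/24 link:", route_table("AP-A", {"10.1.20.0/24"}))
```

With the costs as configured, both routers reach the far side over the 10.1.20.0/24 link (gateway 10.1.20.2 from AP-A, 10.1.20.1 from AP-B), exactly the `ADo` rows printed below; when that link is removed, AP-A re-routes through wlan1 to 10.1.10.2 at path cost 110. The cost here is OSPF path cost, not the administrative distance of 110 shown in the `DISTANCE` column.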
GUI Setting for OSPF
From AP-A:
Pinging from direct connected PC
You can verify your OSPF operation as follows.
Configure the IP address of your PC as 10.1.1.13 / 255.255.255.0, with the IP address of
ether1 on AP-A (10.1.1.31) as the PC's gateway address:
Ethernet adapter Intel:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 PT Desktop Adapter
Physical Address. . . . . . . . . : 00-1B-21-35-E5-A1
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.1.1.14
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.31
<< ip of ether1 from AP-A
Now you should be able to ping any interface (ether1, wlan1, and wlan2) of AP-A and
AP-B from the PC with the above IP setting.
Once you are done with the above configuration, you should be able to bring up both WAP-520 units using Winbox.
Note: Neighbor Discovery from Winbox started on the PC can see only the directly connected
AP-A. This is because neighbor discovery works only within the same broadcast
domain (bridged network). In this case the routers are routed, and you can connect to them
only by IP address.
When you press the [...] button in the winbox loader, it starts neighbor discovery and tries to find
all routers in the same broadcast domain. As this is now a routed network, you will see only the
directly connected router.
If you want to bring up AP-B, simply type the IP address of AP-B:
Debug inside AP-A and AP-B
/ip addr print
AP-A Output:
[admin@AP-A] > /ip addr print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.1.31/24       10.1.1.0        10.1.1.255      ether1
 1   10.1.10.1/24       10.1.10.0       10.1.10.255     wlan1
 2   10.1.20.1/24       10.1.20.0       10.1.20.255     wlan2
 3   10.255.255.1/32    10.255.255.1    10.255.255.1    loopback
[admin@AP-A] > ping 10.1.10.2
10.1.10.2 64 byte ping: ttl=64 time=7 ms
10.1.10.2 64 byte ping: ttl=64 time=9 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 7/8.0/9 ms
[admin@AP-A] > ping 10.1.20.2
10.1.20.2 64 byte ping: ttl=64 time=1 ms
10.1.20.2 64 byte ping: ttl=64 time=1 ms
10.1.20.2 64 byte ping: ttl=64 time=9 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1/3.6/9 ms
AP-B Output:
[admin@AP-B] > /ip addr print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.2.31/24       10.1.2.0        10.1.2.255      ether1
 1   10.1.20.2/24       10.1.20.0       10.1.20.255     wlan1
 2   10.1.10.2/24       10.1.10.0       10.1.10.255     wlan2
 3   10.255.1.1/32      10.255.1.1      10.255.1.1      loopback
[admin@AP-B] > ping 10.1.10.1
10.1.10.1 64 byte ping: ttl=64 time=10 ms
10.1.10.1 64 byte ping: ttl=64 time=9 ms
10.1.10.1 64 byte ping: ttl=64 time=9 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 9/9.3/10 ms
[admin@AP-B] > ping 10.1.20.1
10.1.20.1 64 byte ping: ttl=64 time=7 ms
10.1.20.1 64 byte ping: ttl=64 time=2 ms
10.1.20.1 64 byte ping: ttl=64 time=9 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 2/6.0/9 ms
/routing ospf interface print status
This shows that one wireless link is in standby, which is fine.
AP-A Output:
[admin@AP-A] > /routing ospf interface print
Flags: X - disabled, I - inactive, D - dynamic, P - passive
 #    INTERFACE   COST  PRI  NETWORK-TYPE  AUT...  AUTHENTICATIO...
 0    wlan1       100   1    default       none
 1 D  wlan2       10    1    broadcast     none
 2 D  ether1      10    1    broadcast     none
[admin@AP-A] > /routing ospf interface print status
Flags: X - disabled, I - inactive, D - dynamic, P - passive
 0    interface=wlan1 cost=100 priority=1 authentication=none
      authentication-key="" authentication-key-id=1 network-type=default
      instance-id=0 retransmit-interval=5s transmit-delay=1s
      hello-interval=10s dead-interval=40s use-bfd=no ip-address=10.1.10.1
      used-network-type=broadcast state=designated-router instance=default
      area=backbone neighbors=1 adjacent-neighbors=1
      designated-router=10.1.10.1 backup-designated-router=10.1.10.2
 1 D  interface=wlan2 cost=10 priority=1 authentication=none
      authentication-key="" authentication-key-id=1 network-type=broadcast
      instance-id=0 retransmit-interval=5s transmit-delay=1s
      hello-interval=10s dead-interval=40s use-bfd=no ip-address=10.1.20.1
      used-network-type=broadcast state=designated-router instance=default
      area=backbone neighbors=1 adjacent-neighbors=1
      designated-router=10.1.20.1 backup-designated-router=10.1.20.2
 2 D  interface=ether1 cost=10 priority=1 authentication=none
      authentication-key="" authentication-key-id=1 network-type=broadcast
      instance-id=0 retransmit-interval=5s transmit-delay=1s
      hello-interval=10s dead-interval=40s use-bfd=no ip-address=10.1.1.31
      used-network-type=broadcast state=designated-router instance=default
      area=backbone neighbors=0 adjacent-neighbors=0
      designated-router=10.1.1.31 backup-designated-router=0.0.0.0
AP-B Output:
[admin@AP-B] > /routing ospf interface print
Flags: X - disabled, I - inactive, D - dynamic, P - passive
 #    INTERFACE   COST  PRI  NETWORK-TYPE  AUT...  AUTHENTICATIO...
 0    wlan2       100   1    default       none
 1 D  wlan1       10    1    broadcast     none
[admin@AP-B] > /routing ospf interface print status
Flags: X - disabled, I - inactive, D - dynamic, P - passive
 0    interface=wlan2 cost=100 priority=1 authentication=none
      authentication-key="" authentication-key-id=1 network-type=default
      instance-id=0 retransmit-interval=5s transmit-delay=1s
      hello-interval=10s dead-interval=40s use-bfd=no ip-address=10.1.10.2
      used-network-type=broadcast state=backup instance=default area=backbone
      neighbors=1 adjacent-neighbors=1 designated-router=10.1.10.1
      backup-designated-router=10.1.10.2
 1 D  interface=wlan1 cost=10 priority=1 authentication=none
      authentication-key="" authentication-key-id=1 network-type=broadcast
      instance-id=0 retransmit-interval=5s transmit-delay=1s
      hello-interval=10s dead-interval=40s use-bfd=no ip-address=10.1.20.2
      used-network-type=broadcast state=backup instance=default area=backbone
      neighbors=1 adjacent-neighbors=1 designated-router=10.1.20.1
      backup-designated-router=10.1.20.2
/routing ospf neighbor print
AP-A Output:
[admin@AP-A] > /routing ospf neighbor print
0 instance=default router-id=10.255.1.1 address=10.1.10.2 interface=wlan1
priority=1 dr-address=10.1.10.1 backup-dr-address=10.1.10.2 state="Full"
state-changes=5 ls-retransmits=0 ls-requests=0 db-summaries=0
adjacency=2h54m8s
1 instance=default router-id=10.255.1.1 address=10.1.20.2 interface=wlan2
priority=1 dr-address=10.1.20.1 backup-dr-address=10.1.20.2 state="Full"
state-changes=5 ls-retransmits=0 ls-requests=0 db-summaries=0
adjacency=2h54m4s
AP-B Output:
[admin@AP-B] > /routing ospf neighbor print
0 instance=default router-id=10.255.255.1 address=10.1.20.1 interface=wlan1
priority=1 dr-address=10.1.20.1 backup-dr-address=10.1.20.2 state="Full"
state-changes=5 ls-retransmits=0 ls-requests=0 db-summaries=0
adjacency=2h54m26s
1 instance=default router-id=10.255.255.1 address=10.1.10.1 interface=wlan2
priority=1 dr-address=10.1.10.1 backup-dr-address=10.1.10.2 state="Full"
state-changes=5 ls-retransmits=0 ls-requests=0 db-summaries=0
adjacency=2h54m30s
/routing ospf network print
AP-A Output:
[admin@AP-A] > /routing ospf network print
Flags: X - disabled, I - invalid
 #   NETWORK         AREA
 0   10.1.1.0/24     backbone
 1   10.1.10.0/24    backbone
 2   10.1.20.0/24    backbone
AP-B Output:
[admin@AP-B] > /routing ospf network print
Flags: X - disabled, I - invalid
 #   NETWORK         AREA
 0   10.1.1.0/24     backbone
 1   10.1.10.0/24    backbone
 2   10.1.20.0/24    backbone
/ip route print
AP-A Output:
[admin@AP-A] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY         DISTANCE
 0 ADC  10.1.1.0/24        10.1.1.31       ether1          0
 1 ADo  10.1.2.0/24                        10.1.20.2       110
 2 ADC  10.1.10.0/24       10.1.10.1       wlan1           0
 3 ADC  10.1.20.0/24       10.1.20.1       wlan2           0
 4 ADo  10.255.1.1/32                      10.1.20.2       110
 5 ADC  10.255.255.1/32    10.255.255.1    loopback        0
AP-B Output:
[admin@AP-B] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY         DISTANCE
 0 ADo  10.1.1.0/24                        10.1.20.1       110
 1 ADC  10.1.2.0/24        10.1.2.31       ether1          0
 2 ADC  10.1.10.0/24       10.1.10.2       wlan2           0
 3 ADC  10.1.20.0/24       10.1.20.2       wlan1           0
 4 ADC  10.255.1.1/32      10.255.1.1      loopback        0
 5 ADo  10.255.255.1/32                    10.1.20.1       110
While running the network monitoring tool Dude, set up Scan Networks for Ether and
WLAN on both WAP-520 units:
It will discover all associated OSPF networks.
VRRP High Availability
General Information
Summary
The Virtual Router Redundancy Protocol (VRRP) implementation in the WAP-520 is
RFC2338 compliant. The VRRP protocol is used to ensure constant access to some resources.
Two or more routers (referred to as VRRP Routers in this context) create a highly available
cluster (also referred to as a Virtual Router) with dynamic failover. Each router can
participate in no more than 255 virtual routers per interface. Many modern routers
support this protocol.
Network setups with VRRP clusters provide high availability for routers without using
clumsy ping-based scripts.
Specifications
Packages required: system
License required: Level1
Submenu level: /interface vrrp
Standards and Technologies: VRRP, AH, HMAC-MD5-96 within ESP and AH
Hardware usage: Not significant
Description
Virtual Router Redundancy Protocol is an election protocol that provides high availability
for routers. A number of routers may participate in one or more virtual routers. One or
more IP addresses may be assigned to a virtual router. A node of a virtual router can be in
one of the following states:
• MASTER state, when the node answers all requests to the instance's IP
addresses. There may only be one MASTER node in a virtual router. This node
sends VRRP advertisement packets to all the backup routers (using a multicast
address) periodically (set in the interval property).
• BACKUP state, when the VRRP router monitors the availability and state of the
Master Router. It does not answer any requests to the instance's IP addresses.
Should the master become unavailable (if at least three sequential VRRP packets are
lost), an election process happens, and a new master is proclaimed based on its
priority. For more details on virtual routers, see RFC2338.
Notes
VRRP does not currently work on VLAN interfaces, as it is impossible to have the MAC
address of a VLAN interface different from the MAC address of the physical interface it
is put on.
VRRP Routers
Submenu level: /interface vrrp
Description
A number of VRRP routers may form a virtual router. The maximal number of clusters
on one network is 255, each having a unique VRID (Virtual Router ID). Each router
participating in a VRRP cluster must have its priority set to a valid value. Each VRRP
instance is configured like a virtual interface that is bound to a real interface (in a similar
manner to a VLAN). VRRP addresses are then put on the virtual VRRP interface normally.
The VRRP master has the running flag enabled, making the address (and the associated
routes and other configuration) active. A backup instance is not 'running', so all the
settings attached to that interface are inactive.
Property Description
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol
authentication (none | simple | ah; default: none) - authentication method to use for VRRP advertisement packets
  none - no authentication
  simple - plain text authentication
  ah - Authentication Header using HMAC-MD5-96 algorithm
backup (read-only: flag) - whether the instance is in the backup state
interface (name) - interface name the instance is running on
interval (integer: 1..255; default: 1) - VRRP update interval in seconds. Defines how frequently the master of the given cluster sends VRRP advertisement packets
mac-address (MAC address) - MAC address of the VRRP instance. According to the RFC, any VRRP instance should have its own unique MAC address
master (read-only: flag) - whether the instance is in the master state
mtu (integer; default: 1500) - Maximum Transmission Unit
name (name) - assigned name of the VRRP instance
on-backup (name; default: "") - script to execute when the node switches to backup state
on-master (name; default: "") - script to execute when the node switches to master state
password (text; default: "") - password required for authentication; depending on the method used it can be ignored (if no authentication is used), an 8-character long text string (for plain-text authentication) or a 16-character long text string (128-bit key required for AH authentication)
preemption-mode (yes | no; default: yes) - whether preemption mode is enabled
  no - a backup node will not be elected to be a master until the current master fails, even if the backup node has higher priority than the current master
  yes - the master node always has the priority
priority (integer: 1..255; default: 100) - priority of the current node (higher values mean higher priority)
  255 - RFC requires that the router that owns the IP addresses assigned to this instance has the priority of 255
vrid (integer: 0..255; default: 1) - Virtual Router Identifier (must be unique on one interface)
Notes
All the nodes of one cluster must have the same vrid, interval, preemption-mode,
authentication and password.
To add a VRRP instance on the ether1 interface, forming (because priority is 255) a virtual
router with vrid 1:
[admin@WAP-520] interface vrrp> add interface=ether1 vrid=1 priority=255
[admin@WAP-520] interface vrrp> print
Flags: X - disabled, I - invalid, R - running, M - master, B - backup
 0 RM name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:01 arp=enabled
      interface=ether1 vrid=1 priority=255 interval=1 preemption-mode=yes
      authentication=none password="" on-backup="" on-master=""
[admin@WAP-520] ip vrrp>
Note that the instance is active at once. This is because it has the priority of 255. Otherwise,
the instance would wait in backup mode for a new master election process to complete in its
favour before assuming the master role. This also means that there must not be any
other VRRP routers with the maximal priority.
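The election described above is driven entirely by the advertisement packets the master sends every `interval` seconds, so the cheapest way to watch a VRRP segment is to check those packets against the configured cluster. The following Python is an added example, not part of this guide or of the WAP-520 implementation: it encodes and decodes RFC 2338 VRRPv2 advertisements (version/type, vrid, priority, address list, auth type, interval, checksum and the 8-octet authentication data) and compares a received advertisement with the configured master for its VRID, so that a backup taking over, or a node that should not be advertising, shows up as a mismatch. The sample packets are constructed here from the vrid=1, priority=255 example above; the `pass1234` password is a constructed value.

```python
import struct
import ipaddress

AUTH_TYPES = {0: "none", 1: "simple", 2: "ah"}   # RFC 2338 Auth Type values


def ones_complement_checksum(data):
    """16-bit one's complement of the one's complement sum (RFC 2338 5.3.8)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid, priority, addresses, interval=1, auth_type=0, password=b""):
    """Encode a VRRPv2 advertisement with a correct checksum."""
    ips = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    # Authentication Data is always 8 octets: the zero-padded password for
    # 'simple' (hence the 8-character limit in the property list), zeros for 'none'.
    auth_data = password[:8].ljust(8, b"\x00")
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(addresses),
                         auth_type, interval, 0)
    packet = header + ips + auth_data
    checksum = ones_complement_checksum(packet)
    return packet[:6] + struct.pack("!H", checksum) + packet[8:]


def parse_advert(packet):
    """Decode and validate a VRRPv2 advertisement; raises ValueError if malformed."""
    if len(packet) < 16:
        raise ValueError("too short for a VRRP advertisement")
    ver_type, vrid, priority, count, auth_type, interval, _ = struct.unpack("!BBBBBBH", packet[:8])
    if ver_type >> 4 != 2 or ver_type & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if len(packet) != 8 + 4 * count + 8:
        raise ValueError("length does not match Count IP Addrs")
    if ones_complement_checksum(packet) != 0:      # valid packets sum to zero
        raise ValueError("bad checksum")
    addrs = [str(ipaddress.IPv4Address(packet[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": priority, "interval": interval,
            "auth": AUTH_TYPES.get(auth_type, auth_type), "addresses": addrs,
            "auth_data": packet[8 + 4 * count:]}


def review_advert(packet, expected):
    """Compare a received advertisement with the configured master for its VRID.
    `expected` maps vrid -> {"priority", "addresses", "auth"} taken from the
    /interface vrrp and /ip address configuration. Any mismatch deserves an alert:
    it is either a failover in progress or a node that should not be advertising."""
    adv = parse_advert(packet)
    cfg = expected.get(adv["vrid"])
    if cfg is None:
        return ["advertisement for unexpected VRID %d" % adv["vrid"]]
    notes = []
    if adv["priority"] != cfg["priority"]:
        notes.append("priority %d differs from configured master priority %d"
                     % (adv["priority"], cfg["priority"]))
    if sorted(adv["addresses"]) != sorted(cfg["addresses"]):
        notes.append("address list %s differs from configured %s" % (adv["addresses"], cfg["addresses"]))
    if adv["auth"] != cfg["auth"]:
        notes.append("auth type %s differs from configured %s" % (adv["auth"], cfg["auth"]))
    return notes


# Constructed from the example above: vrid=1, priority=255, address 192.168.1.1.
EXPECTED = {1: {"priority": 255, "addresses": ["192.168.1.1"], "auth": "none"}}
MASTER_ADVERT = build_advert(1, 255, ["192.168.1.1"])
BACKUP_ADVERT = build_advert(1, 100, ["192.168.1.1"])            # backup has taken over
SIMPLE_AUTH_ADVERT = build_advert(1, 255, ["192.168.1.1"], auth_type=1, password=b"pass1234")
OTHER_VRID_ADVERT = build_advert(7, 255, ["192.168.1.1"])

if __name__ == "__main__":
    for label, pkt in (("master", MASTER_ADVERT), ("backup takeover", BACKUP_ADVERT),
                       ("simple auth", SIMPLE_AUTH_ADVERT), ("other vrid", OTHER_VRID_ADVERT)):
        print("%-16s %s -> %s" % (label, pkt.hex(), review_advert(pkt, EXPECTED) or "ok"))
```

The same comparison can be fed from a packet capture of the 224.0.0.18 multicast group; a burst of mismatching advertisements for a VRID after the configured master is known to be healthy is worth investigating, since the priority rule means the higher advertised priority will win the next election.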
A simple example of VRRP fail over
Description
The VRRP protocol may be used to make a redundant Internet connection with seamless failover. Let us assume that we have a 192.168.1.0/24 network and we need to provide a highly
available Internet connection for it. This network should be NATted (to make failover
with public IPs, use dynamic routing protocols such as BGP or OSPF together with
VRRP). We have connections to two different Internet Service Providers (ISPs), and one
of them is preferred (for example, it is cheaper or faster).
This example shows how to configure VRRP on the two routers shown on the diagram.
The routers must have an initial configuration: interfaces are enabled, each interface has an
appropriate IP address (note that each of the two interfaces should have an IP address), and the
routing table is set correctly (it should have at least a default route). SRC-NAT or
masquerading should also be configured beforehand. See the respective manual chapters on
how to make this configuration.
We will assume that the interface the 192.168.1.0/24 network is connected to is named
local on both VRRP routers.
Configuring Master VRRP router
First of all we should create a VRRP instance on this router. We will use the priority of
255 for this router as it should be the preferred router.
[admin@WAP-520] interface vrrp> add interface=local priority=255
[admin@WAP-520] interface vrrp> print
Flags: X - disabled, I - invalid, R - running, M - master, B - backup
 0 RM name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:01 arp=enabled
      interface=local vrid=1 priority=255 interval=1 preemption-mode=yes
      authentication=none password="" on-backup="" on-master=""
[admin@WAP-520] interface vrrp>
Next the IP address should be added to this VRRP instance:
[admin@WAP-520] ip address> add address=192.168.1.1/24 interface=vrrp1
[admin@WAP-520] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK          BROADCAST        INTERFACE
 0   10.0.0.1/24        10.0.0.0         10.0.0.255       public
 1   192.168.1.2/24     192.168.1.0      192.168.1.255    local
 2   192.168.1.1/24     192.168.1.0      192.168.1.255    vrrp1
[admin@WAP-520] ip address>
Configuring Backup VRRP router
Now we will create a VRRP instance with lower priority (we can use the default value of
100), so this router will back up the preferred one:
[admin@WAP-520] interface vrrp> add interface=local
[admin@WAP-520] ip vrrp> print
Flags: X - disabled, I - invalid, R - running, M - master, B - backup
 0 B  name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:01 arp=enabled
      interface=local vrid=1 priority=100 interval=1 preemption-mode=yes
      authentication=none password="" on-backup="" on-master=""
[admin@WAP-520] interface vrrp>
Now we should add the same address as was added to the master node:
[admin@WAP-520] ip address> add address=192.168.1.1/24 interface=vrrp1
Testing fail over
Now, when we disconnect the master router, the backup one will switch to the master
state after a few seconds:
[admin@WAP-520] interface vrrp> print
Flags: X - disabled, I - invalid, R - running, M - master, B - backup
 0 RM name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:01 arp=enabled
      interface=local vrid=1 priority=100 interval=1 preemption-mode=yes
      authentication=none password="" on-backup="" on-master=""
[admin@WAP-520] interface vrrp>
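The election and failover shown in this example (the priority-255 router becoming master at once, the backup waiting for its master-down timer after the master goes silent, and preemption when the master returns) written up as a small Python simulation. This is an added example, not WiBorne code: the timers follow RFC 3768 (Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time, Skew_Time = (256 - Priority) / 256 seconds), and the router names, the 5-second outage and the 0.25-second clock step are constructed.

```python
# Added example: two-router VRRP election/failover simulation (not WiBorne code).
# Timers follow RFC 3768; router names and outage timing are constructed.

ADVER_INT = 1.0  # interval=1 second, the page's default advertisement interval


def skew_time(priority):
    """RFC 3768 Skew_Time: higher-priority backups react sooner to a silent master."""
    return (256 - priority) / 256.0


def master_down_interval(priority, adver_int=ADVER_INT):
    """RFC 3768 Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time."""
    return 3 * adver_int + skew_time(priority)


class VrrpRouter:
    def __init__(self, name, vrid, priority, preemption_mode=True):
        self.name, self.vrid, self.priority = name, vrid, priority
        self.preemption_mode = preemption_mode
        self.state = "INIT"            # INIT, BACKUP or MASTER
        self.master_down_timer = None  # absolute time at which a backup stops waiting
        self.last_adver_sent = None
        self.peers = []                # routers on the same layer-2 segment

    def start(self, now):
        # priority 255 (the address owner) is master immediately; others wait in backup
        if self.priority == 255:
            self._become_master(now)
        else:
            self.state = "BACKUP"
            self.master_down_timer = now + master_down_interval(self.priority)

    def stop(self):
        """Cable pulled / router down: no more advertisements are sent."""
        self.state = "INIT"
        self.master_down_timer = None

    def _become_master(self, now):
        self.state = "MASTER"
        self._send_advertisement(now)

    def _send_advertisement(self, now):
        self.last_adver_sent = now
        for peer in self.peers:
            peer.receive_advertisement(now, self.vrid, self.priority)

    def receive_advertisement(self, now, vrid, priority):
        if vrid != self.vrid or self.state == "INIT":
            return  # another virtual router, or we are not running
        if self.state == "BACKUP":
            if priority == 0:      # master is shutting down: take over after the skew time
                self.master_down_timer = now + skew_time(self.priority)
            elif not self.preemption_mode or priority >= self.priority:
                self.master_down_timer = now + master_down_interval(self.priority)
            # else: a lower-priority master is being preempted, let the timer expire
        elif self.state == "MASTER" and priority > self.priority:
            # a higher-priority router (e.g. the returning owner) preempts us
            self.state = "BACKUP"
            self.master_down_timer = now + master_down_interval(self.priority)

    def tick(self, now):
        if self.state == "MASTER":
            if now - self.last_adver_sent >= ADVER_INT:
                self._send_advertisement(now)
        elif self.state == "BACKUP" and now >= self.master_down_timer:
            self._become_master(now)


def simulate_failover(master_down_at=5.0, master_back_at=12.0, end=16.0, dt=0.25):
    """Run the page's scenario; return the list of (time, router, new_state) transitions."""
    master = VrrpRouter("master", vrid=1, priority=255)
    backup = VrrpRouter("backup", vrid=1, priority=100)
    master.peers.append(backup)
    backup.peers.append(master)
    routers = (master, backup)
    transitions = []
    for step in range(int(round(end / dt)) + 1):
        now = step * dt
        before = {r.name: r.state for r in routers}
        if now == 0.0:
            master.start(now)
            backup.start(now)
        elif now == master_down_at:
            master.stop()      # "disconnect the master router"
        elif now == master_back_at:
            master.start(now)  # the owner comes back and preempts
        for r in routers:
            r.tick(now)
        for r in routers:
            if r.state != before[r.name]:
                transitions.append((now, r.name, r.state))
    return transitions


if __name__ == "__main__":
    for t, name, state in simulate_failover():
        print("t=%5.2fs %-6s -> %s" % (t, name, state))
```

With the page's values (interval 1 s, backup priority 100) the backup takes over about 3.6 s after the last advertisement it heard, which is the "few seconds" the text mentions. The simulation accepts every advertisement on the segment at face value, which is why the note that all cluster nodes must share the same authentication and password matters: with authentication=none, as in the printouts above, the election rests entirely on the priority the peers claim.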
VRRP: More examples
What is VRRP? In essence it works like this. You have two of your routers connected to
the same layer 2 segment. You have a subnet configured that is /29 or larger. You
configure a physical IP on the interfaces, and then you create a VRRP interface on each
router associated with those connected interfaces. You then assign the same VRRP IP
address on both routers to the VRRP interface.
The VRRP router that has the higher priority (default is 100) is the master. The master
responds to ARP requests for the VRRP IP. If the master router fails, then the backup
router takes over and owns the VRRP IP. So, your default gateway points towards the
VRRP IP so that if the master fails and the backup takes over, your default route is still
valid. By default preemption will migrate the VRRP IP back over to the router with the
highest priority.
Here are some examples:
So here’s our demo config:
So what happens when one of our providers fails?
Provider fails on one link. The backup guy takes over the VRRP IP. Our default route
points to 10.0.0.1 so we still route out!
We drop half of our network gear, but have no fear. The ISP was pointing towards
10.0.0.6 to route to me, so all is good in the hood.
Router 10.0.0.4
Create the VRRP interface *assign it higher priority – default is 100*:
/interface vrrp
add arp=enabled authentication=none comment="" disabled=no interface=ether1 \
    interval=1 mtu=1500 name=vrrp1 on-backup="" on-master="" password="" \
    preemption-mode=yes priority=150 vrid=1
Configure our IPs:
/ip address
add address=10.0.0.4/29 broadcast=10.0.0.7 comment="" disabled=no interface=\
    ether1 network=10.0.0.0
add address=10.0.0.6/32 broadcast=10.0.0.6 comment="" disabled=no interface=\
    vrrp1 network=10.0.0.6
Our default route:
/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.1 \
    scope=30 target-scope=10
Router 10.0.0.5
Create the VRRP interface:
/interface vrrp
add arp=enabled authentication=none comment="" disabled=no interface=ether1 \
    interval=1 mtu=1500 name=vrrp1 on-backup="" on-master="" password="" \
    preemption-mode=yes priority=100 vrid=1
Configure our IPs:
/ip address
add address=10.0.0.5/29 broadcast=10.0.0.7 comment="" disabled=no interface=\
    ether1 network=10.0.0.0
add address=10.0.0.6/32 broadcast=10.0.0.6 comment="" disabled=no interface=\
    vrrp1 network=10.0.0.6
Our default route:
/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.1 \
    scope=30 target-scope=10
This is great for the WAN side, but is quite often used for the LAN also! You can also run
two separate VRRP groups on a single interface which will allow you to load balance
with redundancy.
Cisco has a tracking system for HSRP and VRRP. If you lose a tracked interface you
deduct a specified amount of points from that group’s priority. If you are running
preemption this will allow the backup to take over.
A similar system could be fashioned for the WAP-520 using scripts.
Note: Besides VRRP, if you plan radio redundancy with the connect-list you can get
much faster fail-over to another AP, or with WDS you can have all APs work as one, so that
if one goes down another automatically takes over.
Configuring Bonding
This is to aggregate multiple network interfaces into a single pipe. In particular, it is
shown how to aggregate multiple virtual (EoIP) interfaces to get maximum throughput
(MT) with emphasis on availability.
Configuring Nstreme Protocol
This is a proprietary protocol to improve security and performance.
Click “Wireless” to open the “Wireless Tables” window, then double-click “wlan1” to open
the “Interface” form.
Choose “Nstreme” from the pull-down widget.
enable-nstreme ( yes | no ; default: no ) - whether to switch the card into the nstreme
mode
enable-polling ( yes | no ; default: yes ) - whether to use polling for clients
disable-csma ( yes | no ; default: no ) - disable CSMA/CA (better performance). Setting
this to “yes” will cause the protocol to disable the CSMA functionality in the radio card.
framer-limit ( integer ; default: 3200 ) - maximal frame size
framer-policy ( none | best-fit | exact-size | dynamic-size ; default: none ) - the method
of combining frames (like the fast-frames setting in the interface configuration). A number
of frames may be combined into a bigger one to reduce the amount of protocol overhead
(and thus increase speed). The card does not wait for frames, but in case a number of
packets are queued for transmitting, they can be combined. There are several methods of
framing:
• none - do nothing special, do not combine packets. BEST CPU, LOWEST
PERFORMANCE.
• best-fit - put as many packets as possible in one frame, until the framer-limit is met,
but do not fragment packets. MIDDLE PERFORMANCE AND CPU.
• exact-size - put as many packets as possible in one frame, until the framer-limit is met,
even if fragmentation will be needed. MOST CPU AND BEST PERFORMANCE.
• dynamic-size - choose the best frame size dynamically
name ( name ) - reference name of the interface
Note
Such settings as enable-polling, framer-policy and framer-limit are relevant only on the
Access Point; they are ignored for client devices! The client automatically adapts to the
AP settings.
WDS for the Nstreme protocol requires using station-wds mode on one of the peers.
Configurations with WDS between AP modes (bridge and ap-bridge) will not work.
Nstreme Dual Configuration
NOTE: it is recommended to connect antennas of the same frequency while operating
high-power radio modules.
Introduction
You can build a true full duplex link with WAP by using Nstreme Dual protocol.
You will need two WAP-520/500 APs with dual radios, one for each end of the link. One of
the nice things about the Nstreme Dual protocol is that the actual link frequencies are
independent of each other. What that means is that you can have one of the two links
running at 5.8GHz and the other running in the 2.4GHz band. Any combination of
frequencies will work.
If you are planning to run the links in the same band (5.8GHz for example) you may want
to consider the dual polarity dishes such as OA-5029DP.
Before you actually configure the Nstreme dual link, we suggest using just a single link
on each antenna to do the alignment. You can use Alignment Tool option or just set up
an access point on one end and “scan” on the other end to find the AP. Once you get the
single link connected, you can tweak the antennas for maximum signal levels. You may
wish to use the Audio Alignment Script to align the antennas.
One other consideration before deciding to use the Nstreme Dual connection is the fact
that if one of your links goes down, then the whole link goes down. In this QUG that
describes using OSPF to simulate FDX behavior, we gave a detailed description of
another method to gain some of the same benefits as the Nstreme Dual configuration.
There are, however, some significant differences. With the OSPF method, you have the
benefit of a failover if one link goes down. For some, this may be enough of a benefit to
forgo the use of Nstreme dual altogether. One further consideration is the CPU load when
using Nstreme Dual. Because Nstreme does the entire packet processing on the host
CPU, you need to watch the processor utilization when using Nstreme (single OR dual
mode).
Using Nstreme Dual, you will have a true full duplex link. One real limitation to
wireless technology is the fact that a radio device is either transmitting or it is receiving.
With Nstreme Dual, one side of the link is the transmitter and the other side is the
receiver. This is not only true for the data that passes over the link, but it is true for the
protocol and link state information. This fact offers a real benefit in terms of
performance and latency.
Beyond the FDX nature of the link, the Nstreme protocol offers a huge benefit in the way
it handles packet traffic. With the 802.11 protocols, every IP packet that is to be
transmitted over the link must be encapsulated in a protocol frame. Nstreme will
aggregate multiple IP packets in a single frame. This gives you a link with lower
protocol overhead and better data throughput. There are various options you can choose
for how the router will handle the aggregation (this is called the “framer-policy” in the
configuration). There are other options that we won’t list here, but we will say that
Nstreme in general, and Nstreme Dual specifically, is a very nice option to consider if
you are looking for a high capacity wireless link.
Let’s take a look at the configuration. Configuration really is quite simple once you
understand some of the basic terminology. First, you must decide which of the 2 radios
you will use as transmitter and which will be used for the receiver. For both of these
radios, the radio will be controlled (and managed) by the Nstreme-Dual interface.
Because of that, the only configuration done with the radio itself is to set it to
“nstreme-dual-slave” mode. This is done with commands similar to the following:
/interface wireless
set wlan1 mode=nstreme-dual-slave
set wlan2 mode=nstreme-dual-slave
This code will configure both radios to be controlled by the nstreme-dual interface. Next,
we need to set up the Nstreme-dual interface. It is rather simple to configure. Here is a
sample configuration with explanation of the options to follow:
/interface wireless nstreme-dual
add tx-radio=wlan1 rx-radio=wlan2 \
remote-mac=XX:XX:XX:XX:XX:XX \
tx-band=5GHz tx-frequency=5180 \
rx-band=5GHz rx-frequency=5320 \
disable-csma=no \
framer-policy=exact-size framer-limit=4000
Here is an explanation of the above options:
tx-radio (and rx-radio): This simply tells the nstreme dual interface which radio will be
the transmitter and which the receiver.
remote-mac: This option is very important. The MAC address you need here is the MAC
address of the RECEIVE radio on the remote side of the link. The nstreme dual
interface will take on the MAC address of the rx-radio. Since Nstreme Dual links are
only point to point, there is no need for ARP; however, you DO need to tell the nstreme
dual interface which MAC address is on the other end.
tx-band/rx-band: One of the really nice features of Nstreme Dual is that the individual
link bands (and frequencies) do not matter. In other words, you can use 2.4 GHz for the
transmit and 5 GHz for the receive side (or any other combination of bands supported by
your radio card). Obviously, you need cards on the remote side that can use the same
bands.
tx-frequency/rx-frequency: You must specify a supported frequency for both the
transmitter and the receiver. (See the note above regarding the bands.)
disable-csma: This is a “yes” or “no” option. Setting this to “yes” will cause the
protocol to disable the CSMA functionality in the radio card.
framer-policy: This option is set to one of:
• none – disable the aggregation feature – BEST CPU, LOWEST PERFORMANCE
• best-fit – put as many packets as possible in one frame (until the framer-limit
is met), but do not fragment packets – MIDDLE PERFORMANCE AND CPU
• exact-size – put as many packets as possible in one frame (until the framer-limit
is met), even if fragmentation will be needed – MOST CPU AND BEST
PERFORMANCE
In order to use Nstreme (dual OR single mode), you will require one of the radio cards
shown in Appendix A.
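The framer policies are described twice above, once in the Nstreme parameter list (Configuring Nstreme Protocol) and once among the Nstreme Dual options; this added Python simulation serves both passages and shows how none, best-fit and exact-size differ in the number of frames sent and the packets they split. It is not WiBorne firmware code: the byte sizes are a constructed sample queue, and packing in queue order and treating a frame as full when its payload reaches framer-limit are assumptions, since the page does not describe how the radio chooses packets.

```python
# Added example: simulate how framer-policy groups queued packets into Nstreme frames.
# Not WiBorne firmware code. Assumptions: packets are taken in queue order, sizes are
# in bytes, and a frame is "full" once its payload reaches framer-limit.

FRAMER_LIMIT = 3200   # the page's default framer-limit

# Constructed sample queue: a mix of full-size and small IP packets (bytes)
SAMPLE_QUEUE = [1500, 1500, 60, 1500, 800, 1500]


def frame_packets(packet_sizes, policy, framer_limit=FRAMER_LIMIT):
    """Return a list of frames; each frame is a list of (packet_index, bytes) pieces."""
    if policy == "none":
        # one packet per frame, no aggregation at all
        return [[(i, size)] for i, size in enumerate(packet_sizes)]

    frames, current, used = [], [], 0
    if policy == "best-fit":
        # add whole packets while they fit; never split a packet
        for i, size in enumerate(packet_sizes):
            if current and used + size > framer_limit:
                frames.append(current)
                current, used = [], 0
            current.append((i, size))
            used += size
    elif policy == "exact-size":
        # fill every frame to exactly framer_limit, splitting packets across frames
        for i, size in enumerate(packet_sizes):
            remaining = size
            while remaining > 0:
                piece = min(framer_limit - used, remaining)
                current.append((i, piece))
                used += piece
                remaining -= piece
                if used == framer_limit:
                    frames.append(current)
                    current, used = [], 0
    else:
        # dynamic-size is listed on the page but its algorithm is not described
        raise ValueError("unsupported framer-policy: %s" % policy)
    if current:
        frames.append(current)
    return frames


def fragmented_packets(frames):
    """Indices of packets whose bytes ended up in more than one frame."""
    seen = {}
    for frame_no, frame in enumerate(frames):
        for idx, _ in frame:
            seen.setdefault(idx, set()).add(frame_no)
    return sorted(i for i, where in seen.items() if len(where) > 1)


def summarize(packet_sizes, policy, framer_limit=FRAMER_LIMIT):
    """Frames sent and packets fragmented for one policy (fewer frames = less overhead)."""
    frames = frame_packets(packet_sizes, policy, framer_limit)
    return {"frames": len(frames), "fragmented": len(fragmented_packets(frames))}


if __name__ == "__main__":
    for policy in ("none", "best-fit", "exact-size"):
        print(policy, summarize(SAMPLE_QUEUE, policy))
```

On the sample queue, none sends six frames, best-fit three without touching any packet, and exact-size also three but with two packets split across frame boundaries; the reassembly of those pieces at the receiver is the extra CPU cost the page attributes to exact-size.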
Example
Nstreme Dual is a transmission mode that creates a completely full-duplex
point-to-point link. It requires two antennas and two wireless modules on each side,
working on different frequencies, so two totally separate and independent radio
channels have to be created. A dual-polarity antenna is also available, so that a single
antenna can be used on each side; this reduces interference in a compact installation.
MAC addresses of the radios on each side:
                  1st platform 10.1.1.200/24         2nd platform 10.1.1.201/24
                  System Id: WAP-520                 System Id: CAP-520W
WLAN1 Tx:    (1)  00:02:6F:BE:F3:2E (5210MHz)   (2)  00:02:6F:BE:F3:2C (5800MHz)
WLAN2 Rx:    (3)  00:02:6F:01:01:0B (5800MHz)   (4)  00:02:6F:01:01:0C (5210MHz)
ether1:           00:0C:42:3D:3C:02                  00:0C:42:3B:EE:7D
The first of the two radios on each WAP-520 is used for transmitting (Tx) only, the second
one for receiving (Rx) only. Nstreme Dual is very flexible: even in a large-scale
environment every retransmission runs smoothly, without stopping the transmission. It
allows building very high-capacity P2P links over very large distances. Under optimal
wireless conditions, on high-performance hardware platforms, practical results reach up to
160Mbps full duplex in turbo mode.
The Nstreme Dual configuration
One should log in to the device with the two wireless cards installed using the Winbox
program.
The First Platform (WAP-520)
Let us start by configuring the 1st platform.
We start by giving the IP address to the Ethernet interface.
Open the 'IP' tab, choose “Addresses” and then click “+” in the window. Next enter the IP
address (and optionally the mask) for the ether1 port.
Accept with the “Apply” button.
After Apply:
We create a new Bridge interface:
Click on “Bridge”, then “+” and then “Apply”.
Next we add the Ethernet port:
Choose the “Ports” tab, click “+” and then “Apply”.
Note that it is not necessary for WLAN1 and WLAN2 to be added to the above Ports of
the Bridge.
After configuring the Ethernet port we move on to the wireless interfaces. Under
'Interfaces' we activate both wireless cards in turn by marking each one and clicking the
“v” button.
Both cards are activated now:
Now, we will set the working mode of both cards to 'nstreme dual slave'. Double click on
'wlan1', then choose and accept according to the picture below. Choose ‘nstreme dual slave’
and keep the rest as default. Click ‘Apply’ or ‘Ok’.
You can click ‘Advanced Mode’ shown on the right menu to expand all options.
Follow the same procedure for wlan2.
WLAN1:
WLAN2:
It does not matter whether we specify turbo mode or the Nstreme option from the
WLAN1 and WLAN2 menu here, since it will be overwritten from the Nstreme-Dual
menu.
We have not chosen the working frequency of the individual cards yet. We will do it at the
next step, during the Nstreme Dual interface configuration.
You can disable interfaces ether2 and ether3 if they are not used.
From Interfaces->Interface List, click the “+” button and choose “Nstreme Dual”:
Now, we define which wireless interface is responsible for transmission and which for
reception. Then choose the working frequency and, optionally, activate packet
aggregation (Framer Policy) and accept the changes. The entry field 'Remote MAC' we
will fill in after configuring the platform that works on the other side of the link (at that
time we will know the MAC address of its Nstreme Dual interface). E.g., the Remote MAC is
WLAN2 Rx: 00:02:6F:01:01:0C (5210MHz) shown on the 2nd platform (CAP-520W).
We check the MAC address of the Nstreme Dual interface on the present platform (we enter
it during configuration of the 2nd platform), so click the 'General' tab and copy the MAC
Address:
(Interface List for the 1st platform WAP-520)
To optimize bandwidth with nstreme-dual-slave, try setting framer-policy to best-fit and
slowly increase the framer-limit up to 4000 in steps of 100 or 200. For example, we use
3200 for this case.
The last thing we should do is add wlan1, wlan2, and nstreme1 to the bridge. As in the
ether1 port case, click on the 'Bridge' tab, choose “Ports”, “nstreme1” and “Apply”.
For best performance, you can turn off firewall connection tracking by disabling it:
IP->Firewall->Connections->Tracking-> uncheck it:
The Second Platform (CAP-520W)
At this time we will configure the 2nd platform (CAP-520W).
Log in to this platform using Winbox and repeat every step done so far on the 1st
platform (WAP-520). Of course, during the configuration of the Nstreme Dual interface,
in the entry field “Remote MAC” one should enter the MAC address of the nstreme1
interface (that is, of the Rx radio) copied earlier from the 1st platform. Note that the Tx
Frequency of the 1st platform is the same as the Rx Frequency of the 2nd platform, and
similarly the Rx Frequency of the 1st platform matches the Tx Frequency of the second one.
For WLAN1 on the 2nd platform:
For WLAN2 on the 2nd platform:
After that configuration, create the Nstreme-Dual interface with the following options and
push the “Apply” button to accept the entered changes.
Here the Remote MAC address is from the 2nd WLAN of the 1st platform (WAP-520):
WLAN2 Rx: 00:02:6F:01:01:0B (5800MHz).
As before, one should add ether1, wlan1, wlan2, and 'nstreme1' to 'bridge1':
First, create bridge1:
Then add ether1, wlan1, wlan2, and nstreme1 to bridge1:
Note that it is not necessary for WLAN1 and WLAN2 to be added to the above Ports of
the Bridge.
The last thing we need is the MAC address of the nstreme1 interface. It is needed for
entering into the configuration of the earlier configured platform (WAP-520). So, copy the
MAC from the 'General' tab:
(Interface list on the 2nd platform CAP-520W)
Next, switch over to the 1st platform and enter the copied MAC address to configure the
Remote MAC, using the MAC address of WLAN2 on the above 2nd platform (WLAN2
Rx: 00:02:6F:01:01:0C (5210MHz)).
(Interface list on the 1st platform)
Also, uncheck IP->Firewall->Tracking to improve performance:
That is all. The devices should be connected at this moment. In the
nstreme1 status we can see the signal level and the achieved bit rate for the individual bands.
By running Tools->Bandwidth Test, you can see around 80Mbps half duplex or 160 Mbps
full duplex with the UDP protocol:
Be aware that the above performance depends on signal strength; under-power or
over-power can reduce performance. You need to use attenuators or reduce power to very
low if testing at lab range.
Configuration Print Out
Here is the configuration for the above setting.
Tower Side AP: (WAP-520)
[admin@WAP-520] > /interface wireless print
Flags: X - disabled, R - running
 0   name="wlan1" mtu=1500 mac-address=00:02:6F:BE:F3:2E arp=enabled
     interface-type=Atheros AR5413 mode=nstreme-dual-slave ssid="WAP-520"
     frequency=5210 band=5ghz-turbo scan-list=default antenna-mode=ant-a
     wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
     default-authentication=yes default-forwarding=yes
     default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no
     security-profile=default compression=no
 1   name="wlan2" mtu=1500 mac-address=00:02:6F:01:01:0B arp=enabled
     interface-type=Atheros AR5413 mode=nstreme-dual-slave ssid="WAP-520"
     frequency=5800 band=5ghz-turbo scan-list=default antenna-mode=ant-a
     wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
     default-authentication=yes default-forwarding=yes
     default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no
     security-profile=default compression=no
[admin@WAP-520] > /interface wireless nstreme-dual print
Flags: X - disabled, R - running
 0 R name="nstreme1" mtu=1500 mac-address=00:02:6F:01:01:0B arp=enabled
     disable-running-check=no tx-radio=wlan1 rx-radio=wlan2
     remote-mac=00:02:6F:01:01:0C tx-band=5ghz-turbo tx-frequency=5210
     rx-band=5ghz-turbo rx-frequency=5800 disable-csma=yes
     rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
     rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
     ht-rates=1,2,3,4,5,6,7,8 ht-guard-interval=long ht-channel-width=20mhz
     ht-streams=single framer-policy=exact-size framer-limit=3200
Client Side Bridge (CAP-520W)
[admin@CAP-520W] > /interface wireless print
Flags: X - disabled, R - running
 0   name="wlan1" mtu=1500 mac-address=00:02:6F:BE:F3:2C arp=enabled
     interface-type=Atheros AR5413 mode=nstreme-dual-slave ssid="WAP-520"
     frequency=5800 band=5ghz-turbo scan-list=default antenna-mode=ant-a
     wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
     default-authentication=yes default-forwarding=yes
     default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no
     security-profile=default compression=no
 1   name="wlan2" mtu=1500 mac-address=00:02:6F:01:01:0C arp=enabled
     interface-type=Atheros AR5413 mode=nstreme-dual-slave ssid="WAP-520"
     frequency=5210 band=5ghz-turbo scan-list=default antenna-mode=ant-a
     wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
     default-authentication=yes default-forwarding=yes
     default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no
     security-profile=default compression=no
[admin@CAP-520W] > /interface wireless nstreme-dual print
Flags: X - disabled, R - running
 0 R name="nstreme1" mtu=1500 mac-address=00:02:6F:01:01:0C arp=enabled
     disable-running-check=no tx-radio=wlan1 rx-radio=wlan2
     remote-mac=00:02:6F:01:01:0B tx-band=5ghz-turbo tx-frequency=5800
     rx-band=5ghz-turbo rx-frequency=5210 disable-csma=yes
     rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
     rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
     ht-rates=1,2,3,4,5,6,7,8 ht-guard-interval=long ht-channel-width=20mhz
     ht-streams=single framer-policy=exact-size framer-limit=3200
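The two printouts above can be checked against each other mechanically: the remote-mac of each side must be the far end's receive radio (which is also the MAC the nstreme1 interface takes on), and each side's tx-frequency/tx-band must equal the other side's rx-frequency/rx-band. The following Python script, added here as an example and not WiBorne code, parses the key=value text of the nstreme-dual entries exactly as printed above (the wlan MAC tables are taken from the wireless printouts) and reports any mismatch; the key=value parser and the check names are this example's own.

```python
import re

# Added example: cross-check a pair of nstreme-dual configurations. Not WiBorne code.
# The two printouts below are copied from the page's "Configuration Print Out";
# the radio MAC tables come from the page's /interface wireless print output.
WAP520_DUAL = '''0 R name="nstreme1" mtu=1500 mac-address=00:02:6F:01:01:0B arp=enabled
disable-running-check=no tx-radio=wlan1 rx-radio=wlan2
remote-mac=00:02:6F:01:01:0C tx-band=5ghz-turbo tx-frequency=5210
rx-band=5ghz-turbo rx-frequency=5800 disable-csma=yes
framer-policy=exact-size framer-limit=3200'''
WAP520_RADIOS = {"wlan1": "00:02:6F:BE:F3:2E", "wlan2": "00:02:6F:01:01:0B"}

CAP520W_DUAL = '''0 R name="nstreme1" mtu=1500 mac-address=00:02:6F:01:01:0C arp=enabled
disable-running-check=no tx-radio=wlan1 rx-radio=wlan2
remote-mac=00:02:6F:01:01:0B tx-band=5ghz-turbo tx-frequency=5800
rx-band=5ghz-turbo rx-frequency=5210 disable-csma=yes
framer-policy=exact-size framer-limit=3200'''
CAP520W_RADIOS = {"wlan1": "00:02:6F:BE:F3:2C", "wlan2": "00:02:6F:01:01:0C"}

# key=value pairs as printed by the CLI; values may be quoted ("nstreme1")
KV_RE = re.compile(r'([\w/.-]+)=("[^"]*"|\S*)')


def parse_print(text):
    """Turn one 'print' entry into a dict; quotes are stripped from values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(text)}


def check_dual_link(local, local_radios, remote, remote_radios):
    """Return a list of problems in 'local' relative to the far end ('remote')."""
    problems = []
    own_rx_mac = local_radios.get(local["rx-radio"], "")
    if local["mac-address"].upper() != own_rx_mac.upper():
        problems.append("interface mac-address %s is not the rx-radio %s MAC %s"
                        % (local["mac-address"], local["rx-radio"], own_rx_mac))
    far_rx_mac = remote_radios.get(remote["rx-radio"], "")
    if local["remote-mac"].upper() != far_rx_mac.upper():
        problems.append("remote-mac %s must be the far end's RECEIVE radio (%s) MAC %s"
                        % (local["remote-mac"], remote["rx-radio"], far_rx_mac))
    # what we transmit on, they must receive on, and vice versa
    for mine, theirs in (("tx-frequency", "rx-frequency"), ("rx-frequency", "tx-frequency"),
                         ("tx-band", "rx-band"), ("rx-band", "tx-band")):
        if local[mine] != remote[theirs]:
            problems.append("%s=%s does not match far end %s=%s"
                            % (mine, local[mine], theirs, remote[theirs]))
    if local["tx-frequency"] == local["rx-frequency"]:
        problems.append("tx and rx share frequency %s; the two directions need separate channels"
                        % local["tx-frequency"])
    return problems


def check_both_ends():
    """Check the page's two platforms against each other; [] means consistent."""
    wap = parse_print(WAP520_DUAL)
    cap = parse_print(CAP520W_DUAL)
    return (check_dual_link(wap, WAP520_RADIOS, cap, CAP520W_RADIOS)
            + check_dual_link(cap, CAP520W_RADIOS, wap, WAP520_RADIOS))


if __name__ == "__main__":
    print(check_both_ends() or "both ends consistent")
```

The most common slip in this setup, entering the far end's transmit radio instead of its receive radio as remote-mac, is the first thing the check catches.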
Optimizing Bandwidth (Throughput)
These are several tips that can increase your bandwidth up to 80Mbps half duplex, or
40/40 Mbps full duplex.
• Aiming angle: this is the most important issue for best performance. Make sure
that you have the right aiming angle. You can use the Site Survey function to find the
best RSSI signal.
• Change channel to avoid interference.
• Use Turbo mode for 802.11a or 802.11g if available; choose the same mode for both AP
and client nodes.
• Enable Nstreme for both AP and client nodes
o Enable Polling (default)
o Disable CSMA (from AP node)
o Frame Policy (from AP node): use either exact size (with fragmentation)
or best fit (no fragmentation)
o Turn on Compression (if option is available)
• If you don’t use Queues (QoS), then disable use-ip-firewall to increase bridge
performance: bridge settings set use-ip-firewall=no
• Disable connection tracking: ip firewall connection tracking set enabled=no
• Adjust Tx Power so as not to over-power. Check the client node’s Wireless->Status->Tx/Rx
Signal Strength, which should be around -50 to -60 dBm, with CCQ values up around 80+.
• Use a higher-CPU radio board if available.
• To optimize bandwidth with nstreme-dual-slave, try setting framer-policy to best-fit
and slowly increase the framer-limit up to 4000 in steps of 100 or 200. Also disable
CSMA:
Performance from Nstreme Dual mode can reach up to 80Mbps half duplex:
It is also possible to reach 160M full duplex at 50 km; please contact us for suitable
equipment.
Network Management & Monitoring Systems
WiBorne supports the Dude network monitoring & management system (NMS), a
network monitor which can dramatically improve the way you manage your network
environment. It will automatically scan all devices within specified subnets, draw and
lay out a map of your networks, monitor services of your devices and alert you in case
some service has problems.
Following briefs major functions for this NMS:
1. NMS (Network Monitoring System)
a. Provides Metrics for overall Network Performance. Provides Up/Down
Status Information of a Network- Graphical and Logical Network Maps.
b. Device includes: device list and map, discovering devices, adding and
editing devices, links, and networks.
c. Monitoring DNS services, mail servers, for both business and residential
clients
d. Provides Notifications via audio/graphics/E-mail of outages.
i. Provides Outage information: Start Time, Duration
e. Graphing of Services: Ping Times, DNS Query Times, Web Server Times
f. Graphing of Link Bandwidth: Information such as bandwidth usage across
connections etc.
g. Alerting: Beeps, video, outages, sounds, email.
2. Network Management
a. Auto Discovery of associated WAP/CAP devices and all other devices. You
can also create your own device type and appearance.
b. Ability to Use Tools to Gain Access to Devices, by using Winbox,
terminal, remote connection, or your customization tools.
c. Winbox into Network Routers
d. Web/Telnet Access
e. Graphing client signal strength
f. Alternate SMTP port for notification
g. Spectrum analyzer tool with specific radio modules
3. SysLog Server Built In: ability to send logs to single logging location
4. Full SNMP Support: ability to Graph, monitor SMNP OIDs
Other features include:
• Auto network discovery and layout
• Discovers any type or brand of device
• Device, Link monitoring, and notifications
• Includes SVG icons for devices, and supports custom icons and backgrounds
• Easy installation and usage
• Allows you to draw your own maps and add custom devices
• Supports SNMP, ICMP, DNS and TCP monitoring for devices that support it
• Individual Link usage monitoring and graphs
• Direct access to remote control tools for device management
• Supports remote Dude server and local client
• Runs in Linux Wine environment, MacOS Darwine, and Windows
Dude is fully integrated with WiBorne’s WAP-500 and CAP-5000 series for large-scale
outdoor wifi deployment. With its full range of features and capabilities, the
WAP/CAP software is a powerhouse. This is a fully high-end solution that has the support
and reliability that Enterprise-Grade wireless / wired networks require.
Once you start Dude, you can import your geographic map and arrange individual
services, devices, and network maps, by setting the ping probe with retry count, retry
interval, poll settings, probe down count, etc. You can monitor a large number of nodes by
setting these parameters correctly.
You can operate individual nodes by using the GUI interface:
You can see all event logs or configure Notification actions for all alarms:
An additional SNMP MIB parser and SNMP Walk are available for new devices, and can
import new MIBs for any device:
Dude also supports a spectrum analyzer tool for checking the frequency spectrum in the air:
Spam Trojan Detection
Basic
One major issue facing ISPs today is the difficulty in obtaining sufficient IP space for
every customer. For many, it’s a matter of cost and for some it is simply a choice to
NAT their customers behind their router/firewall. For the most part, NAT behaves much
better today than in days gone by, but there is one issue that is very problematic for those
that choose to NAT their customers. There is a significant proliferation of a new
generation of trojans that turns a user’s computer into a menace to the Internet
community. This new generation of trojans (collectively known as “botnets”) can cause
problems for not only the owner, but for other customers of the ISP that chooses to NAT.
Since a significant number of these botnets are used to send spam all over the internet,
we, as service providers, have to find a way to protect our networks from being
blacklisted, while still allowing our customers to utilize the internet in a way that does not
set too many boundaries. We will discuss two approaches to setting these limits which
have shown to be both effective AND relatively maintenance free.
Before we launch into a fix, let me begin by helping you to understand WHY these
approaches work. For the largest number of customers, the mail server that they use to
send email through (their SMTP server) is the same server on which they check email
(their POP/IMAP server). One of the methods we will use to defend against these bots
takes advantage of that fact. Another thing that we notice about “normal” SMTP traffic
is that a user typically does not make more than a few outbound connections when they
are sending email. This fact will permit us to limit the outbound connection count to
some reasonable number and “assume” that a count beyond that MUST be spam activity.
There are SOME ISPs out there who have taken another approach. One such approach
is to require that all users of the system utilize the ISP’s mail server for all outbound
SMTP connections. While this approach is not a “bad” plan, it does impose some
limitations that many customers (especially some business customers) are not happy with.
Another approach, which we WOULD call a bad plan, is redirecting of all outbound
SMTP connections to a single SMTP server on the local network. This approach,
generally, requires that the ISP have a GOOD spam filter running in front of the SMTP
server to prevent THAT server from being blacklisted. I’ve had ISPs tell me that this
problem does not have any impact on their network because they use SMTP auth. This
is NOT the case. If these spambots were using your server, it MAY tell you who is
sending the spam, but it would be too little, too late, because the spam would have
already left your network.
Now that we have discussed a couple of approaches to fixing the problem, and even
discussed the type of behavior that we can expect to see from both a “normal” client and
one who is infected with a spambot trojan, let’s take a look at a couple of solutions. We
want to express, too, that while we are discussing these two approaches separately, they
are not, necessarily, mutually exclusive. It is acceptable, and sometimes useful, to take
bits and pieces from both to build the complete solution to fit YOUR ISP’s overall policy.
The first approach is rather simple. In fact, it is a total of 2 rules.
/ip firewall filter
add chain=forward protocol=tcp dst-port=25 \
src-address-list=suspectedspambot \
action=drop comment="Drop traffic from those on the suspect list"
add chain=forward protocol=tcp dst-port=25 \
connection-limit=10,32 \
action=add-src-to-address-list \
address-list=suspectedspambot \
address-list-timeout=2d \
comment="More than 10 simultaneous connections looks spammy"
The operation of this approach is quite simple. The first rule simply drops any SMTP
connection attempts from anyone who is found in the address list called
“suspectedspambot”. The second rule is the one that does the work of actually detecting
spammers. What this rule does is watch for SMTP connections and, if the count of
connections from a single IP (/32) goes above 10, then the source address of that packet
is added to an address list called “suspectedspambot”. On the next connection attempt,
the packet will be dropped. The only problem with this approach is that it assumes that
there are NO mail servers that MAY be sending more than 10 emails at a time
legitimately. If this is the case, you can simply create another address list called
“smtpservers” then add a rule as follows ABOVE the first (drop) rule:
add chain=forward protocol=tcp dst-port=25 \
src-address-list=smtpservers action=accept \
comment="Allow known smtp servers to send email"
This would allow your known mail servers to send email without fear of being “caught”
and tagged as a spam source. One further comment on these rules. This set of rules
does not take into account smtp traffic that is going TO your mail server. We will leave
that fix as an exercise for the reader. If one of your customers is “tagged” as a suspected
spambot, you will find their IP address in the address list and can begin troubleshooting
from there.
The second approach we will discuss is my personal favorite. We have deployed similar
solutions on over 300 ISP routers. First, the code:
/ip firewall address-list
add list=APPROVED_SMTP_SERVERS address=10.10.10.10 \
comment="An email server INSIDE the network" \
disabled=no
add list=VALID_SMTP address=12.12.12.12 \
comment="Valid email server OUTSIDE your network" \
disabled=no
/ip firewall filter
add chain=forward protocol=tcp dst-port=25 \
src-address-list=APPROVED_SMTP_SERVERS action=accept \
comment="Allow email from our approved SMTP senders list regardless of destination"
add chain=forward protocol=tcp dst-port=25 \
dst-address-list=APPROVED_SMTP_SERVERS action=accept \
comment="Allow email from our approved SMTP senders list regardless of destination"
add chain=forward protocol=tcp dst-port=110 \
action=add-dst-to-address-list \
address-list=VALID_SMTP \
comment="Checking POP3" address-list-timeout=48h
add chain=forward protocol=tcp dst-port=143 \
action=add-dst-to-address-list \
address-list=VALID_SMTP \
comment="Checking POP3" address-list-timeout=48h
add chain=forward protocol=tcp dst-port=25 \
dst-address-list=VALID_SMTP action=accept \
comment="Allow SMTP going to known servers"
add chain=forward protocol=tcp dst-port=25 \
action=add-src-to-address-list \
address-list=POSSIBLE_TROJAN \
address-list-timeout=1h \
comment="These will be users using SMTP servers that are not on our approved list"
add chain=forward protocol=tcp dst-port=25 \
action=drop \
comment="Drop traffic to invalid SMTP servers"
The above rules will implement the solution we described above as the first approach to a
solution. The first portion creates 2 address lists. These address lists, though their
names are similar, are used for different purposes. The
“APPROVED_SMTP_SERVERS” is a list of IPs that will not be subject to the
limitations on outbound connections OR inbound connections. In the ruleset, the first 2
blue rules accept ALL SMTP connections for packets with a source OR destination
address found in this list. This will be mail servers that are on the network. The
second list is going to include both static (you manually add them) and dynamic (we’ll
cover that in a second) entries. This list, called “VALID_SMTP”, is a list of servers that
we wish to allow our users to send mail through. In other words, it is our mail server
that exists OUTSIDE the network. Strictly speaking, it could be inside the network, too,
but for that type of mail server, you need to list them in the other list already.
The 2 rules in green are the workers for this rule set. They watch the traffic for
connections where people are checking their email. The assumption is that if a user is
checking mail on a particular server, then it is ok for them to send mail using the same
server. MOST ISPs tend to use the same server for both purposes, so this is almost
always the case. The rules grab the server's IP address using the add-dst-to-address-list action and add it to the "VALID_SMTP" address list. This list of mail
checking protocols is NOT complete. There are many other ports that can be used, so
you’ll need to gather a list of ports and just duplicate the rules in green to complete this
set of rules.
Finally, for SMTP traffic that is going to a server that is in the “VALID_SMTP” list, we
allow that traffic. ANY OTHER SMTP traffic we do 2 things (orange and last blue
rule). First, we grab the source address of the person trying to send the email and then
we drop the traffic. In this way, we are limiting the ability of these customers to send to
“unapproved” servers, but giving them the ability to use any mail server they choose.
In terms of usability, this one has a couple of things to be aware of. First, not all mail
admins use the same address for POP and SMTP. If this is the case, you may have to
add a mail server IP address to the VALID_SMTP list manually. Also, you will have a
list called "POSSIBLE_TROJAN". This list does not set any limits on a user, but is a
sort of "log" that you can use when troubleshooting a user's email issues. If they are
using an "invalid" or "unapproved" SMTP server, their IP will be in this list.
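The interplay between the learned VALID_SMTP list, the static APPROVED_SMTP_SERVERS list and the POSSIBLE_TROJAN "log" is easier to see when the rule set is replayed over a few connections. The following Python model is an added example, not code from this guide or from RouterOS; it reproduces the rule order of the second approach (approved accept, learn on 110/143, accept to learned servers, tag and drop the rest) with the page's 48h and 1h timeouts. The connection events and addresses are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed connection events for the model: (time in seconds, src IP, dst IP, dst port).
# Addresses are documentation ranges, not captured traffic.
SAMPLE_EVENTS: List[Tuple[int, str, str, int]] = [
    (0,             "192.0.2.10",  "198.51.100.25", 110),  # customer checks POP3 at the provider
    (60,            "192.0.2.10",  "198.51.100.25", 25),   # then sends through the same server
    (120,           "192.0.2.10",  "203.0.113.7",   25),   # direct-to-MX attempt to an unknown host
    (180,           "10.10.10.10", "203.0.113.7",   25),   # the approved in-network mail server
    (3 * 24 * 3600, "192.0.2.10",  "198.51.100.25", 25),   # three days later: learned entry expired
]

VALID_SMTP_TIMEOUT = 48 * 3600       # address-list-timeout=48h on the page's rules
POSSIBLE_TROJAN_TIMEOUT = 1 * 3600   # address-list-timeout=1h
MAIL_CHECK_PORTS = {110, 143}        # the two "green" rules; the page says to extend this set


@dataclass
class SmtpPolicy:
    """Model of the page's second rule set for the forward chain."""
    approved: Set[str]                                             # APPROVED_SMTP_SERVERS (static)
    valid_smtp: Dict[str, int] = field(default_factory=dict)       # VALID_SMTP: ip -> expiry time
    possible_trojan: Dict[str, int] = field(default_factory=dict)  # POSSIBLE_TROJAN: ip -> expiry

    @staticmethod
    def _live(lst: Dict[str, int], ip: str, now: int) -> bool:
        """Dynamic address-list entries vanish once their timeout has elapsed."""
        expiry = lst.get(ip)
        if expiry is None:
            return False
        if expiry <= now:
            del lst[ip]
            return False
        return True

    def evaluate(self, now: int, src: str, dst: str, dport: int) -> str:
        # Same order as the rules on the page: the position of each rule is what
        # makes the scheme work, so do not reorder them.
        if dport == 25 and (src in self.approved or dst in self.approved):
            return "accept"                       # first two rules: approved senders/receivers
        if dport in MAIL_CHECK_PORTS:
            self.valid_smtp[dst] = now + VALID_SMTP_TIMEOUT   # green rules: learn the server
            return "accept"                       # add-dst-to-address-list passes the packet on
        if dport == 25:
            if self._live(self.valid_smtp, dst, now):
                return "accept"                   # "Allow SMTP going to known servers"
            self.possible_trojan[src] = now + POSSIBLE_TROJAN_TIMEOUT  # record the sender
            return "drop"                         # last rule: drop everything else on port 25
        return "accept"                           # not mail traffic; outside this rule set


def replay(events, approved):
    """Run events through the policy; return (verdicts, policy) for inspection."""
    policy = SmtpPolicy(approved=set(approved))
    verdicts = [policy.evaluate(t, s, d, p) for t, s, d, p in events]
    return verdicts, policy


if __name__ == "__main__":
    verdicts, policy = replay(SAMPLE_EVENTS, {"10.10.10.10"})
    for (t, s, d, p), v in zip(SAMPLE_EVENTS, verdicts):
        print(f"t={t:>7} {s:>12} -> {d}:{p:<3} {v}")
    print("POSSIBLE_TROJAN:", sorted(policy.possible_trojan))
```

The last event is the case the text warns about: a customer whose mail client has not polled the server for more than 48 hours loses the learned entry and is dropped and listed on the next send, which is exactly what the POSSIBLE_TROJAN list is there to reveal during troubleshooting.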
Extension
The ISP I work for has had problems getting blacklisted due to spam coming from the
network, and junk email sucks as well. So...... This is an attempt at limiting the exposure to
this problem without blocking mail ports altogether, expanding on the basic filters above.
This section expands the list of check-mail server ports and uses connection limits
rather than a single hit triggering a block. We also added logging for debug purposes.
Summary of what this does
1. Monitor outbound port 25 connections from the internal network and
log/block/tarpit on more than 3 simultaneous connections.
2. Monitor outbound connections on ports 110, 143, 463, 465, 587, 993 and 995
(common mail ports for auth etc.) and insert the target IP addresses into the
VALID_SMTP address-list. Outbound port 25 connections to these targets are
allowed since the IP has been authenticated against at some point.
3. APPROVED_SMTP_SERVERS is an address-list to which you add static entries for
your hosts that are valid email servers on your network.
4. POSSIBLE_TROJAN is an address-list that gets populated by the 3-strikes-you're-out
rule; these IP addresses are blocked from sending on port 25 for 1 hour.
Script follows....
/ip firewall address-list
# Modify below with your email server(s)
add address=XX.XX.118.0/24 comment="An email server INSIDE the network" \
disabled=no list=APPROVED_SMTP_SERVERS
add address=XX.XX.118.0/24 comment="An email server INSIDE the network" \
disabled=no list=APPROVED_SMTP_SERVERS
add address=XX.XX.118.0/24 comment="An email server INSIDE the network" \
disabled=no list=APPROVED_SMTP_SERVERS
#seed the VALID_SMTP address-list
add address=74.125.148.13 comment="!PLACEHOLDER email server OUTSIDE your network - POP/IMAP Verify" \
disabled=no list=VALID_SMTP
# Now the actual work filters
/ip firewall filter
add action=accept chain=forward \
comment="Allow email from our approved SMTP senders list regardless of destination" \
disabled=no dst-port=25 protocol=tcp src-address-list=APPROVED_SMTP_SERVERS
add action=accept chain=forward \
comment="Allow email from our approved SMTP senders list regardless of destination" \
disabled=no dst-address-list=APPROVED_SMTP_SERVERS dst-port=25 protocol=tcp
add action=add-dst-to-address-list \
address-list=VALID_SMTP address-list-timeout=0s chain=forward comment="" \
disabled=no dst-port=110 protocol=tcp
add action=add-dst-to-address-list \
address-list=VALID_SMTP address-list-timeout=0s chain=forward comment="" \
disabled=no dst-port=143 protocol=tcp
add action=add-dst-to-address-list \
address-list=VALID_SMTP address-list-timeout=0s chain=forward comment="" \
disabled=no dst-port=463 protocol=tcp
add action=add-dst-to-address-list \
address-list=VALID_SMTP address-list-timeout=0s chain=forward comment="" \
disabled=no dst-port=465 protocol=tcp
add action=add-dst-to-address-list \
address-list=VALID_SMTP address-list-timeout=0s chain=forward comment="" \
disabled=no dst-port=587 protocol=tcp
add action=add-dst-to-address-list \
address-list=VALID_SMTP address-list-timeout=0s chain=forward comment="" \
disabled=no dst-port=993 protocol=tcp
add action=add-dst-to-address-list \
address-list=VALID_SMTP address-list-timeout=0s chain=forward comment="" \
disabled=no dst-port=995 protocol=tcp
add action=accept chain=forward \
comment="Allow SMTP going to known servers" \
disabled=no dst-address-list=VALID_SMTP dst-port=25 protocol=tcp
#log them, as a possible_trojan and add to the address-list
add action=add-src-to-address-list address-list=POSSIBLE_TROJAN address-list-timeout=1h chain=forward \
comment="These will be users using SMTP servers that are not on our approved list" \
connection-limit=3,32 disabled=no dst-port=25 protocol=tcp
add action=log chain=forward comment="" \
connection-limit=3,32 disabled=no dst-port=25 log-prefix=marked-rule-6 protocol=tcp
#did not match above so we are going to tarpit after 3 connections
#(disable the tarpit for testing)
add action=log chain=forward \
comment="This would drop the connections if the action was drop" \
disabled=no dst-port=25 log-prefix=drop-rule-8 connection-limit=3,32 protocol=tcp
add action=tarpit chain=forward \
comment="" disabled=no dst-port=25 connection-limit=3,32 protocol=tcp
MPLS - Bridge Distant Networks
Multi-Protocol Label Switching (MPLS) offers some really nice options for bridging
networks that exist within a single administrative domain. But, what can you do if you
need to bridge 2 networks that do NOT exist within the same administrative domain?
This article discusses how to create a bridge using another fairly recent upgrade in
WAP/CAP.
Consider the following network:
What this article will attempt to explain is the process needed to bridge LAN1 and LAN2.
We will accomplish this task by building a tunnel (PPtP in this example) over the internet
and then creating a bridge on each router (Router1 and Router2) that includes the tunnel
endpoints as well as an Ethernet port on each end. There are numerous ways to
accomplish this task (I have another example in this blog post), however this method is
among the easiest AND offers a couple of real advantages over the method mentioned in
the earlier blog post. The primary advantage to this method is that it gives us the ability to
carry packets that are MUCH larger than what is available using EoIP. EoIP is limited
to an MTU of 1500 bytes. With the PPtP Bridge, we can have an MTU of over 65000!
First, we just need to configure the 2 routers for basic internet service. We won’t detail
that configuration here, but you should be able to log into either router or ping the other
public IP (12.12.12.1 and 24.24.24.1 in this example). The next step is to configure the
tunnel itself. On the server side, we need to configure the PPtP service. This is done with
the following command
(on router1 only):
/interface pptp-server server
set default-profile=default-encryption enabled=yes mrru=65535
Note that we set the MRRU value. Because of the way this works, all clients will need to
have this MRRU set the same. Another thing to note is that 10/100M Ethernet only has an
MTU of 1500 bytes, so setting this value to 65535 does nothing for 10/100 networks.
Also note that the default MTU for the tunnel can be set to whatever the actual transport
will carry. What this MRRU value does is configure the PPP protocol to transport packets
of any size (up to the MRRU value) even if the underlying transport (where the tunnel
will traverse) uses a smaller MTU. Of course, it will be fragmenting and reassembling the
packets on both ends.
Our next task is to create the bridge. Since we want to bridge ether2 with the tunnel, we
will be adding ether2 into the bridge in this step. THIS WILL NEED TO BE DONE ON
BOTH ROUTERS. Do this as follows:
/interface bridge add name=lanbridge
/interface bridge port
add bridge=lanbridge interface=ether2
NOTE: In order to be proper about how we configure the network, you should also move
the IP addresses that are assigned to ether2 over to the bridge. If you have firewall rules
that manage traffic on ether2, you need to configure the bridge to use the IP firewall
(/interface bridge settings set use-ip-firewall=yes) and change those rules to look for the
interface "lanbridge" OR "in-bridge-port=ether2". Other configuration changes that
MAY be necessary includes DHCP server interfaces and queues.
You probably noticed that we did not add anything referencing the tunnel when we added
ports to the bridge. If you did NOT notice, go back and look, because we didn’t. The
reason for this is due to the fact that we will be DYNAMICALLY adding interfaces to the
bridge. On router1 (the server side) we configure the profile and secret as follows:
/ppp profile
set default-encryption bridge=lanbridge change-tcp-mss=yes local-address=192.168.25.1 \
use-compression=yes use-encryption=yes use-vj-compression=no
/ppp secret
add disabled=no name=router2 password=router2pass profile=default-encryption \
remote-address=192.168.25.2 service=pptp
Some things to note about the above configuration. We chose to set the local IP in the
profile and the remote IP in the secret. It is not important WHERE you set these values,
however they must be set somewhere. That tutorial is the subject matter for another day.
The bridge selection is important. With that setting enabled, the OS will automatically
(dynamically) add any new PPP (PPtP, PPPoE, PPP, L2TP, etc.) interface that uses the
profile to the selected bridge. We configured a username/password (router2/router2pass)
for the remote router and instructed the PPtP server to use the profile called "default-encryption" (which includes the bridge configuration) for this user's connection. With the
above configuration set in router1, we are finished with that side.
All that’s left is the set up the router2 side. Remember, the bridge and ports were
already done on that router, so all that remains is the tunnel and profile. That is done as
follows:
/ppp profile
set default-encryption bridge=lanbridge change-tcp-mss=yes use-compression=yes use-encryption=yes use-vj-compression=no
/interface pptp-client
add connect-to=12.12.12.1 disabled=no mrru=65535 name=tunnel1 \
password=router2pass profile=default-encryption user=router2
Here we set the profile again to use the lanbridge bridge created earlier on this router. NOTE that we do NOT set IP addresses
in the profile on the client side. This is controlled at the server side. We set the client to
connect to the server at its public IP of 12.12.12.1, configure the MRRU to be the same as
we set the server and name the tunnel (not needed, but I really dislike the default name of
"pptp-out1").
Once this configuration is complete, you will notice that the ports have been
automatically added to the bridge (winbox: Bridge->Ports). You should be aware that if
you run a DHCP server on either side, it will be visible by devices at BOTH sides.
Configuring devices manually or using static lease entries is recommended. If you want
ALL traffic from LAN2 to use the LAN1 router as a default gateway (or the other way
around), it is easy to set up. Also note, that this configuration will behave just like you
have 2 switches bridged (connected with an Ethernet cable). IP space MUST be managed
accordingly. This configuration will pass DHCP, VLAN tags, broadcast and any other
type of packet.
VLAN: 802.1q and Q-in-Q (double tagging)
What is a VLAN?
VLANs (Virtual Local Area Networks) are a way to structure a network logically. Put
simply, a VLAN is a collection of nodes which are grouped together in a single broadcast
domain (address range) that is based on something other than physical location.
A broadcast domain is a network (or portion of a network) that will receive a broadcast
frame from any node located within that network. In a typical network, everything on the
same side of the router is all part of the same broadcast domain. A switch that you have
implemented VLANs on has multiple broadcast domains, similar to a router. But you still
need a router (or Layer 3 routing engine) to route from one VLAN to another -- the
switch can't do this by itself.
Some uses for VLANs are:
Security - Separating systems that have sensitive data from the rest of the network.
Projects/Special applications - Managing a project can be simplified by the use of a
VLAN that brings all of the required nodes together.
Performance/Bandwidth - Allows the network administrator to create VLANs that reduce
the number of router hops and increase bandwidth.
Departments/Specific job types - Companies may want VLANs set up for departments
that are heavy network users (such as multimedia or engineering), or a VLAN across
departments that is dedicated to specific types of employees (such as management or
sales).
You can create a VLAN using most manufacturers' switches; they can usually be
configured by logging into the switch via Telnet or HTTP and entering the parameters for
the VLAN (name, domain and port assignments). After you have created the VLAN, any
network segments connected to the assigned ports will become part of that VLAN.
While you can have more than one VLAN on a switch, they cannot communicate directly
with one another on that switch. If they could, it would defeat the purpose of having a
VLAN, which is to isolate a part of the network. Communication between VLANs
requires the use of a router.
VLANs can span multiple switches, and you can have more than one VLAN on each
switch. For multiple VLANs on multiple switches to be able to communicate via a single
link between the switches, you must use a process called trunking, a technology that
allows information from multiple VLANs to be carried over a single link between
switches.
The VLAN trunking protocol (VTP) is the protocol that switches use to communicate
among themselves about VLAN configuration.
Network Diagram
Remote networks can be easily bridged using the L2 WDS bridging feature of WAP or
CAP in a point-to-point setup. This applies to an 802.1q VLAN trunk extended over
wireless.
Let us assume the following network setup. You have two Cisco switches, a Catalyst 2950
and a 3524 (or 3550 series).
In the image above, each switch has two VLANs. On the
first switch (2950), VLAN 20 and VLAN 30 are sent through a single port (trunked,
Fa0/24) to the second switch (3524), and vice versa VLAN 20 and VLAN 30 are trunked
on the second switch to the first switch. This trunk can carry traffic to and from both
VLANs, but VLAN 20 and VLAN 30 cannot communicate with each other.
You can set up the IP addresses of all equipment in a single subnet, say 10.1.1.0/24. You
can also choose different subnets, as long as the IP addresses of equipment on the same VLAN
share a subnet so that they can communicate with each other.
Some Cisco switches with IOS:
Cisco Catalyst 2950 24 Port 10/100 Switch, Cisco Catalyst 1900 Enterprise Switch
(1924), Cisco 3524 XL 10/100/1000 VLAN Switch, Cisco 1924C Enterprise. The following
scenario also applies to other Cisco switches.
Configuration for Switch 2950
core#show run
Building configuration...
Current configuration : 3191 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname core
!
logging monitor notifications
enable secret 5 $1$eJWw$BNjE9LE.yLsc7Pq99kk6T.
!
no ip subnet-zero
!
ip domain-name atssi.biz
ip ssh time-out 120
ip ssh authentication-retries 3
vtp mode transparent
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!...
!
vlan 20
name vlan20
!
vlan 30
name vlan30
!
interface FastEthernet0/1
switchport access vlan 20
!
interface FastEthernet0/2
switchport access vlan 30
!
!...
!
interface FastEthernet0/24
switchport mode trunk
!switchport trunk encapsulation dot1q << this is default for 2950, no need to specify it
!switchport nonegotiate << this is supported on 2950, but not 3524.
!
interface Vlan20
description vlan20
no ip address
no ip route-cache
shutdown
!
interface Vlan30
description vlan30
ip address 10.1.1.21 255.255.255.0
no ip route-cache
shutdown
!
!...
End
core#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------…
20   vlan20                           active    Fa0/1
30   vlan30                           active    Fa0/2
…
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------…
20   enet  100020     1500                                       0      0
30   enet  100030     1500                                       0      0
…
Configuration for Switch 3524
Switch#show runn
Building configuration...
Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$mvtX$lgPJJ8k5zQy8z9jqh37md1
…
!
interface FastEthernet0/1
duplex full
switchport access vlan 20
!
interface FastEthernet0/2
duplex full
switchport access vlan 30
!
!...
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
! switchport nonegotiate, is not supported on 3524
!
!...
!
interface VLAN20
description vlan20
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN30
description vlan30
ip address 10.1.1.30 255.255.255.0
no ip directed-broadcast
no ip route-cache
!
!...
Switch#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------…
20   VLAN0020                         active    Fa0/1
30   VLAN0030                         active    Fa0/2
…
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------…
20   enet  100020     1500                                       0      0
30   enet  100030     1500                                       0      0
…
Configuration of L2 WDS Transparent Bridge for Wireless
WAP/CAP
Followings show configuration of two P2P WAP or CAP nodes, COM and CPEM:
#-----------------------------------------------------------------------
# Transparently Bridge two Networks for P2P
#-----------------------------------------------------------------------
#-----------------------------------------------------------------------
# COM ODU (AP)
#-----------------------------------------------------------------------
# uncomment this line to reset the system before running the following script
#/system reset
# change password
#/ password
# set ID
/system identity set name=COM
# create bridge for ether1 (later for wlan1)
/int bridge add name=bridge1 protocol-mode=rstp
/int bridge port add interface=ether1 bridge=bridge1
# create wlan1
/interface wireless set wlan1 disabled=no ssid=master frequency=5800 band=5ghz-turbo mode=bridge
# enable proprietary nstreme
/int wireless nstreme set wlan1 enable-nstreme=yes disable-csma=yes \
framer-policy=best-fit framer-limit=3200
#Create wds interface for wlan1 and add the interface to the bridge
/interface wireless set wlan1 wds-mode=dynamic wds-default-bridge=bridge1
#add ip address
/ip address add address=10.1.1.51/24 broadcast=10.1.1.255 interface=bridge1
# disable firewall tracking for better performance
/ip firewall connection tracking set enabled=no
# backup as 'factory'
/system backup save name=factory
#-----------------------------------------------------------------------
# CPEM ODU (Client, or Station)
#-----------------------------------------------------------------------
# reset every setting
/system reset
/system identity set name=CPEM
# create bridge for ether1 and wlan1.
/int bridge add name=bridge1 protocol-mode=rstp
/int bridge port add interface=ether1 bridge=bridge1
/int bridge port add interface=wlan1 bridge=bridge1
# create wlan1
/interface wireless set wlan1 disabled=no ssid=master frequency=5800 band=5ghz-turbo mode=station-wds
# enable proprietary nstreme
/int wireless nstreme set wlan1 enable-nstreme=yes disable-csma=yes \
framer-policy=best-fit framer-limit=3200
#add ip address
/ip address add address=10.1.1.52/24 broadcast=10.1.1.255 interface=bridge1
# disable firewall tracking for better performance
/ip firewall connection tracking set enabled=no
# backup as 'factory'
/system backup save name=factory
Verification
Assume you have the following IP address for each piece of equipment:
• VLAN20: PBX and Phone can communicate with each other. They cannot
communicate with the rest of the equipment.
• VLAN30: DB and PC can communicate with each other. They cannot
communicate with the rest of the equipment.
• WAP/CAP can communicate with each other.
Q-in-Q (double tagging)
The original 802.1Q allows only one VLAN header; Q-in-Q, on the other hand, allows two or
more VLAN headers. In RouterOS, Q-in-Q can be configured by adding one VLAN interface
over another. Example:
/interface vlan
add name=vlan1 vlan-id=11 interface=ether1
add name=vlan2 vlan-id=12 interface=vlan1
If any packet is sent over the 'vlan2' interface, two VLAN tags will be added to the Ethernet header:
'11' (outer) and '12' (inner).
Property / Description
arp (disabled | enabled | proxy-arp | reply-only; Default: enabled)
    Address Resolution Protocol mode
interface (name; Default: )
    Name of the physical interface on top of which the VLAN will work
l2mtu (integer; Default: )
    Layer2 MTU. For VLANs this value is not configurable.
mtu (integer; Default: 1500)
    Layer3 Maximum transmission unit
name (string; Default: )
    Interface name
use-service-tag (yes | no; Default: )
    802.1ad compatible Service Tag
vlan-id (integer: 4095; Default: 1)
    Virtual LAN identifier or tag that is used to distinguish VLANs. It must be the same
    for all computers that belong to the same VLAN.
Example of VLAN Tunneling (Q-in-Q)
This example covers a typical VLAN tunneling use case where service provider devices
add another VLAN tag for independent forwarding while allowing customers
to use their own VLANs.
Note: This example contains only Service VLAN tagging part.
It is recommended to additionally set Unknown/Invalid VLAN filtering configuration on
ports.
CRS-1: The first switch on the edge of the service provider network has to properly identify traffic
by customer VLAN id on a port and assign a new service VLAN id with ingress VLAN translation
rules.
VLAN trunk port configuration for service provider VLAN tags is in the same egress-vlan-tag
table.
The main difference from basic Port Based VLAN configuration is that CRS switch-chip has to be
set to do forwarding according to service (outer) VLAN id instead of customer (inner) VLAN id.
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether9 ] master-port=ether1
/interface ethernet switch ingress-vlan-translation
add customer-vid=200 new-service-vid=400 ports=ether1 sa-learning=yes
add customer-vid=300 new-service-vid=500 ports=ether2 sa-learning=yes
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether9 vlan-id=400
add tagged-ports=ether9 vlan-id=500
/interface ethernet switch
set bridge-type=service-vid-used-as-lookup-vid
CRS-2: The second switch in the service provider network requires only switched ports
using master-port and bridge-type configured to do forwarding according to the service
(outer) VLAN id instead of the customer (inner) VLAN id.
/interface ethernet
set [ find default-name=ether10 ] master-port=ether9
/interface ethernet switch
set bridge-type=service-vid-used-as-lookup-vid
CRS-3: The third switch has similar configuration to CRS-1:
• Ports in a switch group using master-port;
• Ingress VLAN translation rules to define new service VLAN assignments on ports;
• tagged-ports for service provider VLAN trunks;
• CRS switch-chip set to use service VLAN id in switching lookup.
/interface ethernet
set [ find default-name=ether4 ] master-port=ether3
set [ find default-name=ether10 ] master-port=ether3
/interface ethernet switch ingress-vlan-translation
add customer-vid=200 new-service-vid=400 ports=ether3 sa-learning=yes
add customer-vid=300 new-service-vid=500 ports=ether4 sa-learning=yes
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether10 vlan-id=400
add tagged-ports=ether10 vlan-id=500
/interface ethernet switch
set bridge-type=service-vid-used-as-lookup-vid
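What the stacked vlan2-over-vlan1 interface and the CRS ingress-vlan-translation table each do to a frame on the wire is easiest to see byte by byte. The following Python is an added example written for this guide, not RouterOS or CRS code: it builds an Ethernet frame with an 802.1Q tag stack, parses the stack back, pushes a service tag according to a customer-vid to new-service-vid table (the model of CRS-1's rules), and pops the outer tag again for the customer-facing egress. The MAC addresses and payload are constructed; the TPID used for the pushed tag is an assumption (0x8100 unless use-service-tag style 0x88A8 is requested).

```python
import struct
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100    # customer tag (C-TAG); what RouterOS stacks with use-service-tag=no
TPID_8021AD = 0x88A8   # service tag (S-TAG); use-service-tag=yes
ETHERTYPE_IPV4 = 0x0800

MAC_A = bytes.fromhex("0200c0a80001")   # constructed locally administered MACs
MAC_B = bytes.fromhex("0200c0a80002")


def build_frame(dst: bytes, src: bytes, tags: List[Tuple[int, int]],
                ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame with zero or more 802.1Q/802.1ad tags, outermost first.
    Each tag is 4 bytes: TPID, then TCI (PCP=0, DEI=0, 12-bit VID)."""
    hdr = dst + src
    for tpid, vid in tags:
        if not 1 <= vid <= 4094:
            raise ValueError(f"VID {vid} out of range")
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes) -> Tuple[List[Tuple[int, int]], int, int]:
    """Walk the tag stack; return (tags outermost first, payload ethertype, payload offset)."""
    offset = 12
    tags: List[Tuple[int, int]] = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in (TPID_8021Q, TPID_8021AD):
            return tags, etype, offset + 2
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((etype, tci & 0x0FFF))
        offset += 4


def vids(frame: bytes) -> List[int]:
    return [vid for _, vid in parse_tags(frame)[0]]


def ingress_translate(frame: bytes, rules: Dict[int, int],
                      tpid: int = TPID_8021Q) -> Optional[bytes]:
    """Model of the CRS ingress-vlan-translation table: push a new service tag
    chosen by the customer VID (customer-vid -> new-service-vid). Frames whose
    outer VID has no rule return None; a real switch applies its
    unknown/invalid-VLAN policy to those, which the page says to configure."""
    tags, etype, payload_off = parse_tags(frame)
    if not tags or tags[0][1] not in rules:
        return None
    service_vid = rules[tags[0][1]]
    return build_frame(frame[:6], frame[6:12], [(tpid, service_vid)] + tags,
                       etype, frame[payload_off:])


def pop_outer_tag(frame: bytes) -> bytes:
    """Egress toward the customer: strip the outer (service) tag only."""
    tags, etype, payload_off = parse_tags(frame)
    if not tags:
        return frame
    return build_frame(frame[:6], frame[6:12], tags[1:], etype, frame[payload_off:])


# Worked case from the page: vlan2 (id 12) stacked on vlan1 (id 11) over ether1.
DOUBLE_TAGGED = build_frame(MAC_A, MAC_B, [(TPID_8021Q, 11), (TPID_8021Q, 12)],
                            ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
# Customer frame entering CRS-1 ether1 with customer VID 200 -> service VID 400.
CRS1_RULES = {200: 400, 300: 500}
CUSTOMER = build_frame(MAC_A, MAC_B, [(TPID_8021Q, 200)],
                       ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    print("vlan2 over vlan1:", vids(DOUBLE_TAGGED), DOUBLE_TAGGED[:22].hex())
    trunk = ingress_translate(CUSTOMER, CRS1_RULES)
    print("CRS-1 trunk side:", vids(trunk), "back to customer:", vids(pop_outer_tag(trunk)))
```

The parser stops at the first EtherType that is not a tag TPID, which is also why a switch that looks up by customer (inner) VID would forward two customers' VLAN 200 frames into the same domain; setting bridge-type=service-vid-used-as-lookup-vid makes the outer VID (400 or 500 here) the key instead.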
Bandwidth Control (QoS)
WAP offers DiffServ/TOS, HTB, PCQ, CIR, CBS, and more. Please refer to User Guide
for basic functions.
DSCP based QoS with HTB
This describes a way to prioritize traffic by using DSCP tags. The DiffServ Code Point is
a field in the IP header that allows you to classify traffic. DSCP is meant to be
administered on a per-hop basis, allowing each router on a path to determine how
each traffic class should be prioritized. The solution described in this document is built
around the Hierarchical Token Bucket queuing algorithm in RouterOS, dividing the 64
possible DSCP code values into the 8 queues available. This solution also utilizes the
tree-based queuing, in order to have a parent queue do bandwidth control, with subqueues for each possible DSCP value.
The actual queuing is done as per this table:
Name                  Precedence   DSCP Range                   HTB Priority
Routine (default)     000 (0)      000000 (0) – 000111 (7)      8
Priority              001 (1)      001000 (8) – 001111 (15)     7
Immediate             010 (2)      010000 (16) – 010111 (23)    6
Flash                 011 (3)      011000 (24) – 011111 (31)    5
Flash Override        100 (4)      100000 (32) – 100111 (39)    4
Critical              101 (5)      101000 (40) – 101111 (47)    3
Internetwork Control  110 (6)      110000 (48) – 110111 (55)    2
Network Control       111 (7)      111000 (56) – 111111 (63)    1
DSCP marking/mangling
In order to match DSCP values in your queues, it is necessary to mark the packets using
firewall mangling. This is best done with this command:
:for x from 0 to 63 do={/ip firewall mangle add action=mark-packet chain=postrouting \
comment=("dscp_" . $x . "_eth") disabled=no dscp=$x new-packet-mark=("dscp_" . $x . "_eth") \
passthrough=no}
This command creates 64 lines under /ip firewall mangle that simply mark each packet
with a DSCP value to be processed later.
Having that done, it's time to move on to the actual queues.
Set up the queue tree
The next example assumes that ether1 is the wan interface, and your available bandwidth
is 5Mbit/s.
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=5000000 \
name=ether1 parent=ether1 queue=default
#prio 8
:for z from 0 to 7 do={/queue tree add burst-limit=0 burst-threshold=0 burst-time=0s \
disabled=no limit-at=0 max-limit=0 \
name=("routine_" . $z . "_ether1") packet-mark=("dscp_" . $z . "_eth") parent=ether1 \
priority=8 queue=ethernet-default}
#prio 7
:for z from 8 to 15 do={/queue tree add burst-limit=0 burst-threshold=0 burst-time=0s \
disabled=no limit-at=0 max-limit=0 \
name=("priority_" . $z . "_ether1") packet-mark=("dscp_" . $z . "_eth") parent=ether1 \
priority=7 queue=ethernet-default}
#prio 6
:for z from 16 to 23 do={/queue tree add burst-limit=0 burst-threshold=0 burst-time=0s \
disabled=no limit-at=0 max-limit=0 \
name=("immediate_" . $z . "_ether1") packet-mark=("dscp_" . $z . "_eth") parent=ether1 \
priority=6 queue=ethernet-default}
#prio 5
:for z from 24 to 31 do={/queue tree add burst-limit=0 burst-threshold=0 burst-time=0s \
disabled=no limit-at=0 max-limit=0 \
name=("flash_" . $z . "_ether1") packet-mark=("dscp_" . $z . "_eth") parent=ether1 \
priority=5 queue=ethernet-default}
#prio 4
:for z from 32 to 39 do={/queue tree add burst-limit=0 burst-threshold=0 burst-time=0s \
disabled=no limit-at=0 max-limit=0 \
name=("flash_override_" . $z . "_ether1") packet-mark=("dscp_" . $z . "_eth") parent=ether1 \
priority=4 queue=ethernet-default}
#prio 3
:for z from 40 to 47 do={/queue tree add burst-limit=0 burst-threshold=0 burst-time=0s \
disabled=no limit-at=0 max-limit=0 \
name=("critical_" . $z . "_ether1") packet-mark=("dscp_" . $z . "_eth") parent=ether1 \
priority=3 queue=ethernet-default}
#prio 2
:for z from 48 to 55 do={/queue tree add burst-limit=0 burst-threshold=0 burst-time=0s \
disabled=no limit-at=0 max-limit=0 \
name=("intercon_" . $z . "_ether1") packet-mark=("dscp_" . $z . "_eth") parent=ether1 \
priority=2 queue=ethernet-default}
#prio 1
:for z from 56 to 63 do={/queue tree add burst-limit=0 burst-threshold=0 burst-time=0s \
disabled=no limit-at=0 max-limit=0 \
name=("netcon_" . $z . "_ether1") packet-mark=("dscp_" . $z . "_eth") parent=ether1 \
priority=1 queue=ethernet-default}
This solution is the most flexible solution I could come up with. It is built around the
philosophy that the highest DSCP marking is served first. The actual shaping of the interface
could be moved to a simple queue in order to be able to police differently on upstream
and downstream, but I prefer to shape at both ends of a circuit, so when you have
different upload and download speeds, you should shape according to the upload speed.
Further Refinements by BrotherDust
Using the former script as a starting point, we have devised the following script:
#Set interface here
:global outboundInterface "ether1"
#Set bandwidth of the interface (remember, this is for OUTGOING)
:global interfaceBandwidth 0
#Set where in the chain the packets should be mangled
:global mangleChain postrouting
#Don't mess with these. They set the parameters for what is to follow
:global queueName ("qos_" . $outboundInterface)
:global qosClasses [:toarray "netcon,intercon,critical,flash_override,flash,immediate,priority,routine"]
:global qosIndex 64
#Set up mangle rules for all 64 DSCP marks
#This is different in that the highest priority packets are mangled first.
:for indexA from 63 to 0 do={
/ip firewall mangle add \
action=mark-packet \
chain=$mangleChain \
comment=("dscp_" . $indexA) \
disabled=no \
dscp=$indexA \
new-packet-mark=("dscp_" . $indexA) \
passthrough=no
}
#Add a base queue to the queue tree for the outbound interface
/queue tree add \
max-limit=$interfaceBandwidth \
name=$queueName \
parent=$outboundInterface \
priority=1
#Set up queues in queue tree for all 64 classes, subdivided by 8.
:for indexA from=0 to=7 do={
:local subClass ([:pick $qosClasses $indexA] . "_" . $outboundInterface)
/queue tree add \
name=$subClass \
parent=$queueName \
priority=($indexA+1) \
queue=ethernet-default
:for indexB from=0 to=7 do={
:set qosIndex ($qosIndex-1)
/queue tree add \
name=($subClass . "_" . $indexB) \
parent=$subClass \
priority=($indexB+1) \
packet-mark=("dscp_" . $qosIndex) \
queue=ethernet-default
}
}
Set the global variables accordingly, paying attention to the comments. This script
creates an even more granular priority structure: 64 different priorities subdivided
under 8 master priorities. This is what it will look like under interface queues when
you enter it in the console:
A QoS structure can be illustrated as:
Some usage notes:
1. Remember! The way that this script is set up by default is such that it will only work
with outgoing traffic. It's best practice (in my opinion) to keep it set up that way, as
doing it for incoming traffic would be redundant.
2. If this is going to be applied to more than one interface, cut the script up so that it
doesn't make the mangle rules again.
3. The bandwidth parameter need not be set. It's just for if you have an interface with
fixed bandwidth or you want to limit that interface. If it is set, it must be in bits per
second.
I have not yet tested this on a wireless interface because the rates are unstable and I want
them to be as fast as possible.
Updated on 20090604: I changed the script slightly to reverse the mangling chain. Now
highest priority packets are processed first. Probably not going to make a huge difference,
but we'll see.
Updated on 20100514: In response to the comments below: OSPF packets with DSCP
tag 48 do not get priority 8 globally; rather, they get priority 8 inside of a priority 2
queue. This script creates an extremely granular queue structure to work with. Most
people do not need this level of granularity. For the most part they will delete the queues
that aren't needed.
Comment on difference between this solution and first solution
Please note that the DSCP tagging strategy here is completely different from that of the
first script. Please consider whether it fits within your current QoS setup before applying it.
For instance, RouterOS automatically tags dynamic routing with DSCP value 48, and
under this script routing updates will have priority 8, which is the lowest priority. In a
practical network setup, we suggest you only handle the DSCP codes that you know your
network is using. My current mangle setup script looks like this:
/ip firewall mangle add action=mark-packet chain=postrouting comment=dscp.0 disabled=no \
dscp=0 new-packet-mark=dscp.0 passthrough=no
/ip firewall mangle add action=mark-packet chain=postrouting comment=dscp.46 disabled=no \
dscp=46 new-packet-mark=dscp.46 passthrough=no
/ip firewall mangle add action=mark-packet chain=postrouting comment=dscp.48 disabled=no \
dscp=48 new-packet-mark=dscp.48 passthrough=no
:for x from 1 to 45 do={/ip firewall mangle add action=mark-packet chain=postrouting \
comment=dscp.1-45 disabled=no dscp=$x new-packet-mark=dscp.other passthrough=no}
/ip firewall mangle add action=mark-packet chain=postrouting comment=dscp.47 disabled=no \
dscp=47 new-packet-mark=dscp.other passthrough=no
:for x from 49 to 63 do={/ip firewall mangle add action=mark-packet chain=postrouting \
comment=dscp.49-63 disabled=no dscp=$x new-packet-mark=dscp.other passthrough=no}
This basically gives you four markings:
• dscp.0 for packets that have no DSCP tags
• dscp.46 for EF packets (my VoIP traffic)
• dscp.48 for routing updates
• dscp.other for all other DSCP values
We are then able to assemble a queue tree where unmarked packets have the lowest
priority, followed by dscp.other, dscp.46 and dscp.48, under the philosophy that routing
updates should always be prioritized highest (without them, nothing works), then VoIP,
then other prioritized packets, and lowest of all, non-marked packets.
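The following Python helper is an added example, not the guide's own script: it generates this four-marking mangle set and the matching queue tree for any set of explicit code points, and checks that all 64 DSCP values are claimed exactly once (with passthrough=no the first matching rule wins, so an overlap would silently shadow a later rule). The interface name and bandwidth are taken from the first queue tree example; the qos_ queue names are this example's own.

```python
"""Generate a DSCP-based mangle rule set and queue tree in the style of the
four-marking setup above, and verify the rules partition all 64 DSCP values.
Added example; the qos_<interface> queue names are an assumption."""
from typing import Dict, List, Tuple

DSCP_MAX = 63  # DSCP is a 6-bit field


def dscp_ranges(explicit: Dict[int, str], default_mark: str) -> List[Tuple[int, int, str]]:
    """Split 0..63 into contiguous (lo, hi, mark) ranges in ascending order.
    Explicit code points get their own mark; the gaps between them get default_mark."""
    for dscp in explicit:
        if not 0 <= dscp <= DSCP_MAX:
            raise ValueError(f"DSCP {dscp} is outside 0..{DSCP_MAX}")
    ranges: List[Tuple[int, int, str]] = []
    start = 0
    for dscp in sorted(explicit):
        if dscp > start:
            ranges.append((start, dscp - 1, default_mark))
        ranges.append((dscp, dscp, explicit[dscp]))
        start = dscp + 1
    if start <= DSCP_MAX:
        ranges.append((start, DSCP_MAX, default_mark))
    return ranges


def mangle_rules(explicit: Dict[int, str], default_mark: str,
                 chain: str = "postrouting") -> List[str]:
    """RouterOS commands: one rule per single code point, one :for loop per gap."""
    base = f"/ip firewall mangle add action=mark-packet chain={chain}"
    cmds: List[str] = []
    for lo, hi, mark in dscp_ranges(explicit, default_mark):
        if lo == hi:
            cmds.append(f"{base} comment=dscp.{lo} dscp={lo} "
                        f"new-packet-mark={mark} passthrough=no")
        else:
            cmds.append(f":for x from {lo} to {hi} do={{{base} comment=dscp.{lo}-{hi} "
                        f"dscp=$x new-packet-mark={mark} passthrough=no}}")
    return cmds


def mark_for_each_dscp(explicit: Dict[int, str], default_mark: str) -> Dict[int, str]:
    """Map every DSCP value to the packet mark the rule set gives it.
    Defensive check: raises if a value is matched twice or never."""
    mapping: Dict[int, str] = {}
    for lo, hi, mark in dscp_ranges(explicit, default_mark):
        for dscp in range(lo, hi + 1):
            if dscp in mapping:
                raise ValueError(f"DSCP {dscp} matched twice")
            mapping[dscp] = mark
    missing = [d for d in range(DSCP_MAX + 1) if d not in mapping]
    if missing:
        raise ValueError(f"DSCP values never marked: {missing}")
    return mapping


def queue_tree(interface: str, max_limit_bps: int,
               marks_highest_first: List[str]) -> List[str]:
    """One parent queue shaping the interface, one child per mark.
    RouterOS priority 1 is served first and 8 last, so the list order is the policy."""
    if len(marks_highest_first) > 8:
        raise ValueError("queue tree priority has only 8 levels")
    parent = f"qos_{interface}"
    cmds = [f"/queue tree add name={parent} parent={interface} max-limit={max_limit_bps}"]
    for prio, mark in enumerate(marks_highest_first, start=1):
        cmds.append(f"/queue tree add name={mark}_{interface} parent={parent} "
                    f"packet-mark={mark} priority={prio} queue=ethernet-default")
    return cmds


# The four-marking policy from the text: routing first, then VoIP, then other
# marked traffic, unmarked packets last.
EXPLICIT = {0: "dscp.0", 46: "dscp.46", 48: "dscp.48"}
POLICY = ["dscp.48", "dscp.46", "dscp.other", "dscp.0"]

if __name__ == "__main__":
    mark_for_each_dscp(EXPLICIT, "dscp.other")  # raises on gaps or overlaps
    for line in mangle_rules(EXPLICIT, "dscp.other") + queue_tree("ether1", 5000000, POLICY):
        print(line)
```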
DiffServ for Quality of Service
Or “Efficiently control your traffic priorities”
Striving for performance, reliability and speed, all of which combine into something known
as Quality of Service, we introduce RouterOS operation in DiffServ mode. From this we
can learn some new tips and tricks for operating complex networks, easing router
configuration and increasing client satisfaction with the service provided.
What is DiffServ
What is this Quality of Service (QoS) thing all about? Its goal is to use the available
resources effectively, and improve user experience and satisfaction with your service,
allowing you to run a prosperous business. QoS is what unites everything related to
making routing decisions, providing reliable service with failover capabilities, utilizing
most of the available network resources, respecting different application requirements. A
big part of router functionality may be considered to contribute to the Quality of Service:
routing, failover operation, shaping and queueing, partially even the firewall.
The Internet Protocol was developed to provide best-effort service in data networks,
without acknowledging the different requirements of the applications using these networks. It
was assumed that each application and each user has the same right to the data channel,
and statistically, each network application received the same treatment as any other.
Unfortunately, growing demand for low latency (IP telephony) and other special services
proved that this approach does not deliver the appropriate treatment for each and every
application. Moreover, ISPs tend to provide differently priced services, which leads
to the need for packet prioritization and scheduling on the network infrastructure. To
address this, the IETF has developed two approaches for sharing network resources
between different applications and making the network more aware of the types of traffic
it handles: the Integrated Services QoS (IntServ) and the Differentiated Services QoS
(DiffServ, DS).
While IntServ tends to provide very precise resource allocation based on the requirements
of each application (communicated with a special protocol called RSVP (Resource
Reservation Protocol)), it requires both support at the application level and enormous
resources on the packet forwarding equipment (as IntServ is stateful, and thus requires all
the concurrent connections to be tracked at each router along the path, which is quite
problematic on high-speed links and internet backbones). On the other hand, the DiffServ
stateless approach, according to RFC 2638, should "keep the forwarding path simple,
push complexity to the edges of the network to the extent possible". The DiffServ
architecture delivers a rather coarse traffic differentiation based on a special marking
carried along with the packets within the DS domain. The byte-long ToS field is
employed for this purpose, and is renamed accordingly to the DSCP (Differentiated
Services Code Point) byte, of which the standard reserves 2 bits for future use (although
actual implementations sometimes do not respect this, allowing 256 possible DSCP
values instead of only 64 as per the standard). This distinguishes between Behavior
Aggregates (BA), each a set of flows that share the same DSCP mark and thus receive
identical treatment within the DS domain.
The DSCP marks are set by the DS domain edge routers, so the main load is put on them.
Interior routers are relieved of the expensive operations, and mostly act based on
the set of Per Hop Behavior (PHB) actions, which are defined for each DSCP value. The
PHB may define the allocated data rate, priority, and sometimes also a filter set for a particular
BA to apply on a particular router.
Another technique with similar properties (pushing complexity to the edge routers and
differentiating hop behavior based on a marking transmitted along with the packets) is
MPLS (MultiProtocol Label Switching), an ultrafast packet switching protocol based on
arbitrary labels instead of addresses. MPLS implementations do not examine IP headers
and hence avoid expensive lookups in large routing tables; they simply follow what the
labels tell them to do. MPLS and DiffServ are even used together in many networks in
order to combine the label-based scheduling of DS with the label switching of MPLS. In
many situations, the worldwide dominant IP protocol is the only thing the infrastructure is
required to forward, so in many cases there is no need for the Multi Protocol part of the
MPLS term; Label Switching, although not as fast as in MPLS implementations, may as
well be performed by DiffServ routers capable of policy routing.
Implementing DiffServ
The DSCP mark is transmitted inside each IP packet. You can work with the full DSCP field
using the firewall mangle facility (it is called "tos" there). Note the reserved bits (the two least
significant bits) if you want to respect the standards, as this facility works with the whole
byte. Once read, a set of firewall rules may be applied. A packet may also be marked
with an internal flow mark (to use in queues) or a routing mark (to use in policy routing).
You can also change the DSCP marks of any packets.
For example, to put a DSCP mark 48 on all DNS traffic, do:
/ip firewall mangle add protocol=udp src-port=53 action=change-tos new-tos=48
/ip firewall mangle add protocol=udp dst-port=53 action=change-tos new-tos=48
/ip firewall mangle add protocol=tcp src-port=53 action=change-tos new-tos=48
/ip firewall mangle add protocol=tcp dst-port=53 action=change-tos new-tos=48
To put a routing mark "sip" on all packets from the 10.0.0.2 server with DSCP=64, do:
/ip firewall mangle add tos=64 src-address=10.0.0.2 action=mark-routing new-routing-mark=sip
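The reserved-bit caveat above matters when writing tos= matchers. The Python helpers below are an added example, not the guide's code: they convert between a DSCP code point and the whole ToS byte that the mangle facility compares, name the standard PHBs, and emit the routing-mark rule above once per ECN variant of a code point so that ECN-capable flows are matched as well. The address 10.0.0.2 and the mark "sip" come from the example above; the rule layout is this example's own.

```python
"""DSCP code point <-> ToS byte helpers for RouterOS mangle rules.
The 'tos' matcher and 'new-tos' value operate on the whole byte: the DSCP is the
upper 6 bits, the low 2 bits are the reserved (ECN) bits mentioned in the text.
Added example, not part of the guide."""
from typing import Dict, List, Tuple

# Standard PHB names: CSx = x*8, AFxy = x*8 + y*2, EF = 46 (RFC 2474/2597/3246).
PHB_NAMES: Dict[int, str] = {46: "EF"}
for _cls in range(8):
    PHB_NAMES[_cls * 8] = f"CS{_cls}"
for _cls in range(1, 5):
    for _drop in range(1, 4):
        PHB_NAMES[_cls * 8 + _drop * 2] = f"AF{_cls}{_drop}"


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """The ToS byte as RouterOS 'tos=' / 'new-tos=' sees it."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP {dscp} outside 0..63")
    if not 0 <= ecn <= 3:
        raise ValueError(f"ECN {ecn} outside 0..3")
    return (dscp << 2) | ecn


def decode_tos(tos: int) -> Tuple[int, int, str]:
    """Return (dscp, ecn, phb_name); unnamed code points are reported as DSCP<n>."""
    if not 0 <= tos <= 255:
        raise ValueError(f"ToS byte {tos} outside 0..255")
    dscp, ecn = tos >> 2, tos & 0x3
    return dscp, ecn, PHB_NAMES.get(dscp, f"DSCP{dscp}")


def tos_values_for_dscp(dscp: int) -> List[int]:
    """All four byte values a whole-byte 'tos=' matcher needs in order to match one
    DSCP regardless of the ECN bits; a single tos= value matches only ECN 00."""
    return [tos_byte(dscp, ecn) for ecn in range(4)]


def mark_routing_by_dscp(dscp: int, src_address: str, routing_mark: str) -> List[str]:
    """One mark-routing rule per ECN variant of the code point."""
    return [f"/ip firewall mangle add tos={tos} src-address={src_address} "
            f"action=mark-routing new-routing-mark={routing_mark} passthrough=no"
            for tos in tos_values_for_dscp(dscp)]


if __name__ == "__main__":
    print("EF as ToS byte:", tos_byte(46), "decoded:", decode_tos(tos_byte(46)))
    for rule in mark_routing_by_dscp(46, "10.0.0.2", "sip"):
        print(rule)
```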
How to Configure MIMO / 802.11N Links
802.11n Features
• Frame Aggregation
• Block Acknowledgement
• Channel Bonding
• MIMO
Frame Aggregation
• 802.11a/b/g requires an Acknowledgement (ACK) for each frame that gets sent. This
allows high reliability, but at high data rates the overhead can be more than the actual
data
• Nstreme gets around this to an extent by using Framer Policy to allow more packets per
frame
• 802.11n uses Aggregation of MAC Service Data Units (AMSDU), Aggregation of
MAC Protocol Data Units (AMPDU) and Block Acknowledgement (BA) as
mechanisms to increase data throughput on wireless links
Aggregation of MAC Service Data Units (AMSDU)
• MSDU aggregation relies on most Access Points and most client protocol stacks
using Ethernet as their "native" frame format.
• It collects Ethernet frames to be transmitted to a single destination and wraps them in
a single 802.11n frame. This is efficient because Ethernet headers are much shorter
than 802.11 headers.
• Combining multiple (Ethernet) data frames into a single frame decreases the
overhead, allowing higher data rates
Aggregation of MAC Protocol Data Units (AMPDU)
• MPDU aggregation also collects Ethernet frames to be transmitted to a single
destination, but it wraps each frame in an 802.11n MAC header
• This is less efficient than MSDU aggregation, but it may be more efficient in
environments with high error rates, because of block acknowledgement (BA).
• Instead of transmitting an individual ACK for every MPDU, multiple MPDUs can be
acknowledged together using a single BA frame.
• This mechanism allows each of the aggregated data frames to be individually
acknowledged or retransmitted if affected by an error.
Channel Bonding, Chains
• By default 802.11n uses 20MHz of bandwidth
• Channel Bonding adds an additional 20MHz channel to the existing channel
• The additional channel is placed below or above the main channel frequency
• It is backward compatible with existing 20MHz clients: a connection will be made to
the main channel
• Allows the use of higher data rates
• TX/RX chains (MIMO): number of antennas that are being used
Discussion & Tips
1. When designing a MIMO link, take the data rates of your customers into
consideration. On an AP, a customer connected at a low data rate lowers the performance
of the other clients connected to it. Another thing to remember is not to saturate the
amplifier card; it is better to lower the power to the card a little to reduce the noise
you add.
2. Antenna design is key to diversity/MIMO. Try a spacing of about 2-3 feet between
antennas, with opposite polarities between Tx and Rx.
3. For the distance field, enter a valid distance, for example 10km instead of auto.
4. More tips:
• HW retries = 15
• Adaptive noise immunity = client & ap
• Periodic Calibration = off
• CSMA = off
• Framer policy = best fit
• Data rates = manual
• Disable ALL 802.11a/b/g rates
• Disable ALL MCS rates except MCS12 (this really depends on your setting); see the
following link for the bandwidth of MCS rates:
http://en.wikipedia.org/wiki/IEEE_802.11n-2009#Data_rates
• frame-lifetime = 3
• /ip firewall connection tracking set enabled=no
5. More detail on some 802.11n configuration options
• ht-ampdu-priorities (0,1,2,3,4,5,6,7 - any combination of these)
A-MPDU (Aggregated MAC Protocol Data Unit) frame aggregation allows multiple
Ethernet frames destined for a single location to be transmitted as a burst. In other
words, it allows several MAC-level service data units (MSDUs) to be aggregated into a
single MPDU. Some studies demonstrate that A-MPDU aggregation allows a channel
utilization of 95% in the ideal case, while without aggregation the channel utilization
is limited to just 33%.
• ht-extension-channel (above-control | below-control | disabled)
The current 802.11n draft allows wireless channel bonding. There is one 20MHz
channel defined as the "control channel", while the "secondary channel" (or
extension channel) can then be set to sit above or below the control channel. We
recommend channel bonding be used in the 5GHz band due to the limited
number of non-overlapping channels available in the 2.4GHz band (remember:
extension channel = base channel + 20 MHz).
For more info visit 802.11n Channel Bonding
• ht-rxchains/ht-txchains (0,1,2 - any combination of these)
Which antenna connector to use for TX or RX. We can use one of these or a
combination of these. Atheros AR9300 based radio modules support up to 3
MMCX antenna connectors, and to use all antennas ht-txchains/ht-rxchains need to
have 0, 1 and 2 checked for maximum performance.
6. Troubleshooting Tips
• Troubleshoot 1 antenna chain at a time
• MIMO configurations will hide problems
• Change HT Guard Interval (GI) to Long
• Change HW Retries from 4 to 7-10
• If using MIMO, do not have the antennas perfectly tuned; force separation
• Nv2 Troubleshooting:
Increase throughput on long distance links with tdma-period-size. In every "period",
the Access Point leaves part of the time unused for data transmission (equal to the
round trip time, the time in which a frame can be sent to and received back from the
client); it is used to ensure that the client can receive the last frame from the
Access Point before sending its own packets to it. The longer the distance, the
longer the part of the period that is unused.
For example, the distance between the Access Point and the client is 30km. A frame is sent
in 100us in one direction, so the round-trip time is ~200us. The tdma-period-size
default value is 2ms, which means 10% of the time is unused. When tdma-period-size
is increased to 4ms, only 5% of the time is unused. For a 60km wireless link, the round-trip
time is 400us; the unused time is 20% for the default tdma-period-size of 2ms, and
10% for 4ms. A bigger tdma-period-size value increases latency on the link.
7. 802.11n Outdoor Setup
• For 2 chain operation suggested to use different polarization for each chain
• When dual-polarization antennas are used, the isolation of the antenna is recommended
to be at least 25 dB
• If possible test each chain separately before using both chains at the same time
8. 802.11n speed with encryption
• Avoid using wireless encryption with TKIP cipher as it slows down the wireless
link - speed drop from 220Mbps to 38Mbps
• Use AES cipher for 802.11n wireless encryption
9. Throughput discussion - Tips and notes on how to get the max wireless throughput:
• Use of 802.11n wireless standard
• Use of Nstreme or Nv2 wireless protocol
• Use of channels with less interference
• Having a good line of sight and fresnel zone
• Try out rate-selection=advanced
10. Lab vs Outdoor Performance
• MIMO setup: Test each chain separately before using both chains simultaneously
• MIMO can deliver better performance or better reliability, but rarely both
• For dual chain operation use cross polarization for each chain
• When dual-polarized antennas are used, the recommended isolation of the antenna is
at least 25 dB
• Nv2 seems to perform better in situations where noise is high but signal strength
is good (of course it is best when noise is low!)
• When the signal is poor or in extremely high noise situations, 802.11n with or without
Nstreme may deliver better results; experimentation is required
• Nstreme in high noise areas can add a lot of latency to deliver higher speeds; real
time traffic like VOIP will suffer
AP Bridge and Station Mode
This is suitable for PTP or PTMP connection modes. Station mode supports both; the
examples start with plain 802.11, with Nstreme and Nv2 covered later.
Both the AP Bridge and Station sides have the same parameters except the wireless mode: one is
AP Bridge while the other one is Station (client) mode.
The following test result is based on RouterOS 5.8
AP Bridge Side (COM)
Create bridge1, which bridges ether1 and wlan1
Uncheck Default Forward (optional): This is the value of forwarding for clients that do
not match any entry in the access-list
Channel Width:
• Above & Below Control = 40MHz wide
• 40MHz HT channels use the adjacent channel selected by either above or below
control
• Both the AP & the Client must have the same values.
Under the data rate, change it from Default to configured (Advanced), and uncheck all the
a/b/g rate values.
• Max Station Count depends on your real deployment. We set it to 1 for the
point to point scenario. You can set it up to a maximum count of 2007 stations.
• Distance as indoors is for lab test only. You should specify the correct parameters.
• Disable Calibration
• Hardware Retries to be 15
• Frame Lifetime to be 3
• Adaptive Noise Immunity to be ‘ap and client mode’ (on the later Station side, you can
define it to be “client mode”)
HT Extension Channel
HT (high throughput) Tx Chains and Rx Chains:
Check both chain0 and chain1 for 2X2 which should produce max connection rate:
MCS Index  Number of spatial streams  Modulation  Data Rate (in Mbps)(GI = 800ns)  Data Rate (in Mbps)(GI = 400ns)
                                                  20MHz    40MHz                   20MHz    40MHz
15         2                          64-QAM      130      270                     144.4    300
HT Guard interval:
1. Symbols are groups of individual bits
2. The Guard Interval is a time delay between symbols to account for the late arrival
of a symbol.
3. A GI that is too short will cause Inter-Symbol Interference (ISI).
4. 802.11 a/b/g radios use a GI of 800 ns (nanoseconds)
5. 802.11n can use a GI of 400 ns, which increases BW by approximately 10%
• Long = 800ns. Selecting long will provide a more stable link
• Any = 400ns. Best Fit
HT AMSDU (Aggregate MAC Service Data Unit):
• Method of frame aggregation where multiple 802.3 frames have the headers removed
and the data combined into a new 802.11 frame.
• 0-8192
• Default is best value
HT AMPDU Priorities (Aggregate MAC Protocol Data Unit):
• Similar to AMSDU
• A method of frame aggregation
• AP & Clients must have the same values
• Default is “best effort” - best value
• Changing from default will cause problems for VOIP and streaming video
Modulation & Coding Schemes
Select the MCS rating manually. For example, if you want to set the data rate at MCS12,
select only MCS12 and uncheck the rest. You can also select a range from MCS 12 to 15,
depending on your experimental setting. This has to be applied to both the HT supported
and HT basic MCS sets.
Data rate (Mbit/s)
MCS    Spatial  Modulation  Coding  20 MHz channel         40 MHz channel
index  streams  type        rate    800 ns GI  400 ns GI   800 ns GI  400 ns GI
0      1        BPSK        1/2     6.50       7.20        13.50      15.00
1      1        QPSK        1/2     13.00      14.40       27.00      30.00
2      1        QPSK        3/4     19.50      21.70       40.50      45.00
3      1        16-QAM      1/2     26.00      28.90       54.00      60.00
4      1        16-QAM      3/4     39.00      43.30       81.00      90.00
5      1        64-QAM      2/3     52.00      57.80       108.00     120.00
6      1        64-QAM      3/4     58.50      65.00       121.50     135.00
7      1        64-QAM      5/6     65.00      72.20       135.00     150.00
8      2        BPSK        1/2     13.00      14.40       27.00      30.00
9      2        QPSK        1/2     26.00      28.90       54.00      60.00
10     2        QPSK        3/4     39.00      43.30       81.00      90.00
11     2        16-QAM      1/2     52.00      57.80       108.00     120.00
12     2        16-QAM      3/4     78.00      86.70       162.00     180.00
13     2        64-QAM      2/3     104.00     115.60      216.00     240.00
14     2        64-QAM      3/4     117.00     130.00      243.00     270.00
15     2        64-QAM      5/6     130.00     144.40      270.00     300.00
16     3        BPSK        1/2     19.50      21.70       40.50      45.00
17     3        QPSK        1/2     39.00      43.30       81.00      90.00
18     3        QPSK        3/4     58.50      65.00       121.50     135.00
19     3        16-QAM      1/2     78.00      86.70       162.00     180.00
20     3        16-QAM      3/4     117.00     130.70      243.00     270.00
21     3        64-QAM      2/3     156.00     173.30      324.00     360.00
22     3        64-QAM      3/4     175.50     195.00      364.50     405.00
23     3        64-QAM      5/6     195.00     216.70      405.00     450.00
24     4        BPSK        1/2     26.00      28.80       54.00      60.00
25     4        QPSK        1/2     52.00      57.60       108.00     120.00
26     4        QPSK        3/4     78.00      86.80       162.00     180.00
27     4        16-QAM      1/2     104.00     115.60      216.00     240.00
28     4        16-QAM      3/4     156.00     173.20      324.00     360.00
29     4        64-QAM      2/3     208.00     231.20      432.00     480.00
30     4        64-QAM      3/4     234.00     260.00      486.00     540.00
31     4        64-QAM      5/6     260.00     288.80      540.00     600.00
You must select "configured" on the Data Rate tab.
MCS 0-7 uses 1 spatial stream
MCS 8-15 uses 2 spatial streams
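The table above can be regenerated from the HT PHY parameters. This Python snippet is an added example, not part of the guide: it computes the rate for any MCS index, channel width and guard interval from the number of spatial streams, bits per subcarrier, coding rate, data subcarriers and symbol time, which also shows where the roughly 10% short-GI gain comes from.

```python
"""Regenerate the 802.11n MCS data-rate table above from the HT PHY parameters.
rate (Mbit/s) = N_ss * bits_per_subcarrier * coding_rate * N_sd / T_sym
Added example, not part of the guide."""
from typing import List, Tuple

MOD_BITS = {"BPSK": 1, "QPSK": 2, "16-QAM": 4, "64-QAM": 6}  # coded bits per subcarrier
# Modulation and coding rate for MCS 0..7; MCS 8..31 repeat them with 2..4 streams.
BASE_MCS: List[Tuple[str, Tuple[int, int]]] = [
    ("BPSK", (1, 2)), ("QPSK", (1, 2)), ("QPSK", (3, 4)), ("16-QAM", (1, 2)),
    ("16-QAM", (3, 4)), ("64-QAM", (2, 3)), ("64-QAM", (3, 4)), ("64-QAM", (5, 6)),
]
N_SD = {20: 52, 40: 108}         # data subcarriers per OFDM symbol, by channel width (MHz)
T_SYM_US = {800: 4.0, 400: 3.6}  # symbol duration incl. guard interval, by GI (ns)


def mcs_params(mcs: int) -> Tuple[int, str, int, int]:
    """(spatial streams, modulation, coding numerator, coding denominator)."""
    if not 0 <= mcs <= 31:
        raise ValueError(f"MCS {mcs} outside 0..31 (equal-modulation HT MCS)")
    mod, (num, den) = BASE_MCS[mcs % 8]
    return mcs // 8 + 1, mod, num, den


def ht_rate_mbps(mcs: int, width_mhz: int = 20, gi_ns: int = 800) -> float:
    """PHY data rate rounded to one decimal, as printed in the table."""
    nss, mod, num, den = mcs_params(mcs)
    data_bits_per_symbol = nss * MOD_BITS[mod] * N_SD[width_mhz] * num / den
    return round(data_bits_per_symbol / T_SYM_US[gi_ns], 1)


def table_row(mcs: int) -> Tuple:
    """One row in the table's column order: index, streams, modulation, coding
    rate, 20MHz/800ns, 20MHz/400ns, 40MHz/800ns, 40MHz/400ns."""
    nss, mod, num, den = mcs_params(mcs)
    return (mcs, nss, mod, f"{num}/{den}",
            ht_rate_mbps(mcs, 20, 800), ht_rate_mbps(mcs, 20, 400),
            ht_rate_mbps(mcs, 40, 800), ht_rate_mbps(mcs, 40, 400))


def short_gi_gain() -> float:
    """Relative gain of the 400ns GI over 800ns: 4.0/3.6 - 1, about 11%."""
    return T_SYM_US[800] / T_SYM_US[400] - 1


if __name__ == "__main__":
    for mcs in range(32):
        print(*table_row(mcs), sep="\t")
```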
The rest of the parameters keep their defaults: no Nv2, no Nstreme at this moment. Later we
would turn on Nv2 to compare the performance.
You can choose Tx Power Mode ‘default’ for best performance in an outdoor
environment. Here we use ‘all rates fixed’ at 9 dBm to avoid an over-powered link.
Disable Connection Tracking
Configuration Script
#
# this is a sample configuration for P2P with standard 802.11n & MIMO for maximum
# bandwidth in the lab
# you may need to adjust it for field deployment
#
# ---------------------------------------------------------------------------------------------
# AP Side (AP-bridge) for MIMO. IP address is 10.1.1.31
#
# do /system reset prior to the next setting. The system will ask you to reboot; type 'y' (no quotes)
/system reset
/system identity set name=WAP-520N-C
# create a bridge for the ethernet and wireless interfaces
/int bridge add name=bridge1 protocol-mode=rstp
/ip address add address=10.1.1.31/24 broadcast=10.1.1.255 interface=bridge1
/int bridge port add interface=ether1 bridge=bridge1
/int bridge port add interface=wlan1 bridge=bridge1
/int wireless set wlan1 mode=ap-bridge band=5ghz-onlyn channel-width=20/40mhz-ht-above \
frequency=5825 ssid=COM-5024 wireless-protocol=802.11 disabled=no \
country=no_country_set default-forwarding=no \
rate-set=configured supported-rates-a/g="" basic-rates-a/g="" max-station-count=1 \
distance=dynamic periodic-calibration=disabled hw-retries=15 frame-lifetime=3 \
adaptive-noise-immunity=ap-and-client-mode \
ht-supported-mcs=mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,\
mcs-22,mcs-23 ht-basic-mcs=mcs-12,mcs-13,mcs-14,mcs-15 ht-txchains=0,1 ht-rxchains=0,1
/ip firewall connection tracking set enabled=no
/system backup save name=factory-com
/system reboot
Station (APClient) Side (CPEM)
All parameters are the same with AP Bridge side, except wireless mode:
Now check the status of the signal level and CCQ quality. If CCQ is more than 90% you will
get the expected result.
The rest of the configuration is the same as on the AP (COM).
Configuration Script
#
# ---------------------------------------------------------------------------------------------
# CPE Side (station) for MIMO. IP address is 10.1.1.32
#
# do /system reset prior to the next setting. The system will ask you to reboot; type 'y' (no quotes)
/system reset
/system identity set name=WAP-520N-C
# create a bridge for the ethernet and wireless interfaces
/int bridge add name=bridge1 protocol-mode=rstp
/ip address add address=10.1.1.32/24 broadcast=10.1.1.255 interface=bridge1
/int bridge port add interface=ether1 bridge=bridge1
/int bridge port add interface=wlan1 bridge=bridge1
/int wireless set wlan1 mode=station band=5ghz-onlyn channel-width=20/40mhz-ht-above \
frequency=5825 ssid=COM-5024 wireless-protocol=802.11 disabled=no \
country=no_country_set default-forwarding=no \
rate-set=configured supported-rates-a/g="" basic-rates-a/g="" max-station-count=1 \
distance=dynamic periodic-calibration=disabled hw-retries=15 frame-lifetime=3 \
adaptive-noise-immunity=ap-and-client-mode \
ht-supported-mcs=mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,\
mcs-22,mcs-23 ht-basic-mcs=mcs-12,mcs-13,mcs-14,mcs-15 ht-txchains=0,1 ht-rxchains=0,1
/ip firewall connection tracking set enabled=no
/system backup save name=factory-cpem
/system reboot
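Because the AP and the station must agree on channel width, MCS sets and chains, a quick consistency check before deployment saves a trip to the site. This Python script is an added example, not part of the guide: it parses the `/int wireless set` command from the AP script above (the station command differs only in `mode=`, as the text states) and reports any disagreement. The list of must-match keys, the basic-within-supported MCS check and the `security-profile` check (a RouterOS wireless parameter the scripts above do not set) are this example's own choices.

```python
"""Consistency check between the AP and station '/int wireless set' commands.
Added example, not part of the guide: the must-match list and the
security-profile check are this example's own choices."""
import re
from typing import Dict, List

# Copied from the AP configuration script above (backslash continuations kept).
AP_CMD = r"""/int wireless set wlan1 mode=ap-bridge band=5ghz-onlyn channel-width=20/40mhz-ht-above \
frequency=5825 ssid=COM-5024 wireless-protocol=802.11 disabled=no \
country=no_country_set default-forwarding=no \
rate-set=configured supported-rates-a/g="" basic-rates-a/g="" max-station-count=1 \
distance=dynamic periodic-calibration=disabled hw-retries=15 frame-lifetime=3 \
adaptive-noise-immunity=ap-and-client-mode \
ht-supported-mcs=mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,\
mcs-22,mcs-23 ht-basic-mcs=mcs-12,mcs-13,mcs-14,mcs-15 ht-txchains=0,1 ht-rxchains=0,1"""
# The station script is identical except for the wireless mode.
STATION_CMD = AP_CMD.replace("mode=ap-bridge", "mode=station")

# Parameters both ends of the link must share (this example's choice).
MUST_MATCH = ("band", "channel-width", "frequency", "ssid", "wireless-protocol",
              "rate-set", "supported-rates-a/g", "basic-rates-a/g",
              "ht-supported-mcs", "ht-basic-mcs", "ht-txchains", "ht-rxchains")
# Parameters that are expected to differ between the ends.
MUST_DIFFER = ("mode",)


def parse_set_command(cmd: str) -> Dict[str, str]:
    """Turn a RouterOS 'set' command into a key->value map. Backslash-newline
    continuations are removed (no space is inserted, so split values rejoin) and
    quoted values lose their quotes, e.g. supported-rates-a/g="" becomes ''."""
    joined = cmd.replace("\\\n", "")
    return {key: val.strip('"')
            for key, val in re.findall(r'([\w./-]+)=("[^"]*"|\S+)', joined)}


def compare_ends(ap: Dict[str, str], station: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means the ends agree."""
    findings: List[str] = []
    for key in MUST_MATCH:
        a, s = ap.get(key), station.get(key)
        if a is None or s is None:
            findings.append(f"{key}: missing on {'AP' if a is None else 'station'}")
        elif a != s:
            findings.append(f"{key}: AP={a!r} station={s!r}")
    for key in MUST_DIFFER:
        if ap.get(key) == station.get(key):
            findings.append(f"{key}: both ends are {ap.get(key)!r}")
    for name, params in (("AP", ap), ("station", station)):
        # Every basic (mandatory) MCS must also be in the supported set.
        basic = set(params.get("ht-basic-mcs", "").split(","))
        supported = set(params.get("ht-supported-mcs", "").split(","))
        extra = sorted(basic - supported)
        if extra:
            findings.append(f"{name}: ht-basic-mcs not within ht-supported-mcs: {extra}")
        # Assumption: 'security-profile' is the wireless parameter selecting encryption.
        if "security-profile" not in params:
            findings.append(f"{name}: no security-profile given, so the interface keeps "
                            "the default profile; set one using the AES cipher")
    return findings


if __name__ == "__main__":
    for line in compare_ends(parse_set_command(AP_CMD), parse_set_command(STATION_CMD)):
        print(line)
```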
Bandwidth on the Air
This is tested with 70 dB of attenuation between the two antennas, or using a small gain antenna
(5dBi) with a smaller fixed Tx power of 9 dBm
802.11n and WDS
• 802.11n frame aggregation can’t be used together with WDS
• Max transmit speed drops from 220Mbps to 160Mbps using WDS (UDP traffic)
• Station-bridge has the same speed limitations as Station-wds
• Avoid using WDS or use Nstreme/Nv2 wireless protocol to overcome this limitation
Nstreme Version 2 (Nv2)
• What is Nv2
• Nv2 Compatibility
• Nv2 co-existence
• Nv2 vs 802.11 vs Nstreme
• Nstreme / NV2 Rates
What is Nv2
• Proprietary protocol for use with Atheros 802.11 wireless chips. It uses TDMA (Time
Division Multiple Access) as the MAC level data carrier
• It replaces and is not compatible with CSMA/CA (Carrier Sense Multiple Access) and
Nstreme
• TDMA solves the hidden node problem and improves media usage, thus improving
throughput and latency, especially in PtMP networks.
• Nv2 is supported for Atheros 802.11n chips and legacy 802.11a/b/g chips starting
from AR5212, but not supported on older AR5211 and AR5210 chips. Both 11n and
legacy devices can participate in the same network and a hardware upgrade is not
required to implement Nv2
• NV2 deploys multiple timeslots per transmission cycle that are assigned to clients at
the beginning of each transmission
• Each client may only transmit in its own timeslot
• Strict timeslot control ensures each client has a fair chance of transmitting or
receiving data
• Media access in an Nv2 network is controlled by the Nv2 Access Point.
• The AP divides time into fixed size "periods" which are dynamically divided into
downlink (data sent from AP to clients) and uplink (data sent from clients to AP)
portions, based on queue state on the AP and clients.
• Uplink time is further divided between connected clients based on their requirements
for bandwidth.
• At the beginning of each period the AP broadcasts a schedule that tells clients when
they may transmit and the amount of time they can use.
Nv2 Compatibility
• The Nv2 protocol is not compatible with any other wireless protocols or implementations,
either TDMA based or any other kind, including Motorola Canopy, Ubiquiti Airmax
and the FreeBSD TDMA implementation. Only Nv2 supported and enabled devices can
participate in an Nv2 network.
• Regular 802.11 devices will not recognize and will not be able to connect to an Nv2
AP.
• WAP/CAP devices that have Nv2 support will see Nv2 APs when running a wireless
scan, but will only connect to an Nv2 AP if properly configured.
Nv2 Co-existence
• As Nv2 does not use CSMA technology it may disturb any other networks on the
same frequency. In the same way other networks may interfere with an Nv2 network,
because all other signals are considered noise.
• Unlike 802.11 CSMA, the TDMA protocol is “always on”, so it is always
transmitting, so the chance of interference is much higher
Nv2 Key Points
The key points regarding compatibility and coexistence:
• Only WAP/CAP devices will be able to participate in an Nv2 network
• only WAP/CAP devices will see an Nv2 AP when scanning
• Nv2 networks will disturb other networks in the same channel
• Nv2 networks may be affected by any (Nv2 or not) other networks in the same
channel
• Nv2 enabled device will not connect to any other TDMA based network
Nv2 vs 802.11
• Media access is scheduled by the AP. This eliminates the hidden node problem and
allows a cent
ralized media access policy: the AP controls how much time is used by each
client and can assign time to clients according to a policy, as opposed to each device
contending for media access.
• Reduced propagation delay overhead. No per-frame ACKs significantly improves
throughput, especially on long distance links
• Reduced per frame overhead. Nv2 implements frame aggregation and fragmentation
to maximize assigned media usage and reduce per-frame overhead
Nv2 vs Nstreme
• Reduced polling overhead.
  o Nv2 AP broadcasts an uplink schedule that assigns time to multiple clients,
instead of polling each client.
  o This can be considered "group polling"; reduced per-client polling means more
time for actual data transmission
  o This improves throughput, especially in PtMP configurations.
• Reduced propagation delay overhead
  o The uplink schedule is based on estimated distance (propagation delay) to
clients
  o This improves throughput, especially in PtMP configurations.
• More control over latency
  o Reduced overhead, adjustable period size and QoS features allow for more
control over latency in the network.
Nstreme / NV2 Rates
TDMA – Time Slot Transmission
TDMA (Time Division Multiple Access) is a channel access method for shared-medium
networks that combines burst synchronization and error detection. It allows several
different (point-to-point) links to share the same frequency channel by dividing the signal
into different time slots. The links transmit in rapid succession, one after the other, each
using its own time slot. This allows multiple stations to share the same transmission
medium (e.g. a radio frequency channel) while each uses only a part of its channel capacity.
The most important benefits of the new TDMA protocol are:
• Increased speed
• More client connections in PTMP (point to multipoint, or radio hubs in a cell)
environments
• Lower latency
• No distance limitations
• No penalty for long distances
TDMA settings
• nv2-qos sets the packet priority mechanism: data from the highest priority queue is sent first, then lower priority queue data, until queue priority 0 is reached. When the link is full with high priority queue data, lower priority data is not sent. Use it very carefully; the setting works on the Access Point (AP).
o frame-priority - manual setting that can be tuned with Mangle rules.
o default - default setting where small packets receive priority for best latency.
• nv2-cell-radius (default value: 30) affects the size of the contention time slot that the AP on the radio hub allocates for clients (the AP on the remote end) to initiate a connection, and also the size of the time slots used for estimating the distance to clients. When the setting is too small, clients that are farther away may have trouble connecting and/or disconnect with a "ranging timeout" error. Although during normal operation the effect of this setting should be negligible, to maintain maximum performance it is advised not to increase this setting unless necessary, so the AP does not reserve time that is never used but allocates it to actual data transfer instead.
o on AP: distance to the farthest client in km
o on station: no effect
• tdma-period-size (default value: 2) specifies the TDMA period in milliseconds. It can help on longer distance links: it can slightly increase bandwidth, while latency increases too.
• queue-count specifies how many priority queues are used in a P2P network.
Nv2 Troubleshooting
Increase throughput on long distance links with tdma-period-size. In every "period", the Access Point leaves part of the time unused for data transmission (equal to the round trip time, the time in which a frame can be sent to and received back from the client); it is used to ensure that the client can receive the last frame from the Access Point before sending its own packets. The longer the distance, the longer the part of the period that is unused.
For example, the distance between the Access Point and the client is 30km. A frame is sent in 100us one way, so the round-trip time is ~200us. The tdma-period-size default value is 2ms, which means 10% of the time is unused. When tdma-period-size is increased to 4ms, only 5% of the time is unused. For a 60km wireless link, the round-trip time is ~400us; the unused time is 20% for the default tdma-period-size of 2ms, and 10% for 4ms. A bigger tdma-period-size value increases latency on the link.
Nv2 Configuration
Tips to Improve Performance
• Select the protocol as "nv2" or "nstreme".
• Adjust the TDMA period, Cell Radius, Queue count and QoS under NV2 to get the best result.
• The issues that are resolved by using Nv2:
o Near-far problem: with 802.11, when there are users close to the sector and users far from the sector, the close users dominate and the sector starts behaving badly.
o A user with a bad signal affecting all other users.
Nv2 solves these by using a form of TDMA: it sends out a transmission schedule that all clients must obey, so if someone has bad CCQ/signal, a retry means they simply miss their time slot and have to wait for the next one. Other users are then not affected.
Data Rates
In the past we'd generally limit the client side down to something between 6-18Mbps to keep the sector stable and provide a fair share of the bandwidth. Nv2 ignores any client-side limits you set. The client takes its limit from what is set on the AP, so if you set the AP to 9Mbps, the maximum any client will connect at is 9Mbps. Start with the default limits on the AP (i.e. no limits) to see how it handles, before resorting to data rate limits.
Tweaks
Unless you are using QoS, the only useful things to look at are TDMA Period Size and Cell Radius. You can use wind to determine the furthest client, add a few km for padding and then adjust the Cell Radius. The TDMA period affects latency and throughput: a smaller period can potentially decrease latency (because the AP can assign time to a client sooner), but increases protocol overhead and therefore decreases throughput. On the other hand, increasing the period increases throughput but also increases latency. You can leave this at the default of 2ms unless you've done more reading and know what you are doing.
By choosing Wireless Protocol to be Nv2 for both AP-Bridge and Station, you get slightly improved bandwidth with a more stable link:
802.11n (2X2) without Nv2
802.11n (2X2) with Nv2
Configuration Script
# network protocol, if you prefer to run:
# 802.11:
wireless-protocol=802.11
# nv2:
wireless-protocol=nv2
# nv2 nstreme 802.11: wireless-protocol=nv2-nstreme-802.11,
# enable nstreme proprietary
/interface wireless nstreme set wlan1 enable-nstreme=yes disable-csma=yes \
enable-polling=yes framer-policy=best-fit framer-limit=3200
Time Division Duplex (TDD) & Time Division Multiple Access (TDMA)
On WAP firmware version 5 beta, we offer an OFDM/TDMA/TDD burst synchronization scheme suitable for a high rate multiple point-to-point system (or radio hub system) with a centralized dynamic slot allocation MAC protocol. A generic frame format is shown below:
TDMA/TDD requires only one channel for transmitting downlink and uplink sub-frames in two distinct time slots, and therefore has higher spectral efficiency. Moreover, with TDMA/TDD the downlink to uplink (DL/UL) ratio can be adjusted dynamically, so TDMA/TDD can flexibly handle both symmetric and asymmetric broadband traffic. This is the foundation for the WAP OS support of WiMAX classification QoS.
This new wireless protocol, based on TDMA technology applied to WLAN, is on beta site now and would be ready for the deployment schedule of this tender.
TDMA/TDD is a channel access method for shared medium networks that combines burst synchronization and error detection. It allows several different point-to-point links to share the same frequency channel by dividing the signal into time slots. The links transmit in rapid succession, one after the other, each using its own time slot. This allows multiple stations to share the same transmission medium (e.g. a radio frequency channel) while each uses only part of its channel capacity.
The most important benefits of the new TDMA/TDD protocol are:
• Increased speed
• More client connections in PTM (point-to-multipoint, or radio hubs in a cell) environments
• Lower latency
• No distance limitations
• No penalty for long distances
TDMA/TDD settings
See also section: TDMA settings
• qos sets the packet priority mechanism: data from the highest priority queue is sent first, then lower priority queue data, until queue priority 0 is reached. When the link is full with high priority queue data, lower priority data is not sent. Use it very carefully; the setting works on the Access Point (AP).
o frame-priority - manual setting that can be tuned with Mangle rules.
o default - default setting where small packets receive priority for best latency.
• cell-radius (default value: 30) affects the size of the contention time slot that the AP on the radio hub allocates for clients (the AP on the remote end) to initiate a connection, and also the size of the time slots used for estimating the distance to clients. When the setting is too small, clients that are farther away may have trouble connecting and/or disconnect with a "ranging timeout" error. Although during normal operation the effect of this setting should be negligible, to maintain maximum performance it is advised not to increase this setting unless necessary, so the AP does not reserve time that is never used but allocates it to actual data transfer instead.
o on AP: distance to the farthest client in km
o on station: no effect
• tdma-period-size (default value: 2) specifies the TDMA period in milliseconds. It can help on longer distance links: it can slightly increase bandwidth, while latency increases too.
• queue-count specifies how many priority queues are used in a P2P network.
How does TDMA/TDD work with a radio hub?
It increases throughput on long distance links with tdma-period-size. In every "period" shared by all time-synchronized Access Points in the radio hub, the Access Point leaves part of the time unused for data transmission (equal to the round trip time, the time in which a frame can be sent to and received back from the client); it is used to ensure that the client can receive the last frame from the Access Point before sending its own packets. The longer the distance, the longer the part of the period that is unused.
For example, the distance for one of the links between the Access Point and the remote is 30km. A frame is sent in 100us one way, so the round-trip time is ~200us. The tdma-period-size default value is 2ms, which means 10% of the time is unused. When tdma-period-size is increased to 4ms, only 5% of the time is unused. For another 60km wireless link, the round-trip time is ~400us; the unused time is 20% for the default tdma-period-size of 2ms, and 10% for 4ms. A bigger tdma-period-size value increases latency on the link.
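The period and cell-radius arithmetic from the Nv2 Troubleshooting section and the radio-hub example above, as an added example (Python written for this guide, not WiBorne or RouterOS code): it computes the share of each TDMA period a link of a given length leaves unused, picks the smallest tdma-period-size that keeps that share under a target, and renders a set line with the parameter names this guide lists. The 300 m/us propagation figure, the 1..10 ms candidate range, the 10% target and the 5 km padding are assumptions.

```python
"""Nv2/TDMA period planner (added example, not WiBorne or RouterOS code)."""
import math
from typing import Optional

# Guide's rule of thumb: a frame covers 30 km in ~100 us, i.e. ~300 m per us.
METRES_PER_US = 300.0


def round_trip_us(distance_km: float) -> float:
    """Round-trip propagation delay in microseconds for a link of distance_km."""
    return 2.0 * distance_km * 1000.0 / METRES_PER_US


def unused_fraction(distance_km: float, period_ms: float) -> float:
    """Share of each TDMA period the AP leaves unused (guard time equal to the
    round-trip time) so the remote gets the AP's last frame before it transmits.
    30 km at the 2 ms default gives 0.10, i.e. 10% unused, as in the text."""
    return round_trip_us(distance_km) / (period_ms * 1000.0)


def plan_nv2(farthest_km: float, max_unused: float = 0.10,
             padding_km: int = 5, periods=range(1, 11)) -> Optional[dict]:
    """Pick the smallest tdma-period-size (ms) whose guard-time overhead is at
    most max_unused; smallest, because a bigger period raises latency.
    Assumptions: candidate periods 1..10 ms (check what your firmware accepts)
    and a cell radius of the farthest link plus a few km of padding, as the
    Tweaks section recommends.  Returns None when no candidate period meets the
    target, i.e. the link is too long for that overhead budget."""
    for period in periods:
        unused = unused_fraction(farthest_km, period)
        if unused <= max_unused + 1e-12:
            return {
                "tdma_period_ms": period,
                "unused_pct": round(unused * 100.0, 2),
                "round_trip_us": round_trip_us(farthest_km),
                "cell_radius_km": math.ceil(farthest_km) + padding_km,
            }
    return None


def nv2_config_line(plan: dict, interface: str = "wlan1") -> str:
    """Render the plan as a RouterOS-style 'set' line using the parameter names
    this guide lists (wireless-protocol, nv2-cell-radius, tdma-period-size).
    Verify the names against your firmware before pasting into a terminal."""
    return (f"/interface wireless set {interface} wireless-protocol=nv2 "
            f"nv2-cell-radius={plan['cell_radius_km']} "
            f"tdma-period-size={plan['tdma_period_ms']}")


if __name__ == "__main__":
    for km in (30, 60, 120, 300):
        plan = plan_nv2(km)
        if plan is None:
            print(f"{km} km: no period in 1..10 ms keeps the unused share <= 10%")
        else:
            print(f"{km} km: {plan}")
            print("   ", nv2_config_line(plan))
```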
This enhanced TDMA/TDD scheme offers a unique Multiple-Point-to-Point (P2P) architecture: it allows multiple units to be deployed at one hub site, from where they provide a dedicated high-capacity connection to each remote site. It synchronizes the transmission of collocated radios, thus removing the interference commonly experienced with collocated TDD radios.
By synchronizing all links to a centralized accurate time server (NTP) and adding an ordinary hub switch among the centralized link ends, we developed scripts that examine the TDMA period of each P2P link in the radio hub and adjust it by pushing internal scripts onto the individual P2P links. This adjusts the tdma-period-size, the time period that the WAP AP uses for media access scheduling. A smaller period can potentially decrease latency (because the AP can assign time to the remote AP sooner), but increases protocol overhead and therefore decreases throughput. Increasing the period increases throughput but also increases latency. The internal scripts may need to increase this value for especially long links to get acceptable throughput. These scripts would also adjust the channels of each link for multichannel synchronization of burst radios with adjacent channel interference. This allows creating an uplink schedule based on the estimated distance (propagation delay) to clients such that media usage is most effective. This improves throughput and reduces interference, especially in multiple point-to-point (radio hub) configurations.
Multiple point-to-point radio Hub Deployment with TDMA/TDD Synchronization
Monitoring
Winbox or Webfig
See all online machines
IP->Hotspot->Hosts
See all active IP addresses
Tools->IP Scan, choose the interface to be bridge1, then Start
Leave Address Range blank
Log
General firewall logs
Log->
Firewall Health
System->Health
CPU Usage
Tools->Profile->Start
Logging
System->Logging
The firewall can send emails for any log message, but that is really too much. Currently we log all events to a W2K3 DB server with the Dude.
Traffic and system resource graphing
From Web (webfig)
Graphs->
For example, bridge1 shows all traffic:
Troubleshooting tools
Tools->Torch
Torch is a realtime traffic monitoring tool that can be used to monitor the traffic flow through an interface.
Choose ‘bridge1’ as the interface for the intranet:
SNMP
Hook up with Dude to monitor all devices.
Dude
See Dude session
Configuration for WAP-520N with MIMO 2.4GHz
NOTE: DUE TO HIGH POWER MODULES INSIDE, YOU MUST
HAVE ANTENNA CONNECTED WITH N-TYPE CONNECTORS OF
WAP-520N TO AVOID OVERHEATING OF INTERNAL RADIO.
Default Configuration
GUI MODE
Run winbox.exe from the CD: WAP_CAP/utilities/winbox.exe. Have your WAP connected to your intranet, regardless of IP, since it can be connected through the MAC neighborhood.
Default IP: AP mode – 10.1.1.31; Client mode – 10.1.1.32
Alternatively, use your web browser and key in the above IP address if available. This is WebFig mode, which has identical content to Winbox mode.
If there is no IP address, you can run Winbox mode:
Click MAC Address then click Connect. You can also click IP Address and click Connect.
SCRIPT MODE
You can copy and paste the initial configuration below using New Terminal, available from the above utilities:
Scripts for initial setting
This is from WAP_CAP/configuration/WAP-520N_default.txt:
# ---------------------------------------------------------------------------------------------
# AP Side (AP-bridge) for MIMO. IP address is 10.1.1.31
#
# do /system reset prior to the next setting. The system will ask you to reboot; type 'y' (no quotes)
#/system reset
/system identity set name=AP
# create a bridge for the ethernet and wireless interfaces
/int bridge add name=bridge1 protocol-mode=rstp
/ip address add address=10.1.1.31/24 broadcast=10.1.1.255 interface=bridge1
/int bridge port add interface=ether1 bridge=bridge1
/int bridge port add interface=wlan2 bridge=bridge1
/int wireless set wlan1 disabled=yes
/int wireless set wlan2 mode=ap-bridge band=2ghz-onlyn channel-width=20/40mhz-ht-above \
frequency=2412 ssid=WAP-520N wireless-protocol=any disabled=no scan-list=2312-2497 frequency-mode=superchannel \
country=no_country_set default-forwarding=no \
rate-set=default distance=dynamic periodic-calibration=disabled hw-retries=15 frame-lifetime=3 \
adaptive-noise-immunity=ap-and-client-mode ht-txchains=0,1 ht-rxchains=0,1
/ip firewall connection tracking set enabled=no
/system backup save name=factory
/system routerboard print
/system reboot
y
#
# ---------------------------------------------------------------------------------------------
# CPE Side (station) for MIMO. IP address is 10.1.1.32
#
# do /system reset prior to the next setting. The system will ask you to reboot; type 'y' (no quotes)
/system reset
/system identity set name=CLIENT
# create a bridge for the ethernet and wireless interfaces
/int bridge add name=bridge1 protocol-mode=rstp
/ip address add address=10.1.1.32/24 broadcast=10.1.1.255 interface=bridge1
/int bridge port add interface=ether1 bridge=bridge1
/int bridge port add interface=wlan2 bridge=bridge1
/int wireless set wlan1 disabled=yes
/int wireless set wlan2 mode=station-bridge band=2ghz-onlyn channel-width=20/40mhz-ht-above \
frequency=2412 ssid=WAP-520N wireless-protocol=any disabled=no frequency-mode=superchannel \
country=no_country_set default-forwarding=no \
rate-set=default distance=dynamic periodic-calibration=disabled hw-retries=15 frame-lifetime=3 \
adaptive-noise-immunity=ap-and-client-mode ht-txchains=0,1 ht-rxchains=0,1
/ip firewall connection tracking set enabled=no
/system backup save name=factory
/system reboot
y
You can type /system reset to reset back to the default configuration (without settings). You can also restore the factory setting (the configuration above) by using Files->choose ‘factory backup’ then click Restore.
Wireless Configuration
Note: your WAP-520N is equipped with two radio modules, wlan1 and wlan2. wlan1 is disabled as a backup radio. Keep it disabled and use wlan2 all the time.
Click Wireless, then choose wlan2 by double clicking it:
Choose the Wireless tab and Advanced Mode; you will see the full options for the radio module:
Mode: ap bridge for AP mode, station bridge for CLIENT mode
Band: 2GHz-only-N for MIMO mode
Channel Width: 5/10/20/40MHz; choose 20/40MHz HT Above or Below for MIMO mode
For firmware version 6.30.1 and above:
eC = 20/40MHz-ht-below
Ce = 20/40MHz-ht-above
C is the center frequency
e is the extension channel
Scan List: enable the 2.3~2.4GHz range
Wireless Protocol: any
Frequency Mode: superchannel for all available frequencies
Country: no_country_set
The above performs best for bandwidth. 802.11b/g/n performs best for less than 10KM of range. For above 10KM range, you can use the same configuration, or maybe Band 2GHz B/G/N and let the system decide.
Available frequencies:
2312:0,2317:0,2322:0,2327:0,2332:0,2337:0,2342:0,2347:0,
2352:0,2357:0,2362:0,2367:0,2372:0,2377:0,2382:0,2387:0,2392:0,
2397:0,2402:0,2407:0,2412:0,2417:0,2422:0,2427:0,2432:0,2437:0,
2442:0,2447:0,2452:0,2457:0,2462:0,2467:0,2472:0,2477:0,2482:0,
2487:0,2492:0,2497:0,2502:0,2507:0,2512:0,2517:0,2522:0,2527:0,
2532:0,2537:0,2542:0,2547:0,2552:0,2557:0,2562:0,2567:0,2572:0,
Tx Power: use default for best performance.
Distance: use Dynamic, which is the default. You can also specify 20km by keying 20 instead of Dynamic.
Keep rest of option with default setting for best performance.
Click Apply / OK to save your changes.
Network Setting
Default is AP: 10.1.1.31; CLIENT 10.1.1.32
You can change it by IP->Addresses:
Double click above row:
Click Apply or OK to save your changes.
Password Setting
System->Password
Bandwidth Test
This was done as an indoor test with two 5dBi antennas on each WAP. Performance can be improved with proper setting of Tx Power, antenna aiming, channel choice to reduce interference, etc.
2412MHz N-only
UDP: average Tx 91Mbps / Rx 87Mbps, or total 188Mbps
TCP: average Tx 66Mbps / Rx 67Mbps, or total 133Mbps
2357MHz N-only
UDP: average Tx 97Mbps / Rx 86Mbps, or total 183Mbps
TCP: average Tx 46Mbps / Rx 41Mbps, or total 87Mbps
5850 MHz N-only
UDP: average Tx 105.0Mbps / Rx 112.5Mbps, or total 217.5Mbps. Single way would be 220.0Mbps
Configure WAP-350N
WAP-350N uses OFDM technology to support the 3.3~3.8GHz frequency range with 2X2 MIMO PtP bridging applications.
The standard frequency offset for WAP-350N is 2106.6MHz. For example, if you set the driver to 5595MHz, the center frequency will be 5595-2106.6 = 3488.4MHz. The range of broadcast frequency is 3300~3800MHz, which means the driver setting is 5407-5907 MHz.
A sample frequency mapping:
Offset (MHz)   Driver Freq. (MHz)   Antenna Freq. (MHz)
2106.6         5410                 3303.4
2106.6         5510                 3403.4
2106.6         5610                 3503.4
2106.6         5710                 3603.4
2106.6         5810                 3703.4
2106.6         5910                 3803.4
Configuration Script
#
# this is a sample configuration for P2P with standard 802.11n & MIMO for maximum bandwidth in the lab
# you may need to adjust it for field deployment
# 802.11:
wireless-protocol=802.11
# nv2:
wireless-protocol=nv2
# nv2 nstreme 802.11: wireless-protocol=nv2-nstreme-802.11,
#
#
/system routerboard print
/system routerboard upgrade
/system reboot
# ---------------------------------------------------------------------------------------------
# AP Side (AP-bridge) for MIMO. IP address is 10.1.1.31
#
# do /system reset prior to the next setting. The system will ask you to reboot; type 'y' (no quotes)
/system reset
/system routerboard print
/system routerboard upgrade
/system reboot
/system identity set name=AP
# create a bridge for the ethernet and wireless interfaces
/int bridge add name=bridge1 protocol-mode=rstp
/ip address add address=10.1.1.31/24 broadcast=10.1.1.255 interface=bridge1
/int bridge port add interface=ether1 bridge=bridge1
/int bridge port add interface=wlan1 bridge=bridge1
/int wireless set wlan1 mode=ap-bridge band=5ghz-onlyn channel-width=20/40mhz-ht-above \
frequency=5600 ssid=COM-5024 wireless-protocol=802.11 disabled=no country=netherlands default-forwarding=no \
rate-set=default distance=dynamic periodic-calibration=disabled hw-retries=15 frame-lifetime=3 \
adaptive-noise-immunity=ap-and-client-mode ht-txchains=0,1 ht-rxchains=0,1
/ip firewall connection tracking set enabled=no
/system backup save name=factory-ap
/system reboot
#
# ---------------------------------------------------------------------------------------------
# CPE Side (station) for MIMO. IP address is 10.1.1.32
#
# do /system reset prior to the next setting. The system will ask you to reboot; type 'y' (no quotes)
/system reset
/system identity set name=CLIENT
# create a bridge for the ethernet and wireless interfaces
/int bridge add name=bridge1 protocol-mode=rstp
/ip address add address=10.1.1.32/24 broadcast=10.1.1.255 interface=bridge1
/int bridge port add interface=ether1 bridge=bridge1
/int bridge port add interface=wlan1 bridge=bridge1
/int wireless set wlan1 mode=station band=5ghz-onlyn channel-width=20/40mhz-ht-above \
frequency=5600 ssid=COM-5024 wireless-protocol=802.11 disabled=no country=netherlands default-forwarding=no \
rate-set=default distance=dynamic periodic-calibration=disabled hw-retries=15 frame-lifetime=3 \
adaptive-noise-immunity=ap-and-client-mode ht-txchains=0,1 ht-rxchains=0,1
/ip firewall connection tracking set enabled=no
/system backup save name=factory-cpe
/system reboot
Appendix A: Power Offset Table
TX-Power
The tx-power default setting is the maximum tx-power that the card can use. If you want to use larger values, you are able to set them, but do it at your own risk. Usually, you can use this parameter to reduce the tx-power. In general tx-power controlling properties should be left at the default settings. Changing the default setting may help with some cards in some situations, but without testing, the most common result is degradation of range and throughput. Some of the problems that may occur are: (1) overheating of the power amplifier chip and the card, which will cause lower efficiency and more data errors; (2) overdriving the amplifier, which will cause more data errors; (3) excessive power usage by the card, which may overload the 3.3V power supply of the board that the card is located on, resulting in voltage drop and reboot or excessive temperatures for the board.
Note: the values in this table are set in dBm, NOT in mW!
Standard 600mW 802.11a/n MIMO radio card
The power offset is 5 dBm. This means that the driver reports a lower transmit power level than the genuine output power of the card, and therefore a correction factor of 5dB is required.
This is what it should look like with DEFAULT power levels: you have to visually add 5 to the total Tx power and that is then the true power. (See the example picture on the right.)
This is considered the normal and optimal setting for your WAP/CAP. It is highly recommended to use DEFAULT settings.
Standard 600mW 802.11a and 800mW 802.11b/g radio card
You should choose Antenna Mode to be “antenna a” for this type of radio if only one radio is available:
Power offset table (Target power vs Actual output power) for 8603
802.11a      7dB
802.11b/g    9dB
Referring to the power offset table above, if you set 18 as your Tx Power, it would produce 18+7 = 25 dB for 802.11a.
If you set it to 25 dB, which means 25 + 8 = 33 dB, more than the maximum power this card can offer, it would stay at the maximum power value.
Thus, if you feel the power is insufficient, you can set a higher value such as 25 dB, which would produce maximum Tx power (limited to 600mW peak). Remember to connect an external antenna prior to setting the radio to a very high Tx power. Also, the Default setting usually comes with better performance for the link. Thus, unless you suspect there is an issue with power from the radio, do not over-power it, even though your radio comes with circuit protection.
If you have set Tx power to a very high value and still feel the gain is insufficient, then you can compare with another AP to see the difference. Usually if you are in the lab and it is over-powered, it can feel under-powered. Move it outdoors with some range and see the difference by cranking the power up or down.
Ubiquiti SR / XR
You should choose Antenna Mode to be “antenna a” for this type of radio if only one radio connector (MMCX) is available, such as XR2 / XR5.
When using SR2 / SR5 with two radio connectors, one u.fl and the other MMCX, take 'antenna b' if you are using the MMCX connector (antenna-mode=ant-b). The default for SR2/SR5 is the u.fl connector, which is ‘antenna-a’.
Because of problems with TX power control in certain versions of the Atheros MADWIFI Linux Driver, the SR / XR cards were purposely programmed with a power "offset" which causes the driver to think it is transmitting at a lower power level than it really is. The table below shows the maximum power levels programmed into the cards versus the actual corresponding output power levels. It is important to realize that what the driver reports will be significantly lower than the TX power of the radio.
It is always a good idea to leave power levels at their default settings as this will produce radio operation according to the SR / XR specifications. If there are any questions concerning power offsets, please contact support@ubnt.com or give Ubiquiti a call at 408-942-1153.
Radio Card   Default / Programmed Max Power (dBm)   Offset (dB)   True Max. Avg. Output Power (dBm)
SR2          16                                     10            26
SR9          16                                     12            28
SR5          19                                     7             26
XR2          18                                     10            28
XR5          18                                     10            28
Refer to http://www.ubnt.com/downloads/ubi_mtik_power.pdf:
Using power setting override can lead to a variety of problems and it is highly recommended that the default power settings be used for all Ubiquiti cards. The only instance the power settings should be used is to lower the overall power. However, when lowering the power, it is important to note that higher data rate power must be kept at specifications in line with Ubiquiti's datasheets in order to ensure smooth error-free throughput. Below is a table of Ubiquiti cards, power offset information, and whether firmware has implemented correction for the offset (as of 8/2007).
It is STRONGLY recommended that the default power settings are used at all times.
Unex CM10H
There is no offset value for this radio module.
Appendix B: Setting for ACK Timeout
If you get poor throughput at extra long range, such as 15 miles or 20 kilometers or further, you may need to adjust the ACK timing.
RESOLUTION:
For long-range deployments we feature the ability to fine-tune parameters such as slot time, ACK and CTS timeouts away from the recommended values to achieve a longer range.
The ACK Timeout can be adjusted, which decides the maximum range of the link. It is defined by the formula: ACK = 23 + d/150, where 'd' is the distance in meters between the antennas of the devices. The parameter determines the period of time for which the base station awaits a response from the other device. Simply, a longer time is needed for a bigger distance.
Distance in meters/150 + 23 = ack delay (timeout)
Example: 24km = 24000 meters
24000/150 = 160
160 + 23 = 183
Ack delay = 183
General rules for ACK timing:
• The farthest customer determines the speed of all connected to the AP, so plan accordingly.
100 (25uS) for 5 miles or less
200 (50uS) for 10 miles or less
400 (100uS) for 20 miles or less
• Do consider ALL of the customers that you will be serving, and determine the farthest one. All of the "timings" will be affected by the farthest customer. You cannot connect a bunch of "close" customers and then hook up a bunch of "far" customers. All the "kids" must play together!
• If the ACK timing is too high it will not affect the throughput that much. If the ACK time is too low it can drop your throughput to the point of being unusable and can even make the system not connect. Some people also claim that the higher the ACK timing the lower the throughput, therefore if the ACK setting is too high then throughput will be lost waiting for the ACK window to time out on lost packets. If the ACK setting is too low then the ACK window will have expired and the returning packet will be dropped, greatly lowering throughput.
• A procedure for finding the optimal ACK can be: start with 400 (100uS) at both ends so the link comes up and you can ping the other box. Then halve YOUR side of the connection. If you are still connected and can ping the other side, halve again. If you cut yourself off, increase the number to half-way between your current non-working and previous working value, so you approximate the optimum:
i.e.
start 400 (which is 100uS, or the value of 100 you see on WAP/CAP)
lower to 200 -> still connected
lower to 100 -> still connected
lower to 50 -> not connected
rise to 75 -> not connected
rise to 87 (half way between 75 and 100: 75+100=175 / 2 = 87) -> not connected
rise to 94 (half way between 87 and 100) -> connected, there you go.
Usually we always add 10 to this number, just for safety and some room for trial and error in the future.
We have found out that if you have a clean environment without interference, this number is not important; it comes into play only when a great number of retransmissions is required. We didn't find any practical performance difference between setting 55 (the lowest one which worked; 53 didn't connect) and 75.
• For example, it's very suitable for the WAP-1915/CAP-1900 series to set ACK to 91 for a range of 20KM. A LOS range with a 24dBi antenna can easily be 50+ km with a decent fade margin. Use an ACK setting less than 91 for 10KM, which needs to be practiced in the field. If you are building a very short range site, such as a few kilometers, then the default 0 value is fine.
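The ACK = 23 + d/150 formula and the halve-then-bisect search described above, as an added example (Python written for this guide, not WiBorne or RouterOS code). The link_ok callback stands in for the "can I still ping the other side" test; the constructed version used here simply assumes the link comes up at or above a chosen threshold, and the +10 margin is the text's habit of adding 10 for headroom.

```python
"""ACK timeout helpers for long links (added example, not WiBorne code)."""
from typing import Callable, List, Tuple


def ack_timeout_from_distance(distance_m: float) -> float:
    """Formula from the text: ACK = 23 + d/150, d in metres. 24 km -> 183."""
    return 23 + distance_m / 150


def find_min_ack(link_ok: Callable[[int], bool], start: int = 400,
                 margin: int = 10) -> Tuple[int, List[Tuple[int, bool]]]:
    """Search for the lowest ACK timeout that keeps the link up, following the
    text's procedure: halve while the link still comes up, then bisect between
    the last failing and the last working value until they are adjacent.
    Returns (lowest_working + margin, trace); trace lists every (value, worked)
    probe in order so the run can be compared with the text's sequence."""
    if not link_ok(start):
        raise ValueError(f"link does not come up even at the start value {start}")
    trace: List[Tuple[int, bool]] = []
    hi = start          # last value known to work
    lo = None           # last value known to fail
    # Phase 1: halve while the link stays up.
    while hi > 1:
        probe = hi // 2
        ok = link_ok(probe)
        trace.append((probe, ok))
        if ok:
            hi = probe
        else:
            lo = probe
            break
    if lo is None:      # worked all the way down: a short link, default is fine
        return hi + margin, trace
    # Phase 2: bisect between the failing lo and the working hi.
    while hi - lo > 1:
        probe = (lo + hi) // 2
        ok = link_ok(probe)
        trace.append((probe, ok))
        if ok:
            hi = probe
        else:
            lo = probe
    return hi + margin, trace


def constructed_link(threshold: int) -> Callable[[int], bool]:
    """Stand-in for the real ping test (constructed): the link comes up if and
    only if the ACK timeout is at least `threshold`."""
    return lambda value: value >= threshold


if __name__ == "__main__":
    print("24 km ->", ack_timeout_from_distance(24000))      # 183.0
    best, trace = find_min_ack(constructed_link(91))
    for value, ok in trace:
        print(f"try {value:3d} -> {'still connected' if ok else 'not connected'}")
    print("use ACK timeout", best)                            # 101
```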
ACK Timeout for WAP/CAP that equipped with Routerboards:
The Atheros card has been tested for distances up to 20 km providing connection speeds up to 17Mbit/s. With appropriate antennas and cabling the maximum distance should be as far as 50km.
These values of ack-timeout were approximated from the tests done by us, as well as by some of our customers:
Please note that these are not precise values. Depending on the hardware used and many other factors they may vary by up to +/- 15 microseconds. You can also use the dynamic ack-timeout value: the router will determine the ack-timeout setting automatically by periodically sending packets with a different ack-timeout. The ack-timeout values at which the ACK frame was received are saved and used later to determine the real ack-timeout.
For WAP-240/WAP-500/WAP-520:
The ack timeout is calculated on each association when ack-timeout=dynamic. A little bit of packet loss can leave it at an unreasonably high ack-timeout, giving really poor performance. ack-timeout=dynamic is meant to be used when you initially set up the link; it should then be fixed at the suggested ack-timeout. The ack-timeout is different in each "band" and different for each channel width (5mhz, 10mhz, 20mhz, 40mhz). It is also different depending on the distance of the link.
Dynamic ack only works against Atheros. ack-timeout=dynamic did not work on an AP with a PLC/PRISM radio that had no concept of dynamic ack timeout. And since the AP calculated the ACK timeout by gradually decreasing the ACK timeout during association, it usually failed miserably. Might be wrong, it's been 3 years! Just as a side note: leaving ack-timeout at a static 80 usually did the trick for clients closer than 3-4 km. It still works today.
Without an ack-timeout setting on clients and AP, you will experience very poor performance for links longer than ~4 km, depending on the firmware. If a link is longer than the (prism hardcoded?) ack-timeout then every packet that this station (or AP) transmits will essentially be retransmitted X number of times, even though the first was accepted. But perhaps none of your links are longer than that?
Under nstreme it is not necessary to set the ack timeout; just leave it as dynamic.
Try this:
We have wireless router A connected to wireless router B through a 10 km 802.11a (20mhz) link. Set the ack timeout on both sides. Then change the link to "turbo" (40mhz) mode (it should still work). Then change the ack timeout to dynamic, read the ack-timeouts and set the new ack-timeout values to the suggested ones. They will be lower by this point (roughly half).
General rules for RTS/CTS:
• From experience, 256 is a good RTS setting for WISPs. The lowest setting of 64 really cuts
down on throughput, since every ACK packet now has RTS/CTS overhead.
• You can also try 256, then 128 and finally even 64. You will lose more capacity, but packet
clobbering will be minimized as you lower RTS.
• You set the RTS on the CPE only, never on the AP.
o Basically this tells the CPEs to wait for a clear signal before sending anything larger than
that packet size.
o A general rule of thumb for RTS is: the more clients you have, the lower the value should
be set.
o So if it is set to 2347, that basically means go ahead and collide with anything it can't
"hear" itself (the hidden node problem).
o If you have it set to 512, the CPE will ask the AP whether it is clear to send for packets larger than that.
o Which means if you have one CPE flooding the AP with packets smaller than 512, it
will be stomping on the AP access of other CPEs that it can't hear or that can't hear it
sending.
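As an added example (not part of the guide), the rule "wait for a clear signal before sending anything larger than that size" can be checked against a traffic mix. The Python below uses a constructed sample of MAC-frame sizes (TCP ACKs, small data frames and full-size data frames; all assumed values) and reports what share of frames would carry the RTS/CTS handshake at each candidate threshold, which makes the throughput-versus-collision trade-off in the rules above concrete.

```python
# Added example, not from the WiBorne guide: shows which frames in a traffic mix
# would be protected by an RTS/CTS exchange at each candidate RTS threshold.
# Rule modelled: a frame is preceded by RTS/CTS when its size exceeds the
# threshold; 2347 is the conventional "never" value.

# Constructed sample of MAC-frame sizes in bytes (assumed, for illustration):
# 20 TCP ACKs, 5 small data frames, 15 full-size data frames.
SAMPLE_FRAME_SIZES = [76] * 20 + [300] * 5 + [1538] * 15

CANDIDATE_THRESHOLDS = (2347, 512, 256, 128, 64)


def needs_rts(frame_size, rts_threshold):
    """True when the frame is larger than the RTS threshold and so is
    sent only after an RTS/CTS handshake."""
    return frame_size > rts_threshold


def rts_protected_fraction(frame_sizes, rts_threshold):
    """Fraction of frames (by count) that would carry RTS/CTS overhead."""
    if not frame_sizes:
        return 0.0
    protected = sum(1 for s in frame_sizes if needs_rts(s, rts_threshold))
    return protected / len(frame_sizes)


def compare_thresholds(frame_sizes, thresholds=CANDIDATE_THRESHOLDS):
    """Map each candidate threshold to the fraction of frames it protects.
    Lower thresholds protect more frames against hidden-node collisions at
    the cost of handshake overhead on every protected frame."""
    return {t: rts_protected_fraction(frame_sizes, t) for t in thresholds}


if __name__ == "__main__":
    for threshold, fraction in compare_thresholds(SAMPLE_FRAME_SIZES).items():
        print(f"rts-threshold={threshold:4d}: {fraction:5.1%} of frames use RTS/CTS")
```

With the constructed mix, 2347 protects nothing, 512 protects only the full-size frames, 256 and 128 also catch the small data frames, and 64 puts the handshake in front of every TCP ACK as well, which is the throughput loss the first rule warns about.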
The following description of ACK timeout, slot time and performance is from the MadWifi wiki:
http://madwifi.org/wiki/UserDocs/LongDistance#ACKtimeoutandSlottime
ACK timeout and Slot time
In 802.11a/b/g all data transmissions are acknowledged by the receiving radio and the transmitter makes
a number of retransmission attempts if such an ack is not received. (Note that there are ways to send
unacknowledged packets using multicast or multimedia features.) The acknowledgments affect long
distance links in that the transmitter waits for a limited amount of time before retrying. If the ACK
timeout is set too short, the transmitter will start retransmitting before an ACK could have possibly been
received and this retransmission may well actually interfere with an ACK that is "on its way". (It is
important to note that this retransmission will occur after a random backoff.) The end result is that actual
throughput is very low and the number of retransmissions is excessively high. If, conversely, the ACK
timeout is set too long, the transmitter waits unnecessarily long before retransmitting in the case no
ACK is received. This represents lost time and thus reduces the throughput of the link.
In addition to the ACK timeout, there are a number of other time constants that need to be adjusted for
long distance links. These time constants have to do with the collision sensing and avoidance parts of the
protocol.
The bottom line is that you need to determine the distance between the radios (or the maximum distance
in the case of a mobile installation), calculate the time of flight of the packets in microseconds, and then
set the ACK timeout (and likewise the CTS timeout) to a little more than a round-trip time, and the slot time to
the one-way time. These settings are available in /proc/sys/dev/wifiX as slottime, ctstimeout, and
acktimeout. The easiest way to change these settings is using the athctrl utility provided with the driver.
For example, athctrl -d 15000 sets these parameters appropriately for stations located 15000 meters apart
(approx. 9.4 miles). Note that it is important that all stations that are communicating with each other use
the same value. So if you have an access point in a point-to-multipoint set-up where one client is 10000
meters away and the other is 15000 meters away, then you should run athctrl -d 15000 on all three nodes.
One little problem with the slot time is that 802.11g requires it to be switched between 9us and 20us
depending on whether a 802.11b client is associated or not (or something like that). You will thus see the
slot time suddenly be reset to one of these values if any association operation takes place on your access
point. There is a patch in the works to lock the slot time to what you set it. This description will be
updated when that goes into the code base...
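To make the calculation above concrete, here is an added Python example (not the guide's or MadWifi's code, and not what athctrl itself computes) that turns a link distance into the one-way flight time, slot time and ACK/CTS timeouts, sizes a point-to-multipoint cell for its farthest client, and checks whether a fixed ACK timeout such as the static 80 mentioned earlier still covers a given distance. The 5 µs safety margin and the 9 µs base slot added on top of the one-way time are this example's assumptions, not values from the page.

```python
# Added example, not from the WiBorne guide or the MadWifi project: derive the
# long-distance timing parameters described above from the link distance.
# Rule modelled: slot time ~ one-way flight time, ACK and CTS timeouts ~ a
# little more than the round-trip flight time. The 9 us base slot
# (802.11a short slot) added on top of the one-way time and the 5 us safety
# margin are assumptions of this example, not values from the page.
import math

SPEED_OF_LIGHT_M_PER_S = 299_792_458.0


def one_way_flight_us(distance_m):
    """Propagation delay over the link in one direction, in microseconds."""
    return distance_m / SPEED_OF_LIGHT_M_PER_S * 1e6


def long_distance_timings(distance_m, margin_us=5.0, base_slot_us=9.0):
    """Return slottime/acktimeout/ctstimeout (in us, rounded up) for a link
    of the given length. Every station on the link must use the same values."""
    if distance_m <= 0:
        raise ValueError("distance must be positive")
    one_way = one_way_flight_us(distance_m)
    round_trip = 2.0 * one_way
    return {
        "distance_m": distance_m,
        "one_way_us": one_way,
        "slottime_us": math.ceil(base_slot_us + one_way),
        "acktimeout_us": math.ceil(round_trip + margin_us),
        "ctstimeout_us": math.ceil(round_trip + margin_us),
    }


def ptmp_timings(client_distances_m, **kwargs):
    """Point-to-multipoint: size the shared timing for the farthest client,
    as the wiki text advises (run the same setting on every node)."""
    return long_distance_timings(max(client_distances_m), **kwargs)


def ack_timeout_is_safe(distance_m, acktimeout_us):
    """True when a configured ACK timeout is at least the round-trip flight
    time, i.e. the transmitter will not retry before an ACK could arrive."""
    return acktimeout_us >= 2.0 * one_way_flight_us(distance_m)


def max_distance_for_ack_timeout_m(acktimeout_us):
    """Longest link whose round-trip flight time fits in the given ACK timeout
    (propagation only; radio processing delays would reduce this further)."""
    return acktimeout_us * 1e-6 * SPEED_OF_LIGHT_M_PER_S / 2.0


if __name__ == "__main__":
    print(long_distance_timings(15000))          # the athctrl -d 15000 case
    print(ptmp_timings([10000, 15000]))           # shared values for the farthest client
    print(ack_timeout_is_safe(4000, 80), ack_timeout_is_safe(15000, 80))
    print(round(max_distance_for_ack_timeout_m(80)))
```

For the 15000 m case the one-way flight time is about 50 µs, so the round trip is about 100 µs and the ACK timeout must exceed that; a static 80 µs timeout covers the 4 km links from the earlier note but not a 15 km link. The numbers account for propagation only; receiver turnaround and processing delays in real radios push the required timeouts somewhat higher, so treat them as lower bounds.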
Performance expectations and measurements
The first measurement you are likely to do is to look at the SNR (signal to noise ratio) or quality values
displayed by iwconfig, iwlist, and athstats. What the values mean depends on the driver and differs from
chipset to chipset. For MadWifi there is only a single value that means anything and that's the signal-to-noise
or quality value. This value is in dB above the noise floor. That means the SNR or quality or rssi
values reported by the various applications are all derived from so-called rssi (received signal strength
indication) values placed into the tx/rx descriptors by the chipset and retrieved by the driver.
How about the signal strength and noise floor values you may see? Well, the hardware only returns
rssi/SNR measurements and the driver simply sets the noise floor value returned to various tools to a
constant -95dB. From that some tools calculate signal strength to be noise floor + signal to noise. So, in
other words, if you are using MadWifi you may as well only look at SNR and ignore all other values as
they don't contain any additional information. Comments in the driver further explain: "If you assume
that the noise floor is -95, which is an excellent assumption 99.5 % of the time, then you can derive the
absolute signal level (i.e. -95 + rssi). There are some other slight factors to take into account depending
on whether the rssi measurement is from 11b, 11g, or 11a. These differences are at most 2 dB and can be
documented."