manualshive.com logo in svg

Allied Telesis AT-WR4500 Series, User Manual, Page: 237 / 264

Share
Download
Allied Telesis AT-WR4500 Series User Manual Download Page 237

AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers 

237 

RouterOS v3 Configuration and User Guide 

if  user  is  logged  in, 

rstatus.html

  is  displayed;  if 

rstatus.html

  is  not  found, 

redirect.html

  is 

used to redirect to the status page  
if user is not logged in, 

rlogin.html

 is displayed; if 

rlogin.html

 is not found, 

redirect.html

 is 

used to redirect to the login page  

request for "/login" page  

if  user  has  successfully  logged  in  (or  is  already  logged  in), 

alogin.html

  is  displayed;  if 

alogin.html

 is not found, 

redirect.html

 is used to redirect to the originally requested page or 

the status page (in case, original destination page was not given)  
if user is not logged in (username was not supplied, no error message appeared), 

login.html

 is 

showed  
if login procedure has failed (error message is supplied), 

flogin.html

 is displayed; if 

flogin.html

 

is not found, 

login.html

 is used  

in case of fatal errors, 

error.html

 is showed  

request for "/status" page  

if user is logged in, 

status.html

 is displayed  

if user is not logged in, 

fstatus.html

 is displayed; if 

fstatus.html

 is not found, 

redirect.html

 is 

used to redirect to the login page  

request for '/logout' page  

if user is logged in, 

logout.html

 is displayed  

if user is not logged in, 

flogout.html

 is displayed; if 

flogout.html

 is not found, 

redirect.html

 

is used to redirect to the login page  

Note

 that if it is not possible to meet a request using the pages stored on the router's FTP server, Error 

404 is displayed 
There are many possibilities to customize what the HotSpot authentication pages look like: 
The pages are easily modifiable. They are stored on the router's FTP server in the directory you choose 
for the respective HotSpot server profile.  
By  changing  the  variables,  which  client  sends  to  the  HotSpot  servlet,  it  is  possible  to  reduce  keyword 
count to one (username or password; for example, the client's MAC address may be used as the other 
value) or even to zero (License Agreement; some predefined values general for all users or client's MAC 
address may be used as username and password)  
Registration  may  occur  on  a  different  server  (for  example,  on  a  server  that  is  able  to  charge  Credit 
Cards).  Client's  MAC  address  may  be  passed  to  it,  so  that  this  information  need  not  be  written  in 
manually. After the registration, the server should change RADIUS database enabling client to log in for 
some amount of time.

  

To insert variable in some place in HTML file, the $(var_name) syntax is used, where the "var_name" is 
the  name  of  the  variable  (without  quotes).  This  construction  may  be  used  in  any  HotSpot  HTML  file 
accessed as '/', '/login', '/status' or '/logout', as well as any text or HTML (

.txt

.htm

 or 

.html

) file stored 

on the HotSpot server (with the exception of traffic counters, which are available in status page only, and 

error

error-orig

chap-id

chap-challenge

  and 

popup

  variables,  which  are  available  in  login  page 

only). For example, to show a link to the login page, following construction can be used: 

<a href="$(link-login)">login</a> 

 

Variables  

All of the Servlet HTML pages use variables to show user specific values. Variable names appear only in 
the HTML source of the servlet pages - they are automatically replaced with the respective values by the 
HotSpot Servlet. For each variable there is an example of its possible value included in brackets. All the 
described variables are valid in all servlet pages, but some of them just might be empty at the time they 
are accesses (for example, there is no uptime before a user has logged in).  
Common server variables:  

hostname

 - DNS name or IP address (if DNS name is not given) of the HotSpot Servlet 

("hotspot.example.net")  

identity

 - RouterOS identity name ("AT-WR4562")  

login-by

 - authentication method used by user  

plain-passwd

 - a "yes/no" representation of whether HTTP-PAP login method is allowed ("no")  

server-address

 - HotSpot server address ("10.5.50.1:80")  

ssl-login

 - a "yes/no" representation of whether HTTPS method was used to access that servlet 

page ("no")  

Summary of Contents for AT-WR4500 Series

Page 1: ...PN 613 000813 Rev B AT WR4500 Series IEEE 802 11abgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide ...

Page 2: ...or registered trademarks of their respective owners Parts of this manual reproduced with Mikrotik permission from Mikrotik RouterOS v3 0 Reference Manual Allied Telesis Inc reserves the right to make changes in specifications and other information contained in this document without prior written notice The information provided herein is subject to change without notice In no event shall Allied Tel...

Page 3: ...LARY OR CONSEQUENTIAL DAMAGES DAMAGES FOR LOSS OF BUSINESS PROFITS OR DAMAGES FOR LOSS OF BUSINESS OF ANY CUSTOMER OR ANY THIRD PARTY ARISING OUT OF THE USE OR THE INABILITY TO USE THE PRODUCT OR THE SOFTWARES INCLUDING BUT NOT LIMITED TO THOSE RESULTING FROM DEFECTS IN THE PRODUCT OR SOFTWARE OR DOCUMENTATION OR LOSS OR INACCURACY OF DATA OF ANY KIND WHETHER BASED ON CONTRACT TORT OR ANY OTHER LE...

Page 4: ...ion 23 3 3 4 Downgrading 24 3 3 5 Disabling and Enabling 25 3 3 6 Unscheduling 25 3 3 7 System Upgrade 26 3 3 8 Adding Package Source 27 3 3 9 Software Package List 27 4 Configuring Interfaces 30 4 1 General Interface Settings 30 4 1 1 General Information 30 4 1 2 Interface Status 30 4 1 3 Traffic Monitoring 30 4 2 Ethernet Interfaces 31 4 2 1 General Information 31 4 2 2 Ethernet Interface Config...

Page 5: ...ge Brouting Facility 85 4 5 11 Troubleshooting 86 5 IP and Routing 87 5 1 IP Addresses and ARP 87 5 1 1 General Information 87 5 1 2 IP Addressing 87 5 1 3 Address Resolution Protocol 88 5 1 4 Proxy ARP feature 89 5 1 5 Unnumbered Interfaces 91 5 1 6 Troubleshooting 92 5 2 RIP Routing Information Protocol 92 5 2 1 General Information 92 5 2 2 General Setup 93 5 2 3 Interfaces 94 5 2 4 Networks 95 ...

Page 6: ...ested RADIUS Servers 134 7 1 5 Supported RADIUS Attributes 134 7 1 6 Troubleshooting 140 7 2 PPP User AAA 141 7 2 1 General Information 141 7 2 2 Local PPP User Profiles 141 7 2 3 Local PPP User Database 143 7 2 4 Monitoring Active PPP Users 144 7 2 5 PPP User Remote AAA 145 7 3 Router User AAA 145 7 3 1 General Information 145 7 3 2 Router User Groups 146 7 3 3 Router Users 147 7 3 4 Monitoring A...

Page 7: ...amples 183 8 7 8 Troubleshooting 187 8 8 IP Security 187 8 8 1 General Information 187 8 8 2 Policy Settings 189 8 8 3 Peers 191 8 8 4 Remote Peer Statistics 192 8 8 5 Installed SAs 193 8 8 6 Flushing Installed SA Table 194 8 8 7 Application Examples 195 9 Firewall and QoS 198 9 1 Filter 198 9 1 1 General Information 198 9 1 2 Firewall Filter 198 9 1 3 Filter Applications 203 9 2 Mangle 204 9 2 1 ...

Page 8: ...otSpot Users 246 10 4 4 HotSpot Active Users 247 11 High Availability protocols and techniques 249 11 1 VRRP 249 11 1 1 General Information 249 11 1 2 VRRP Routers 249 11 1 3 Virtual IP addresses 251 11 1 4 A simple example of VRRP fail over 251 11 2 System Watchdog 253 11 2 1 General Information 253 11 2 2 Hardware Watchdog Management 253 12 Monitoring and Management 255 12 1 Log Management 255 1...

Page 9: ...9 DHCP with RADIUS 128 Figure 20 EoIP Application Example 152 Figure 21 Bonding two EoIP tunnels 156 Figure 22 IPIP Tunnel example network 160 Figure 23 Router to Router Secure Tunnel Example 166 Figure 24 Secure Remote office connection through L2TP tunnel 167 Figure 25 Client to Office secure connection via L2TP tunnel 169 Figure 26 PPPoE Example 176 Figure 27 Network Setup without PPTP enabled ...

Page 10: ... router s command facility and perform the basic configuration tasts through the Command Line Interface The Web GUI and the WinBox application Chapter 3 Configuration and Software Management describes how to backup export and restore the router s configuration Chapters from 4 on describe all the available commands and parameters with some configuration examples Document Conventions This guide uses...

Page 11: ...on or server Returning Products Products for return or repair must first be assigned a return materials authorization RMA number A product sent to Allied Telesis without an RMA number will be returned to the sender at the sender s expense To obtain an RMA number contact Allied Telesis Technical Support through our web site http www alliedtelesis com support Sales or Corporate Information You can c...

Page 12: ... communication with local police patrols Local utilities can easily control their remote equipments and read in real time gas water and electricity meters without any need for expensive fiber cabling Hot spot services can be provided to hotel guests and hospital patients illuminating rooms from outside the building with a reduced impact on medical equipments because no transmit radio will be insta...

Page 13: ...lling functionalities Highly configurable QoS management for multimedia applications High sensitivity radio interface for longer reach and higher throughput on wireless links Wide choice of omnidirectional directional and sector antennas RoHS compliant 1 2 Software License RouterOS licensing scheme is based on software IDs To license the software you must know the software ID that is displayed dur...

Page 14: ...The MS Windows based utility WinBox can be downloaded from the Allied Telesis web site accessing http www alliedtelesis com Select you country access the Software and Documentation section under the Service Support menu select Wireless in the Product Category drop down menu and AT WR45421 in the Product drop down menu Scroll down the page and select the AT WR4500 WinBox loader from the list of ava...

Page 15: ...cted and logged into your router as shown in Figure 4 Figure 4 WinBox with terminal window open You can keep open as many WinBox internal windows as you need at the same time 2 3 Accessing the CLI When logging into the router via terminal console in telnet or SSH you will be presented with the RouterOS login prompt Use admin and no password hit Enter for logging into the router for the first time ...

Page 16: ...import interface Interface configuration ip log System logs password Change password ping Send ICMP Echo packets port Serial ports ppp Point to Point Protocol queue Bandwidth management quit Quit console radius Radius client settings redo Redo previously undone action routing setup Do basic setup of system snmp SNMP settings special login Special login users system System information and utilities...

Page 17: ...ambiguous a second Tab gives possible options Moves up to the base level command Executes the base level command Moves up one level Specifies an empty string word1 word2 Specifies a string of 2 words that contain a space You can abbreviate names of levels commands and arguments For the IP address configuration instead of using the address and netmask arguments in most cases you can specify the add...

Page 18: ...ext script file which can be downloaded from the router using FTP protocol The configuration dumped is actually a batch of commands that add without removing the existing configuration the selected configuration to a router The configuration import facility executes a batch of console commands from a script file System reset command is used to erase all configuration on the router Before doing tha...

Page 19: ...oad using FTP Command Description file filename saves the export to a file Example admin AT WR4562 ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 1 0 172 24 10 1 0 0 10 1 0 255 bridge1 1 10 5 1 1 24 10 5 1 0 10 5 1 255 ether1 admin AT WR4562 To make an export file admin AT WR4562 ip address export file address admin AT WR4562 ip address To see the fi...

Page 20: ...s erased interfaces will become disabled After the reset command router will reboot Command Description reset erases router s configuration If the router has been installed using netinstall and had a script specified as the initial configuration the reset command executes this script after purging the configuration To stop it doing so you will have to reinstall the router Example admin AT WR4562 s...

Page 21: ... download all command Property Description name read only name package name source read only IP address source IP address of the router from which the package list entry is retrieved status read only available scheduled downloading downloaded installed package status version read only text version of the package Command Description download download packages from list by specifying their numbers d...

Page 22: ...min AT WR4562 ystem upgrade upgrade package source print ADDRESS USER 0 192 168 25 8 admin admin AT WR4562 system upgrade upgrade package source 3 3 Software Package Management Document revision 1 3 Mon Jul 11 12 42 44 GMT 2005 Applies to V2 9 3 3 1 General Information Summary The RouterOS is distributed in the form of software packages The basic functionality of the router and the operating syste...

Page 23: ...s not enough free disk space for storing the upgrade packages it can be freed up by uninstalling some software packages which provide functionality not required for your needs If you have a sufficient amount of free space for storing the upgrade packages connect to the router using ftp Use user name and password of a user with full access privileges Step by Step Connect to the router using ftp cli...

Page 24: ...dmin AT WR4562 reboot 3 3 4 Downgrading Command name system package downgrade Description Downgrade option allows you to downgrade the software via FTP without losing your license key or reinstalling the router It is not recommended to use older versions however if the newest version introduced some unwanted behavior you may try to downgrade If you send a support question you will probably be aske...

Page 25: ...rked package cannot be disabled You should disable or uninstall the dependent package too For the list of package dependencies see the Software Package List section below If any of the test packages will be enabled for example wireless test and routing test packages that are included in routeros x86 npk system automaticly will disable regular packages that conflict with them Example Suppose we nee...

Page 26: ...user name and password to system upgrade upgrade package source on the router s you will be upgrading This step will only be needed once and you may continue using the same package source in future to upgrade the router s again See the next section for details Refresh available software package list system upgrade refresh See available packages using system upgrade print command Download selected ...

Page 27: ... address of the router from which the package list entry will be retrieved password text password of the remote router user text username of the remote router After specifying a remote router in system upgrade upgrade package source you can type system upgrade refresh to refresh the package list and system upgrade print to see all available packages Example To add a router with IP address 192 168 ...

Page 28: ...low shows additional software feature packages extended functionality provided by them the required prerequisites and additional licenses if any Allied Telesis distributes and supports the following packages only Package name Contents Prerequisites Additional License advanced tools email client pingers netwatch and other utilities none none calea Call Content Connection CCC data retention server f...

Page 29: ...1abgh Outdoor Wireless Routers 29 RouterOS v3 Configuration and User Guide Package name Contents Prerequisites Additional License wireless Support for wireless interfaces with updated Country Regulatory Domain settings none None ...

Page 30: ...er l2tp client l2tp server moxa c101 moxa c502 mtsync pc ppp client ppp server pppoe client pppoe server pptp client pptp server pvc radiolan sbe vlan wavelan wireless xpeed interface type Example To see the list of all available interfaces admin AT WR4562 interface print Flags X disabled D dynamic R running NAME TYPE RX RATE TX RATE MTU 0 R ether1 ether 0 0 1500 1 R bridge1 bridge 0 0 1500 2 R et...

Page 31: ...s with all available features This section describes how to configure the various parameters and settings Specifications Packages required system License required Level1 Submenu level interface ethernet Standards and Technologies IEEE 802 3 Hardware usage Not significant Related Topics Software Package Management IP Addresses and ARP DHCP and DNS Additional Resources http grouper ieee org groups 8...

Page 32: ... is set on the specific interface becomes invalid Command Description reset mac name set the MAC address of the NIC to the factory default setting Example admin AT WR4562 interface print Flags X disabled D dynamic R running NAME TYPE RX RATE TX RATE MTU 0 X ether1 ether 0 0 1500 admin AT WR4562 interface enable ether1 admin AT WR4562 interface print Flags X disabled D dynamic R running NAME TYPE R...

Page 33: ...comply with IEEE 802 11 set of standards These interfaces use radio waves as a physical signal carrier and are capable of data transmission with speeds up to 108 Mbps in 5GHz turbo mode RouterOS can operate wireless interfaces as wireless clients station mode wireless bridges bridge mode wireless access points ap bridge mode and for antenna positioning alignment only mode RouterOS provides a compl...

Page 34: ...ncy 5805 band 5ghz mode bridge disabled no The remote interface should be configured to station as showed below To make the wireless interface as a wireless station working in 802 11a standard and Service Set Identifier p2p interface wireless set wlan1 ssid p2p band 5ghz mode station disabled no Specifications Packages required wireless License required Level4 station and bridge mode Submenu level...

Page 35: ...transmission acceptance timeout in microseconds for acknowledgement messages Can be one of these dynamic ack timeout is chosen automatically indoors standard constant for indoor usage adaptive noise immunity yes no default yes adjust various receiver parameters dynamically to minimize interference and noise effect on the signal quality allow sharedkey yes no default no allow WEP Shared Key cilents...

Page 36: ...t compression country albania algeria argentina armenia australia austria azerbaijan bahrain belarus belgium belize bolvia brazil brunei darussalam bulgaria canada chile china colombia costa rica croatia cyprus czech republic denmark dominican republic ecuador egypt el salvador estonia finland france france_res georgia germany greece guatemala honduras hong kong hungary iceland india indonesia ira...

Page 37: ...ngs are allowed hide ssid yes no default no whether to hide ssid or not in the beacon frames yes ssid is not included in the beacon frames AP replies only to probe requests with the given ssid no ssid is included in beacon frames AP replies to probe requests with the given ssid ant to broadcast ssid empty ssid hw retries integer default 15 number of frame sending retries until the transmission is ...

Page 38: ...accepted by older RouterOS versions This will include the new format as well so this mode is compatiblewith all RouterOS versions This mode is incompatible with wireless clients built on the new Centrino wireless chipset and may as well be incompatible with some other stations radio name text descriptive name of the card Only for RouterOS devices rate set default configured which rate set to use d...

Page 39: ...ted to leave basic rates at the lowest setting possible Using compression the AP can serve approximately 50 clients with compression enabled Compression is supported only by Atheros wireless interfaces like the ones used in AT WR4500 series If disable running check value is set to no the router determines whether the network interface is up and running in order to show flag R for AP one or more cl...

Page 40: ...m tx signal strength 35dBm noise floor 96dBm signal to noise 73dB tx ccq 79 rx ccq 46 p throughput 28681 overall tx ccq 79 authenticated clients 1 current ack timeout 56 wds link no nstreme no framing mode none routeros version 3 0 last ip 10 10 10 1 802 1x port enabled yes compression no current tx powers 1Mbps 19 19 2Mbps 19 19 5 5Mbps 19 19 11Mbps 19 19 6Mbps 19 19 9Mbps 19 19 12Mbps 19 19 18Mb...

Page 41: ... 4 Nstreme2 Group Settings Submenu level interface wireless nstreme dual Description Two radios in nstreme dual slave mode can be grouped together to make nstreme2 Point to Point connection To put wireless interfaces into a nstreme2 group you should set their mode to nstreme dual slave Many parameters from interface wireless menu are ignored using the nstreme2 except frequency mode country antenna...

Page 42: ...ency integer default 5320 Frequency to use for receiving frames rx radio name which radio should be used for receiving frames tx band operating band of the transmitting radio 2 4ghz b IEEE 802 11b 2 4ghz g IEEE 802 11g 2 4ghz g turbo IEEE 802 11g in Atheros proprietary turbo mode up to 108Mbit 5ghz IEEE 802 11a up to 54 Mbit 5ghz turbo IEEE 802 11a in Atheros proprietary turbo mode up to 108Mbit 2...

Page 43: ...own rx radio unknown remote mac 00 00 00 00 00 00 tx band 5GHz tx frequency 5180 rx band 5GHz rx frequency 5320 disable csma no rates b 1Mbps 2Mbps 5 5Mbps 11Mbps rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps framer policy exact size framer limit 4000 admin AT WR4562 interface wireless nstreme dual set 0 disabled no tx radio wlan1 rx radio wlan2 remote mac 00 0C 42 05 0B 12 admin...

Page 44: ...g receiving framing packed frames read only integer integer number of frames packed into larger ones for transmitting receiving framing packets read only integer integer number of sent and received network layer packets radio name read only text radio name of the peer routeros version read only name RouterOS version of the registered client rx ccq read only integer 0 100 Client Connection Quality ...

Page 45: ...its AP list which do not have such ssid If a rule is matched and the parameter connect is set to yes the station will connect to this AP If the parameter says connect no or the rule is not matched we jump to the next rule If we have gone through all rules and haven t connected to any AP yet The router chooses an AP with the best signal and ssid that is set under interface wireless In case when the...

Page 46: ...ngth range in dBm Rule is matched if the signal from AP is within this range time time rule is only matched during the specified period of time If you have default authentication action for the interface set to yes you can disallow this node to register at the AP s interface wlanN by setting authentication no for it Thus all nodes except this one will be able to register to the interface wlanN If ...

Page 47: ...5100 5105 5110 5115 5120 5125 5130 5135 5140 5145 5150 5155 5160 5165 5170 5175 5180 5185 5190 5195 5200 5205 5210 5215 5220 5225 5230 5235 5240 5245 5250 5255 5260 5265 5270 5275 5280 5285 5290 5295 5300 5305 5310 5315 5320 5325 5330 5335 5340 5345 5350 5355 5360 5365 5370 5375 5380 5385 5390 5395 5400 5405 5410 5415 5420 5425 5430 5435 5440 5445 5450 5455 5460 5465 5470 5475 5480 5485 5490 5495 ...

Page 48: ...erOS v3 Configuration and User Guide There is a special argument for the print command print count only It forces the print command to print only the count of information topics interface wireless info print command shows only channels supported by a particular card ...

Page 49: ...5 0 5590 0 5595 0 5600 0 5605 0 5610 0 5615 0 5620 0 5625 0 5630 0 5635 0 5640 0 5645 0 5650 0 5655 0 5660 0 5665 0 5670 0 5675 0 5680 0 5685 0 5690 0 5695 0 5700 0 5705 0 5710 0 5715 0 5720 0 5725 0 5730 0 5735 0 5740 0 5745 0 5750 0 5755 0 5760 0 5765 0 5770 0 5775 0 5780 0 5785 0 5790 0 5795 0 5800 0 5805 0 5810 0 5815 0 5820 0 5825 0 5830 0 5835 0 5840 0 5845 0 5850 0 5855 0 5860 0 5865 0 5870...

Page 50: ...e a new AP with different ssid and mac address It can be compared with a VLAN where the ssid from VAP is the VLAN tag and the hardware interface is the VLAN switch You can add up to 128 VAP interfaces for each hardware interface RouterOS supports VAP feature for Atheros AR5212 and newer Property Description area text default string value that is used to describe an Access Point Connect List on the...

Page 51: ...ges more than by 10 since the last recalculation wds default bridge name default none the default bridge for WDS interface If you use dynamic WDS then it is very useful in cases when wds connection is reset the newly created dynamic WDS interface will be put in this bridge wds default cost integer default 100 default bridge port cost of the WDS links wds ignore ssid yes no default no if set to yes...

Page 52: ... interfaces If you want to use dynamic WDS in a bridge set the wds default bridge value to desired bridge interface name When the link will go down and then it comes up the dynamic WDS interface will be put in the specified bridge automatically As the routers which are in WDS mode have to communicate at equal frequencies it is not recommended to use WDS and DFS simultaneously it is most probable t...

Page 53: ...g the command interface wireless align monitor then it will automatically change the wireless interface s mode from station bridge or ap bridge to alignment only Example admin AT WR4562 interface wireless align print frame size 300 active mode yes receive all yes audio monitor 00 00 00 00 00 00 filter mac 00 00 00 00 00 00 ssid all no frames per second 25 audio min 100 audio max 20 admin AT WR4562...

Page 54: ... WR4562 interface wireless frequency monitor wlan1 FREQ USE 2412MHz 3 8 2417MHz 9 8 2422MHz 2 2427MHz 0 8 2432MHz 0 2437MHz 0 9 2442MHz 0 9 2447MHz 2 4 2452MHz 3 9 2457MHz 7 5 2462MHz 0 9 To monitor other bands change the the band setting for the respective wireless interface 4 3 14 ManualTransmit PowerTable Submenu level interface wireless manual tx power table Description In this submenu you can...

Page 55: ...ork connections are lost while scanning Property Description address read only MAC address MAC address of the AP band read only text in which standard does the AP operate bss read only yes no basic service set freeze time interval time default 1s time in seconds to refresh the displayed data freq read only integer the frequency of AP interface_name name the name of interface which will be used for...

Page 56: ... the authentication process to the RADIUS server not used by the stations group ciphers multiple choice tkip aes ccm a set of ciphers used to encrypt frames sent to all wireless station broadcast transfers in the order of preference tkip Temporal Key Integrity Protocol encryption protocol compatible with lagacy WEP equipment but enhanced to correct some of WEP flaws aes ccm more secure WPA encrypt...

Page 57: ...packets 104bit wep use the 104bit encryption also known as 128bit wep and accept only these packets aes ccm use the AES CCM Advanced Encryption Standard in Counter with CBC MAC encryption algorithm and accept only these packets tkip use the TKIP Temporal Key Integrity Protocol and accept only these packets static key 0 text hexadecimal key which will be used to encrypt packets with the 40bit wep o...

Page 58: ... long Wireless encryption cannot work together with wireless compression 4 3 17 Sniffer Submenu level interface wireless sniffer Description With wireless sniffer you can sniff packets from wireless networks Property Description channel time time default 200ms how long to sniff each channel if multiple channels is set to yes file limit integer default 10 limits file name s file size measured in ki...

Page 59: ...it will be displayed by crc error flag Property Description band read only text wireless band dst read only MAC address the receiver s MAC address freq read only integer frequency interface read only text wireless interface that captures packets signal rate read only text at which signal strength and rate was the packet received src read only MAC address the sender s MAC address time read only tim...

Page 60: ...n BAND operating band Example Snoop 802 11b network admin AT WR4562 interface wireless snooper snoop wlan1 BAND FREQ USE BW NET COUNT STA COUNT 2 4ghz b 2412MHz 1 5 11 8kbps 2 2 2 4ghz b 2417MHz 1 3 6 83kbps 0 1 2 4ghz b 2422MHz 0 6 4 38kbps 1 1 2 4ghz b 2427MHz 0 6 4 43kbps 0 0 2 4ghz b 2432MHz 0 3 2 22kbps 0 0 2 4ghz b 2437MHz 0 0bps 0 0 2 4ghz b 2442MHz 1 8 1kbps 0 0 2 4ghz b 2447MHz 1 8 22kbps...

Page 61: ...ates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none...

Page 62: ...ding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both admin Station interface wireless ip address admin Station ip address add address 10 1 0 2 24 interface To AP admin Station ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 172 16 0 2 24 172 16 0 0...

Page 63: ...ge ssid wds sta test wds mode dynamic wds default bridge bridge1 disabled no band 2 4ghz b g frequency 2437 admin WDS_AP interface wireless print Flags X disabled R running 0 name wlan1 mtu 1500 mac address 00 0C 42 05 00 22 arp enabled disable running check no interface type Atheros AR5413 radio name 000C42050022 mode ap bridge ssid wds sta test area frequency mode superchannel country no_country...

Page 64: ...me 000B6B345A91 mode station wds ssid wds sta test area frequency mode superchannel country no_country_set antenna gain 0 frequency 2412 band 2 4ghz b g scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power...

Page 65: ...d test area frequency mode superchannel country no_country_set antenna gain 0 frequency 2437 band 2 4ghz b g scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor t...

Page 66: ...na gain 0 frequency 5805 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast fra...

Page 67: ...ng yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both admin Nstreme Client interface wireless nstreme admin Nstreme Client interface wireless nstreme set wlan1 enable nstreme yes admin Nstreme Client interface wireless nstreme print 0 name wlan1 enable nstreme yes enable polling yes framer poli...

Page 68: ...abled disable running check no interface type Atheros AR5413 radio name 000C42050028 mode nstreme dual slave ssid AT WR4500 area frequency mode superchannel country no_country_set antenna gain 0 frequency 5180 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic ...

Page 69: ...s 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore...

Page 70: ...will use 104bit wep for one station and 40bit wep for other clients The configuration of stations is also present Interface WEP STA1 MAC 00 0C 42 05 00 22 Interface WEP AP ssid mt_wep WEP_AP Internet WEP_Station1 40bit wep 104bit wep WEP_StationX Interface WEP STAX MAC 00 0C 42 05 06 B2 Figure 9 WEP security example The key used for connection between WEP_AP and WEP_Station1 will be 65432109876543...

Page 71: ... X disabled R running 0 name WEP AP mtu 1500 mac address 00 0C 42 05 04 36 arp enabled disable running check no interface type Atheros AR5413 radio name 000C42050436 mode ap bridge ssid mt_wep area frequency mode superchannel country no_country_set antenna gain 0 frequency 5320 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps...

Page 72: ... update 5m admin WEP_Station1 interface wireless security profiles admin WEP_Station1 interface wireless set wlan1 mode station ssid mt_wep band 5ghz security profile Station1 name WEP STA1 disabled no admin WEP_Station1 interface wireless print Flags X disabled R running 0 R name WEP STA1 mtu 1500 mac address 00 0C 42 05 00 22 arp enabled disable running check no interface type Atheros AR5413 rad...

Page 73: ...in WEP_StationX interface wireless print 0 R name WEP STAX mtu 1500 mac address 00 0C 42 05 06 B2 arp enabled disable running check no interface type Atheros AR5413 radio name 000C420506B2 mode station ssid mt_wep area frequency mode superchannel country no_country_set antenna gain 0 frequency 5180 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported ...

Page 74: ... 5m admin WPA_Station interface wireless security profiles Test the link between Access point and the client admin WPA_Station interface wireless print Flags X disabled R running 0 R name wlan1 mtu 1500 mac address 00 0B 6B 35 E5 5C arp enabled disable running check no interface type Atheros AR5213 radio name 000B6B35E55C mode station ssid AT WR4500 area frequency mode superchannel country no_coun...

Page 75: ...eaking one physical switch into several independent parts Within a single switch this is straightforward local configuration When the VLAN extends over more than one switch the inter switch links have to become trunks on which packets are tagged to indicate which VLAN they belong to You can use RouterOS to mark these packets as well as to accept and route marked ones As VLAN works on OSI Layer 2 i...

Page 76: ...interface vlan add name test vlan id 1 interface ether1 admin AT WR4562 interface vlan print Flags X disabled R running NAME MTU ARP VLAN ID INTERFACE 0 X test 1500 enabled 1 ether1 admin AT WR4562 interface vlan enable 0 admin AT WR4562 interface vlan print Flags X disabled R running NAME MTU ARP VLAN ID INTERFACE 0 R test 1500 enabled 1 ether1 admin AT WR4562 interface vlan 4 4 3 Application Exa...

Page 77: ...rip min avg max 3 10 5 10 ms admin AT WR4562 ip address ping 10 10 10 2 10 10 10 2 64 byte pong ttl 255 time 10 ms 10 10 10 2 64 byte pong ttl 255 time 11 ms 10 10 10 2 64 byte pong ttl 255 time 10 ms 10 10 10 2 64 byte pong ttl 255 time 13 ms 4 packets transmitted 4 packets received 0 packet loss round trip min avg max 10 11 13 ms admin AT WR4562 ip address 4 5 Bridge Interfaces D o c u m e n t r...

Page 78: ...ANs are interconnected latency and data rate between hosts may vary Network loops may emerge intentionally or not in complex topologies Without any special treatment loops would prevent network from functioning normally as they would lead to avalanche like packet multiplication Each bridge runs an algorithm which calculates how the loop can be prevented STP allows bridges to communicate with each ...

Page 79: ...ng Tree Protocol Bridging loops will only be prevented if this property is turned on transmit hold count Example To add and enable a bridge interface that will forward all the protocols admin AT WR4562 interface bridge add print Flags X disabled R running 1 R name bridge1 mtu 1500 arp enabled mac address 00 0D B9 12 B3 F9 protocol mode none priority 0x8000 auto mac yes admin mac 00 00 00 00 00 00 ...

Page 80: ... Description Used to monitor the current status of a bridge Property Description current mac address MAC address MAC address currently assigned to the bridge root bridge yes no if this bridge is the root bridge root bridge id text the bridge ID which is in form of bridge priority bridge MAC address root path cost integer the total cost of the path to the root bridge root port name port to which th...

Page 81: ... local BRIDGE MAC ADDRESS ON INTERFACE AGE bridge1 00 00 B4 5B A6 58 ether1 4m48s bridge1 00 30 4F 18 58 17 ether1 4m50s L bridge1 00 50 08 00 00 F5 ether1 0s L bridge1 00 50 08 00 00 F6 ether2 0s bridge1 00 60 52 0B B4 81 ether1 4m50s bridge1 00 C0 DF 07 5E E6 ether1 4m46s bridge1 00 E0 C5 6E 23 25 prism1 4m48s bridge1 00 E0 F7 7F 0A B8 ether1 1s admin AT WR4562 interface bridge host 4 5 7 Bridge...

Page 82: ...2 3 sap integer DSAP Destination Service Access Point and SSAP Source Service Access Point are 2 one byte fields which identify the network protocol entities which use the link layer service These bytes are always equal Two hexadecimal digits may be specified here to match an SAP byte 802 3 type integer Ethernet protocol type placed after the IEEE 802 2 frame header Works only if 802 3 sap is 0xAA...

Page 83: ...p xerox ns idp xtp xpress transfer protocol jump target name if action jump specified then specifies the user defined firewall chain to process the packet limit integer time 0 1 integer restricts packet match rate to a given limit Usefull to reduce the amount of log messages Count maximum average packet rate measured in packets per second pps unless followed by Time option Time specifies the time ...

Page 84: ...e only consulted if the actual frame is compliant with IEEE 802 2 and IEEE 802 3 standards note it is not the industry standard Ethernet frame format used in most networks worldwide These matchers are ignored for other packets 4 5 8 Bridge Packet Filter Submenu level interface bridge filter Description This section describes bridge packet filter specific filtering options which were omitted in the...

Page 85: ...on dst nat is selected to src mac address MAC address source MAC address to put in Ethernet frames when action src nat is selected 4 5 10 Bridge Brouting Facility Submenu level interface bridge broute Description This section describes broute facility specific options which were omitted in the general firewall description The Brouting table is applied to every packet entering a forwarding enslaved...

Page 86: ...ption Router shows that my rule is invalid in interface in bridge or in bridge port is specified but such an interface does not exist there is an action mark packet but no new packet mark there is an action mark connection but no new connection mark there is an action mark routing but no new routing mark Non presente nel manual pdf ...

Page 87: ...dressing the router also needs the network mask value id est which bits of the complete IP address refer to the address of the host and which to the address of the network The network address value is calculated by binary AND operation from network mask and IP address values It s also possible to specify IP address followed by slash and the amount of bits that form the network address In most case...

Page 88: ...unless both interfaces are bridged together because both addresses belong to the same network 10 0 0 0 24 Use addresses from different networks on different interfaces Example admin AT WR4562 ip address add address 10 10 10 1 24 interface ether2 admin AT WR4562 ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 2 2 2 1 24 2 2 2 0 2 2 2 255 ether2 1 10 5 7 2...

Page 89: ...s 10 10 10 10 interface ether2 mac address 06 21 00 56 00 12 admin AT WR4562 ip arp print Flags X disabled I invalid H DHCP D dynamic ADDRESS MAC ADDRESS INTERFACE 0 D 2 2 2 2 00 30 4F 1B B3 D9 ether2 1 D 10 5 7 242 00 A0 24 9D 52 A4 ether1 2 10 10 10 10 06 21 00 56 00 12 ether2 admin AT WR4562 ip arp If static arp entries are used for network security on an interface you should set arp to reply o...

Page 90: ...directly connected network it sends a broadcast ARP request Therefore host A sends a broadcast ARP request for the host C MAC address Broadcast ARP requests are sent to the broadcast MAC address FF FF FF FF FF FF Since the ARP request is a broadcast it will reach all hosts in the network A including the router R1 but it will not reach host C because routers do not forward broadcasts by default A r...

Page 91: ... pppoe in 3 D pppoe in26 pppoe in admin AT WR4562 ip arp ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 217 24 10 0 0 0 10 0 0 255 eth LAN 1 D 10 0 0 217 32 10 0 0 230 0 0 0 0 pppoe in25 2 D 10 0 0 217 32 10 0 0 231 0 0 0 0 pppoe in26 admin AT WR4562 ip arp ip route print Flags X disabled I invalid D dynamic J rejected C connect S static R rip O ...

Page 92: ...an see a dynamic connected route has been automatically added to the routes list If you want the default gateway be the other router of the p2p link just add a static route for it It is shown as 0 in the example above 5 1 6 Troubleshooting Description Router shows that the IP address is invalid Check whether the interface exists to which the IP address is assigned Or maybe it is disabled It is als...

Page 93: ...o redistribute static routes to neighbor routers or not redistribute connected yes no default no specifies whether to redistribute connected routes to neighbor routers or not redistribute ospf yes no default no specifies whether to redistribute routes learned via OSPF protocol to neighbor routers or not redistribute bgp yes no default no specifies whether to redistribute routes learned via bgp pro...

Page 94: ... v1 2 v2 default v2 specifies RIP protocol update versions to distribute receive v1 v1 2 v2 default v2 specifies RIP protocol update versions the router will be able to receive authentication none simple md5 default none specifies authentication method to use for RIP messages none no authentication performed simple plain text authentication md5 Keyed Message Digest 5 authentication authentication ...

Page 95: ...ge routing information with Normally there is no need to add the neighbors if multicasting is working properly within the network If there are problems with exchanging routing information neighbor routers can be added to the list It will force the router to exchange the routing information with the neighbor using regular unicast packets Property Description address IP address default 0 0 0 0 IP ad...

Page 96: ...der an example of routing information exchange between a RouterOS router an Alliedware router and the ISP RouterOS router RouterOS Router Configuration admin AT WR4562 interface print Flags X disabled D dynamic R running NAME TYPE MTU 0 R ether1 ether 1500 1 R ether2 ether 1500 admin AT WR4562 ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 174 24...

Page 97: ... ether2 as no propagation of RIP information is required into the Remote network in this example The routes obtained by RIP can be viewed in the routing rip route menu admin AT WR4562 routing rip route print Flags S static R rip O ospf C connect B bgp 0 R dst address 0 0 0 0 0 gateway 10 0 0 26 metric 2 from 10 0 0 26 1 C dst address 10 0 0 0 24 gateway 0 0 0 0 metric 1 from 0 0 0 0 2 C dst addres...

Page 98: ...etwork 0 0 0 0 10 0 0 0 24 is subnetted 1 subnets C 10 0 0 0 is directly connected Ethernet0 R 192 168 0 0 24 120 1 via 10 0 0 174 00 00 19 Ethernet0 192 168 1 0 30 is subnetted 1 subnets C 192 168 1 0 is directly connected Serial1 R 192 168 3 0 24 120 1 via 192 168 1 2 00 00 05 Serial1 R 0 0 0 0 0 120 1 via 192 168 1 2 00 00 05 Serial1 awplus As we can see the Alliedware router has learned RIP ro...

Page 99: ...send the default route with type 1 metric only if it has been installed a static default route or route added by DHCP PPP etc if installed as type 2 send the default route with type 2 metric only if it has been installed a static default route or route added by DHCP PPP etc always as type 1 always send the default route with type 1 metric always as type 2 always send the default route with type 2 ...

Page 100: ... line speed The table contains some examples Example To enable the OSPF protocol redisrtibute routes to the connected networks as type1 metrics with the cost of 1 you need do the following admin AT WR4562 routing ospf set redistribute connected as type 1 metric connected 1 admin AT WR4562 routing ospf print router id 0 0 0 0 distribute default never redistribute connected no redistribute static no...

Page 101: ...i routing ospf area add area id 0 0 10 5 name local_10 admin WiFi routing ospf area print Flags X disabled I invalid NAME AREA ID STUB DEFAULT COST AUTHENTICATION 0 backbone 0 0 0 0 none 1 local_10 0 0 10 5 no 1 none admin WiFi routing ospf area 5 3 4 Networks Submenu level routing ospf network Description There can be Point to Point networks or Multi Access networks Multi Access network can be a ...

Page 102: ... the one with the higher router s priority takes precedence retransmit interval time default 5s time between retransmitting lost link state advertisements When a router sends a link state advertisement LSA to its neighbor it keeps the LSA until it receives back the acknowledgment If it receives no acknowledgment in time it will retransmit the LSA The following settings are recommended for Broadcas...

Page 103: ...r dr id read only IP address designated router s router id for this neighbor ls requests read only integer number of link state requests ls retransmits read only integer number of link state retransmits priority read only integer the priority of the neighbor which is used in designated router elections via Hello protocol on this network router id read only IP address the router id parameter of the...

Page 104: ...ter OSPF peer 2 This example shows how to use OSPF for backup purposes if you are controlling all the involved routers and you can run OSPF on them main_gw 192 168 0 11 OSPF_peer_2 Cost 1 Cost 1 Cost 1 to_peer1 10 3 0 2 to_main 10 2 0 1 backup 10 3 0 1 to_peer2 10 2 0 2 to_peer1 10 1 0 2 OSPF_MAIN to_main 10 1 0 1 OSPF_peer_1 Internet Figure 13 OSPF Backup In this example 1 We introduce an OSPF ar...

Page 105: ...ric static metric rip metric bgp should be zero admin OSPF_MAIN routing ospf print router id 0 0 0 0 distribute default if installed as type 2 redistribute connected as type 1 redistribute static as type 2 redistribute rip no redistribute bgp no metric default 1 metric connected 0 metric static 0 metric rip 0 metric bgp 0 Define new OSPF area named local_10 with area id 0 0 0 1 admin OSPF_MAIN rou...

Page 106: ... static 0 metric rip 0 metric bgp 0 Add the same area as in main router admin OSPF_peer_1 routing ospf area print Flags X disabled I invalid NAME AREA ID STUB DEFAULT COST AUTHENTICATION 0 backbone 0 0 0 0 none 1 local_10 0 0 0 1 no 1 none Add connected networks with area local_10 admin OSPF_peer_1 routing ospf network print Flags X disabled I invalid NETWORK AREA 0 10 3 0 0 24 local_10 1 10 1 0 0...

Page 107: ...o 192 168 0 0 24 110 1 DC 192 168 0 0 24 r 0 0 0 0 0 main_gw 2 Do 10 3 0 0 24 r 10 2 0 1 110 to_peer_2 r 10 1 0 1 to_peer_1 3 Io 10 2 0 0 24 110 4 DC 10 2 0 0 24 r 0 0 0 0 0 to_peer_2 5 Io 10 1 0 0 24 110 6 DC 10 1 0 0 24 r 0 0 0 0 0 to_peer_1 admin OSPF_peer_1 ip route print Flags X disabled I invalid D dynamic J rejected C connect S static r rip o ospf b bgp DST ADDRESS G GATEWAY DISTANCE INTERF...

Page 108: ...uting ospf interface print 0 interface backup cost 50 priority 1 authentication key retransmit interval 5s transmit delay 1s hello interval 10s dead interval 40s admin OSPF_peer_2 routing ospf interface add interface to_peer_1 cost 50 admin OSPF_peer_2 routing ospf interface print 0 interface to_peer_1 cost 50 priority 1 authentication key retransmit interval 5s transmit delay 1s hello interval 10...

Page 109: ...min OSPF_peer_2 ip route print Flags X disabled I invalid D dynamic J rejected C connect S static r rip o ospf b bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Do 192 168 0 0 24 r 10 2 0 2 110 to_main 1 Io 10 3 0 0 24 110 2 DC 10 3 0 0 24 r 0 0 0 0 0 to_peer_1 3 Io 10 2 0 0 24 110 4 DC 10 2 0 0 24 r 0 0 0 0 0 to_main 5 Do 10 1 0 0 24 r 10 2 0 2 110 to_main Functioning of the Backup If the link bet...

Page 110: ... 1 0 0 24 110 5 DC 10 1 0 0 24 r 0 0 0 0 0 to_main On OSPF_peer_2 admin OSPF_peer_2 ip route print Flags X disabled I invalid D dynamic J rejected C connect S static r rip o ospf b bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Do 192 168 0 0 24 r 10 2 0 2 110 to_main 1 Io 10 3 0 0 24 110 2 DC 10 3 0 0 24 r 0 0 0 0 0 to_peer_1 3 Io 10 2 0 0 24 110 4 DC 10 2 0 0 24 r 0 0 0 0 0 to_main 5 Do 10 1 0 0...

Page 111: ... reordered and therefore do not kill TCP performance The ECMP routes can be created by routing protocols RIP or OSPF or by adding a tatic route with multiple gateways separated by a comma e g ip route add gateway 192 168 0 1 192 168 1 1 The routing protocols may create multipath dynamic routes with equal cost automatically if the cost of the interfaces is adjusted propery For more information on u...

Page 112: ...is used to recursively lookup the next hop addresses Each nexthop address selects smallest value of target scope from all routes that use this nexthop address Nexthop is looked up only through routes that have scope target scope of the nexthop You can specify more than one or two gateways in the route Moreover you can repeat some routes in the list several times to do a kind of cost setting for ga...

Page 113: ...tc will go through the gateway A leaving all the rest so Peer to Peer traffic also to use the gateway B it is not important which gateway is which it is only important to keep Peer to Peer together with all traffic except the specified protocols Example To add the rule specifying that all the packets from the 10 0 0 144 host should lookup the at routing table admin AT WR4562 ip firewall mangle add...

Page 114: ... static r rip b bgp o ospf DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 ADC 10 1 0 0 28 Public1 1 ADC 10 1 1 0 28 Public2 2 ADC 192 168 0 0 24 Local 3 A S 0 0 0 0 0 r 10 1 0 1 Public1 r 10 1 1 1 Public2 r 10 1 1 1 Public2 admin ECMP Router ip route Standard Policy Based Routing with Failover This example will show how to route packets using an administrator defined policy The policy for this setup i...

Page 115: ...lags X disabled I invalid D dynamic 0 chain prerouting src address 192 168 0 0 24 action mark routing new routing mark net1 1 chain prerouting src address 192 168 1 0 24 action mark routing new routing mark net2 admin PB Router ip firewall mangle Route packets from network 192 168 0 0 24 to gateway GW_1 10 0 0 2 packets from network 192 168 1 0 24 to gateway GW_2 10 0 0 3 using the according packe...

Page 116: ...0 20 2 Add a DHCP network which will concern to the network 172 16 0 0 12 and will distribute a gateway with IP address 172 16 0 1 to DHCP clients ip dhcp server network add address 172 16 0 0 12 gateway 172 16 0 1 3 Finally add a DHCP server ip dhcp server add interface wlan1 address pool dhcp pool Setup of the DHCP Client which will get a lease from the DHCP server configured above 1 Add the DHC...

Page 117: ...rator or ISP Commonly it is set to the client s MAC address but it may as well be any text string dhcp server read only IP address IP address of the DHCP server expires after read only time time when the lease expires specified by the DHCP server gateway read only IP address IP address of the gateway which is assigned by DHCP server host name text the host name of the client as sent to a DHCP serv...

Page 118: ...er supports an individual server for each Ethernet like interface The RouterOS DHCP server supports the basic functions of giving each requesting client an IP address netmask lease default gateway domain name DNS server s and WINS server s for Windows clients information set up in the DHCP networks submenu In order DHCP server to work you must set up also IP pools do not include the DHCP server s ...

Page 119: ...st for an address dhcp server will wait 10 seconds and if there is another request from the client after this period of time then dhcp server will offer the address to the client or will send DHCPNAK if the requested address is not available from this server after 2sec delay to clients request for an address dhcp server will wait 2 seconds and if there is another request from the client after this...

Page 120: ...nge client s MAC address If authoritative property is set to yes the DHCP server is sending rejects for the leases it cannot bind or renew It also may although not always help to prevent the network users to run their own DHCP servers illicitly disturbing the proper way the network should be functioning If relay property of a DHCP server is not set to 0 0 0 0 the DHCP server will not respond to th...

Page 121: ...mary and secondary NTP servers wins server text the Windows DHCP client will use these as the default WINS servers Two comma separated WINS servers can be specified to be used by DHCP client as primary and secondary WINS servers The address field uses netmask to specify the range of addresses the given entry is valid for The actual netmask clients will be using is specified in netmask property 6 1...

Page 122: ... specified but burst rate is specified rx rate and tx rate is used as burst thresholds If both rx burst time and tx burst time are not specified 1s is used as default server read only name server name which serves this client src mac address MAC address source MAC address status read only waiting testing authorizing busy offered bound lease status waiting not used static lease testing testing whet...

Page 123: ...print 00 34 23 dhcp critical error warning info debug dhcp alert on Public discovered unknown dhcp server mac 00 02 29 60 36 E7 ip 10 5 8 236 admin AT WR4562 ip dhcp server alert When the system alerts about a rogue DHCP server it can execute a custom script As DHCP replies can be unicast rogue dhcp detector may not receive any offer to other dhcp clients at all To deal with this rogue dhcp server...

Page 124: ...stname 12 Host A admin AT WR4562 ip dhcp server option Use this option in DHCP server network list admin AT WR4562 ip dhcp server network add address 10 1 0 0 24 gateway 10 1 0 1 dhcp option Option Hostname dns server 159 148 60 20 admin AT WR4562 ip dhcp server network print detail 0 address 10 1 0 0 24 gateway 10 1 0 1 dns server 159 148 60 20 dhcp option Option Hostname admin AT WR4562 ip dhcp ...

Page 125: ...ess IP address of the appropriate DNS server to be propagated to the DHCP clients gateway IP address default 0 0 0 0 the default gateway of the leased network lease time time default 3d the time the lease will be valid Depending on current settings and answers to the previous questions default values of following questions may be different Some questions may disappear if they become redundant for ...

Page 126: ...g DHCP Relay Let us consider that you have several IP networks behind other routers but you want to keep all DHCP servers on a single router To do this you need a DHCP relay on your network which relies DHCP requests from clients to DHCP server This example will show you how to configure a DHCP server and a DHCP relay which serve 2 IP networks 192 168 1 0 24 and 192 168 2 0 24 that are behind a ro...

Page 127: ...alid NAME INTERFACE RELAY ADDRESS POOL LEASE TIME ADD ARP 0 DHCP 1 To DHCP Relay 192 168 1 1 Local1 Pool 3d00 00 00 1 DHCP 2 To DHCP Relay 192 168 2 1 Local2 Pool 3d00 00 00 admin DHCP Server ip dhcp server Configure respective networks ip dhcp server network add address 192 168 1 0 24 gateway 192 168 1 1 dns server 159 148 60 20 ip dhcp server network add address 192 168 2 0 24 gateway 192 168 2 ...

Page 128: ...n RouterOS radius add service dhcp address 172 16 0 2 secret MySecret admin DHCP Server radius print detail Flags X disabled 0 service dhcp called id domain address 172 16 0 2 secret MySecret authentication port 1812 accounting port 1813 timeout 00 00 00 300 accounting backup no realm admin DHCP Server radius Setup DHCP Server 1 Create an address pool ip pool add name Radius Clients ranges 192 168...

Page 129: ... and UDP requests on port 53 Additional Resources http www ietf org rfc rfc1035 txt number 1035 http www freesoft org CIE Course Section2 3 htm http www networksorcery com enp protocol dns htm http en wikipedia org wiki Domain_Name_System 6 3 DNS Cache Setup Submenu level ip dns Description DNS facility is used to provide domain name resolution for router itself as well as for the clients connecte...

Page 130: ...el ip dns static Description The RouterOS has an embedded DNS server feature in DNS cache It allows you to link the particular domain names with the respective IP addresses and advertize these links to the DNS clients using the router as their DNS server Property Description address IP address IP address to resolve domain name with name text DNS name to be resolved to a given IP address ttl time t...

Page 131: ...NS record Reverse DNS lookup Address to Name of the regular expression entries is not possible You can however add an additional plain record with the same IP address and specify some name for it Remember that the meaning of a dot in regular expressions is any character so the expression should be escaped properly For example if you need to match anything within example com domain but not all the ...

Page 132: ...tSpot PPP PPPoE PPTP L2TP and ISDN connections The attributes received from RADIUS server override the ones set in the default profile but if some parameters are not received they are taken from the respective default profile The RADIUS server database is consulted only if no matching user acces record is found in router s local database Traffic is accounted locally with RouterOS Traffic Flow and ...

Page 133: ...if you have wrong shared secret RADIUS server will accept request but router won t accept reply You can see that with radius monitor command bad replies number should increase whenever somebody tries to connect Example To set a RADIUS server for HotSpot and PPP services that has 10 0 0 3 IP address and ex shared secret you need to do the following admin AT WR4562 radius add service hotspot ppp add...

Page 134: ...n files of RADIUS server which have references to the Attributes absent in this dictionary Please correct the configuration files not the dictionary as no other Attributes are supported by RouterOS There is also dictionary mikrotik that can be included in an existing dictionary to support RouterOS vendor specific Attributes Definitions PPPs PPP PPTP PPPoE and ISDN default configuration settings in...

Page 135: ...e used with MS CHAPv1 authentication MS CHAP2 Response MS CHAP Challenge encrypted password and challenge used with MS CHAPv2 authentication Access Accept Framed IP Address IP address given to client If address belongs to 127 0 0 0 8 or 224 0 0 0 3 networks IP pool is used from the default profile to allocate client IP address If Framed IP Address is specified Framed Pool is ignored Framed IP Netm...

Page 136: ...otik Recv Limit Gigawords 4G 2 32 bytes of total receive limit bits 32 63 when bits 0 31 are delivered in Mikrotik Recv Limit Mikrotik Xmit Limit total transmit limit in bytes for the client Mikrotik Xmit Limit Gigawords 4G 2 32 bytes of total transmit limit bits 32 63 when bits 0 31 are delivered in Mikrotik Recv Limit Mikrotik Wireless Forward not forward the client s frames back to the wireless...

Page 137: ...pecify data rate for the client Ascend data rate attributes are considered second and WISPr attributes takes the last precedence Here are some Rate Limit examples 128k rx rate 128000 tx rate 128000 no bursts 64k 128M rx rate 64000 tx rate 128000000 64k 256k rx tx rate 64000 rx tx burst rate 256000 rx tx burst threshold 64000 rx tx burst time 1s 64k 64k 256k 256k 128k 128k 10 10 rx tx rate 64000 rx...

Page 138: ...ise Url Mikrotik Advertise Interval Session Timeout Idle Timeout Port Limit It is not possible to change IP address pool or routes that way for such changes a user must be disconnected first Attribute Numeric Values Name VendorID Value RFC where it is defined Acct Authentic 45 RFC2866 Acct Delay Time 41 RFC2866 Acct Input Gigawords 52 RFC2869 Acct Input Octets 42 RFC2866 Acct Input Packets 47 RFC2...

Page 139: ...65 Idle Timeout 28 RFC2865 Mikrotik Advertise Interval 14988 13 Mikrotik Advertise URL 14988 12 Mikrotik Group 14988 3 Mikrotik Host IP 14988 10 Mikrotik Mark Id 14988 11 Mikrotik Rate Limit 14988 8 Mikrotik Realm 14988 9 Mikrotik Recv Limit 14988 1 Mikrotik Recv Limit Gigawords 14988 14 Mikrotik Wireless Enc Algo 14988 6 Mikrotik Wireless Enc Key 14988 7 Mikrotik Wireless Forward 14988 4 Mikrotik...

Page 140: ...4122 8 wi fi org WISPr Bandwidth Max Up 14122 7 wi fi org WISPr Bandwidth Min Down 14122 6 wi fi org WISPr Bandwidth Min Up 14122 5 wi fi org WISPr Location Id 14122 1 wi fi org WISPr Location Name 14122 2 wi fi org WISPr Logoff URL 14122 3 wi fi org WISPr Redirection URL 14122 4 wi fi org WISPr Session Terminate Time 14122 9 wi fi org 7 1 6 Troubleshooting Description My radius server accepts aut...

Page 141: ...highest priority with the only exception being particular IP addresses take precedence over IP pools in the local address and remote address settings which described later on Support for RADIUS authentication gives the ISP or network administrator the ability to manage PPP user access and accounting from one server throughout a large network The RouterOS has a RADIUS client which can authenticate ...

Page 142: ...rate min from the point of view of the router so rx is client upload and tx is client download All rates are measured in bits per second unless followed by optional k suffix kilobits per second or M suffix megabits per second If tx rate is not specified rx rate serves as tx rate too The same applies for tx burst rate tx burst threshold and tx burst time If both rx burst threshold and tx burst thre...

Page 143: ...ng filter mypppclients admin rb13 ppp profile print Flags default 0 name default use compression default use vj compression default use encryption default only one default change tcp mss yes 1 name default encryption use compression default use vj compression default use encryption yes only one default change tcp mss yes 2 name ex local address 10 0 0 1 remote address ex use compression default us...

Page 144: ...PPTP and L2TP it is the IP address the client connected from For PPPoE it is the MAC address the client connected from For ISDN it is the caller s number the client dialed in from no restrictions on where clients may connect from encoding read only text shows encryption and encoding separated with if asymmetric being used in this connection limit bytes in read only integer maximal amount of bytes ...

Page 145: ...t revision 2 3 Fri Jul 08 11 58 32 GMT 2005 Applies to V2 9 7 3 1 General Information Summary This documents provides summary configuration reference and examples on router user management Specifications Packages required system License required Level1 Submenu level user Hardware usage Not significant Related Topics PPP User AAA Software Package Management Description RouterOS router user facility...

Page 146: ... read access to the router s configuration All console commands that do not alter router s configuration are allowed write policy that grants write access to the router s configuration except for user management This policy does not allow to read the configuration so make sure to enable read policy as well policy policy that grants user management rights Should be used together with write policy t...

Page 147: ...ter Users Submenu level user Description Router user database stores the information such as username password allowed access addresses and group about router management personnel Property Description address IP address netmask default 0 0 0 0 0 host or network address from which the user is allowed to log in group name name of the group the user belongs to name name user name Although it must sta...

Page 148: ...ad only flag the user has been authenticated through a RADIUS server via read only console telnet ssh winbox user s access method console user is logged in locally telnet user is logged in remotely via telnet ssh user is logged in remotely via secure shell protocol winbox user is logged in remotely via WinBox tool when read only date log in date and time Example To print currently active users ent...

Page 149: ...ttygen convert generated keys to right type Property Description key owner read only text emote user as specified in the key file user name the user that is allowed to log in using this key must exist in the user list Command Description import import the uploaded DSA key user the user the imported key is linked to file filename of the DSA key to import Example Generating key on a linux machine sh...

Page 150: ...een 2 routers which have IP addresses 10 5 8 1 and 10 1 0 1 On router with IP address 10 5 8 1 add an EoIP interface and set its MAC address interface eoip add remote address 10 1 0 1 tunnel id 1 mac address 00 00 5E 80 00 01 disabled no On router with IP address 10 1 0 1 add an EoIP interface and set its MAC address interface eoip add remote address 10 5 8 1 tunnel id 1 mac address 00 00 5E 80 00...

Page 151: ...of identifying tunnel There should not be tunnels with the same tunnel id on the same router tunnel id on both participant routers must be equal mtu should be set to 1500 to eliminate packet refragmentation inside the tunnel that allows transparent bridging of Ethernet like networks so that it would be possible to transport full sized Ethernet frame over the tunnel When bridging EoIP tunnels it is...

Page 152: ...rver admin Our_GW interface pptp server ppp secret add name joe service pptp password top_s3 local address 10 0 0 1 remote address 10 0 0 2 admin Our_GW interface pptp server add name from_remote user joe admin Our_GW interface pptp server server set enable yes admin Our_GW interface pptp server print Flags X disabled D dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME ENC 0 from_remote joe ad...

Page 153: ...n mac 00 00 00 00 00 00 max message age 20s forward delay 15s transmit hold count 6 ageing time 5m admin Our_GW interface bridge port add bridge bridge1 interface eoip remote admin Our_GW interface bridge port add bridge bridge1 interface ether1 admin Our_GW interface bridge port print Flags X disabled I inactive D dynamic INTERFACE BRIDGE PRIORITY PATH COST 0 eoip remote bridge1 128 10 1 ether1 b...

Page 154: ...Add bonding interface on Router1 admin Router1 interface bonding add slaves ether1 ether2 And on Router2 admin Router2 interface bonding add slaves ether1 ether2 Add addresses to bonding interfaces admin Router1 ip address add address 172 16 0 1 24 interface bonding1 admin Router2 ip address add address 172 16 0 2 24 interface bonding1 Test the link from Router1 admin Router1 interface bonding pi ...

Page 155: ...nterface type1 to determine link status Link status determenation relies on the device driver If bonding shows that the link status is up when it should not be then it means that this card don t support this possibility mii type2 uses MII type2 to determine link status used if mii type1 is not supported by the NIC none no method for link monitoring is used If a link fails it is not considered as d...

Page 156: ...cation Examples Bonding two EoIP tunnels Assume you need to configure the AT WR4500 router for the following network setup where you have two offices with 2 ISP for each You want combine links for getting double speed and provide failover Office1 Office2 Internet ISP2 Local Net Local net 10 0 0 1 Eoip tunnel 1 Eoip tunnel 2 Internet ISP1 bonding1 Figure 21 Bonding two EoIP tunnels We are assuming ...

Page 157: ...mote address 10 1 0 111 tunnel id 2 mac address FE FD 00 00 00 02 admin office2 interface eoip print Flags X disabled R running 0 R name eoip tunnel2 mtu 1500 mac address FE FD 00 00 00 02 arp enabled remote address 10 1 0 111 tunnel id 2 for Office1through ISP2 admin office1 interface eoip add remote address 2 2 2 1 tunnel id 1 mac address FE FD 00 00 00 03 admin office1 interface eoip print Flag...

Page 158: ...erval 00 00 00 100 down delay 00 00 00 up delay 00 00 00 lacp rate 30secs admin office2 ip address add address 3 3 3 2 24 interface bonding1 admin office2 ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 2 2 2 1 24 2 2 2 0 2 2 2 255 isp2 1 10 1 0 112 24 10 1 0 0 10 1 0 255 isp1 2 3 3 3 2 24 3 3 3 0 3 3 3 255 bonding1 admin office2 ip address ping 3 3 3 1 ...

Page 159: ...esses and ARP Log Management Additional Resources http www ietf org rfc rfc1853 txt number 1853 http www ietf org rfc rfc2003 txt number 2003 http www ietf org rfc rfc1241 txt number 1241 8 4 2 IPIP Setup Submenu level interface ipip Description An IPIP interface should be configured on two routers that have the possibility for an IP level connection and are RFC 2003 compliant The IPIP tunnel may ...

Page 160: ...es and then add IP addresses to them The configuration for router R1 is as follows admin AT WR4562 interface ipip add local address 10 0 0 1 remote address 22 63 11 6 admin AT WR4562 interface ipip print Flags X disabled R running NAME MTU LOCAL ADDRESS REMOTE ADDRESS 0 X ipip1 1480 10 0 0 1 22 63 11 6 admin AT WR4562 interface ipip en 0 admin AT WR4562 interface ipip ip address add address 1 1 1 ...

Page 161: ...nd Internet access points for ISP accessing an Intranet LAN of a company for remote mobile clients employees Each L2TP connection is composed of a server and a client The RouterOS may function as a server or client or for various configurations it may be the server for some connections and client for other connections Quick Setup Guide To make a L2TP tunnel between two RouterOS routers with IP add...

Page 162: ... 1500 and larger packets and bridging over PPP links using Bridge Control Protocol BCP that allows to send raw Ethernet frames over PPP links This way it is possible to setup bridging without EoIP The bridge should either have an administratively set MAC address or an Ethernet like interface in it as PPP links do not have MAC addresses This is the default mode for Microsoft L2TP client L2TP includ...

Page 163: ...s the default gateway admin AT WR4562 interface l2tp client add name test2 connect to 10 1 1 12 user john add default route yes password john admin AT WR4562 interface l2tp client print Flags X disabled R running 0 X name test2 mtu 1460 mru 1460 connect to 10 1 1 12 user john password john profile default add default route yes allow pap chap mschap1 mschap2 admin AT WR4562 interface l2tp client en...

Page 164: ...nsmission Unit The optimal value is the MTU of the interface the tunnel is working over decreased by 40 so for 1500 byte ethernet link set the MTU to 1460 to avoid fragmentation of packets mrru integer 512 65535 default disabled maximum packet size that can be received on the link If a packet is bigger than tunnel MTU it will be split into multiple packets allowing full size IP or Ethernet packets...

Page 165: ...ent s MRU mtu read only integer client s MTU name name interface name uptime read only time shows how long the client is connected user name the name of the user that is configured statically or added dynamically Example To add a static entry for ex1 user admin AT WR4562 interface l2tp server add user ex1 admin AT WR4562 interface l2tp server print Flags X disabled D dynamic R running NAME USER MT...

Page 166: ...t 192 168 81 1 24 Interface LocalRemoteOffice 10 150 1 254 24 Each router is connected to a different ISP One router can access another router through the Internet On the L2TP server a user must be set up for the client admin HomeOffice ppp secret add name ex service l2tp password lkjrht local address 10 0 103 1 remote address 10 0 103 2 admin HomeOffice ppp secret print detail Flags X disabled 0 ...

Page 167: ... route no allow pap chap mschap1 mschap2 admin RemoteOffice interface l2tp client Thus a L2TP tunnel is created between the routers This tunnel is like an Ethernet point to point connection between the routers with IP addresses 10 0 103 1 and 10 0 103 2 at each router It enables direct communication between the routers over third party networks WISP 1 192 168 80 0 24 WISP 2 192 168 81 0 24 Home Of...

Page 168: ...0 103 1 pong ttl 255 time 3 ms ping interrupted 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 3 3 0 3 ms Test the connection through the L2TP tunnel to the LocalHomeOffice interface admin RemoteOffice ping 10 150 2 254 10 150 2 254 pong ttl 255 time 3 ms 10 150 2 254 pong ttl 255 time 3 ms 10 150 2 254 pong ttl 255 time 3 ms ping interrupted 3 packets transmitted 3 ...

Page 169: ...e l2tp password lkjrht local address 10 150 1 254 remote address 10 150 1 2 admin RemoteOffice ppp secret print detail Flags X disabled 0 name ex service l2tp caller id password lkjrht profile default local address 10 150 1 254 remote address 10 150 1 2 routes admin RemoteOffice ppp secret Then the user should be added in the L2TP server list admin RemoteOffice interface l2tp server add name FromL...

Page 170: ...between your sites My Windows L2TP IPsec VPN Client fails to connect to L2TP server with Error 789 or Error 781 The error messages 789 and 781 occur when IPsec is not configured properly on both ends See the respective documentation on how to configure IPsec in the Microsoft L2TP IPsec VPN Client and in the RouterOS If you do not want to use IPsec it can be easily switched off on the client side I...

Page 171: ...orted connections RouterOS PPPoE client to any PPPoE server access concentrator RouterOS server access concentrator to multiple PPPoE clients clients are avaliable for almost all operating systems and most routers Quick Setup Guide To configure RouterOS to be a PPPoE client Just add a pppoe client interface pppoe client add name pppoe user mike user mike password 123 interface wlan1 service name i...

Page 172: ...ated and disconnects when there is no traffic for the period set in the idle timeout value interface name interface the PPPoE server can be reached through max mru integer default 1460 Maximum Receive Unit The optimal value is the MRU of the interface the tunnel is working over decreased by 40 so for 1500 byte Ethernet link set the MRU to 1460 to avoid fragmentation of packets max mtu integer defa...

Page 173: ...e name text name of the service the client is connected to status text status of the client dialing attempting to make a connection verifying password connection has been established to the server password verification in progress connected self explanatory terminated interface is not enabled or the other side will not establish a connection uptime time connection time displayed in days hours minu...

Page 174: ...e received on the link If a packet is bigger than tunnel MTU it will be split into multiple packets allowing full size IP or Ethernet packets to be sent over the tunnel disabled disable MRRU on this link one session per host yes no default no allow only one session per host determined by MAC address If a host will try to establish a new session the old one will be closed service name text the PPPo...

Page 175: ... disappear once the user disconnects so it is impossible to reference the tunnel created for that use in router configuration for example in firewall so if you need a persistent rules for that user create a static entry for him her Otherwise it is safe to use dynamic configuration In both cases PPP users must be configured properly static entries do not replace PPP configuration Property Descripti...

Page 176: ... offers wireless clients transparent access to the local network with authentication Reserved for Wireless PPPoE Clients 10 1 0 100 10 1 0 200 PPPoE Server Ssid mt Frequency 2442 10 1 0 3 24 ether1 10 1 0 1 24 Internet Server 10 1 0 2 24 10 1 0 200 32 10 1 0 199 32 10 1 0 198 32 Dynamic Interfaces pppoe inX 10 1 0 3 24 Figure 26 PPPoE Example First of all the wireless interface should be configure...

Page 177: ...st yes max sessions 0 default profile default admin PPPoE Server interface pppoe server server Finally we can set up PPPoE clients admin PPPoE Server ip pool add name pppoe ranges 10 1 0 100 10 1 0 200 admin PPPoE Server ip pool print NAME RANGES 0 pppoe 10 1 0 100 10 1 0 200 admin PPPoE Server ip pool ppp profile admin PPPoE Server ppp profile set default use encryption yes local address 10 1 0 3...

Page 178: ... name mt interface wlan1 max mtu 1440 max mru 1440 authentication pap chap mschap1 mschap2 keepalive timeout 10 one session per host yes max sessions 0 default profile default admin MT interface pppoe server server My Windows XP client cannot connect to the PPPoE server You have to specify the Service Name in the properties of the XP PPPoE client If the service name is not set or it does not match...

Page 179: ...ed links The purpose of this protocol is to make well managed secure connections between routers as well as between routers and PPTP clients clients are available for and or included in almost all OSs including Windows Multilink PPP MP is supported in order to provide MRRU the ability to transmit full sized 1500 and larger packets and bridging over PPP links using Bridge Control Protocol BCP that ...

Page 180: ...ntation of packets mrru integer 512 65535 default disabled maximum packet size that can be received on the link If a packet is bigger than tunnel MTU it will be split into multiple packets allowing full size IP or Ethernet packets to be sent over the tunnel disabled disable MRRU on this link name name default pptp outN interface name for reference password text default user password to use when lo...

Page 181: ...t from clients depends on the license level you have Level1 license allows 1 PPTP client Level3 or Level4 licenses up to 200 clients and Level5 or Level6 licenses do not have PPTP client limitations Property Description authentication multiple choice pap chap mschap1 mschap2 default mschap2 authentication algorithm default profile default profile to use enabled yes no default no defines whether PP...

Page 182: ...tatic users and dynamic connections An interface is created for each tunnel established to the given server Static interfaces are added administratively if there is a need to reference the particular interface name in firewall rules or elsewhere created for the particular user Dynamic interfaces are added to this list automatically whenever a user is connected and its username does not match any e...

Page 183: ...PTP tunnel over the Internet Remote Office 192 168 81 1 24 Home Office 192 168 80 1 24 Internet ISP 2 192 168 81 0 24 ISP 1 192 168 80 0 24 10 150 2 254 24 10 150 2 1 24 10 150 1 1 24 10 150 1 254 24 Figure 27 Network Setup without PPTP enabled There are two routers in this example HomeOffice Interface LocalHomeOffice 10 150 2 254 24 Interface ToInternet 192 168 80 1 24 RemoteOffice Interface ToIn...

Page 184: ...teOffice interface pptp client print Flags X disabled R running 0 R name pptp out1 mtu 1460 mru 1460 connect to 192 168 80 1 user ex password lkjrht profile default add default route no allow pap chap mschap1 mschap2 admin RemoteOffice interface pptp client Thus a PPTP tunnel is created between the routers This tunnel is like an Ethernet point to point connection between the routers with IP addres...

Page 185: ...0 103 1 pong ttl 255 time 3 ms ping interrupted 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 3 3 0 3 ms Test the connection through the PPTP tunnel to the LocalHomeOffice interface admin RemoteOffice ping 10 150 2 254 10 150 2 254 pong ttl 255 time 3 ms 10 150 2 254 pong ttl 255 time 3 ms 10 150 2 254 pong ttl 255 time 3 ms ping interrupted 3 packets transmitted 3 ...

Page 186: ... local address 10 150 1 254 remote address 10 150 1 2 admin RemoteOffice ppp secret print detail Flags X disabled 0 name ex service pptp caller id password lkjrht profile default local address 10 150 1 254 remote address 10 150 1 2 routes admin RemoteOffice ppp secret Then the user should be added in the PPTP server list admin RemoteOffice interface pptp server add name FromLaptop user ex admin Re...

Page 187: ...ype the correct user name and password must also be in the user database on the router or RADIUS server used for authentication The setup of the connections takes nine seconds after selection the connect button It is suggested that the connection properties be edited so that NetBEUI IPX SPX compatible and Log on to network are unselected The setup time for the connection will then be two seconds a...

Page 188: ...nation security protocol and SPI value If no SA is found the packet is dropped If SA is found packet is decrypted Then decrypted packet s fields are compared to the policy rule that SA is linked to If the packet does not match the policy rule it is dropped If the packet is decrypted fine or authenticated fine it is received once more it goes through dst nat and routing which finds out what to do e...

Page 189: ...ne securely The following Modular Exponential MODP Diffie Hellman also known as Oakley Groups are supported Diffie Hellman Group Modulus Reference Group 1 768 bits RFC2409 Group 2 1024 bits MODP group RFC2409 Group 3 EC2N group on GP 2 155 RFC2409 Group 4 EC2N group on GP 2 185 RFC2409 Group 5 1536 bits MODP group RFC3526 IKE Traffic To avoid problems with IKE packets hit some SPD rule and require...

Page 190: ... transformed integer how many outgoing packets were encrypted ESP and or signed AH ph2 state read only expired no phase2 established indication of the progress of key establishing expired there are some leftovers from previous phase2 In general it is similar to no phase2 no phase2 no keys are estabilished at the moment estabilished Appropriate SAs are in place and everything should be working fine...

Page 191: ...icating and establishing phase 1 If several peer s addresses matches several configuration entries the most specific one i e the one with largest netmask will be used auth method pre shared key rsa signature default pre shared key authentication method pre shared key authenticate by a password secret string shared between the peers rsa signature authenticate using a pair of RSA certificates certif...

Page 192: ...is recommended to use this algorithm class whenever possible But AES s speed is also its drawback as it potentially can be cracked faster so use AES 256 when you need security or AES 128 when speed is also important Both peers MUST have the same encryption and authentication algorithms DH group and exchange mode Some legacy hardware may support only DES and MD5 You should set generate policy flag ...

Page 193: ...SA was installed auth algorithm multiple choice read only none md5 sha1 authentication algorithm used in SA auth key read only text authentication key presented as a hex string current bytes read only integer amount of data processed by this SA s crypto algorithms dst address read only IP address destination address of SA taken from respective policy enc algorithm multiple choice read only none de...

Page 194: ...ress 10 0 0 148 auth algorithm sha1 enc algorithm 3des replay 4 state mature auth key 8ac9dc7ecebfed9cd1030ae3b07b32e8e5cb98af enc key 8a8073a7afd0f74518c10438a0023e64cc660ed69845ca3c addtime jan 28 2003 20 55 12 add lifetime 24m 30m usetime jan 28 2003 20 55 12 use lifetime 0s 0s current bytes 512 lifebytes 0 0 admin WiFi ip ipsec 8 8 6 Flushing Installed SATable Command name ip ipsec installed s...

Page 195: ... address 1 0 0 2 action encrypt admin Router1 ip ipsec peer add address 1 0 0 2 secret gvejimezyfopmekun for Router2 admin Router2 ip ipsec policy add sa src address 1 0 0 2 sa dst address 1 0 0 1 action encrypt admin Router2 ip ipsec peer add address 1 0 0 1 secret gvejimezyfopmekun Transport mode example using ESP with automatic keying and automatic policy generating on Router 1 and static polic...

Page 196: ... address 10 2 0 0 24 dst address 10 1 0 0 24 action encrypt ipsec protocols ah tunnel yes sa src 1 0 0 2 sa dst 1 0 0 1 manual sa ah sa1 IPsec Between two Masquerading RouterOS Routers Router2 1 0 0 2 Router1 1 0 0 1 IP Network 10 1 0 0 24 10 2 0 0 24 1 0 0 0 24 Figure 31 Add accept and masquerading rules in SRC NAT for Router1 admin Router1 ip firewall nat add chain srcnat src address 10 1 0 0 24...

Page 197: ...crypt tunnel yes sa src address 1 0 0 1 sa dst address 1 0 0 2 admin Router1 ip ipsec peer add address 1 0 0 2 exchange mode aggressive secret gvejimezyfopmekun for Router2 admin Router2 ip ipsec policy add src address 10 2 0 0 24 dst address 10 1 0 0 24 action encrypt tunnel yes sa src address 1 0 0 2 sa dst address 1 0 0 1 admin Router2 ip ipsec peer add address 1 0 0 1 exchange mode aggressive ...

Page 198: ...ot more than 5 simultaneous connections from each of the clients do the following ip firewall filter add chain forward protocol tcp tcp flags syn connection limit 6 32 action drop Specifications Packages required system License required Level1 P2P filters limited to 1 Level3 Submenu level ip firewall filter Standards and Technologies IP RFC2113 Hardware usage Increases with filtering rules count R...

Page 199: ...rules are grouped together in chains It allows a packet to be matched against one common criterion in one chain and then passed over for processing against some other common criteria to another chain For example a packet should be matched against the IP address port pair Of course it could be achieved by adding as many rules with IP address port match as required to the forward chain but a better ...

Page 200: ...hain will be created comment text a descriptive comment for the rule A comment can be used to identify rules form scripts connection bytes integer integer matches packets only if a given amount of bytes has been transfered through the particular connection 0 means infinity exempli gratia connection bytes 2000000 0 means that the rule matches if more than 2MB has been transfered through the relevan...

Page 201: ... transparent proxying is enabled for that particular client local dst true if a packet has local destination IP address to client true if a packet is sent to a client icmp options integer integer matches ICMP Type Code fields in bridge port name actual interface the packet has entered the router through if bridged this property matches the actual bridge port while in interface the bridge itself in...

Page 202: ...cap ipip ipsec ah ipsec esp iso tp4 ospf pup rdp rspf st tcp udp vmtp xns idp xtp integer matches particular IP protocol specified by protocol name or number You should specify this setting if you want to specify ports psd integer time integer integer attempts to detect TCP and UDP scans It is advised to assign lower weight to ports with high numbers to reduce the frequency of false positives such...

Page 203: ...ection state invalid action drop comment Drop Invalid connections add chain input connection state established action accept comment Allow Established connections add chain input protocol udp action accept comment Allow UDP add chain input protocol icmp action accept comment Allow ICMP add chain input src address 192 168 0 0 24 action accept comment Allow access to router from known network add ch...

Page 204: ...r add chain udp protocol udp dst port 135 action drop comment deny PRC portmapper add chain udp protocol udp dst port 137 139 action drop comment deny NBT add chain udp protocol udp dst port 2049 action drop comment deny NFS add chain udp protocol udp dst port 3133 action drop comment deny BackOriffice Allow only needed icmp codes in icmp chain add chain icmp protocol icmp icmp options 0 0 action ...

Page 205: ...scp parameter change mss change Maximum Segment Size field value of the packet to a value specified by the new mss parameter change ttl change Time to Live field value of the packet to a value specified by the new ttl parameter jump jump to the chain specified by the value of the jump target parameter log each match with this action will add a message to the system log mark connection place a mark...

Page 206: ...r field value dst address IP address netmask IP address IP address specify the address range an IP packet is destined to Note that console converts entered address netmask value to a valid network address i e 1 1 1 1 24 is converted to 1 1 1 0 24 dst address list name match destination address of a packet against user defined address list dst address type unicast local broadcast multicast match de...

Page 207: ...ump to if the action jump is used layer7 protocol name Layer 7 filter name as set in the ip firewall layer7 protocol menu Caution this matcher needs high computational power limit integer time 0 1 integer restrict packet match rate to a given limit Usefull to reduce the amount of log messages count maximum average packet rate measured in packets per second pps unless followed by time option time s...

Page 208: ...idp xtp integer matches particular IP protocol specified by protocol name or number You should specify this setting if you want to specify ports psd integer time integer integer attempts to detect TCP and UDP scans It is advised to assign lower weight to ports with high numbers to reduce the frequency of false positives such as from passive mode FTP transfers WeightThreshold total weight of the la...

Page 209: ...otherwice expanding to the full link capacity admin AT WR4562 ip firewall mangle add chain forward p2p all p2p action mark connection new connection mark p2p_conn admin AT WR4562 ip firewall mangle add chain forward connection mark p2p_conn action mark packet new packet mark p2p admin AT WR4562 ip firewall mangle add chain forward connection mark p2p_conn action mark packet new packet mark other a...

Page 210: ...nt revision 2 7 Mon Jun 05 12 04 15 GMT 2006 Applies to V2 9 9 3 1 General Information Summary This manual describes the order in which an IP packet traverses various internal facilities of the router and some general information regarding packet handling common IP protocols and protocol options Specifications Packages required system License required Level3 Submenu level ip firewall Standards and...

Page 211: ...nt an ordinal packet enters the router A paket can enter processing conveyer of the router in two ways First a packet can come from one of the interfaces present in the roter then the interface is referred as input interface Second it can be originated from a local process like web proxy VPN or others Alike there are two ways for a packet to leave the processing pipeline A packet can leave through...

Page 212: ...ains Bridged Traffic In case the incoming traffic needs to be bridged do not confuse it with the traffic coming to the bridge interface at the router s own MAC address and thus classified as routed traffic it is first determined whether it is an IP traffic or not After that IP traffic goes through the prerouting forward and postrouting chains while non IP traffic bypasses all IP firewall rules and...

Page 213: ...ddress read only IP address port the source address and port the reply connection is established from src address read only IP address port the source address and port the connection is established from tcp state read only text the state of TCP connection timeout read only time the amount of time until the connection will be timed out unreplied read only true false shows whether the request was un...

Page 214: ...nnection state table udp stream timeout time default 3m maximal amount of time connection tracking entry will survive after replay is seen for the last packet matching this entry connection tracking entry is assured It is used to increase timeout for such connections as H323 VoIP etc udp timeout time default 10s maximal amount of time connection tracking entry will survive after having seen last p...

Page 215: ... provides a method for upper layer protocols to convey hints to the Internet Layer about how the tradeoffs should be made for the particular packet This method is implemented with the help of a special field in the IP protocol header the Type of Service field The fundamental rule is that if a host makes appropriate use of the TOS facility its network service should be at least as good as it would ...

Page 216: ...lMac Overnet Soulseek Soulseek MLDonkey BitTorrent BitTorrent BitTorrent Shareaza MLDonkey ABC Azureus BitAnarch SimpleBT BitTorrent Net mlMac Blubster Blubster Piolet WPNP WinMX Warez Warez Ares starting from 2 8 18 this protocol can only be dropped speed limiting is impossible 9 4 NAT Document revision 2 8 Tue Feb 28 15 15 00 GMT 2006 Applies to V2 9 9 4 1 General Information Summary Network Add...

Page 217: ...urce NAT without need to specify to addresses outgoing interface address is used automatically The same is for redirect it is a form of destination NAT where to addresses is not used incoming interface address is used instead Note that to ports is meaningful for redirect rules this is the port of the service on the router that will handle these requests e g web proxy When packet is dst natted no m...

Page 218: ...for a new rule If the input does not match the name of an already defined chain a new chain will be created dstnat a rule placed in this chain is applied before routing The rules that replace destination addresses of IP packets should be placed there srcnat a rule placed in this chain is applied after routing The rules that replace the source addresses of IP packets should be placed there comment ...

Page 219: ...he bridge itself in interface name interface the packet has entered the router through if the interface is bridged then the packet will appear to come from the bridge interface itself ingress priority integer 0 63 INGRESS received priority of the packet if set 0 otherwise The priority may be derived from either VLAN or WMM priority ipv4 options any loose source routing no record route no router al...

Page 220: ... the latest TCP UDP packets with different destination ports coming from the same host to be treated as port scan sequence DelayThreshold delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence LowPortWeight weight of the packets with privileged 1024 destination port HighPortWeight weight of the packet with non priviliged des...

Page 221: ...possible to the Local addresses If you want to allow connections to the server on the local network you should use destination Network Address Translation NAT Example of Destination NAT If you want to link Public IP 10 5 8 200 address to Local one 192 168 0 109 you should use destination address translation feature of the RouterOS router Also if you want allow Local server to talk with outside wit...

Page 222: ... address pool as DHCP server uses for that interface ip hotspot add interface local address pool dhcp pool 1 4 and finally add at least one HotSpot user ip hotspot user add name admin These simple steps should be sufficient to enable HotSpot system Please find HotSpot How to s which will answer most of your questions about configuring a HotSpot gateway at the end of this manual It is still recomme...

Page 223: ... lent IP addresses to clients MAC addresses if required The HotSpot system does not care how did a client get an address before he she gets to the HotSpot login page Moreover HotSpot server may automatically and transparently change any IP address yes meaning really any IP address of a client to a valid unused address from the selected IP pool This feature gives a possibility to provide a network ...

Page 224: ...rvlet s login page simply creating the appropriate link HTTP CHAP standard method which includes CHAP challenge in the login page The CHAP MD5 hash challenge is to be used together with the user s password for computing the string which will be sent to the HotSpot gateway The hash result as a password together with username is sent over network to HotSpot service so password is never sent in plain...

Page 225: ...to a RADIUS server which delivers similar configuration options as the local database For any user requiring authorization a RADIUS server gets queried first and if no reply received the local database is examined RADIUS server may send a Change of Authorization request according to standards to alter the previously accepted parameters Advertisement The same proxy used for unauthorized clients to ...

Page 226: ...l address of network IP address default 10 5 50 1 24 HotSpot gateway address for the interface masquerade network yes no default yes whether to masquerade the HotSpot network name of local hotspot user text default admin username of one automatically created user passphrase text the passphrase of the certificate you are importing password for the user text password for the automatically created us...

Page 227: ...r Reaching the timeout user will be dropped of the host list and the address used buy the user will be freed none do not timeout idle users interface name interface to run HotSpot on ip of dns name read only IP address IP address of the HotSpot gateway s DNS name set in the HotSpot interface profile keepalive timeout time none default none keepalive timeout for unauthorized clients Used to detect ...

Page 228: ...be possible to intercept them https use encrypted SSL tunnel to transfer user communications with the HotSpot server Note that in order this to work a valid certificate must be imported into the router see a separate manual on certificate management mac try to use client s MAC address first as its username If the matching MAC address exists in the local user database or on the RADIUS server the cl...

Page 229: ...ser profile that trial users will use use radius yes no default no whether to use RADIUS to authenticate HotSpot users If dns name property is not specified hotspot address is used instead If hotspot address is also absent then both are to be detected automatically In order to use RADIUS authentication the radius menu must be set up accordingly Trial authentication method should always be used tog...

Page 230: ...s the rule allow allow the access to the page without prior authorization deny authorization is required to access this page dst address read only IP address IP address of the destination web server installed by IP level walled garden dst host wildcard default domain name of the destination web server dst port integer default the TCP port a client has send the request to hits read only integer how...

Page 231: ...efault the TCP or UDP port protocol MUST be specified explicitly in the protocol property a client has send the request to protocol integer ddp egp encap ggp gre hmp icmp idpr cmtp igmp ipencap ipip ipsec ah ipsec esp iso tp4 ospf pup rdp rspf st tcp udp vmtp xns idp xtp IP protocol name server name name of the HotSpot server this rule applied to src address IP address IP address of the user sendi...

Page 232: ...rom this host idle time read only time the amount of time has the user been idle idle timeout read only time the exact value of idle timeout that applies to this user This property shows how long should the user stay idle for it to be logged off automatically keepalive timeout read only time the exact value of keepalive timeout that applies to this user This property shows how long should the user...

Page 233: ...action jump jump target hotspot hotspot from client Putting all HotSpot related tasks for packets from all HotSpot clients into a separate chain 1 I chain hotspot action jump jump target pre hotspot Any actions that should be done before HotSpot rules apply should be put in the pre hotspot chain This chain is under full administrator control and does not contain any rules set by the system hence t...

Page 234: ... that packets with the http hotspot mark to work around the unknown proxy problem as we will see later on Note that the port used 64874 is the same as for HTTP requests in the rule 8 so both HTTP and HTTP proxy requests are processed by the same code 11 D chain hs unauth protocol tcp dst port 443 action redirect to ports 64875 HTTPS proxy is listening on the 64875 port 13 I chain hs unauth action ...

Page 235: ...4872 64875 protocol tcp Allow client access to the local authentication and proxy services as described earlier 6 D chain hs input action jump jump target hs unauth hotspot auth All other traffic from unauthorized clients to the router itself will be treated the same way as the traffic traversing the routers 7 D chain hs unauth protocol icmp action return 8 D www alliedtelesis com chain hs unauth ...

Page 236: ...aScript for MD5 password hashing Used together with http chap login method alogin html page shown after client has logged in It pops up status page and redirects browser to originally requested page before he she was redirected to the HotSpot login page status html status page shows statistics for the client It is also able to display advertisements automatically logout html logout page shown afte...

Page 237: ... address may be used as the other value or even to zero License Agreement some predefined values general for all users or client s MAC address may be used as username and password Registration may occur on a different server for example on a server that is able to charge Credit Cards Client s MAC address may be passed to it so that this information need not be written in manually After the registr...

Page 238: ...f none session timeout secs session time left for the user in seconds 3475 or 0 if there is such timeout session time left session time left for the user 5h or if none session time left secs session time left for the user in seconds 3475 or 0 if there is such timeout uptime current session uptime 10h2m33s uptime secs current session uptime in seconds 125 Traffic counters which are available only i...

Page 239: ...otSpot servlet directory You can change and translate all these messages to your native language To do so edit the errors txt file You can also use variables in the messages All instructions are given in that file Multiple Versions of HotSpot Pages Multiple hotspot page sets for the same hotspot server are supported They can be chosen by user to select language or automatically by JavaScript to se...

Page 240: ...r erase cookie to the logout page which may be either on or true to delete user cookie on logout so that the user would not be automatically logged on when he she opens a browser next time Example With basic HTML language knowledge and the examples below it should be easy to implement the ideas described above To provide predefined value as username in login html change type text value username to...

Page 241: ... an external authentication server html title title body form name redirect action https auth example com login php method post input type hidden name mac value mac input type hidden name ip value ip input type hidden name user value username input type hidden name link login value link login input type hidden name link orig value link orig input type hidden name error value error form script lang...

Page 242: ...rent from the actual user s MAC address Solution no users with usernames that look like a MAC address eg 12 34 56 78 9a bc may only log in from the MAC address specified as their user name session limit reached error orig depending on licence number of active hotspot clients is limited to some number The error is displayed when this limit is reached Solution try to log in later when there will be ...

Page 243: ...rst certificate must be present with decrypted private key admin AT WR4562 certificate print Flags K decrypted private key Q private key R rsa D dsa 0 KR name hotspot example net subject C LV L Riga O MT OU dev CN hotspot example net emailAddress admin hotsot example net issuer C LV L Riga O MT OU dev CN hotsot example net emailAddress admin hotsot example net serial number 0 email admin hotsot ex...

Page 244: ...enu level ip hotspot user Standards and Technologies RADIUS Hardware usage Local traffic accounting requires additional memory Related Topics Hot Spot Service PPP User AAA Router User AAA RADIUS client Software Package Management IP Addresses and ARP 10 4 2 HotSpot User Profiles Submenu level ip hotspot user profile Description HotSpot User profiles are used for common user settings Profiles are l...

Page 245: ...would see it http login open status page only in case of HTTP login including cookie and https login methods always open the status page in case of mac login as well once the user opens any web page outgoing filter name name of the firewall chain applied to outgoing packets to the users of this profile outgoing packet mark name packet mark put on all the packets to every user of this profile autom...

Page 246: ...e to be registered on the HotSpot gateway when the client is connected The route format is dst address gateway metric for example 10 1 0 0 24 10 0 0 1 1 Several routes may be specified separated with commas If gateway is not specified the remote address is used If metric is not speciefied the metric of 1 is used server name all default all which HotSpot server is this user allowed to log in to upt...

Page 247: ... has the user been idle idle timeout read only time the exact value of idle timeout that applies to this user This property shows how long should the user stay idle for it to be logged off automatically keepalive timeout read only time the exact value of keepalive timeout that applies to this user This property shows how long should the user s computer stay out of reach for it to be logged off aut...

Page 248: ...rs RouterOS v3 Configuration and User Guide Example To get the list of active users admin AT WR4562 ip hotspot active print Flags R radius B blocked USER ADDRESS UPTIME SESSION TIMEOUT IDLE TIMEOUT 0 ex 10 0 0 144 4m17s 55m43s admin AT WR4562 ip hotspot active ...

Page 249: ...l router A node of a virtual router can be in one of the following states MASTER state when the node answers all the requests to the instance s IP addresses There may only be one MASTER node in a virtual router This node sends VRRP advertisement packets to all the backup routers using multicast address every once in a while set in interval property BACKUP state when the VRRP router monitors the av...

Page 250: ...can be ignored if no authentication used 8 character long text string for plain text authentication or 16 character long text string 128 bit key required for AH authentication preemption mode yes no default yes whether preemption mode is enabled no a backup node will not be elected to be a master until the current master fail even if the backup node has higher priority than the current master yes ...

Page 251: ...92 168 1 1 24 to the vr1 VRRP router admin AT WR4562 ip vrrp address add address 192 168 1 1 24 virtual router vr1 admin AT WR4562 ip vrrp address print Flags X disabled A active ADDRESS NETWORK BROADCAST INSTANCE INTERFACE 0 192 168 1 1 24 192 168 1 0 192 168 1 255 vr1 default admin AT WR4562 ip vrrp 11 1 4 A simple example of VRRP fail over Description VRRP protocol may be used to make a redunda...

Page 252: ...P address should be added to this VRRP instance admin AT WR4500 ip address add address 192 168 1 1 24 interface vrrp1 admin M AT WR4500 ip address print admin AT WR4562 ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 1 24 10 0 0 0 10 0 0 255 public 1 192 168 1 2 24 192 168 1 0 192 168 1 255 local 2 192 168 1 1 24 192 168 1 0 192 168 1 255 vrrp1 ad...

Page 253: ...so in very rare cases caused by hardware malfunction it can lock up by itself There is a hardware watchdog device available in AT WR454x hardware which can reboot the system in any case Property Description auto send supout yes no default no after the support output file is automatically generated it can be sent by email automatic supout yes no default yes when software failure happens a file name...

Page 254: ...through the 192 0 2 1 smtp server in case of a software crash admin AT WR4562 system watchdog set auto send supout yes send to email support example com send smtp server 192 0 2 1 admin AT WR4562 system watchdog print watch address none watchdog timer yes no ping delay 5m automatic supout yes auto send supout yes send smtp server 192 0 2 1 send email to support example com admin AT WR4562 system w...

Page 255: ...drive not enabled by default as is harmful for flash disks 12 1 2 General Settings Submenu level system logging Property Description action name default memory specifies one of the system default actions or user specified action listed in system logging action prefix text local log prefix topics info critical firewall keepalive packet read timer write ddns hotspot l2tp ppp route update account deb...

Page 256: ...0 0 514 remote logging server s IP address and UDP port only if action target is set to remote target disk echo email memory remote default memory log storage facility or target disk logs are saved to the hard drive echo logs are displayed on the console screen email logs are sent by email memory logs are saved to the local memory buffer remote logs are sent to a remote host You cannot delete or r...

Page 257: ...configuration changed by admin dec 24 2003 08 25 59 log configuration changed by admin dec 24 2003 08 30 05 log configuration changed by admin dec 24 2003 08 30 05 log configuration changed by admin dec 24 2003 08 35 56 system started dec 24 2003 08 35 57 isdn out1 initializing dec 24 2003 08 35 57 isdn out1 dialing dec 24 2003 08 35 58 Prism firmware loading OK dec 24 2003 08 37 48 user admin log...

Page 258: ... Not significant 12 3 2 Related Documents NTop Description Traffic Flow is a system that provides statistic information about packets which pass through the router Besides network monitoring and accounting system administrators can identify various problems that may occur in the network With help of Traffic Flow it is possible to analyze and optimize the overall network performance Traffic Flow su...

Page 259: ... port UDP of the host which receives Traffic Flow statistic packets from the router v9 template refresh integer default 20 number of packets after which the template is sent to the receiving host only for NetFlow version 9 v9 template timeout after how long to send the template if it has not been sent version 1 5 9 which version format of NetFlow to use 12 3 5 Application Examples Traffic Flow Exa...

Page 260: ...me screenshots from NTop program which has gathered Traffic Flow information from our router and displays it in nice graphs and statistics For example where what kind of traffic has flown Figure 36 Host Information Top three hosts by upload and download each minute Figure 37 Network Load Statistics Matrix ...

Page 261: ...AT WR4500 Series IEEE 802 11abgh Outdoor Wireless Routers 261 RouterOS v3 Configuration and User Guide Figure 38 Network load profile by time Figure 39 Traffic Load by protocol ...

Page 262: ...t displays data in a Web page To access the graphics type http Router_IP_address graphs and choose a graphic to display in your Web browser Data from the router is gathered every 5 minutes but saved on the system drive every store every time After rebooting the router graphing will display information that was last time saved on the disk before the reboot RouterOS generates four graphics for each ...

Page 263: ...e which will be monitored store on disk yes no default yes whether to store information about traffic on system drive or not If not the information will be stored in RAM and will be lost after a reboot Example To monitor traffic which is passed through interface ether1 only from local network 192 168 0 0 24 and write information on disk admin AT WR4562 tool graphing interface add interface ether1 ...

Page 264: ...period of time CPU usage Memory usage Disk usage Property Description allow address IP address netmask default 0 0 0 0 0 network which is allowed to view graphs of router health store on disk yes no default yes whether to store information about traffic on hard drive or not If not the information will be stored in RAM and will be lost after a reboot Example Add IP range 192 168 0 0 24 from which u...

Reviews:

No comments