manualshive.com logo in svg

MikroTik RouterOS v2.9, Reference Manual

Share
Download
MikroTik RouterOS v2.9 Reference Manual Download Page 339

reside on different devices interconnected by a packet-switched network. With L2TP, a user has a
Layer 2 connection to an access concentrator - LAC (e.g., modem bank, ADSL DSLAM, etc.), and
the concentrator then tunnels individual PPP frames to the Network Access Server - NAS. This
allows the actual processing of PPP packets to be divorced from the termination of the Layer 2
circuit. From the user's perspective, there is no functional difference between having the L2 circuit
terminate in a NAS directly or using L2TP.

It may also be useful to use L2TP just as any other tunneling protocol with or without encryption.
The L2TP standard says that the most secure way to encrypt data is using L2TP over IPsec (Note
that it is default mode for Microsoft L2TP client) as all L2TP control and data packets for a
particular tunnel appear as homogeneous UDP/IP data packets to the IPsec system.

L2TP includes PPP authentication and accounting for each L2TP connection. Full authentication
and accounting of each connection may be done through a RADIUS client or locally.

MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported.

L2TP traffic uses UDP protocol for both control and data packets. UDP port 1701 is used only for
link establishment, further traffic is using any available UDP port (which may or may not be 1701).
This means that L2TP can be used with most firewalls and routers (even with NAT) by enabling
UDP traffic to be routed through the firewall or router.

L2TP Client Setup

Home menu level: /interface l2tp-client

Property Description

name name ; default: l2tp-outN ) - interface name for reference

mtu integer ; default: 1460 ) - Maximum Transmission Unit. The optimal value is the MTU of the
interface the tunnel is working over decreased by 40 (so, for 1500-byte Ethernet link, set the MTU
to 1460 to avoid fragmentation of packets)

mru integer ; default: 1460 ) - Maximum Receive Unit. The optimal value is the MRU of the
interface the tunnel is working over decreased by 40 (so, for 1500-byte Ethernet link, set the MRU
to 1460 to avoid fragmentation of packets)

connect-to IP address ) - The IP address of the L2TP server to connect to

user text ) - user name to use when logging on to the remote server

password text ; default: "" ) - user password to use when logging to the remote server

profile name ; default: default ) - profile to use when connecting to the remote server

allow multiple choice: mschap2mschap1chappap ; default: mschap2, mschap1, chap, pap ) -
the protocol to allow the client to use for authentication

add-default-route yes no ; default: no ) - whether to use the server which this client is connected
to as its default router (gateway)

Example

To set up L2TP client named test2 using username john with password john to connect to the
10.1.1.12 L2TP server and use it as the default gateway:

Page 325 of 695

Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.

Other trademarks and registred trademarks mentioned herein are properties of their respective owners.

Summary of Contents for RouterOS v2.9

Page 1: ...MikroTik RouterOS v2 9 Reference Manual ...

Page 2: ...asic Setup Guide 25 General Information 25 Setting up MikroTik RouterOS 26 Logging into the MikroTik Router 29 Adding Software Packages 30 Navigating The Terminal Console 30 Basic Configuration Tasks 33 Setup Command 34 Basic Examples 35 Advanced Configuration Tasks 39 Installing RouterOS with CD Install 41 CD Install 41 Installing RouterOS with Floppies 45 Floppy Install 45 Installing RouterOS wi...

Page 3: ...ral Information 68 Installation Upgrade 69 Uninstallation 71 Downgrading 71 Disabling and Enabling 72 Unscheduling 73 System Upgrade 73 Adding Package Source 75 Software Package List 75 Software Version Management 78 General Information 78 System Upgrade 78 Adding Package Source 80 SSH Secure Shell Server and Client 81 General Information 81 SSH Server 82 SSH Client 82 Telnet Server and Client 84 ...

Page 4: ...tion 122 General Setup 123 Interfaces 124 Networks 125 Neighbors 126 Routes 126 General Information 127 Routes Equal Cost Multipath Routing Policy Routing 130 General Information 130 Routes 131 Policy Rules 133 General Information 134 BGP Command Reference 138 General Information 138 Instances 139 Peers 140 BGP Routing Filters 142 General Information 142 Filter Rules 143 ARLAN 655 Wireless Client ...

Page 5: ...roubleshooting 178 RSV V 35 Synchronous Link Applications 178 Driver Management 180 General Information 180 Loading Device Drivers 181 Removing Device Drivers 182 Notes on PCMCIA Adapters 183 Troubleshooting 183 Ethernet Interfaces 184 General Information 184 Ethernet Interface Configuration 185 Monitoring the Interface Status 186 Troubleshooting 186 FarSync X 21 Interface 188 General Information ...

Page 6: ...iguration 224 Troubleshooting 225 Synchronous Link Application Examples 225 PPP and Asynchronous Interfaces 228 General Information 228 Serial Port Configuration 229 PPP Server Setup 230 PPP Client Setup 231 PPP Application Example 232 RadioLAN 5 8GHz Wireless Interface 233 General Information 233 Wireless Interface Configuration 234 Troubleshooting 236 Wireless Network Applications 236 Sangoma Sy...

Page 7: ...ration 293 Frame Relay Configuration Examples 294 Troubleshooting 295 EoIP 297 General Information 297 EoIP Setup 298 EoIP Application Example 299 Troubleshooting 301 IP Security 303 General Information 303 Policy Settings 306 Peers 308 Remote Peer Statistics 310 Installed SAs 310 Flushing Installed SA Table 311 Counters 312 General Information 313 IPIP Tunnel Interfaces 319 General Information 31...

Page 8: ...6 General Information 356 VLAN Setup 358 Application Example 359 Graphing 360 General Information 360 General Options 361 Health Graphing 361 Interface Graphing 362 Simple Queue Graphing 362 Resource Graphing 363 HotSpot User AAA 364 General Information 364 HotSpot User Profiles 365 HotSpot Users 366 HotSpot Active Users 368 IP accounting 370 General Information 370 Local IP Traffic Accounting 371...

Page 9: ...rget 398 General Information 398 SNMP Service 402 General Information 402 SNMP Setup 403 SNMP Communities 403 Available OIDs 404 Available MIBs 405 Tools for SNMP Data Collection and Analysis 409 Log Management 411 General Information 411 General Settings 412 Actions 412 Log Messages 413 Bandwidth Control 415 General Information 415 Queue Types 426 Interface Default Queues 429 Simple Queues 429 Qu...

Page 10: ... 483 Store Leases on Disk 485 DHCP Networks 486 DHCP Server Leases 486 DHCP Alert 489 DHCP Option 490 DHCP Relay 490 Question Answer Based Setup 491 General Information 492 DNS Client and Cache 497 General Information 497 Client Configuration and Cache Setup 498 Cache Monitoring 499 Static DNS Entries 499 Flushing DNS cache 499 HotSpot Gateway 501 General Information 502 Question Answer Based Setu...

Page 11: ...Pools 540 General Information 540 Setup 541 Used Addresses from Pool 541 SOCKS Proxy Server 543 General Information 543 SOCKS Configuration 544 Access List 545 Active Connections 545 General Information 546 UPnP 548 General Information 548 Enabling Universal Plug n Play 549 UPnP Interfaces 549 Web Proxy 552 General Information 552 Setup 554 Access List 555 Direct Access List 557 Cache Management 5...

Page 12: ...e 583 RouterBoard specific functions 585 General Information 585 BIOS upgrading 586 BIOS Configuration 587 System Health Monitoring 588 LED Management or RB200 589 LED Management on RB500 590 Fan voltage control 590 Console Reset Jumper 591 Support Output File 592 General Information 592 Generating Support Output File 592 System Resource Management 593 General Information 594 System Resource 594 I...

Page 13: ...17 MAC Ping Server 618 Torch Realtime Traffic Monitor 619 General Information 619 The Torch Command 619 Traceroute 622 General Information 622 The Traceroute Command 623 Network Monitor 624 General Information 624 Network Watching Tool 624 Serial Port Monitor 627 General Information 627 Sigwatch 627 Scripting Host 630 General Information 631 Console Command Syntax 631 Expression Grouping 633 Varia...

Page 14: ...orts 663 ISDN Voice Ports 664 Voice Port for Voice over IP voip 666 Numbers 666 Regional Settings 669 Audio CODECs 670 AAA 670 Gatekeeper 672 Troubleshooting 675 A simple example 675 System Watchdog 682 General Information 682 Hardware Watchdog Management 682 UPS Monitor 684 General Information 684 UPS Monitor Setup 685 Runtime Calibration 686 UPS Monitoring 687 VRRP 689 General Information 689 VR...

Page 15: ...al time status information walled garden customized HTML login pages iPass support SSL secure authentication advertisement support Point to Point tunneling protocols PPTP PPPoE and L2TP Access Concentrators and clients PAP CHAP MSCHAPv1 and MSCHAPv2 authentication protocols RADIUS authentication and accounting MPPE encryption compression for PPPoE data rate limitation differentiated firewall PPPoE...

Page 16: ...ation protocols RADIUS authentication and accounting onboard serial ports modem pool with up to 128 ports dial on demand ISDN ISDN dial in dial out PAP CHAP MSCHAPv1 and MSCHAPv2 authentication protocols RADIUS authentication and accounting 128K bundle support Cisco HDLC x75i x75ui x75bui line protocols dial on demand SDSL Single line DSL support line termination and network termination modes Laye...

Page 17: ... router must have the following hardware Configuration possibilities RouterOS provides powerful command line configuration interface You can also manage the router through WinBox the easy to use remote configuration GUI for Windows which provides all the benefits of the command line interface without the actual command line which may scare novice users Web based configuration is provided for some ...

Page 18: ...o connect routers by their MAC addresses Router may be managed through the following interfaces note that until a valid IP configuration is enteres telnet and SSH connections are not possible Page 4 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of t...

Page 19: ... Specifications Description Asynchronous Serial Specifications Description ISDN Specifications Description VoIP Specifications Description xDSL Specifications Description HomePNA Specifications Description LCD Specifications Description PCMCIA Adapters Specifications Description GPRS Cards Specifications Page 5 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOA...

Page 20: ...ries ISA 10Base Compatibility 3Com EtherLink III 3Com FastEtherLink Chipset type 3Com 3c590 3c900 3Com FastEtherLink and FastEtherLink XL PCI 10 100Base Compatibility 3c590 Vortex 10BaseT 3c592 chip 3c595 Vortex 100BaseTX 3c595 Vortex 100BaseT4 3c595 Vortex 100Base MII 3c597 chip 3Com Vortex 3c900 Boomerang 10BaseT 3c900 Boomerang 10Mbit s Combo 3c900 Cyclone 10Mbit s Combo 3c900B FL Cyclone 10Bas...

Page 21: ...aseT Compatibility Planet 10 100Base TX USB Ethernet Adapter UE 9500 Linksys Instant EtherFast 10 100 USB Network Adapter USB100TX AMD PCnet Chipset type AMD PCnet PCnet II ISA PCI 10BaseT Compatibility AMD PCnet ISA AMD PCnet ISA II AMD PCnet PCI II AMD 79C960 based cards AMD PCnet32 Chipset type AMD PCnet32 PCI 10BaseT and 10 100BaseT Compatibility AMD PCnet PCI Page 7 of 695 Copyright 1999 2007...

Page 22: ...type Davicom DM9102 PCI 10 100Base Compatibility Davicom DM9102 Davicom DM9102A Davicom DM9102A DM9801 Davicom DM9102A DM9802 DEC 21x4x Tulip Chipset type DEC 21x4x Tulip PCI 10 100Base Compatibility Digital DC21040 Tulip Digital DC21041 Tulip Digital DS21140 Tulip 21140A chip 21142 chip Digital DS21143 Tulip Page 8 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and Rout...

Page 23: ...0 XT Server Adapter i82544 Board IDs A51580 xxx Intel PRO 1000 XF Server Adapter i82544 Board IDs A50484 xxx Intel PRO 1000 T Desktop Adapter i82544 Board IDs A62947 xxx Intel PRO 1000 MT Desktop Adapter i82540 Board IDs A78408 xxx C91016 xxx Intel PRO 1000 MT Server Adapter i82545 Board IDs A92165 xxx C31527 xxx Intel PRO 1000 MT Dual Port Server Adapter i82546 Board IDs A92111 xxx C29887 xxx Int...

Page 24: ...net Adapter EG1032 v2 Instant Gigabit Network Adapter EG1064 v2 Instant Gigabit Network Adapter Marvell 88E8001 Gigabit LOM Ethernet Adapter Marvell RDK 80xx Adapter Marvell Yukon Gigabit Ethernet 10 100 1000Base T Adapter N Way PCI Bus Giga Card 1000 100 10Mbps L SK 9521 10 100 1000Base T Adapter SK 98xx Gigabit Ethernet Server Adapter SMC EZ Card 1000 Marvell Yukon 88E8010 based Marvell Yukon 88...

Page 25: ...ond 89C940 and 89C940F Compex RL2000 KTI ET32P2 NetVin NV5000SC Via 86C926 SureCom NE34 Holtek HT80232 Holtek HT80229 IMC EtherNic PCI FO NS8390 Chipset type NS8390 compatible PCMCIA CardBus 10Base Compatibility D Link DE 660 Ethernet NE 2000 Compatible PCMCIA Ethernet NS8390 based PCMCIA cards Page 11 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are tr...

Page 26: ...ance ST201 Alta PCI 10 100Base Compatibility D Link DFE 550TX Fast Ethernet Adapter D Link DFE 550FX 100Mbps Fiber optics Adapter D Link DFE 580TX 4 port Server Adapter not recommended may lock up the system D Link DFE 530TXS Fast Ethernet Adapter D Link DL10050 based FAST Ethernet Adapter Sundance ST201 Alta chip Kendin KS8723 chip TI ThunderLAN Chipset type TI ThunderLAN PCI 10 100Base Compatibi...

Page 27: ...e Compatibility VIA Rhine vt3043 VIA Rhine II vt3065 AKA vt86c100 VIA VT86C100A Rhine VIA VT6102 Rhine II VIA VT6105 Rhine III VIA VT6105M Rhine III RouterBOARD 44 4 port Fast Ethernet card D Link DFE 530TX Winbond w89c840 Chipset type Winbond w89c840 PCI 10 100Base Compatibility Winbond W89c840 Compex RL100 ATX Page 13 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and ...

Page 28: ...hipset series based IEEE802 11a AR5212 MAC plus AR5111 PHY chips IEEE802 11b g AR5212 MAC plus AR2111 PHY chips IEEE802 11a b g AR5212 MAC plus AR5111 and 2111 PHY chips cards Atheros AR5002X chipset series based IEEE802 11b g AR5212 MAC plus AR2112 PHY chips IEEE802 11a b g AR5212 MAC plus AR5112 PHY chips cards Atheros AR5004X chipset series based IEEE802 11b g AR5213 MAC plus AR2112 PHY chips I...

Page 29: ...2 11b WLAN Card D Link DWL 650 11Mbit s 802 11b WLAN Card SMC 2632W 11Mbit s 802 11b WLAN Card BroMax Freeport 11Mbit s 802 11b WLAN Card Intersil PRISM2 Reference Design 11Mbit s WLAN Card Bromax OEM 11Mbit s 802 11b WLAN Card Prism 2 5 corega K K Wireless LAN PCC 11 corega K K Wireless LAN PCCA 11 CONTEC FLEXSCAN FX DDS110 PCC PLANEX GeoWave GW NS110 Ambicom WL1100 11Mbit s 802 11b WLAN Card LeA...

Page 30: ...rds Chipset type Aironet Arlan IC2200 ISA 2Mbit s 2 4GHz Compatibility Aironet Arlan 655 RadioLAN Packages required radiolan Description This is driver for legacy RadioLAN cards Chipset type RadioLAN ISA PCMCIA 10Mbit s 5 8GHz Compatibility RadioLAN ISA card Model 101 RadioLAN PCMCIA card Synchronous Serial Packages required synchronous Description FarSync PCI V 35 X 21 8 448 Mbit s LMC SBEI wanPC...

Page 31: ...or 8 PCI 4 8 port cards Sangoma S514 56 PCI 56 or 64Kbit s DDS DSU with secondary 128Kbit s RS232 port Note this card is not for modem pools or serial terminals ISDN Packages required isdn Description PCI ISDN cards Eicon Diehl Diva PCI Sedlbauer Speed Card PCI ELSA Quickstep 1000PCI Traverse Technologie NETjet PCI S0 card Teles PCI Dr Neuhaus Niccy PCI AVM Fritz PCI Gazel PCI ISDN cards HFC 2BS0 ...

Page 32: ...e 632 16x2 characters and 634 20x4 characters Powertip Character LCD Module PC1602 16x2 characters PC1604 16x4 characters PC2002 20x2 characters PC2004 20x4 characters PC2402 24x2 characters and PC2404 24x4 characters PCMCIA Adapters Packages required system Description Vadem VG 469 PCMCIA ISA adapter one or two PCMCIA ports RICOH PCMCIA PCI Bridge with R5C475 II or RC476 II chip one or two PCMCIA...

Page 33: ...650 Verizon Wireless Novatel Wireless CDMA card Novatel U730 Wireless HSDPA Modem Huawei Mobile Connect Model E620 3G Novatel Merlin S720 HSDPA Option G3 PCMCIA card Vodafone UMTS Sierra Aircard 595 and other Sierra Wireless cards Page 19 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred tradema...

Page 34: ...s without registration for about 24 hours from the first run Note that if you shut the router down the countdown is paused and it is resumed only when the router is started again During this period you must get a key otherwise you will need to reinstall the system A purchased license key allows you to use RouterOS features according to the chosen license level for unlimited time and gives you righ...

Page 35: ...ers 1 1 200 500 unlimited RADIUS client yes yes yes yes Queues 1 30 unlimited unlimited unlimited Web proxy yes yes yes yes RIP OSPF BGP protocols yes yes yes yes Note that Wireless Client and Bridge means that wireless cards can be used in station and bridge modes Bridge mode allows one wireless station to connect it There is a possibility to upgrade your key i e to extend licensing term from the...

Page 36: ...em console Update Key the same as update key command in system console Property Description key read only text software license key that unlocks the installation level read only integer 0 6 license level of the installation software id read only text ID number of the installation upgradable until read only text the date until which the software version can be upgraded or downgraded Command Descrip...

Page 37: ...existing key to the version s 2 9 one this can be done during your existing key upgrade term IP address key server s IP address text username to log into the key server text password to log into the key server text default script to execute while the command is running time default 1s how frequently to execute the given script if specified executes the sctipt once and then terminates the command c...

Page 38: ...contact sales mikrotik com for further assistance Key upgraded successfully the upgrade procedure has been completed successfully Page 24 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 39: ...ed Configuration Tasks Description Application Example with Masquerading Example with Bandwidth Management Example with NAT General Information Summary MikroTik RouterOS is independent Linux based Operating System for IA 32 routers and thinrouters It does not require any additional components and has no software prerequirements It is designed with easy to use yet powerful interface allowing networ...

Page 40: ...d IPsec STP bridging with filtering capabilities WDS and Virtual AP features HotSpot for Plug and Play access RIP OSPF BGP routing protocols Gigabit Ethernet ready V 35 X 21 T1 E1 synchronous support async PPP with RADUIS AAA IP Telephony remote winbox GUI admin telnet ssh serial console admin real time configuration and monitoring and much more please see the Specifications Sheet The Guide descri...

Page 41: ...u want to install RouterOS over a LAN with one floppy boot disk or alternatively using PXE or EtherBoot option supported by some network interface cards that allows truly networked installation Netinstall program works on Windows 95 98 NT4 2K XP MikroTik Disk Maker if you want to create 3 5 installation floppies The Disk Maker is a self extracting archive DiskMaker_v2 9 x_dd mmm yyyy_ build_z exe ...

Page 42: ...ed network installation standard AT floppy controller and 3 5 disk drive connected as the first floppy disk drive A PCI Ethernet network interface card supported by MikroTik RouterOS see the Device Driver List for the list Full network based installation PCI Ethernet network interface card supported by MikroTik RouterOS see the Device Driver List for the list with PXE or EtherBoot extension bootin...

Page 43: ...link on the main screen of the account server Notes The hard disk will be entirely reformatted during the installation and all data on it will be lost You can move the hard drive with MikroTik RouterOS installed to a new hardware without loosing a license but you cannot move the RouterOS to a different hard drive without purchasing an another license except hardware failure situations For addition...

Page 44: ...terminal console you will be presented with the MikroTik RouterOS login prompt Use admin and no password hit Enter for logging in the router for the first time for example MikroTik v2 9 Login admin Password The password can be changed with the password command admin MikroTik password old password new password retype new password admin MikroTik Adding Software Packages Description The basic install...

Page 45: ...btained by entering the question mark for example admin MikroTik log System logs quit Quit console radius Radius client settings certificate Certificate management special login Special login users redo Redo previously undone action driver Driver management ping Send ICMP Echo packets setup Do basic setup of system interface Interface configuration password Change password undo Undo previous actio...

Page 46: ...m any level admin MikroTik ip A command or an argument does not need to be completed if it is not ambiguous For example instead of typing interface you can type just in or int To complete a command use the Tab key Note that the completion is optional and you can just use short command and parameter names The commands may be invoked from the menu level where they are located by typing its name If t...

Page 47: ...e of the network mask in the address argument even if it is the 32 bit subnet i e use 10 0 0 1 32 for address 10 0 0 1 netmask 255 255 255 255 Basic Configuration Tasks Description Interface Management Before configuring the IP addresses and routes please check the interface menu to see the list of available interfaces If you have Plug and Play cards installed in the router it is most likely that ...

Page 48: ...ed using the add command under the drivers menu For example to load the driver for a card with IO address 0x280 and IRQ 5 it is enough to issue the command admin MikroTik driver add name ne2k isa io 0x280 admin MikroTik driver print Flags I invalid D dynamic DRIVER IRQ IO MEMORY ISDN PROTOCOL 0 D RealTek 8139 1 D Intel EtherExpressPro 2 D PCI NE2000 3 ISA NE2000 280 4 Moxa C101 Synchronous C8000 a...

Page 49: ...your choice press Enter to configure ip address and gateway a To configure IP address and gateway press a or Enter if the a choice is marked with an asterisk symbol a add ip address g setup default gateway x exit menu your choice press Enter to add ip address a Choose a to add an IP address At first setup will ask you for an interface to which the address will be assigned If the setup offers you a...

Page 50: ...nt Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 217 24 10 0 0 217 10 0 0 255 Public 1 192 168 0 254 24 192 168 0 0 192 168 0 255 Local admin MikroTik ip address Here the network mask has been specified in the value of the address argument Alternatively the argument netmask could have been used with the value 255 255 255 0 The network and broadcast addresses wer...

Page 51: ...you need to specify where the router should forward packets which have destination other than networks connected directly to the router Adding Default Routes In the following example the default route destination 0 0 0 0 any netmask 0 0 0 0 any will be added In this case it is the ISP s gateway 10 0 0 1 which can be reached through the interface Public admin MikroTik ip route add gateway 10 0 0 1 ...

Page 52: ...n avg max 1 1 0 1 ms admin MikroTik ip route The workstation and the laptop can reach ping the router at its local address 192 168 0 254 If the router s address 192 168 0 254 is specified as the default gateway in the TCP IP configuration of both the workstation and the laptop then you should be able to ping the router C ping 192 168 0 254 Reply from 192 168 0 254 bytes 32 time 10ms TTL 253 Reply ...

Page 53: ...de should be added to the firewall configuration admin MikroTik ip firewall nat add chain srcnat action masquerade out interface Public admin MikroTik ip firewall nat print Flags X disabled I invalid D dynamic 0 chain srcnat out interface Public action masquerade Notes Please consult Network Address Translation for more information on masquerading Example with Bandwidth Management Assume you want ...

Page 54: ...or translating the destination address and port admin MikroTik ip firewall nat add chain dstnat action dst nat protocol tcp dst address 10 0 0 217 32 dst port 80 to addresses 192 168 0 4 admin MikroTik ip firewall nat pr Flags X disabled I invalid D dynamic 0 chain dstnat dst address 10 0 0 217 32 protocol tcp dst port 80 action dst nat to addresses 192 168 0 4 to ports 0 65535 Notes Please consul...

Page 55: ...w the instructions to install RouterOS using CD Install 1 After downloading the CD image from www mikrotik com you will have an ISO file on your computer 2 Open a CD Writing software like Ahead NERO as in this example 3 In the program choose Burn Image entry from the Recorder menu there should be similary named option in all major CD burning programs Page 41 of 695 Copyright 1999 2007 MikroTik All...

Page 56: ... Finally click Burn button Page 42 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 57: ...ages and press i to install the software 8 You will be asked for 2 questions Warning all data on the disk will be erased Continue y n Press Y to continue or N to abort the installation Do you want to keep old configuration y n You should choose whether you want to keep old configuration press Y or to erase the configuration permanently press N and continue without saving it For a fresh installatio...

Page 58: ...stallation you will have to enter the Software key See this manual how to do it Page 44 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 59: ...uterOS is using floppies You will need 9 floppies to install the software this includes only the system package 1 Download the archive here Extract it and run FloppyMaker exe Read the licence agreement and press Yes to continue Page 45 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks...

Page 60: ...it to leave the installation 3 You are prompted to insert disk 1 into the floppy drive Page 46 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 61: ... case you already have some floppies copied Proceed with next floppies until the following dialog occurs Page 47 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 62: ... until all floppies are processed Note after the installation you will have to enter the Software key See this manual how to do it Page 48 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 63: ...t network All you need is a blank floppy or an Ethernet device that supports PXE like RouterBoard 100 RouterBoard 200 and RouterBoard 500 series an Ethernet network between workstation and dedicated computer and a serial null modem console cable for RouterBoard routers NetInstall Program Parameters Page 49 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD ar...

Page 64: ...assword client s password Level license level of RouterOS Debit key a key that you have paid for but haven t generated yet Debit money money that you have on your account To add money to your account use the add debit link in the account server Credit key a key that you can take now but pay later Credit money paying with credit money allows you to get your keys now and pay for them later Keep old ...

Page 65: ...nstallation Sets an entry in this list represents the choice of packages selected to install from a directory If you want to make your own set browse for a folder that contains packages npk files select needed packages in the list and press the Save set button From type the directory where your packages are stored or press the Browse button to select the directory Select all selects all packages i...

Page 66: ...act the packages npk files on your hard drive NetInstall v1 10 Page 52 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 67: ... p memory settings m memory test u cpu mode f pci back off r reset configuration g bios upgrade through serial port c bios license information x exit setup your choice o boot device Press the e key to make the RouterBoard to boot from Ethernet interface Select boot device i IDE e Etherboot 1 Etherboot timeout 15s IDE 2 Etherboot timeout 1m IDE 3 Etherboot timeout 5m IDE 4 Etherboot timeout 30m IDE...

Page 68: ...uter by MAC address in the list Click on the desired entry and you will be able to configure installation parameters When done press the Install button to install RouterOS 6 When the installation process has finished press Enter on the console or Reboot button in the NetInstall program Remember to set the boot device back to IDE in the RouterBoard BIOS Page 54 of 695 Copyright 1999 2007 MikroTik A...

Page 69: ...ith commands which are used to perform the following functions system backup system restore from a backup configuration export configuration import system configuration reset Description The configuration backup can be used for backing up MikroTik RouterOS configuration to a binary file which can be stored on the router or downloaded from it using FTP The configuration restore can be used for rest...

Page 70: ...r your configuration To restore the system configuration for example after a system reset it is possible to upload that file via ftp and load that backup file using load command in system backup submenu Command Description load name filename Load configuration backup from a file save name filename Save configuration backup to a file Example To save the router configuration to file test admin Mikro...

Page 71: ...s export file address admin MikroTik ip address To make an export file from only one item admin MikroTik ip address export file address1 from 1 admin MikroTik ip address To see the files stored on the router admin MikroTik file print NAME TYPE SIZE CREATION TIME 0 address rsc script 315 dec 23 2003 13 21 48 1 address1 rsc script 201 dec 23 2003 13 22 57 admin MikroTik To export the setting on the ...

Page 72: ...and name system reset Description The command clears all configuration of the router and sets it to the default including the login name and password admin and no password IP addresses and other configuration is erased interfaces will become disabled After the reset command router will reboot Command Description reset erases router s configuration Notes If the router has been installed using netin...

Page 73: ...ired system License required level1 Home menu level file Standards and Technologies FTP RFC 959 Hardware usage Not significant Related Documents Software Package Management Configuration Management File Transfer Protocol Server Home menu level file Description MikroTik RouterOS has an industry standard FTP server feature It uses ports 20 and 21 for communication with other hosts on the network Upl...

Page 74: ...directory unknown script package backup item type Command Description print shows a list of files stored shows contents of files less that 4kb long offers to edit file s contents with editor sets the file s contents to content Page 60 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks ...

Page 75: ...telnet is used to provide access to a router that has no IP address set It works just like IP telnet MAC telnet is possible between two MikroTik RouterOS routers only Specifications Packages required system License required level1 Home menu level tool tool mac server Standards and Technologies MAC Telnet Hardware usage Not significant Related Documents Software Package Management WinBox Ping MNDP ...

Page 76: ...c server print Flags X disabled INTERFACE 0 ether1 admin MikroTik tool mac server MAC WinBox Server Home menu level tool mac server mac winbox Property Description interface name all default all interface name to which it is alowed to connect with Winbox using MAC based protocol all all interfaces Notes There is an interface list in this submenu level If you add some interfaces to this list you al...

Page 77: ...E 0 wlan1 00 0B 6B 31 08 22 00 03 01 admin MikroTik tool mac server sessions MAC Telnet Client Command name tool mac telnet MAC address Example admin MikroTik tool mac telnet 00 02 6F 06 59 42 Login admin Password Trying 00 02 6F 06 59 42 Connected to 00 02 6F 06 59 42 MMM MMM KKK TTTTTTTTTTT KKK MMMM MMMM KKK TTTTTTTTTTT KKK MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK MMM MM MMM III KK...

Page 78: ...h devices and other systems that are interconnected via serial port The serial terminal may be used to monitor and configure many devices including modems network devices including MikroTik routers and any device that can be connected to a serial asynchronous port Specifications Packages required system License required level1 Home menu level system system console system serial terminal Standards ...

Page 79: ...ng equipment through a serial console connection to a high speed microwave modem that needed to be monitored and managed by a serial console connection With the serial terminal feature of the MikroTik up to 132 and maybe even more devices can be monitored and controlled Serial Console Configuration Description A special null modem cable should be used for connecting to the serial console The Seria...

Page 80: ...9600 data bits 8 parity none stop bits 1 flow control none admin MikroTik system serial console Using Serial Terminal Command name system serial terminal Description The command is used to communicate with devices and other systems that are connected to router via serial port All keyboard input is forwarded to the serial port and all data from the port is output to the connected device After exiti...

Page 81: ...facility is created to change line number per screen if you have a monitor connected to router Property Description line count 25 40 50 number of lines on monitor Notes This parameter is applied only to a monitor connected to the router Example To set monitor s resolution from 80x25 to 80x40 admin MikroTik system console screen set line count 40 admin MikroTik system console screen print line coun...

Page 82: ...Example System Upgrade Description Property Description Example Adding Package Source Description Property Description Notes Example Software Package List Description General Information Summary The MikroTik RouterOS is distributed in the form of software packages The basic functionality of the router and the operating system itself is provided by the system software package Other Page 68 of 695 C...

Page 83: ...elf can be easily upgraded Multiple packages can be installed at once The package dependency is checked before installing a software package The package will not be installed if the required software package is missing The version of the feature package should be the same as that of the system package The packages can be uploaded on the router using ftp and installed only when the router is going ...

Page 84: ...fer Upload the software package files to the router Check the information about the uploaded software packages using the file print command Reboot the router by issuing the system reboot command or by pressing Ctrl Alt Del keys at the router s console After reboot verify that the packages were installed correctly by issuing system package print command Notes The packages uploaded to the router sho...

Page 85: ...even if marked for uninstallation Example Suppose we need to uninstall security package from the router admin MikroTik system package print NAME VERSION SCHEDULED 0 system 2 9 11 1 routing 2 9 11 2 dhcp 2 9 11 3 hotspot 2 9 11 4 wireless 2 9 11 5 web proxy 2 9 11 6 advanced tools 2 9 11 7 security 2 9 11 8 ppp 2 9 11 9 routerboard 2 9 11 admin MikroTik system package uninstall security admin Mikro...

Page 86: ...ious state It is useful if you don t want to uninstall a package but just turn off its functionality Notes If a package is marked for disabling but it is required for another dependent package then the marked package cannot be disabled You should disable or uninstall the dependent package too For the list of package dependencies see the Software Package List section below If any of the test packag...

Page 87: ...k system package print admin MikroTik system package pr Flags X disabled NAME VERSION SCHEDULED 0 system 2 9 11 1 routerboard 2 9 11 2 wireless test 2 9 11 scheduled for uninstall 3 ntp 2 9 11 4 routeros rb500 2 9 11 5 X rstp bridge test 2 9 11 6 wireless 2 9 11 7 webproxy test 2 9 11 8 routing 2 9 11 9 X routing test 2 9 11 10 ppp 2 9 11 11 dhcp 2 9 11 12 hotspot 2 9 11 13 security 2 9 11 14 adva...

Page 88: ...ERSION STATUS COMPLETED 0 192 168 25 8 advanced tools 2 9 11 available 1 192 168 25 8 dhcp 2 9 11 available 2 192 168 25 8 hotspot 2 9 11 available 3 192 168 25 8 isdn 2 9 11 available 4 192 168 25 8 ntp 2 9 11 available 5 192 168 25 8 ppp 2 9 11 available 6 192 168 25 8 routerboard 2 9 11 available 7 192 168 25 8 routing 2 9 11 available 8 192 168 25 8 security 2 9 11 available 9 192 168 25 8 syn...

Page 89: ...etrieved password text password of the remote router user text username of the remote router Notes After specifying a remote router in system upgrade upgrade package source you can type system upgrade refresh to refresh the package list and system upgrade print to see all available packages Example To add a router with IP address 192 168 25 8 username admin and no password system upgrade upgrade p...

Page 90: ...gging facility winbox server as well as winbox executable with some plugins After installing the MikroTik RouterOS a free license should be obtained from MikroTik to enable the basic system functionality Additional Software Feature Packages The table below shows additional software feature packages extended functionality provided by them the required prerequisites and additional licenses if any Na...

Page 91: ...nd Moxa C101 Moxa C502 Farsync Cyclades PC300 LMC SBE and XPeed synchronous cards none Synchronous telephony IP telephony support H 323 none none thinrouter pcipc forces PCI to CardBus Bridge to use IRQ 11 as in ThinRouters none none ups APC Smart Mode UPS support none none web proxy HTTP Web proxy support none none wireless Provides support for Cisco Aironet cards PrismII and Atheros wireless sta...

Page 92: ...r mode and then just rebooting the router This manual discusses a more advanced method how to upgrade a router automatically If you have more than one router then this can be useful Specifications Packages required system License required level1 Home menu level system upgrade Standards and Technologies None Hardware usage Not significant System Upgrade Home menu level system upgrade Related Docume...

Page 93: ...in MikroTik system upgrade print SOURCE NAME VERSION STATUS COMPLETED 0 192 168 25 8 advanced tools 2 9 available 1 192 168 25 8 dhcp 2 9 available 2 192 168 25 8 hotspot 2 9 available 3 192 168 25 8 isdn 2 9 available 4 192 168 25 8 ntp 2 9 available 5 192 168 25 8 ppp 2 9 available 6 192 168 25 8 routerboard 2 9 available 7 192 168 25 8 routing 2 9 available 8 192 168 25 8 security 2 9 available...

Page 94: ...f the router from which the package list entry will be retrieved user text username of the remote router Notes After specifying a remote router in system upgrade upgrade package source you can type system upgrade refresh to refresh the package list and system upgrade print to see all available packages Adding an upgrade source you will be prompted for a password Example To add a router with userna...

Page 95: ...ou won t be able to tell that you re using SSH The SSH feature can be used with various SSH Telnet clients to securely connect to and administrate the router The MikroTik RouterOS supports SSH 1 3 1 5 and 2 0 protocol standards server functions for secure administration of the router telnet session termination with 40 bit RSA SSH encryption is supported secure ftp is supported preshared key authen...

Page 96: ...e service is accessible Example Let s change the default SSH port 22 to 65 on which the SSH server listens for requests admin MikroTik ip service set ssh port 65 admin MikroTik ip service print Flags X disabled I invalid NAME PORT ADDRESS CERTIFICATE 0 telnet 23 0 0 0 0 0 1 ftp 21 0 0 0 0 0 2 www 80 0 0 0 0 0 3 ssh 65 0 0 0 0 0 4 X www ssl 443 0 0 0 0 0 admin MikroTik ip service SSH Client Command...

Page 97: ...RR OOO OOO TTT III KKKKK MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK MikroTik RouterOS 2 9rc7 c 1999 2005 http www mikrotik com Terminal unknown detected using single line input mode admin MikroTik Page 83 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other tradema...

Page 98: ... required level1 Home menu level system ip service Standards and Technologies Telnet RFC 854 Hardware usage Not significant Related Documents Package Management System Resource Management Telnet Server Home menu level ip service Description Telnet protocol is intended to provide a fairly general bi directional eight bit byte oriented communications facility The main goal is to allow a standard met...

Page 99: ... telnet client is used to connect to other hosts in the network via Telnet protocol Example An example of Telnet connection admin MikroTik system telnet 172 16 0 1 Trying 172 16 0 1 Connected to 172 16 0 1 Escape character is MikroTik v2 9 Login admin Password MMM MMM KKK TTTTTTTTTTT KKK MMMM MMMM KKK TTTTTTTTTTT KKK MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK MMM MM MMM III KKKKK RRR R...

Page 100: ...ration and management features using text terminals id est remote terminal clients or locally attached monitor and keyboard The Terminal Console is also used for writing scripts This manual describes the general console operation principles Please consult the Scripting Manual on some advanced console commands and on how to write scripts Specifications Packages required system License required leve...

Page 101: ...10 1 0 1 0 isp1 admin MikroTik Instead of typing ip route path before each command the path can be typed only once to move into this particular branch of menu hierarchy Thus the example above could also be executed like this admin MikroTik ip route admin MikroTik ip route print Flags A active X disabled I invalid D dynamic C connect S static r rip b bgp o ospf d dynamic DST ADDRESS G GATEWAY DISTA...

Page 102: ...rties Thus they would not change on their own However there are all kinds of obscure situations possible when several users are changing router s configuration at the same time Generally item names are more stable than the numbers and also more informative so you should prefer them to numbers when writing console scripts Notes Item numbers are assigned by print command and are not constant it is p...

Page 103: ...ey all have a common beginning which is longer than that what you have typed then the word is completed to this common part and no space is appended interface set e Tab _ becomes interface set ether_ If you ve typed just the common part pressing the tab key once has no effect However pressing it for the second time shows all possible completions in compact form admin MikroTik interface set e Tab _...

Page 104: ...dmin MikroTik interface monitor traffic _ Additional Information Description Built in Help The console has a built in help which can be accessed by typing General rule is that help shows what you can type in position where the was pressed similarly to pressing Tab key twice but in verbose form and with explanations Internal Item Numbers You can specify multiple items as targets to some commands Al...

Page 105: ...nd has arguments with names corresponding to values you can change Use or double Tab to see list of all arguments If there is a list of items in this command level then set has one action argument that accepts the number of item or list of numbers you wish to set up This command does not return anything add this command usually has all the same arguments as set except the action number argument It...

Page 106: ... risk Safe mode is entered by pressing Ctrl X To quit safe mode press Ctrl X again admin MikroTik ip route Ctrl X Safe Mode taken admin MikroTik ip route SAFE Message Safe Mode taken is displayed and prompt changes to reflect that session is now in safe mode All configuration changes that are made also from other login sessions while router is in safe mode are automatically undone if safe mode ses...

Page 107: ... then session is automatically put out of the safe mode no changes are automatically undone Thus it is best to change configuration in small steps while in safe mode Pressing Ctrl X twice is an easy way to empty safe mode action list Page 93 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trad...

Page 108: ...sections in the manual The Winbox Console plugin loader the winbox exe program can be retrieved from the MikroTik router the URL is http router_address winbox winbox exe Use any web browser on Windows 95 98 ME NT4 0 2000 XP or Linux to retrieve the winbox exe executable file from Router If your router is not specifically configured you can also type in the web browser just http router_address The ...

Page 109: ...his program to your local disk and run it from there The winbox exe program opens the Winbox login window Page 95 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 110: ...r CDP Cisco Discovery Protocol devices Page 96 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 111: ...ile or exports them to wbx file Secure Mode provides privacy and data integrity between WinBox and RouterOS by means of TLS Transport Layer Security protocol Keep Password Saves password as a plain text on a local hard drive Warning storing passwords in plain text allows anybody with access to your files to read the password from there The Winbox Console of the router Page 97 of 695 Copyright 1999...

Page 112: ...double clicking on some list items in the windows you can open configuration windows for the specific items and so on There are some hints for using the Winbox Console To open the required window simply click on the corresponding menu item Add a new entry Remove an existing entry Enable an item Disable an item Page 98 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and Ro...

Page 113: ...ield and that you ve specified the correct port in the Winbox loader The command ip service set www port 80 address 0 0 0 0 0 will change these values to the default ones so you will be able to connect specifying just the correct address of the router in the address field of Winbox loader The Winbox Console uses TCP port 8291 Make sure you have access to it through the firewall Page 99 of 695 Copy...

Page 114: ...management and the Address Resolution Protocol settings IP addresses serve as identification when communicating with other network devices using the TCP IP protocol In turn communication between devices in one physical network proceeds with the help of Address Resolution Protocol and ARP addresses Specifications Packages required system License required level1 Home menu level ip address ip arp Sta...

Page 115: ...esses Static manually assigned to the interface by a user Dynamic automatically assigned to the interface by estabilished ppp ppptp or pppoe connections Property Description actual interface read only name only applicable to logical interfaces like bridges or tunnels Holds the name of the actual hardware interface the logical one is bound to address IP address IP address broadcast IP address defau...

Page 116: ...e the IP address is assigned to mac address MAC address default 00 00 00 00 00 00 MAC address to be mapped to Notes Maximal number of ARP entries is 8192 If arp feature is turned off on the interface i e arp disabled is used ARP requests from clients are not answered by the router Therefore static arp entry should be added to the clients as well For example the router s IP and MAC addresses should...

Page 117: ...valid H DHCP D dynamic ADDRESS MAC ADDRESS INTERFACE 0 D 10 5 7 242 00 A0 24 9D 52 A4 ether1 1 10 10 10 10 06 21 00 56 00 12 ether2 admin MikroTik ip arp Proxy ARP feature Description A router with properly configured proxy ARP feature acts like a transparent ARP proxy between directly connected networks Consider the following network diagram Page 103 of 695 Copyright 1999 2007 MikroTik All rights...

Page 118: ... broadcast MAC address FF FF FF FF FF FF Since the ARP request is a broadcast it will reach all hosts in the network A including the router R1 but it will not reach host C because routers do not forward broadcasts by default A router with enabled proxy ARP knows that the host C is on another subnet and will reply with its own MAC adress The router with enabled proxy ARP always answer with its own ...

Page 119: ... pppoe in25 pppoe in 3 D pppoe in26 pppoe in admin MikroTik ip arp ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 217 24 10 0 0 0 10 0 0 255 eth LAN 1 D 10 0 0 217 32 10 0 0 230 0 0 0 0 pppoe in25 2 D 10 0 0 217 32 10 0 0 231 0 0 0 0 pppoe in26 admin MikroTik ip arp ip route print Flags X disabled I invalid D dynamic J rejected C connect S static...

Page 120: ...ed source 0 0 0 0 gateway 192 168 0 1 gateway state reachable distance 1 interface pppsync 1 DC dst address 192 168 0 1 32 preferred source 10 0 0 214 gateway 0 0 0 0 gateway state reachable distance 0 interface pppsync admin MikroTik ip address As you can see a dynamic connected route has been automatically added to the routes list If you want the default gateway be the other router of the p2p li...

Page 121: ...Notes Example Interfaces Description Property Description Example Virtual Links Description Property Description Notes Example Neighbours Description Property Description Notes Example OSPF backup without using a tunnel Routing tables with Revised Link Cost Functioning of the Backup General Information Summary Page 107 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and R...

Page 122: ...outing information via a common routing protocol In order to deploy the OSPF all routers it will be running on should be configured in a coordinated manner note that it also means that the routers should have the same MTU for all the networks advertized by OSPF protocol The OSPF protocol is started after you will add a record to the OSPF network list The routes learned by the OSPF protocol are ins...

Page 123: ... to its routing database i e routes that have been created using the ip route add command router id IP address default 0 0 0 0 OSPF Router ID If not specified OSPF uses the largest IP address configured on the interfaces as its router ID Notes Within one area only the router that is connected to another area i e Area border router or to another AS i e Autonomous System boundary router should have ...

Page 124: ...structure of an area is invisible from the outside of the area This isolation of knowledge enables the protocol to effect a marked reduction in routing traffic as compared to treating the entire Autonomous System as a single link state domain 60 80 routers have to be the maximum in one area Property Description area id IP address default 0 0 0 0 OSPF area identifier Default area id 0 0 0 0 is the ...

Page 125: ...OST AUTHENTICATION 0 backbone 0 0 0 0 none 1 local_10 0 0 10 5 no 1 none admin WiFi routing ospf area Networks Home menu level routing ospf network Description There can be Point to Point networks or Multi Access networks Multi Access network can be a broadcast network a single message can be sent to all routers To start the OSPF protocol you have to define the networks on which it will run and th...

Page 126: ...re routing traffic will ensue This value must be the same on each end of the adjancency otherwise the adjacency will not form interface name default all interface on which OSPF will run all is used for the interfaces not having any specific settings priority integer 0 255 default 1 router s priority It helps to determine the designated router for the network When two routers attached to a network ...

Page 127: ...ed point to point network Property Description neighbor id IP address default 0 0 0 0 specifies router id of the neighbour transit area name default unknown a non backbone area the two routers have in common Notes Virtual links can not be estabilished through stub areas Example To add a virtual link with the 10 0 0 201 router through the ex area do the following admin MikroTik routing ospf virtual...

Page 128: ...eighbours ExStart the DR Designated Router and BDR Backup Designated Router create an adjancency with each other and they begin creating their link state databases using Database Description Packets Exchange is the process of discovering routes by exchanging Database Description Packets Loading receiving information from the neighbour Full the link state databases are completely synchronized The r...

Page 129: ...ces peer1 and peer2 will be configured for the OSPF protocol The interface main_gw will not be used for distributing the OSPF routing information 3 The routers OSPF peer 1 and OSPF peer 2 will distribute their connected route information and receive the default route using the OSPF protocol Now let s setup the OSPF_MAIN router The router should have 3 NICs admin OSPF_MAIN interface print Flags X d...

Page 130: ...N routing ospf area print Flags X disabled I invalid NAME AREA ID STUB DEFAULT COST AUTHENTICATION 0 backbone 0 0 0 0 none 1 local_10 0 0 0 1 no 1 none Add connected networks with area local_10 in ospf network admin OSPF_MAIN routing ospf network print Flags X disabled I invalid NETWORK AREA 0 10 1 0 0 24 local_10 1 10 2 0 0 24 local_10 For main router the configuration is done Next you should con...

Page 131: ...outer Enable the following interfaces admin OSPF_peer_2 interface print Flags X disabled D dynamic R running NAME TYPE RX RATE TX RATE MTU 0 R to_main ether 0 0 1500 1 R to_peer_1 ether 0 0 1500 Add the needed IP addresses admin OSPF_peer_2 ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 2 0 1 24 10 2 0 0 10 2 0 255 to_main 1 10 3 0 2 24 10 3 0 0 10 3...

Page 132: ...o 10 3 0 0 24 110 2 DC 10 3 0 0 24 r 0 0 0 0 0 backup 3 Do 10 2 0 0 24 r 10 1 0 2 110 to_main r 10 3 0 2 backup 4 Io 10 1 0 0 24 110 5 DC 10 1 0 0 24 r 0 0 0 0 0 to_main admin OSPF_peer_2 ip route print Flags X disabled I invalid D dynamic J rejected C connect S static r rip o ospf b bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Do 192 168 0 0 24 r 10 2 0 2 110 to_main 1 Io 10 3 0 0 24 110 2 DC 1...

Page 133: ...ettings we have only one equal cost multipath route left to the network 10 3 0 0 24 from OSPF_MAIN router Routes on OSPF_MAIN router admin OSPF_MAIN ip route print Flags X disabled I invalid D dynamic J rejected C connect S static r rip o ospf b bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Io 192 168 0 0 24 110 1 DC 192 168 0 0 24 r 0 0 0 0 0 main_gw 2 Do 10 3 0 0 24 r 10 2 0 1 110 to_peer_2 r 1...

Page 134: ...10 2 DC 10 3 0 0 24 r 0 0 0 0 0 to_peer_1 3 Io 10 2 0 0 24 110 4 DC 10 2 0 0 24 r 0 0 0 0 0 to_main 5 Do 10 1 0 0 24 r 10 2 0 2 110 to_main Functioning of the Backup If the link between routers OSPF_MAIN and OSPF_peer_1 goes down we have the following situation The OSPF routing changes as follows Routes on OSPF_MAIN router admin OSPF_MAIN ip route print Flags X disabled I invalid D dynamic J rejec...

Page 135: ...main On OSPF_peer_2 admin OSPF_peer_2 ip route print Flags X disabled I invalid D dynamic J rejected C connect S static r rip o ospf b bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Do 192 168 0 0 24 r 10 2 0 2 110 to_main 1 Io 10 3 0 0 24 110 2 DC 10 3 0 0 24 r 0 0 0 0 0 to_peer_1 3 Io 10 2 0 0 24 110 4 DC 10 2 0 0 24 r 0 0 0 0 0 to_main 5 Do 10 1 0 0 24 r 10 2 0 2 110 to_main The change of the r...

Page 136: ...escription Property Description Example Routes Property Description Notes Example Example General Information Summary MikroTik RouterOS implements RIP Version 1 RFC1058 and Version 2 RFC 2453 RIP enables routers in an autonomous system to exchange routing information It always uses the best path the path with the fewest number of hops i e routers available Specifications Page 122 of 695 Copyright ...

Page 137: ... RIP protocol are installed in the route list ip route print with the distance of 120 Additional Documents RIPv1 Protocol RIPv2 Protocol Cisco Systems RIP protocol overview General Setup Property Description redistribute static yes no default no specifies whether to redistribute static routes to neighbour routers or not redistribute connected yes no default no specifies whether to redistribute con...

Page 138: ...distribute the routes to the connected networks admin MikroTik routing rip set redistribute connected yes admin MikroTik routing rip print redistribute static no redistribute connected yes redistribute ospf no redistribute bgp no metric static 1 metric connected 1 metric ospf 1 metric bgp 1 update timer 30s timeout timer 3m garbage timer 2m admin MikroTik routing rip Interfaces Home menu level rou...

Page 139: ... prefix list out plout admin MikroTik routing rip interface print Flags I inactive 0 interface ether1 receive v2 send v2 authentication none authentication key prefix list in plout prefix list out none admin MikroTik routing rip Networks Home menu level routing rip network Description To start the RIP protocol you have to define the networks on which RIP will run Property Description address IP ad...

Page 140: ...rce RIP protocol to exchange routing information with the 10 0 0 1 router admin MikroTik routing rip neighbor add address 10 0 0 1 admin MikroTik routing rip neighbor print Flags I inactive ADDRESS 0 10 0 0 1 admin MikroTik routing rip Routes Home menu level routing rip route Property Description dst address read only IP address mask network address and netmask of destination gateway read only IP ...

Page 141: ...e print Flags X disabled I invalid D dynamic J rejected C connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 DC 192 168 0 0 24 r 0 0 0 0 0 ether2 1 DC 10 0 0 0 24 r 0 0 0 0 0 ether1 admin MikroTik Note that no default route has been configured The route will be obtained using the RIP The necessary configuration of the RIP general settings is as follows admin MikroTik ro...

Page 142: ... 192 168 3 0 24 r 10 0 0 26 120 ether1 2 R 192 168 1 0 24 r 10 0 0 26 120 ether1 3 DC 192 168 0 0 24 r 0 0 0 0 0 ether2 4 DC 10 0 0 0 24 r 0 0 0 0 0 ether1 admin MikroTik routing rip Cisco Router Configuration Cisco show running config interface Ethernet0 ip address 10 0 0 26 255 255 255 0 no ip directed broadcast interface Serial1 ip address 192 168 1 1 255 255 255 252 ip directed broadcast route...

Page 143: ... 0 0 0 0 0 120 1 via 192 168 1 2 00 00 05 Serial1 Cisco As we can see the Cisco router has learned RIP routes both from the MikroTik router 192 168 0 0 24 and from the ISP router 0 0 0 0 0 and 192 168 3 0 24 Page 129 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein a...

Page 144: ...ith Failover General Information Summary The following manual surveys the IP routes management equal cost multi path ECMP routing technique and policy based routing Specifications Packages required system License required level1 Home menu level ip route Standards and Technologies IP RFC 791 Hardware usage Not significant Related Documents IP Addresses and ARP Filter NAT Page 130 of 695 Copyright 1...

Page 145: ... routes can be created by routing protocols RIP or OSPF or by adding a static route with multiple gateways separated by a comma e g ip route add gateway 192 168 0 1 192 168 1 1 The routing protocols may create multipath dynamic routes with equal cost automatically if the cost of the interfaces is adjusted properly For more information on using routing protocols please read the corresponding Manual...

Page 146: ... Only those packets which have the according routing mark will be routed using this gateway With this parameter we provide policy based routing scope integer 0 255 a value which is used to recursively lookup the nexthop addresses Nexthop is looked up only through routes that have scope target scope of the nexthop target scope integer 0 255 a value which is used to recursively lookup the next hop a...

Page 147: ...ently from the regular traffic Peer to Peer programs will not work general application is policy routing redirecting regular traffic through one interface and Peer to Peer traffic through another A known workaround for this problem is to solve it from the other side making not Peer to Peer traffic to go through another gateway but all other useful traffic go through another gateway In other words ...

Page 148: ...gs X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 192 168 0 254 24 192 168 0 0 192 168 0 255 Local 1 10 1 0 2 28 10 1 0 0 10 1 0 15 Public1 2 10 1 1 2 28 10 1 1 0 10 1 1 15 Public2 admin ECMP Router ip address Add the default routes one for ISP1 and 2 for ISP2 so we can get the ratio 1 3 admin ECMP Router ip route add gateway 10 1 0 1 10 1 1 1 10 1 1 1 admin ECMP Router ip ro...

Page 149: ...setup is the following route packets from the network 192 168 0 0 24 using gateway 10 0 0 1 and packets from network 192 168 1 0 24 using gateway 10 0 0 2 If GW_1 does not respond to pings use GW_Backup for network 192 168 0 0 24 if GW_2 does not respond to pings use GW_Backup also for network 192 168 1 0 24 instead of GW_2 The setup Page 135 of 695 Copyright 1999 2007 MikroTik All rights reserved...

Page 150: ...th a new routing mark net1 and packets from network 192 168 1 0 24 with a new routing mark net2 admin PB Router ip firewall mangle add src address 192 168 0 0 24 action mark routing new routing mark net1 chain prerouting admin PB Router ip firewall mangle add src address 192 168 1 0 24 action mark routing new routing mark net2 chain prerouting admin PB Router ip firewall mangle print Page 136 of 6...

Page 151: ...eck gateway ping admin PB Router ip route add gateway 10 0 0 3 routing mark net2 check gateway ping admin PB Router ip route add gateway 10 0 0 1 admin PB Router ip route print Flags X disabled A active D dynamic C connect S static r rip b bgp o ospf DST ADDRESS PREFSRC G GATEWAY DISTANCE INTERFACE 0 ADC 10 0 0 0 24 10 0 0 7 Public 1 ADC 192 168 0 0 24 192 168 0 1 Local1 2 ADC 192 168 1 0 24 192 1...

Page 152: ...us versions Quick Setup Guide To configure a BGP instance with AS number of 200 and establish a BGP session to the 10 0 11 11 peer from the AS 100 redistributing connected and static routes only you should do the following Configure default BGP instance admin rb12 routing bgp instance set default as 200 redistribute static yes redistribute connected yes admin rb12 routing bgp instance print Flags ...

Page 153: ... of the Internet It maintains a table of routes prefixes which specify network layer reachability information NLRI between autonomous systems AS BGP is described as path vector protocol or policy routing protocol referring to the way it chooses the best route towards destination Unlike many other routing protocols BGP does not use technical metrics to select the best path but rather administrative...

Page 154: ...uting bgp peer Description You need to specify the BGP peer with whom you want to exchange the routing information The BGP exchanges routing information only if it can establish a TCP connection to its peer You can add as many peers as required Property Description hold time time specifies the BGP Hold Time value to use when negotiating with peers According to BGP specifications if router does not...

Page 155: ... integer default 0 AS number of the remote peer Page 141 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 156: ...echnologies RFC1771 Hardware usage Not significant Related Documents Software Package Management IP Addresses and ARP Routes Equal Cost Multipath Routing Policy Routing BGP Command Reference Description BGP filtering refers to the ability of BGP peer to apply administrative policies to incoming and outgoing routing update messages These policies are implemented as rules organized in chains The fol...

Page 157: ... prefix The prefix from incoming BGP routing update message is be shown with R rejected flag in the ip route print command output The prefix is suppressed from outgoing routing update message return return to the previous chain from which a jump to the current chain took place as path text unanchored pattern to be searched inside AS_PATH attribute of the route Optional sign preceiding parameter va...

Page 158: ...T_DISC BGP attribute set nexthop IP address sets next hop IP address for the route set prefsrc IP address sets preffered source address for the route set prepend integer 0 16 specifies how many times the router should prepend its AS number to the AS_PATH BGP attribute value for this route set route comment text specifies comment for the route set routing mark text sets routing mark for the route s...

Page 159: ... specified parameters of the route weight integer 2147483648 2147483647 match for the weight of the route Page 145 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 160: ...5 Wireless Interface client cards This card fits in the ISA expansion slot and provides transparent wireless communications to other network nodes Specifications Packages required arlan License required level4 Home menu level interface arlan Hardware usage Not significant Related Documents Package Management Device Driver List IP Addresses and ARP Log Management Installation Example Page 146 of 69...

Page 161: ...tion name name default arlanN assigned interface name mtu integer default 1500 Maximum Transmission Unit mac address MAC address Media Access Control address frequency 2412 2427 2442 2457 2465 default 2412 channel frequency in MHz bitrate 1000 2000 354 500 default 2000 data rate in Kbit s sid integer default 0x13816788 System Identifier Should be the same for all nodes on the radio network Must be...

Page 162: ...hange the argument value of sid to 0x03816788 and tma mode to yes admin MikroTik interface arlan set 0 sid 0x03816788 tma mode yes admin MikroTik interface arlan monitor 0 registered yes access point 00 40 88 23 91 F8 backbone 00 40 88 23 91 F9 admin MikroTik interface arlan Troubleshooting Description Keep in mind that not all combinations of I O base addresses and IRQs may work on particular mot...

Page 163: ...ster to the Access Point Check the cabling and antenna alignment Page 149 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 164: ... for bonding interface 2 Add bonding interface on Router1 admin Router1 interface bonding add slaves ether1 ether2 And on Router2 admin Router2 interface bonding add slaves ether1 ether2 3 Add addresses to bonding interfaces admin Router1 ip address add address 172 16 0 1 24 interface bonding1 admin Router2 ip address add address 172 16 0 2 24 interface bonding1 4 Test the link from Router1 admin ...

Page 165: ...l be resolved using ip arp statically set table only arp interval time default 00 00 00 100 time in milliseconds which defines how often to monitor ARP requests arp ip targets IP address default IP target address which will be monitored if link monitoring is set to arp You can specify multiple IP addresses separated by comma down delay time default 00 00 00 if a link failure has been detected bond...

Page 166: ...it and receive data in sequential order Provides load balancing and fault tolerance balance tlb Outgoing traffic is distributed according to the current load on each slave Incoming traffic is received by the current slave If receiving slave fails then another slave takes the MAC address of the failed slave Doesn t require any special switch support balance xor Use XOR policy for transmit Provides ...

Page 167: ...led I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 1 1 1 1 24 1 1 1 0 1 1 1 255 isp2 1 10 1 0 111 24 10 1 0 0 10 1 0 255 isp1 on Office2 admin office2 interface print Flags X disabled D dynamic R running NAME TYPE RX RATE TX RATE MTU 0 R isp2 ether 0 0 1500 1 R isp1 ether 0 0 1500 admin office2 interface ip add print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFA...

Page 168: ...ac address FE FD 00 00 00 01 admin office2 interface eoip print Flags X disabled R running 0 R name eoip tunnel1 mtu 1500 mac address FE FD 00 00 00 01 arp enabled remote address 1 1 1 1 tunnel id 1 1 R name eoip tunnel2 mtu 1500 mac address FE FD 00 00 00 02 arp enabled remote address 10 1 0 111 tunnel id 2 Bonding confguration for Office1 admin office1 interface bonding add slaves eoip tunnel1 e...

Page 169: ...terface bonding1 admin office2 ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 2 2 2 1 24 2 2 2 0 2 2 2 255 isp2 1 10 1 0 112 24 10 1 0 0 10 1 0 255 isp1 2 3 3 3 2 24 3 3 3 0 3 3 3 255 bonding1 admin office2 ip address ping 3 3 3 1 3 3 3 1 64 byte ping ttl 64 time 2 ms 3 3 3 1 64 byte ping ttl 64 time 2 ms 2 packets transmitted 2 packets received 0 packe...

Page 170: ... Property Description Example Bridge Port Monitoring Description Property Description Example Bridge Host Monitoring Property Description Example Bridge Firewall General Description Description Property Description Notes Bridge Packet Filter Description Property Description Bridge NAT Description Property Description Bridge Brouting Facility Description Property Description Page 156 of 695 Copyrig...

Page 171: ...ace basis MAC address table can be monitored in real time IP address assignment for router access Bridge interfaces can be filtered and NATed Support for brouting based on bridge packet filter Quick Setup Guide To put interface ether1 and ether2 in a bridge 1 Add a bridge interface called MyBridge interface bridge add name MyBridge disabled no 2 Add ether1 and ether2 to MyBridge interface interfac...

Page 172: ...n connection fail another connection could take its place This algorithm exchange configuration messages BPDU Bridge Protocol Data Unit periodically so that all bridges would be updated with the newest information about changes in network topology STP selects root bridge which is responosible for network reconfiguration such as blocking and opening ports of the other bridges The root bridge is the...

Page 173: ...in MikroTik interface bridge add print Flags X disabled R running 0 R name bridge1 mtu 1500 arp enabled mac address 61 64 64 72 65 73 stp no priority 32768 ageing time 5m forward delay 15s garbage collection interval 4s hello time 2s max message age 20s admin MikroTik interface bridge enable 0 Port Settings Home menu level interface bridge port Description The submenu is used to enslave interfaces...

Page 174: ... text the bridge ID which is in form of bridge priority bridge MAC address designated root text ID of the root bridge path cost integer the total cost of the path to the root bridge root port name port to which the root bridge is connected to Example To monitor a bridge admin MikroTik interface bridge monitor bridge1 bridge id 32768 00 02 6F 01 CE 31 designated root 32768 00 02 6F 01 CE 31 root po...

Page 175: ...oring Command name interface bridge host Property Description age read only time the time since the last packet was received from the host bridge read only name the bridge the entry belongs to local read only flag whether the host entry is of the bridge itself that way all local interfaces are shown mac address read only MAC address host s MAC address on interface read only name which of the bridg...

Page 176: ...or changing source destination MAC addresses of the packets traversing a bridge Has two built in chains scnat used for hiding a host or a network behind a different MAC address This chain is applied to the packets leaving the router through a bridged interface dstnat used for redirecting some pakets to another destinations broute makes bridge a brouter router that performs routing on some of the p...

Page 177: ...RP RARP request to a known MAC address to find out unknown IP address intended to be used by hosts to find out their own IP address similarly to DHCP service arp packet type integer arp src address IP address default 0 0 0 0 0 ARP source IP address arp src mac address MAC address default 00 00 00 00 00 00 ARP source MAC address chain text bridge firewall chain which the filter is functioning in ei...

Page 178: ... to reduce the amount of log messages Count maximum average packet rate measured in packets per second pps unless followed by Time option Time specifies the time interval over which the packet rate is measured Burst number of packets to match in a burst log prefix text defines the prefix to be printed before the logging information mac protocol integer 802 2 arp ip ipv6 ipx rarp vlan Ethernet payl...

Page 179: ...tp message sender MAC address stp sender priority integer 0 65535 sender priority stp type config tcn the BPDU type config configuration BPDU tcn topology change notification vlan encap 802 2 arp ip ipv6 ipx rarp vlan the MAC protocol type encapsulated in the VLAN frame vlan id integer 0 4095 VLAN identifier field vlan priority integer 0 7 the user priority field Notes stpmatchers are only valid i...

Page 180: ...ion describes bridge NAT options which were omitted in the general firewall description Property Description action accept arp reply drop dst nat jump log mark passthrough redirect return src nat default accept action to undertake if the packet matches the rule one of the accept accept the packet No action i e the packet is passed through without undertaking any action and no more rules are proces...

Page 181: ... packet matches the rule one of the accept let the bridging code decide what to do with this packet drop extract the packet from bridging code making it appear just like it would come from a not bridged interface no further bridge decisions or filters will be applied to this packet except if the packet would be router out to a bridged interface in which case the packet would be processed normally ...

Page 182: ... packet but no new packet mark there is an action mark connection but no new connection mark there is an action mark routing but no new routing mark Page 168 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 183: ...reless ISA PCI PC Adapter hardware Aironet ISA PCI PC4800 2 4GHz DS 11Mbps Wireless LAN Adapters 100mW Aironet ISA PCI PC4500 2 4GHz DS 2Mbps Wireless LAN Adapters 100mW CISCO AIR PCI340 2 4GHz DS 11Mbps Wireless LAN Adapters 30mW CISCO AIR PCI PC350 352 2 4GHz DS 11Mbps Wireless LAN Adapters 100mW Specifications Packages required wireless License required level4 Home menu level interface pc Stand...

Page 184: ...ter to the AP typically you should set the following parameters The service set identifier It should match the ssid of the AP Can be blank if you want the wireless interface card to register to an AP with any ssid The ssid will be received from the AP if the AP is broadcasting its ssid The data rate of the card should match one of the supported data rates of the AP Data rate auto should work in mo...

Page 185: ...an create a new one 0 do not create own network long retry limit integer 0 128 default 16 specifies the number of times an unfragmented packet is retried before it is dropped mode infrastructure ad hoc default infrastructure operation mode of the card modulation cck default mbok default cck modulation mode cck Complementary Code Keying mbok M ary Bi Orthogonal Keying mtu integer 256 2048 default 1...

Page 186: ...sid2 ssid3 mode infrastructure data rate 1Mbit s frequency 2437MHz modulation cck tx power 100 ap1 00 00 00 00 00 00 ap2 00 00 00 00 00 00 ap3 00 00 00 00 00 00 ap4 00 00 00 00 00 00 rx antenna right tx antenna right beacon period 100 long retry limit 16 short retry limit 16 rts threshold 2312 fragmentation threshold 2312 join net 10s card type PC4800A 3 65 admin MikroTik interface pc Interface st...

Page 187: ...us consider the following network setup with CISCO Aironet Wireless Access Point as a base station and MikroTik Wireless Router as a client The access point is connected to the wired network s HUB and has IP address from the network 10 1 1 0 24 The minimum configuration required for the AP is 1 Setting the Service Set Identifier up to 32 alphanumeric characters In our case we use ssid mt 2 Setting...

Page 188: ... for the link say 2412MHz The operation mode should be set to ad hoc One of the units slave should have wireless interface property join net set to 0s never create a network the other unit master should be set to 1s or whatever say 10s This will enable the master unit to create a network and register the slave unit to it The following command should be issued to change the settings for the pc inte...

Page 189: ...92 168 11 0 192 168 11 3 aironet 1 192 168 0 254 24 192 168 0 0 192 168 0 255 Local admin MikroTik ip address The second router will have address 192 168 11 2 The network connectivity can be tested by using ping or bandwidth test admin wnet_gw ip address add address 192 168 11 2 30 interface aironet admin wnet_gw ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTER...

Page 190: ...s internal or external clock T1 E1 TE models with 1 or 2 T1 E1 G 703 interfaces on standard RJ48C connector Full Fractional internal or external clock X 21 X21 models with 1 or 2 X 21 on standard DB 15 connector 8Mbps internal or external clock Specifications Packages required synchronous License required level4 Home menu level interface cyclades Standards and Technologies X 21 X 35 T1 E1 G 703 Fr...

Page 191: ...V24 V35 X21 default V35 the hardware media used for this interface clock rate integer default 64000 internal clock rate in bps clock source internal external tx internal default external source clock line code AMI B8ZS HDB3 NRZ default B8ZS for T1 E1 channels only Line modulation method AMI Alternate Mark Inversion B8ZS Binary 8 Zero Substitution HDB3 High Density Bipolar 3 Code ITU T NRZ Non Retu...

Page 192: ...min MikroTik ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 219 24 10 0 0 0 10 0 0 255 ether1 1 1 1 1 1 32 1 1 1 1 1 1 1 1 cyclades1 2 192 168 0 254 24 192 168 0 0 192 168 0 255 ether2 admin MikroTik ip address ping 1 1 1 2 1 1 1 2 64 byte pong ttl 255 time 12 ms 1 1 1 2 64 byte pong ttl 255 time 8 ms 1 1 1 2 64 byte pong ttl 255 time 7 ms 3 pack...

Page 193: ...1 12 255 255 255 0 interface Serial0 description connected to MikroTik ip address 1 1 1 2 255 255 255 252 serial restart delay 1 ip classless ip route 0 0 0 0 0 0 0 0 10 1 1 254 end CISCO Send ping packets to the MikroTik router CISCO ping 1 1 1 1 Type escape sequence to abort Sending 5 100 byte ICMP Echos to 1 1 1 1 timeout is 2 seconds Success rate is 100 percent 5 5 round trip min avg max 28 32...

Page 194: ...section The device drivers for PCI miniPCI PC PCMCIA and CardBus cards are loaded automatically Other network interface cards most ISA and PCI ISDN cards require the device drivers to be loaded manually using the driver add command Users cannot add their own device drivers only drivers included in the Mikrotik RouterOS software packages can be used If you need a support for a device which hasn t a...

Page 195: ... that you first find an acceptable irq setting and then try different i o base addresses If you need to specify hexadecimal values instead of decimal for the argument values put 0x before the number To see the list of available drivers issue the driver add name command The resource list shows only those interfaces which are enabled Typical io values for ISA cards are 0x280 0x300 and 0x320 Example ...

Page 196: ... keyboard 2 APIC U 3 4 serial port U 5 U 6 U 7 U 8 9 ether1 10 ether2 11 Texas Instruments PCI1250 PC card Cardbus Controller 11 Texas Instruments PCI1250 PC card Cardbus Controller 2 11 prism2_cs 11 orinoco_cs 12 usb ohci U 13 14 IDE 1 admin MikroTik system resource Suppose we need to load a driver for a NE2000 compatible ISA card Assume we had considered the information above and have checked av...

Page 197: ...ds only Other PCMCIA ISA and PCMCIA PCI adapters might not function properly Notes The Ricoh adapter might not work properly with some older motherboards When recognized properly by the BIOS during the boot up of the router it should be reported under the PCI device listing as PCI CardBus bridge Try using another motherboard if the adapter or the PCMCIA card are not recognized properly The maximum...

Page 198: ...RouterOS supports various types of Ethernet Interfaces The complete list of supported Ethernet NICs can be found in the Device Driver List Specifications Packages required system License required level1 Home menu level interface ethernet Standards and Technologies IEEE 802 3 Hardware usage Not significant Related Documents Package Management Device Driver List IP Addresses and ARP DHCP Client and ...

Page 199: ...maximum capabilities to achieve the best connection possible full duplex yes no default yes defines whether the transmission of data appears in two directions simultaneously speed 10 Mbps 100 Mbps 1 Gbps sets the data transmission speed of the interface By default this value is the maximal data rate supported by the interface Notes For some Ethernet NICs it is possible to blink the LEDs for 10s Ty...

Page 200: ...not recognized rate 10 Mbps 100 Mbps 1 Gbps the actual data rate of the connection auto negotiation done incomplete fast link pulses FLP to the adjacent link station to negotiate the SPEED and MODE of the link done negotiation done incomplete negotiation failed full duplex yes no whether transmission of data occurs in two directions simultaneously Notes See the IP Addresses and ARP section of the ...

Page 201: ...f your card is not broken Page 187 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 202: ...ing Frame Relay General Information Summary The MikroTik RouterOS supports FarSync T Series X 21 synchronous adapter hardware These cards provide versatile high performance connectivity to the Internet or to corporate networks over leased lines Specifications Packages required synchronous License required level4 Home menu level interface farsync Standards and Technologies X 21 Frame Relay PPP Hard...

Page 203: ...cN assigned interface name Example admin MikroTik interface print Flags X disabled D dynamic R running NAME TYPE MTU 0 R ether1 ether 1500 1 X farsync1 farsync 1500 2 X farsync2 farsync 1500 admin MikroTik interface admin MikroTik interface enable 1 admin MikroTik interface enable farsync2 admin MikroTik interface print Flags X disabled D dynamic R running NAME TYPE MTU 0 R ether1 ether 1500 1 far...

Page 204: ...ow up under the interface list Obtain the required license for synchronous feature The synchronous link does not work Check the cabling and the line between the modems Read the modem manual Synchronous Link Applications MikroTik router to MikroTik router Let us consider the following network setup with two MikroTik routers connected to a leased line with baseband modems Page 190 of 695 Copyright 1...

Page 205: ...l 255 time 26 ms 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 26 27 6 31 ms admin MikroTik ip address Note that for the point to point link the network mask is set to 32 bits the argument network is set to the IP address of the other end and the broadcast address is set to 255 255 255 255 The default route should be set to the gateway router 1 1 1 2 admin MikroTik ...

Page 206: ...1 ms admin MikroTik ip address MikroTik router to MikroTik router P2P using X 21 line Consider the following example The default value of the property clock source must be changed to internal for one of the cards Both cards must have media type property set to X21 IP address configuration on both routers is as follows by convention the routers are named hq and office respectively admin hq ip addre...

Page 207: ... running 0 R name farsync1 mtu 1500 line protocol cisco hdlc media type X21 clock rate 64000 clock source internal chdlc keepalive 10s frame relay lmi type ansi frame relay dce no 1 X name farsync2 mtu 1500 line protocol sync ppp media type V35 clock rate 64000 clock source external chdlc keepalive 10s frame relay lmi type ansi frame relay dce no admin MikroTik interface farsync Page 193 of 695 Co...

Page 208: ...ve media type property set to X21 and the line protocol set to frame relay Now we need to add pvc interfaces admin hq interface pvc add dlci 42 interface farsync1 admin hq interface pvc print Flags X disabled R running NAME MTU DLCI INTERFACE 0 X pvc1 1500 42 farsync1 admin hq interface pvc Similar routine has to be done also on office router admin office interface pvc add dlci 42 interface farsyn...

Page 209: ... 2 2 2 24 2 2 2 0 2 2 2 255 pvc1 admin office interface pvc enable 0 admin office interface pvc Now we can monitor the synchronous link status admin hq interface pvc ping 2 2 2 2 2 2 2 2 64 byte ping ttl 64 time 20 ms 2 2 2 2 64 byte ping ttl 64 time 20 ms 2 2 2 2 64 byte ping ttl 64 time 21 ms 2 2 2 2 64 byte ping ttl 64 time 21 ms 4 packets transmitted 4 packets received 0 packet loss round trip...

Page 210: ...ching similar in principle to X 25 in which synchronous frames of data are routed to different destinations depending on header information Frame Relay uses the synchronous HDLC frame format Specifications Packages required synchronous License required level4 Home menu level interface pvc Standards and Technologies Frame Relay RFC1490 Hardware usage Not significant Description To use Frame Relay i...

Page 211: ... time but many logical connections can co exist on a single physical line The DLCI allows the data to be logically tied to one of the connections so that once it gets to the network it knows where to send it Frame Relay Configuration Example with Cyclades Interface Let us consider the following network setup with MikroTik router with Cyclades PC300 interface connected to a leased line with baseban...

Page 212: ...rame relay lmi type ansi frame relay intf type dce interface Serial0 1 point to point ip address 1 1 1 2 255 255 255 0 no arp frame relay frame relay interface dlci 42 end Send ping to MikroTik router CISCO ping 1 1 1 1 Type escape sequence to abort Sending 5 100 byte ICMP Echos to 1 1 1 1 timeout is 2 seconds Success rate is 100 percent 5 5 round trip min avg max 28 31 32 ms CISCO Example with MO...

Page 213: ... Building configuration Current configuration ip subnet zero no ip domain lookup frame relay switching interface Ethernet0 description connected to EthernetLAN ip address 10 0 0 254 255 255 255 0 interface Serial0 description connected to Internet no ip address encapsulation frame relay IETF serial restart delay 1 frame relay lmi type ansi frame relay intf type dce interface Serial0 1 point to poi...

Page 214: ... MTU DLCI INTERFACE 0 X pvc1 1500 42 moxa c101 1 admin r1 interface pvc ip address add address 4 4 4 1 24 interface pvc1 on the R2 admin r2 interface pvc add dlci 42 interface moxa c101 1 admin r2 interface pvc print Flags X disabled R running NAME MTU DLCI INTERFACE 0 X pvc1 1500 42 moxa c101 1 admin r2 interface pvc ip address add address 4 4 4 2 24 interface pvc1 Finally we must enable PVC inte...

Page 215: ...uterOS interfaces Interface Status Home menu level interface Property Description name text the name of the interface type read only arlan bonding bridge cyclades eoip ethernet farsync ipip isdn client isdn server l2tp client l2tp server moxa c101 moxa c502 mtsync pc ppp client ppp server pppoe client pppoe server pptp client pptp server pvc radiolan sbe vlan wavelan wireless xpeed interface type ...

Page 216: ...second sent packets per second read only integer number of packets that interface has sent in one second sent bits per second read only integer number of bits that interface has sent in one second Notes One or more interfaces can be monitored at the same time To see overall traffic passing through all interfaces at time use aggregate instead of interface name Example Multiple interface monitoring ...

Page 217: ...ATE 0 serial0 Serial Console 115200 1 serial1 9600 admin MikroTik port Enter the pin code from serial terminal in this case PIN code is 3663 system serial terminal serial1 AT CPIN 3663 Now you should see OK on your screen Wait for about 5 seconds and see if the green led started to blink Press Ctrl Q to quit the serial terminal Change remote address in ppp profile in this case to 212 93 96 65 you ...

Page 218: ...address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 192 168 0 5 24 192 168 0 0 192 168 0 255 ether1 1 D 10 40 205 168 32 212 93 96 65 0 0 0 0 ppp out1 admin MikroTik ip address Page 204 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned he...

Page 219: ...DN Dial in ISDN Backup General Information Summary The MikroTik router can act as an ISDN client for dialing out or as an ISDN server for accepting incoming calls The dial out connections may be set as dial on demand or as permanent connections simulating a leased line The remote IP address provided by the ISP can be used as the default gateway for the router Specifications Packages required isdn ...

Page 220: ...g the driver add command MikroTik RouterOS supports passive PCI adapters with Siemens chipset Eicon Diehl Diva diva Sedlbauer Speed sedlbauer ELSA Quickstep 1000 quickstep NETjet netjet Teles teles Dr Neuhaus Niccy niccy AVM avm Gazel gazel HFC 2BDS0 based adapters hfc W6692 based adapters w6692 For example for the HFC based PCI card it is enough to use driver add name hfc command to get the drive...

Page 221: ... numbers can be used to dial the ISDN line These numbers are referred to as Multiple Subscriber Numbers MSN A similar but separate concept is EAZ numbering which is used in German ISDN networking EAZ number can be used in addition to dialed phone number to specify the required service For dial out ISDN interfaces MSN EAZ number specifies the outgoing phone number the calling end For dial in ISDN i...

Page 222: ...sdn client add msn 142 user test password test phone 144 bundle 128K no admin MikroTik interface isdn client print Flags X disabled R running 0 X name isdn out1 mtu 1500 mru 1500 msn 142 user test password test profile default phone 144 l2 protocol hdlc bundle 128K no dial on demand no add default route no use peer dns no admin MikroTik interface isdn client ISDN Server Interface Configuration Hom...

Page 223: ...rint Flags X disabled E exclusive NAME CHANNEL DIR TYPE PHONE 0 channel1 0 1 channel2 1 admin MikroTik isdn channels Suppose you would like to use dial on demand to dial your ISP and automatically add a default route to it Also you would like to disconnect when there is more than 30s of network inactivity Your ISP s phone number is 12345678 and the user name for authentication is john Your ISP ass...

Page 224: ... E exclusive NAME CHANNEL DIR TYPE PHONE 0 channel1 0 1 channel2 1 admin MikroTik isdn channels Add an incoming ISDN interface and configure it in the following way admin MikroTik interface isdn server add msn 7542159 authentication chap pap bundle 128K no admin MikroTik interface isdn server print Flags X disabled 0 X name isdn in1 mtu 1500 mru 1500 msn 7542159 authentication chap pap profile def...

Page 225: ...system In this example we ll use an ISDN connection for purpose to backup a standard Ethernet connection You can however use instead of the ISDN connection anything you need PPP for example When the Ethernet fail the router nr 1 cannot ping the router nr 2 to 2 2 2 2 see picture the router nr 1 will establish an ISDN connection so called backup link to continue communicating with the nr 2 You must...

Page 226: ...er admin MikroTik ppp profile set default local address 3 3 3 254 remote address 3 3 3 1 admin MikroTik interface isdn server add name backup msn 7801032 An ISDN client must be added to the first router admin MikroTik interface isdn client add name backup user backup password backup phone 7801032 msn 7542159 Then you have to set up static routes Use the ip route add command to add the required sta...

Page 227: ...d name connection_up source ip route set route1 gateway 2 2 2 1 To get all above listed to work set up Netwatch utility To use netwatch you need the advanced tools feature package installed Please upload it to the router and reboot When installed the advanced tools package should be listed under the system package print list Add the following settings to the first router admin Mikrotik tool netwat...

Page 228: ...all packet sizes of around 100 bytes M3P features enabled by a per interface setting other routers with MikroTik Discovery Protocol enabled will broadcast M3P settings significantly increases bandwidth availability over some wireless links by approximately four times offer configuration settings to customize this feature Specifications Packages required system License required level1 Home menu lev...

Page 229: ...ted packet packet size is reached or a maximum time of 15ms 5ms Setup Home menu level ip packing Description M3P is working only between MikroTik routers which are discovered with MikroTik Neighbor Discovery Protocol MNDP When M3P is enabled router needs to know which of its neighbouring hosts have enabled M3P MNDP is used to negotiate unpacking settings of neighbours therefore it has to be enable...

Page 230: ...d size setting minimum value of both ends is actual maximum size of aggregated packet used aggregated size can be bigger than interface MTU if network device allows it to be i e it supports sending and receiving frames bigger than 1514 bytes Example To enable maximal compression on the ether1 interface admin MikroTik ip packing add interface ether1 packing compress all unpacking compress all admin...

Page 231: ...Synchronous 4Mb s Adapter hardware The V 35 synchronous interface is the standard for VSAT and other satellite modems However you must check with the satellite system supplier for the modem interface type Specifications Packages required synchronous License required level4 Home menu level interface moxa c101 Standards and Technologies Cisco HDLC X 25 RFC 1356 Frame Relay RFC1490 PPP RFC 1661 PPP R...

Page 232: ... V 35m 4 RTS OUT C 5 CTS IN D 6 DSR IN E 7 GND B 8 DCD IN F 10 TxDB OUT S 11 TxDA OUT P 12 RxDB IN T 13 RxDA IN R 14 TxCB IN AA 16 TxCA IN Y 20 DTR OUT H 22 RxCB IN X 23 RxCA IN V short 9 and 25 pin Additional Documents For more information about the MOXA C101 synchronous 4Mb s adapter hardware please see http www moxa com product sync C101 htm the product on line documentation C101 SuperSync Boar...

Page 233: ...ons For synchronous modems which have a DB 25 connection you should use a standard DB 25 cable The MikroTik driver for the MOXA C101 Synchronous adapter allows you to unplug the V 35 cable from one modem and plug it into another modem with a different clock speed and you do not need to restart the interface or router Example admin MikroTik interface moxa c101 admin MikroTik interface moxa c101 pri...

Page 234: ...valid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 254 24 10 0 0 254 10 0 0 255 ether2 1 192 168 0 254 24 192 168 0 254 192 168 0 255 ether1 2 1 1 1 1 32 1 1 1 2 255 255 255 255 wan admin MikroTik ip address ping 1 1 1 2 1 1 1 2 64 byte pong ttl 255 time 31 ms 1 1 1 2 64 byte pong ttl 255 time 26 ms 1 1 1 2 64 byte pong ttl 255 time 26 ms 3 packets transmitted 3 packets received 0 packet...

Page 235: ...nvalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 254 24 10 0 0 254 10 0 0 255 ether2 1 192 168 0 254 24 192 168 0 254 192 168 0 255 ether1 2 1 1 1 1 32 1 1 1 2 255 255 255 255 wan admin MikroTik ip address ping 1 1 1 2 1 1 1 2 64 byte pong ttl 255 time 31 ms 1 1 1 2 64 byte pong ttl 255 time 26 ms 1 1 1 2 64 byte pong ttl 255 time 26 ms 3 packets transmitted 3 packets received 0 packe...

Page 236: ...seconds Success rate is 100 percent 5 5 round trip min avg max 28 32 40 ms CISCO Note Keep in mind that for the point to point link the network mask is set to 32 bits the argument network is set to the IP address of the other end and the broadcast address is set to 255 255 255 255 Page 222 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of M...

Page 237: ...PCI Dual port Synchronous 8Mb s Adapter hardware The V 35 synchronous interface is the standard for VSAT and other satellite modems However you must check with the satellite system supplier for the modem interface type Specifications Packages required synchronous License required level4 Home menu level interface moxa c502 Standards and Technologies Cisco HDLC X 25 RFC 1356 Frame Relay RFC1490 PPP ...

Page 238: ...ult 64000 speed of internal clock clock source external internal tx from rx tx internal default external clock source frame relay dce yes no default no operate or not in DCE mode frame relay lmi type ansi ccitt default ansi Frame relay Local Management Interface type ansi set LMI type to ANSI 617d also known as Annex A ccitt set LMI type to CCITT Q933a also known as Annex A ignore dcd yes no defau...

Page 239: ...s admin MikroTik interface moxa c502 monitor 0 dtr yes rts yes cts yes dsr yes dcd yes admin MikroTik interface moxa c502 Troubleshooting Description The synchronous interface does not show up under the interfaces list Obtain the required license for synchronous feature The synchronous link does not work Check the V 35 cabling and the line between the modems Read the modem manual Synchronous Link ...

Page 240: ...I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 1 1 12 24 10 1 1 12 10 1 1 255 Public 1 1 1 1 2 32 1 1 1 1 255 255 255 255 moxa admin MikroTik ip address ping 1 1 1 1 1 1 1 1 64 byte pong ttl 255 time 31 ms 1 1 1 1 64 byte pong ttl 255 time 26 ms 1 1 1 1 64 byte pong ttl 255 time 26 ms 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 26 27 6 31 ms admin Mi...

Page 241: ...configuration interface Ethernet0 description connected to EthernetLAN ip address 10 1 1 12 255 255 255 0 interface Serial0 description connected to MikroTik ip address 1 1 1 2 255 255 255 252 serial restart delay 1 ip classless ip route 0 0 0 0 0 0 0 0 10 1 1 254 end CISCO Send ping packets to the MikroTik router CISCO ping 1 1 1 1 Type escape sequence to abort Sending 5 100 byte ICMP Echos to 1 ...

Page 242: ...re configurations These appear as serial0 and serial1 automatically You can add more serial ports to use the router for a modem pool using these adapters MOXA http www moxa com Smartio CP 132 2 port PCI multiport asynchronous board with maximum of 8 ports 4 cards MOXA http www moxa com Smartio C104H CP 114 or CT 114 4 port PCI multiport asynchronous board with maximum of 16 ports 4 cards MOXA http...

Page 243: ...level port Property Description name name default serialN port name used by read only text shows the user of the port Only free ports can be used in PPP setup baud rate integer default 9600 maximal data rate of the port data bits 7 8 default 8 number of bits per character transmitted parity none even odd default none character parity check method stop bits 1 2 default 1 number of stop bits after e...

Page 244: ... default unknown serial port authentication multiple choice mschap2 mschap1 chap pap default mschap2 mschap1 chap pap authentication protocol profile name default default profile name used for the link mtu integer default 1500 Maximum Transmission Unit Maximum packet size to be transmitted mru integer default 1500 Maximum Receive Unit null modem no yes default no enable disable null modem mode whe...

Page 245: ... dialout tone dial yes no default yes defines whether use tone dial or pulse dial mtu integer default 1500 Maximum Transmission Unit Maximum packet size to be transmitted mru integer default 1500 Maximum Receive Unit null modem no yes default no enable disable null modem mode when enabled no modem initialization strings are sent modem init text default modem initialization strings You may use s11 ...

Page 246: ... disabled no admin MikroTik interface ppp server print Flags X disabled R running 0 name ppp in1 mtu 1500 mru 1500 port serial1 authentication mschap2 mschap1 chap pap profile default modem init ring count 1 null modem no admin MikroTik interface ppp server Now we need to setup the client to connect to the server admin MikroTik interface ppp client add port serial1 user test password test phone 13...

Page 247: ...wing RadioLAN 5 8GHz Wireless Adapter hardware RadioLAN ISA card Model 101 RadioLAN PCMCIA card For more information about the RadioLAN adapter hardware please see the relevant User s Guides and Technical Reference Manuals Specifications Packages required radiolan License required level4 Home menu level interface radiolan Hardware usage Not significant Related Documents Package Management Device D...

Page 248: ...ur motherboard As it has been observed the IRQ 5 and I O 0x300 work in most cases Wireless Interface Configuration Home menu level interface ratiolan Description To set the wireless interface for working with another wireless card in a point to point link you should set the following parameters The Service Set Identifier It should match the sid of the other card The Distance should be set to that ...

Page 249: ...ress 00 00 00 00 00 00 distance 0 150m max retries 15 tx diversity disabled rx diversity disabled admin MikroTik interface radiolan You can monitor the status of the wireless interface admin MikroTik interface radiolan monitor radiolan1 default 00 00 00 00 00 00 valid no admin MikroTik interface radiolan Here the wireless interface card has not found any neighbor admin MikroTik interface radiolan ...

Page 250: ...s 0 min retries 0 sent 50 successfully sent 50 max retries 0 average retries 0 min retries 0 admin MikroTik interface radiolan Troubleshooting Description The radiolan interface does not show up under the interfaces list Obtain the required license for RadioLAN 5 8GHz wireless feature The wireless card does not obtain the MAC address of the default destination Check the cabling and antenna alignme...

Page 251: ...4 admin MikroTik ip route add gateway 10 1 1 254 comment copy from disabled distance dst address netmask preferred source admin MikroTik ip route add gateway 10 1 1 254 preferred source 10 1 0 1 admin MikroTik ip route add dst address 192 168 0 0 24 gateway 10 1 0 2 preferred source 10 1 0 1 admin MikroTik ip route print Flags X disabled I invalid D dynamic J rejected C connect S static R rip O os...

Page 252: ...uld be set to 10 1 0 1 Page 238 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 253: ...bit s secondary ones Sangoma S5148 single port and S5147 dual port PCI E1 T1 Specifications Packages required synchronous License required level4 Home menu level interface sangoma Standards and Technologies X 21 V 35 T1 E1 G 703 Frame Relay PPP Cisco HDLC Hardware usage Not significant Related Documents Package Management Device Driver List IP Addresses and ARP Log Management Synchronous Interface...

Page 254: ...Unframed default ESF for T1 E1 channels only The frame mode CRC4 Cyclic Redundancy Check 4 bit E1 Signaling Europe D4 Fourth Generation Channel Bank 48 Voice Channels on 2 T 1s or 1 T 1c ESF Extended Superframe Format Non CRC4 plain Cyclic Redundancy Check Unframed do not check frame integrity line build out 0dB 7 5dB 15dB 22 5dB 110ft 220ft 330ft 440ft 550ft 660ft E1 75 E1 120 default 0dB for T1 ...

Page 255: ... DS3 44 736Mbps LMC SBEI wanPCI 1T1E1 PCI T1 E1 also known as DS1 or LMC1200P 1 544 Mbps or 2 048 Mbps Specifications Packages required synchronous License required level4 Home menu level interface sbe Standards and Technologies T1 E1 T3 G 703 Frame Relay PPP Cisco HDLC Hardware usage Not significant Related Documents Package Management Device Driver List IP Addresses and ARP Log Management Synchr...

Page 256: ...ase shift for very long links mtu integer 68 1500 default 1500 IP protocol Maximum Transmission Unit name name default sbeN unique interface name scrambler yes no default no when enabled makes the card unintelligible to anyone without a special receiver General Information Connecting two MT routers via T1 crossover In the following example we will configure two routers to talk to each other via T1...

Page 257: ...uter admin R1 ip address add address 10 10 10 2 24 interface sbe1 Finally we could test connection by issuing ping command from R1 router admin R1 ping 10 10 10 2 10 10 10 2 64 byte ping ttl 64 time 7 ms 10 10 10 2 64 byte ping ttl 64 time 8 ms 10 10 10 2 64 byte ping ttl 64 time 8 ms 10 10 10 2 64 byte ping ttl 64 time 8 ms 10 10 10 2 64 byte ping ttl 64 time 8 ms 5 packets transmitted 5 packets ...

Page 258: ...ty Description Notes Example Nstreme2 Group Settings Description Property Description Notes Example Registration Table Description Property Description Example Connect List Description Property Description Access List Description Property Description Notes Example Info Description Property Description Notes Example Virtual Access Point Interface Description Page 244 of 695 Copyright 1999 2007 Mikr...

Page 259: ...ty Description Example Security Profiles Description Property Description Notes Sniffer Description Property Description Sniffer Sniff Description Property Description Command Description Sniffer Packets Description Property Description Example Snooper Description Property Description Command Description Example Station and AccessPoint Page 245 of 695 Copyright 1999 2007 MikroTik All rights reserv...

Page 260: ...de for positioning antennas and monitoring wireless signal VAP Virtual Access Point ability to disable packet forwarding among clients Nstreme wireless transmission protocol and others You can see the table of features supported by different cards The Nstreme protocol is MikroTik proprietary i e incompatible with other vendors wireless protocol aimed to improve point to point and point to multipoi...

Page 261: ...s License required level4 station and bridge mode level5 station bridge and AP mode levelfreq more frequencies Home menu level interface wireless Standards and Technologies IEEE802 11a IEEE802 11b IEEE802 11g Hardware usage Not significant Related Documents Software Package Management Device Driver List IP Addresses and ARP Log Management Description The Atheros card has been tested for distances ...

Page 262: ...any Atheros chipset based cards as many free adapter slots are on your system One license is valid for all cards on your system Note that maximal number of PCMCIA sockets is 8 Some chipsets are not stable with Atheros cards and cause radio to stop working MikroTik RouterBoard 200 RouterBoard 500 series and systems based on Intel i815 and i845 chipsets are tested and work stable with Atheros cards ...

Page 263: ...5ghz IEEE 802 11a up to 54 Mbit 5ghz turbo IEEE 802 11a using double channel providing air rate of up to 108Mbit 2ghz 10mhz variation of IEEE 802 11g with half the band and accordingly twice lower speed air rate of up to 27Mbit 2ghz 5mhz variation of IEEE 802 11g with quarter the band and accordingly four times lower speed air rate of up to 13 5Mbit 5ghz 10mhz variation of IEEE 802 11a with half t...

Page 264: ... side for APs that are not in connect list or on the APs side for clients that are not in access list yes enables AP to register a client even if it is not in access list In turn for client it allows to associate with AP not listed in client s connect list default client tx limit integer default 0 limits each client s transmit data rate in bps Works only if the client is also a MikroTik Router 0 n...

Page 265: ...rface max station count integer 1 2007 default 2007 maximal number of clients allowed to connect to AP Real life experiments from our customers show that 100 clients can work with one AP using traffic shaping mode alignment only ap bridge bridge nstreme dual slave station station wds wds slave default station operating mode alignment only this mode is used for positioning antennas to get the best ...

Page 266: ...ess clients radio name name descriptive name of the card Only for MikroTik devices rate set default configured which rate set to use default basic and supported rates settings are not used instead default values are used configured basic and supported rates settings are used as configured scan list multiple choice integer default default default the list of channels to scan default represents all ...

Page 267: ...WDS Bridging on the AP side works fine It is strongly suggested to leave basic rates at the lowest setting possible Using compression the AP can serve approximately 50 clients with compression enabled Compression is supported only by Atheros wireless cards If disable running check value is set to no the router determines whether the network interface is up and running in order to show flag R for A...

Page 268: ...scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode a...

Page 269: ... reduce the amount of protocol overhead and thus increase speed The card is not waiting for frames but in case a number of packets are queued for transmitting they can be combined There are several methods of framing none do nothing special do not combine packets best fit put as much packets as possible in one frame until the framer limit limit is met but do not fragment packets exact size put as ...

Page 270: ...er the interface should always be treated as running even if there is no connection to a remote peer framer limit integer default 2560 maximal frame size framer policy none best fit exact size default none the method how to combine frames like fast frames setting in interface configuration A number of frames may be combined into one bigger one to reduce the amout of protocol overhead and thus incr...

Page 271: ...band operating band of the transmitting radio 2 4ghz b IEEE 802 11b 2 4ghz g IEEE 802 11g 2 4ghz g turbo IEEE 802 11g in Atheros proprietary turbo mode up to 108Mbit 5ghz IEEE 802 11a up to 54 Mbit 5ghz turbo IEEE 802 11a in Atheros proprietary turbo mode up to 108Mbit tx frequency integer default 5180 Frequency to use for transmitting frames tx radio name which radio should be used for transmitti...

Page 272: ...02 1x mode none admin MikroTik interface wireless set 0 1 mode nstreme dual slave 2 Then add nstreme2 interface with exact size framing admin MikroTik interface wireless nstreme dual add framer policy exact size 3 Configure which card will be receiving and which transmitting and specify remote receiver card s MAC address admin MikroTik interface wireless nstreme dual print Flags X disabled R runni...

Page 273: ...ess of the registered client packets read only integer integer number of sent and received network layer packets packing size read only integer maximum packet size in bytes parent read only MAC address parent access point s MAC address if forwarded from another access point routeros version read only name RouterOS version of the registered client rx ccq read only integer 0 100 Client Connection Qu...

Page 274: ...61dBm 18Mbps 40m43s330ms 60dBm 24Mbps 40m43s 61dBm 36Mbps 33m10s230ms 62dBm 48Mbps 33m9s760ms 66dBm 54Mbps 10ms tx signal strength 65dBm tx ccq 24 rx ccq 20 ack timeout 28 distance 28 nstreme no framing mode none routeros version 2 9rc5 last ip 192 168 63 8 admin MikroTik interface wireless Connect List Home menu level interface wireless connect list Description The Connect List is a list of rules...

Page 275: ... association procedure is as follows when a new client wants to associate to the AP that is configured on interface wlanN an entry with client s MAC address and interface wlanN is looked up in the access list If such entry is found action specified in the access list is performed else default authentication and default forwarding arguments of interface wlanN are taken Property Description ap tx li...

Page 276: ... 2337 2342 2347 2352 2357 2362 2367 2372 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472 2484 2512 2532 2552 2572 2592 2612 2632 2652 2672 2692 2712 2732 the list of 2GHz IEEE 802 11b channels frequencies are given in MHz 2ghz g channels multiple choice read only 2312 2317 2322 2327 2332 2337 2342 2347 2352 2357 2362 2367 2372 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462...

Page 277: ...5845 5850 5855 5860 5865 5870 5875 5880 5885 5890 5895 5900 5905 5910 5915 5920 5925 5930 5935 5940 5945 5950 5955 5960 5965 5970 5975 5980 5985 5990 5995 6000 6005 6010 6015 6020 6025 6030 6035 6040 6045 6050 6055 6060 6065 6070 6075 6080 6085 6090 6095 6100 the list of 5GHz turbo channels frequencies are given in MHz ack timeout control read only yes no provides information whether this device s...

Page 278: ...5445 0 5450 0 5455 0 5460 0 5465 0 5470 0 5475 0 5480 0 5485 0 5490 0 5495 0 5500 0 5505 0 5510 0 5515 0 5520 0 5525 0 5530 0 5535 0 5540 0 5545 0 5550 0 5555 0 5560 0 5565 0 5570 0 5575 0 5580 0 5585 0 5590 0 5595 0 5600 0 5605 0 5610 0 5615 0 5620 0 5625 0 5630 0 5635 0 5640 0 5645 0 5650 0 5655 0 5660 0 5665 0 5670 0 5675 0 5680 0 5685 0 5690 0 5695 0 5700 0 5705 0 5710 0 5715 0 5720 0 5725 0 5...

Page 279: ... 0 2432 0 2437 0 2442 0 2447 0 2452 0 2457 0 2462 0 2467 0 2472 0 2477 0 2482 0 2487 0 2492 0 2497 0 2314 0 2319 0 2324 0 2329 0 2334 0 2339 0 2344 0 2349 0 2354 0 2359 0 2364 0 2369 0 2374 0 2379 0 2384 0 2389 0 2394 0 2399 0 2404 0 2409 0 2414 0 2419 0 2424 0 2429 0 2434 0 2439 0 2444 0 2449 0 2454 0 2459 0 2464 0 2469 0 2474 0 2479 0 2484 0 2489 0 2494 0 2499 0 admin MikroTik interface wireless...

Page 280: ...ilar in terms of bit values to the MAC address of the physical interface it is put onto as possible because the more different the addresses are the more it affects performance WDS Interface Configuration Home menu level interface wireless wds Description WDS Wireless Distribution System allows packets to pass from one wireless AP Access Point to another just as if the APs were ports on a wired Et...

Page 281: ... which are in WDS mode have to communicate at equal frequencies it is not recommended to use WDS and DFS simultaneously it is most probable that these routers will not connect to each other WDS significantly faster than EoIP up to 10 20 on RouterBOARD 500 systems so it is recommended to use WDS whenever possible Example admin MikroTik interface wireless wds add master interface wlan1 wds address 0...

Page 282: ...kets about other 802 11 standard packets or it will gather only alignment packets ssid all yes no default no whether you want to accept packets from hosts with other ssid than yours test audio integer test the beeper for 10 seconds Notes If you are using the command interface wireless align monitor then it will automatically change the wireless interface s mode from station bridge or ap bridge to ...

Page 283: ...RXQ LAST RX TXQ LAST TX CORRECT 0 00 01 24 70 4B FC wirelesa 60 60 0 01 67 0 01 100 admin MikroTik interface wireless align Frequency Monitor Description Aproximately shows how loaded are the wireless channels Property Description freq read only integer shows current channel use read only percentage shows usage in current channel Example Monitor 802 11b network load admin MikroTik interface wirele...

Page 284: ...ps 9 11Mbps 7 admin MikroTik interface wireless manual tx power table print 0 name wlan1 manual tx powers 1Mbps 10 2Mbps 10 5 5Mbps 9 11Mbps 7 admin MikroTik interface wireless manual tx power table Network Scan Command name interface wireless scan interface_name Description This is a feature that allows you to scan all avaliable wireless networks While scanning the card unregisters itself from th...

Page 285: ...ces WPA The Wi Fi Protected Access is a combination of 802 1X EAP MIC TKIP and AES This is a easy to configure and secure wireless mechanism It has been later updated to version 2 to provide greater security WEP The Wired Equivalent Privacy encrypts data only between 802 11 devices using static keys It is not considered a very secure wireless data encryption mechanism though it is better than no e...

Page 286: ... profile radius mac authentication no yes default no whether to use Radius server for MAC authentication static algo 0 none 40bit wep 104bit wep aes ccm tkip default none which encryption algorithm to use none do not use encryption and do not accept encrypted packets 40bit wep use the 40bit encryption also known as 64bit wep and accept only these packets 104bit wep use the 104bit encryption also k...

Page 287: ...d also must consist of even number characters static key 2 text hexadecimal key which will be used to encrypt packets with the 40bit wep or 104bit wep algorithm algo 0 If AES CCM is used the key must consist of even number of characters and must be at least 32 characters long For TKIP the key must be at least 64 characters long and also must consist of even number characters static key 3 text hexa...

Page 288: ...AP and station to communicate wpa unicast ciphers aes ccm tkip default which algorithms are allowed to use for unicast communications If the interface is an Access Point then it sends these algorithms as supported If it is a station then it will connect only to APs which support any of these algorithms Notes The keys used for encryption are in hexadecimal form If you use 40bit wep the key has to b...

Page 289: ... many packets are dropped because of exceeding file limit file saved packets read only integer number of packets saved to file file size read only integer current file size kB memory over limit packets read only integer number of packets that are dropped because of exceeding memory limit memory saved packets read only integer how many packets are stored in mermory memory size read only integer how...

Page 290: ...the sniffed packet Example Sniffed packets admin MikroTik interface wireless sniffer packet pr Flags E crc error FREQ SIGNAL RATE SRC DST TYPE 0 2412 73dBm 1Mbps 00 0B 6B 31 00 53 FF FF FF FF FF FF beacon 1 2412 91dBm 1Mbps 00 02 6F 01 CE 2E FF FF FF FF FF FF beacon 2 2412 45dBm 1Mbps 00 02 6F 05 68 D3 FF FF FF FF FF FF beacon 3 2412 72dBm 1Mbps 00 60 B3 8C 98 3F FF FF FF FF FF FF beacon 4 2412 65...

Page 291: ...STA COUNT 2 4ghz b 2412MHz 1 5 11 8kbps 2 2 2 4ghz b 2417MHz 1 3 6 83kbps 0 1 2 4ghz b 2422MHz 0 6 4 38kbps 1 1 2 4ghz b 2427MHz 0 6 4 43kbps 0 0 2 4ghz b 2432MHz 0 3 2 22kbps 0 0 2 4ghz b 2437MHz 0 0bps 0 0 2 4ghz b 2442MHz 1 8 1kbps 0 0 2 4ghz b 2447MHz 1 8 22kbps 1 1 2 4ghz b 2452MHz 1 8 3kbps 0 0 2 4ghz b 2457MHz 0 0bps 0 0 2 4ghz b 2462MHz 0 0bps 0 0 admin MikroTik interface wireless snooper ...

Page 292: ...rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disa...

Page 293: ...e wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both admin Station interface wireless ip address admin Station ip address add address 10 1 0 2 24 interface To AP admin Station ip address print Flags ...

Page 294: ...e bridge admin WDS_AP interface bridge add admin WDS_AP interface bridge print Flags X disabled R running 0 R name bridge1 mtu 1500 arp enabled mac address B0 62 0D 08 FF FF stp no priority 32768 ageing time 5m forward delay 15s garbage collection interval 4s hello time 2s max message age 20s admin WDS_AP interface bridge port Page 280 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrot...

Page 295: ...bridge1 mtu 1500 arp enabled mac address 11 05 00 00 02 00 stp no priority 32768 ageing time 5m forward delay 15s garbage collection interval 4s hello time 2s max message age 20s admin WDS_Station interface bridge port admin WDS_Station interface bridge port print INTERFACE BRIDGE PRIORITY PATH COST 0 Local none 128 10 1 wlan1 none 128 10 admin WDS_Station interface bridge port set 0 1 bridge brid...

Page 296: ...adio name 000C42050022 mode ap bridge ssid test area frequency mode superchannel country no_country_set antenna gain 0 frequency 2437 band 2 4ghz b g scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power de...

Page 297: ...o dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both admin Nstreme AP interface wireless nstreme admin Nstreme AP interface ...

Page 298: ...ling yes framer policy none framer limit 3200 admin Nstreme Client interface wireless nstreme And monitor the link admin Nstreme Client interface wireless monitor wlan1 status connected to ess band 5ghz frequency 5805MHz tx rate 24Mbps rx rate 18Mbps ssid nstreme bssid 00 0C 42 05 00 22 radio name 000C42050022 signal strength 70dBm tx signal strength 68dBm tx ccq 0 rx ccq 3 wds link no nstreme yes...

Page 299: ...ncy mode superchannel country no_country_set antenna gain 0 frequency 5180 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodi...

Page 300: ...hz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mod...

Page 301: ...ic algo 1 40bit wep static key 1 1234567890 static transmit key key 1 admin WEP_AP interface wireless security profiles print 0 name default mode none wpa unicast ciphers wpa group ciphers pre shared key static algo 0 none static key 0 static algo 1 none static key 1 static algo 2 none static key 2 static algo 3 none static key 3 static transmit key key 0 static sta private algo none static sta pr...

Page 302: ...in WEP_AP interface wireless access list Configure WEP_StationX admin WEP_Station1 interface wireless security profiles add name Station1 mode static keys required static sta private algo 104bit wep static sta private key 65432109876543210987654321 admin WEP_Station1 interface wireless security profiles print 0 name default mode none wpa unicast ciphers wpa group ciphers pre shared key static algo...

Page 303: ... interface wireless set wlan1 name WEP STAX ssid mt_wep band 5ghz security profile StationX mode station disabled no admin WEP_StationX interface wireless print 0 R name WEP STAX mtu 1500 mac address 00 0C 42 05 06 B2 arp enabled disable running check no interface type Atheros AR5413 radio name 000C420506B2 mode station ssid mt_wep area frequency mode superchannel country no_country_set antenna ga...

Page 304: ...erface wireless security profiles set default mode wpa psk pre shared key 1234567890 wpa unicast ciphers tkip wpa group ciphers aes ccm tkip admin WPA_Station interface wireless security profiles pr 0 name default mode wpa psk wpa unicast ciphers tkip wpa group ciphers tkip aes ccm pre shared key 1234567890 static algo 0 none static key 0 static algo 1 none static key 1 static algo 2 none static k...

Page 305: ...is used by the peer router MikroTik RouterOS does not send any traffic through Cisco Wireless Access Point or Wireless Bridge If you use CISCO Aironet Wireless Ethernet Bridge or Access Point you should set the Configuration Radio I80211 Extended Allow proprietary extensions to off and the Configuration Radio I80211 Extended Encapsulation Default encapsulation method to RFC1042 If left to the defa...

Page 306: ...onnection SDSL Single line Digital Subscriber Line or Symmetric Digital Subscriber Line stands for the type of DSL that uses only one of the two cable pairs for transmission SDSL allows residential or small office users to share the same telephone for data transmission and voice or fax telephony Specifications Packages required synchronous License required level4 Home menu level interface xpeed St...

Page 307: ...g data errors sdsl swap yes no default no whether or not the Xpeed 300 SDSL Adapter performs bit swapping Bit swapping can maximize error performance by attempting to maintain an acceptable margin for each bin by equalizing the margin across all bins through bit reallocation bridged ethernet yes no default yes if the adapter operates in bridged Ethernet mode dlci integer default 16 defines the DLC...

Page 308: ...4 1 1 1 0 1 1 1 255 xpeed1 admin r1 interface xpeed print Flags X disabled 0 name xpeed1 mtu 1500 mac address 00 05 7A 00 00 08 arp enabled mode network termination sdsl speed 2320 sdsl invert no sdsl swap no bridged ethernet yes dlci 16 lmi mode off cr 0 admin r1 interface xpeed Router r2 setup First we need to add a suitable IP address admin r2 ip address add inter xpeed1 address 1 1 1 2 24 admi...

Page 309: ...nfiguration ip subnet zero no ip domain lookup frame relay switching interface Ethernet0 description connected to EthernetLAN ip address 10 0 0 254 255 255 255 0 interface Serial0 description connected to Internet no ip address encapsulation frame relay IETF serial restart delay 1 frame relay lmi type ansi frame relay intf type dce interface Serial0 1 point to point ip address 1 1 1 2 255 255 255 ...

Page 310: ...hould use LT mode and the other NT mode You can also change sdsl swap and sdsl invert parameters on the router running LT mode if you have a very long line Page 296 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 311: ...bridged just as if there where a physical Ethernet interface and cable between the two routers with bridging enabled This protocol makes multiple network schemes possible Network setups with EoIP interfaces Possibility to bridge LANs over the Internet Possibility to bridge LANs over encrypted tunnels Possibility to bridge LANs over 802 11b ad hoc wireless networks Quick Setup Guide To make an EoIP...

Page 312: ...hat transports IP Specific Properties Each EoIP tunnel interface can connect with one remote router which has a corresponding interface configured with the same Tunnel ID The EoIP interface appears as an Ethernet interface under the interface list This interface supports all features of an Ethernet interface IP addresses and other tunnels may be run over the interface The EoIP protocol encapsulate...

Page 313: ...00 00 to 00 00 5E FF FF FF which IANA has reserved for such cases Alternatively you can set the second bit of the first byte to mark the address as locally administered address assigned by network administrator and use any MAC address you just need to ensure they are unique between the hosts connected to one bridge Example To add and enable an EoIP tunnel named to_mt2 to the 10 5 8 1 router specif...

Page 314: ...ic R running NAME USER MTU CLIENT ADDRESS UPTIME ENC 0 from_remote joe admin Our_GW interface pptp server The Remote router will be the pptp client admin Remote interface pptp client add name pptp user joe connect to 192 168 1 1 password top_s3 mtu 1500 mru 1500 admin Remote interface pptp client enable pptp admin Remote interface pptp client print Flags X disabled R running 0 R name pptp mtu 1500...

Page 315: ...garbage collection interval 4s hello time 2s max message age 20s admin Our_GW interface bridge add bridge bridge1 interface eoip remote admin Our_GW interface bridge add bridge bridge1 interface office eth admin Our_GW interface bridge port print Flags X disabled I inactive D dynamic INTERFACE BRIDGE PRIORITY PATH COST 0 eoip remote bridge1 128 10 1 office eth bridge1 128 10 admin Our_GW interface...

Page 316: ...C addresses of the EoIP interfaces they should not be the same Page 302 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 317: ...ption Example Flushing Installed SA Table Description Property Description Example Counters Property Description Example MikroTik Router to MikroTik Router IPsec Between two Masquerading MikroTik Routers MikroTik router to CISCO Router MikroTik Router and Linux FreeS WAN General Information Specifications Packages required security License required level1 Home menu level ip ipsec Page 303 of 695 C...

Page 318: ...y rule use if there is no valid SA send packet unencrypted like accept rule acquire send packet unencrypted but ask IKE daemon to establish new SA require drop packet and ask IKE daemon to establish new SA Decryption When encrypted packet is received for local host after dst nat and input filter the appropriate SA is looked up to decrypt it using packet source destination security protocol and SPI...

Page 319: ...re are two lifetime values soft and hard When SA reaches it s soft lifetime treshold the IKE daemon receives a notice and starts another phase 2 exchange to replace this SA with fresh one If SA reaches hard lifetime it is discarded IKE can optionally provide a Perfect Forward Secrecy PFS whish is a property of key exchanges that in turn means for IKE that compromising the long term phase 1 key wil...

Page 320: ...ming packets were decrypted by the policy dont fragment clear inherit set default clear The state of the don t fragment IP header field clear clear unset the fields so that packets previously marked as don t fragment got fragmented inherit do not change the field set set the field so that each packet matching the rule will not be fragmented dst address IP address netmask port default 0 0 0 0 32 an...

Page 321: ...n that will be sent by IKE daemon to establish SAs for this policy protocol name integer default all protocol name or number sa dst address IP address default 0 0 0 0 SA destination IP address sa src address IP address default 0 0 0 0 SA source IP address src address IP address netmask port default 0 0 0 0 32 any source IP address tunnel yes no default no specifies whether to use tunnel mode Notes...

Page 322: ...Home menu level ip ipsec peer Description Peer configuration settings are used to establish connections between IKE daemons phase 1 configuration This connection then will be used to negotiate keys and algorithms for SAs Property Description address IP address netmask port default 0 0 0 0 32 500 address prefix If remote peer s address matches this prefix then this peer configuration is used while ...

Page 323: ...ms are much faster than DES so it is recommended to use this algorithm class whenever possible But AES s speed is also its drawback as it potentially can be cracked faster so use AES 256 when you need security or AES 128 when speed is also important Both peers MUST have the same encryption and authentication algorithms DH group and exchange mode Some legacy hardware may support only DES and MD5 Yo...

Page 324: ...choice read only initiator responder shows which side initiated the connection initiator phase 1 negotiation was started by this router responder phase 1 negotiation was started by peer state read only text state of phase 1 negotiation with the peer estabilished normal working state Example To see currently estabilished SAs admin WiFi ip ipsec remote peers print 0 local address 10 0 0 148 remote a...

Page 325: ... read only time soft hard expiration time counted from the first use of SA Example Sample printout looks as follows admin WiFi ip ipsec installed sa print Flags A AH E ESP P pfs M manual 0 E spi E727605 direction in src address 10 0 0 148 dst address 10 0 0 147 auth algorithm sha1 enc algorithm 3des replay 4 state mature auth key ecc5f4aee1b297739ec88e324d7cfb8594aa6c35 enc key d6943b8ea582582e449...

Page 326: ...rop policy or encrypt policy with level require that does not have all necessary SAs in drop encrypted expected read only integer shows how many incoming packets were matched by encrypt policy and dropped because they were not encrypted out accept read only integer shows how many outgoing packets were matched by accept policy including the default accept all case out accept isakmp read only intege...

Page 327: ... peer add address 1 0 0 2 secret gvejimezyfopmekun for Router2 admin Router2 ip ipsec policy add sa src address 1 0 0 2 sa dst address 1 0 0 1 action encrypt admin Router2 ip ipsec peer add address 1 0 0 1 secret gvejimezyfopmekun transport mode example using ESP with automatic keying and automatic policy generating on Router 1 and static policy on Router 2 Page 313 of 695 Copyright 1999 2007 Mikr...

Page 328: ...s 10 2 0 0 24 action encrypt ipsec protocols ah tunnel yes sa src 1 0 0 1 sa dst 1 0 0 2 manual sa ah sa1 for Router2 admin Router2 ip ipsec manual sa add name ah sa1 ah spi 0x100 0x101 ah key abcfed admin Router2 ip ipsec policy add src address 10 2 0 0 24 dst address 10 1 0 0 24 action encrypt ipsec protocols ah tunnel yes sa src 1 0 0 2 sa dst 1 0 0 1 manual sa ah sa1 IPsec Between two Masquera...

Page 329: ...0 1 sa dst address 1 0 0 2 admin Router1 ip ipsec peer add address 1 0 0 2 exchange mode aggressive secret gvejimezyfopmekun for Router2 admin Router2 ip ipsec policy add src address 10 2 0 0 24 dst address 10 1 0 0 24 action encrypt tunnel yes sa src address 1 0 0 2 sa dst address 1 0 0 1 admin Router2 ip ipsec peer add address 1 0 0 1 exchange mode aggressive secret gvejimezyfopmekun MikroTik ro...

Page 330: ... authentication with SHA1 This must match ip ipsec proposal crypto ipsec transform set myset esp des esp sha hmac mode tunnel exit 3 Add policy rule that matches traffic between subnets and requires encryption with ESP in tunnel mode for MikroTik router admin MikroTik ip ipsec policy add src address 10 0 0 0 24 dst address 10 0 2 0 24 action encrypt tunnel yes sa src 10 0 1 1 sa dst 10 0 1 2 for C...

Page 331: ...is_acl pkts encaps 1810 pkts encrypt 1810 pkts digest 1810 pkts decaps 1861 pkts decrypt 1861 pkts verify 1861 pkts compressed 0 pkts decompressed 0 pkts not compressed 0 pkts compr failed 0 pkts decompress failed 0 send errors 0 recv errors 0 local crypto endpt 10 0 1 2 remote crypto endpt 10 0 1 1 path mtu 1500 media mtu 1500 current outbound spi 1308650C inbound esp sas spi 0x90012A 9437482 tra...

Page 332: ...ation admin MikroTik ip ipsec peer add address 192 168 0 108 secret gvejimezyfopmekun hash algorithm md5 enc algorithm 3des dh group modp1024 lifetime 28800s admin MikroTik ip ipsec proposal auth algorithms md5 enc algorithms 3des pfs group none admin MikroTik ip ipsec policy add sa src address 192 168 0 155 sa dst address 192 168 0 108 src address 10 0 0 0 24 dst address 192 168 87 0 24 tunnel ye...

Page 333: ...unneling protocol adds the following possibilities to a network setups to tunnel Intranets over the Internet to use it instead of source routing Quick Setup Guide To make an IPIP tunnel between 2 MikroTik routers with IP addresses 10 5 8 104 and 10 1 0 172 using IPIP tunnel addresses 10 0 0 1 and 10 0 0 2 follow the next steps Configuration on router with IP address 10 5 8 104 1 Add an IPIP interf...

Page 334: ...Setup Home menu level interface ipip Description An IPIP interface should be configured on two routers that have the possibility for an IP level connection and are RFC 2003 compliant The IPIP tunnel may run over any connection that transports IP Each IPIP tunnel interface can connect with one remote router that has a corresponding interface configured An unlimited number of IPIP tunnels may be add...

Page 335: ...local address 10 0 0 1 remote address 22 63 11 6 admin MikroTik interface ipip print Flags X disabled R running NAME MTU LOCAL ADDRESS REMOTE ADDRESS 0 X ipip1 1480 10 0 0 1 22 63 11 6 admin MikroTik interface ipip en 0 admin MikroTik interface ipip ip address add address 1 1 1 1 24 interface ipip1 The configuration of the R2 is shown below admin MikroTik interface ipip add local address 22 63 11 ...

Page 336: ...ik interface ipip Page 322 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 337: ...TP Tunnel L2TP Setup for Windows Troubleshooting Description General Information Summary L2TP Layer 2 Tunnel Protocol supports encrypted tunnels over IP The MikroTik RouterOS implementation includes support for both L2TP client and server General applications of L2TP tunnels include secure router to router tunnels over the Internet linking bridging local Intranets or LANs in cooperation with EoIP ...

Page 338: ...s password pass connect to 10 5 8 104 Specifications Packages required ppp License required level1 limited to 1 tunnel level3 limited to 200 tunnels level5 Home menu level interface l2tp server interface l2tp client Standards and Technologies L2TP RFC 2661 Hardware usage Not significant Related Documents Package Management IP Addresses and ARP PPP AAA EoIP Tunnel Interface IP Security Description ...

Page 339: ...ling UDP traffic to be routed through the firewall or router L2TP Client Setup Home menu level interface l2tp client Property Description name name default l2tp outN interface name for reference mtu integer default 1460 Maximum Transmission Unit The optimal value is the MTU of the interface the tunnel is working over decreased by 40 so for 1500 byte Ethernet link set the MTU to 1460 to avoid fragm...

Page 340: ...ted with being used in this connection Example Example of an established connection admin MikroTik interface l2tp client monitor test2 status connected uptime 4m27s encoding MPPE128 stateless admin MikroTik interface l2tp client L2TP Server Setup Home menu level interface l2tp server server Description The L2TP server creates a dynamic interface for each connected L2TP client The L2TP connection c...

Page 341: ...P Server Users Home menu level interface l2tp server Description There are two types of items in L2TP server configuration static users and dynamic connections A dynamic connection can be established if the user database or the default profile has its local address and remote address set correctly When static users are added the default profile may be left with its default values and only PPP user...

Page 342: ... Router Secure Tunnel Example There are two routers in this example HomeOffice Interface LocalHomeOffice 10 150 2 254 24 Interface ToInternet 192 168 80 1 24 RemoteOffice Interface ToInternet 192 168 81 1 24 Interface LocalRemoteOffice 10 150 1 254 24 Each router is connected to a different ISP One router can access another router through the Internet Page 328 of 695 Copyright 1999 2007 MikroTik A...

Page 343: ...print enabled yes mtu 1460 mru 1460 authentication mschap2 default profile default admin HomeOffice interface l2tp server server Add a L2TP client to the RemoteOffice router admin RemoteOffice interface l2tp client add connect to 192 168 80 1 user ex password lkjrht disabled no admin RemoteOffice interface l2tp client print Flags X disabled R running 0 R name l2tp out1 mtu 1460 mru 1460 connect to...

Page 344: ...secret print detail Flags X disabled 0 name ex service l2tp caller id password lkjrht profile default local address 10 0 103 1 remote address 10 0 103 2 routes 10 150 1 0 24 10 0 103 2 1 admin HomeOffice ppp secret Test the L2TP tunnel connection admin RemoteOffice ping 10 0 103 1 10 0 103 1 pong ttl 255 time 3 ms 10 0 103 1 pong ttl 255 time 3 ms 10 0 103 1 pong ttl 255 time 3 ms ping interrupted...

Page 345: ...how to connect a computer to a remote office network over L2TP encrypted tunnel giving that computer an IP address from the same network as the remote office has without need of bridging over EoIP tunnels Please consult the respective manual on how to set up a L2TP client with the software you are using The router in this example RemoteOffice Interface ToInternet 192 168 81 1 24 Interface Office 1...

Page 346: ...interface l2tp server server Finally the proxy APR must be enabled on the Office interface admin RemoteOffice interface ethernet set Office arp proxy arp admin RemoteOffice interface ethernet print Flags X disabled R running NAME MTU MAC ADDRESS ARP 0 R ToInternet 1500 00 30 4F 0B 7B C1 enabled 1 R Office 1500 00 30 4F 06 62 12 proxy arp admin RemoteOffice interface ethernet L2TP Setup for Windows...

Page 347: ...eed to edit system registry using regedt32 exe or regedit exe Add the following registry value to HKEY_LOCAL_MACHINE System CurrentControlSet Services Rasman Parameters Value Name ProhibitIpSec Data Type REG_DWORD Value 1 You must restart the Windows 2000 for the changes to take effect For more information on configuring Windows 2000 see Configuring Cisco IOS and Windows 2000 Clients for L2TP Usin...

Page 348: ...ss 802 11g network Troubleshooting Description General Information Summary The PPPoE Point to Point Protocol over Ethernet protocol provides extensive user management network management and accounting benefits to ISPs and network administrators Currently PPPoE is used mainly by ISPs to control client connections for xDSL and cable modems as well as plain Ethernet networks PPPoE is an extension of ...

Page 349: ... command to see bad replies parameter This value should increase whenever a client tries to connect Supported connections MikroTik RouterOS PPPoE client to any PPPoE server access concentrator MikroTik RouterOS server access concentrator to multiple PPPoE clients clients are avaliable for almost all operating systems and most routers Quick Setup Guide To configure MikroTik RouterOS to be a PPPoE c...

Page 350: ...PPPoE for Windows 95 98 98SE ME NT4 2000 XP NET http www raspppoe com PPPoE Client Setup Home menu level interface pppoe client Description The PPPoE client supports high speed connections It is fully compatible with the MikroTik PPPoE server access concentrator Note for Windows Some connection instructions may use the form where the phone number such as MikroTik_AC mt1 to indicate that MikroTik_A...

Page 351: ...to the PPP peer DNS i e whether to get DNS settings from the peer user text default a user name that is present on the PPPoE server Example To add and enable PPPoE client on the gig interface connecting to the AC that provides testSN service using user name john with the password password admin RemoteOffice interface pppoe client add interface gig service name testSN user john password password di...

Page 352: ...ore the command prompt The identity may be set within the system identity submenu PPPoE users are created in ppp secret menu see the AAA manual for further information Note that if no service name is specified in WindowsXP it will use only service with no name So if you want to serve WindowsXP clients leave your service name empty Property Description authentication multiple choice mschap2 mschap1...

Page 353: ...l be receiving the PPPoE requests on Example To add PPPoE server on ether1 interface providing ex service and allowing only one connection per host admin MikroTik interface pppoe server server add interface ether1 service name ex one session per host yes admin MikroTik interface pppoe server server print Flags X disabled 0 X service name ex interface ether1 mtu 1480 mru 1480 authentication mschap2...

Page 354: ...rver remove find user ex admin MikroTik interface pppoe server print admin MikroTik interface pppoe server Application Examples PPPoE in a multipoint wireless 802 11g network In a wireless network the PPPoE server may be attached to an Access Point as well as to a regular station of wireless infrastructure Either our RouterOS client or Windows PPPoE clients may connect to the Access Point for PPPo...

Page 355: ...out dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile de...

Page 356: ...0 admin PPPoE Server ip pool ppp profile admin PPPoE Server ppp profile set default use encryption yes local address 10 1 0 3 remote address pppoe admin PPPoE Server ppp profile print Flags default 0 name default local address 10 1 0 3 remote address pppoe use compression no use vj compression no use encryption yes only one no change tcp mss yes 1 name default encryption use compression default us...

Page 357: ... 0 service name mt interface wlan1 max mtu 1440 max mru 1440 authentication pap chap mschap1 mschap2 keepalive timeout 10 one session per host yes max sessions 0 default profile default admin MT interface pppoe server server My windows PPPoE client obtains IP address and default gateway from the MikroTik PPPoE server but it cannot ping beyond the PPPoE server and use the Internet PPPoE server is n...

Page 358: ...n Example PPTP Application Examples Router to Router Secure Tunnel Example Connecting a Remote Client via PPTP Tunnel PPTP Setup for Windows Sample instructions for PPTP VPN installation and client setup Windows 98SE Troubleshooting Description General Information Summary PPTP Point to Point Tunnel Protocol supports encrypted tunnels over IP The MikroTik RouterOS implementation includes support fo...

Page 359: ...TP Server ppp secret add name jack password pass local address 10 0 0 1 remote address 10 0 0 2 2 Enable the PPTP server admin PPTP Server interface pptp server server set enabled yes Setup on PPTP client 1 Add the PPTP client admin PPTP Client interface pptp client add user jack password pass connect to 10 5 8 104 disabled no Specifications Packages required ppp License required level1 limited to...

Page 360: ...tp www ietf org rfc rfc3078 txt number 3078 http www ietf org rfc rfc3079 txt number 3079 PPTP Client Setup Home menu level interface pptp client Property Description add default route yes no default no whether to use the server which this client is connected to as its default router gateway allow multiple choice mschap2 mschap1 chap pap default mschap2 mschap1 chap pap the protocol to allow the c...

Page 361: ...ess Connected self explanatory Terminated interface is not enabled or the other side will not establish a connection uptime time connection time displayed in days hours minutes and seconds uptime time connection time displayed in days hours minutes and seconds Example Example of an established connection admin MikroTik interface pptp client monitor test2 uptime 4h35s encoding MPPE 128 bit stateles...

Page 362: ...1460 to avoid fragmentation of packets mtu integer default 1460 Maximum Transmission Unit The optimal value is the MTU of the interface the tunnel is working over decreased by 40 so for 1500 byte ethernet link set the MTU to 1460 to avoid fragmentation of packets Example To enable PPTP server admin MikroTik interface pptp server server set enabled yes admin MikroTik interface pptp server server pr...

Page 363: ...ime shows how long the client is connected user name the name of the user that is configured statically or added dynamically Example To add a static entry for ex1 user admin MikroTik interface pptp server add user ex1 admin MikroTik interface pptp server print Flags X disabled D dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME ENC 0 DR pptp ex ex 1460 10 0 0 202 6m32s none 1 pptp in1 ex1 admi...

Page 364: ...e address 10 0 103 2 admin HomeOffice ppp secret print detail Flags X disabled 0 name ex service pptp caller id password lkjrht profile default local address 10 0 103 1 remote address 10 0 103 2 routes admin HomeOffice ppp secret Then the user should be added in the PPTP server list admin HomeOffice interface pptp server add user ex admin HomeOffice interface pptp server print Flags X disabled D d...

Page 365: ...running 0 R name pptp out1 mtu 1460 mru 1460 connect to 192 168 80 1 user ex password lkjrht profile default add default route no admin RemoteOffice interface pptp client Thus a PPTP tunnel is created between the routers This tunnel is like an Ethernet point to point connection between the routers with IP addresses 10 0 103 1 and 10 0 103 2 at each router It enables direct communication between th...

Page 366: ...acket loss round trip min avg max 3 3 0 3 ms Test the connection through the PPTP tunnel to the LocalHomeOffice interface admin RemoteOffice ping 10 150 2 254 10 150 2 254 pong ttl 255 time 3 ms 10 150 2 254 pong ttl 255 time 3 ms 10 150 2 254 pong ttl 255 time 3 ms ping interrupted 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 3 3 0 3 ms To bridge a LAN over this s...

Page 367: ...1 254 remote address 10 150 1 2 routes admin RemoteOffice ppp secret Then the user should be added in the PPTP server list admin RemoteOffice interface pptp server add name FromLaptop user ex admin RemoteOffice interface pptp server print Flags X disabled D dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME ENC 0 FromLaptop ex admin RemoteOffice interface pptp server And the server must be enab...

Page 368: ...reate a new connection The option to create a VPN should be selected If there is no VPN options then follow the installation instructions below When asked for the Host name or IP address of the VPN server type the IP address of the router Double click on the new icon and type the correct user name and password must also be in the user database on the router or RADIUS server used for authentication...

Page 369: ...our sites Also IP protocol 47 should be passed through Page 355 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 370: ...x based and many Layer 2 switches also support it A VLAN is a logical grouping that allows end users to communicate as if they were physically connected to a single isolated LAN independent of the physical configuration of the network VLAN support adds a new dimension of security and cost savings permitting the sharing of a physical network while logically maintaining separation among unrelated us...

Page 371: ... plain wireless interfaces In other words while wireless clients may participate in VLANs put on wireless interfaces it is not possible to have VLAN put on a wireless interface in station mode bridged with any other interface Currently supported Ethernet interfaces This is a list of network interfaces on which VLAN was tested and worked Note that there might be many other interfaces that support V...

Page 372: ...0 bytes as on Ethernet interfaces But this may not work with some Ethernet cards that do not support receiving transmitting of full size Ethernet packets with VLAN header added 1500 bytes data 4 bytes VLAN header 14 bytes Ethernet header In this situation MTU 1496 can be used but note that this will cause packet fragmentation if larger packets have to be sent over interface At the same time rememb...

Page 373: ...CAST INTERFACE 0 10 0 0 204 24 10 0 0 0 10 0 0 255 ether1 1 10 20 0 1 24 10 20 0 0 10 20 0 255 pc1 2 10 10 10 1 24 10 10 10 0 10 10 10 255 test admin MikroTik ip address On the Router 2 admin MikroTik ip address add address 10 10 10 2 24 interface test admin MikroTik ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 201 24 10 0 0 0 10 0 0 255 ether1...

Page 374: ...Resource Graphing Description Property Description Example General Information Summary Graphing is a tool which is used for monitoring various RouterOS parameters over a period of time Specifications Packages required system routerboard optional License required level1 Home menu level tool graphing Hardware usage Not significant Description The Graphing tool can display graphics for Page 360 of 69...

Page 375: ...aph 2 Hour Average Yearly Graph 1 Day Average To access each graphic from a network specify this network in allow address parameter for the respective item General Options Home menu level tool graphing Property Description store every 5min hour 24hours default 5min how often to store information on system drive Example To store information on system drive every hour tool graphing set store every h...

Page 376: ...n about traffic on system drive or not If not the information will be stored in RAM and will be lost after a reboot Example To monitor traffic which is passed through interface ether1 only from local network 192 168 0 0 24 and write information on disk admin MikroTik tool graphing interface add interface ether1 allow address 192 168 0 0 24 store on disk yes admin MikroTik tool graphing interface p...

Page 377: ...outer resource usage information over a period of time CPU usage Memory usage Disk usage Property Description allow address IP address netmask default 0 0 0 0 0 IP address range which is allowed to view information about the resource usage If a client PC not belonging to this IP address range tries to open http Router_IP_address graphs it will not see this entry store on disk yes no default yes wh...

Page 378: ...ument provides information on authentication authorization and accounting parameters and configuration for HotSpot gateway system Specifications Packages required system License required level1 Home menu level ip hotspot user Standards and Technologies RADIUS Hardware usage Local traffic accounting requires additional memory Related Documents HotSpot Gateway PPP User AAA Router User AAA Page 364 o...

Page 379: ...ps The list is cyclic so when the last item reached next time the first is shown idle timeout time none default none idle timeout maximal period of inactivity for authorized clients It is used to detect that client is not using outer networks e g Internet i e there is NO TRAFFIC coming from that client and going through the router Reaching the timeout user will be logged out dropped of the host li...

Page 380: ...d tx burst threshold and tx burst time If both rx burst threshold and tx burst threshold are not specified but burst rate is specified rx rate and tx rate is used as burst thresholds If both rx burst time and tx burst time are not specified 1s is used as default Priority takes values 1 8 where 1 implies the highest priority but 8 the lowest If rx rate min and tx rate min are not specified rx rate ...

Page 381: ...t read only integer total amount of packets sent to user i e packets sent to the user password text user password profile name default default user profile routes text routes that are to be registered on the HotSpot gateway when the client is connected The route format is dst address gateway metric for example 10 1 0 0 24 10 0 0 1 1 Several routes may be specified separated with commas server name...

Page 382: ...iption The active user list shows the list of currently logged in users Nothing can be changed here except user can be logged out with the remove command Property Description address read only IP address IP address of the user blocked read only flag whether the user is blocked by advertisement i e usual due advertisement is pending bytes in read only integer how many bytes did the router receive f...

Page 383: ...session time left read only time the exact value of session time left that applies to this user This property shows how long should the user stay logged in see uptime for it to be logged off automatically uptime read only time current session time of the user i e how long has the user been logged in user read only name name of the user Example To get the list of active users admin MikroTik ip hots...

Page 384: ...g feature provides a possibility of local and or remote on RADIUS server Point to Point and HotSpot user management and traffic accounting all IP traffic passing the router is accounted local traffic acocunting is an option Specifications Packages required system License required level1 Home menu level user ppp ip accounting radius Standards and Technologies RADIUS Hardware usage Traffic accountin...

Page 385: ...inside the bridge interface are also accounted correctly Traffic generated by the router itself and sent to it may as well be accounted Property Description enabled yes no default no whether local IP traffic accounting is enabled account local traffic yes no default no whether to account the traffic to from the router itself threshold integer default 256 maximum number of IP pairs in the accountin...

Page 386: ...ent s name if aplicable packets read only integer total number of packets matched by this entry src address read only IP address source IP address src user read only text sender s name if aplicable Notes Usernames are shown only if the users are connected to the router via a PPP tunnel or are authenticated by HotSpot Before the first snapshot is taken the table is empty Example To take a new snaps...

Page 387: ...hat none of the traffic data will be lost The snapshot image will be made when the connection from wget is initiated Web browsers or wget should connect to URL http routerIP accounting ip cgi Property Description accessible via web yes no default no wheather the snapshot is available via web address IP address netmask default 0 0 0 0 IP address range that is allowed to access the snapshot Example ...

Page 388: ...Remote AAA Property Description Notes Example General Information Summary This documents provides summary configuration reference and examples on PPP user management This includes asynchronous PPP PPTP PPPoE and ISDN users Specifications Packages required system License required level1 Home menu level ppp Related Documents HotSpot User AAA Router User AAA RADIUS client Page 374 of 695 Copyright 19...

Page 389: ...The MikroTik RouterOS has a RADIUS client which can authenticate for PPP PPPoE PPTP L2TP and ISDN connections The attributes received from RADIUS server override the ones set in the default profile but if some parameters are not received they are taken from the respective default profile Local PPP User Profiles Home menu level ppp profile Description PPP profiles are used to define default values ...

Page 390: ...ity rx rate min tx rate min from the point of view of the router so rx is client upload and tx is client download All rates are measured in bits per second unless followed by optional k suffix kilobits per second or M suffix megabits per second If tx rate is not specified rx rate serves as tx rate too The same applies for tx burst rate tx burst threshold and tx burst time If both rx burst threshol...

Page 391: ...ofile Therefore chain ppp should be manually added before changing these arguments only one parameter is ignored if RADIUS authentication is used If there are more that 10 simultaneous PPP connections planned it is recommended to turn the change mss property off and use one general MSS changing rule in mangle table instead to reduce CPU utilization Example To add the profile ex that assigns the ro...

Page 392: ...lt profile name to use together with this access record for user authentication remote address IP address name IP address or IP address pool name for PPP clients routes text routes that appear on the server when the client is connected The route format is dst address gateway metric for example 10 1 0 0 24 10 0 0 1 1 Several routes may be specified separated with commas service any async isdn l2tp ...

Page 393: ...gh tis connection First figure represents amount of transmitted traffic from the router s point of view while the second one shows amount of received traffic service read only async isdn l2tp pppoe pptp the type of service the user is using session id read only text shows unique client identifier uptime read only time user s uptime Example admin rb13 ppp active print Flags R radius NAME SERVICE CA...

Page 394: ...ble RADIUS AAA admin MikroTik ppp aaa set use radius yes admin MikroTik ppp aaa print use radius yes accounting yes interim update 0s admin MikroTik ppp aaa Page 380 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 395: ...hooting Description General Information Summary This document provides information about RouterOS built in RADIUS client configuration supported RADIUS attributes and recommendations on RADIUS server selection Specifications Packages required system License required level1 Home menu level radius Standards and Technologies RADIUS Related Documents HotSpot User AAA Router User AAA PPP User AAA Page ...

Page 396: ... Home menu level radius Description This facility allows you to set RADIUS servers the router will use to authenticate users Property Description accounting backup yes no default no this entry is a backup RADIUS accounting server accounting port integer default 1813 RADIUS server port used for accounting address IP address default 0 0 0 0 IP address of the RADIUS server authentication port integer...

Page 397: ...and ex shared secret you need to do the following admin MikroTik radius add service hotspot ppp address 10 0 0 3 secret ex admin MikroTik radius print Flags X disabled SERVICE CALLED ID DOMAIN ADDRESS SECRET 0 ppp hotspot 10 0 0 3 ex admin MikroTik radius AAA for the respective services should be enabled too admin MikroTik radius ppp aaa set use radius yes admin MikroTik radius ip hotspot profile ...

Page 398: ...dictionary is the minimal dictionary which is enough to support all features of MikroTik RouterOS It is designed for FreeRADIUS but may also be used with many other UNIX RADIUS servers eg XTRadius Note that it may conflict with the default configuration files of RADIUS server which have references to the Attributes absent in this dictionary Please correct the configuration files not the dictionary...

Page 399: ... client login name MS CHAP Domain User domain if present Mikrotik Realm If it is set in radius menu it is included in every RADIUS request as Mikrotik Realm attribute If it is not set the same value is sent as in MS CHAP Domain attribute if MS CHAP Domain is missing Realm is not included neither WISPr Location ID text string specified in radius location id property of the HotSpot server WISPr Loca...

Page 400: ...s chain The same applies for HotSpot but the rules will be created in hotspot chain Mikrotik Mark Id firewall mangle chain name HotSpot only The MikroTik RADIUS client upon receiving this attribute creates a dynamic firewall mangle rule with action jump chain hotspot and jump target equal to the atribute value Mangle chain name can have suffixes in or out that will install rule only for incoming o...

Page 401: ...iority but 8 the lowest If rx rate min and tx rate min are not specified rx rate and tx rate values are used The rx rate min and tx rate min values can not exceed rx rate and tx rate values Mikrotik Group Router local user group name defines in user group for local users HotSpot default profile for HotSpot users Mikrotik Advertise URL URL of the page with advertisements that should be displayed to...

Page 402: ...s RADIUS server cookie as received in Access Accept Acct Delay Time how long does the router try to send this Accounting Request packet Stop and Interim Update Accounting Request Additionally to the accounting start request the following messages will contain the following attributes Acct Session Time connection uptime in seconds Acct Input Octets bytes received from the client Acct Input Gigaword...

Page 403: ...hanges a user must be disconnected first Attribute Numeric Values Name VendorID Value RFC where it is defined Acct Authentic 45 RFC2866 Acct Delay Time 41 RFC2866 Acct Input Gigawords 52 RFC2869 Acct Input Octets 42 RFC2866 Acct Input Packets 47 RFC2866 Acct Interim Interval 85 RFC2869 Acct Output Gigawords 53 RFC2869 Acct Output Octets 43 RFC2866 Acct Output Packets 48 RFC2866 Acct Session Id 44 ...

Page 404: ...ate Limit 14988 8 Mikrotik Realm 14988 9 Mikrotik Recv Limit 14988 1 Mikrotik Recv Limit Gigawords 14988 14 Mikrotik Wireless Enc Algo 14988 6 Mikrotik Wireless Enc Key 14988 7 Mikrotik Wireless Forward 14988 4 Mikrotik Wireless Skip Dot1x 14988 5 Mikrotik Xmit Limit 14988 2 Mikrotik Xmit Limit Gigawords 14988 15 MS CHAP Challenge 311 11 RFC2548 MS CHAP Domain 311 10 RFC2548 MS CHAP Response 311 1...

Page 405: ... 2 wi fi org WISPr Logoff URL 14122 3 wi fi org WISPr Redirection URL 14122 4 wi fi org WISPr Session Terminate Time 14122 9 wi fi org Troubleshooting Description My radius server accepts authentication request from the client with Auth Login OK but the user cannot log on The bad replies counter is incrementing under radius monitor This situation can occur if the radius client and server have high...

Page 406: ...y Description Example Router User Remote AAA Description Property Description Notes Example General Information Summary This documents provides summary configuration reference and examples on router user management Specifications Packages required system License required level1 Home menu level user Hardware usage Not significant Related Documents Page 392 of 695 Copyright 1999 2007 MikroTik All ri...

Page 407: ...y via console telnet policy that grants rights to log in remotely via telnet ssh policy that grants rights to log in remotely via secure shell protocol ftp policy that grants remote rights to log in remotely via FTP and to transfer files from and to the router reboot policy that allows rebooting the router read policy that grants read access to the router s configuration All console commands that ...

Page 408: ...telnet ssh reboot read test winbox password web ftp write policy 1 name write policy local telnet ssh reboot read write test winbox password web ftp policy 2 name full policy local telnet ssh ftp reboot read write policy test winbox password web 3 name reboot policy local telnet reboot read ssh ftp write policy test winbox password web admin rb13 user group Router Users Home menu level user Descri...

Page 409: ...ser name admin group full address 0 0 0 0 0 1 name joe group write address 0 0 0 0 0 admin MikroTik user Monitoring Active Router Users Command name user active print Description This command shows the currently active users along with respective statisics information Property Description address read only IP address host IP address from which the user is accessing the router 0 0 0 0 the user is l...

Page 410: ...fault for users authenticated via RADIUS server interim update time default 0s RADIUS Interim Update interval use radius yes no default no specifies whether a user database on a RADIUS server should be consulted Notes The RADIUS user database is consulted only if the required username is not found in the local user database Example To enable RADIUS AAA enter the following command admin MikroTik us...

Page 411: ...about packets which pass through the router Besides network monitoring and accounting system administrators can identify various problems that may occur in the network With help of Traffic Flow it is possible to analyze and optimize the overall network performance As Traffic Flow is compatible with Cisco NetFlow it can be used with various utilities which are designed for Cisco s NetFlow Traffic F...

Page 412: ...w inactive flow timeout time default 15s how long to keep the flow active if it is idle Traffic Flow Target Description With Traffic Flow targets we specify those hosts which will gather the Traffic Flow information from router Property Description address IP address port IP address and port UDP of the host which receives Traffic Flow statistic packets from the router v9 template refresh integer d...

Page 413: ... MikroTik ip traffic flow target print Flags X disabled ADDRESS VERSION 0 192 168 0 2 2055 9 admin MikroTik ip traffic flow target Now the router starts to send packets with Traffic Flow information Some screenshots from NTop program which has gathered Traffic Flow information from our router and displays it in nice graphs and statistics For example where what kind of traffic has flown Top three h...

Page 414: ...by each protocol Page 400 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 415: ... Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 416: ...e it works that way the management station makes a request and the managed device SNMP agent replies to this request In SNMPv1 there are three main actions Get Set and Trap RouterOS supports only Get which means that you can use this implementation only for network monitoring Hosts receive SNMP generated messages on UDP port 161 except the trap messages which are received on UDP port 162 The Mikro...

Page 417: ...nable the SNMP agent on MikroTik RouterOS Property Description enabled yes no whether the SNMP service is enabled contact text default contact information for the NMS location text default location information for the NMS Example To enable the service specifying some info admin MikroTik snmp set contact admin riga 2 location 3rd floor enabled yes admin MikroTik snmp print enabled yes contact admin...

Page 418: ...k snmp community add name communa address 159 148 116 0 24 admin MikroTik snmp community print NAME ADDRESS READ ACCESS 0 public 0 0 0 0 0 no 1 communa 159 148 116 0 24 no admin MikroTik snmp community Available OIDs Description OID stands for an object identifier which is a data type specifying an authoritatively named object An object identifier is a sequence of integers separated by decimal poi...

Page 419: ... Management Information Base or MIB is the database of information maintained by the agent that the manager can query You can download MikroTik MIB file MikroTik RouterOS OID enterprises 14988 1 RFC1493 dot1dBridge dot1dBase dot1dBaseBridgeAddress dot1dBridge dot1dStp dot1dStpProtocolSpecification dot1dBridge dot1dStp dot1dStpPriority dot1dBridge dot1dTp dot1dTpFdbTable dot1dTpFdbEntry dot1dTpFdbA...

Page 420: ...erfaces ifTable ifEntry ifLastChange interfaces ifTable ifEntry ifInOctets interfaces ifTable ifEntry ifInUcastPkts interfaces ifTable ifEntry ifInNUcastPkts interfaces ifTable ifEntry ifInDiscards interfaces ifTable ifEntry ifInErrors interfaces ifTable ifEntry ifInUnknownProtos interfaces ifTable ifEntry ifOutOctets interfaces ifTable ifEntry ifOutUcastPkts interfaces ifTable ifEntry ifOutNUcast...

Page 421: ...uteIfIndex ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteType ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteProto ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteAge ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteInfo ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteNextHopAS ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteMetric1 ip ...

Page 422: ...sco ciscoMgmt ciscoAAASessionMIB casnMIBObjects casnActive casnActiveTableEntries enterprises cisco ciscoMgmt ciscoAAASessionMIB casnMIBObjects casnActive casnActiveTable casnActiveEntry casn enterprises cisco ciscoMgmt ciscoAAASessionMIB casnMIBObjects casnActive casnActiveTable casnActiveEntry casn enterprises cisco ciscoMgmt ciscoAAASessionMIB casnMIBObjects casnActive casnActiveTable casnActiv...

Page 423: ... Configuration File This file is for use with mrtg 2 5 4c Global configuration WorkDir var www mrtg WriteExpires Yes RunAsDaemon Yes Interval 6 Refresh 300 System RouterBOARD Description RouterOS v2 9 Contact support mikrotik com Location Mikrotik main office Interface RemOffice Target RouterBOARD 1 3 6 1 2 1 2 2 1 10 8 1 3 6 1 2 1 2 2 1 16 8 public 1 1 1 3 SetEnv RouterBOARD MRTG_INT_IP 1 1 1 3 M...

Page 424: ...ABLE TR TD System TD TD RouterBOARD TD TR TR TD Maintainer TD TD MicroTik Support TD TR TR TD Description TD TD An Embedded Board TD TR TR TD ifType TD TD ethernetCSMACD 6 TD TR TR TD ifName TD TD RemOffice TD TR TR TD queueName TD TD queue1 TD TR TR TD Max Speed TD TD 64 0 kBytes s TD TR TR TD IP TD TD 10 10 2 1 TD TR TABLE The output page of MRTG interface part should look like this Example MRTG...

Page 425: ... console sent to an email or to a remote server running a syslog daemon MikroTik provides a shareware Windows Syslog daemon which can be downloaded from www mikrotik com Specifications Packages required system License required level1 Home menu level system logging log Standards and Technologies Syslog Hardware usage Not significant Related Documents Package Management Description Logs have differe...

Page 426: ...nvalid TOPICS ACTION PREFIX 0 info memory 1 error memory 2 warning memory 3 critical echo 4 firewall memory admin MikroTik system logging Actions Home menu level system logging action Property Description disk lines integer default 100 Used when target is set to type disk Specifies the number of records in log file disk stop on full yes no default no Used when target is set to type disk Specifies ...

Page 427: ...ffer if number of records in buffer are less than 50 admin MikroTik system logging action add name short target memory memory lines 50 memory stop on full yes admin MikroTik system logging action print FACILITY LOCAL REMOTE PREFIX REMOTE ADDRESS REMOTE PORT ECHO Flags default NAME TARGET REMOTE 0 memory memory 1 disk disk 2 echo echo 3 remote remote 0 0 0 0 514 4 short memory admin MikroTik system...

Page 428: ...tion changed by admin dec 24 2003 08 24 34 log configuration changed by admin dec 24 2003 08 24 51 log configuration changed by admin dec 24 2003 08 25 59 log configuration changed by admin dec 24 2003 08 25 59 log configuration changed by admin dec 24 2003 08 30 05 log configuration changed by admin dec 24 2003 08 30 05 log configuration changed by admin dec 24 2003 08 35 56 system started dec 24...

Page 429: ... Masquerading Equal bandwidth sharing among users General Information Summary Bandwidth Control is a set of mechanisms that control data rate allocation delay variability timely delivery and delivery reliability The MikroTik RouterOS supports the following queuing disciplines PFIFO Packets First In First Out BFIFO Bytes First In First Out SFQ Stochastic Fairness Queuing RED Random Early Detect PCQ...

Page 430: ... we lose some TCP information The main terms used to describe the level of QoS for network applications are queuing discipline qdisc an algorithm that holds and maintains a queue of packets It specifies the order of the outgoing packets it means that queuing discipline can reorder packets and which packets to drop if there is no space for them CIR Committed Information Rate the guaranteed data rat...

Page 431: ...ket filtering global in queueing is executed just after mangle and dst nat global out represents all the output interfaces in general Queues attached to it apply before the ones attached to a specific interface global total represents a virtual interface through which all the data going through the router is passing When attaching a qdisc to global total the limitation is done in both directions F...

Page 432: ...el of the hierarchy It consists of 8 self slots self slot an element of a self feed that corresponds to each particular priority All classes active at the same level of one priority are attached to one self slot that they are using to send packets out through active class at a particular level a class that is attached to a self slot at the given level inner feed similar to self feed object which c...

Page 433: ...is also yellow or to its own level self slot of the same priority in case the parent is green Upon the transition to this state the class disconnects from self feed of its level and connects to its parent s inner feed red a class the actual rate of which exceeds max limit This class cannot borrow rate from its parent class Priorities When a leaf class wants to send some traffic as they are the onl...

Page 434: ...is is a simple situation there are active classes Leaf1 and Leaf2 at Level 0 and as they both are in green state they are processed in order of their priorities at first we serve Leaf2 then Leaf1 2 Now assume that Leaf2 has to send more than 256kbps for this reason it attaches itself to its parent s ClassB inner feed which recursively attaches itself to Level1 self slot at priority 7 Leaf1 continu...

Page 435: ...ber that at first we serve those classes which are at the lowest level with the highest priority then continuing with the next level and so on 3 Consider that Leaf1 has reached its max limit and changed its state to red and Leaf2 now uses more than 1Mbps and less than 2Mbps so its parent ClassB has to borrow from ClassA and becomes yellow Leaf3 still has no packets to send Page 421 of 695 Copyrigh...

Page 436: ...ough rate available As Leaf3 has no packets to send the only one class who sends them is Leaf2 4 Assume that Leaf2 is borrowing from ClassB ClassB from ClassA but ClassA reaches its max limit 2Mbps Page 422 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are propert...

Page 437: ... what happens if Leaf1 Leaf2 Leaf3 and ClassB are in the yellow state and ClassA is green Page 423 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 438: ...f each class over the last burst time seconds If this average data rate is less than burst threshold burst is enabled and the actual data rate reaches burst limit bps otherwise the actual data rate falls to max limit or limit at Let us consider that we have a setup where max limit 256000 burst time 8 burst threshold 192000 and burst limit 512000 When a user is starting to download a file via HTTP ...

Page 439: ...total global out interface queue When adding a simple queue it creates 3 HTB classes in global in global total and global out but it does not add any classes in interface queue Queue tree is more flexible you can add it to any of these HTB s When packet travels through the router it passesall 4 HTB trees global in global total global out and interface queue If it is directed to the router it passe...

Page 440: ...an increase latency Use FIFO queuing disciplines if you haven t a congested link SFQ Stochastic Fairness Queuing SFQ cannot limit traffic at all Its main idea is to equalize traffic flows TCP sessions or UDP streams when your link is completely full The fairness of SFQ is ensured by hashing and round robin algorithms Hashing algorithm divides the session traffic over a limited number of subqueues ...

Page 441: ...classified by their source address If you classify the packets by src address then all packets with different source IP addresses will be grouped into different subqueues Now you can do the limitation or equalization for each subqueue with the pcq rate parameter Perhaps the most significant part is to decide to which interface should we attach this queue If we will attach it to the Local interface...

Page 442: ...it integer default 15000 maximum number of bytes that the BFIFO queue can hold kind bfifo pcq pfifo red sfq which queuing discipline to use bfifo Bytes First In First Out pcq Per Connection Queue pfifo Packets First In First Out red Random Early Detection sfq Stohastic Fairness Queuing name name associative name of the queue type pcq classifier dst address dst port src address src port default a c...

Page 443: ...ound robin turn sfq perturb integer default 5 time in seconds Specifies how often to change SFQ s hashing algorithm Interface Default Queues Home menu level queue interface Description In order to send packets over an interface they have to be enqueued in a queue even if you do not want to limit traffic at all Here you can specify the queue type which will be used for transmitting data Note that i...

Page 444: ...its only target upload leaving the download rates unlimited download the queue limits only target download leaving the upload rates unlimited dst address IP address netmask destination address to match dst netmask netmask netmask for dst address interface text interface this queue applies to i e the interface the target is connected to limit at integer integer guaranteed data rate to this queue in...

Page 445: ...acket flows in queue trees Property Description burst limit integer maximum data rate which can be reached while the burst is active burst threshold integer used to calculate whether to allow burst If the average data rate over the last burst time seconds is less than burst threshold the actual data rate may reach burst limit burst time time used to calculate average data rate flow text packet flo...

Page 446: ...rint Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 192 168 0 254 24 192 168 0 0 192 168 0 255 Local 1 10 5 8 104 24 10 5 8 0 10 5 8 255 Public admin MikroTik ip address And routes admin MikroTik ip route print Flags X disabled A active D dynamic C connect S static r rip b bgp o ospf DST ADDRESS G GATEWAY DISTANCE INTERFACE Page 432 of 695 Copyright 1999 2007 MikroTik A...

Page 447: ... 1 32 interface Local admin MikroTik queue simple print Flags X disabled I invalid D dynamic 0 name Limit Local target addresses 192 168 0 0 24 dst address 0 0 0 0 0 interface Local parent none priority 8 queue default default limit at 0 0 max limit 65536 131072 total queue default 1 name Server target addresses 192 168 0 1 32 dst address 0 0 0 0 0 interface Local parent none priority 8 queue defa...

Page 448: ...k server con chain prerouting admin MikroTik ip firewall mangle add connection mark server con action mark packet new packet mark server chain prerouting admin MikroTik ip firewall mangle print Flags X disabled I invalid D dynamic 0 chain prerouting src address 192 168 0 1 action mark connection new connection mark server con 1 chain prerouting connection mark server con action mark packet new pac...

Page 449: ...it at 131072 queue default priority 8 max limit 262144 burst limit 0 burst threshold 0 burst time 0s 1 name Server Upload parent Public packet mark server limit at 65536 queue default priority 8 max limit 131072 burst limit 0 burst threshold 0 burst time 0s admin MikroTik queue tree And similar config for Laptop and Workstation admin MikroTik queue tree add name Laptop Wkst Down parent Local packe...

Page 450: ...ueue type to the Local interface it will create a dynamic queue for each destination address user which is downloading to the network 192 168 0 0 24 The second type called pcq upload will group the traffic by source address We will attach this queue to the Public interface so it will make one dynamic queue for each user who is uploading to Internet from the local network 192 168 0 0 24 queue type ...

Page 451: ...ueue for upload and one for download attached directly to the interface queue tree add parent Local queue pcq download packet mark users queue tree add parent Public queue pcq upload packet mark users Page 437 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are prop...

Page 452: ...ck Setup Guide To add a firewall rule which drops all TCP packets that are destined to port 135 and going through the router use the following command ip firewall filter add chain forward dst port 135 protocol tcp action drop To deny acces to the router via Telnet protocol TCP port 23 type the following command ip firewall filter add chain input protocol tcp dst port 23 action drop To only allow n...

Page 453: ...r minimizing the security risks inherent in connecting to other networks Properly configured firewall plays a key role in efficient and secure network infrastrure deployment MikroTik RouterOS has very powerful firewall implementation with features including stateful packet filtering peer to peer protocols filtering traffic classification by source MAC address IP addresses network or list and addre...

Page 454: ...trol over the IP packet to some other chain id est mychain in this example Then rules that perform matching against separate ports can be added to mychain chain without specifying the IP addresses input used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router s addresses Packets passing through the router are not processed...

Page 455: ...rule If the input does not match the name of an already defined chain a new chain will be created comment text a descriptive comment for the rule A comment can be used to identify rules form scripts connection bytes integer integer matches packets only if a given amount of bytes has been transfered through the particular connection 0 means infinity exempli gratia connection bytes 2000000 0 means t...

Page 456: ...unt maximum average packet rate measured in packets per second pps unless followed by Time option Time specifies the time interval over which the packet rate is measured Burst number of packets to match in a burst Mode the classifier s for packet rate limiting Expire specifies interval after which recorded IP addresses ports will be deleted dst port integer 0 65535 integer 0 65535 destination port...

Page 457: ...1 then the rule matches every 2nd packet Counter specifies which counter to use A counter increments each time the rule containing nth match matches Packet match on the given packet number The value by obvious reasons must be between 0 and Every If this option is used for a given counter then there must be at least Every 1 rules with this option covering all values between 0 and Every inclusively ...

Page 458: ...P address netmask IP address IP address specifies the address range an IP packet is originated from Note that console converts entered address netmask value to a valid network address i e 1 1 1 1 24 is converted to 1 1 1 0 24 src address list name matches source address of a packet against user defined address list src address type unicast local broadcast multicast matches source address type of t...

Page 459: ...tate invalid action drop comment Drop Invalid connections add chain input connection state established action accept comment Allow Established connections add chain input protocol udp action accept comment Allow UDP add chain input protocol icmp action accept comment Allow ICMP add chain input src address 192 168 0 0 24 action accept comment Allow access to router from known network add chain inpu...

Page 460: ... action drop comment deny DHCP Deny udp ports in udp chain add chain udp protocol udp dst port 69 action drop comment deny TFTP add chain udp protocol udp dst port 111 action drop comment deny PRC portmapper add chain udp protocol udp dst port 135 action drop comment deny PRC portmapper add chain udp protocol udp dst port 137 139 action drop comment deny NBT add chain udp protocol udp dst port 204...

Page 461: ...level1 Home menu level ip firewall address list Standards and Technologies IP Hardware usage Not significant Related Documents Software Package Management NAT Filter Packet Flow Packet Flow Address Lists Description Firewall address lists allow user to create lists of IP addresses grouped together Firewall filter mangle and NAT facilities can use address lists to match packets against them Page 44...

Page 462: ...ess list add list drop_traffic address 192 0 34 166 32 admin MikroTik ip firewall address list print Flags X disabled D dynamic LIST ADDRESS 0 drop_traffic 192 0 34 166 admin MikroTik ip firewall mangle add chain prerouting protocol tcp dst port 23 action add src to address list address list drop_traffic admin MikroTik ip firewall filter add action drop chain input src address list drop_traffic ad...

Page 463: ...ckets Additionaly the mangle facility is used to modify some fields in the IP header like TOS DSCP and TTL fields Specifications Packages required system License required level1 Home menu level ip firewall mangle Standards and Technologies IP Hardware usage Increases with count of mangle rules Related Documents Software Package Management IP Addresses and ARP Routes Equal Cost Multipath Routing Po...

Page 464: ...ge Time to Live field value of the packet to a value specified by the new ttl parameter jump jump to the chain specified by the value of the jump target parameter log each match with this action will add a message to the system log mark connection place a mark specified by the new connection mark parameter on the entire connection that matches the rule mark packet place a mark specified by the new...

Page 465: ...ts entered address netmask value to a valid network address i e 1 1 1 1 24 is converted to 1 1 1 0 24 dst address list name match destination address of a packet against user defined address list dst address type unicast local broadcast multicast match destination address type of the IP packet one of the unicast IP addresses used for one point to another point transmission There is only one sender...

Page 466: ...e routing option no timestamp match packets with no timestamp option record route match packets with record route option router alert match packets with router alter option strict source routing match packets with strict source routing option timestamp match packets with timestamp jump target forward input output postrouting prerouting name name of the target chain to jump to if the action jump is...

Page 467: ...soulseek warez winmx match packets belonging to connections of the above P2P protocols packet mark name match the packets marked in mangle with specific packet mark packet size integer 0 65535 integer 0 65535 matches packet of the specified size or size range in bytes Min specifies lower boundary of the size range or a standalone value Max specifies upper boundary of the size range passthrough yes...

Page 468: ...from one point to all other points in the IP subnetwork multicast this type of IP addressing is responsible for transmission from one or more points to a set of other points src mac address MAC address source MAC address src port integer 0 65535 integer 0 65535 source port number or range tcp flags multiple choice ack cwr ece fin psh rst syn urg tcp flags to match ack acknowledging data cwr conges...

Page 469: ...mangle add chain forward connection mark p2p_conn action mark packet new packet mark other admin MikroTik ip firewall mangle print Flags X disabled I invalid D dynamic 0 chain forward p2p all p2p action mark connection new connection mark p2p_conn 1 chain forward connection mark p2p_conn action mark packet new packet mark p2p 2 chain forward packet mark p2p_conn action mark packet new packet mark ...

Page 470: ... decrease of the MSS of the packets coming through the VPN link solves the problem The following example demonstrates how to decrease the MSS value via mangle admin MikroTik ip firewall mangle add out interface pppoe out protocol tcp tcp flags syn action change mss new mss 1300 chain forward admin MikroTik ip firewall mangle print Flags X disabled I invalid D dynamic 0 chain forward out interface ...

Page 471: ...ost commonly used to enable multiple host on a private network to access the Internet using a single public IP address Specifications Packages required system License required level1 number of rules limited to 1 level3 Home menu level ip firewall nat Standards and Technologies IP RFC1631 RFC2663 Hardware usage Increases with the count of rules Related Documents Software Package Management IP Addre...

Page 472: ...AT a bold example is AH protocol from the IPsec suite RouterOS includes a number of so called NAT helpers that enable NAT traversal for various protocols Redirect and Masquerade Redirect and masquerade are special forms of destination NAT and source NAT respectively Redirect is similar to the regular destination NAT in the same way as masquerade is similar to the source NAT masquerade is a special...

Page 473: ... target parameter log each match with this action will add a message to the system log masquerade replaces source address of an IP packet to an automatically determined by the routing facility IP address netmap creates a static 1 1 mapping of one set of IP addresses to another one Often used to distribute public IP addresses to hosts on private networks passthrough ignores this rule goes on to the...

Page 474: ...k IP address IP address specifies the address range an IP packet is destined to Note that console converts entered address netmask value to a valid network address i e 1 1 1 1 24 is converted to 1 1 1 0 24 dst address list name matches destination address of a packet against user defined address list dst address type unicast local broadcast multicast matches destination address type of the IP pack...

Page 475: ...ckets with router alter option strict source routing match packets with strict source routing option timestamp match packets with timestamp jump target dstnat srcnat name name of the target chain to jump to if the action jump is used limit integer time integer restricts packet match rate to a given limit Usefull to reduce the amount of log messages Count maximum average packet rate measured in pac...

Page 476: ...Weight weight of the packets with privileged 1024 destination port HighPortWeight weight of the packet with non priviliged destination port random integer match packets randomly with given propability routing mark name matches packets marked by mangle facility with particular routing mark same not by dst yes no specifies whether to account or not to account for destination IP address when selectin...

Page 477: ...rk addresses Example of Source NAT Masquerading If you want to hide the private LAN 192 168 0 0 24 behind one address 10 5 8 109 given to you by the ISP you should use the source network address translation masquerading feature of the MikroTik router The masquerading will change the source IP address and port of the packets originated from the network 192 168 0 0 24 to the address 10 5 8 109 of th...

Page 478: ...networks having its source address translated to 10 5 8 200 ip firewall nat add chain srcnat src address 192 168 0 109 action src nat to addresses 10 5 8 200 Example of 1 1 mapping If you want to link Public IP subnet 11 11 11 0 24 to local one 2 2 2 0 24 you should use destination address translation and source address translation features with action netmap ip firewall nat add chain dstnat dst a...

Page 479: ...escribes the order in which an IP packet traverses various internal facilities of the router and some general information regarding packet handling common IP protocols and protocol options Specifications Packages required system License required level3 Home menu level ip firewall Standards and Technologies IP Hardware usage Increases with NAT mangle and filter rules count Related Documents Softwar...

Page 480: ...nterface to the Internet in named Public ip firewall nat add action masquerade out interface Public chain srcnat Regular packet filtering bandwith management or packet marking can be configured with ease in a similar manner However a more complicated configuration could be deployed only with a good understanding of the underlying processes in the router The packet flow through the router is depict...

Page 481: ...from the point an ordinal packet enters the router A paket can enter processing conveyer of the router in two ways First a packet can come from one of the interfaces present in the roter then the interface is referred as input interface Second it can be originated from a local process like web proxy VPN or others Alike there are two ways for Page 467 of 695 Copyright 1999 2007 MikroTik All rights ...

Page 482: ...nation can be found in the routing tables These packets go through the prerouting forward and postrouting chains unroutable traffic which is received at the router s MAC address has an IP address different from any of the router s own addresses but its destination can not be found in the routing tables These packets go through the prerouting and stop in the routing recision The actions imposed by ...

Page 483: ...nt in the router Thus for example a router with 64 MB of RAM can hold the information about up to 65536 connections but a router with 128 MB RAM increases this value to more than 130000 Please ensure that your router is equipped with sufficient amount of physical memory to properly handle all connections Property Description assured read only true false shows whether replay was seen for the last p...

Page 484: ...le entry that keeps tracking of packets that are neither TCP nor UDP for instance GRE will survive after having seen last packet matching this entry Creating PPTP connection this value will be increased automaticly icmp timeout time default 10s maximal amount of time connection tracking entry will survive after having seen ICMP request max entries read only integer the maximum number of connection...

Page 485: ...lt 3m maximal amount of time connection tracking entry will survive after replay is seen for the last packet matching this entry connection tracking entry is assured It is used to increase timeout for such connections as H323 VoIP etc udp timeout time default 10s maximal amount of time connection tracking entry will survive after having seen last packet matching this entry Notes The maximum timeou...

Page 486: ... to protect your router and attached private networks you need to configure firewall to drop or reject most of ICMP traffic However some ICMP packets are vital to maintain network reliability or provide troubleshooting services The following is a list of ICMP TYPE CODE values found in good packets It is generally suggested to allow these types of ICMP traffic 8 0 echo request 0 0 echo reply Ping 1...

Page 487: ...s defined in RFC2474 and ECN codepoints Explicit Congestion Notification ECN as defined in RFC3168 which are using the same field in the IP protocol header Note that it does not mean that RouterOS supports DiffServ or ECN it is just possible to access and change the marks used by these protocols RFC1349 defines these standard values normal normal service ToS 0 low cost minimize monetary cost ToS 2...

Page 488: ...key ABC Azureus BitAnarch SimpleBT BitTorrent Net mlMac Blubster Blubster Piolet WPNP WinMX Warez Warez Ares starting from 2 8 18 this protocol can only be dropped speed limiting is impossible Page 474 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties o...

Page 489: ...ant sections of the Manual for more explanations Home menu level ip service Related Documents Firewall Filters Packet Marking Mangle Certificate Management Modifying Service Settings Home menu level ip service Property Description name service name port integer 1 65535 the port particular service listens on address IP address mask default 0 0 0 0 0 IP address es from which the service is accessibl...

Page 490: ... as to be enabled by administrator exempli gratia bandwidth server Port Protocol Description 20 tcp File Transfer Protocol FTP Data Connection 21 tcp File Transfer Protocol FTP Control Connection 22 tcp Secure Shell SSH remote Login Protocol Only with security package 23 tcp Telnet protocol 53 tcp Domain Name Server DNS 53 udp Domain Name Server DNS 67 udp Bootstrap Protocol or DHCP Server only wi...

Page 491: ...trol Only with telephony package 1900 udp Universal Plug and Play uPnP 2828 tcp Universal Plug and Play uPnP 2000 tcp Bandwidth test server 3986 tcp Proxy for winbox 3987 tcp SSL proxy for secure winbox Only with security package 5678 udp MikroTik Neighbor Discovery Protocol 8080 tcp HTTP Web proxy Only with web proxy package 8291 tcp Winbox 20561 udp MAC winbox 5000 udp H 323 RTP Audio Streem Onl...

Page 492: ... OSPF Interior Gateway Protocol 112 VRRP Virtual Router Redundancy Protocol Page 478 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 493: ... Example Store Leases on Disk Description Property Description DHCP Networks Property Description Notes DHCP Server Leases Description Property Description Command Description Notes Example DHCP Alert Description Property Description Notes DHCP Option Description Property Description Notes Example DHCP Relay Description Property Description Page 479 of 695 Copyright 1999 2007 MikroTik All rights r...

Page 494: ...ou how to setup DHCP Server and DHCP Client on MikroTik RouterOS Setup of a DHCP Server 1 Create an IP address pool ip pool add name dhcp pool ranges 172 16 0 10 172 16 0 20 2 Add a DHCP network which will concern to the network 172 16 0 0 12 and will distribute a gateway with IP address 172 16 0 1 to DHCP clients ip dhcp server network add address 172 16 0 0 12 gateway 172 16 0 1 3 Finally add a ...

Page 495: ...Tik RouterOS DHCP client may be enabled on any Ethernet like interface at a time The client will accept an address netmask default gateway and two dns server addresses The received IP address will be added to the interface with the respective netmask The default gateway will be added to the routing table as a dynamic entry Should the DHCP client be disabled or not renew an address the dynamic defa...

Page 496: ...u Command Description release release current binding and restart DHCP client renew renew current leases If the renew operation was not successful client tries to reinitialize lease i e it starts lease request procedure rebind as if it had not received an IP address yet Notes If host name property is not specified client s system identity will be sent in the respective field of DHCP request If cli...

Page 497: ...x rate tx rate rx burst rate tx burst rate rx burst threshold tx burst threshold rx burst time tx burst time priority rx rate min tx rate min All rates should be numbers with optional k 1 000s or M 1 000 000s If tx rate is not specified rx rate is as tx rate too Same goes for tx burst rate and tx burst threshold and tx burst time If both rx burst threshold and tx burst threshold are not specified ...

Page 498: ...rom this server no dhcp server ignores clients requests for addresses that are not available from this server yes to clients request for an address that is not available from this server dhcp server will send negative acknowledgment DHCPNAK bootp support none static dynamic default static support for BOOTP clients none do not respond to BOOTP requests static offer only static leases to BOOTP clien...

Page 499: ...rect requests from clients Example To add a DHCP server to interface ether1 lending IP addresses from dhcp clients IP pool for 2 hours ip dhcp server add name dhcp office disabled no address pool dhcp clients interface ether1 lease time 2h admin MikroTik ip dhcp server print Flags X disabled I invalid NAME INTERFACE RELAY ADDRESS POOL LEASE TIME ADD ARP 0 dhcp office ether1 dhcp clients 02 00 00 a...

Page 500: ...servers domain text the DHCP client will use this as the DNS domain setting for the network adapter gateway IP address default 0 0 0 0 the default gateway to be used by DHCP clients netmask integer 0 32 default 0 the actual network mask to be used by DHCP client 0 netmask from network address is to be used next server IP address IP address of next server to use in bootstrap wins server text the Wi...

Page 501: ... that the IP addresses assigned statically are not probed Property Description active address read only IP address actual IP address for this lease active client id read only text actual client id of the client active mac address read only MAC address actual MAC address of the client active server read only actual dhcp server which serves this client address IP address specify ip address or ip poo...

Page 502: ...fered address it is using it now and will free the address not later than the lease time will be over tx rate integer default 0 maximal transmit bitrate to the client for users it is download bitrate 0 no limitation Command Description check status Check status of a given busy dynamic lease and free it in case of no response make static convert a dynamic lease to static one Notes If rate limit is ...

Page 503: ...hcp alert on Public discovered unknown dhcp server mac 00 02 29 60 36 E7 ip 10 5 8 236 admin MikroTik ip dhcp server alert When the system alerts about a rogue DHCP server it can execute a custom script As DHCP replies can be unicast rogue dhcp detector may not receive any offer to other dhcp clients at all To deal with this rogue dhcp server acts as a dhcp client as well it sends out dhcp discove...

Page 504: ...ent Example This example shows how to set DHCP server to reply on DHCP client s Hostname request code 12 with value Host A Add an option named Option Hostname with code 12 Hostname and value Host A admin MikroTik ip dhcp server option add name Hostname code 12 value Host A admin MikroTik ip dhcp server option print NAME CODE VALUE 0 Option Hostname 12 Host A admin MikroTik ip dhcp server option Us...

Page 505: ...o add a DHCP relay named relay on ether1 interface resending all received requests to the 10 0 0 1 DHCP server admin MikroTik ip dhcp relay add name relay interface ether1 dhcp server 10 0 0 1 disabled no admin MikroTik ip dhcp relay print Flags X disabled I invalid NAME INTERFACE DHCP SERVER LOCAL ADDRESS 0 relay ether1 10 0 0 1 0 0 0 0 admin MikroTik ip dhcp relay Question Answer Based Setup Com...

Page 506: ...er interface ether1 Select network for DHCP addresses dhcp address space 10 0 0 0 24 Select gateway for given network gateway for dhcp network 10 0 0 1 Select pool of ip addresses given out by DHCP server addresses to give out 10 0 0 2 10 0 0 254 Select DNS servers dns servers 159 148 60 20 Select lease time lease time 3d admin MikroTik ip dhcp server The wizard has made the following configuratio...

Page 507: ...ks 192 168 1 0 24 and 192 168 2 0 24 that are behind a router DHCP Relay IP addresses of DHCP Server admin DHCP Server ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 192 168 0 1 24 192 168 0 0 192 168 0 255 To DHCP Relay 1 10 1 0 2 24 10 1 0 0 10 1 0 255 Public admin DHCP Server ip address Page 493 of 695 Copyright 1999 2007 MikroTik All rights reserved...

Page 508: ...00 00 admin DHCP Server ip dhcp server Configure respective networks ip dhcp server network add address 192 168 1 0 24 gateway 192 168 1 1 dns server 159 148 60 20 ip dhcp server network add address 192 168 2 0 24 gateway 192 168 2 1 dns server 159 148 60 20 admin DHCP Server ip dhcp server network print ADDRESS GATEWAY DNS SERVER WINS SERVER DOMAIN 0 192 168 1 0 24 192 168 1 1 159 148 60 20 1 192...

Page 509: ...address 172 16 0 2 secret MySecret authentication port 1812 accounting port 1813 timeout 00 00 00 300 accounting backup no realm admin DHCP Server radius Setup DHCP Server 1 Create an address pool ip pool add name Radius Clients ranges 192 168 0 11 192 168 0 100 2 Add a DHCP server ip dhcp server add address pool Radius Clients use radius yes interface Local disabled no 3 Configure DHCP networks P...

Page 510: ...e client with MAC address 00 0B 6B 31 02 4B will always receive IP address 192 168 0 55 Page 496 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 511: ...on Example General Information Summary DNS cache is used to minimize DNS requests to an external DNS server as well as to minimize DNS resolution time This is a simple recursive DNS server with local items Specifications Packages required system License required level1 Home menu level ip dns Standards and Technologies DNS Hardware usage Not significant Related Documents Software Package Management...

Page 512: ...live for cahce records In other words cache records will expire after cache max ttl time cache size integer 512 10240 default 2048KiB specifies the size of DNS cache in KiB cache used read only integer displays the currently used cache size in KiB primary dns IP address default 0 0 0 0 primary DNS server secondary dns IP address default 0 0 0 0 secondary DNS server Notes If the property use peer d...

Page 513: ...DNS server Property Description address IP address IP address to resolve domain name with name text DNS name to be resolved to a given IP address ttl time time to live of the DNS record Example To add a static DNS entry for www example com to be resolved to 10 0 0 1 IP address admin MikroTik ip dns static add name www example com address 10 0 0 1 admin MikroTik ip dns static print NAME ADDRESS TTL...

Page 514: ...mote requests yes cache size 2048 KiB cache max ttl 1w cache used 10 KiB admin MikroTik ip dns Page 500 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 515: ...s Property Description Notes Example HotSpot User Profiles Description HotSpot Users Description HotSpot Active Users Description HotSpot Cookies Description Property Description Notes Example HTTP level Walled Garden Description Property Description Notes Example IP level Walled Garden Description Property Description Example One to one NAT static address bindings Page 501 of 695 Copyright 1999 2...

Page 516: ...eable difference in user experience setting up HotSpot system in version 2 9 from the previous RouterOS versions is that it has become in order of magnitude easier to set up a correctly working HotSpot system Given a router with two interfaces Local where HotSpot clients are connected to and Public which is connected to the Internet To set up HotSpot on the Local interface 1 first a valid IP confi...

Page 517: ...racking set enabled yes Specifications Packages required hotspot dhcp optional License required level1 Limited to 1 active user level3 Limited to 1 active user level4 Limited to 200 active users level5 Limited to 500 active users level6 Home menu level ip hotspot Standards and Technologies ICMP DHCP Hardware usage Not significant Description MikroTik HotSpot Gateway should have at least two networ...

Page 518: ...otocol so they are not required to install additional software The gateway is accounting the uptime and amount of traffic each of its clients have used and also can send this information to a RADIUS server The HotSpot system may limit each particular user s bitrate total amount of traffic uptime and some other parameters mentioned further in this document The HotSpot system is targeted to provide ...

Page 519: ...see the translated address Note also that arp mode must be enabled on the interface you use one to one NAT on Before the authentication When enabling HotSpot on an interface the system automatically sets up everything needed to show login page for all clients that are not logged in This is done by adding dynamic destination NAT rules which you can observe on a working HotSpot system These rules ar...

Page 520: ...pted In either case HTTP POST method if not possible then HTTP GET method is used to send data to the HotSpot gateway HTTP cookie after each successful login a cookie is sent to web browser and the same cookie is added to active HTTP cookie list Next time the same user will try to log in web browser will send http cookie This cookie will be compared with the one stored on the HotSpot gateway and o...

Page 521: ...y used for unauthorized clients to provide Walled Garden facility may also be used for authorized users to show them advertisement popups Transparent proxy for authorized users allows to monitor http requests of the clients and to take some action if required It enables the possibility to open status page even if client is logged in by mac address as well as to show advertisements time after time ...

Page 522: ...ot setup Command Description address pool of network name IP address pool for the HotSpot network dns name text DNS domain name of the HotSpot gateway will be statically configured on the local DNS proxy dns servers IP address IP address DNS servers for HotSpot clients hotspot interface name interface to run HotSpot on ip address of smtp server IP address default 0 0 0 0 IP address of the SMTP ser...

Page 523: ...is a small chance to reduce denial of service attack based on taking over all free IP addresses unlimited number of IP addresses per one MAC address is not limited address pool name none default none IP address pool name for performing one to one NAT You can choose not to use the one to one NAT none do not perform one to one NAT for the clients of this HotSpot interface HTTPS read only flag whethe...

Page 524: ...ik ip hotspot print Flags X disabled I invalid S HTTPS NAME INTERFACE ADDRESS POOL PROFILE IDLE TIMEOUT 0 hs local local HS real default 00 05 00 admin MikroTik ip hotspot HotSpot Server Profiles Home menu level ip hotspot profile Property Description dns name text DNS name of the HotSpot server This is the DNS name used as the name of the HotSpot server i e it appears as the location of the login...

Page 525: ...S server accounting information on each user once in a while the while is defined in the radius interim update property radius default domain text default default domain to use for RADIUS requests It allows to select different RADIUS servers depending on HotSpot server profile but may be handful for single RADIUS server as well radius interim update time received default received how often to sent...

Page 526: ...re to be detected automatically In order to use RADIUS authentication the radius menu must be set up accordingly Trial authentication method should allways be used together with one of the other authentication methods Example HotSpot User Profiles Home menu level ip hotspot user profile Description Article moved to HotSpot AAA section HotSpot Users Home menu level ip hotspot user Description Artic...

Page 527: ...Walled Garden Home menu level ip hotspot walled garden Description Walled garden is a system which allows unauthorized use of some resources but requires authorization to access other resources This is useful for example to give access to some general information about HotSpot service provider or billing options This menu only manages Walled Garden for HTTP and HTTPS protocols Other protocols can ...

Page 528: ... we use symbol at the beginning of the pattern to specify that no symbols are allowed after the given pattern we use symbol at the end of the pattern You can not use path property for HTTPS requests as router can not and should not that is what the HTTPS protocol was made for decrypt the request Example To allow unauthorized requests to the www example com domain s paynow html page admin MikroTik ...

Page 529: ...g Description You can setup NAT translations statically based on either the original IP address or IP network or the original MAC address You can also allow some addresses to bypass HotSpot authentication i e they will be able work without having to log in to the network first and completely block some addresses Property Description address IP address netmask default the original IP address or net...

Page 530: ...ad only time how long has the router not received any packets including ARP replies keepalive replies and user traffic from this host idle time read only time the amount of time has the user been idle idle timeout read only time the exact value of idle timeout that applies to this user This property shows how long should the user stay idle for it to be logged off automatically keepalive timeout re...

Page 531: ...protocol is working Example To set the FTP protocol uses both 20 and 21 TCP port admin MikroTik ip hotspot service port print Flags X disabled NAME PORTS 0 ftp 21 admin MikroTik ip hotspot service port set ftp ports 20 21 admin MikroTik ip hotspot service port print Flags X disabled NAME PORTS 0 ftp 20 21 admin MikroTik ip hotspot service port Customizing HotSpot Firewall Section Description Apart...

Page 532: ... called Universal Proxy If it is detected that a client is using some proxy server the system will automatically mark that packets with the http hotspot mark to work around the unknown proxy problem as we will see later on Note that the port used 64874 is the same as for HTTP requests in the rule 8 so both HTTP and HTTP proxy requests are processed by the same code HTTPS proxy is listening on the ...

Page 533: ...ect all packets to the clients with ICMP reject message Customizing HotSpot HTTP Servlet Pages Description You can create a completely different set of servlet pages for each HotSpot server you have specifying the directory it will be stored in html directory property of a HotSpot server profile ip hotspot profile The default servlet pages are copied in the directory of your choice right after you...

Page 534: ...nvironments error html error page shown on fatal errors only rlogin html page which redirects client from some other URL to the login page if authorization of the client is required to access that URL rstatus html similarly to rlogin html only in case if the client is already logged in and the original URL is not known flogin html shown instead of login html if some error has happened invalid user...

Page 535: ...ssibilities to customize what the HotSpot authentication pages look like The pages are easily modifiable They are stored on the router s FTP server in the directory you choose for the respective HotSpot server profile By changing the variables which client sends to the HotSpot servlet it is possible to reduce keyword count to one username or password for example the client s MAC address may be use...

Page 536: ...perty interface name physical HotSpot interface name in case of bridged interfaces this will return the actual bridge port name Links link login link to login page including original URL requested http 10 5 50 1 login dst http www example com link login plain link to login page not including original URL requested http 10 5 50 1 login link logout link to logout page http 10 5 50 1 logout link stat...

Page 537: ...es sent to the user 11352 packets in number of packets received from the user 251 packets out number of packets sent to the user 211 remain bytes in remaining bytes until limit bytes in will be reached 337465 or if there is no limit remain bytes out remaining bytes until limit bytes out will be reached 124455 or if there is no limit Miscellaneous variables session id value of session id parameter ...

Page 538: ...gular version of HTML pages To utilize this feature create subdirectories in HotSpot HTML directory and place those HTML files which are different in that subdirectory For example to translate everything in Latvian subdirectory lv can be created with login html logout html status html alogin html radvert html and errors txt files which are translated into Latvian If the requested HTML page can not...

Page 539: ...h basic HTML language knowledge and the examples below it should be easy to implement the ideas described above To provide predefined value as username in login html change type text value username to this line input type hidden name user value hsuser where hsuser is the username you are providing To provide predefined value as password in login html change input type password to this line input t...

Page 540: ...name input type hidden name link login value link login input type hidden name link orig value link orig input type hidden name error value error form script language JavaScript document redirect submit script body html The external server can log in a HotSpot client by redirecting it back to the original HotSpot servlet login page specifying the correct username and password Here is an example of...

Page 541: ...using a MAC address username different from the actual user s MAC address Solution no users with usernames that look like a MAC address eg 12 34 56 78 9a bc may only log in from the MAC address specified as their user name session limit reached error orig depending on licence number of active hotspot clients is limited to some number The error is displayed when this limit is reached Solution try t...

Page 542: ...onsult with your RADIUS server s documentation for further information RADIUS client fatal errors RADIUS server is not responding user is being authenticated by RADIUS server but no response is received from it Solution check whether the RADIUS server is running and is reachable from the HotSpot router HotSpot How to s Description This section will focus on some simple examples of how to use your ...

Page 543: ...che Management Description Property Description Proxy Monitoring Description Property Description Connection List Description Property Description Cache inserts Description Property Description Cache Lookups Description Property Description Complementary Tools Description Command Description HTTP Methods Description General Information Page 529 of 695 Copyright 1999 2007 MikroTik All rights reserv...

Page 544: ...maximal server connections 1000 max object size 2000KiB max fresh time 3d admin MikroTik ip proxy Remember to secure your proxy by preventing unauthorized access to it otherwise it may be used as an open proxy Also you need to setup destination NAT in order to utilize transparent proxying facility admin MikroTik ip firewall nat add chain dstnat protocol tcp dst port 80 action redirect to ports 808...

Page 545: ... completion to see the list of available drives cache only on disk yes no default yes whether to create database in memory that describes cache contents on disk This will minimize memory consumption but may affect speed enabled yes no default no whether the proxy server is enabled max disk cache size none unlimited integer 0 4294967295 default none specifies the maximal disk cache size measured in...

Page 546: ...xy on port 8000 admin MikroTik ip proxy set enabled yes port 8000 admin MikroTik ip proxy print enabled yes src address 0 0 0 0 port 8000 parent proxy 0 0 0 0 0 cache drive system cache administrator dmitry mikrotik com max disk cache size none max ram cache size 100000KiB cache only on disk yes maximal client connections 1000 maximal server connections 1000 max object size 2000KiB max fresh time ...

Page 547: ...Notes Wildcard properties dst host and dst path match a complete string i e they will not match example com if they are set to example Available wildcards are match any number of any characters and match any one character Regular expressions are also accepted here but if the property should be treated as a regular expression it should start with a colon Small hits in using regular expressions symb...

Page 548: ...ethod any connect delete get head options post put trace HTTP method used in the request see HTTP Methods section in the end of this document path wildcard name of the requested page within the target server i e the name of a particular web page or document without the name of the server it resides on src address IP address netmask source address of the IP packet Notes Unlike the access list the d...

Page 549: ...m the cache ram cache used read only integer RAM space used to store the cache received from servers read only integer amount of data received from other servers requests read only integer number of requests handled sent to clients read only integer amount of data sent to the clients of this proxy server status read only text default stopped display status information of the proxy server stopped p...

Page 550: ...ot idle resolving rx header tx body tx eof tx header waiting opened connection state closing the data transfer is finished and the connection is being finalized connecting establishing toe connection converting replacing header and footer fields in response or request paket hotspot check if hotspot authentication allows to continue for hotspot proxy idle staying idle resolving resolving server s D...

Page 551: ...request with non cacheable read only integer number of requests requested from the external servers unconditionally as their caching is denied by the cache access list not found read only integer number of requests not found in the cache and thus requested from an external server or parent proxy if configured accordingly successes read only integer number of requests found in the cache Complementa...

Page 552: ...intends to reduce unnecessary network usage by requesting only parts of entities without transferring data already held by client The response to a GET request is cacheable if and only if it meets the requirements for HTTP caching HEAD This method shares all features of GET method except that the server must not return a message body in the response This retrieves the metainformation of the entity...

Page 553: ...d be treated as stale Responses to this method are not cacheable TRACE This method invokes a remote application layer loop back of the request message The final recipient of the request should reflect the message received back to the client as the entity body of a 200 OK response The final recipient is either the origin server or the first proxy or gateway to receive a Max Forwards value of 0 in t...

Page 554: ...dresses that is used for DHCP server and Point to Point servers Specifications Packages required system License required level1 Home menu level ip pool Standards and Technologies none Hardware usage Not significant Related Documents Package Management IP Addresses and ARP AAA DHCP Client and Server HotSpot Gateway Universal Client Interface Page 540 of 695 Copyright 1999 2007 MikroTik All rights r...

Page 555: ... excluding gateway s address 10 0 0 1 and server s address 10 0 0 100 and the other pool dhcp pool with the 10 0 0 200 10 0 0 250 address range admin MikroTik ip pool add name ip pool ranges 10 0 0 2 10 0 0 99 10 0 0 101 10 0 0 126 admin MikroTik ip pool add name dhcp pool ranges 10 0 0 200 10 0 0 250 admin MikroTik ip pool print NAME RANGES 0 ip pool 10 0 0 2 10 0 0 99 10 0 0 101 10 0 0 126 1 dhc...

Page 556: ...min MikroTik ip pool used print POOL ADDRESS OWNER INFO local 192 168 0 100 00 0C 42 03 1F 60 test local 192 168 0 99 00 0C 42 03 21 0F test Page 542 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 557: ...service through SOCKS server General Information Summary This manual discusses the SOCKS proxy server which is implemented in RouterOS MikroTik RouterOS supports SOCKS version 4 Specifications Packages required system License required level1 Home menu level ip socks Standards and Technologies SOCKS version 4 Hardware usage Not significant Related Documents Web Proxy NAT Page 543 of 695 Copyright 1...

Page 558: ...e security issues to your network and may provide a way for spammers to send junk mail through the router Additional Documents Information about SOCKS SOCKS Configuration Description In this section you will learn how to enable the SOCKS proxy server and do its configuration Property Description connection idle timeout time default 2m time after which idle connections are terminated enabled yes no...

Page 559: ...tes received src address read only IP address source application client IP address TX read only integer bytes sent Example To see current TCP connections admin MikroTik ip socks connections print SRC ADDRESS DST ADDRESS TX RX 0 192 168 0 2 3242 159 148 147 196 80 4847 2880 1 192 168 0 2 3243 159 148 147 196 80 3408 2127 2 192 168 0 2 3246 159 148 95 16 80 10172 25207 3 192 168 0 2 3248 194 8 18 26...

Page 560: ...d access to a client with an IP address 192 168 0 2 32 to SOCKS access list allow data transfer from FTP server to client allow destionation ports from 1024 to 65535 for any IP address and drop everything else admin MikroTik ip socks access add src address 192 168 0 2 32 dst address 21 action allow admin MikroTik ip socks access add dst address 1024 65535 action allow admin MikroTik ip socks acces...

Page 561: ...S server s local IP and port 1080 Page 547 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 562: ...usage Not significant Description UPnP enables data communication between any two devices under the command of any control device on the network Universal Plug and Play is completely independent of any particular physical medium It supports networking with automatic discovery without any initial configuration whereby a device can dynamically join a network DHCP and DNS servers are optional and wil...

Page 563: ...abled yes no default no whether UPnP feature is enabled show dummy rule yes no default yes this is to enable a workaround for some broken implementations which are handling the absense of UPnP rules inincorrectly for example popping up error messages This option will instruct the server to install a dummy meaningless UPnP rule that can be observed by the clients which refuse to work correctly othe...

Page 564: ...options any any flow connection content limit count 0 limit burst 0 limit time 0s action masquerade to src address 0 0 0 0 to src port 0 65535 admin MikroTik ip upnp interfaces Now all we have to do is to add interfaces and enable UPnP admin MikroTik ip upnp interfaces add interface ether1 type external admin MikroTik ip upnp interfaces add interface ether2 type internal admin MikroTik ip upnp int...

Page 565: ...ikroTik ip upnp interfaces set enabled yes admin MikroTik ip upnp interfaces Page 551 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 566: ...e Management Description Property Description Complementary Tools Description Command Description Transparent Mode Description Notes Example HTTP Methods Description General Information Summary The MikroTik RouterOS implements the following proxy server features Regular HTTP proxy Transparent proxy Can be transparent and regular at the same time Page 552 of 695 Copyright 1999 2007 MikroTik All rig...

Page 567: ...s to it otherwise it may be used as an open proxy Specifications Packages required web proxy License required level3 Home menu level ip web proxy Standards and Technologies HTTP 1 0 HTTP 1 1 FTP Hardware usage uses memory and disk space if available see description below Related Documents Software Package Management IP Addresses and ARP Log Management Description Web proxy performs Internet object...

Page 568: ...e unlimited integer 0 4294967295 default unlimited specifies the maximal memory cache size measured in kibibytes parent proxy IP address port default 0 0 0 0 0 specifies upper level parent proxy port port default 3128 specifies the port s the web proxy will be listening on reserved for cache read only integer default 0 specifies allocated memory cache size measured in kibibytes reserved for ram ca...

Page 569: ...em max cache size is also taken in account so the cache will not occupy more than it is specified in this property The effective limit is calculated as a minimum of all three limits Note also that RouterOS supports up to 950MB of memory Considering the previous note you should be aware that you will not be able to enable web proxy if you have less than 60MB of RAM on your router Expire time of cac...

Page 570: ...e URL of the HTTP request Notes There is one rule by default that disallows connect method connections to ports other than 443 https and 563 snews connect method is a security hole that allows connections transparent tunneling to any computer using any protocol It is used mostly by spammers as they found it very convenient to use others mail SMTP servers as anonymous mail relay to send spam over t...

Page 571: ... Access List Home menu level ip web proxy direct Description If parent proxy property is specified it is possible to tell the proxy server whether to try to pass the request to the parent proxy or to resolve it connecting to the requested server directly Direct Access List is managed just like Proxy Access List described in the previous chapter except the action argument Property Description actio...

Page 572: ...bjects from matched request dst address IP address netmask destination address of the IP packet dst port port a list or range of ports the packet is destined to local port port specifies the port of the web proxy via which the packet was received This value should match one of the ports web proxy is listening on method any connect delete get head options post put trace HTTP method used in the requ...

Page 573: ... MikroTik ip firewall nat add in interface ether1 dst port 80 protocol tcp action redirect to ports 8080 chain dstnat admin MikroTik ip firewall nat print Flags X disabled I invalid D dynamic 0 chain dstnat protocol tcp in interface ether1 dst port 80 action redirect to ports 8080 admin MikroTik Be aware that you will not be able to access the router s web page after addition of the rule above unl...

Page 574: ...hypertext links for validity accessibility and recent modification The response to a HEAD request may be cacheable in the way that the information contained in the response may be used to update previously cached entity identified by that Request URI POST This method requests that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Req...

Page 575: ... is either the origin server or the first proxy or gateway to receive a Max Forwards value of 0 in the request A TRACE request must not include an entity Responses to this method MUST NOT be cached Page 561 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are propert...

Page 576: ... port 443 a web server first sends a Certificate which contains a public key for the encryption key negotiation to take place After the encryption key is negotiated the web server will send the requested page encrypted using this key to the browser and also the browser will be able to submit its data securely to the server SSL Certificate confirms the web server identity The Certificate contains i...

Page 577: ...on name name reference name subject read only text holder subject of the certificate issuer read only text issuer of the certificate serial number read only text serial number of the certificate invalid before read only date date the certificate is valid from invalid after read only date date the certificate is valid until ca yes no default yes whether the certificate is used for building or verif...

Page 578: ...tion unit name common name CN the server s common name For SSL web servers this must be the fully qualified domain name FQDN of the server that will use this certificate like www example com This is checked by web browsers email address Email e mail address of the person responsible for the certificate challenge password the challenge password It s use depends on your CA It may be used to revoke t...

Page 579: ... 01 invalid before sep 17 2003 11 56 19 invalid after sep 16 2004 11 56 19 ca yes admin MikroTik certificate Now the certificate may be used by HotSpot servlet admin MikroTik ip service print Flags X disabled I invalid NAME PORT ADDRESS CERTIFICATE 0 telnet 23 0 0 0 0 0 1 ftp 21 0 0 0 0 0 2 www 8081 0 0 0 0 0 3 hotspot 80 0 0 0 0 0 4 ssh 22 0 0 0 0 0 5 hotspot ssl 443 0 0 0 0 0 none admin MikroTik...

Page 580: ...y one algorithm hmac md5 It s the only proposed algorithm for signing DNS messages Specifications Packages required advanced tools License required level1 Command name tool dns update Standards and Technologies Dynamic Updates in the DNS RFC 2136 Secure DNS Dynamic Update RFC 3007 Hardware usage Not significant Related Documents Package Management Description Dynamic DNS Update is a tool that shou...

Page 581: ...o live for the item in seconds zone text DNS zone where to update the domain name in Notes Example To tell 23 34 45 56 DNS server to re associate mydomain name in the myzone com zone with 68 42 14 4 IP address specifying that the name of the key is dns update key and the actual key is update admin MikroTik tool dns update dns server 23 34 45 56 name mydomain zone myzone com address 68 42 14 4 key ...

Page 582: ...location and time which may be used as NTP time source Specifications Packages required gps License required level1 Home menu level system gps Standards and Technologies GPS NMEA 0183 Simple Text Output Protocol Hardware usage Not significant Related Documents Package Management NTP Network Time Protocol Description Global Positioning System GPS is used for determining precise location of a GPS re...

Page 583: ...re the router s serial port in order to work with your device For example many GPS receivers work on 4800bit s bitrate to the same should be set in the port menu for the respective serial port Precise time is mainly intended to be used by built in NTP server which can use it as a time source without any additional configuration if GPS is configured to set system time Additional Documents Global Po...

Page 584: ...urrent location speed read only text mean velocity valid read only yes no whether the received information is valid or not e g you can set a GPS receiver to the demo mode to test the connection in which case you will receive information but it will not be valid Example admin MikroTik system gps monitor date and time jul 23 2003 12 25 00 longitude E 24 8 17 latitude N 56 59 22 altitude 127 406400m ...

Page 585: ...rystalfontz com Intelligent Serial LCD Module 632 16x2 characters and 634 20x4 characters Powertip http www powertip com tw PC1602 16x2 characters PC1604 16x4 characters PC2002 20x2 characters PC2004 20x4 characters PC2402 24x2 characters and PC2404 24x4 characters Portwell http www portwell com tw EZIO 100 16x2 characters Specifications Packages required lcd License required level1 Home menu leve...

Page 586: ...the 17th pin GND and 5V can be taken from computer s internal power supply use black wire for GND and red wire for 5V WARNING Be very careful connecting power supply We do not recommend using external power supplies In no event shall MikroTik liable for any hardware damages Note that there are some PowerTip PC2404A modules that have different pin out Compare Page 572 of 695 Copyright 1999 2007 Mik...

Page 587: ...or the DB9 to 10 pin female header cable is DB9 female 10 pin female header 2 2 3 3 5 5 Please note that the actual traces may not correspond to any of the documents coming from the manufacturer It seems that all pin numbers of J2 are printed on the silkscreen in a mirrored way Thus the 1 pin is where the 5 is printed the wiring above lists actual pin numbers not the ones printed on the board Conf...

Page 588: ... 0 admin MikroTik system lcd LCD Information Display Configuration Home menu level system lcd page Description The submenu is used for configuring LCD information display what pages and how long will be shown Property Description description read only text page description display time time default 5s how long to display the page Notes You cannot neither add your own pages they are created dynamic...

Page 589: ...e and time 1 5s System resources cpu and memory load 2 5s System uptime 3 5s Aggregate traffic in packets sec 4 5s Aggregate traffic in bits sec 5 5s Software version and build info 6 5s ether1 7 5s prism1 admin MikroTik system lcd page LCD Troubleshooting Description LCD doesn t work cannot be enabled by the system lcd set enabled yes command Probably the selected serial port is used by PPP clien...

Page 590: ...arned information to set up some features with minimal or no configuration MNDP features works on IP level connections works on all non dynamic interfaces distributes basic information on the software version distributes information on configured features that should interoperate with other MikroTik routers MikroTik RouterOS is able to discover both MNDP and CDP Cisco Discovery Protocol devices Sp...

Page 591: ...hernet like interfaces will not be automatically enabled for MNDP uses UDP protocol port 5678 a UDP packet with router info is broadcasted over the interface every 60 seconds every 30 seconds the router checks if some of the neighbor entries are not stale if no info is received from a neighbor for more than 180 seconds the neighbor information is discarded Setup Home menu level ip neighbor discove...

Page 592: ... the interface of the neighbour router is unpacking packets packed with M3P platform read only text hardware software platworm type of neighbour router age read only time specifies the record s age in seconds time from last update Example To view the table of discovered neighbours admin MikroTik ip neighbor pri INTERFACE ADDRESS MAC ADDRESS IDENTITY VERSION 0 ether2 10 1 0 113 00 0C 42 00 02 06 ID...

Page 593: ...erty Description Notes Example Time Zone Notes Example System Clock Summary System clock allows router to track current date and time Specifications License required level1 Home menu level system clock Property Description date text date in format mm DD YYY dst active read only yes no default no whether the Daylight Saving Time is currently acitve Page 579 of 695 Copyright 1999 2007 MikroTik All r...

Page 594: ...ne 00 00 dst active no admin Local system clock System Clock DST adjustment Home menu level system clock dst Description In most countries a Daylight Saving Time regime is activated in spring and deactivated in autumn This configuration menu provides DST adjustment facility to drift the timezone according to your local legislation and practice Property Description dst delta text default 01 00 UTC ...

Page 595: ... server NTP server listens on UDP port 123 NTP client synchronizes local clock with some other time source NTP server There are 4 modes in which NTP client can operate at unicast Client Server mode NTP client connects to specified NTP server IP address of NTP server must be set in ntp server and or second ntp server parameters At first client synchronizes to NTP server Afterwards client periodical...

Page 596: ...tarting NTP service please try to restart disable and enable NTP service started NTP client service is started but NTP server is not found yet failed NTP server sent invalid response to our NTP client NTP server is not synchronized to some other time source reached NTP server contacted Comparing local clock to NTP server s clock duration of this phase is approximately 30s timeset local time change...

Page 597: ... change time on your server at his will Example To enable NTP server to answer unicast requests only admin MikroTik system ntp server set manycast no enabled yes admin MikroTik system ntp server print enabled yes broadcast no multicast no manycast no admin MikroTik system ntp server Time Zone Home menu level system clock Notes NTP changes local clock to UTC GMT time by default Example Time zone is...

Page 598: ...MikroTik system clock set time zone 3 admin MikroTik system clock print time sep 24 2004 08 13 28 time zone 03 00 admin MikroTik system clock Page 584 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 599: ...ent or RB200 Description Property Description Notes Example LED Management on RB500 Description Property Description Fan voltage control Description Property Description Console Reset Jumper Description General Information Summary There are some features used to configure specific functions exist only in RouterBOARD series embedded routers BIOS upgrading BIOS configuration Page 585 of 695 Copyrigh...

Page 600: ...ay for example BIOS firmware may be transferred from one router to an another Property Description current firmware read only text the version and build date of the BIOS already flashed model read only text RouterBOARD model routerboard read only yes no whether the motherboard has been detected as a RouterBOARD serial number read only text RouterBOARD serial number upgrade firmware read only text ...

Page 601: ...oot once boot from etherboot once then returns to previous settings cpu mode power save regular default power save whether to enter CPU suspend mode in HTL instruction Most OSs use HLT instruction during CPU idle cycle When CPU is in suspend mode it consumes less power but in low temperatire conditions it is recommended to choose regular mode so that overall system temperature would be greater deb...

Page 602: ...ard bios print baud rate 9600 debug level low boot delay 00 00 01 enter setup on any key beep on boot yes boot device ide only etherboot timeout 00 01 00 vga to serial yes memory settings optimal memory test no cpu mode power save pci backoff enabled admin MikroTik system routerboard bios set debug level high admin MikroTik system routerboard bios print baud rate 9600 debug level high boot delay 0...

Page 603: ...l be enabled after reboot All themperature values are in Celsius degrees Example To check system health admin MikroTik system health print core 1 32 3 3v 3 26 5v 4 97 lm87 temp 0 9 cpu temp 0 9 board temp 0 9 state enabled state after reboot enabled admin MikroTik system routerboard health LED Management or RB200 Command name led Description The four user LEDs of the RouterBOARD 200 series can be ...

Page 604: ...d name blink Description It is possible to blink with the only user LED the red one near the blue power LED of ROuterBOARD 500 series boards Property Description duration time default 10s how long to flash the red LED Fan voltage control Command name system routerboard fan control Description On RouterBOARD 200 series you can control whether the J11 fan 5V voltage output is enabled This feature wi...

Page 605: ...tion is reset Serial port that serial console will pick by default usually serial0 is set to 9600 baud 8 bit 1 stop bit no parity default settings after installation Special flag that prevents any other program except serial console to acquire this port is set Router is rebooted Page 591 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mik...

Page 606: ...icant Generating Support Output File Command name system sup output Example To make a Support Output File admin MikroTik system sup output creating supout rif file might take a while Done admin MikroTik To see the files stored on the router admin MikroTik file print NAME TYPE SIZE CREATION TIME 0 supout rif unknown 108787 dec 24 2003 10 12 38 admin MikroTik Connect to the router using FTP and down...

Page 607: ...on Example PCI Information Property Description Example Reboot Description Notes Example Shutdown Description Notes Example Router Identity Description Example Date and Time Property Description Notes Example System Clock Manual Adjustment Description Property Description Configuration Change History Description Command Description Page 593 of 695 Copyright 1999 2007 MikroTik All rights reserved M...

Page 608: ...values for cpu usage and free memory are in percentage and kilobytes respectively Example To view the basic system resource status admin MikroTik system resource print uptime 04 32 41 free memory 46488 kB total memory 62672 kB model RouterBOARD 230 cpu Geode cpu load 0 free hdd space 35873 kB total hdd space 61972 kB write sect since reboot 2678 write sect total 408130 admin MikroTik system resour...

Page 609: ...Command name system resource io print Description IO usage shows which IO Input Output ports are currently used by hardware Example admin MikroTik system resource io print PORT RANGE OWNER 0x20 0x3F APIC 0x40 0x5F timer 0x60 0x6F keyboard 0x80 0x8F DMA 0xA0 0xBF APIC 0xC0 0xDF DMA 0xF0 0xFF FPU 0x1F0 0x1F7 IDE 1 0x2F8 0x2FF serial port 0x3C0 0x3DF VGA 0x3F6 0x3F6 IDE 1 0x3F8 0x3FF serial port 0xCF...

Page 610: ... speed at which the port works vendor read only text vendor name of the USB device Example To list all available USB ports admin MikroTik system resource usb print DEVICE VENDOR NAME SPEED 0 1 1 USB OHCI Root Hub 12 Mbps admin MikroTik system resource usb PCI Information Command name system resource pci print Property Description device read only text number of device irq read only integer IRQ num...

Page 611: ...s termination signal to all running processes unmounts the file systems and reboots the router Notes Only users which are members of groups with reboot privileges are permitted to reboot the router Reboot can be called from scripts in which case it does not prompt for confirmation Example admin MikroTik system reboot Reboot yes y N y system will reboot shortly admin MikroTik Shutdown Command name ...

Page 612: ...name Gateway admin Gateway Date and Time Home menu level system clock Property Description date text date in format mm DD YYY dst active read only yes no default no whether the Daylight Saving Time is currently acitve gmt offset read only text the current effective GMT timezone in format HH MM or HH MM time time time in format HH MM SS time zone name name default manual timezone code for example E...

Page 613: ... Clock Manual Adjustment Home menu level system clock manual Description In most countries a Daylight Saving Time regime is activated in spring and deactivated in autumn This configuration menu provides DST adjustment facility to drift the timezone according to your local legislation and practice in case it does not match any of the presets that it is possible to choose in system clock menu from P...

Page 614: ...oable R redoable F floating undo ACTION BY POLICY U system time zone changed admin write U system time zone changed admin write U system time zone changed admin write U system identity changed admin write admin MikroTik system clock What the undo command does admin MikroTik system history print Flags U undoable R redoable F floating undo ACTION BY POLICY R system time zone changed admin write U sy...

Page 615: ... default yes whether to show system note on each login Notes If you want to enter or edit multiline system note you may need to use embedded text editor system note edit note Page 601 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective...

Page 616: ...Packages required system License required level1 Home menu level tool Standards and Technologies TCP RFC 793 UDP RFC768 Hardware usage significant Related Documents Software Package Management Description Protocol Description The TCP test uses the standard TCP protocol with acknowledgments and follows the TCP algorithm on how many packets to send according to latency dropped packets and other feat...

Page 617: ...do this you need at least 3 routers connected in chain the Bandwidth Server the given router and the Bandwidth Client Note that if you use UDP protocol then Bandwidth Test counts IP header UDP header UDP data In case if you use TCP then Bandwidth Test counts only TCP data TCP header and IP header are not included Server Configuration Home menu level tool bandwidth server Property Description alloc...

Page 618: ...s in seconds local tx speed integer default 0 transfer test maximum speed bits per second 0 no speed limitations local tx size integer 40 64000 local transmit packet size in bytes password text default password for the remote user protocol udp tcp default udp protocol to use random data yes no default no if random data is set to yes the payload of the bandwidth test packets will have incompressibl...

Page 619: ...nd average 3 87Mbps tx total average 3 53Mbps rx current 3 33Mbps rx 10 second average 3 68Mbps rx total average 3 49Mbps admin MikroTik tool Page 605 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 620: ...Not significant Related Documents Software Package Management IP Addresses and ARP Log Management ICMP Bandwidth Test Description The ICMP test uses two standard echo requests per second The time between these pings can be changed Ping packet size variation makes it possible to approximately evaluate connection parameters and speed with different packet sizes Statistics for throughput is calculate...

Page 621: ... two requests in one second once specifies that the ping will be performed only once interval time 20ms 5s time interval between two ping repetitions Example In the following example we will test the bandwidth to a host with IP address 159 148 60 2 The interval between repetitions will be 1 second admin MikroTik tool ping speed 159 148 60 2 interval 1s current 2 23Mbps average 2 61Mbps admin Mikro...

Page 622: ...on Example Packet Sniffer Host Description Property Description Example Packet Sniffer Connections Description Property Description Example Sniff MAC Address General Information Summary Packet sniffer is a feature that catches all the data travelling over the network that it is able to get when using switched network a computer may catch only the data addressed to it or is forwarded through it Spe...

Page 623: ...the file in KB Sniffer will stop after this limit is reached streaming enabled yes no default no whether to send sniffed packets to a remote server streaming server IP address default 0 0 0 0 Tazmen Sniffer Protocol TZSP stream receiver filter stream yes no default yes whether to ignore sniffed packets that are destined to the stream server filter protocol all frames ip only mac only no ip default...

Page 624: ...st file limit 10 streaming enabled yes streaming server 10 0 0 241 filter stream yes filter protocol ip only filter address1 0 0 0 0 0 0 65535 filter address2 0 0 0 0 0 0 65535 running no admin MikroTik tool sniffer start admin MikroTik tool sniffer stop Running Packet Sniffer Command name tool sniffer start tool sniffer stop tool sniffer save Description The commands are used to control runtime o...

Page 625: ... ipip encap the name number of IP protocol ip Internet Protocol icmp Internet Control Message Protocol igmp Internet Group Management Protocol ggp Gateway Gateway Protocol ipencap IP Encapsulated in IP st st datagram mode tcp Transmission Control Protocol egp Exterior Gateway Protocol pup Parc Universal packet Protocol udp User Datagram Protocol hmp Host Monitoring Protocol xns idp Xerox ns idp rd...

Page 626: ...0 241 1839 10 0 0 181 23 telnet tcp 46 1 0 12 ether1 10 0 0 241 1839 10 0 0 181 23 telnet tcp 40 2 0 12 ether1 10 0 0 181 23 telnet 10 0 0 241 1839 tcp 78 3 0 292 ether1 10 0 0 181 10 0 0 4 gre 88 4 0 32 ether1 10 0 0 241 1839 10 0 0 181 23 telnet tcp 40 5 0 744 ether1 10 0 0 144 2265 10 0 0 181 22 ssh tcp 76 6 0 744 ether1 10 0 0 144 2265 10 0 0 181 22 ssh tcp 76 7 0 744 ether1 10 0 0 181 22 ssh ...

Page 627: ...liable Datagram Protocol iso tp4 ISO Transport Protocol class 4 xtp Xpress Transfer Protocol ddp Datagram Delivery Protocol idpr cmtp idpr Control Message Transport gre General Routing Encapsulation esp IPsec ESP protocol ah IPsec AH protocol rspf Radio Shortest Path First vmtp Versatile Message Transport Protocol ospf Open Shortest Path First ipip IP encapsulation encap IP encapsulation packets i...

Page 628: ...64 0 1 10 0 0 144 0bps 0bps 6 24kbps 12 2kbps 1092 2128 2 10 0 0 181 0bps 0bps 12 2kbps 6 24kbps 2994 1598 3 10 0 0 241 0bps 0bps 1 31kbps 4 85kbps 242 866 admin MikroTik tool sniffer host Packet Sniffer Connections Home menu level tool sniffer connection Description Here you can get a list of the connections that have been watched during the sniffing time Property Description active read only yes...

Page 629: ... 10 5 8 104 1125 dst address 10 1 0 172 3987 winbox tls protocol ip ip protocol tcp size 146 ip packet size 146 ip header size 20 tos 0 identification 5088 fragment offset 0 ttl 126 1 time 0 src mac address 00 30 4F 08 3A E7 dst mac address 00 0C 42 03 02 C7 interface bridge1 src address 10 1 0 172 3987 winbox tls dst address 10 5 8 104 1125 protocol ip ip protocol tcp size 253 ip packet size 253 ...

Page 630: ...quired system License required level1 Home menu level tool mac server ping Standards and Technologies ICMP Hardware usage Not significant Related Documents Software Package Management Description Ping sends ICMP echo ICMP type 8 message to the host and waits for the ICMP echo reply ICMP type 0 from that host The interval between these events is called round trip If the response that is called pong...

Page 631: ...box you should resolve DNS address first pressing right mouse button over its address and choosing Lookup Address You cannot ping with packets larger that the MTU of that interface so the packet size should always be equal or less than MTU If pinging by MAC address minimal packet size iz 50 bytes Only neighbour MikroTik RouterOS routers with MAC ping feature enabled can be pinged by MAC address Ex...

Page 632: ...smitted 3 packets received 0 packet loss round trip min avg max 1 1 0 1 ms admin MikroTik MAC Ping Server Home menu level tool mac server ping Property Description enabled yes no default yes whether MAC pings to this router are allowed Example To disable MAC pings admin MikroTik tool mac server ping set enabled no admin MikroTik tool mac server ping print enabled no admin MikroTik tool mac server ...

Page 633: ...Technologies none Hardware usage Not significant Related Documents Software Package Management Description Realtime Traffic Monitor called also torch is used for monitoring traffic that is going through an interface You can monitor traffic classified by protocol name source address destination address port Torch shows the protocols you have chosen and mean transmitted and received data rate for ea...

Page 634: ...field you ve specified in command line in the command s output e g you will get PROTOCOL column only in case if protocol property is explicitly specified Example The following example monitors the traffic that goes through the ether1 interface generated by telnet protocol admin MikroTik tool torch ether1 port telnet SRC PORT DST PORT TX RX 1439 23 telnet 1 7kbps 368bps admin MikroTik tool To see w...

Page 635: ...12 1813 radius acct 512bps 2 11kbps tcp 1059 139 netbios ssn 248bps 360bps admin MikroTik tool Page 621 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks mentioned herein are properties of their respective owners ...

Page 636: ...ted Documents Software Package Management IP Addresses and ARP Firewall Filters Ping Description Traceroute is a TCP IP protocol based utility which allows user to determine how packets are being routed to a particular host Traceroute works by increasing the time to live value of packets and seeing how far they get until they reach the given destination thus a lengthening trail of hosts passed thr...

Page 637: ... To trace the route to 216 239 39 101 host using ICMP protocol with packet size of 64 bytes setting ToS field to 8 and extending the timeout to 4 seconds admin MikroTik tool traceroute 216 239 39 101 protocol icmp size 64 tos 8 timeout 4s ADDRESS STATUS 1 159 148 60 227 3ms 3ms 3ms 2 195 13 173 221 80ms 169ms 14ms 3 195 13 173 28 6ms 4ms 4ms 4 195 158 240 21 111ms 110ms 110ms 5 213 174 71 49 124ms...

Page 638: ...s required system License required level1 Home menu level tool netwatch Standards and Technologies None Hardware usage Not significant Related Documents Software Package Management Scripting Host Network Watching Tool Specifications Packages required advanced tools License required level1 Home menu level tool netwatch Standards and Technologies none Hardware usage Not significant Page 624 of 695 C...

Page 639: ...hat is executed once when state of a host changes from unknown or down to up Example This example will run the scripts gw_1 or gw_2 which change the default gateway depending on the status of one of the gateways admin MikroTik system script add name gw_1 source ip route set ip route find dst 0 0 0 0 gateway 10 0 0 1 admin MikroTik system script add name gw_2 source ip route set ip route find dst 0...

Page 640: ...goes down admin MikroTik system script add name e down source tool e mail send from rieks mt lv server 159 148 147 198 body Router down subject Router at second floor is down to rieks latnet lv admin MikroTik system script add name e up source tool e mail send from rieks mt lv server 159 148 147 198 body Router up subject Router at second floor is up to rieks latnet lv admin MikroTik system script...

Page 641: ...Packages required advanced tools License required level1 Home menu level tool sigwatch Standards and Technologies none Hardware usage Not significant Related Documents Software Package Management Scripting Host Sigwatch Description Sigwatch monitors state of the serial port pins Property Description count read only integer how many times the event for this item was triggered Count is reset Page 62...

Page 642: ...text last remembered state of monitored signal Notes You can type actual script source instead of the script name from system script list Example In the following example we will add a new sigwatch item that monitors whether the port serial1 has cts signal admin 10 179 tool sigwatch pr Flags X disabled NAME PORT SIGNAL ON CONDITION LOG 0 test serial1 cts change no admin MikroTik tool sigwatch By t...

Page 643: ...dtr rts cts admin MikroTik port This means that the line state besides the dtr and rts signals has also cts when a serial cable is connected The example below will execute a script whenever on condition changes to off admin 10 MikroTik tool sigwatch pr detail Flags X disabled 0 name cts_rest port serial1 signal cts on condition off log no script system shutdown count 0 state on admin 10 MikroTik t...

Page 644: ...urn Values Description Example Operators Description Command Description Notes Example Data types Description Command Reference Description Command Description Special Commands Description Notes Example Additional Features Description Script Repository Description Property Description Command Description Notes Example Page 630 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik Router...

Page 645: ...ribed in the relevant manuals while expressions are prefixed with and are accessible from all submenus The events used to trigger script execution include but are not limited to the System Scheduler the Traffic Monitoring Tool and the Netwatch Tool generated events Specifications Packages required system License required level1 Home menu level system script Standards and Technologies None Hardware...

Page 646: ...ntered in fixed order after the action name like in 10 0 0 1 in admin MikroTik ip firewall mangle ping 10 0 0 1 name value a sequence of parameter names followed by respective values if required like ssid myssid in interface wireless set wlan1 ssid myssid Notes Variable substitution command substitution and expressions are allowed only for path_args and unnamed parameter values prefix path action ...

Page 647: ... 0 0 0 0 0 1 uuu full 0 0 0 0 0 admin MikroTik ip route Although the current command level is changed to ip route it has no effect on next commands entered from prompt therefore print command is still considered to be user print Example The example below demonstrates how to add two users to the user menu admin MikroTik ip route user add name x password y group write add name y password z group rea...

Page 648: ...riables by placing environment print statement inside the do block of commands You can assign a new value to variable using set action It takes two unnamed parameters the name of the variable and the new value of the variable If a variable is no longer needed it s name can be freed by unset command If you free local variable it s value is lost If you free global variable it s value is still kept i...

Page 649: ...ption unary minus Inverts given number value binary minus Substracts two numbers two time values two IP addresses or an IP address and a number logical NOT Unary operator which inverts given boolean value division Binary operator Divides one number by another gives number or a time value by a number gives time value concatenation Binary operator concatenates two string or append one list to anothe...

Page 650: ...aring two arrays note that two arrays are equal only if their respective elements are equal Example Operator priority and evaluation order admin MikroTik ip firewall rule forward put 10 1 6 2 11 12 2 3 1 false admin MikroTik ip firewall rule forward put 10 1 6 2 11 12 2 3 1 true admin MikroTik ip firewall rule forward logical NOT admin MikroTik interface put true false admin MikroTik interface put...

Page 651: ...in MikroTik interface put 60s 1d 1m 3600s true admin MikroTik interface put bridge routing false admin MikroTik interface put yes false false admin MikroTik interface put true aye false admin MikroTik interface logical AND logical OR admin MikroTik interface put yes yes yes no true admin MikroTik interface put no no no yes false admin MikroTik interface bitwise AND bitwise OR bitwise XOR admin Mik...

Page 652: ...ternal number IP address number string or time The number type is internally represented as 64 bit signed integer so the value a number type variable can take is in range from 9223372036854775808 to 9223372036854775807 It is possible to input number value in hexadecimal form by prefixing it with 0x e g admin MikroTik global MyVar 0x10 admin MikroTik put MyVar 16 admin MikroTik Lists are treated as...

Page 653: ...ple admin MikroTik beep execute global list pick time toip typeof delay find if local put toarray tonum while do for led log resolve tobool tostr environment foreach len nothing set toid totime admin MikroTik Command Description beep forces the built in PC beeper to produce a signal for length seconds at frequency Hz integer default 1000 signal frequency measured in Hz time default 100ms signal le...

Page 654: ...red from 0 upwards text the string or value list the search will be performed in text value to be searched for integer position after which the search is started admin MikroTik interface pppoe server put find 13sdf1sdfss1sfsdf324333 0 admin MikroTik interface pppoe server put find 13sdf1sdfss1sfsdf324333 3 1 admin MikroTik interface pppoe server put find 13sdf1sdfss1sfsdf324333 3 3 17 admin MikroT...

Page 655: ...l else block is executed yes no logical condition which is evaluated once before the execution of enclosed statements text this block of commands is executed if the logical condition evaluates to true text this block of commands is executed if the logical condition evaluates to false Check if the firewall has any rules added admin MikroTik if len ip firewall filter find 0 do put true else put fals...

Page 656: ...e timeout keepalive timeout status autorefresh shared users rate limit incoming filter outgoing filter incoming mark outgoing mark open status page on login on logout copy from admin MikroTik local declares local variable name name of the variable text value which should be assigned to the variable admin MikroTik local MyString This is a string admin MikroTik local IPAddr 10 0 0 1 admin MikroTik l...

Page 657: ...f ether1 interface admin MikroTik put interface get ether1 mtu 1500 admin MikroTik resolve returns IP address of the host resolved from the DNS name The DNS settings should be configured on the router ip dns submenu prior to using this command text domain name to be resolved into an IP address DNS configuration and resolve command example admin MikroTik ip route ip dns set primary dns 159 148 60 2...

Page 658: ...s or two parameters when working with lists Notes Monitor command with do argument can also be called directly from scripts It will not print anything then just execute the given script The names of the properties that can be accessed by get are the same as shown by print command plus names of item flags like the disabled in the example below You can use T ab key completions to see what properties...

Page 659: ...ode 32 Note that followed by any amount of whitespace characters spaces newlines carriage returns tabulations followed by newline is treated as a single whitespace except inside quotes where it is treated as nothing This is used by console to break up long lines in scripts generated by export commands Script Repository Home menu level system script Description All scripts are stored in the system ...

Page 660: ... reboot source text default the script source code itself Command Description run name executes a given script name the name of the script to execute Notes You cannot do more in scripts than you are allowed to do by your current user rights that is you cannot use disabled policies For example if there is a policy group in user group which allows you ssh local telnet read write policy test web and ...

Page 661: ...t edit Description RouterOS console has a simple full screen editor for scripts with support for multiline script writing Keyboard Shortcuts Delete deletes character at cursor position Ctrl h backspase deletes character before cursor Unindents line Tab indents line Ctrl b LeftArrow moves cursor left Ctrl f RightArrow moves cursor right Ctrl p UpArrow moves cursor up Ctrl n DownArrow moves cursor d...

Page 662: ... contents of cut buffer Script editor works only on VT102 compatible terminals terminal names vt102 linux xterm rxvt are recognized as VT102 at the moment Delete backspace and cursor keys might not work with all terminal programs use Ctrl alternatives in such cases Example The following example shows the script editor window with a sample script open This script is used for writing message hello a...

Page 663: ...required level1 Home menu level system scheduler Standards and Technologies None Hardware usage Not significant Related Documents Package Management Scripting Examples Scripting Examples Scheduler Configuration Description The scheduler can trigger script execution at a particular time moment after a specified time interval or both Property Description Page 649 of 695 Copyright 1999 2007 MikroTik ...

Page 664: ...ach time router boots Example We will add a task that executes the script log test every hour admin MikroTik system script add name log test source log message test admin MikroTik system script print 0 name log test source log messgae test owner admin run count 0 admin MikroTik system script scheduler admin MikroTik system scheduler add name run 1h interval 1h on event log test admin MikroTik syst...

Page 665: ...sabled NAME ON EVENT START DATE START TIME INTERVAL RUN COUNT 0 email e backup oct 30 2008 15 19 28 7d 1 admin MikroTik system scheduler Do not forget to set the e mail settings i e the SMTP server and From address under tool e mail For example admin MikroTik tool e mail set server 159 148 147 198 from SysAdmin host com admin MikroTik tool e mail print server 159 148 147 198 from SysAdmin host com...

Page 666: ...ftware Package Management Scripting Host Traffic Monitor Home menu level tool traffic monitor Description The traffic monitor tool is used to execute console scripts when interface traffic crosses a given threshold Each item in traffic monitor list consists of its name which is useful if you want to disable or change properties of this item from another script some parameters specifying traffic co...

Page 667: ... the received traffic falls below 12kbps on ether1 admin MikroTik system script add name eth up source interface enable ether2 admin MikroTik system script add name eth down source interface disable ether2 admin MikroTik system script tool traffic monitor admin MikroTik tool traffic monitor add name turn_on interface ether1 on event eth up threshold 15000 trigger above traffic received admin Mikro...

Page 668: ... Description Notes PhoneJack Voice Ports Property Description Command Description Zaptel Voice Ports Property Description Command Description ISDN Voice Ports Property Description Command Description Notes Voice Port for Voice over IP voip Description Property Description Numbers Description Property Description Notes Example Regional Settings Description Property Description Notes Page 654 of 695...

Page 669: ...using routers equipped with the following voice port hardware Quicknet LineJACK or PhoneJACK analog telephony cards ISDN cards Voicetronix OpenLine4 was V4PCI 4 analog telephone lines cards Zaptel Wildcard X100P IP telephony card 1 analog telephone line Specifications Packages required telephony License required level1 Home menu level ip telephony Standards and Technologies RTP Hardware usage Pent...

Page 670: ...onal Telecommunications Union Telecommunications ITU T specification H 323v4 H 323 is a specification for transmitting multimedia voice video and data across an IP network H 323v4 includes H 245 H 225 Q 931 H 450 1 RTP real time protocol The followong audio codecs are supported G 711 the 64 kbps Pulse code modulation PCM voice coding G 723 1 the 6 3 kbps compression technique that can be used for ...

Page 671: ...u level ip telephony voice port Description This submenu is used for managing all IP telephony voice ports linejack phonejack isdn voip voicetronix zaptel Property Description name name assigned name of the voice port type read only phonejack linejack phonejack lite phonejack pci voip isdn voicetronix zaptel type of the installed telephony voice port phonejack Quicknet PhoneJACK ISA linejack Quick...

Page 672: ...tomatic gain control on playback can not be used together with hardware voice codecs agc on record yes no default no automatic gain control on record can not be used together with hardware voice codecs detect cpt yes no default no automatically detect call progress tones balance registers integer 0 255 default 199 registers which depend on telephone line impedance Can be adjusted to get best echo ...

Page 673: ... busy current state of the port on hook the handset is on hook no activity off hook the handset is off hook the number is being dialed ring call in progress direction of the call is shown by the direction property connection the connection has been established busy the connection has been terminated the handset is still off hook ip to port port to ip direction of the call ip to port call from the ...

Page 674: ... level of additional echo attenuation software aec yes no software echo canceller experimental for most of the cards agc on playback yes no default no automatic gain control on playback can not be used together with hardware voice codecs agc on record yes no default no automatic gain control on record can not be used together with hardware voice codecs detect cpt yes no default no automatically de...

Page 675: ...P address of the remote party name CODEC used for the audio connection time duration of the phone call Notes When telephone line is connected to the line port green LED next to the port should be lit in some seconds If telephone line disappear the LED next to the line port will change its state to red in an hour or when the line is activated i e when somebody calls to from it When telephone line i...

Page 676: ...e port name show statistics of time maximal time of packet round trip integer number of packets sent by this card these packets are digitalized input of the voice port integer number of bytes sent by this card these packets are digitalized input of the voice port text minimal average maximal intervals between packets sent integer number of packets received by this card these packets form analog ou...

Page 677: ...gnal level record volume integer 48 48 default 0 record volume in dB 0 0dB meand no change to signal level region name default us regional setting for the voice port This setting is used for setting the parameters of PSTN line as well as for detecting and generating the tones aec yes no wheteher echo detection and cancellation is enabled aec tail length short medium long default short size of the ...

Page 678: ... to ip direction of the call ip to port call from the IP network to the voice card port to ip call from the voice card to an IP address plugged unplugged state of the PSTN line plugged the telephone line is connected to the PSTN port of the card unplugged there is no working line connected to the PSTN port of the card integer the phone number being dialed text name and IP address of the remote par...

Page 679: ...by this card these packets form output of the voice port text minimal average maximal intervals between packets received time approximate delay time from the moment of receiving an audio packet from the IP network till it is played back over the telephony voice port The value shown is never less than 30ms although the actual delay time could be less If the shown value is 40ms then it is close 1ms ...

Page 680: ... default record then default values are used 0 0 0 0 the record with this IP address will specify the default values for an incomming call autodial integer phone number which will be added in front of the telephone number received over the IP network In most cases it should be blank jitter buffer time 0 1000ms default 100ms size of the jitter buffer 0 the size of it is adjusted automatically durin...

Page 681: ...first one of them is already busy next one with the same dst pattern is used Telephony number entries can be moved to select desired order Example Let us consider the following example for the number table admin MikroTik ip telephony numbers print Flags I invalid X disabled D dynamic R registered DST PATTERN VOICE PORT PREFIX 0 12345 XX 1 1111 YY 2 22 ZZ 333 3 QQ 55 admin MikroTik ip telephony num...

Page 682: ...cord 5 nc 55321 vp LL Let us add a few more records admin MikroTik ip telephony numbers print Flags I invalid X disabled D dynamic R registered Flags I invalid X disabled D dynamic R registered DST PATTERN VOICE PORT PREFIX 0 12345 XX 1 1111 YY 2 22 ZZ 333 3 QQ 55 4 222 KK 44444 5 3 LL 553 6 33 MM 33 7 11 NN 7711 admin MikroTik ip telephony numbers If nr 335 incomplete record 6 the call is rejecte...

Page 683: ...bled Property Description name name name of the regional setting busy tone cadence integer 0 30000 default 500 500 busy tone cadence in ms 0 end of cadence busy tone frequency integer 20 2000 integer 24 6 default 440x0 frequency and volume gain of busy tone Hz x dB data access arrangement australia france germany japan uk us default us ring voltage impedance setting for line jack card dial tone fr...

Page 684: ...s based on the throughput and speed of the network Better audio quality can be achieved by using CODEC requiring higher network throughput The highest audio quality can be achieved by using the G 711 uLaw CODEC requiring 64kb s throughput for each direction of the call It is used mostly within a LAN The G 723 1 CODEC is the most popular one to be used for audio connections over the Internet It req...

Page 685: ...ords h323 connect time session establish time only in INTERIM UPDATE and STOP records h323 gw id name of gateway emitting message should be equal to NAS Identifier h323 call type call leg type should be VoIP h323 call origin indicates origin of call relatively to the gateway answer for calls from IP network originate to IP network h323 setup time call setup time h323 conf id unique session ID h323...

Page 686: ...is connection is down This value is suggested not to be less than 3 minutes 0 no interim update messages are sent at all Notes All the parameters which names begin with h323 are CISCO vendor specific Radius attributes Gatekeeper Home menu level ip telephony gatekeeper Description For each H 323 endpoint gatekeeper stores its telephone numbers So gatekeeper knows all telephone numbers for all regis...

Page 687: ...lephony numbers entry is registered to the endpoint only if voice port for that entry is local not voip If dst pattern contains or _ it is sent as prefix otherwise as alias The known part of the dst pattern is sent as prefix If there is no known part dst pattern is _ or for example then this entry is not sent at all Property Description gatekeeper none local remote default none Gatekeeper type to ...

Page 688: ...keeper Example For example if numbers table is like this admin MikroTik ip telephony numbers print Flags I invalid X disabled D dynamic R registered DST PATTERN VOICE PORT PREFIX 0 1 phonejack1 1 128 voip1 128 2 78 voip2 78 3 77 phonejack1 4 76 phonejack1 55 5 _ voip1 then entries 0 3 and 4 will be sent to the gatekeeper others are voip voice ports and are ignored Entry 0 will be sent as prefix 1 ...

Page 689: ... router using any installation procedure You may keep the configuration using either the installation program option or the backup file The IP Telephony gateway does not detect the drop of the line when connected to some PBXs Different regional setting should be used to match the parameters of the PBX For example try using uk for Meridian PBX The IP Telephone does not call the gateway but gives bu...

Page 690: ...T PATTERN VOICE PORT PREFIX 0 31 rob 31 1 33 linejack1 2 1 gw 1 admin Joe ip telephony numbers Here the dst pattern 31 is to call the Welltech IP Telephone if the number 31 is dialed on the dialpad The dst pattern 33 is to ring the local telephone if a call for number 33 is received over the network Anything starting with digit 1 would be sent over to the IP Telephony gateway Making calls from the...

Page 691: ... print Flags I invalid X disabled D dynamic R registered DST PATTERN VOICE PORT PREFIX 0 31 rob 31 1 33 joe 33 2 1 linejack1 1 admin voip_gw ip telephony numbers Making calls through the IP telephony gateway To dial the IP telephone 10 0 0 224 from the office PBX line the extension number 19 should be dialed and after the dial tone has been received the number 33 should be entered Thus the telepho...

Page 692: ...g729a g729 Volume levels voice volume 54 input gain 26 dtmf volume 23 Silence suppression CNG G 723 1 Off Echo canceller On JitterBuffer Min Delay 90 JitterBuffer Max Delay 150 usr config 3 Make sure you have set the H 323 operation mode to phone to phone P2P not gatekeeper GK usr config h323 print H 323 stack relate information RAS mode Non GK mode Registered e164 31 Registered H323 ID Rob RTP po...

Page 693: ...nd ip telephony codec disable G 711 ALaw 64k sw G 711 ALaw 64k hw Fast start has to be used otherwise no ring back tone and problems with codec negotiation ip telephony voice port set cisco fast start yes Telephone number we want to call to must be sent to Cisco for example ip telephony numbers add destination pattern 101 voice port cisco prefix 101 Telephone number cisco will call us must be assi...

Page 694: ...rate limit console 10 except errors enable secret 5 1 bTMC nDGl9 n pc3OMbtWxADMg1 enable password 123 memory size iomem 25 ip subnet zero no ip finger call rsvp sync voice rtp send recv voice class codec 1 codec preference 1 g711ulaw codec preference 2 g723r63 interface FastEthernet0 ip address 10 0 0 101 255 255 255 0 no ip mroute cache speed auto half duplex ip classless ip route 0 0 0 0 0 0 0 0...

Page 695: ...ve ip telephony voice port voip add name gw2 remote address 10 0 0 183 ip telephony numbers add dst pattern 1 voice port gw2 prefix 2 add dst pattern 2 voice port vctx1 prefix 1 IP telephony gateway 2 should have ip telephony voice port voip add name gw1 remote address 10 0 0 182 ip telephony numbers add dst pattern 2 voice port vctx1 prefix 1 add dst pattern 1 voice port gw1 prefix 2 The system w...

Page 696: ...e the system has locked up Software watchdog timer is used to provide the last option so in very rare cases caused by hardware malfunction it can lock up by itself There is a hardware watchdog device available in RouterBOARD hardware which can reboot the system in any case Property Description reboot on failure yes no default no whether to reboot on kernel panic watch address IP address default no...

Page 697: ...port output file to send smtp server text default SMTP server address to send the support output file through If not set the value set in tool e mail is used Example To make system generate a support output file and sent it automatically to support example com throught the 192 0 2 1in case of a software crash admin MikroTik system watchdog set auto send supout yes send to email support example com...

Page 698: ...power failure To do this the router will monitor the UPS and set itself to hibernate mode when the utility power is down and the UPS battery is has less than 10 of its battery power left The router will then continue to monitor the UPS while in hibernate mode and then restart itself after when the utility power returns If the UPS battery is drained and the router loses all power the router will po...

Page 699: ... sound alarm setting delayed alarm is delayed to the on battery event immediate alarm immediately after the on battery event low battery alarm only when the battery is low none do not alarm load read only percentage the UPS s output load as a percentage of full rated load in Watts The typical accuracy of this measurement is 3 of the maximum of 105 manufacture date read only text the UPS s date of ...

Page 700: ...e 12 character serial numbers version read only text UPS version consists of three fields SKU number firmware revision country code The county code may be one of the following I 220 230 240 Vac D 115 120 Vac A 100 Vac M 208 Vac J 200 Vac Notes In order to enable UPS monitor the serial port should be available Example To enable the UPS monitor for port serial1 admin MikroTik system ups add port ser...

Page 701: ...S battery is supplying power on line yes no whether power is being provided by the external utility power company output voltage the UPS s output voltage overloaded output only shown when the UPS reports this status replace battery only shown when the UPS reports this status runtime calibration running only shown when the UPS reports this status runtime left time the UPS s estimated remaining run ...

Page 702: ... yes transfer cause Line voltage notch or spike RTC running no runtime left 19m offline after 4m46s battery charge 94 battery voltage 24V line voltage 0V output voltage 228V load 42 temperature 39C frequency 50Hz replace battery no smart boost no smart trim no overload no low battery no admin MikroTik system ups Page 688 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and...

Page 703: ...ss to some resources Two or more routers referred as VRRP Routers in this context create a highly available cluster also referred as Virtual routers with dynamic fail over Each router can participate in not more than 255 virtual routers per interface Many modern routers support this protocol Network setups with VRRP clusters provide high availability for routers without using clumsy ping based scr...

Page 704: ...ed on its priority For more details on virtual routers see RFC2338 Notes VRRP does not currently work on VLAN interfaces as it is impossible to have the MAC address of a VLAN interface different from the MAC address of the physical interface it is put on VRRP Routers Home menu level ip vrrp Description A number of VRRP routers may form a virtual router The maximal number of clusters on one network...

Page 705: ...me vrid interval preemption mode authentication and password As said before priority of 255 is reserved for the real owner of the virtual router s IP addresses Theoretically the owner should have the IP address added statically to its IP address list and also to the VRRP virtual address list but you should never do this Any addresses that you are using as virtual addresses i e they are added in ip...

Page 706: ...ld be the same for each node of a virtual router Example To add a virtual address of 192 168 1 1 24 to the vr1 VRRP router admin MikroTik ip vrrp address add address 192 168 1 1 24 virtual router vr1 admin MikroTik ip vrrp address print Flags X disabled A active ADDRESS NETWORK BROADCAST INSTANCE INTERFACE 0 192 168 1 1 24 192 168 1 0 192 168 1 255 vr1 default admin MikroTik ip vrrp A simple examp...

Page 707: ...orrectly it should have at least a default route SRC NAT or masquerading should also be configured before See the respective manual chapters on how to make this configuration We will assume that the interface the 192 168 1 0 24 network is connected to is named local on both VRRP routers Configuring Master VRRP router First of all we should create a VRRP instance on this router We will use the prio...

Page 708: ...valid M master B backup 0 B name vr1 interface local vrid 1 priority 100 interval 1 preemption mode yes authentication none password on backup on master admin MikroTik ip vrrp Now we should add the same virtual address as was added to the master node admin MikroTik ip vrrp address add address 192 168 1 1 24 virtual router vr1 admin MikroTik ip vrrp address print Flags X disabled A active ADDRESS N...

Page 709: ...bled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 1 0 1 24 10 0 0 0 10 0 0 255 public 1 192 168 1 3 24 192 168 1 0 192 168 1 255 local 2 D 192 168 1 1 24 192 168 1 0 192 168 1 255 local admin MikroTik ip vrrp Page 695 of 695 Copyright 1999 2007 MikroTik All rights reserved Mikrotik RouterOS and RouterBOARD are trademarks of Mikrotikls SIA Other trademarks and registred trademarks m...

Reviews:

No comments

Brands by name

Popular brands

Load more brands