Contents
1. 1   name="limited" session-timeout=0s idle-timeout=0s only-one=yes tx-bit-rate=65536 rx-bit-rate=32768 incoming-filter="" outgoing-filter="" mark-flow="" logged-in="" login-method=enabled-address keepalive-timeout=1m
[admin@MikroTik] ip hotspot profile>

HotSpot Users
Home menu level: /ip hotspot user
Property Description
name (name) - user name
password (text) - user password
address (IP address; default: 0.0.0.0) - static IP address. If not 0.0.0.0, client will always get the same IP address. It implies that only one simultaneous login for that user is allowed
mac-address (MAC address; default: 00:00:00:00:00:00) - static MAC address. If not 00:00:00:00:00:00, client is allowed to log in only from that MAC address
profile (name; default: default) - user profile
routes (text) - routes that are to be registered on the HotSpot gateway when the client is connected. The route format is: dst-address gateway metric (for example, 10.1.0.0/24 10.0.0.1 1). Several routes may be specified separated with commas
limit-uptime (time; default: 0s) - total uptime limit for user (pre-paid time). 0s - no limit
limit-bytes-in (integer; default: 0) - maximum amount of bytes user can transmit. 0 - no limit
limit-bytes-out (integer; default: 0) - maximum amount of bytes user can receive. 0 - no limit
uptime (read-only: time) - total time user has been logged in
bytes-in (read-only: integer)
2. [admin@MT_Prism_AP] interface prism>
Now the Ethernet interface and IP address are to be set:
[admin@MT_Prism_AP] ip address> add address=10.0.0.217/24 interface=Local
[admin@MT_Prism_AP] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.217/24      10.0.0.0        10.0.0.255      Local
[admin@MT_Prism_AP] ip address> /ip route
[admin@MT_Prism_AP] ip route> add gateway=10.0.0.1
[admin@MT_Prism_AP] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, R - rip, O - ospf, B - bgp
  #   DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 S  0.0.0.0/0         r 10.0.0.1        1        Local
  1 DC 10.0.0.0/24       r 0.0.0.0         0        Local
[admin@MT_Prism_AP] ip route> /interface ethernet
[admin@MT_Prism_AP] interface ethernet> set Local arp=proxy-arp
[admin@MT_Prism_AP] interface ethernet> print
Flags: X - disabled, R - running
  #   NAME        MTU   MAC-ADDRESS        ARP
  0 R Local       1500  00:50:08:00:00:F5  proxy-arp
[admin@MT_Prism_AP] interface ethernet>
We should add PPPoE server to the Prism interface:
[admin@MT_Prism_AP] interface pppoe-server server> add interface=prism1 service-name=mt one-session-per-host=yes disabled=no
[admin@MT_Prism_AP] interface pppoe-server server> print
Flags: X - disabled
  0   service-name="mt" interface
3. [Figure: bridged network 192.166.0.0/24 joining LAN Segment 1 and LAN Segment 2; router interface address 142.160.0.254/24]
When configuring the MikroTik router for bridging, you should do the following:
- Add a bridge interface
- Configure the bridge interface
- Enable the bridge interface
- Assign an IP address to the bridge interface, if needed
Note that there should be no IP addresses on the bridged interfaces. Moreover, IP address on the bridge interface itself is not required for the bridging to work.
When configuring the bridge settings, each protocol that should be forwarded should be added to the forward-protocols list. The "other" protocol includes all protocols not listed before (as VLAN).
[admin@MikroTik] interface bridge> add forward-protocols=ip,arp,other
[admin@MikroTik] interface bridge> print
Flags: X - disabled, R - running
  0 X  name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00 forward-protocols=ip,arp,other priority=1
[admin@MikroTik] interface bridge>
The priority argument is used by the Spanning Tree Protocol to determine which port remains enabled if two ports form a loop.
Next, each interface that should be included in the bridging port table:
[admin@MikroTik] interface bridge port> print
Flags: X - disabled
  #   INTERFACE   BRIDGE
  0   ether1      none
  1   ether2      none
  2   ether3      none
  3   prism1      none
[admin@MikroTik] interface bridge port>
4. [admin@HomeOffice] ppp secret>
Test the L2TP tunnel connection:
[admin@RemoteOffice]> ping 10.0.103.1
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms
Test the connection through the L2TP tunnel to the LocalHomeOffice interface:
[admin@RemoteOffice]> ping 10.150.2.254
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms
To bridge a LAN over this secure tunnel, please see the example in the EoIP section of the manual. To set the maximum speed for traffic over this tunnel, please consult the Queues section.
Connecting a Remote Client via L2TP Tunnel
The following example shows how to connect a computer to a remote office network over L2TP encrypted tunnel, giving that computer an IP address from the same network as the remote office has (without need of bridging over EoIP tunnels). Please consult the respective manual on how to set up a L2TP client with the software you are using.
[Figure: remote client connected across the Internet to the remote office over an encrypted L2TP tunnel; ISP network 192.168.81.0, netmask 255.255.255.0; ToRemoteOf]
5. [admin@MikroTik] interface radiolan>
You can monitor the status of the wireless interface:
[admin@MikroTik] interface radiolan> monitor radiolan1
    default: 00:00:00:00:00:00
      valid: no
[admin@MikroTik] interface radiolan>
Here the wireless interface card has not found any neighbor.
[admin@MikroTik] interface radiolan> set 0 sid=ba72 distance=4.7km-6.6km
[admin@MikroTik] interface radiolan> print
Flags: X - disabled, R - running
  0  R name="radiolan1" mtu=1500 mac-address=00:A0:D4:20:4B:E7 arp=enabled card-name="00A0D4204BE7" sid="ba72" default-destination=first-client default-address=00:00:00:00:00:00 distance=4.7km-6.6km max-retries=15 tx-diversity=disabled rx-diversity=disabled
[admin@MikroTik] interface radiolan> monitor 0
    default: 00:A0:D4:20:3B:7F
      valid: yes
[admin@MikroTik] interface radiolan>
Now we'll monitor other cards with the same sid within range:
[admin@MikroTik] interface radiolan> neighbor radiolan1 print
Flags: A - access-point, R - registered, U - registered-to-us, D - our-default-destination
  #   NAME           ADDRESS            ACCESS-POINT
  0 D 00A0D4203B7F   00:A0:D4:20:3B:7F
[admin@MikroTik] interface radiolan>
You can test the link by pinging the neighbor by its MAC address:
[admin@MikroTik] interface radiolan> ping 00:a0:d4:20:3b:7f radiolan1 size=1500 count=50
               sent: 1
  successfully-sent: 1
        max-retries: 0
    average-retries: 0
             min-re
6. Local Network 192.168.0.0/24
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   192.168.0.254/24   192.168.0.0     192.168.0.255   Local
  1   10.0.0.254/24      10.0.0.0        10.0.0.255      Public
[admin@MikroTik] ip address> /ip route print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, r - rip, o - ospf, b - bgp
  #   DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 S  0.0.0.0/0         r 10.0.0.1        1        Public
  1 DC 192.168.0.0/24    r 0.0.0.0         0        Local
  2 DC 10.0.0.0/24       r 0.0.0.0         0        Public
[admin@MikroTik] ip address>
Assume you want to limit the data rate to 128kbps on downloads and 64kbps on uploads for all hosts on the LAN. Data rate limitation is done by applying queues for outgoing interfaces regarding the traffic flow. It is enough to add a single queue rule at the MikroTik router to limit the download and upload data rate:
[admin@MikroTik] queue simple> add name=LimitClients interface=Local max-limit=131072/65536
[admin@MikroTik] queue simple> print
Flags: X - disabled, I - invalid, D - dynamic
  0   name="LimitClients" target-address=0.0.0.0/0 dst-address=0.0.0.0/0 interface=Local queue=default priority=8 limit-at=0/0 max-limit=131072/65536
[admin@MikroTik] queue simple>
Leave all other parameters as set by default. The limit is approximately 128kbps going to the LAN and
7. An IPIP interface should be configured on two routers that have the possibility for an IP level connection and are RFC 2003 compliant. The IPIP tunnel may run over any connection that transports IP. Each IPIP tunnel interface can connect with one remote router that has a corresponding interface configured. An unlimited number of IPIP tunnels may be added to the router. For more details on IPIP tunnels, see RFC 2003.
Property Description
name (name; default: ipipN) - interface name for reference
mtu (integer; default: 1480) - Maximum Transmission Unit. Should be set to 1480 bytes to avoid fragmentation of packets. May be set to 1500 bytes if mtu path discovery is not working properly on links
local-address (IP address) - local address on router which sends IPIP traffic to the remote host
remote-address (IP address) - the IP address of the remote host of the IPIP tunnel - may be any RFC 2003 compliant router
Notes
Use /ip address add command to assign an IP address to the IPIP interface.
There is no authentication or 'state' for this interface. The bandwidth usage of the interface may be monitored with the monitor feature from the interface menu.
MikroTik RouterOS IPIP implementation has been tested with Cisco 1005. The sample of the Cisco 1005 configuration is given below:
interface Tunnel0
 ip address 10.3.0.1 255.255.255.0
 tunnel source 10.0.0.171
 tunnel destination 10.0.0.204
 tunnel mode ipip
IPIP Configuration Applicati
8. Crystalfontz LCD Installation Notes
Before connecting the LCD, please check the availability of ports, their configuration, and free the desired port resource, if required:
[admin@MikroTik] port> print
  #   NAME        USED-BY          BAUD-RATE
  0   serial0     Serial Console   9600
  1   serial1                      9600
[admin@MikroTik] port>
Configuring the LCD's Settings
Home menu level: /system lcd
Property Description
enabled (yes | no; default: no) - turns the LCD on or off
type (powertip | crystalfontz; default: powertip) - sets the type of the LCD
serial-port (name) - name of the port where the LCD is connected (not shown when type=powertip)
Example Printout
[admin@MikroTik] system lcd> print
  enabled: no
     type: powertip
[admin@MikroTik] system lcd>
To enable Powertip parallel port LCD:
[admin@MikroTik] system lcd> print
  enabled: no
     type: powertip
[admin@MikroTik] system lcd> set enabled=yes
[admin@MikroTik] system lcd> print
  enabled: yes
     type: powertip
[admin@MikroTik] system lcd>
To enable Crystalfontz serial LCD on serial1:
[admin@MikroTik] system lcd> set type=crystalfontz
ERROR: can't acquire requested port: already used
[admin@MikroTik] system lcd> set type=crystalfontz serial-port=serial1
[admin@MikroTik] system lcd> /port print
  #   NAME        USED-BY          BAUD-RATE
  0   serial0     Serial Console   9600
  1   serial1     LCD Panel        9600
[admin@MikroTik] system lcd> print
  enabled: yes
  ty
9. Related Documents
- Software Package Management
Additional Documents
- http://www.camiresearch.com/Data_Com_Basics/RS232_standard.html
- http://www.ctsystems.org/rs.htm
Description
The Serial Console (managed side) feature allows configuring one serial port of the MikroTik router for access to the router's Terminal Console over the serial port. A special null-modem cable is required to connect the router's serial port with the workstation's or laptop's serial (COM) port. A terminal emulation program (e.g., HyperTerminal) should be run on the workstation.
You can also use MikroTik RouterOS to connect to another Serial Console, for example, on a Cisco router. Several customers have described situations where the Serial Terminal (managing side) feature would be useful:
- on a mountaintop, where a MikroTik wireless installation sits next to equipment (including switches and Cisco routers) that cannot be managed in-band by telnet through an IP network
- monitoring weather-reporting equipment through a serial console
- connection to a high-speed microwave modem that needed to be monitored and managed by a serial console connection
With the serial-terminal feature of the MikroTik, up to 132 (and maybe even more) devices can be monitored and controlled.
Serial Console Configuration
Description
A special null-modem cable should be used for connecting to the serial console. The Serial Console cabling diagram for
10. Summary / Specifications / Related Documents / Common Console Functions (Description, Example) / Lists and Item Names (Description, Notes, Example) / Quick Typing (Description, Notes) / Additional Information (Description) / General Commands (Description, Command Description)
General Information
Summary
The Terminal Console is used for accessing the MikroTik Router's configuration and management features using text terminals, id est remote terminal clients or locally attached monitor and keyboard. The Terminal Console is also used for writing scripts. This manual describes the general console operation principles. Please consult the Scripting Manual on some advanced console commands and on how to write scripts.
Specifications
Packages required: system
License required: Any
Hardware usage: Not significant
Related Documents
- Scripting Host and Complementary Tools
Common Console Functions
Description
The console allows configuration of the router's settings using text commands. Although the command structure is similar to the Unix shell, you can get additional information about the command structure in the Scripting Host and Complementary Tools manual. Since there are a lot of available commands, they are split into groups organized in a way of hierarchical menu levels. The name of a menu level reflects the configuration information accessible in the relevant section, exempli gratia /ip hotspot. In general, all menu levels hold the s
11. - You may want to use the same address space for both your LAN and HotSpot networks. Please consult the IP Address and ARP Manual for proxy-arp feature.
- You may want to translate the destination addresses of all TCP port 25 connections (SMTP) from HotSpot users to your local mail server for mail relaying. Thus users can retain their mail client setup and use your mail server for outgoing mail without reconfiguring their mail clients. If 10.5.6.100 is your mail server accepting connections from network 10.5.50.0/24, then the required destination NAT rule would be:
/ip firewall dst-nat add src-address=10.5.50.0/24 dst-port=25 protocol=tcp to-dst-address=10.5.6.100 action=nat comment="Translate SMTP TCP 25 port to our mail server"
- One more option is to allow access to certain pages without authentication (walled garden). For example, if http://hotspot.example.com is your web server's name:
[admin@MikroTik] ip hotspot walled-garden> add dst-host=hotspot.example.com
[admin@MikroTik] ip hotspot walled-garden> print
Flags: X - disabled
  #   DST-HOST              DST-PORT   PATH   ACTION
  0   hotspot.example.com                     allow
[admin@MikroTik] ip hotspot walled-garden>
For HotSpot clients to use transparent web proxy on the same router, the following configuration can be used:
1. make sure web-proxy software package is installed and DNS client is configured
2. it is assumed that HotSpot is set up and successfully running on po
12. ... - whether power is being provided by the external utility power company
on-battery (yes | no) - whether UPS battery is supplying power
transfer-cause (text) - the reason for the most recent transfer to on-battery operation (only shown when the unit is on battery)
low-battery - only shown when the UPS reports this status
replace-battery - only shown when the UPS reports this status
overloaded-output - only shown when the UPS reports this status
smart-boost-mode - only shown when the UPS reports this status
smart-ssdd-mode - only shown when the UPS reports this status
run-time-calibration-running - only shown when the UPS reports this status
run-time-left (time) - the UPS's estimated remaining run time in minutes. You can query the UPS when it is operating in the on-line, bypass, or on-battery modes of operation. The UPS's remaining run time reply is based on available battery capacity and output load
battery-charge (percentage) - the UPS's remaining battery capacity as a percent of the fully charged condition
battery-voltage - the UPS's present battery voltage. The typical accuracy of this measurement is 5% of the maximum value (depending on the UPS's nominal battery voltage)
line-voltage - the in-line utility power voltage
output-voltage - the UPS's output voltage
load (percentage) - the UPS's output load as a percentage of full rated load in Watts. The typical accuracy of this measurement is 3% of the maximum of 105%
frequency - per
13. MikroTik RouterOS v2.8 Reference Manual - Table Of Contents
Terminal Console
  General Information
  Common Console Functions
  Lists and Item Names
  Quick Typing
  Additional Information
  General Commands
Package Management
  General Information
  Software Package Installation
  Software Package Uninstalling
  ...
Specifications
  General Information
Device Driver List
  General Information
  ...
  Aironet
  ...
  PCMCIA Adapters
Device Driver Management
  General Information
  Loading Device Drivers
  Removing Device Drivers
  Notes on PCMCIA Adapters
General Interface Settings
  General Information
  ...
  Traffic Monitoring
FarSync X.21 Interface
14. The monitor command shows the new status and the MAC address generated:
[admin@MikroTik] interface pc> monitor 0
        synchronized: yes
          associated: yes
           frequency: 2442MHz
           data-rate: 11Mbit/s
                ssid: "mt"
        access-point: 2E:00:B8:01:98:01
   access-point-name: ""
      signal-quality: 35
     signal-strength: 62
        error-number: 0
[admin@MikroTik] interface pc>
The other router of the point-to-point link requires the operation mode set to ad-hoc, the System Service Identifier set to "mt", and the channel frequency set to 2412MHz. If the cards are able to establish RF connection, the status of the card should become synchronized, and the green status LED should become solid immediately after entering the command:
[admin@wnet_gw] interface pc> set 0 mode=ad-hoc ssid1=b_link frequency=2412MHz \
    bitrate=auto
[admin@wnet_gw] interface pc> monitor 0
        synchronized: yes
          associated: no
           frequency: 2442MHz
           data-rate: 11Mbit/s
                ssid: "b_link"
        access-point: 2E:00:B8:01:98:01
   access-point-name: ""
      signal-quality: 131
     signal-strength: 83
        error-number: 0
[admin@wnet_gw] interface pc>
As we see, the MAC address under the access-point property is the same as on the first router. If desired, IP addresses can be assigned to the wireless interfaces of the point-to-point linked routers using a smaller subnet, say 30 bit one:
[admin@MikroTik] ip address> add address=192.168.11.1/30 i
15. This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information (Summary, Related Documents, Description) / The Ping Command (Property Description, Notes) / MAC Ping Server (Property Description)
General Information
Summary
Ping uses Internet Control Message Protocol (ICMP) Echo messages to determine if a remote host is active or inactive and to determine the round-trip delay when communicating with it.
Specifications
Packages required: system
License required: Any
Home menu level: /tool mac-server ping
Protocols utilized: ICMP
Hardware usage: Not significant
Related Documents
Description
Ping sends ICMP echo (ICMP type 8) message to the host and waits for the ICMP echo reply (ICMP type 0) from that host. The interval between these events is called round trip. If the response (that is called pong) has not come until the end of the interval, we assume it has timed out. The second significant parameter reported is ttl (Time to Live). It is decremented at each machine in which the packet is processed. The packet will reach its destination only when the ttl is greater than the number of routers between the source and the destination.
The Ping Command
Command name: /ping
Property Description
(IP address | MAC address) - IP or MAC address for destination host
size (integer: 28..65535; default: 64) - size of the IP packet in bytes, including the IP
16.  in use settings ={Tunnel, }
 slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
 sa timing: remaining key lifetime (k/sec): (4607891/1034)
 IV size: 8 bytes
 replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
 spi: 0x1308650C(319317260)
 transform: esp-des esp-sha-hmac ,
 in use settings ={Tunnel, }
 slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
 sa timing: remaining key lifetime (k/sec): (4607893/1034)
 IV size: 8 bytes
 replay detection support: Y
outbound ah sas:
outbound pcp sas:

Routes, Equal Cost Multipath Routing, Policy Routing
Document revision 1.5 (14 Feb 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary / Specifications / Related Documents / Description / Additional Documents / Static Routes (Property Description, Notes, Example) / Routing Tables (Description, Property Description, Example) / Policy Rules (Property Description, Notes, Example) / Application Examples (Standard Policy Routing Setup)
General Information
Summary
The following manual surveys the IP routes management, equal cost multi-path (ECMP) routing technique, and policy-based routing (which gives the opportunity to select routes in order to restrict the use of network resources to certain classes of customers).
Specifications
Packages required: system
Home menu level: /ip route, /ip policy-routing
Protocols uti
17. /ip firewall service-port
Protocols utilized: IP
Hardware usage: Increases with connections count
Related Documents
- IP Addresses and ARP
- IP Routes Management
- Network Address Translation
Connection Tracking
Home menu level: /ip firewall connection
Description
Using Connection Tracking you can observe connections passing through the router.
Connection Timeouts
Here comes a list of connection timeouts:
Property Description
dst-address (read-only: IP address:port) - the destination address and port the connection is established to
src-address (read-only: IP address:port) - the source address and port the connection is established from
protocol (read-only: text) - IP protocol name or number
tcp-state (read-only: text) - the state of TCP connection
timeout (read-only: time) - the amount of time until the connection will be timed out
reply-src-address (read-only: IP address:port) - the source address and port the reply connection is established from
reply-dst-address (read-only: IP address:port) - the destination address and port the reply connection is established to
assured (read-only: true | false) - shows whether the connection is assured
icmp-id (read-only: integer) - contains the ICMP ID. Each ICMP packet gets an ID set to it when it is sent, and when the receiver gets the ICMP message, it sets the same ID within the new ICMP message so that the sender will recognize the reply and will be a
18. ... - receive diversity
tx-diversity (enabled | disabled; default: disabled) - transmit diversity
default-destination (ap | as-specified | first-ap | first-client | no-destination; default: first-client) - default destination. It sets the destination where to send the packet if it is not for a client in the radio network
default-address (MAC address; default: 00:00:00:00:00:00) - MAC address of a host in the radio network where to send the packet if it is for none of the radio clients
max-retries (integer; default: 1500) - maximum retries before dropping the packet
sid (text) - Service Identifier
card-name (text) - card name
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol, one of the:
- disabled - the interface will not use ARP protocol
- enabled - the interface will use ARP protocol
- proxy-arp - the interface will be an ARP proxy (see corresponding manual)
- reply-only - the interface will only reply to the requests originated to its own IP addresses, but neighbor MAC addresses will be gathered from /ip arp statically set table only
Example
[admin@MikroTik] interface radiolan> print
Flags: X - disabled, R - running
  0  R name="radiolan1" mtu=1500 mac-address=00:A0:D4:20:4B:E7 arp=enabled card-name="00A0D4204BE7" sid="bbbb" default-destination=first-client default-address=00:00:00:00:00:00 distance=0-150m max-retries=15 tx-diversity=disabled rx-diversity=disabled
19. ... running
  0  R name="eoip-remote" mtu=1500 arp=enabled remote-address=10.0.0.2 tunnel-id=0
[admin@Our_GW] interface eoip>
[admin@Remote] interface eoip> add name=eoip tunnel-id=0 remote-address=10.0.0.1
[admin@Remote] interface eoip> enable eoip-main
[admin@Remote] interface eoip> print
Flags: X - disabled, R - running
  0  R name="eoip" mtu=1500 arp=enabled remote-address=10.0.0.1 tunnel-id=0
[admin@Remote] interface eoip>
3. Enable bridging between the EoIP and Ethernet interfaces on both routers.
On the Our_GW:
[admin@Our_GW] interface bridge> add forward-protocols=ip,arp,other disabled=no
[admin@Our_GW] interface bridge> print
Flags: X - disabled, R - running
  0  R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00 forward-protocols=ip,arp,other priority=1
[admin@Our_GW] interface bridge> port print
Flags: X - disabled
  #   INTERFACE     BRIDGE
  0   eoip-remote   none
  1   office-eth    none
  2   isp           none
[admin@Our_GW] interface bridge> port set 0,1 bridge=bridge1
And the same for the Remote:
[admin@Remote] interface bridge> add forward-protocols=ip,arp,other disabled=no
[admin@Remote] interface bridge> print
Flags: X - disabled, R - running
  0  R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00 forward-protocols=ip,arp,other priority=1
[admin@Remote] interface bridge> port print
Flags
20. ... - total amount of bytes received from user
bytes-out (read-only: integer) - total amount of bytes sent to user
packets-in (read-only: integer) - total amount of packets received from user
packets-out (read-only: integer) - total amount of packets sent to user
Notes
If auth-mac property is enabled, clients' MAC addresses (written with CAPITAL letters) can be used as usernames. If auth-mac-password is set to no, there should be no password for those users. Otherwise, the password should be equal to the username. When a client is connecting, his/her MAC address is checked first. If there is a user with that MAC address, the client is authenticated as this user. If there is no match, the client is asked for username and password.
The address property is used only for dhcp-pool login method to tell it to DHCP server. If a user already has a permanent IP address (as it is happening when enabled-address method is used), this property will just be ignored.
The byte limits are total limits for each user (not for each session as at /ip hotspot active). So if a user has already downloaded something, then session limit will show the total limit minus already downloaded. For example, if download limit for a user is 100MB and the user has already downloaded 30MB, then session download limit after login at /ip hotspot active will be 100MB - 30MB = 70MB.
Should a user reach his/her limits (bytes-in > limit-bytes-in or bytes-out > limit
21. ... 0.255 ether1
  2   10.10.10.1/24      10.10.10.0      10.10.10.255    test
[admin@MikroTik] ip address>
On the Router 2:
[admin@MikroTik] ip address> add address=10.10.10.2/24 interface=test
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.201/24      10.0.0.0        10.0.0.255      ether1
  1   10.10.10.2/24      10.10.10.0      10.10.10.255    test
[admin@MikroTik] ip address>
If it is set up correctly, then it is possible to ping Router 2 from Router 1 and vice versa:
[admin@MikroTik] ip address> /ping 10.10.10.1
10.10.10.1 64 byte pong: ttl=255 time=3 ms
10.10.10.1 64 byte pong: ttl=255 time=4 ms
10.10.10.1 64 byte pong: ttl=255 time=10 ms
10.10.10.1 64 byte pong: ttl=255 time=5 ms
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 3/10.5/10 ms
[admin@MikroTik] ip address> /ping 10.10.10.2
10.10.10.2 64 byte pong: ttl=255 time=10 ms
10.10.10.2 64 byte pong: ttl=255 time=11 ms
10.10.10.2 64 byte pong: ttl=255 time=10 ms
10.10.10.2 64 byte pong: ttl=255 time=13 ms
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 10/11/13 ms
[admin@MikroTik] ip address>
RadioLAN 5.8GHz Wireless Interface
Document revision 1.1 (22.09.2003)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information / Summary / Specifications
22. ... (IP address) - IP address of the appropriate DNS server, to be propagated to the DHCP clients
lease-time (time; default: 3d) - the time the lease will be valid
Notes
Depending on current settings and answers to the previous questions, default values of following questions may be different. Some questions may disappear if they become redundant (for example, there is no use of asking for relay when the server will lend the directly connected network).
Example
To configure DHCP server on ether1 interface to lend addresses from 10.0.0.2 to 10.0.0.254 which belong to the 10.0.0.0/24 network with 10.0.0.1 gateway and 159.148.60.2 DNS server for the time of 3 days:
[admin@MikroTik] ip dhcp-server> setup
Select interface to run DHCP server on
dhcp server interface: ether1
Select network for DHCP addresses
dhcp address space: 10.0.0.0/24
Select gateway for given network
gateway for dhcp network: 10.0.0.1
Select pool of ip addresses given out by DHCP server
addresses to give out: 10.0.0.2-10.0.0.254
Select DNS servers
dns servers: 159.148.60.2
Select lease time
lease time: 3d
[admin@MikroTik] ip dhcp-server>
The wizard has made the following configuration based on the answers above:
[admin@MikroTik] ip dhcp-server> print
Flags: X - disabled
  #   NAME
  0   dhcp1
  #   ADDRESS
  0   10.0.0.0/24
[admin@MikroTik] ip dhcp-server> print
23. Chipset type: RadioLAN ISA/PC 10Mbit/s 5.8GHz
- RadioLAN ISA card (Model 101)
- RadioLAN PCMCIA card
Synchronous
Specifications
Packages required: synchronous
Description
- Moxa C101 V.35 4 Mbit/s
- Moxa C502 PCI 2-port V.35 8 Mbit/s
- Cyclades PC-300 V.35 5 Mbit/s
- Cyclades PC-300 E1/T1
- FarSync V.35, X.21 8.448 Mbit/s
Asynchronous
Specifications
Packages required: system
Description
- Standard Communication Ports (Com1 and Com2)
- Moxa Smartio C104H, C168H, CP-114, CP-132, CP-168U, CP-104U, CP-134U, CP-132U PCI 2/4/8 port (up to 4 cards, up to 32 ports)
- Cyclades Cyclom-Y and Cyclades-Z Series (up to 32 ports per card, up to 4 cards, up to 128 ports)
- TCL DataBooster 4 or 8 PCI cards
ISDN
Specifications
Packages required: isdn
Description
- Eicon.Diehl Diva PCI
- Sedlbauer Speed Card PCI
- ELSA Quickstep 1000PCI
- Traverse Technologie NETjet PCI S0 card
- Teles PCI
- Dr. Neuhaus Niccy PCI
- AVM Fritz PCI
- Gazel PCI ISDN cards
- HFC-2BS0 based PCI cards
- TeleInt SA1
- Winbond W6692 based PCI cards
VoIP
Specifications
Packages required: telephony
Description
- QuickNet LineJack ISA
- QuickNet PhoneJack ISA
- Voicetronix V4PCI (4 analog telephone lines) cards
- Zaptel X-100P IP telephony card (1 analog line)
xDSL
Specifications
Packages required: synchronous
Description
- Xpeed 300 SDSL cards (up to 6.7km twisted-pair wire connection, max 2.3Mbit/s)
HomePNA
Specifi
24. The PPP connection must have a new user added to the routers one and two:
[admin@Mikrotik] ppp secret> add name=backup password=backup service=isdn
An ISDN server and PPP profile must be set up on the second router:
[admin@MikroTik] ppp profile> set default local-address=3.3.3.254 remote-address=3.3.3.1
[admin@MikroTik] interface isdn-server> add name=backup msn=7801032
An ISDN client must be added to the first router:
[admin@MikroTik] interface isdn-client> add name=backup user=backup password=backup phone=7801032 msn=7542159
- Then you have to set up static routes. Use the /ip route add command to add the required static routes and comments to them. Comments are required for references in scripts.
The first router:
[admin@Mikrotik] ip route> add gateway=2.2.2.2 comment=route1
The second router:
[admin@Mikrotik] ip route> add gateway=2.2.2.1 comment=route1 dst-address=1.1.1.0/24
- And finally you have to add scripts. Add scripts in the submenu /system script using the following commands:
The first router:
[admin@Mikrotik] system script> add name=connection_down source={/interface enable backup; /ip route set route1 gateway=3.3.3.254}
[admin@Mikrotik] system script> add name=connection_up source={/interface disable backup; /ip route set route1 gateway=2.2.2.2}
The second router:
[admin@Mikrotik] system script> add name=connect
25. The firewall filtering rules are grouped together in chains. This allows a packet to be matched against one common criterion in one chain and then passed over for processing against some other common criteria to another chain. Let us assume, for example, that packets must be matched against IP addresses and ports. Then matching against the IP addresses can be done in one chain without specifying the protocol ports, and matching against the protocol ports can be done in a separate chain without specifying the IP addresses. There are three predefined chains, which cannot be deleted:
- The input chain is used to process packets entering the router through one of the interfaces with the destination of the router. Packets passing through the router are not processed against the rules of the input chain.
- The forward chain is used to process packets passing through the router.
- The output chain is used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain.
When processing a chain, rules are taken from the chain in the order they are listed there, from top to bottom. If a packet matches the criteria of a rule, then the specified action is performed on it and no more rules are processed in that chain. If the packet has not matched any rule within the chain, then the default policy action of the chain is performed.
Available
26. This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information: Summary, Specifications, Description, Additional Documents
Configuring Frame Relay Interface: Description, Property Description, Notes
Frame Relay Configuration: Example with Cyclades Interface, Example with MOXA Interface, Example with MikroTik Router to MikroTik Router
Troubleshooting: Description
General Information
Summary
Frame Relay is a multiplexed interface to a packet-switched network and is a simplified form of packet switching, similar in principle to X.25, in which synchronous frames of data are routed to different destinations depending on header information. Frame Relay uses the synchronous HDLC frame format.
Specifications
Packages required: synchronous
Home menu level: /interface pvc
Protocols utilized: Frame Relay (RFC 1490)
Hardware usage: Not significant
Description
To use a Frame Relay interface you must already have a working synchronous interface. You can read how to set up the synchronous boards supported by MikroTik RouterOS:
- Cyclades PC300 PCI Adapters
- Moxa C101 Synchronous Interface
- Moxa C502 Dual Port Synchronous Interface
Additional Documents
- Frame Relay Forum: http://www2.rad.com/networks/1994/fram_rel/frame.htm
Configuring Frame Relay Interface
Home menu level: /interface pvc
Description
To configure Frame Relay, at first you should set up the synchronous interfa
27. at the router's console.
- After reboot, verify that the packages were installed correctly by issuing the /system package print command.
Notes
The packages uploaded to the router should retain the original name and also be in lowercase. The installation/upgrade process is shown on the console screen (monitor attached to the router).
The Free Demo License does not allow software upgrades using FTP. You should do a complete reinstall from floppies or purchase the license.
Before upgrading the router, please check the current version of the system package and the additional software packages. The versions of the additional packages should match the version number of the system software package. The version of the MikroTik RouterOS system software and the build number are shown before the console login prompt. Information about the version numbers and build time of the installed MikroTik RouterOS software packages can be obtained using the /system package print command.
Software Package Uninstalling
Description
Usually you do not need to uninstall software packages. However, if you have installed a wrong package, or you need additional free space to install a new one, you have to uninstall some unused packages. In order to uninstall a software package you have to set the uninstall property for that package to yes and reboot the router.
Notes
If a package is marked for uninstallation but it is required for another dependent pac
28. (time; default: 0s) - time that the client may use an address
  - 0s - lease will never expire
server (read-only: name) - server name which serves this client
expires-after (read-only: time) - time until the lease expires
tx-rate (integer; default: 0) - maximal transmit bitrate to the client (for users it is the download bitrate)
  - 0 - no limitation
rx-rate (integer; default: 0) - maximal receive bitrate from the client (for users it is the upload bitrate)
  - 0 - no limitation
status (read-only: waiting | testing | busy | offered | bound) - lease status
  - waiting - not used static lease
  - testing - testing whether this address is used or not (only for dynamic leases) by pinging it with a timeout of 0.5s
  - busy - this address is assigned statically to a client or already exists in the network, so it can not be leased
  - offered - server has offered this lease to a client, but did not receive confirmation from the client
  - bound - server has received the client's confirmation that it accepts the offered address; the client is using it now and will free the address not later than the lease time is over
Command Description
check-status - check the status of a given busy dynamic lease and free it in case of no response
Notes
Even though a client's address may be changed (by adding a new item in the lease list), it will not change for the client. This is true for any change in the DHCP server configuration, because of the nature of the DHCP protocol: the client tries to renew the assig
29. direct communication between the routers over third-party networks.
[Figure: Network Setup with L2TP. HomeOffice (public address 192.168.80.1/24, network 192.168.80.0, netmask 255.255.255.0; local interface LocalHomeOffice 10.150.2.254/24, network 10.150.2.0, netmask 255.255.255.0, with a Laptop) and RemoteOffice (public address 192.168.81.1/24, network 192.168.81.0, netmask 255.255.255.0; local interface LocalRemoteOffice 10.150.1.254/24, network 10.150.1.0, netmask 255.255.255.0, with a Workstation 10.150.1.1/24) reach the Internet through ISP 1 and ISP 2 and are joined by an encrypted L2TP tunnel with addresses 10.0.103.1 (HomeOffice) and 10.0.103.2 (RemoteOffice).]
To route the local intranets over the L2TP tunnel, add these routes:
[admin@HomeOffice] > ip route add dst-address=10.150.1.0/24 gateway=10.0.103.2
[admin@RemoteOffice] > ip route add dst-address=10.150.2.0/24 gateway=10.0.103.1
On the L2TP server it can alternatively be done using the routes parameter of the user configuration:
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
  0 name="ex" service=l2tp caller-id="" password="1k3rht" profile=default local-address=10.0.103.1 remote-address=10.0.103.2 routes=""
[admin@HomeOffice] ppp secret> set 0 routes="10.150.1.0/24 10.0.103.2 1"
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
  0 name="ex" service=l2tp caller-id="" password="1k3rht" profile=default local-address=10.0.103.1 remote-address=10.0.103.2 routes="10.150.1.0/24 10.0.103.2 1"
30. dst-address are set to the sa-src-address and sa-dst-address values of this policy. If you do not use tunnel mode (id est, you use transport mode), then only packets whose source and destination addresses are the same as sa-src-address and sa-dst-address can be processed by this policy. Transport mode can only work with packets that originate at and are destined for IPsec peers (hosts that established security associations). To encrypt traffic between networks, or between a network and a host, you have to use tunnel mode.
It is good to have dont-fragment cleared, because encrypted packets are always bigger than the original and thus they may need fragmentation.
If you are using IKE to establish SAs automatically, then the policies on both routers must exactly match each other (id est, src-address=1.2.3.0/27 on one router and dst-address=1.2.3.0/28 on the other would not work). Source address values on one router MUST be equal to the destination address values on the other one, and vice versa.
Example
To add a policy to encrypt all the traffic between two hosts (10.0.0.147 and 10.0.0.148), we need to do the following:
[admin@WiFi] ip ipsec policy> add sa-src-address=10.0.0.147 sa-dst-address=10.0.0.148 action=encrypt
[admin@WiFi] ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - invalid
  0 src-address=10.0.0.147/32:any dst-address=10.0.0.148/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=10.0.0.147 sa-dst-ad
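The two requirements stated above (policies on the two peers must be exact mirrors of each other, and transport mode only covers traffic between the SA endpoints themselves) are easy to get wrong by hand. The following is an added example, not RouterOS code or anything from the manual: a checker that takes the policy lists of both routers as plain dicts (field names are the manual's property names with underscores; that naming, the defaults it fills in, and the address values in the constructed samples are assumptions of this example) and reports every policy that has no exact mirror on the peer, plus every transport-mode policy whose selectors are wider than the two peer hosts.

```python
"""Added example (not RouterOS code): verify IPsec policy symmetry between
two peers before IKE is asked to negotiate SAs from them."""
import ipaddress

FIELDS = ("src_address", "dst_address", "sa_src_address", "sa_dst_address", "tunnel", "protocol")


def normalize(policy):
    """Apply the defaults the print output above shows (src/dst default to the
    SA endpoints as /32 hosts, tunnel=no, protocol=all) and return a canonical
    dict so two policies can be compared with ==."""
    p = dict(policy)
    p.setdefault("tunnel", False)
    p.setdefault("protocol", "all")
    p.setdefault("src_address", p["sa_src_address"] + "/32")
    p.setdefault("dst_address", p["sa_dst_address"] + "/32")
    canon = {k: p[k] for k in FIELDS}
    canon["src_address"] = ipaddress.ip_network(canon["src_address"], strict=False)
    canon["dst_address"] = ipaddress.ip_network(canon["dst_address"], strict=False)
    canon["sa_src_address"] = ipaddress.ip_address(canon["sa_src_address"])
    canon["sa_dst_address"] = ipaddress.ip_address(canon["sa_dst_address"])
    return canon


def mirror(p):
    """The policy the other peer must hold: every source value becomes the
    destination value and vice versa; mode and protocol stay the same."""
    return {"src_address": p["dst_address"], "dst_address": p["src_address"],
            "sa_src_address": p["sa_dst_address"], "sa_dst_address": p["sa_src_address"],
            "tunnel": p["tunnel"], "protocol": p["protocol"]}


def transport_mode_problem(p):
    """Transport mode only handles packets exchanged between the SA peers, so a
    transport-mode policy with wider selectors leaves the extra traffic
    unprotected instead of encrypting it."""
    if p["tunnel"]:
        return None
    peers = (ipaddress.ip_network(str(p["sa_src_address"]) + "/32"),
             ipaddress.ip_network(str(p["sa_dst_address"]) + "/32"))
    if (p["src_address"], p["dst_address"]) != peers:
        return ("policy %s -> %s uses transport mode but covers more than the SA peers; use tunnel=yes"
                % (p["src_address"], p["dst_address"]))
    return None


def check_peers(local_policies, remote_policies):
    """Return a list of problems; an empty list means every local policy has an
    exact mirror on the remote side and transport-mode policies are host-to-host."""
    remote = [normalize(r) for r in remote_policies]
    problems = []
    for p in map(normalize, local_policies):
        issue = transport_mode_problem(p)
        if issue:
            problems.append(issue)
        want = mirror(p)
        if want not in remote:
            problems.append("no exact mirror on the peer for %s -> %s (peer needs src-address=%s dst-address=%s)"
                            % (p["src_address"], p["dst_address"], want["src_address"], want["dst_address"]))
    return problems


if __name__ == "__main__":
    # The host-to-host example above, entered on both routers: no problems.
    wifi = [{"sa_src_address": "10.0.0.147", "sa_dst_address": "10.0.0.148"}]
    peer = [{"sa_src_address": "10.0.0.148", "sa_dst_address": "10.0.0.147"}]
    print(check_peers(wifi, peer))  # []
    # The mismatch the text warns about (/27 on one side, /28 on the other); SA
    # endpoint addresses are constructed for this example.
    a = [{"src_address": "1.2.3.0/27", "dst_address": "5.6.7.0/24",
          "sa_src_address": "1.1.1.1", "sa_dst_address": "2.2.2.2", "tunnel": True}]
    b = [{"src_address": "5.6.7.0/24", "dst_address": "1.2.3.0/28",
          "sa_src_address": "2.2.2.2", "sa_dst_address": "1.1.1.1", "tunnel": True}]
    for line in check_peers(a, b):
        print(line)
```

Run check_peers with each router's export in turn as the local side; a policy that is only present on one router shows up as a missing mirror from that side.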
31. - Serial console configuration is reset
- The serial port that the serial console picks by default (usually serial0) is set to 9600 baud, 8 bit, 1 stop bit, no parity (the default settings after installation)
- A special flag that prevents any program other than the serial console from acquiring this port is set
- The router is rebooted
License Management
Document revision 2.8 (30 Jan 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information: Summary, Description
License Management: Description, Property Description, Command Description
General Information
Summary
MikroTik RouterOS software has a licensing system with a Software License (Software Key) issued for each individual installation of the RouterOS. RouterOS version 2.8 introduces a new licensing scheme with a different key system. You should upgrade your key when updating to the 2.8 version from the 2.5, 2.6 or 2.7 versions.
Specifications
Packages required: system
License required: Any
Home menu level: /system license
Hardware usage: Not significant
Description
The Software License can be obtained through the Account Server at www.mikrotik.com after the MikroTik RouterOS has been installed. The Software ID of the installation is required when obtaining the Software License. Please read the MikroTik RouterOS Basic Setup Guide for a detailed explanation of the installation and licensing process.
RouterOS allows you to use al
32. from that host. The interval between these events is called the round trip. If the response (called a pong) has not come by the end of the interval, we assume it has timed out. The second significant parameter reported is ttl (Time to Live). It is decremented at each machine in which the packet is processed. The packet will reach its destination only when the ttl is greater than the number of routers between the source and the destination.
The Ping Command
Command name: /ping
Property Description
(IP address | MAC address) - IP or MAC address of the destination host
size (integer: 28..65535; default: 64) - size of the IP packet in bytes, including the IP and ICMP headers
do-not-fragment - if added, packets will not be fragmented
interval (time: 10ms..5s; default: 1s) - delay between messages
count (integer; default: 0) - how many times ICMP packets will be sent
  - ping continues till Ctrl-C is pressed
ttl (integer: 1..255; default: 255) - Time To Live (TTL) value of the ICMP packet
src-address (IP address) - change the source address of the packet
Notes
If the DNS service is configured, it is possible to ping by DNS name. To do it from Winbox, you should resolve the DNS name first, pressing the right mouse button over the address and choosing Lookup Address.
The packet size may not be greater than the interface's MTU.
If pinging by MAC address, the minimal packet size is 50.
Only neighbour MikroTik RouterOS routers with MA
33. ip address add address=1.1.1.1/24 interface=farsync1
The essential part of the configuration of the Cisco router is provided below:
interface Serial0
 ip address 1.1.1.2 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 no fair-queue
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.1
MikroTik router to MikroTik router using Frame Relay
Consider the following example:
[Figure: Headquarters router connected to the Remote Office router over a Frame Relay link.]
The default value of the property clock-source must be changed to internal for one of the cards. This card also requires the property frame-relay-dce set to yes. Both cards must have the media-type property set to X21 and the line-protocol set to frame-relay. Now we need to add the pvc interfaces:
[admin@hq] interface pvc> add dlci=42 interface=farsync1
[admin@hq] interface pvc> print
Flags: X - disabled, R - running
  #    NAME   MTU    DLCI   INTERFACE
  0 X  pvc1   1500   42     farsync1
[admin@hq] interface pvc>
A similar routine has to be done also on the office router:
[admin@office] interface pvc> add dlci=42 interface=farsync1
[admin@office] interface pvc> print
Flags: X - disabled, R - running
  #    NAME   MTU    DLCI   INTERFACE
  0 X  pvc1   1500   42     farsync1
[admin@office] interface pvc>
Finally, we need to add IP addresses to the pvc interfaces and enable them. On the hq router:
[admin@hq] interface pvc> /ip addr add address=2.2.2.1/24 in
34. list of DHCP server IP addresses to which the DHCP requests should be forwarded
local-address (IP address; default: 0.0.0.0) - the unique IP address of this DHCP relay, needed for the DHCP server to distinguish relays
  - 0.0.0.0 - the IP address will be chosen automatically
Notes
The DHCP relay does not choose a particular DHCP server from the dhcp-server list; it just sends the request to all the listed servers.
Example
To add a DHCP relay named relay on the ether1 interface, resending all received requests to the 10.0.0.1 DHCP server:
[admin@MikroTik] ip dhcp-relay> add name=relay interface=ether1 dhcp-server=10.0.0.1 disabled=no
[admin@MikroTik] ip dhcp-relay> print
Flags: X - disabled, I - invalid
  #   NAME    INTERFACE   DHCP-SERVER   LOCAL-ADDRESS
  0   relay   ether1      10.0.0.1      0.0.0.0
[admin@MikroTik] ip dhcp-relay>
Question & Answer Based Setup
Command name: /ip dhcp-server setup
Command Description
dhcp server interface (name) - interface to run the DHCP server on
dhcp address space (IP address/mask; default: 192.168.0.0/24) - network the DHCP server will lease to the clients
gateway (IP address; default: 0.0.0.0) - the default gateway of the leased network
dhcp relay (IP address; default: 0.0.0.0) - the IP address of the DHCP relay between the DHCP server and the DHCP clients
addresses to give out (text) - the pool of IP addresses the DHCP server should lease to the clients
dns servers
35. margin for each bin by equalizing the margin across all bins through bit reallocation
bridged-ethernet (yes | no; default: yes) - whether the adapter operates in bridged Ethernet mode
dlci (integer; default: 16) - defines the DLCI to be used for the local interface. The DLCI field identifies which logical circuit the data travels over
lmi-mode (off | line-termination | network-termination | network-termination-bidirectional; default: off) - defines how the card will perform LMI protocol negotiation
  - off - no LMI will be used
  - line-termination - LMI will operate in LT (Line Termination) mode
  - network-termination - LMI will operate in NT (Network Termination) mode
  - network-termination-bidirectional - LMI will operate in bidirectional NT mode
cr (0 | 2; default: 0) - a special mask value to be used when speaking with certain buggy vendor equipment. Can be 0 or 2
Example
To enable the interface:
[admin@r1] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME     TYPE    MTU
  0 R  outer    ether   1500
  1 R  inner    ether   1500
  2 X  xpeed1   xpeed   1500
[admin@r1] interface> enable 2
[admin@r1] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME     TYPE    MTU
  0 R  outer    ether   1500
  1 R  inner    ether   1500
  2 R  xpeed1   xpeed   1500
[admin@r1] interface>
Frame Relay Configuration Examples
MikroTik Router to MikroTik Router
Consider the following network setup with MikroTik router
36. priority=7 max-limit=65536 burst-limit=0 burst-threshold=0 burst-time=0
  2 name="Local_Up" parent=Up flow="Local_Up" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0
[admin@MikroTik] queue tree>
Thus we used queue trees for limiting the upload. The download speed can be limited the same way, simply changing the interface names and matching the packets destined to the server:
[admin@MikroTik] queue tree> add name=Down parent=Local max-limit=131072
[admin@MikroTik] queue tree> print
Flags: X - disabled, I - invalid, D - dynamic
  0 name="Up" parent=Public flow="" limit-at=0 queue=default priority=8 max-limit=65536 burst-limit=0 burst-threshold=0 burst-time=0
  1 name="Server_Up" parent=Up flow="Server_Up" limit-at=32768 queue=default priority=7 max-limit=65536 burst-limit=0 burst-threshold=0 burst-time=0
  2 name="Local_Up" parent=Up flow="Local_Up" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0
  3 name="Down" parent=Local flow="" limit-at=0 queue=default priority=8 max-limit=131072 burst-limit=0 burst-threshold=0 burst-time=0
[admin@MikroTik] queue tree> /ip firewall mangle
[admin@MikroTik] ip firewall mangle> add dst-address=192.168.0.17/32:20-21 protocol=tcp mark-flow=Server_Down in-interface=Public
[admin@MikroTik] ip firewall mangle> add dst-address=0.0.0.0/0 mark-flow=Local_Do
37. (time; default: 1m) - DHCP lease time for a logged-in user
login-delay (time; default: 10s) - time required to log a user in. The after-login page is displayed for this time. This time should be approximately the same as the lease time for the temporary address lease
address-pool (name) - IP pool name from which a HotSpot client will get an IP address, if it is not given a static IP address
Notes
This configuration is ignored by the enabled-address method.
One HotSpot server can be added for each DHCP server. Which server profile is applied depends on the DHCP server which gave the DHCP lease to that client. In practice it means that if a user logs in from different interfaces, then different server profiles will be used. This allows assigning different IP addresses on different Ethernet interfaces. Network mask, gateway and some other settings are set up in the /ip dhcp-server network submenu.
Example
To add a HotSpot server named dhcp1 to the DHCP server hotspot-dhcp, giving out IP addresses from the hotspot address pool:
[admin@MikroTik] ip hotspot server> add name=dhcp1 dhcp-server=hotspot-dhcp address-pool=hotspot
[admin@MikroTik] ip hotspot server> print
  #   NAME    DHCP-SERVER    ADDRESS-POOL   LOGIN-DELAY   LEASE-TIME
  0   dhcp1   hotspot-dhcp   hotspot        10s           1m
[admin@MikroTik] ip hotspot server>
HotSpot Cookies
Home menu level: /ip hotspot cookie
Property Description
user (read-only: name)
38. 0.0.0.0/0   READ-ACCESS: yes
To add the community called communa that is only accessible from the 159.148.116.0/24 network:
Available OIDs
Description
You can use the SNMP protocol to get statistics from the router in these submenus:
- /interface
- /interface pc
- /interface wavelan
- /interface wireless
- /interface wireless registration-table
- /queue simple
- /queue tree
- /system identity
- /system resource
Example
To see the available OID values, just type print oid. For example, to see the available OIDs in /system resource:
[admin@motors] system resource> print oid
[Output: the OID of each property (uptime, total-hdd-space, used-hdd-space, total-memory, used-memory, cpu-load); uptime maps to .1.3.6.1.2.1.1.3.0.]
[admin@motors] system resource>
Available MIBs
Description
MikroTik RouterOS OID: enterprises.14988.1
RFC1493:
- dot1dBridge.dot1dBase.dot1dBaseBridgeAddress
- dot1dBridge.dot1dStp.dot1dStpProtocolSpecification
- dot1dBridge.dot1dStp.dot1dStpPriority
- dot1dBridge.dot1dTp.dot1dTpFdbTable.dot1dTpFdbEntry.dot1dTpFdbAddress
- dot1dBridge.dot1dTp.dot1dTpFdbTable.dot1dTpFdbEntry.dot1dTpFdbPort
- dot1dBridge.dot1dTp.dot1dTpFdbTable.dot1dTpFdbEntry.dot1dTpFdbStatus
RFC2863: ifM
39. 0.0.0.0   0   pppoe-in25
  3 DC 10.0.0.231/32   r 0.0.0.0   0   pppoe-in26
[admin@MikroTik] ip arp>
Unnumbered Interfaces
Description
Unnumbered interfaces can be used on serial point-to-point links, e.g. MOXA or Cyclades interfaces. A private address should be put on the interface with the network being the same as the address of the router on the other side of the p2p link (there may be no IP address on that interface, but there is an IP address for that router).
Example
[admin@MikroTik] ip address> add address=10.0.0.214/32 network=192.168.0.1 interface=pppsync
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS         NETWORK       BROADCAST     INTERFACE
  0   10.0.0.214/32   192.168.0.1   192.168.0.1   pppsync
[admin@MikroTik] ip address> /ip route print detail
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, R - rip, O - ospf, B - bgp
  0 S  dst-address=0.0.0.0/0 preferred-source=0.0.0.0 gateway=192.168.0.1 gateway-state=reachable distance=1 interface=pppsync
  1 DC dst-address=192.168.0.1/32 preferred-source=10.0.0.214 gateway=0.0.0.0 gateway-state=reachable distance=0 interface=pppsync
[admin@MikroTik] ip address>
As you can see, a dynamic connected route has been automatically added to the routes list. If you want the default gateway to be the other router of the p2p link, just add a static r
40. 0-65535) - destination IP address
jump-target (name) - name of the target chain, if the action=jump is used
tcp-options (any | syn-only | non-syn-only; default: any) - TCP options
connection (text; default: "") - connection mark to match. Only connections (including related) marked in the MANGLE would be matched
dst-netmask (IP address) - destination netmask in decimal form x.x.x.x
limit-burst (integer; default: 0) - allowed burst regarding the limit-count/limit-time
protocol (ah | egp | ggp | icmp | ipencap | ospf | rspf | udp | xtp | all | encap | gre | idpr-cmtp | ipip | pup | st | vmtp | ddp | esp | hmp | igmp | iso-tp4 | rdp | tcp | xns-idp; default: all) - protocol setting
  - all - cannot be used if you want to specify ports
connection-state (any | established | invalid | new | related; default: any) - connection state
dst-port (integer: 0..65535) - destination port number or range
  - all ports - 1-65535
limit-count (integer; default: 0) - how many times to use the rule during the limit-time period
src-address (IP address/mask:port; default: 0.0.0.0/0:0-65535) - source IP address
content (text; default: "") - the text packets should contain in order to match the rule
flow (text) - flow mark to match. Only packets marked in the MANGLE would be matched
limit-time (time; default: 0) - time interval used in limit-count
  - 0 - forever
src-mac-address (MAC address; default: 00:00:00:00:00:00) - MAC address of the host the packet has been received
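The chain semantics described under item 25 (which built-in chain a packet enters, first match wins, fall-through to the chain's default policy, jump into a user chain) together with the matchers listed here are worth seeing as executable logic, because most filter mistakes come from rule order rather than from any single rule. The block below is an added example, not RouterOS code or anything from the manual: a small evaluator over rules written as dicts (property names with underscores; only src/dst address, protocol, dst-port range, connection-state and jump are modelled). The router addresses, the ruleset and the assumption that the built-in chains accept by default are all constructed for this example.

```python
"""Added example (not RouterOS code): model of chain processing for the
subset of matchers named in the manual."""
import ipaddress

# Constructed router addresses, used only to choose the built-in chain.
ROUTER_ADDRESSES = {ipaddress.ip_address("10.0.0.1"), ipaddress.ip_address("1.1.1.1")}


def select_chain(pkt):
    """input: destined to the router; output: originated by the router;
    forward: everything passing through."""
    if pkt["dst"] in ROUTER_ADDRESSES:
        return "input"
    if pkt["src"] in ROUTER_ADDRESSES:
        return "output"
    return "forward"


def validate_rule(rule):
    """Reject the combinations the manual rules out before evaluating."""
    if "dst_port" in rule and rule.get("protocol", "all") == "all":
        raise ValueError("dst-port requires a specific protocol, not 'all'")
    if rule["action"] == "jump" and "jump_target" not in rule:
        raise ValueError("action=jump requires jump-target")


def rule_matches(rule, pkt):
    """Every matcher present in the rule must hold; an absent matcher matches all."""
    if "src_address" in rule and pkt["src"] not in ipaddress.ip_network(rule["src_address"]):
        return False
    if "dst_address" in rule and pkt["dst"] not in ipaddress.ip_network(rule["dst_address"]):
        return False
    if rule.get("protocol", "all") != "all" and rule["protocol"] != pkt["protocol"]:
        return False
    if "dst_port" in rule:
        lo, hi = rule["dst_port"]
        port = pkt.get("dst_port")
        if port is None or not lo <= port <= hi:
            return False
    if rule.get("connection_state", "any") != "any" and rule["connection_state"] != pkt["state"]:
        return False
    return True


def run_chain(chains, name, pkt, depth=0):
    """Rules are tried top to bottom; the first match decides.  A jump into a
    user chain that matches nothing falls back to the next rule of the calling
    chain.  Returns the action, or None if no rule matched."""
    if depth > 16:  # a user chain jumping back into itself would never terminate
        raise RuntimeError("jump loop between chains")
    for rule in chains.get(name, []):
        validate_rule(rule)
        if not rule_matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            verdict = run_chain(chains, rule["jump_target"], pkt, depth + 1)
            if verdict is not None:
                return verdict
            continue
        return rule["action"]
    return None


def filter_packet(chains, pkt, policy=None):
    """Pick the built-in chain, run it, and apply the chain's default policy
    when nothing matched (assumption: the built-in chains accept by default)."""
    policy = policy or {"input": "accept", "forward": "accept", "output": "accept"}
    chain = select_chain(pkt)
    verdict = run_chain(chains, chain, pkt)
    return chain, (verdict if verdict is not None else policy[chain])


def packet(src, dst, protocol="tcp", dst_port=None, state="new"):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "protocol": protocol, "dst_port": dst_port, "state": state}


# Constructed ruleset in the shape the manual suggests: addresses are matched in
# the built-in chain, ports in a separate user chain it jumps to.
CHAINS = {
    "input": [
        {"src_address": "192.168.0.0/24", "action": "jump", "jump_target": "lan-services"},
        {"protocol": "tcp", "dst_port": (22, 22), "connection_state": "new", "action": "drop"},
    ],
    "lan-services": [
        {"protocol": "tcp", "dst_port": (22, 22), "action": "accept"},
        {"protocol": "tcp", "dst_port": (8081, 8081), "action": "accept"},
    ],
}

if __name__ == "__main__":
    print(filter_packet(CHAINS, packet("192.168.0.5", "10.0.0.1", dst_port=22)))   # ('input', 'accept')
    print(filter_packet(CHAINS, packet("203.0.113.9", "10.0.0.1", dst_port=22)))   # ('input', 'drop')
    print(filter_packet(CHAINS, packet("192.168.0.5", "10.0.0.1", dst_port=443)))  # ('input', 'accept')
```

The third call is the case to study: the LAN packet jumps to lan-services, matches nothing there, returns to the input chain, fails the port-22 drop rule and ends up accepted by the default policy. If the intent was to allow the LAN only the listed services, the user chain needs an explicit final drop, or the built-in chain needs one after the jump.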
41. 0   ether1
  3 DC 1.1.1.2/32   r 0.0.0.0   0   wan
[admin@MikroTik] ip route>
The configuration of the Cisco router at the other end (part of the configuration) is:
CISCO#show running-config
Building configuration...
Current configuration:
...
interface Ethernet0
 description connected to EthernetLAN
 ip address 10.1.1.12 255.255.255.0
!
interface Serial0
 description connected to MikroTik
 ip address 1.1.1.2 255.255.255.252
 serial restart-delay 1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
end
CISCO#
Send ping packets to the MikroTik router:
CISCO#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/40 ms
CISCO#
Note: Keep in mind that for the point-to-point link the network mask is set to 32 bits, the argument network is set to the IP address of the other end, and the broadcast address is set to 255.255.255.255.
Cyclades PC300 PCI Adapters
Document revision 1.1 (08.09.2003)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information: Summary, Specifications, Related Documents, Additional Documents
Synchronous Interface Configuration: Description, Property Description
Troubleshooting: Description
RSV/V.35 Synchronous Link Applications: Example
General Information
Summary
Th
42. 10.1.0.1
Connected to 10.1.0.1.
Escape character is '^]'.
MikroTik v2.8beta12
Login: admin
Password:
[MikroTik RouterOS ASCII-art logo]
MikroTik RouterOS 2.8beta12 (c) 1999-2003      http://www.mikrotik.com/
Terminal unknown detected, using single line input mode
[admin@10.1.0.1] >
Log Management
Document revision 2.0 (23 Dec 2003)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary, Specifications, Related Documents, Description
General Settings: Property Description, Example
Log Classification: Property Description, Notes, Example
Log Messages: Property Description, Notes, Example
General Information
Summary
Various system events and status information can be logged. Logs can be saved in a file on the router or sent to a remote server running a syslog daemon. MikroTik provides a shareware Windows Syslog daemon which can be downloaded from www.mikrotik.com.
Specifications
Packages required: system
License required: Any
Home menu level: /system logging, /log
Protocols utilized: Syslog
Hardware usage: Not significant
Related Documents
- Software Package Managemen
43. 11:56:19 invalid-after=sep/16/2004 11:56:19 ca=yes
[admin@MikroTik] certificate> decrypt passphrase=XXXX
keys decrypted: 1
[admin@MikroTik] certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
  0 KR name="cert1" subject=C=LV,ST=,O=,CN=cert.test.mt.lv issuer=C=LV,ST=,O=,CN=third serial-number="01" invalid-before=sep/17/2003 11:56:19 invalid-after=sep/16/2004 11:56:19 ca=yes
[admin@MikroTik] certificate>
Now the certificate may be used by the HotSpot servlet:
[admin@MikroTik] ip service> print
Flags: X - disabled, I - invalid
  #   NAME          PORT   ADDRESS     CERTIFICATE
  0   telnet        23     0.0.0.0/0
  1   ftp           21     0.0.0.0/0
  2   www           8081   0.0.0.0/0
  3   hotspot       80     0.0.0.0/0
  4   ssh           22     0.0.0.0/0
  5   hotspot-ssl   443    0.0.0.0/0
[admin@MikroTik] ip service> set hotspot-ssl certificate=
cert1  none
[admin@MikroTik] ip service> set hotspot-ssl certificate=cert1
[admin@MikroTik] ip service> print
Flags: X - disabled, I - invalid
  #   NAME          PORT   ADDRESS     CERTIFICATE
  0   telnet        23     0.0.0.0/0
  1   ftp           21     0.0.0.0/0
  2   www           8081   0.0.0.0/0
  3   hotspot       80     0.0.0.0/0
  4   ssh           22     0.0.0.0/0
  5   hotspot-ssl   443    0.0.0.0/0   cert1
[admin@MikroTik] ip service>
FTP Server
Document revision 2.0 (23 Dec 2003)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Table o
44. (1Mbps | 2Mbps | 5.5Mbps | 11Mbps; default: 1Mbps,2Mbps,5.5Mbps,11Mbps) - rates to be supported when operating in the IEEE 802.11b standard
basic-rates-b (multiple choice: 1Mbps | 2Mbps | 5.5Mbps | 11Mbps; default: 11Mbps) - basic rates in IEEE 802.11b mode
ack-timeout (integer | dynamic | indoor) - acknowledgment code timeout (transmission acceptance timeout) in microseconds, or one of these:
  - dynamic - ack-timeout is chosen automatically
  - indoor - standard constant
tx-power (integer | default; default: default) - transmit power in dB
  - default - default value of the card
default-authentication (yes | no; default: yes) - whether to enable authentication by default
default-forwarding (yes | no; default: yes) - whether to use forwarding by default
master-device (name) - physical wireless interface that will be used by the Virtual Access Point (VAP) interface
noise-floor-threshold (integer: -128..127 | default; default: default) - value in dBm below which we say that it is rather noise than a normal signal
server-certificate - not implemented yet
wds-default-bridge (name; default: none) - you can set the default bridge for WDS interfaces here. You can also do it under the /interface bridge port submenu
wds-mode (disabled | dynamic | static) - WDS mode
  - disabled - WDS interfaces are disabled
  - dynamic - WDS interfaces are created on the fly
  - static - WDS interfaces are created manually
802.1x-enable (PEAP-MSCHAPV2 | none; default: no) - to
45. 2-Way
state-changes: 0
ls-retransmits: 0
ls-requests: 0
db-summaries: 0
dr-id: 0.0.0.0
backup-dr-id: 0.0.0.0
[admin@MikroTik] routing ospf>
General Information
Certificate Management
Document revision 2.3 (08 Jan 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary, Specifications, Description
Certificates: Description, Property Description, Command Description, Notes, Example
General Information
Summary
SSL (Secure Socket Layer) is a security technology to ensure encrypted transactions over a public network. To protect the data, an encryption key should be negotiated. The SSL protocol uses certificates to negotiate a key for data encryption.
Specifications
Packages required: system
License required: Any
Home menu level: /certificate
Protocols utilized: SSLv2, SSLv3, TLS
Hardware usage: high CPU usage
Description
SSL technology was first introduced by Netscape to ensure secure transactions between browsers and web servers. When a browser requests a secure web page (usually on TCP port 443), the web server first sends a certificate, which contains a public key, so that the encryption key negotiation can take place. After the encryption key is negotiated, the web server will send the requested page to the browser encrypted using this key, and the browser will also be able to submit its data securely to the server. SSL Certificate confirm
46. AP simultaneously
mtu (integer: 68..1600; default: 1500) - Maximum Transmission Unit
name (name; default: wlanN) - interface name
ssid (text; default: MikroTik) - the service set identifier
WDS Interface Configuration
Home menu level: /interface wireless wds
Description
WDS (Wireless Distribution System) allows packets to pass from one wireless AP (Access Point) to another, just as if the APs were ports on a wired Ethernet switch. APs must have equal Service Set Identifiers (ssid) in order to connect to each other.
There are two possibilities to create a WDS interface:
- dynamic - is created on the fly and appears under the wds menu as a dynamic interface
- static - is created manually
Property Description
name (name; default: wdsN) - WDS interface name
mtu (integer: 0..65336; default: 1500) - Maximum Transmission Unit
mac-address (MAC address; default: 00:00:00:00:00:00) - MAC address of the master interface. When the master interface is specified, this value will be set automatically
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol
  - disabled - the interface will not use ARP
  - enabled - the interface will use ARP
  - proxy-arp - the interface will use the ARP proxy feature
  - reply-only - the interface will only reply to requests originated to its own IP addresses. Neighbour MAC addresses will be resolved using the statically set /ip arp table only
disable-running-check
47. C - connect, S - static, R - rip, O - ospf, B - bgp
  #    DST-ADDRESS       G GATEWAY         DISTANCE   INTERFACE
  0 S  0.0.0.0/0         r 1.1.1.2         1          wan
  1 DC 10.0.0.0/24       r 10.0.0.254      0          ether2
  2 DC 192.168.0.0/24    r 192.168.0.254   0          ether1
  3 DC 1.1.1.2/32        r 0.0.0.0         0          wan
[admin@MikroTik] ip route>
The configuration of the MikroTik router at the other end is similar:
[admin@MikroTik] ip address> add address=1.1.1.2/32 interface=moxa network=1.1.1.1 broadcast=255.255.255.255
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS        NETWORK    BROADCAST         INTERFACE
  0   10.1.1.12/24   10.1.1.0   10.1.1.255        Public
  1   1.1.1.2/32     1.1.1.1    255.255.255.255   moxa
[admin@MikroTik] ip address> /ping 1.1.1.1
1.1.1.1 64 byte pong: ttl=255 time=31 ms
1.1.1.1 64 byte pong: ttl=255 time=26 ms
1.1.1.1 64 byte pong: ttl=255 time=26 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 26/27.6/31 ms
[admin@MikroTik] ip address>
MikroTik Router to Cisco Router
Let us consider the following network setup with a MikroTik router connected to a leased line with baseband modems and a CISCO router at the other end:
[Figure: Cisco router (interface Ethernet0 address 10.1.1.12/24, interface Serial0 address 1.1.1.2/32) towards the Internet, connected over a V.35 leased line through baseband modems to the MikroTik router (interface wan address 1.1.1.1/32, interface ether2 address 10.0.0.254/24, interface ethe
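The point-to-point /32 form used above and under items 39 and 41 (mask 32 bits, network set to the other end, broadcast 255.255.255.255) only works because RouterOS derives a connected route to the far end from the address entry, and a static gateway is usable only if some connected route covers it; that is what the gateway-state column in the route print reports. The following is an added example, not RouterOS code or anything from the manual: it derives the connected routes from a list of /ip address entries (as dicts with address, interface and optional network), then resolves static routes against them. The second router's addresses from the example above are reused; the unreachable gateway 1.1.1.5 and the exact dict layout are constructed for this example.

```python
"""Added example (not RouterOS code): derive connected routes from address
entries and check that static gateways are reachable through one of them."""
import ipaddress

ALL_ONES = ipaddress.ip_address("255.255.255.255")


def connected_route(entry):
    """Return the connected (DC) route one address entry produces.
    entry: {"address": "a.b.c.d/len", "interface": name, optional "network": "x.y.z.w"}."""
    iface = ipaddress.ip_interface(entry["address"])
    if iface.network.prefixlen == 32:
        # Point-to-point form: the far end is given as network=, so the route
        # is a host route to it and the broadcast address is all ones.
        if "network" not in entry:
            raise ValueError("%s: a /32 address needs network= set to the other end of the link"
                             % entry["address"])
        dst = ipaddress.ip_network(entry["network"] + "/32")
        broadcast = ALL_ONES
    else:
        dst = iface.network
        broadcast = iface.network.broadcast_address
        if "network" in entry and ipaddress.ip_address(entry["network"]) != dst.network_address:
            raise ValueError("%s: network %s does not match prefix %s"
                             % (entry["address"], entry["network"], dst))
    return {"type": "DC", "dst": dst, "gateway": None, "interface": entry["interface"],
            "preferred_source": iface.ip, "broadcast": broadcast, "state": "reachable"}


def resolve_static(connected, route):
    """A static route is usable only if its gateway lies inside a connected
    route; the packets then leave through that route's interface."""
    gateway = ipaddress.ip_address(route["gateway"])
    dst = ipaddress.ip_network(route["dst"])
    for c in connected:
        if gateway in c["dst"]:
            return {"type": "S", "dst": dst, "gateway": gateway, "interface": c["interface"],
                    "state": "reachable", "distance": 1}
    return {"type": "S", "dst": dst, "gateway": gateway, "interface": None,
            "state": "unreachable", "distance": 1}


def routing_table(addresses, static_routes):
    """Connected routes first, then the static routes with their gateway state."""
    connected = [connected_route(a) for a in addresses]
    return connected + [resolve_static(connected, r) for r in static_routes]


if __name__ == "__main__":
    addresses = [
        {"address": "10.1.1.12/24", "interface": "Public"},
        {"address": "1.1.1.2/32", "network": "1.1.1.1", "interface": "moxa"},
    ]
    statics = [
        {"dst": "0.0.0.0/0", "gateway": "1.1.1.1"},       # the other end of the p2p link
        {"dst": "192.168.5.0/24", "gateway": "1.1.1.5"},  # constructed: nothing connected covers it
    ]
    for r in routing_table(addresses, statics):
        print(r["type"], r["dst"], r["gateway"], r["interface"], r["state"])
```

A /32 entry without network= is rejected outright rather than silently producing a route to the address itself, which is the usual cause of a default route showing gateway-state=unreachable on a serial link.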
48. Contents
Table of Contents
Summary, Specifications
BIOS Upgrading: Description, Property Description, Command Description, Example
BIOS Configuration: Description, Property Description, Example
System Health Monitoring: Description, Property Description, Notes, Example
Hardware Watchdog Management: Description, Property Description, Example
LED Management: Description, Property Description, Notes, Example
Console Reset Jumper: Description
General Information
Summary
- BIOS upgrading
- BIOS configuration
- Health monitoring
- Hardware watchdog management
- LED control (may be used in scripting)
- Console reset jumper
Specifications
Packages required: routerboard
Home menu level: /system routerboard
Hardware usage: works only on the RouterBOARD platform
BIOS Upgrading
Home menu level: /system routerboard
Description
The BIOS is needed to recognize all the hardware and boot the system up. Newer BIOS versions might have support for more hardware, so it is generally a good idea to upgrade the BIOS once a newer version is available. The newest version of the BIOS firmware is included in the newest routerboard software package. BIOS firmware may also be uploaded to the router's FTP server (the file is called wlb.bios.rom). This way, for example, BIOS firmware may be transferred from one router to another.
- LED1 is on all the time the BIOS is upgrading, and after that too, till reboot
- LED2 is on while a sector is being upda
49. DB9 connectors is as follows: [pin-out table: Router Side / DB9 Side / Setting; values lost in extraction]
Serial Console
Home menu level: /system serial-console
Property Description
enabled (yes | no; default: no) - whether serial console is enabled or not
port (name; default: serial0) - which port the serial terminal should listen to
Example
To enable Serial Console:
[admin@MikroTik] system serial-console> set enabled=yes
[admin@MikroTik] system serial-console> print
    enabled: yes
       port: serial0
[admin@MikroTik] system serial-console>
To check if the port is available or used:
[admin@MikroTik] system serial-console> /port print detail
  0 name="serial0" used-by="Serial Console" baud-rate=9600 data-bits=8 parity=none stop-bits=1 flow-control=none
  1 name="serial1" used-by="" baud-rate=9600 data-bits=8 parity=none stop-bits=1 flow-control=none
[admin@MikroTik] system serial-console>
Using Serial Terminal
Command name: /system serial-terminal
Description
The command is used to communicate with devices and other systems that are connected to the router via a serial port. All keyboard input is forwarded to the serial port and all data from the port is output to the connected device. After exiting with Ctrl-Q the control signals of the port are lowered. The speed and other parameters of the serial port may be configured in the /port directory of the router console. No terminal translation on printed data is performed. It
50. Description; Example; SNMP Communities (Description, Property Description, Example); Available OIDs (Description, Example); Available MIBs (Description); Tools for SNMP Data Collection and Analysis (Description, Example of using MRTG with MikroTik SNMP).
General Information
Summary
SNMP is an application layer protocol. It is called simple because it works that way: the management station makes a request and the managed device (SNMP agent) replies to this request. In SNMPv1 there are three main actions: Get, Set and Trap. RouterOS supports only Get, which means that you can use this implementation only for network monitoring. Hosts receive SNMP generated messages on UDP port 161, except the trap messages, which are received on UDP port 162.
The MikroTik RouterOS supports SNMPv1 only:
- Read-only access is provided to the NMS (network management system)
- User-defined communities are supported
- Get and GetNext actions
- No Set support
- No Trap support
Specifications
Packages required: system, ppp (optional)
Home menu level: /snmp
Protocols utilized: SNMP (RFC 1157)
Hardware usage: Not significant
Related Documents
- Package Management
- IP Addresses and ARP
Additional Documents
http://www.ietf.org/rfc/rfc1157.txt
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm
http://www.david-guerrero.com/papers/snmp/
SNMP Setup
Home menu level: /snmp
Description
This section shows you how
51. For more information see the Related Documents section.
- PPP client profiles must match at least partially: local-address and values related to encryption should match with the corresponding remote server values.
Example
You can add a PPP client using the add command:
[admin@MikroTik] interface ppp-client> add name=test user=test port=serial1 \
\... add-default-route=yes
[admin@MikroTik] interface ppp-client> print
Flags: X - disabled, R - running
  0 X name="test" mtu=1500 mru=1500 port=serial1 user="test" password=""
      profile=default phone="" tone-dial=yes modem-init="" null-modem=no
      dial-on-demand=no add-default-route=yes use-peer-dns=no
[admin@MikroTik] interface ppp-client> enable 0
[admin@MikroTik] interface ppp-client> monitor test
[admin@MikroTik] interface ppp-client> monitor 0
    status: "dialing out"
[admin@MikroTik] interface ppp-client>
PPP Application Example
Client-Server Setup
In this example we will consider the following network setup:
[Network diagram: R1 (server, 3.3.3.1) and R2 (client, 3.3.3.2) connected over the phone network; phone 132, login test, password test]
For a typical server setup we need to add one user to R1 and configure the PPP server:
[admin@MikroTik] ppp secret> add name=test password=test local-address=3.3.3.1 remote-address=3.3.3.2
[admin@MikroTik] ppp secret> print
Flags: X - disabled
  0 name="test" service=any ca
52. Host Monitoring Protocol
- xns-idp - Xerox NS IDP
- rdp - Reliable Datagram Protocol
- iso-tp4 - ISO Transport Protocol class 4
- xtp - Xpress Transfer Protocol
- ddp - Datagram Delivery Protocol
- idpr-cmtp - IDPR Control Message Transport
- gre - General Routing Encapsulation
- esp - IPsec ESP protocol
- ah - IPsec AH protocol
- rspf - Radio Shortest Path First
- vmtp - Versatile Message Transport Protocol
- ospf - Open Shortest Path First
- ipip - IP encapsulation
- encap - IP encapsulation
protocol (read-only: ip | arp | rarp | ipx | ipv6) - the name/number of the ethernet protocol:
- ip - Internet Protocol
- arp - Address Resolution Protocol
- rarp - Reverse Address Resolution Protocol
- ipx - Internet Packet eXchange protocol
- ipv6 - Internet Protocol next generation
size (read-only: integer) - size of the packet
src-address (IP address) - source address
time (read-only: time) - time when the packet arrived
tos (read-only: integer) - IP Type Of Service
ttl (read-only: integer) - IP Time To Live
Example
In the example below it is seen how to get the list of sniffed packets:
[admin@MikroTik] tool sniffer packet> print
  # TIME  INTERFACE SRC-ADDRESS           DST-ADDRESS           IP-PROTOCOL SIZE
  0 0     ether1    10.0.0.241:1839       10.0.0.181:23 (telnet) tcp         46
  1 0.12  ether1    10.0.0.241:1839       10.0.0.181:23 (telnet) tcp         40
  2 0.12  ether1    10.0.0.181:23 (telnet) 10.0.0.241:1839      tcp
53. HotSpot Step by Step User Guide for enabled-address Method (Description, Example, Optional Settings)
General Information
Summary
The MikroTik HotSpot Gateway enables providing of public network access for clients using wireless or wired network connections. HotSpot Gateway features:
- authentication of clients using a local client database or a RADIUS server
- accounting using a local database or a RADIUS server
- Walled garden system (accessing some web pages without authorization)
HotSpot Gateway can provide access for authorized clients using two different methods:
- dhcp-pool method uses the DHCP server to assign temporary (not valid in outer networks) IP addresses to clients prior to authentication. After successful authentication the DHCP server assigns an IP address to the client from a different IP pool. This method may be used to assign a fixed IP address to each user, i.e. no matter which computer the user uses, he/she will always get the same IP address.
- enabled-address method enables traffic for authorized clients without the need of an IP address change.
- traffic and connection time accounting
- clients can be limited by:
  - download/upload speed (tx/rx bitrate)
  - connection time
  - downloaded/uploaded traffic (bytes)
The Universal Client feature may be used with the HotSpot enabled-address method to provide IP network services regardless of the client computers' IP network settings.
Specifications
Packages required: hotspot, dhcp (option
54. MTU of the interface the tunnel is working over decreased by 40 (so, for a 1500-byte ethernet link, set the MTU to 1460 to avoid fragmentation of packets)
mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MRU of the interface the tunnel is working over decreased by 40 (so, for a 1500-byte ethernet link, set the MRU to 1460 to avoid fragmentation of packets)
authentication (multiple choice: pap | chap | mschap1 | mschap2; default: mschap2) - authentication algorithm
default-profile (default: default) - profile to use
Example
To enable PPTP server:
[admin@MikroTik] interface pptp-server server> set enabled=yes
[admin@MikroTik] interface pptp-server server> print
            enabled: yes
                mtu: 1460
                mru: 1460
     authentication: mschap2
    default-profile: default
[admin@MikroTik] interface pptp-server server>
PPTP Server Users
Home menu level: /interface pptp-server
Description
There are two types of items in PPTP server configuration: static users and dynamic connections. A dynamic connection can be established if the user database or the default profile has its local-address and remote-address set correctly. When static users are added, the default profile may be left with its default values and only the P2P user (in /ppp secret) should be configured. Note that in both cases P2P users must be configured properly.
Property Description
name (name) - interface name
user (name) - the name of the u
55. [admin@MikroTik] ip hotspot walled-garden> print
Flags: X - disabled
  #   DST-HOST            DST-PORT  PATH          ACTION
  0   www.example.com               paynow.html   allow
[admin@MikroTik] ip hotspot walled-garden>
Notes
- the "\" symbol sequence is used to enter a literal character; the "." pattern means "any symbol" only in regular expressions (a single dot in a pattern means any symbol)
- to show that no symbols are allowed before the given pattern, we use the "^" symbol at the beginning of the pattern
- to specify that no symbols are allowed after the given pattern, we use the "$" symbol at the end of the pattern
Customizing HotSpot Servlet
Description
Servlet Pages
The HotSpot servlet recognizes 5 different request types:
1. request for a remote host
   - if the user is logged in, the requested page is served
   - if the user is not logged in, but the destination host is allowed by the walled garden, then the request is also served
   - if the user is not logged in and the destination host is disallowed by the walled garden, rlogin.html is displayed; if rlogin.html is not found, redirect.html is used to redirect to the login page
2. request for "/" on the HotSpot host
   - if the user is logged in, rstatus.html is displayed; if rstatus.html is not found, redirect.html is used to redirect to the status page
   - if the user is not logged in, rlogin.html is displayed; if rlogin.html is not found, redirect.html is used to redirect to the login page
3. request for the login page
   - if the user has successfully logged in
56. RADIUS access-accept message. For more information on how the interaction with a RADIUS server works, see the respective manual section.
If authentication by HTTP cookie is enabled, then after each successful login a cookie is sent to the web browser and the same cookie is added to the active HTTP cookie list. The next time a user tries to log in, the web browser will send the HTTP cookie. This cookie will be compared to the one stored on the HotSpot gateway, and only if there is the same source MAC address and the same randomly generated ID will the user be automatically logged in. Otherwise, the user will be prompted to log in, and in case authentication was successful, the old cookie will be removed from the local HotSpot active cookie list and a new one with a different random ID and expiration time will be added to the list and sent to the web browser.
Authorization
One of the two login methods is to be used for each client individually; you may choose one or allow it to be done automatically in the user profile configuration. The enabled-address method is the preferred one, so if it is configured correctly and the client has a proper IP address that matches the one set in the user database, this method will be used. If the enabled-address method is not enabled or the client's IP address should be changed, the HotSpot Gateway tries to use the dhcp-pool method. In that case the MikroTik HotSpot Gateway's DHCP server tries to change the DHCP address lease th
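The cookie check described above, modelled in Python as an added illustration (this is not RouterOS code and not part of the manual): the gateway keeps an active-cookie list of (random ID, client MAC, expiry); a cookie presented by a browser logs the client in only when the same ID is stored for the same source MAC and it has not expired; a fresh password login removes the client's old cookie and issues a new random ID. The cookie lifetime, MAC strings and timestamps are constructed sample values.

```python
"""Model of a HotSpot active-cookie list (added illustration, not RouterOS code)."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class ActiveCookie:
    cookie_id: str      # randomly generated ID handed to the browser
    mac: str            # source MAC the cookie was issued to
    expires_at: float   # absolute expiry time (seconds)


@dataclass
class HotspotCookieList:
    # hypothetical lifetime; a real gateway makes this configurable
    ttl: float = 24 * 3600.0
    _active: Dict[str, ActiveCookie] = field(default_factory=dict)

    def issue(self, mac: str, now: Optional[float] = None) -> str:
        """Called after a successful login: drop the cookie previously held by
        this MAC (so the stale ID can never log anyone in again) and return a
        new unpredictable ID with a fresh expiration time."""
        now = time.time() if now is None else now
        for cid, cookie in list(self._active.items()):
            if cookie.mac == mac:
                del self._active[cid]
        cookie_id = secrets.token_hex(16)   # 128-bit random ID
        self._active[cookie_id] = ActiveCookie(cookie_id, mac, now + self.ttl)
        return cookie_id

    def check(self, cookie_id: str, mac: str, now: Optional[float] = None) -> bool:
        """Automatic login succeeds only if the presented ID is in the active
        list, belongs to the same source MAC, and has not expired."""
        now = time.time() if now is None else now
        cookie = self._active.get(cookie_id)
        if cookie is None:
            return False
        if cookie.expires_at <= now:
            del self._active[cookie_id]   # expired entries are purged, never honoured
            return False
        # constant-time comparison of the MAC bound to the cookie
        return secrets.compare_digest(cookie.mac, mac)

    def active_count(self) -> int:
        return len(self._active)
```

Note that a cookie from another MAC, an unknown ID, a superseded ID and an expired ID all fall through to the normal login prompt, which is the behaviour the manual describes.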
57. The Ping Command 314; MAC Ping 314; Dynamic DNS (DDNS) Update Tool 316; General Information 316; Dynamic DNS Update 317; Realtime Traffic Monitor (torch) 318; General Information 318; The Torch Command 318; Bandwidth Test 321; General Information 321; Server Configuration 322; Client Configuration 323; Packet Sniffer 325; General Information 325; Packet Sniffer Configuration 326; Running Packet Sniffer 327; Sniffed Packets 328; Packet Sniffer Protocols 329; [entry unreadable] 331; Packet Sniffer Connections 331; Traceroute 333; General Information 333; The Traceroute Command 334; ICMP Bandwidth Test 335; General Information 335; ICMP Bandwidth Test 335; System Resource Management 337; General Information 337; System Resources 338; [entry unreadable] Monitor 338; IO Port Usage Monitor 339; [entry unreadable] 340; Configuration [unreadable] 340; Router Identity 341; Date and Time 341; Configuration Change History 342; Liquid Crystal Display (LCD) Manual 344; General Information 344; Configuring the LCD S
58. Tool [unreadable] 373; UPS Monitor 374; General Information 374; UPS Monitor [Setup] 375; Runtime Calibration 376; UPS Monitor [unreadable] 377; Network Time Protocol (NTP) 379; General Information 379; [entry unreadable] 380; [entry unreadable] 381; Time Zone 381; RouterBOARD-specific Functions 383; General Information 383; BIOS upgrading 384; BIOS Configuration 385; System Health Monitoring 385; Hardware Watchdog Management 386; LED Management 387; Console Reset Jumper 388; License Management 389; General Information 389; License Management 390; Telnet Server and Client 393; General Information 393; Telnet Server 393; Telnet Client 394; Log Management 395; General Information 395; [entry unreadable] 396; Log Classification 396; Log Messages 397.
Terminal Console
Document revision 2.0.0 (19 Jan 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Table of Contents
59. X - disabled
  #   INTERFACE   BRIDGE
  0   ether       none
  1   adsl        none
  2   eoip-main   none
[admin@Remote] interface bridge> port set 0,2 bridge=bridge1
4. Addresses from the same network can be used both in the Office LAN and in the Remote LAN.
Xpeed SDSL (Single-line Digital Subscriber Line) Interface
Document revision 1.1 (22.09.2003)
This document applies to MikroTik RouterOS V2.8
Table of Contents: General Information (Summary, Specifications, Related Documents, Additional Documents); Xpeed Interface Configuration (Property Description, Example); Frame Relay Configuration Examples (MikroTik Router to MikroTik Router, MikroTik Router to Cisco Router); Troubleshooting (Description).
General Information
Summary
The MikroTik RouterOS supports the Xpeed 300 SDSL PCI Adapter hardware with speeds up to 2.32Mbps. This device can operate using either a Frame Relay or a PPP type of connection. SDSL (Single-line Digital Subscriber Line, or Symmetric Digital Subscriber Line) stands for the type of DSL that uses only one of the two cable pairs for transmission. SDSL allows residential or small office users to share the same telephone line for data transmission and voice or fax telephony.
Specifications
Packages required: synchronous
Home menu level: /interface xpeed
Protocols utilized: PPP (RFC 1661), Frame Relay (RFC 1490)
Hardware usage: Not significant
Related Documents
Software Package Mana
60. X - disabled, I - invalid, D - dynamic
  0 src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:0-65535 protocol=all tcp-options=any icmp-options=any:any flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=passthrough mark-flow=myflow tcp-mss=dont-change mark-connection=""
  1 src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:0-65535 protocol=tcp tcp-options=syn-only icmp-options=any:any flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=passthrough mark-flow="" tcp-mss=1448 mark-connection=""
[admin@test_1] ip firewall mangle>
Firewall Filters
Document revision 1.3 (15.09.2003)
This document applies to MikroTik RouterOS V2.8
Table of Contents: General Information (Summary, Related Documents, Description, Packet Flow Description); Firewall Rules (Description, Property Description, Notes, Example); Firewall Chains (Description, Notes, Example).
General Information
Summary
The firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through the router. Along with the Network Address Translation it serves as a tool for preventing unauthorized access to directly attached networks and the router itself, as well as a filter for outgoing traffic.
Specification
61. XX:XX:XX), change the Login button link in login.html to https://www.server.serv/register.html?mac=$(mac); you should correct the link to point to your server.
- To show a banner after user login, in alogin.html after the line "if ($(popups) == 'true') newWindow..." add the following line: open("http://your.web.server/your-banner-page.html", "my_banner_name"); you should correct the link to point to the page you want to show.
- To choose a different page shown after login, in login.html change <input type="hidden" name="dst" value="$(link-orig)"> to this line: <input type="hidden" name="dst" value="http://your.web.server/">; you should correct the link to point to your server.
Possible Error Messages
Description
There are two kinds of errors: fatal and non-fatal. Fatal errors are shown on a separate HTML page called error.html. Non-fatal errors basically indicate incorrect user actions and are shown on the login form.
- General non-fatal errors
- General fatal errors
- Local HotSpot user database non-fatal errors
- RADIUS client non-fatal errors
- RADIUS client fatal errors
Question & Answer Based Setup
Command name: /ip hotspot setup
Command Description
hotspot interface (name) - interface to run HotSpot on
interface already configured (yes | no; default: no) - whether to add hotspot authentication for the existing interface setup, or otherwise the interface setup should be c
62. a baseband modem to the V.35 port and turn it on. The MikroTik driver for the Cyclades Synchronous PCI Adapter allows you to unplug the V.35 cable from one modem and plug it into another modem with a different clock speed, and you do not need to restart the interface or router.
Property Description
name (name; default: cycladesN) - interface name
mtu (integer; default: 1500) - Maximum Transmission Unit
line-protocol (cisco-hdlc | frame-relay | sync-ppp; default: sync-ppp) - line protocol
media-type (E1 | T1 | V24 | V35 | X21; default: V35) - the hardware media used for this interface
clock-rate (integer; default: 64000) - internal clock rate in bps
clock-source (internal | external | tx-internal; default: external) - source clock
line-code (AMI | B8ZS | HDB3 | NRZ; default: B8ZS) - for T1/E1 channels only. Line modulation method:
- AMI - Alternate Mark Inversion
- B8ZS - Binary 8 Zero Substitution
- HDB3 - High Density Bipolar 3 Code (ITU-T)
- NRZ - Non-Return To Zero
framing-mode (CRC4 | D4 | ESF | Non-CRC4 | Unframed; default: ESF) - for T1/E1 channels only. The frame mode:
- CRC4 - Cyclic Redundancy Check 4-bit (E1 Signaling, Europe)
- D4 - Fourth Generation Channel Bank (48 Voice Channels on 2 T-1s or 1 T-1c)
- ESF - Extended Superframe Format
- Non-CRC4 - plain Cyclic Redundancy Check
- Unframed - do not check frame integrity
line-build-out (0dB | 7.5dB | 15dB | 22.5dB; default: 0dB) - for T1 channels only. Line Buil
63. address-pool=hs-pool (the real DHCP server network):
/ip dhcp-server network add address=10.5.50.0/24 gateway=10.5.50.1 dns-server=159.148.60.2,159.148.108.1 domain=example.com
Add a local hotspot user:
/ip hotspot user add name=Ex password=Ex
10. Set up the hotspot service to run on port 80 (the www service has to be assigned another port, e.g. 8081):
/ip service set www port=8081
/ip service set hotspot port=80
Note: Changing the www service to a port other than 80 requires that you specify the new port when connecting to the MikroTik router using WinBox, e.g. use 10.5.50.1:8081 in this case.
11. Redirect all TCP requests from temporary IP addresses to the hotspot service:
/ip firewall dst-nat add src-address=192.168.0.0/24 dst-port=443 protocol=tcp action=redirect to-dst-port=443 comment="redirect unauthorized hotspot clients to hotspot service"
/ip firewall dst-nat add src-address=192.168.0.0/24 protocol=tcp action=redirect to-dst-port=80 comment="redirect unauthorized hotspot clients to hotspot service"
12. Allow DNS requests and ICMP ping from temporary addresses and reject everything else:
[The rule listing for this step is unreadable in the extraction; recoverable fragments: /ip firewall add name=hotspot-temp comment="limit unauthorized hotspot clients"; several /ip firewall rule entries with jump-target=hotspot-temp; /ip firewall rule forward add sr
64. are like user groups: they group users with the same limits.
Property Description
name (name) - profile reference name
session-timeout (time; default: 0s) - session timeout (maximal session time) for the client; 0 - no timeout
idle-timeout (time; default: 0s) - idle timeout (maximal period of inactivity) for the client; 0 - no timeout
shared-users (integer; default: 1) - maximal number of simultaneously logged-in users with the same username
tx-bit-rate (integer; default: 0) - transmit bitrate for users (it is the download bitrate); 0 - no limitation
rx-bit-rate (integer; default: 0) - receive bitrate for users (it is the upload bitrate); 0 - no limitation
incoming-filter (name) - name of the firewall chain applied to incoming packets
outgoing-filter (name) - name of the firewall chain applied to outgoing packets
mark-flow (name) - traffic from authorized users will be marked by firewall mangle with this flow name
login-method - the login method the user will be using:
- dhcp-pool - login by changing the IP address via the DHCP server
- enabled-address - login by enabling access for the client's existing IP address
- smart - choose the best login method for each case
keepalive-timeout (time; default: 2m) - keepalive timeout for the client; 0 - no timeout
Notes
To use the enabled-address method, mark-flow should be set. To use the dhcp-pool method, the dhcp software package must be installed. idle-timeout is used to detect that the client is not
65. argument value is not taken into account, and it does not need to be specified, since the router's local address is used
- nat - perform Network Address Translation. The to-src-address should be specified (not required with action=masquerade)
out-interface (name; default: all) - interface the packet is leaving the router from; all may include the local loopback interface for packets with destination to the router
to-src-address (IP address; default: 0.0.0.0) - source address to replace the original source address with
to-src-port (integer: 0..65535) - source port to replace the original source port with
Notes
The source NAT can masquerade several private networks and use an individual to-src-address for each of them.
Example
To use masquerading, a source NAT rule with action=masquerade should be added to the src-nat rule set:
[admin@test_1] ip firewall src-nat> add src-address=192.168.0.0/24 out-interface=wlan1 action=masquerade
[admin@test_1] ip firewall src-nat> print
Flags: X - disabled, I - invalid, D - dynamic
  0 src-address=192.168.0.0/24:0-65535 dst-address=0.0.0.0/0:0-65535 out-interface=wlan1 protocol=all icmp-options=any:any flow="" connection="" content="" limit-count=0 limit-burst=0 limit-time=0s action=masquerade to-src-address=0.0.0.0 to-src-port=0-65535
[admin@test_1] ip firewall src-nat>
If the packet matches the masquerade rule, then the router opens a connection to the destination and sends out a modifi
66. bit-rate=0 incoming-filter="" outgoing-filter=""
[admin@MikroTik] ppp profile> set default idle-timeout=30s
If you would like to remain connected all the time (i.e. as a leased line), then set the idle-timeout to 0s. All that remains is to enable the interface:
[admin@MikroTik] interface set isdn-isp disabled=no
You can monitor the connection status with the following command:
[admin@MikroTik] interface isdn-client monitor isdn-isp
ISDN Dial-in
Dial-in ISDN connections allow remote clients to connect to your router via ISDN. Let us assume you would like to configure a router for accepting incoming ISDN calls from remote clients. You have an Ethernet card connected to the LAN and an ISDN card connected to the ISDN line. First you should load the corresponding ISDN card driver. Supposing you have an ISDN card with an HFC chip:
[admin@MikroTik] driver add name=hfc
Now additional channels should appear. Assuming you have only one ISDN card driver loaded, you should get the following:
[admin@MikroTik] isdn-channels> print
Flags: X - disabled, E - exclusive
  #   NAME       CHANNEL  DIR  TYPE  PHONE
  0   channel1   0
  1   channel2   1
[admin@MikroTik] isdn-channels>
Add an incoming ISDN interface and configure it in the following way:
[admin@MikroTik] interface isdn-server> add msn=7542159 authentication=chap,pap bundle-128K=no
[admin@MikroTik] interface
67. bits-per-second: 2.43kbps 198bps
-- [Q quit|D dump|C-z pause]
FarSync X.21 Interface
Document revision 1.1 (09.09.2003)
This document applies to MikroTik RouterOS V2.8
Table of Contents: General Information (Summary, Specifications, Related Documents, Additional Documents); Synchronous Interface Configuration (Description, Property Description, Example); Troubleshooting (Description); Synchronous Link Applications (MikroTik router to MikroTik router, MikroTik router to MikroTik router P2P using X.21 line, MikroTik router to Cisco router using X.21 line, MikroTik router to MikroTik router using Frame Relay).
General Information
Summary
The MikroTik RouterOS supports FarSync T-Series X.21 synchronous adapter hardware. These cards provide versatile high-performance connectivity to the Internet or to corporate networks over leased lines.
Specifications
Packages required: synchronous
Home menu level: /interface farsync
Protocols utilized: X.21, Frame Relay, PPP
Hardware usage: Not significant
Related Documents
- Software Package Management
- Device Driver Management
- IP Addresses and ARP
- Log Management
Additional Documents
http://www.farsite.co.uk
Synchronous Interface Configuration
Home menu level: /interface farsync
Description
You can change the interface name to a more descriptive one using the set command. To enable the interface, use the en
68. clients (no DHCP relay allowed)
- 255.255.255.255 - the DHCP server should be used for any incoming request from a DHCP relay, except for those which are processed by other DHCP servers that exist in the /ip dhcp-server submenu
Notes
If using both Universal Client and DHCP Server on the same interface, a client will only receive a DHCP lease in case it is directly reachable by its MAC address through that interface (some wireless bridges may change the client's MAC address).
If the authoritative property is set to yes, the DHCP server sends rejects for the leases it cannot bind or renew. It also may (although not always) help to prevent the users of the network from illicitly running their own DHCP servers, disturbing the proper way this network should be functioning.
If the relay property of a DHCP server is not set to 0.0.0.0, the DHCP server will not respond to direct requests from clients.
Example
To add a DHCP server to the ether1 interface, lending IP addresses from the dhcp-clients IP pool for 2 hours:
[admin@MikroTik] ip dhcp-server> add name=dhcp-office address-pool=dhcp-clients interface=ether1 lease-time=2h
[admin@MikroTik] ip dhcp-server> enable dhcp-office
[admin@MikroTik] ip dhcp-server> print
Flags: X - disabled, I - invalid
  #   NAME          INTERFACE  RELAY  ADDRESS-POOL  LEASE-TIME  ADD-ARP
  0   dhcp-office   ether1            dhcp-clients  2h          no
[admin@MikroTik] ip dhcp-serv
69. commands that operate with items in this list (applicable only to lists of items). The action is performed with all items in this list in the same order in which they are given.
- forces the print command to use tabular output form
- specifies what parameters to include in the printout
- forces the print command to use property=value output form
set - allows you to change values of general parameters or item parameters. The set command has arguments with names corresponding to values you can change. Use "?" or double Tab to see the list of all arguments. If there is a list of items in this command level, then set has one action argument that accepts the number of the item (or a list of numbers) you wish to set up. This command does not return anything.
add - this command usually has all the same arguments as set, except the action number argument. It adds a new item with the values you have specified, usually to the end of the list (in places where order is relevant). There are some values that you have to supply (like the interface for a new route); other values are set to defaults unless you explicitly specify them.
- copies an existing item. It takes the default values of the new item's properties from another item. If you do not want to make an exact copy, you can specify new values for some properties. When copying items that have names, you will usually have to give a new name to the copy.
- the add command returns the internal number of the item it has added
- places a new item before an existing
70. (default: 1) - specifies the default cost used for stub areas. Applicable only to area boundary routers
stub (yes | no; default: no) - specifies the area type
authentication (none | simple | md5; default: none) - specifies the authentication method for OSPF protocol messages:
- none - do not use authentication
- simple - plain text authentication
- md5 - Keyed Message Digest 5 authentication
Example
To define an additional OSPF area named local_10 with area-id 0.0.10.5, do the following:
[admin@WiFi] routing ospf area> add area-id=0.0.10.5 name=local_10
[admin@WiFi] routing ospf area> print
Flags: X - disabled, I - invalid
  #   NAME        AREA-ID       STUB  DEFAULT-COST  AUTHENTICATION
  0   backbone    0.0.0.0                           none
  1   local_10    0.0.10.5      no    1             none
[admin@WiFi] routing ospf area>
Networks
Home menu level: /routing ospf network
Description
To start the OSPF protocol, you have to define the networks on which it will run and the area ID for each of those networks.
Property Description
area (name; default: backbone) - the OSPF area to be associated with the specified address range
network (IP address/mask; default: 20) - the network associated with the area. The network argument allows defining one or multiple interfaces to be associated with a specific OSPF area. Only directly connected networks of the router may be specified.
Notes
You should set the network address exactly the same as the remote point IP add
71. default policy actions include ... Usually packets should be matched against several criteria. More general filtering rules can be grouped together in a separate chain. To process the rules of additional chains, the jump action should be used with destination to this chain from a rule within another chain.
The policy of user-added chains is none and it cannot be changed. Chains cannot be removed if they contain rules (are not empty).
Notes
Because the NAT rules are applied first, it is important to hold this in mind when setting up firewall rules, since the original packets might already be modified by the NAT.
The packets passing through the router are not processed against the rules of either the input or the output chain.
Be careful about changing the default policy action of the input and output chains. You may lose the connection to the router if you change the policy to drop and there are no additional rules that allow connection to the router.
Example
[admin@MikroTik] ip firewall> print
  #   NAME       POLICY
  0   input      accept
  1   forward    accept
  2   output     accept
[admin@MikroTik] ip firewall> add name=router
[admin@MikroTik] ip firewall> print
  #   NAME       POLICY
  0   input      accept
  1   forward    accept
  2   output     accept
  3   router     none
[admin@MikroTik] ip firewall>
Peer-to-Peer Traffic Control
Document revision 0.1 (09.02.2004)
This document applies to MikroTik RouterOS V2.8
Table of Co
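The chain semantics in the passage above (built-in chains with a default policy, user chains with policy none reached only by jump, and the lock-out that follows from a drop policy on input with no allow rule) modelled as a small rule evaluator. This is an added Python illustration, not RouterOS code; the packet fields, chain names other than input/forward/output, and the sample admin network are constructed for the example.

```python
"""Toy evaluator for firewall chains with default policies (added illustration)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: int = 0


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    action: str                      # accept | drop | passthrough | jump | return
    jump_target: Optional[str] = None


@dataclass
class Chain:
    name: str
    policy: str                      # accept/drop for built-in chains, "none" for user chains
    rules: List[Rule] = field(default_factory=list)


class Firewall:
    def __init__(self) -> None:
        self.chains: Dict[str, Chain] = {n: Chain(n, "accept") for n in ("input", "forward", "output")}

    def add_chain(self, name: str) -> None:
        self.chains[name] = Chain(name, "none")   # user chains never get a real policy

    def set_policy(self, chain: str, policy: str) -> None:
        if self.chains[chain].policy == "none":
            raise ValueError("policy of a user-added chain cannot be changed")
        self.chains[chain].policy = policy

    def add_rule(self, chain: str, rule: Rule) -> None:
        self.chains[chain].rules.append(rule)

    def _walk(self, chain: Chain, pkt: Packet, depth: int = 0) -> Optional[str]:
        """Return a terminal verdict, or None when the chain ran out of matching rules."""
        if depth > 16:
            raise RecursionError("jump loop")
        for r in chain.rules:
            if not r.match(pkt):
                continue
            if r.action in ("accept", "drop"):
                return r.action
            if r.action == "jump":
                verdict = self._walk(self.chains[r.jump_target], pkt, depth + 1)
                if verdict is not None:
                    return verdict           # decided inside the jumped-to chain
                # otherwise the user chain fell through: continue in the caller
            elif r.action == "return":
                return None
            # passthrough: keep evaluating the next rule

    def verdict(self, entry_chain: str, pkt: Packet) -> str:
        chain = self.chains[entry_chain]
        v = self._walk(chain, pkt)
        return v if v is not None else chain.policy   # default policy applies last


def lockout_demo() -> Dict[str, str]:
    """Show the note from the manual: drop policy on input without an allow rule
    blocks the administrator; an explicit accept for the admin LAN restores access."""
    admin_telnet = Packet("10.0.0.5", "10.0.0.254", "tcp", 23)   # constructed sample
    results: Dict[str, str] = {}
    fw = Firewall()
    results["default"] = fw.verdict("input", admin_telnet)
    fw.set_policy("input", "drop")
    results["drop_no_rules"] = fw.verdict("input", admin_telnet)
    fw.add_chain("router")                                      # policy none, as on the page
    fw.add_rule("input", Rule(lambda p: p.proto == "tcp", "jump", "router"))
    fw.add_rule("router", Rule(lambda p: p.src.startswith("10.0.0."), "accept"))
    results["drop_with_allow"] = fw.verdict("input", admin_telnet)
    results["outsider"] = fw.verdict("input", Packet("1.2.3.4", "10.0.0.254", "tcp", 23))
    return results
```

A packet that matches nothing in a user chain returns to the calling chain rather than being dropped, which is why the jump rule alone is harmless and the final decision always comes from the built-in chain's policy.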
72. do the same:
[admin@Client] interface wireless security> set 0 security=required algo-1=40bit-wep key-1=0123456789 transmit-key=key-1
[admin@AP] interface wireless security> print
  0 name="prism1" security=required algo-0=none key-0="" algo-1=40bit-wep key-1="0123456789" algo-2=none key-2="" algo-3=none key-3="" transmit-key=key-1 sta-private-algo=none sta-private-key="" radius-mac-authentication=no
[admin@Client] interface wireless security>
Finally, test the link:
[admin@Client] interface wireless security> ping 192.168.1.1
192.168.1.1 64 byte ping: ttl=64 time=22 ms
192.168.1.1 64 byte ping: ttl=64 time=16 ms
192.168.1.1 64 byte ping: ttl=64 time=15 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 15/17.6/22 ms
[admin@Client] interface wireless security>
Ethernet over IP (EoIP) Tunnel Interface
Document revision 1.2 (23.01.2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents: General Information (Summary, Specifications, Related Documents, Description); EoIP Setup (Property Description, Notes, Example); EoIP Application Example (Description, Example).
General Information
Summary
Ethernet over IP (EoIP) Tunneling is a MikroTik RouterOS protocol that creates an Ethernet tunnel between two routers on top of an IP connection. The EoIP interfa
73. - MikroTik RouterOS PPPoE client to any PPPoE server (access concentrator)
- MikroTik RouterOS server (access concentrator) to multiple PPPoE clients (clients are available for almost all operating systems and some routers)

Specifications

Packages required: ppp 3 92
Home menu level: /interface pppoe-server, /interface pppoe-client
Protocols utilized: PPPoE (RFC 2516)
Hardware usage: PPPoE server may require additional RAM (uses approx. 200kB for each connection) and CPU power. Supports a maximum of 10000 connections.

Related Documents: Software Package Management; IP Addresses and ARP; Log Management

Additional Documents

Links for PPPoE documentation:
http://www.ietf.org/rfc/rfc2516.txt
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120dc/120dc3/pppoe hi
http://www.carricksolutions.com/

PPPoE Clients

- RASPPPoE for Windows 95, 98, 98SE, ME, NT4, 2000, XP, .NET: http://user.cs.tu-berlin.de/normanb/

PPPoE Client Setup

Home menu level: /interface pppoe-client

Description

The PPPoE client supports high-speed connections. It is fully compatible with the MikroTik PPPoE server (access concentrator).

Note for Windows: some connection instructions may use the form where the phone number is MikroTik_AC\mt1, to indicate that MikroTik_AC is the access concentrator name and mt1 is the service name.

Property Description

name (name; default: pppoe-o
74. ether1 interface and IP address 10.0.0.132/24 on the ether2 interface is invalid, because both addresses belong to the same network 10.0.0.0/24. Use addresses from different networks on different interfaces, or enable proxy-arp on ether1 or ether2.

Example

    [admin@MikroTik] ip address> add address=10.10.10.1/24 interface=ether2
    [admin@MikroTik] ip address> print
    Flags: X - disabled, I - invalid, D - dynamic
      #   ADDRESS            NETWORK         BROADCAST       INTERFACE
      0   2.2.2.1/24         2.2.2.0         2.2.2.255       ether2
      1   10.5.7.244/24      10.5.7.0        10.5.7.255      ether1
      2   10.10.10.1/24      10.10.10.0      10.10.10.255    ether2
    [admin@MikroTik] ip address>

Address Resolution Protocol

Home menu level: /ip arp

Description

Even though IP packets are addressed using IP addresses, hardware addresses must be used to actually transport data from one host to another. Address Resolution Protocol is used to map OSI level 3 IP addresses to OSI level 2 MAC addresses. A router has a table of currently used ARP entries. Normally the table is built dynamically, but to increase network security it can be built statically by means of adding static entries.

Property Description

address (IP address) - IP address to be mapped
interface (name) - interface name the IP address is assigned to
mac-address (MAC address; default: 00:00:00:00:00:00) - MAC address to be mapped to

Notes

The maximal number of ARP entries is 1024.

If the arp feature is turned off o
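The description above says a static ARP table "increases network security" without saying what that buys you. This added Python example (not the manual's code) makes the point concrete: it validates a set of static entries against the page's own constraints (a usable MAC, the 00:00:00:00:00:00 default meaning "unset", at most 1024 entries, one entry per address and interface) and then checks captured ARP replies against that table, flagging any host that answers for an address pinned to a different MAC. The entries and replies are constructed sample data, and the function names are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_ARP_ENTRIES = 1024            # limit stated on the page
UNSET_MAC = "00:00:00:00:00:00"   # the page's default, meaning "no MAC set"
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass(frozen=True)
class ArpEntry:
    address: str
    interface: str
    mac_address: str


def build_static_table(entries: List[ArpEntry]) -> Dict[Tuple[str, str], str]:
    """Validate static entries and index them by (interface, address)."""
    if len(entries) > MAX_ARP_ENTRIES:
        raise ValueError(f"more than {MAX_ARP_ENTRIES} ARP entries")
    table: Dict[Tuple[str, str], str] = {}
    for e in entries:
        ipaddress.ip_address(e.address)              # raises on a malformed address
        if not _MAC_RE.match(e.mac_address) or e.mac_address == UNSET_MAC:
            raise ValueError(f"{e.address}: no usable MAC address")
        key = (e.interface, e.address)
        if key in table:
            raise ValueError(f"{e.address} on {e.interface} listed twice")
        table[key] = e.mac_address.upper()
    return table


def classify_arp_reply(table, interface: str, sender_ip: str, sender_mac: str) -> str:
    """'ok' if the reply agrees with the static entry, 'conflict' if it contradicts
    it, 'unknown' if no static entry exists for that address on that interface."""
    expected = table.get((interface, sender_ip))
    if expected is None:
        return "unknown"
    return "ok" if expected == sender_mac.upper() else "conflict"


def audit(table, replies: List[Tuple[str, str, str]]) -> List[str]:
    """Return one line per observed reply that contradicts a static entry."""
    findings = []
    for iface, ip, mac in replies:
        if classify_arp_reply(table, iface, ip, mac) == "conflict":
            findings.append(f"{iface}: {ip} claimed by {mac.upper()}, "
                            f"static entry says {table[(iface, ip)]}")
    return findings


# Constructed sample data (not from the page): a gateway and a server pinned statically.
STATIC_ENTRIES = [
    ArpEntry("10.0.0.1", "ether1", "00:0C:42:00:00:01"),
    ArpEntry("10.0.0.10", "ether1", "00:0C:42:00:00:0A"),
]

OBSERVED_REPLIES = [                                 # (interface, sender IP, sender MAC)
    ("ether1", "10.0.0.1", "00:0c:42:00:00:01"),     # the legitimate gateway
    ("ether1", "10.0.0.1", "00:11:22:33:44:55"),     # another host answering for the gateway
    ("ether1", "10.0.0.77", "00:11:22:33:44:55"),    # not pinned: dynamic learning would accept it
]


def run_audit() -> List[str]:
    return audit(build_static_table(STATIC_ENTRIES), OBSERVED_REPLIES)


if __name__ == "__main__":
    for line in run_audit():
        print(line)
```

The third reply shows the limit of a partially static table: an address with no static entry is simply "unknown", so pinning only the gateway protects the gateway mapping and nothing else.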
75. his/her settings to use an unknown (to us) proxy server, to the local embedded proxy server. This feature may be used in combination with the Universal Client feature to provide Internet access for users regardless of their network settings.

The allow-unencrypted-passwords property makes it possible to authenticate with browsers not supporting JavaScript (for example, Internet Explorer 2.0). It is also possible to log in using a telnet connection, just by requesting the page /login?user=username&password=password. Another use of this property is the possibility of hard-coding authentication information in the servlet's login page, simply by creating the appropriate link. Note that with this property enabled the password crosses the network in clear text, and a password passed in the URL can end up in proxy and web server logs.

The auth-requires-mac property makes it possible to make a reverse HotSpot, to authenticate users accessing the local network from the Internet.

Example

To enable cookie support:

    [admin@MikroTik] ip hotspot> set auth-http-cookie=yes
    [admin@MikroTik] ip hotspot> print
                         use-ssl: no
                 hotspot-address: 0.0.0.0
                        dns-name: ""
              status-autorefresh: 1m
                 universal-proxy: no
                    parent-proxy: 0.0.0.0:0
               auth-requires-mac: yes
                        auth-mac: no
               auth-mac-password: no
                auth-http-cookie: yes
            http-cookie-lifetime: 1d
     allow-unencrypted-passwords: no
             login-mac-universal: no
               split-user-domain: no
    [admin@MikroTik] ip hotspot>

HotSpot User Profiles

Home menu level: /ip hotspot profile

Description

HotSpot User profiles are used for common user settings. Profiles
76. /ip ipsec proposal set default enc-algorithms=des

for the CISCO router:

Create an IPsec transform set (the transformations that should be applied to traffic: ESP encryption with DES and ESP authentication with SHA1). This must match /ip ipsec proposal:

    crypto ipsec transform-set myset esp-des esp-sha-hmac
     mode tunnel
    exit

3. Add a policy rule that matches traffic between the subnets and requires encryption with ESP in tunnel mode

for the MikroTik router:

    [admin@MikroTik] > ip ipsec policy add src-address=10.0.0.0/24 dst-address=10.0.2.0/24 action=encrypt tunnel=yes sa-src=10.0.1.1 sa-dst=10.0.1.2

for the CISCO router:

Create an access list that matches the traffic that should be encrypted:

    access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.0.255

Create a crypto map that will use transform set myset, use peer 10.0.1.1 to establish SAs and encapsulate traffic, and use access list 101 to match the traffic that should be encrypted:

    crypto map mymap 10 ipsec-isakmp
     set peer 10.0.1.1
     set transform-set myset
     set pfs group2
     match address 101
    exit

And finally apply the crypto map to the serial interface:

    interface Serial 0
     crypto map mymap
    exit

Note that single DES is no longer considered a strong cipher; it is used here only so that the MikroTik proposal matches the Cisco transform set, and both sides should be moved to a stronger algorithm when the peer supports one.

4. Testing the IPsec tunnel

On the MikroTik router we can see the installed SAs:

    [admin@MikroTik] ip ipsec installed-sa> print
    Flags: A - AH, E - ESP, P - pfs, M - manual
      0 E spi=9437482 direction=out src-address=10.0.1.1 dst-address=10.0.1.2 auth-algorithm
77. ip policy-routing table mt> print
    Flags: X - disabled, I - invalid, D - dynamic, R - rejected
      #   TYPE     DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
      0   static   10.5.5.0/24        r 10.0.0.22       1        Public
    [admin@MikroTik] ip policy-routing table mt>

Policy Rules

Home menu level: /ip policy-routing rule

Property Description

src-address (IP address/mask) - source IP address/mask
dst-address (IP address/mask) - destination IP address/mask
interface (name | all; default: all) - interface name through which the packet arrives. Should be all for a rule that should match locally generated or masqueraded packets, since at the moment of processing the routing table these packets have the interface name set to loopback
flow (name; default: "") - flow mark of the packet to be matched by this rule. To add a flow, use /ip firewall mangle commands
action (drop | unreachable | lookup; default: unreachable) - action to be performed on packets matched by this rule:
  - drop - silently drop the packet
  - unreachable - reply that the destination host is unreachable
  - lookup - look up the route in the given routing table

Notes

Policy routing will not function as desired for packets originating from the router or masqueraded packets. This is because these packets have source address 0.0.0.0 at the moment when they are processed by the routing table. Therefore it is not possible to match masqueraded packets by source address with a policy routing rule. You s
78. is possible to get the terminal into an unusable state by outputting sequences of inappropriate control characters or random data. Do not connect to devices at an incorrect speed, and avoid dumping binary data.

Property Description

port (name) - port name to use

Notes

Ctrl-Q and Ctrl-X have special meaning and are used to provide the possibility of exiting from nested serial terminal sessions. To send Ctrl-X to the serial port, press Ctrl-X Ctrl-X. To send Ctrl-Q to the serial port, press Ctrl-X Ctrl-Q.

Example

To connect to a device connected to the serial1 port:

    [admin@MikroTik] system> serial-terminal serial1
    [Type Ctrl-Q to return to console]
    [Ctrl-X is the prefix key]

Global Positioning System (GPS)

Document revision 2.0 (23 Dec 2003)
This document applies to MikroTik RouterOS V2.8

Table of Cont: Summary; Specifications; Related Documents; Description; Additional Documents; Synchronizing with a GPS Receiver (Property Description, Notes, Example); GPS Monitoring (Description, Property Description, Example)

General Information

Summary

A Global Positioning System (GPS) receiver can be used by MikroTik RouterOS to get the precise location and time, which may be used as an NTP time source.

Specifications

Packages required: gps
License required: Any
Home menu level: /system gps
Protocols utilized: GPS NMEA 0183, Simple Text Output Protocol
Hardw
79. item with the specified position. Thus you do not need to use the move command after adding an item to the list.
  - controls the disabled/enabled state of the newly added item(s)
  - holds the description of a newly created item

remove - removes item(s) from a list
  - contains number(s) or name(s) of item(s) to remove

move - changes the order of items in a list, where one is relevant. Item numbers after the move command are left in a consistent but hardly intuitive order, so it is better to resync them by using print after each move command.
  - first argument - specifies the item(s) being moved
  - second argument - specifies the item before which to place all items being moved (they are placed at the end of the list if the second argument is omitted)

find - the find command has the same arguments as set, and an additional from argument which works like the from argument of the print command. In addition, the find command has flag arguments (like disabled, invalid) that take the values yes or no, depending on the value of the respective flag. To see all flags and their names, look at the top of the print command's output. The find command returns the internal numbers of all items that have the same values of arguments as specified.

Package Management

Document revision 2.1.0 (15 Jan 2004)
This document applies to MikroTik RouterOS V2.8

Table of Contents: Summary; Related Documents; Description; Software Package Installation / Upgrade (Description, N
80. iy sie 1 farsync1
      1 DC 10.0.0.0/24        r 10.0.0.254      0 ether2
      2 DC 192.168.0.0/24     r 192.168.0.254   0 ether1
      3 DC 1.1.1.2/32         r 0.0.0.0         0 farsync1
    [admin@MikroTik] ip route>

The configuration of the MikroTik router at the other end is similar:

    [admin@MikroTik] ip address> add address=1.1.1.2/32 interface=fsync network=1.1.1.1 broadcast=255.255.255.255
    [admin@MikroTik] ip address> print
    Flags: X - disabled, I - invalid, D - dynamic
      #   ADDRESS            NETWORK         BROADCAST         INTERFACE
      0   10.1.1.12/24       10.1.1.0        10.1.1.255        Public
      1   1.1.1.2/32         1.1.1.1         255.255.255.255   fsync
    [admin@MikroTik] ip address> ping 1.1.1.1
    1.1.1.1 64 byte pong: ttl=255 time=31 ms
    1.1.1.1 64 byte pong: ttl=255 time=26 ms
    1.1.1.1 64 byte pong: ttl=255 time=26 ms
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max = 26/27.6/31 ms
    [admin@MikroTik] ip address>

MikroTik router to MikroTik router P2P using X.21 line

Consider the following example:

[Diagram: Headquarters (hq), farsync1 1.1.1.1/32, network 1.1.1.2 --- X.21 line --- Remote Office (office), farsync1 1.1.1.2/32, network 1.1.1.1]

The default value of the property clock-source must be changed to internal for one of the cards. Both cards must have the media-type property set to X21. IP address configuration on both routers is as follows (by convention, the routers are named hq and office, respectively):

    [admin@hq] ip address> pri
    Flags
81. key-0 | key-1 | key-2 | key-3; default: key-0) - which key to use for broadcast packets. Used in AP mode
sta-private-algo (none | 40bit-wep | 104bit-wep) - algorithm to use if the sta-private-key is set. Used to communicate between 2 devices
sta-private-key (text) - if this key is set in station mode, use this key for encryption. In ap-bridge mode you have to specify private keys in the access-list, or use the Radius server (using radius-mac-authentication). Used to communicate between 2 devices
radius-mac-authentication (no | yes; default: no) - whether to use Radius server MAC authentication or not
security (none | optional | required; default: none) - security level:
  - none - do not encrypt packets and do not accept encrypted packets
  - optional - if there is a sta-private-key set, use it. Otherwise, if the ap-bridge mode is set, do not use encryption; if the mode is station, use encryption if the transmit-key is set
  - required - encrypt all packets and accept only encrypted packets

Notes

The keys used for encryption are in hexadecimal form. If you use 40bit-wep the key has to be 10 characters long; if you use 104bit-wep the key has to be 26 characters long.

Wireless Application Examples

AP to Client Configuration Example

Client

You need both the 2.4GHz/5GHz Wireless Client and the Wireless AP licenses to enable the AP mode. To make the MikroTik router work as an access point, the configuration of the wir
82. mac-telnet 00:40:63:C1:23:C4
    Login: admin
    Password:
    Trying 00:40:63:C1:23:C4...
    Connected to 00:40:63:C1:23:C4
    [MikroTik ASCII-art logo]
      MikroTik RouterOS v2.7 (c) 1999-2003       http://www.mikrotik.com/
    Terminal linux detected, using multiline input mode
    [admin@10.5.7.1] >

Ping

Document revision 1.10 (15 Jul 2003)
This document applies to MikroTik RouterOS V2.8

Table of Contents: General Information (Summary, Related Documents, Description); The Ping Command (Property Description, Notes, An example of Ping command); MAC Ping Server (Property Description, Example)

General Information

Summary

Ping uses Internet Control Message Protocol (ICMP) Echo messages to determine if a remote host is active or inactive and to determine the round-trip delay when communicating with it.

Specifications

Packages required: system
License required: Any
Home menu level: /, /tool mac-server ping
Protocols utilized: ICMP
Hardware usage: Not significant

Related Documents: Software Package Installation and Upgrading

Description

Ping sends an ICMP echo (ICMP type 8) message to the host and waits for the ICMP echo reply (ICMP type 0
83. mark will be shared between these hosts.

PCQ

The Per Connection Queue (PCQ) type is used for limiting the data rate for each connection. These connections can be classified by the pcq-classifier: target address (the target address which will be limited), source address, dst-address (destination address), target port, dst-port (destination port). You can use multiple parameters in the pcq-classifier. The pcq-limit is the number of packets which a single PCQ queue can hold. The data rate for each connection is limited by the pcq-rate parameter (in bytes per second). Note that for normal PCQ performance you have to use queue trees. It is not recommended to use simple queues for limiting traffic with PCQ.

Additional Documents

- Home of Hierarchical Token Bucket (HTB)
- Paper on Random Early Detection (RED)
- More complete information on Traffic Control

Queue Types

Home menu level: /queue type

Description

The queue types are used to specify some common argument values for queues. There are four default built-in queue types: default, ethernet-default, wireless-default and synchronous-default. The built-in queue types cannot be removed.

Property Description

name (name) - name for the queue type
kind (pfifo | bfifo | red | sfq | pcq; default: pfifo) - kind of the queuing algorithm used:
  - pfifo - Packets First-In First-Out
  - bfifo - Bytes First-In First-Out
  - red - Random Early Detection
  - sfq - Stochastic Fair Queui
84. mask) - source address and network mask to filter the traffic only with such an address (any source address: 0.0.0.0/0)
dst-address (IP address/mask) - destination address and network mask to filter the traffic only with such an address (any destination address: 0.0.0.0/0)

Notes

If a specific port is given, then only the tcp and udp protocols will be filtered, i.e. the name of the protocol can be any, any-ip, tcp, udp.

Except for TX and RX, there will be only the fields you have specified on the command line in the command's output, e.g. you will get the PROTOCOL column only in case the protocol property is explicitly specified.

Example

The following example monitors the traffic that goes through the ether1 interface generated by the telnet protocol:

    [admin@MikroTik] tool> torch ether1 port=telnet
      SRC-PORT    DST-PORT       TX        RX
      1439        23 (telnet)    1.7kbps   368bps
    [admin@MikroTik] tool>

To see what IP protocols are going through the ether1 interface:

    [admin@MikroTik] tool> torch ether1 protocol=any-ip
      PRO..   TX         RX
      tcp     1.06kbps   608bps
      udp     896bps     3.7kbps
      icmp    480bps     480bps
      ospf    0bps       192bps
    [admin@MikroTik] tool>

To see what IP protocols are interacting with the 10.0.0.144/32 host connected to the ether1 interface:

    [admin@MikroTik] tool> torch ether1 src-address=10.0.0.144/32 protocol=any
      PRO..   SRC-ADDRESS    TX         RX
      tcp     10.0.0.144     1.01kbps   608bps
      icmp    10.0.0.144     480bps     480bps
    [admin@MikroTik] tool>

To see what tcp/udp prot
85. no tx-bit-rate=0 rx-bit-rate=0 incoming-filter="" outgoing-filter=""
    [admin@MT_Prism_AP] ppp profile> secret
    [admin@MT_Prism_AP] ppp secret> add name=w password=wkst service=pppoe
    [admin@MT_Prism_AP] ppp secret> add name=l password=ltp service=pppoe
    [admin@MT_Prism_AP] ppp secret> print
    Flags: X - disabled
      #   NAME    SERVICE   CALLER-ID   PASSWORD   PROFILE
      0   w       pppoe                 wkst       default
      1   l       pppoe                 ltp        default
    [admin@MT_Prism_AP] ppp secret>

Thus we have completed the configuration and added two users, w and l, who are able to connect using PPPoE client software. Note that the Windows XP built-in client supports encryption, but RASPPPoE does not. So if it is planned not to support Windows clients older than Windows XP, it is recommended to switch require-encryption to yes in the default profile configuration. Otherwise the server will accept clients that do not encrypt data.

Point to Point Protocol (PPP) and Asynchronous Interfaces

Document revision 1.1 (22.09.2003)
This document applies to MikroTik RouterOS V2.8

Table of Contents: General Information (Summary, Specifications, Related Documents, Additional Documents); Serial Port Configuration (Property Description, Notes, Example); PPP Server Setup (Description, Property Description, Example); PPP Client Setup (Description, Property Description, Notes, Example); PP
86. number of sent packets (in the form: sent packets / number of packets which were packed into larger ones using fast frames)
rx-packed (integer) - number of received packets (in the form: received packets / number of packets which were packed into larger ones using fast frames)
bytes (read-only: integer/integer) - number of received and sent bytes
signal-strength (read-only: integer) - average signal level
last-activity (time)
rx-rate (read-only: integer) - min/average/max receive data rate
tx-rate (read-only: integer) - transmit data rate
uptime (read-only: time) - time the client has been associated with the access point

Example

To see the registration table showing all clients currently associated with the access point:

    [admin@MikroTik] interface wireless registration-table> print
      #   INTERFACE   MAC-ADDRESS         AP    SIGNAL-STRENGTH   TX-RATE   UPTIME
      0   wlan1       00:02:6F:01:D0:A5   no    -70               1Mbps     00:13:48
    [admin@MikroTik] interface wireless registration-table>

To get additional statistics:

    [admin@MikroTik] interface wireless registration-table> print stats
      0 interface=wlan1 mac-address=00:02:6F:01:D0:A5 ap=no rx-rate=1Mbps tx-rate=1Mbps
        packets=3,107 bytes=75,5251 uptime=00:15:42 last-activity=00:00:04.120
        signal-strength=-70
    [admin@MikroTik] interface wireless registration-table>

Access List

Home menu level: /interface wireless access-list

Description

The access list is used by the access point
87. and the hardware interface is the VLAN switch. Note that you cannot use the Virtual Access Point on Prism-based cards.

Property Description

802.1x-mode (PEAP-MSCHAPV2 | none) - use Protected Extensible Authentication Protocol / Microsoft Challenge Handshake Authentication Protocol version 2 for authentication
arp (disabled | enabled | proxy-arp | reply-only) - ARP mode
mac-address (read-only: MAC address; default: 00:00:00:00:00:00) - MAC address of the VAP. Assigned automatically when the master-interface field is set
default-authentication (yes | no; default: yes) - whether to accept or reject a client that wants to associate but is not in the access-list
default-forwarding (yes | no; default: yes) - whether to forward frames to other AP clients or not
disable-running-check (yes | no; default: no) - disable the running check. For broken cards it is a good idea to set this value to yes
disabled (yes | no; default: yes) - whether to disable the interface or not
hide-ssid (yes | no; default: no) - whether to hide the ssid or not in the beacon frames:
  - yes - ssid is not included in the beacon frames. The AP replies only to probe requests with the given ssid
  - no - ssid is included in beacon frames. The AP replies to probe requests with the given ssid and to broadcast ssid (empty ssid)
  Hiding the ssid is not an access control: it is still sent in the AP's probe responses and in clients' association requests, so restrict who may associate with the access-list (default-authentication=no) or 802.1x-mode rather than with hide-ssid.
master-interface (name) - hardware interface to use for the VAP
max-station-count (integer; default: 2007) - number of clients that can connect to this
88. of the current location
altitude (read-only: text) - altitude of the current location
speed (read-only: text) - mean velocity
valid (read-only: yes | no) - whether the received information is valid or not (e.g. you can set a GPS receiver to demo mode to test the connection, in which case you will receive information, but it will not be valid)

Example

    [admin@MikroTik] system gps> monitor
    date-and-time: jul/23/2003 12:25:00
        longitude: E 24 8 17
         latitude: N 56 59 22
         altitude: 127.406400m
            speed: 0.001600 km/h
            valid: yes
    [admin@MikroTik] system gps>

Scripting Host and Complementary Tools

Document revision 2.0.8 (09 Jan 2004)
This document applies to MikroTik RouterOS V2.8

Table of Contents: Summary; Specifications; Related Documents; Console Command Syntax (Description, Notes, Example); Expression Grouping (Description, Notes, Example); Variables (Description, Notes, Example); Command Substitution and Return Values (Description, Example); Operators (Description, Command Description, Notes, Example); Data types (Description); Internal Console Expressions (ICE) (Description, Command Description); Special Actions (Description, Notes, Example); Scripts (Description, Property Description, Command Description, Notes, Example); Task Management (Description, Property Description, Example); Script Editor (Description, Command Description, Notes, Example); Network Watchin
89. of this phase is approximately 30s
  - synchronized - the local clock is synchronized to the NTP server's clock. The NTP server is activated
  - using-local-clock - using the local clock as time source (server enabled while client disabled)

Example

To enable the NTP client to synchronize with the 159.148.60.2 server:

    [admin@MikroTik] system ntp client> set enabled=yes primary-ntp=159.148.60.2
    [admin@MikroTik] system ntp client> print
          enabled: yes
             mode: unicast
      primary-ntp: 159.148.60.2
    secondary-ntp: 0.0.0.0
           status: synchronized
    [admin@MikroTik] system ntp client>

Server

Home menu level: /system ntp server

Property Description

enabled (yes | no; default: no) - whether the NTP server is enabled
broadcast (yes | no; default: no) - whether an NTP broadcast message is sent to 255.255.255.255 every 64s
multicast (yes | no; default: no) - whether an NTP multicast message is sent to 224.0.1.1 every 64s
manycast (yes | no; default: yes) - whether the NTP server listens for multicast messages sent to 239.192.1.1 and responds to them

Notes

The NTP server is active only when the local NTP client is in synchronized or using-local-clock mode.

If the NTP server is disabled, all NTP requests are ignored. If the NTP server is enabled, all individual time requests are answered.

CAUTION: Using the broadcast, multicast and manycast modes is dangerous. An intruder or a simple user can set up his own NTP server. If this new server will be chosen as time source f
90. off cr=0
    [admin@r2] interface xpeed> set 0 mode=line-termination
    [admin@r2] interface xpeed>

Now r1 and r2 can ping each other.

MikroTik Router to Cisco Router

Let us consider the following network setup, with a MikroTik Router with an Xpeed interface connected to a leased line with a CISCO router at the other end.

MikroTik router setup:

    [admin@r1] ip address> add interface=xpeed1 address=1.1.1.1/24
    [admin@r1] ip address> pri
    Flags: X - disabled, I - invalid, D - dynamic
      #   ADDRESS        NETWORK     BROADCAST   INTERFACE
      0   1.1.1.1/24     1.1.1.0     1.1.1.255   xpeed1
    [admin@r1] interface xpeed> print
    Flags: X - disabled
      0 name="xpeed1" mtu=1500 mac-address=00:05:7A:00:00:08 arp=enabled mode=network-termination
        sdsl-speed=2320 sdsl-invert=no sdsl-swap=no bridged-ethernet=yes dlci=42 lmi-mode=off cr=0
    [admin@r1] interface xpeed>

Cisco router setup:

    CISCO# show running-config
    Building configuration...
    Current configuration:
    ...
    ip subnet-zero
    no ip domain-lookup
    frame-relay switching
    !
    interface Ethernet0
     description connected to EthernetLAN
     ip address 10.0.0.254 255.255.255.0
    !
    interface Serial0
     description connected to Internet
     no ip address
     encapsulation frame-relay IETF
     serial restart-delay 1
     frame-relay lmi-type ansi
     frame-relay intf-type dce
    !
    interface Serial0.1 point-to-point
     ip address 1.1.1.2 255.255.255.0
     no arp frame-relay
     frame-relay interface
91. optimized to work with the find command, which returns lists of internal numbers and may return an empty list or just one internal number.

This example prints all ethernet interfaces, each followed by all addresses that are assigned to it:

    [admin@MikroTik] > :foreach i in=[/interface find type=ether] do={
    ... :put [/interface get $i name];
    ... :foreach j in=[/ip address find interface=$i] do={
    ... :put [/ip address get $j address]
    ... }
    ... }
    ether1
    ether2
    10.0.0.65/24
    [admin@MikroTik] >

delay - this action does nothing for a given amount of time. It takes one argument, an amount of time to wait, which defaults to one second.

time - this action calculates the amount of time needed to execute the given console commands. It takes one argument, which holds the console commands the time action should be applied to. The commands are executed once and the total amount of time taken is returned.

    [admin@MikroTik] > :put [:time {:delay 1s}]
    1s34.31ms
    [admin@MikroTik] >

log - this action adds an entry to the system logs. It takes two parameters: message, which contains the string to be added, and facility, which specifies by which logging facility the message should be logged. The facility parameter defaults to System-Info.

    [admin@MikroTik] > :log facility=Firewall-Log message="Very Good Thing happened. We have received our first packet!"
    [admin@MikroTik] >

environment print - this action prints information a
92. or is already logged in, alogin.html is displayed (if alogin.html is not found, redirect.html is used to redirect to the originally requested page, or to the status page in case the original destination page was not given)
  - if the user is not logged in (username was not supplied, no error message appeared), login.html is shown
  - if the login procedure has failed (an error message is supplied), flogin.html is displayed (if flogin.html is not found, login.html is used)
  - in case of fatal errors, error.html is shown

4. request for the status page
  - if the user is logged in, status.html is displayed
  - if the user is not logged in, fstatus.html is displayed (if fstatus.html is not found, redirect.html is used to redirect to the login page)

5. request for the logout page
  - if the user is logged in, logout.html is displayed
  - if the user is not logged in, flogout.html is displayed (if flogout.html is not found, redirect.html is used to redirect to the login page)

Note that if it is not possible to meet a request using the pages stored on the router's FTP server, the default pages are used.

There are many possibilities to customize what the HotSpot authentication pages look like:

- The pages are easily modifiable. They are stored on the router's FTP server in the hotspot directory.
- By changing the variables which the client sends to the HotSpot servlet, it is possible to reduce the keyword count to one (username or password; for example, the client's MAC address may be used a
93. set 0,1 bridge=bridge1
    [admin@MikroTik] interface bridge port> print
    Flags: X - disabled
      #   INTERFACE   BRIDGE
      0   ether1      bridge1
      1   ether2      bridge1
      2   ether3      none
      3   prism1      none
    [admin@MikroTik] interface bridge port>

After setting some interfaces for bridging, the bridge interface should be enabled in order to start using it:

    [admin@MikroTik] interface bridge> print
    Flags: X - disabled, R - running
      0 X name="bridge1" mtu=1500 arp=enabled mac-address=00:50:08:00:00:F5
          forward-protocols=ip,arp,other priority=1
    [admin@MikroTik] interface bridge> enable 0
    [admin@MikroTik] interface bridge> print
    Flags: X - disabled, R - running
      0 R name="bridge1" mtu=1500 arp=enabled mac-address=00:50:08:00:00:F5
          forward-protocols=ip,arp,other priority=1
    [admin@MikroTik] interface bridge>

If you want to access the router through unnumbered bridged interfaces, it is required to add an IP address to the bridge interface:

    [admin@MikroTik] ip address> add address=192.168.0.254/24 interface=bridge1
    [admin@MikroTik] ip address> add address=10.1.1.12/24 interface=prism1
    [admin@MikroTik] ip address> print
    Flags: X - disabled, I - invalid, D - dynamic
      #   ADDRESS             NETWORK       BROADCAST       INTERFACE
      0   192.168.0.254/24    192.168.0.0   192.168.0.255   bridge1
      1   10.1.1.12/24        10.1.1.0      10.1.1.255      prism1
    [admin@MikroTik] ip address>

Note: Assigning an IP address
94. set 0 sid=0x03816788 tma-mode=yes
    [admin@MikroTik] interface arlan> monitor 0
      registered: yes
      access-point: 00:40:88:23:91:F8
      backbone: 00:40:88:23:91:F9
    [admin@MikroTik] interface arlan>

Troubleshooting

Description

Keep in mind that not all combinations of I/O base addresses and IRQs may work on a particular motherboard. It is recommended that you choose an IRQ not used in your system and then try to find an acceptable I/O base address setting. As has been observed, IRQ 5 and I/O 0x300 or 0x180 will work in most cases.

- The driver cannot be loaded because another device uses the requested IRQ: try to set a different IRQ using the DIP switches.
- The requested I/O base address cannot be used on your motherboard: try to change the I/O base address using the DIP switches.
- The pc interface does not show up under the interfaces list: obtain the required license for the 2.4/5GHz Wireless Client feature.
- The wireless card does not register to the Access Point: check the cabling and antenna alignment.

Bridge Interface

Document revision 1.1 (05.09.2003)
This document applies to MikroTik RouterOS V2.8

Table of Contents: General Information (Summary, Specifications, Related Documents, Description, Additional Documents); Bridge Interface Setup (Description, Property Description, Notes, Example); Port Settings (Description, Property Description, Example); Bridge Monitoring (P
95. sha1 enc-algorithm=des replay=4 state=mature
        auth-key="9cf2123b8b5add950e3e67b9eac79421d406aa09"
        enc-key="ffe7ec65b7a385c3" add-lifetime=24m/30m use-lifetime=0s/0s lifebytes=0/0
        current-addtime=jul/12/2002 16:13:21 current-usetime=jul/12/2002 16:13:21 current-bytes=71896
      1 E spi=319317260 direction=in src-address=10.0.1.2 dst-address=10.0.1.1
        auth-algorithm=sha1 enc-algorithm=des replay=4 state=mature
        auth-key="7575f5624914dd312839694db2622a318030bc3b"
        enc-key="633593f809c9d6af" add-lifetime=24m/30m use-lifetime=0s/0s lifebytes=0/0
        current-addtime=jul/12/2002 16:13:21 current-usetime=jul/12/2002 16:13:21 current-bytes=0
    [admin@MikroTik] ip ipsec installed-sa>

Note that this listing prints the live session keys (auth-key and enc-key); treat the output as a secret and do not paste it into tickets or mail.

on the CISCO router:

    cisco# show interface Serial 0
    interface: Serial1
        Crypto map tag: mymap, local addr. 10.0.1.2
       local  ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
       current_peer: 10.0.1.1
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 1810, #pkts encrypt: 1810, #pkts digest 1810
        #pkts decaps: 1861, #pkts decrypt: 1861, #pkts verify 1861
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 10.0.1.2, remote crypto endpt.: 10.0.1.1
         path mtu 1500, media mtu 1500
         current outbound spi: 1308650C
         inbound esp sas:
          spi: 0x90012A(9437482)
            transform: esp-des esp-sha-hmac
96. supports an L2TP server

Specifications

Packages required: ppp A
Home menu level: /interface l2tp-server, /interface l2tp-client
Protocols utilized: L2TP (RFC 2661)
Hardware usage: Not significant

Related Documents: Software Package Management; IP Addresses and ARP; AAA (Authentication, Authorization and Accounting); EoIP (Ethernet over IP) Tunnel Interface; IP Security (IPsec)

Description

L2TP is a tunnel for transporting IP traffic using PPP. L2TP encapsulates PPP in virtual lines that run over IP, Frame Relay and other protocols (which are not currently supported by MikroTik RouterOS). L2TP itself provides no confidentiality; it incorporates PPP and MPPE (Microsoft Point to Point Encryption) to make encrypted links. The purpose of this protocol is to allow the Layer 2 and PPP endpoints to reside on different devices interconnected by a packet-switched network. With L2TP, a user has a Layer 2 connection to an access concentrator (e.g. modem bank, ADSL DSLAM, etc.), and the concentrator then tunnels individual PPP frames to the Network Access Server (NAS). This allows the actual processing of PPP packets to be divorced from the termination of the Layer 2 circuit. From the user's perspective, there is no functional difference between having the L2 circuit terminate in a NAS directly or using L2TP. It may also be useful to use L2TP just as any other tunneling protocol, with or without encryption. The L2TP standard says that the most secure way to encrypt data is us
97. ... that have two parts. Each SPD rule can be associated with several Security Associations (SA) that determine packet encryption parameters (key, algorithm, SPI). Note that a packet can only be encrypted if there is a usable SA for the policy rule. By setting the SPD rule security level, the user can control what happens when there is no valid SA for the policy rule.

Decryption
When an encrypted packet is received for the local host (after dst-nat and input filter), the appropriate SA is looked up to decrypt it (using the packet's source, destination, security protocol and SPI value). If no SA is found, the packet is dropped. If an SA is found, the packet is decrypted. Then the decrypted packet's fields are compared to the policy rule that the SA is linked to. If the packet does not match the policy rule, it is dropped. If the packet is decrypted fine (or authenticated fine), it is "received" once more: it goes through dst-nat and routing, which finds out what to do, either forward or deliver locally, again.

Note that before the forward and input firewall chains, a packet that was not decrypted on the local host is compared with the SPD, reversing its matching rules. If the SPD requires encryption (there is a valid SA associated with the matching SPD rule), the packet is dropped. This is called the incoming policy check.

Internet Key Exchange
The Internet Key Exchange (IKE) is a protocol that provides authenticated keying material for the Internet Security Association and Key Management Protocol (ISAKMP) framework. There are o
98. ... the 40bit-wep or 104bit-wep algorithm (algo-0).

algo-1 (none | 40bit-wep | 104bit-wep; default: none) - which encryption algorithm to use:
- none - do not use encryption and do not accept encrypted packets
- 40bit-wep - use the 40bit encryption (also known as 64bit wep) and accept only these packets
- 104bit-wep - use the 104bit encryption (also known as 128bit wep) and accept only these packets

key-1 (text) - hexadecimal key which will be used to encrypt packets with the 40bit-wep or 104bit-wep algorithm (algo-1)

algo-2 (none | 40bit-wep | 104bit-wep; default: none) - which encryption algorithm to use:
- none - do not use encryption and do not accept encrypted packets
- 40bit-wep - use the 40bit encryption (also known as 64bit wep) and accept only these packets
- 104bit-wep - use the 104bit encryption (also known as 128bit wep) and accept only these packets

key-2 (text) - hexadecimal key which will be used to encrypt packets with the 40bit-wep or 104bit-wep algorithm (algo-2)

algo-3 (none | 40bit-wep | 104bit-wep; default: none) - which encryption algorithm to use:
- none - do not use encryption and do not accept encrypted packets
- 40bit-wep - use the 40bit encryption (also known as 64bit wep) and accept only these packets
- 104bit-wep - use the 104bit encryption (also known as 128bit wep) and accept only these packets

key-3 (text) - hexadecimal key which will be used to encrypt packets with the 40bit-wep or 104bit-wep algorithm (algo-3)

transmit-key
99. ... the argument value of shared-users to the number of simultaneous user sessions using the same username in the HotSpot profile. For example, to allow 10 clients to use the same username simultaneously:

/ip hotspot profile set default shared-users=10

If you want the router to resolve DNS requests, enable the DNS cache and redirect all the DNS requests to the router itself (159.148.60.2 in this example means the external DNS server the router will work with):

/ip dns set primary-dns=159.148.60.2
/ip dns set allow-remote-requests=yes
/ip firewall dst-nat add protocol=udp dst-port=53 action=redirect comment="intercept all DNS requests"

DHCP (Dynamic Host Configuration Protocol)
Document revision 2.4 (22 Jan 2004)
This document applies to MikroTik RouterOS V2.8

Table of Contents
Summary
Specifications
Description
Additional Documents
DHCP Client Setup
  Description
  Property Description
  Command Description
  Notes
  Example
DHCP Client Lease
  Description
  Property Description
  Example
DHCP Server Setup
  Description
  Property Description
  Notes
  Example
DHCP Networks
  Property Description
  Notes
DHCP Leases
  Description
  Property Description
  Command Description
  Notes
  Example
DHCP relay
  Description
  Property Description
  Notes
  Example
Question & Answer Based Setup
  Command Description
  Notes
  Example

General Information
Summary
The DHCP (Dynamic H
100. ... the displayed data:
address (read-only: MAC address) - MAC address of the AP
ssid (read-only: text) - service set identifier of the AP
band (read-only: text) - in which standard the AP operates
freq (read-only: integer) - the frequency of the AP
bss (read-only: yes | no) - basic service set
privacy (read-only: yes | no) - whether all data is encrypted or not
signal-strength (read-only: integer) - signal strength in dBm

Example

[admin@MikroTik] interface wireless> scan wlan1 refresh-interval=1s
  ADDRESS           SSID       BAND     FREQ  BSS  PRIVACY  SIGNAL-STRENGTH
0 00:02:6F:01:69:FA wep2       2.4GHz-B 2412  yes  no       59
0 00:02:6F:20:28:E6 r          2.4GHz-B 2422  yes  no       79
0 00:02:6F:05:68:D3 hotspot    2.4GHz-B 2442  yes  no       95
0 00:40:96:44:2E:16            2.4GHz-B 2457  yes  no       84
0 00:02:6F:08:53:1F rbinstall  2.4GHz-B 2457  yes  no       93
[admin@MikroTik] interface wireless>

Wireless Security

Description
This section provides the WEP (Wireless Encryption Protocol) functions to wireless interfaces.

Property Description
algo-0 (none | 40bit-wep | 104bit-wep; default: none) - which encryption algorithm to use:
- none - do not use encryption and do not accept encrypted packets
- 40bit-wep - use the 40bit encryption (also known as 64bit wep) and accept only these packets
- 104bit-wep - use the 104bit encryption (also known as 128bit wep) and accept only these packets
key-0 (text) - hexadecimal key which will be used to encrypt packets with
101. ... the outgoing interface regarding the traffic flow.

Specifications
Packages required: system
Home menu level: /queue
Protocols utilized: None
Hardware usage: significant

Related Documents
- Software Package Management
- IP Addresses and ARP
- Firewall Filters

Description

Classless Queues
There are four types of simple queues implemented in RouterOS: PFIFO, BFIFO, SFQ and RED.

With Bytes First-In First-Out (BFIFO) and Packets First-In First-Out (PFIFO), packets are served in the same order as they are received. The only difference between BFIFO and PFIFO is that PFIFO has a length measured in packets, BFIFO in bytes. Generally you do not want to use BFIFO or PFIFO as traffic shapers. It's better to use them just for statistics, as they are pretty fast. The only exception is when you are running out of resources with RED and/or with a complicated queue tree.

Stochastic Fair Queuing (SFQ) cannot limit traffic at all. Its main idea is to equalize sessions (not computer traffic, but session traffic; it is sometimes mentioned as an SFQ drawback) when your link is completely full. It works in round-robin fashion, giving each session a chance to send sfq-allot bytes. Its algorithm can distinguish only 1024 sessions, and that is why several sessions can be treated as one. Each sfq-perturb seconds it drops the internal table (mixing all the connections) and creates a new table. As it is very fast, you may want to use it as a child queue. The normal be
102. ... to restrict/allow authentications (associations) of clients. This list contains the MAC address of the client and the associated action to take when the client attempts to connect. Also, the forwarding of frames sent by the client is controlled.

The association procedure is as follows: when a new client wants to associate to the AP that is configured on interface wlanN, an entry with the client's MAC address and interface wlanN is looked up in the access list. If such an entry is found, then the action specified in it is taken; else the default-authentication and default-forwarding arguments of interface wlanN are taken.

Property Description
mac-address (MAC address) - MAC address of the client
interface (name) - AP interface name
authentication (yes | no; default: yes) - whether to accept or to reject this client when it tries to connect
forwarding (yes | no; default: yes) - whether to forward the client's frames to other wireless clients
private-key (text; default: "") - private key of the client to use for private-algo
private-algo (104bit-wep | 40bit-wep | none) - which encryption algorithm to use

Notes
If you have the default-authentication action for the interface set to yes, you can disallow this node to register at the AP's interface wlanN by setting authentication=no for it. Thus all nodes except this one will be able to register to the interface wlanN. If you have the default-authentication action for the interface set to no, you can allow this no
103. ... under /queue interface; priority=flow-priority is the highest
max-limit (text; default: 0/0) - maximal stream data rate (bits/s), in the form of in/out, where in is the flow that matches the rule precisely and out is the flow that matches the reverse rule (i.e. going from the specified interface, with source and destination addresses swapped):
- 0 - no limit
total-limit-at (integer; default: 0) - allocated total (bidirectional) stream data rate (bits/s):
- 0 - no limit
total-max-limit (integer; default: 0) - maximal total (bidirectional) stream data rate (bits/s):
- 0 - no limit
burst-limit (text; default: 0/0) - maximal allowed burst of data rate, in the form of in/out:
- 0 - no burst
burst-threshold (text; default: 0/0) - average burst threshold, in the form of in/out
burst-time (text; default: 0/0) - burst time, in the form of in/out
total-burst-limit (text; default: 0/0) - maximal allowed total (bidirectional) burst of data rate (bits/s):
- 0 - no burst
total-burst-threshold (text; default: 0/0) - total (bidirectional) burst time
total-burst-time (text; default: 0/0) - total (bidirectional) burst time

Notes
max-limit must be equal to or greater than limit-at.
Simple queues are applied before queue trees.
Queue rules are processed in the order they appear in the list. If some packet matches the queue rule, then the queuing mechanism specified in that rule is applied to it, and no more rules are processed for that packet.

Example
To
104. ... up to 17Mbit/s. With appropriate antennas and cabling, the maximum distance should be as far as 40 km. These values of ack-timeout were approximated from the tests done by us, as well as by some of our customers. Please note that these are not the precise values. Depending on the hardware used and many other factors, they may vary up to 15 microseconds.

Hardware Notes
The MikroTik RouterOS supports as many Atheros chipset based cards as there are free adapter slots on your system. One license is valid for all cards on your system. Note that the maximal number of PCMCIA sockets is 8.

Some chipsets are not stable with Atheros cards and cause the radio to stop working. Via Epia, MikroTik RouterBoard and systems based on Intel i815 and i845 chipsets are tested and work stably with Atheros cards. There might be many other chipsets that work stably, but it has been reported that some older chipsets and some systems based on the AMD Duron CPU are not stable.

Wireless Interface Configuration

Home menu level: /interface wireless

Description
The wireless interface operates using the IEEE 802.11 set of standards. It uses radio waves as a physical signal carrier and is capable of wireless data transmission with speeds up to 108 Mbps (in turbo mode).

Property Description
name (name; default: wlanN) - assigned interface name
mtu (integer: 68..1600; default: 1500) - Maximum Transmission Unit
mac-ad
105. ... use Protected Extensible Authentication Protocol (Microsoft Challenge Handshake Authentication Protocol version 2) for authentication.

Notes
You should set the tx-power property to an appropriate value, as many cards do not have their default setting set to the maximal power they can work on. For the cards MikroTik is selling (SG-ABM), 20dB (100mW) is the maximal power in 5GHz bands and 18dB (65mW) is the maximal power in 2.4GHz bands.

For different versions of the Atheros chipset there are different value ranges of the ack-timeout property:

[table: ack-timeout value ranges (default / max) per chipset version, with columns 5GHz, 5GHz-turbo, 2GHz-B and 2GHz-G; the cell values did not survive extraction apart from the fragments "5000", "5.2GHz only", "204", "22", "102"]

Example
Let us consider the following example: a MikroTik router is connected to an AP using an Atheros card, and the AP is operating in the IEEE 802.11b standard with ssid=hotspot.

[admin@MikroTik] interface wireless> print
Flags: X - disabled, R - running
 0 X name="wlan1" mtu=1500 mac-address=00:01:24:70:03:75 arp=enabled
     card-type="Atheros AR5211 2.4/5 GHz" mode=station ssid="MikroTik"
     frequency=5180 band=5GHz scan-list=default-ism
     supported-rates-a=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
     basic-rates-a=6Mbps supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
     basic-rates-b=1Mbps ack-timeout=default tx-power=default
     default-key-0="" default-key-1="" default-key-2="" default-key-3=""
     station-private-key="" transmit-key-id=0 encryption=none used-authen
106. ... w6692

Now additional channels should appear. Assuming you have only one ISDN card driver loaded, you should get the following:

[admin@MikroTik] isdn-channels> print
Flags: X - disabled, E - exclusive
  #   NAME     CHANNEL  DIR  TYPE  PHONE
  0   channel1 0
  1   channel2 1
[admin@MikroTik] isdn-channels>

Suppose you would like to use dial-on-demand to dial your ISP and automatically add a default route to it. Also, you would like to disconnect when there is more than 30s of network inactivity. Your ISP's phone number is 12345678 and the user name for authentication is "john". Your ISP assigns IP addresses automatically. Add an outgoing ISDN interface and configure it in the following way:

[admin@MikroTik] > interface isdn-client add name=isdn-isp phone=12345678 user=john password=31337 add-default-route=yes dial-on-demand=yes
[admin@MikroTik] > interface isdn-client print
Flags: X - disabled, R - running
 0 X name="isdn-isp" mtu=1500 mru=1500 msn="" user="john" password="31337"
     profile=default phone="12345678" l2-protocol=hdlc bundle-128K=no
     dial-on-demand=yes add-default-route=yes use-peer-dns=no

Configure the PPP profile:

[admin@MikroTik] ppp profile> print
Flags: * - default
 0 * name="default" local-address=0.0.0.0 remote-address=0.0.0.0
     session-timeout=0s idle-timeout=0s use-compression=no
     use-vj-compression=yes use-encryption=no require-encryption=no
     only-one=no tx-bit-rate=0 rx
107. ... (yes | no; default: no) - disable running check. For broken wireless cards it is a good idea to set this value to yes
master-interface (name) - wireless interface which will be used by WDS
wds-address (MAC address) - MAC address of the remote WDS host

Notes
It is not recommended to add IP addresses to dynamic WDS interfaces; they can disappear.

Example

[admin@MikroTik] interface wireless wds> add master-interface=wlan1 wds-address=00:0B:6B:30:2B:27 disabled=no
[admin@MikroTik] interface wireless wds> print
Flags: X - disabled, R - running, D - dynamic
 0 R name="wds1" mtu=1500 mac-address=00:0B:6B:30:2B:23 arp=enabled
     disable-running-check=no master-interface=wlan1
     wds-address=00:0B:6B:30:2B:27
[admin@MikroTik] interface wireless wds>

Align

Home menu level: /interface wireless align

Description
This submenu is created to position wireless links. The align submenu describes the properties which are used if the interface wireless mode is set to alignment-only. In this mode the interface listens to those packets which are sent to it from other devices working on the same channel. The interface can also send special packets which contain information about its parameters.

Property Description
active-mode (yes | no; default: yes) - whether the interface will receive and transmit alignment packets, or it will only receive them
receive-all (yes | no; default: no) - whether the interface gathers packets about ot
108. [figure: network diagram with a Laptop and a Workstation; addresses 10.150.2.x/24 and 10.150.1.1/24]

There are two routers in this example:

HomeOffice
  Interface LocalHomeOffice 10.150.2.254/24
  Interface ToInternet 192.168.80.1/24

RemoteOffice
  Interface ToInternet 192.168.81.1/24
  Interface LocalRemoteOffice 10.150.1.254/24

Each router is connected to a different ISP. One router can access another router through the Internet.

On the Preforma PPTP server a user must be set up for the client:

[admin@HomeOffice] ppp secret> add name=ex service=pptp password=1k3rht local-address=10.0.103.1 remote-address=10.0.103.2
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
 0   name="ex" service=pptp caller-id="" password="1k3jrht" profile=default
     local-address=10.0.103.1 remote-address=10.0.103.2 routes==""
[admin@HomeOffice] ppp secret>

Then the user should be added in the PPTP server list:

[admin@HomeOffice] interface pptp-server> add user=ex
[admin@HomeOffice] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME      USER  MTU   CLIENT-ADDRESS  UPTIME  ENC...
  0    pptp-in1  ex
[admin@HomeOffice] interface pptp-server>

And finally, the server must be enabled:

[admin@HomeOffice] interface pptp-server server> set enabled=yes
[admin@HomeOffice] interface pptp-server server> print
          enabled: yes
              mtu: 1460
              mru: 1460
   authentication: mscha
109. ... 003
This document applies to MikroTik RouterOS V2.8

Table of Contents
Summary
Specifications
Related Documents
Description
Example
Configuration Load
  Command Example

General Information

Summary
The configuration backup can be used for backing up the MikroTik RouterOS configuration to a binary file, which can be stored on the router or downloaded from it using ftp. The configuration restore can be used for restoring the router's configuration from a backup file.

For exporting configuration (or part of it) to a text script file and importing it, please refer to the Configuration Export and Import section of the MikroTik RouterOS Manual.

Specifications
Packages required: system
License required: Any
Home menu level: /system backup
Protocols utilized: None
Hardware usage: Not significant

Related Documents
- Software Package Management
- Configuration Export and Import

Description
The save command is used to store the entire router configuration in a backup file. The file is shown in the /file submenu. It can be downloaded via ftp to keep it as a backup for your configuration.

To restore the system configuration, for example after a system reset, it is possible to upload that file via ftp and load that backup file using the load command in the /system backup submenu.

General Information

Command name: /system backup save

Example
To save the router configuration to file test:

[ad
110. ... 22-09-2003
This document applies to MikroTik RouterOS V2.8

Table of Contents
General Information
  Summary
  Specifications
  Related Documents
  Description
  Additional Documents
Synchronous Interface Configuration
  Description
  Property Description
  Notes
  Example
Troubleshooting
  Description
Synchronous Link Application Examples
  MikroTik Router to MikroTik Router
  MikroTik Router to Cisco Router

General Information

Summary
The MikroTik RouterOS supports the MOXA C502 PCI Dual-port Synchronous 8Mb/s Adapter hardware. The V.35 synchronous interface is the standard for VSAT and other satellite modems. However, you must check with the satellite system supplier for the modem interface type.

Specifications
Packages required: synchronous
Home menu level: /interface moxa-c502
Protocols utilized: Cisco-HDLC, X.25 (RFC 1356), Frame Relay (RFC1490), PPP (RFC 1661), PPP (RFC 1662)
Hardware usage: Not significant

Related Documents
- Software Package Management
- Device Driver Management
- IP Addresses and ARP
- Log Management

Description
You can install up to four MOXA C502 synchronous cards in one PC box, if you have so many PCI slots available. Assuming you have all necessary packages and licences installed, in most cases nothing needs to be done at that point: all drivers are loaded automatically.

Additional Documents
For more information about the MOXA C502 Dual-port Synchronous 8Mb/s Ada
111. [figure: network diagram showing the ether interfaces (192.168.0.254/24 and 10.0.0.254/24) and the two LANs, 10.0.0.0/24 and 192.168.0.0/24]

The interface should be enabled according to the instructions given above. The IP addresses assigned to the synchronous interface should be as follows:

[admin@MikroTik] ip address> add address=1.1.1.1/32 interface=farsync1 network=1.1.1.2 broadcast=255.255.255.255
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST        INTERFACE
  0   10.0.0.254/24      10.0.0.254      10.0.0.255       ether2
  1   192.168.0.254/24   192.168.0.254   192.168.0.255    ether1
  2   1.1.1.1/32         1.1.1.2         255.255.255.255  farsync1
[admin@MikroTik] ip address> ping 1.1.1.2
1.1.1.2 64 byte pong: ttl=255 time=31 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 26/27.6/31 ms
[admin@MikroTik] ip address>

Note that for the point-to-point link the network mask is set to 32 bits, the argument network is set to the IP address of the other end, and the broadcast address is set to 255.255.255.255.

The default route should be set to the gateway router 1.1.1.2:

[admin@MikroTik] ip route> add gateway=1.1.1.2
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
  #   DST-ADDRESS   G GATEWAY   DISTANCE  INTERFACE
  0 S 0.0.0.0/0     E
112. ... 25 5630 5635 5640 5645 5650 5655 5660 5665 5670 5675 5680 5685 5690 5695 5700 5705 5710 5715 5720 5725 5730 5735 5740 5745 5750 5755 5760 5765 5770 5775 5780 5785 5790 5795 5800 5805 5810 5815 5820 5825 5830 5835 5840 5845 5850 5855 5860 5865 5870 5875 5880 5885 5890 5895 5900 5905 5910 5915 5920 5925 5930 5935 5940 5945 5950 5955 5960 5965 5970 5975 5980 5985 5990 5995 6000 6005 6010 6015 6020 6025 6030 6035 6040 6045 6050 6055 6060 6065 6070 6075 6080 6085 6090 6095 6100) - the list of 5GHz-turbo channels (frequencies are given in MHz)

Notes
There is a special argument for the print command: print count-only. It forces the print command to print only the count of information topics.

Example

[admin@MikroTik] interface wireless info> print
 0 interface-type=Atheros AR5212 tx-power-control=yes ack-timeout-control=yes
   alignment-mode=yes virtual-aps=yes noise-floor-control=yes
   supported-bands=2GHz-B,5GHz,5GHz-turbo,2GHz-G
   2GHz-B-channels=2312,2317,2322,2327,2332,2337,2342,2347,2352,2357,2362,2367,2372,2412,2417,2422,2427,2432,2437,2442,2447,2452,2457,2462,2467,2472,2512,2532,2552,2572,2592,2612,2632,2652,2672,2692,2712,2732,2484
   5GHz-channels=5120,5125,5130,5135,5140,5145,5150,5155,5160,5165,5170,5175,5180,5185,5190,5195,5200,5205,5210,5215,5220,5225,5230,5235,5240,5245,5250,5255,5260,5265,5270,5275,5280,5285,5290,5295,5300,5
113. ... 25,5630,5635,5640,5645,5650,5655,5660,5665,5670,5675,5680,5685,5690,5695,5700,5705,5710,5715,5720,5725,5730,5735,5740,5745,5750,5755,5760,5765,5770,5775,5780,5785,5790,5795,5800,5805,5810,5815,5820,5825,5830,5835,5840,5845,5850,5855,5860,5865,5870,5875,5880,5885,5890,5895,5900,5905,5910,5915,5920,5925,5930,5935,5940,5945,5950,5955,5960,5965,5970,5975,5980,5985,5990,5995,6000,6005,6010,6015,6020,6025,6030,6035,6040,6045,6050,6055,6060,6065,6070,6075,6080,6085,6090,6095,6100
   2GHz-G-channels=2312,2317,2322,2327,2332,2337,2342,2347,2352,2357,2362,2367,2372,2412,2417,2422,2427,2432,2437,2442,2447,2452,2457,2462,2467,2472,2512,2532,2552,2572,2592,2612,2632,2652,2672,2692,2712,2732,2484
   hw-resets=20 bad-format-packets=0 bad-sequence-packets=0
   bad-source-packets=0 unauthenticated-sender-packets=0
   unassociated-sender-packets=0 last-hw-reset=00:02:28.190
   last-bad-format-packet=00:00:00 last-bad-sequence-packet=00:00:00
   last-bad-source-packet=00:00:00 last-unauthenticated-sender-packet=00:00:00
   last-unassociated-sender-packet=00:00:00
[admin@MikroTik] interface wireless info>

Virtual Access Point Interface

Home menu level: /interface wireless

Description
The Virtual Access Point (VAP) interface is used to have an additional AP. You can create a new AP with a different ssid. It can be compared with a VLAN, where the ssid from the VAP is the VLAN tag.
114. ... 3.2

[admin@RemoteOffice] > ip route add dst-address=10.150.2.0/24 gateway=10.0.103.1

On the PPTP server it can alternatively be done using the routes parameter of the user configuration:

[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
 0   name="ex" service=pptp caller-id="" password="1k3jrht" profile=default
     local-address=10.0.103.1 remote-address=10.0.103.2 routes==""
[admin@HomeOffice] ppp secret> set 0 routes="10.150.1.0/24 10.0.103.2 1"
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
 0   name="ex" service=pptp caller-id="" password="1k3jrht" profile=default
     local-address=10.0.103.1 remote-address=10.0.103.2
     routes="10.150.1.0/24 10.0.103.2 1"
[admin@HomeOffice] ppp secret>

Test the PPTP tunnel connection:

[admin@RemoteOffice] > ping 10.0.103.1
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

Test the connection through the PPTP tunnel to the LocalHomeOffice interface:

[admin@RemoteOffice] > ping 10.150.2.254
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

To bridge a LAN over this secure tunnel, please
115. ... 305,5310,5315,5320,5325,5330,5335,5340,5345,5350,5355,5360,5365,5370,5375,5380,5385,5390,5395,5400,5405,5410,5415,5420,5425,5430,5435,5440,5445,5450,5455,5460,5465,5470,5475,5480,5485,5490,5495,5500,5505,5510,5515,5520,5525,5530,5535,5540,5545,5550,5555,5560,5565,5570,5575,5580,5585,5590,5595,5600,5605,5610,5615,5620,5625,5630,5635,5640,5645,5650,5655,5660,5665,5670,5675,5680,5685,5690,5695,5700,5705,5710,5715,5720,5725,5730,5735,5740,5745,5750,5755,5760,5765,5770,5775,5780,5785,5790,5795,5800,5805,5810,5815,5820,5825,5830,5835,5840,5845,5850,5855,5860,5865,5870,5875,5880,5885,5890,5895,5900,5905,5910,5915,5920,5925,5930,5935,5940,5945,5950,5955,5960,5965,5970,5975,5980,5985,5990,5995,6000,6005,6010,6015,6020,6025,6030,6035,6040,6045,6050,6055,6060,6065,6070,6075,6080,6085,6090,6095,6100
   5GHz-turbo-channels=5120,5125,5130,5135,5140,5145,5150,5155,5160,5165,5170,5175,5180,5185,5190,5195,5200,5205,5210,5215,5220,5225,5230,5235,5240,5245,5250,5255,5260,5265,5270,5275,5280,5285,5290,5295,5300,5305,5310,5315,5320,5325,5330,5335,5340,5345,5350,5355,5360,5365,5370,5375,5380,5385,5390,5395,5400,5405,5410,5415,5420,5425,5430,5435,5440,5445,5450,5455,5460,5465,5470,5475,5480,5485,5490,5495,5500,5505,5510,5515,5520,5525,5530,5535,5540,5545,5550,5555,5560,5565,5570,5575,5580,5585,5590,5595,5600,5605,5610,5615,5620,56
116. ... 36 pcq-classifier=src-address
[admin@MikroTik] queue type> add name=p2p-in kind=pcq pcq-rate=65536 pcq-classifier=dst-address
[admin@MikroTik] queue type>

Finally, add two queues to the queue tree:

[admin@MikroTik] queue tree> add name=p2p-in parent=all flow=p2p-in queue=p2p-in
[admin@MikroTik] queue tree> add name=p2p-out parent=all flow=p2p-out queue=p2p-out
[admin@MikroTik] queue tree>

VRRP (Virtual Router Redundancy Protocol)
Document revision 1.3 (04 Sep 2003)
This document applies to MikroTik RouterOS V2.8

Table of Contents
General Information
  Summary
  Related Documents
  Description
VRRP Routers
  Description
  Property Description
  Notes
Virtual IP addresses
  Property Description
  Notes
A simple example of VRRP fail-over
  Description
  Configuring Master VRRP router
  Configuring Backup VRRP router
  Testing fail-over

General Information

Summary
The Virtual Router Redundancy Protocol (VRRP) implementation in the MikroTik RouterOS is RFC2338 compliant. The VRRP protocol is used to ensure constant access to some resources. Two or more routers (referred to as VRRP Routers in this context) create a highly available cluster (also referred to as Virtual routers) with dynamic fail-over. Each router can participate in not more than 255 virtual routers per interface. Many modern routers support this protocol. Network setups with VRRP cluste
117. ... 4
This document applies to MikroTik RouterOS V2.8

Table of Contents
Summary
Related Documents
Modifying Service Settings
  Property Description
  Example
List of Services
  Description

General Information

Summary
This document lists protocols and ports used by various MikroTik RouterOS services. It helps you to determine why your MikroTik router listens to certain ports, and what you need to block/allow in case you want to prevent or grant access to certain services. Please see the relevant sections of the Manual for more explanations.

Home menu level: /ip service

Related Documents
- Firewall Filters
- Packet Marking (Mangle)
- Certificate Management

Modifying Service Settings

Home menu level: /ip service

Property Description
name (name) - service name
port (integer: 1..65535) - the port the particular service listens on
address (IP address/mask; default: 0.0.0.0/0) - IP address(es) from which the service is accessible
certificate (name | none; default: none) - the name of the certificate used by the particular service; absent for the services that do not need certificates

Example
To set the www service to use port 8081, accessible from the 10.10.10.0/24 network:

[admin@MikroTik] ip service> print
Flags: X - disabled, I - invalid
  #   NAME     PORT  ADDRESS    CERTIFICATE
  0   telnet   23    0.0.0.0/0
  1   ftp      21    0.0.0.0/0
  2   www      80    0.0.0.0/0
  3   hotspot  8088  0.0.0.0/0
  4   ssh      22    0.0.0.0/0
  5
118. ... 460
   authentication: mschap2
   default-profile: default
[admin@RemoteOffice] interface l2tp-server server>

Finally, proxy ARP must be enabled on the Office interface:

[admin@RemoteOffice] interface ethernet> set Office arp=proxy-arp
[admin@RemoteOffice] interface ethernet> print
Flags: X - disabled, R - running
  #    NAME        MTU   MAC-ADDRESS        ARP
  0  R ToInternet  1500  00:30:4F:0B:7B:C1  enabled
  1  R Office      1500  00:30:4F:06:62:12  proxy-arp
[admin@RemoteOffice] interface ethernet>

L2TP Setup for Windows
Microsoft provides L2TP client support for Windows XP, 2000, NT4, ME and 98. Windows 2000 and XP include support in the Windows setup or automatically install L2TP. For 98, NT and ME, installation requires a download from Microsoft (L2TP/IPsec VPN Client). For more information, see: Microsoft L2TP/IPsec VPN Client.

On Windows 2000, L2TP setup without IPsec requires editing the registry: Disabling IPsec for the Windows 2000 Client; Disabling IPSEC Policy Used with L2TP.

Troubleshooting

Description
- I use a firewall and I cannot establish an L2TP connection
  Make sure UDP connections can pass through both directions between your sites.
- My Windows L2TP/IPsec VPN Client fails to connect to the L2TP server with "Error 789" or "Error 781"
  The error messages 789 and 781 occur when IPsec is not configured properly on both ends. See the respective documentation on how to configure IPsec in the Microsof
119. ... 5.0
!
interface Serial0
 description connected to Internet
 no ip address
 encapsulation frame-relay IETF
 serial restart_delay 1
 frame-relay lmi-type ansi
 frame-relay intf-type dce
!
interface Serial0.1 point-to-point
 ip address 1.1.1.2 255.255.255.0
 no arp frame-relay
 frame-relay interface-dlci 42
!
end

Send ping to the MikroTik router:

CISCO# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
CISCO#

Example with MikroTik Router to MikroTik Router
Let us consider the following example. In this example we will use two Moxa C101 synchronous cards. Do not forget to set the line protocol for the synchronous interfaces to frame-relay. To achieve a proper result, one of the synchronous interfaces must operate in DCE mode:

[admin@r1] interface moxa-c101> set 0 frame-relay-dce=yes
[admin@r1] interface moxa-c101> print
Flags: X - disabled, R - running
 0 R name="moxa-c101-1" mtu=1500 line-protocol=frame-relay clock-rate=64000
     clock-source=external frame-relay-lmi-type=ansi frame-relay-dce=yes
     cisco-hdlc-keepalive-interval=10s ignore-dcd=no
[admin@r1] interface moxa-c101>

Then we need to add PVC interfaces and IP addresses. On R1:

[admin@r1] interface pvc> add dlci=42 interface=moxa-c101-1
[admin@r1] interface pvc> print
Flags
120. IP over IP (IPIP) Tunnel Interface
Document revision 1.1 (22-09-2003)
This document applies to MikroTik RouterOS V2.8

Table of Contents
General Information
  Summary
  Specifications
  Related Documents
  Additional Documents
IPIP Setup
  Description
  Property Description
  Notes
IPIP Configuration Application Example

General Information

Summary
The IPIP tunneling implementation on the MikroTik RouterOS is RFC 2003 compliant. IPIP tunnel is a simple protocol that encapsulates IP packets in IP to make a tunnel between two routers. The IPIP tunnel interface appears as an interface under the interface list. Many routers, including Cisco and Linux based, support this protocol. This protocol makes multiple network schemes possible.

The IP tunneling protocol adds the following possibilities to network setups:
- to tunnel Intranets over the Internet
- to use it instead of source routing

Specifications
Packages required: system
Home menu level: /interface ipip
Protocols utilized: IPIP (RFC 2003)
Hardware usage: Not significant

Related Documents
- Software Package Management
- Device Driver Management
- IP Addresses and ARP
- Log Management

Additional Documents
- http://www.ietf.org/rfc/rfc1853.txt?number=1853
- http://www.ietf.org/rfc/rfc2003.txt?number=2003
- http://www.ietf.org/rfc/rfc1241.txt?number=1241

IPIP Setup

Home menu level: /interface ipip

Description
64kbps leaving the client's LAN. Please note that the queues have been added for the outgoing interfaces regarding the traffic flow. As you can see, the two values for the max-limit parameter set the download data rate to 128kbps and the upload to 64kbps.

To monitor the traffic flow through the interface while doing a file transfer, use the interface monitor-traffic command:

[admin@MikroTik] queue simple> /interface monitor-traffic Local
    received-packets-per-second: 7
       received-bits-per-second: 62.2kbps
        sent-packets-per-second: 12
           sent-bits-per-second: 125kbps
[admin@MikroTik] queue simple>

If you want to exclude the server from being limited, add a queue for it without limitation (max-limit is 0/0 by default) and move it to the top:

[admin@MikroTik] queue simple> add name=Server interface=Local dst-address=192.168.0.17/32
[admin@MikroTik] queue simple> print
Flags: X - disabled, I - invalid, D - dynamic
 0   name="LimitClients" target-address=0.0.0.0/0 dst-address=0.0.0.0/0 interface=Local
     queue=default priority=8 limit-at=0/0 max-limit=131072/65536
 1   name="Server" target-address=0.0.0.0/0 dst-address=192.168.0.17/32 interface=Local
     queue=default priority=8 limit-at=0/0 max-limit=0/0
[admin@MikroTik] queue simple> move 1 0
[admin@MikroTik] queue simple> print
Flags: X - disabled, I - invalid, D - dynamic
 0   name="Server" target-address=0.0.0.0/0 dst-address=192.168.0.17/32 interface=Local
     queue=default pr
5470, 5475, 5480, ... (every 5 MHz) ..., 6095, 6100) - the list of 5GHz channels; frequencies are given in MHz
5ghz-turbo-channels (multiple choice, read-only: 5120, 5125, 5130, ... (every 5 MHz) ..., 5615, 5620
 3   0.292  ether1  10.0.0.181             10.0.0.4                gre  88
 4   0.32   ether1  10.0.0.241:1839        10.0.0.181:23 (telnet)  tcp  40
 5   0.744  ether1  10.0.0.144:2265        10.0.0.181:22 (ssh)     tcp  76
 6   0.744  ether1  10.0.0.144:2265        10.0.0.181:22 (ssh)     tcp  76
 7   0.744  ether1  10.0.0.181:22 (ssh)    10.0.0.144:2265         tcp  40
 8   0.744  ether1  10.0.0.181:22 (ssh)    10.0.0.144:2265         tcp  76
-- more

Packet Sniffer Protocols
Home menu level: /tool sniffer protocol

Description
In this submenu you can see all kinds of protocols that have been sniffed.

Property Description
bytes (integer) - total number of data bytes
protocol (read-only: ip | arp | rarp | ipx | ipv6) - the name/number of the ethernet protocol:
- ip - Internet Protocol
- arp - Address Resolution Protocol
- rarp - Reverse Address Resolution Protocol
- ipx - Internet Packet eXchange protocol
- ipv6 - Internet Protocol next generation
ip-protocol (ip | icmp | igmp | ggp | ipencap | st | tcp | egp | pup | udp | hmp | xns-idp | rdp | iso-tp4 | xtp | ddp | idrp | cmtp | gre | esp | ah | rspf | vmtp | ospf | ipip | encap) - the name/number of the IP protocol:
- ip - Internet Protocol
- icmp - Internet Control Message Protocol
- igmp - Internet Group Management Protocol
- ggp - Gateway-Gateway Protocol
- ipencap - IP Encapsulated in IP
- st - ST datagram mode
- tcp - Transmission Control Protocol
- egp - Exterior Gateway Protocol
- pup - PARC Universal Packet Protocol
- udp - User Datagram Protocol
- hmp - Host Monitori
8390 PCMCIA/CardBus 10Base:
- D-Link DE-660 Ethernet
- NE-2000 Compatible PCMCIA Ethernet
- NS8390-based PCMCIA cards

RealTek RTL8129 (Chipset type: RealTek RTL8129, PCI 10/100Base):
- RealTek RTL8129 Fast Ethernet
- RealTek RTL8139 Fast Ethernet (RTL8139A/B/C chip, RTL8130 chip)
- SMC1211TX EZCard 10/100 (RealTek RTL8139)
- Accton MPX5030 (RealTek RTL8139)
- D-Link DFE-538TX

Sundance ST201 Alta (Chipset type: Sundance ST201 Alta, PCI 10/100Base):
- D-Link DFE-550TX Fast Ethernet Adapter
- D-Link DFE-550FX 100Mbps Fiber-optics Adapter
- D-Link DFE-580TX 4 port Server Adapter
- D-Link DFE-530TXS Fast Ethernet Adapter
- D-Link DL10050-based FAST Ethernet Adapter
- Sundance ST201 Alta chip
- Kendin KS8723 chip

TI ThunderLAN (Chipset type: TI ThunderLAN, PCI 10/100Base):
- Compaq Netelligent 10 T
- Compaq Netelligent 10 T/2
- Compaq Netelligent 10/100 TX
- Compaq NetFlex-3/P
- Olicom OC-2183, OC-2185, OC-2325, OC-2326

VIA vt612x Velocity (Chipset type: VIA vt612x Velocity, PCI 10/100/1000Base):
- VIA VT6120
- VIA VT6121
- VIA VT6122

VIA vt86c100 Rhine (Chipset type: VIA vt86c100 Rhine, PCI 10/100Base):
- VIA Rhine vt3043
- VIA Rhine II vt3065 (AKA vt86c100)
- VIA VT86C100A Rhine
- VIA VT6102 Rhine II
- VIA VT6105 Rhine III
- VIA VT6105M Rhine III
- D-Link DFE-530TX

Winbond w89c840 (Chipset type: Winbond w89c840, PCI 10/100Base):
- Winbond W89c840
- Compex RL100-ATX

Notes
For ISA cards lo
max-limit (integer; default: 0) - maximum stream data rate (bits/s)
burst-limit (text; default: 0/0) - average burst threshold
burst-threshold (text; default: 0/0) - average burst threshold
burst-time (text; default: 0/0) - burst time

Notes
max-limit must be equal to or greater than limit-at.
To apply queues on flows, the mangle feature should be used first to mark incoming packets.
Simple queues are applied before queue trees.

Example
To mark all the traffic going from web servers (TCP source port 80) with the abc-http mark:

[admin@MikroTik] ip firewall mangle> add action=passthrough mark-flow=abc-http protocol=tcp src-port=80
[admin@MikroTik] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
 0   src-port=80 protocol=tcp action=passthrough mark-flow=abc-http
[admin@MikroTik] ip firewall mangle>

You can add the queue using the queue tree add command:

[admin@MikroTik] queue tree> add name=HTTP parent=ether1 flow=abc-http max-limit=128000
[admin@MikroTik] queue tree> print
Flags: X - disabled, I - invalid, D - dynamic
 0   name="HTTP" parent=ether1 flow=abc-http limit-at=0 queue=default priority=8
     max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0
[admin@MikroTik] queue tree>

Troubleshooting

Description
The queue is not added for the correct interface. Add the queue to the interface through which the traffic is leaving the router. Queuing works only for pac
File Transfer Protocol (FTP) ............................................ 283
Ping ................................................................... 285
  General Information .................................................. 285
  MAC Ping Server ...................................................... 286
Quality of Service ..................................................... 288
  Queue Types .......................................................... 291
  Interface Default Queues ............................................. 292
  Configuring Simple Queues ............................................ 293
  Configuring Queue Trees .............................................. 294
  Troubleshooting ...................................................... 295
  Queue Applications ................................................... 295
Export and Import ...................................................... 300
  General Information .................................................. 300
  The Export Command ................................................... 301
  The Import Command ................................................... 301
Simple Network Management Protocol (SNMP) .............................. 303
  General Information .................................................. 303
  SNMP Setup ........................................................... 304
  SNMP Communities ..................................................... 304
  Available OIDs ....................................................... 305
  Available MIBs ....................................................... 306
  Tools for SNMP Data Collection and Analysis .......................... 309
MAC Telnet Server and Client ........................................... 311
  General Information .................................................. 311
  MAC Telnet ........................................................... 311
  Monitoring Active Session ............................................ 312
  MAC Telnet Client .................................................... 312
Ping ................................................................... 313
  General Information .................................................. 313
VLAN example on MikroTik Routers

General Information

Summary
VLAN is an implementation of the 802.1Q VLAN protocol for MikroTik RouterOS 2.7. It allows you to have multiple Virtual LANs on a single ethernet cable, giving the ability to segregate LANs efficiently. It supports up to 250 vlan interfaces per ethernet device. Many routers, including Cisco and Linux based ones, and many Layer 2 switches also support it.

A VLAN is a logical grouping that allows end users to communicate as if they were physically connected to a single isolated LAN, independent of the physical configuration of the network. VLAN support adds a new dimension of security and cost savings, permitting the sharing of a physical network while logically maintaining separation among unrelated users. Keep in mind that the tag is only a label on the frame: the separation holds only as long as every switch port and router in the path enforces which VLAN IDs it accepts and forwards.

Specifications
Packages required: system
Home menu level: /interface vlan
Protocols utilized: VLAN (IEEE 802.1Q)
Hardware usage: Not significant

Related Documents
- Software Package Management
- IP Addresses and ARP

Description
VLANs are simply a way of grouping a set of switch ports together so that they form a logical network, separate from any other such group. Within a single switch this is straightforward local configuration. When the VLAN extends over more than one switch, the inter-switch links have to become trunks, on which packets are tagged to indicate which VLAN they belong to. You can use MikroTik RouterOS (as well as Cisco IOS and Linux) to mark these packets as
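To make the tagging concrete, here is an added example in Python (not part of the manual and not RouterOS code) that parses an Ethernet frame the way the packet sniffer above classifies it: it reads the optional 802.1Q tag (priority and VLAN ID), maps the ethertype to the sniffer's ethernet protocol names and, for IP, maps the IP protocol number to the names listed under /tool sniffer protocol. It also handles a stacked second tag, which is what a trunk carrying already-tagged frames looks like on the wire. The frames fed to it are constructed for the example; the MAC addresses and VLAN IDs are arbitrary.

```python
import struct

# Ethernet protocol names as the sniffer lists them, keyed by ethertype
ETHERTYPES = {0x0800: "ip", 0x0806: "arp", 0x8035: "rarp", 0x8137: "ipx", 0x86DD: "ipv6"}
# IP protocol names as the sniffer lists them, keyed by the IANA protocol number
IP_PROTOCOLS = {1: "icmp", 2: "igmp", 3: "ggp", 4: "ipencap", 5: "st", 6: "tcp", 8: "egp",
                12: "pup", 17: "udp", 20: "hmp", 22: "xns-idp", 27: "rdp", 29: "iso-tp4",
                36: "xtp", 37: "ddp", 38: "cmtp", 45: "idrp", 47: "gre", 50: "esp", 51: "ah",
                73: "rspf", 81: "vmtp", 89: "ospf", 94: "ipip", 98: "encap"}
VLAN_TPID = 0x8100   # 802.1Q tag protocol identifier


def mac_str(raw):
    return ":".join("%02X" % b for b in raw)


def parse_frame(frame):
    """Return dst/src MAC, the list of 802.1Q tags (outermost first), the ethernet protocol and, for IP, the IP protocol."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, pos, vlans = frame[:6], frame[6:12], 12, []
    ethertype = struct.unpack("!H", frame[pos:pos + 2])[0]
    while ethertype == VLAN_TPID:           # one tag normally; two on a trunk carrying tagged frames
        if len(frame) < pos + 6:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[pos + 2:pos + 4])[0]
        vid = tci & 0x0FFF
        if vid == 0x0FFF:
            raise ValueError("VLAN ID 4095 is reserved")
        # VID 0 means "priority tag only": the frame belongs to no VLAN
        vlans.append({"vid": vid, "priority": tci >> 13, "priority_only": vid == 0})
        pos += 4
        ethertype = struct.unpack("!H", frame[pos:pos + 2])[0]
    pos += 2
    result = {"dst": mac_str(dst), "src": mac_str(src), "vlans": vlans,
              "protocol": ETHERTYPES.get(ethertype, "0x%04X" % ethertype), "ip_protocol": None}
    if ethertype == 0x0800 and len(frame) >= pos + 20:
        result["ip_protocol"] = IP_PROTOCOLS.get(frame[pos + 9], str(frame[pos + 9]))
    return result


def build_frame(dst, src, ethertype, payload, vlans=()):
    """Build a frame; vlans is a sequence of (vid, priority) pairs, outermost tag first."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid, prio in vlans:
        hdr += struct.pack("!HH", VLAN_TPID, (prio << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


def protocol_totals(frames):
    """Byte totals per (protocol, ip-protocol), like the sniffer's protocol submenu."""
    totals = {}
    for frame in frames:
        info = parse_frame(frame)
        key = (info["protocol"], info["ip_protocol"])
        totals[key] = totals.get(key, 0) + len(frame)
    return totals


# Constructed sample payloads: a bare IPv4 header carrying TCP, and an ARP request body.
IPV4_TCP = bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6]) + b"\x00" * 10 + b"\x0a\x00\x00\x01\x0a\x00\x00\x02"
ARP_BODY = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + b"\x00" * 20

if __name__ == "__main__":
    tagged = build_frame("00:50:08:00:00:F5", "00:0C:42:00:00:01", 0x0800, IPV4_TCP, [(42, 5)])
    print(parse_frame(tagged))
```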
IP Addressing ........................................................ 175
  Address Resolution Protocol ........................................ 176
  Proxy ARP .......................................................... 177
  Unnumbered Interfaces .............................................. 177
IPsec ................................................................ 179
  General Information ................................................ 179
  Policy Settings .................................................... 181
  Peers .............................................................. 184
  Remote Peer Statistics ............................................. 185
  Installed SAs ...................................................... 186
  Flushing Installed SA Table ........................................ 187
  Counters ........................................................... 187
  General Information ................................................ 188
Routes, Equal Cost Multipath Routing, Policy Routing ................. 192
  General Information ................................................ 192
  Static Routes ...................................................... 193
  Policy Rules ....................................................... 196
  Application Examples ............................................... 197
Connection Tracking and Service Ports ................................ 199
  General Information ................................................ 199
  Connection Tracking ................................................ 199
  Service Ports ...................................................... 200
Packet Marking (Mangle) .............................................. 202
  General Information ................................................ 202
Firewall Filters ..................................................... 205
  General Information ................................................ 205
  Firewall Rules ..................................................... 206
  Firewall Chains .................................................... 209
Peer-to-Peer Traffic Control ......................................... 211
  General Information ................................................ 211
Add hotspot authentication for existing interface? (setup interface already configured): yes
Create local hotspot user (name of local hotspot user): admin
password for the user: rubbish
Use transparent web proxy for hotspot clients (use transparent web proxy): yes
[admin@MikroTik] ip hotspot>

HotSpot Step by Step User Guide for dhcp-pool Method

Description
Let us consider the following example HotSpot setup. There will be 2 HotSpot IP address ranges used for clients on the prism1 interface. You are free to choose the address ranges; just make sure you use masquerading for the ones that are not routed. In this example we are using:
- temporary addresses, which must be masqueraded:
  - network 192.168.0.0/24
  - gateway 192.168.0.1
  - pool 192.168.0.2-192.168.0.254
- real addresses, which require routing:
  - network 10.5.50.0/24
  - gateway 10.5.50.1
  - pool 10.5.50.2-10.5.50.254

For HotSpot client accounting, HotSpot will add dynamic firewall rules in the firewall hotspot chain. This chain has to be created manually, and all network packets to/from HotSpot clients have to pass this chain.

Example
1. The ether1 interface is configured with IP address 10.5.6.5/24 and the default route pointing to the 10.5.6.1 gateway.
2. The prism1 interface is configured for AP mode and is able to register IEEE 802.11b wireless clients. See the Prism Interface Manual for more details.
3. ARP should be set to reply-only mode on the p
C ping feature enabled can be pinged by MAC address.

An example of the Ping command:

[admin@MikroTik] > ping 10.1.1.1
10.1.1.1 64 byte ping: ttl=64 time=1 ms
10.1.1.1 64 byte ping: ttl=64 time=1 ms
10.1.1.1 64 byte ping: ttl=64 time=1 ms
10.1.1.1 64 byte ping: ttl=64 time=1 ms
10.1.1.1 64 byte ping: ttl=64 time=1 ms
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1/1.0/1 ms
[admin@MikroTik] >

MAC Ping Server
Home menu level: /tool mac-server ping

Property Description
enabled (yes | no; default: yes) - whether MAC pings to this router are allowed

MAC ping answers any host on the same Layer 2 segment and is not subject to the IP firewall, so disable it on routers with interfaces facing untrusted networks.

Example
To disable MAC pings:

[admin@MikroTik] tool mac-server ping> set enabled=no
[admin@MikroTik] tool mac-server ping> print
    enabled: no
[admin@MikroTik] tool mac-server ping>

Dynamic DNS (DDNS) Update Tool
Document revision 1.2 (13-10-2003)
This document applies to MikroTik RouterOS V2.8

Table of Contents
 Summary; Specifications; Related Documents; Description; Additional Documents
 Dynamic DNS Update: Property Description; Notes; Example

General Information

Summary
The Dynamic DNS Update Tool gives a way to keep a domain name pointing to a dynamic IP address. It works by sending a domain name system update request to the name server which has the zone to be updated. Secure DNS updates are also supported. The DNS update tool supports only one algorithm, hmac-md5. It's the only pr
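What a "secure DNS update" with hmac-md5 actually signs is easy to get wrong, so here is an added example in Python (not the RouterOS tool's code and not from the manual) that builds a minimal DNS UPDATE message (RFC 2136: one zone entry, one "add A record" prerequisite-free update), appends an RFC 2845 TSIG record whose MAC is HMAC-MD5 over the message and the TSIG variables, and shows the server-side verification, including the time-window check that stops a captured update from being replayed later. The key name, secret, zone, host and timestamp are assumed values for the example; the DNS wire format is written out by hand so the code runs without any DNS library.

```python
import hashlib
import hmac
import struct

HMAC_MD5_ALG = "hmac-md5.sig-alg.reg.int"   # the only algorithm the RouterOS 2.8 tool offers
TYPE_A, TYPE_SOA, TYPE_TSIG, CLASS_IN, CLASS_ANY = 1, 6, 250, 1, 255


def encode_name(name):
    """Uncompressed wire-format name, lower-cased (the TSIG canonical form, RFC 2845 3.4.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(buf, pos):
    """Read an uncompressed name; returns (name, new_pos). Compression pointers are rejected."""
    labels = []
    while True:
        n = buf[pos]
        if n & 0xC0:
            raise ValueError("compressed names are not supported here")
        pos += 1
        if n == 0:
            return ".".join(labels), pos
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n


def build_update(zone, hostname, ip, ttl=300, msg_id=0x1234):
    """DNS UPDATE: header (opcode 5), zone section with the SOA name, one A record to add."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)   # ZOCOUNT=1, UPCOUNT=1, ADCOUNT=0
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(o) for o in ip.split("."))
    add_rr = encode_name(hostname) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_sec + add_rr


def _tsig_variables(keyname, algorithm, time_signed, fudge, error, other):
    """The TSIG fields covered by the MAC, in the order RFC 2845 3.4.2 prescribes."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(algorithm)
            + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
            + struct.pack("!HH", error, len(other)) + other)


def tsig_sign(message, keyname, secret, time_signed, fudge=300):
    """Append a TSIG RR: MAC = HMAC-MD5(secret, unsigned message || TSIG variables)."""
    mac = hmac.new(secret, message + _tsig_variables(keyname, HMAC_MD5_ALG, time_signed, fudge, 0, b""),
                   hashlib.md5).digest()
    msg_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(HMAC_MD5_ALG)
             + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(mac)) + mac + struct.pack("!HHH", msg_id, 0, 0))
    tsig_rr = encode_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1      # the TSIG RR is counted in ARCOUNT
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def tsig_verify(signed, secret, now, expected_keyname):
    """Server side: find the trailing TSIG RR, recompute the MAC, enforce key name and time window."""
    counts = struct.unpack("!HHHHHH", signed[:12])
    pos = 12
    for _ in range(counts[2]):                                  # zone/question entries
        pos = read_name(signed, pos)[1] + 4
    for _ in range(counts[3] + counts[4] + counts[5] - 1):      # every RR except the final TSIG
        pos = read_name(signed, pos)[1]
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    tsig_start = pos
    keyname, pos = read_name(signed, pos)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[pos:pos + 10])
    pos += 10
    if rtype != TYPE_TSIG or rclass != CLASS_ANY or keyname != expected_keyname.lower():
        return False
    alg, pos = read_name(signed, pos)
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", signed[pos:pos + 10])
    pos += 10
    time_signed = (hi << 32) | lo
    mac = signed[pos:pos + mac_len]
    pos += mac_len
    orig_id, error, other_len = struct.unpack("!HHH", signed[pos:pos + 6])
    pos += 6
    other = signed[pos:pos + other_len]
    if alg != HMAC_MD5_ALG or orig_id != counts[0] or abs(now - time_signed) > fudge:
        return False
    unsigned = signed[:10] + struct.pack("!H", counts[5] - 1) + signed[12:tsig_start]
    expected = hmac.new(secret, unsigned + _tsig_variables(keyname, alg, time_signed, fudge, error, other),
                        hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    msg = build_update("example.com", "router.example.com", "192.0.2.10")
    signed = tsig_sign(msg, "ddns-key", b"assumed-shared-secret", time_signed=1072268436)
    print(tsig_verify(signed, b"assumed-shared-secret", 1072268436 + 5, "ddns-key"))
```

Two points worth noticing: the MAC covers the whole update, so changing even one byte of the address being registered invalidates it, and the fudge window (300 s here) is the only replay protection TSIG has, so both ends need a correct clock. HMAC-MD5 is still a sound MAC construction despite MD5's collision weaknesses, but the secret is shared, so anyone holding the router's key can rewrite the zone entry.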
Command name: /system resource io print

Description
IO usage shows which IO (Input/Output) ports are currently used by hardware.

Example
[admin@MikroTik] > system resource io print
  PORT-RANGE     OWNER
  0x20-0x3F      APIC
  0x40-0x5F      timer
  0x60-0x6F      keyboard
  0x80-0x8F      DMA
  0xA0-0xBF      APIC
  0xC0-0xDF      DMA
  0xF0-0xFF      FPU
  0x1F0-0x1F7    IDE 1
  0x2F8-0x2FF    serial port
  0x3C0-0x3DF    VGA
  0x3F6-0x3F6    IDE 1
  0x3F8-0x3FF    serial port
  0xCF8-0xCFF    PCI conf1
  0x4000-0x40FF  PCI CardBus #03
  0x4400-0x44FF  PCI CardBus #03
  0x4800-0x48FF  PCI CardBus #04
  0x4C00-0x4CFF  PCI CardBus #04
  0x5000-0x500F  Intel Corp. 82801BA/BAM SMBus
  0xC000-0xC0FF  Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+
  0xC000-0xC0FF  8139too
  0xC400-0xC407  Cologne Chip Designs GmbH ISDN network controller (HFC-PCI) (1 port)
  0xC800-0xC87F  Cyclades Corporation PC300/TE
  0xF000-0xF00F  Intel Corp. 82801BA IDE U100
[admin@MikroTik] >

Reboot
Command name: /system reboot

Description
The system reboot is required when upgrading or installing new software packages. The packages are installed during the system shutdown. The reboot process sends a termination signal to all running processes, unmounts the file systems, and reboots the router.

Notes
Only users which are members of groups with reboot privileges are permitted to reboot the router.
Reboot can be called from scripts, in which case it does not prompt for c
- Cyclone CardBus
- 3c575 series CardBus (3Com Boomerang)

ADMtek Pegasus (Chipset type: ADMtek Pegasus/Pegasus II, USB 10/100BaseT):
- Planet 10/100Base-TX USB Ethernet Adapter UE-9500
- Linksys Instant EtherFast 10/100 USB Network Adapter USB100TX

AMD PCnet (Chipset type: AMD PCnet/PCnet II, ISA/PCI 10BaseT):
- AMD PCnet-ISA
- AMD PCnet-ISA II
- AMD PCnet-PCI II
- AMD 79C960 based cards

AMD PCnet32 (Chipset type: AMD PCnet32, PCI 10BaseT and 10/100BaseT):
- AMD PCnet-PCI
- AMD PCnet-32
- AMD PCnet-Fast

Broadcom Tigon3 (Chipset type: Broadcom Tigon3, PCI 10/100/1000BaseT):
- Broadcom Tigon3 570x
- Broadcom Tigon3 5782
- Broadcom Tigon3 5788
- Broadcom Tigon3 5901
- Broadcom Tigon3 5901-2
- SysKonnect SK-9Dxx Gigabit Ethernet
- SysKonnect SK-9Mxx Gigabit Ethernet
- Altima AC100x
- Altima AC9100

Davicom DM9102 (Chipset type: Davicom DM9102, PCI 10/100Base):
- Davicom DM9102
- Davicom DM9102A
- Davicom DM9102A+DM9801
- Davicom DM9102A+DM9802

DEC 21x4x Tulip (Chipset type: DEC 21x4x Tulip, PCI 10/100Base):
- Digital DC21040 Tulip
- Digital DC21041 Tulip
- Digital DS21140 Tulip (21140A chip, 21142 chip)
- Digital DS21143 Tulip
- D-Link DFE-570TX 4 port
- Lite-On 82c168 PNIC
- Macronix 98713 PMAC
- Macronix 98715 PMAC
- Macronix 98725 PMAC
- ASIX AX88140
- Lite-On LC82C115 PNIC II
- ADMtek AN981 Comet
- Compex RL100-TX
- Intel 21145 Tulip
- IMC QuikNic FX
- Conexant LANfinity

Intel EtherExpressPro (Chipset type: Intel i82557 S
    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
 0  S 0.0.0.0/0          r 1.1.1.2         1        cyclades1
 1 DC 10.0.0.0/24        r 0.0.0.0         0        ether1
 2 DC 192.168.0.0/24     r 0.0.0.0         0        ether2
 3 DC 1.1.1.2/32         r 0.0.0.0         0        cyclades1
[admin@MikroTik] ip route>

The configuration of the CISCO router at the other end (part of the configuration) is:

CISCO# show running-config
Building configuration...
Current configuration:
...
!
interface Ethernet0
 description connected to EthernetLAN
 ip address 10.1.1.12 255.255.255.0
!
interface Serial0
 description connected to MikroTik
 ip address 1.1.1.2 255.255.255.252
 serial restart-delay 1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
end
CISCO#

Send ping packets to the MikroTik router:

CISCO# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/40 ms
CISCO#

Point to Point Protocol over Ethernet (PPPoE)
Document revision 1.1 (22-09-2003)
This document applies to MikroTik RouterOS V2.8

Table of Contents
 General Information: Summary; Specifications; Related Documents; Additional Documents
 PPPoE Client Setup: Description; Property Description; Notes; Example
 Monitoring PPPoE Client: Property Description; Example
 PPPoE Server Setup (Access Concentrator): Description; Property Description; Notes; Example
 PPPoE Server Users: Property Descripti
  #  NAME              LOCAL   REMOTE  REMOTE-ADDRESS  REMOTE-PORT  ECHO
  0  Firewall-Log      memory  syslog  10.0.13.11      514          no
  1  PPP-Account       memory  none    0.0.0.0         0            no
  2  PPP-Info          memory  none    0.0.0.0         0            no
  3  PPP-Error         memory  none    0.0.0.0         0            no
  4  System-Info       memory  none    0.0.0.0         0            no
  5  System-Error      memory  none    0.0.0.0         0            no
  6  System-Warning    memory  none    0.0.0.0         0            no
  7  Telephony-Info    memory  none    0.0.0.0         0            no
  8  Telephony-Error   memory  none    0.0.0.0         0            no
  9  Prism-Info        memory  none    0.0.0.0         0            no
 10  Web-Proxy-Access  memory  none    0.0.0.0         0            no
 11  ISDN-Info         memory  none    0.0.0.0         0            no
 12  Hotspot-Account   memory  none    0.0.0.0         0            no
 13  Hotspot-Info      memory  none    0.0.0.0         0            no
 14  Hotspot-Error     memory  none    0.0.0.0         0            no
 15  IPsec-Event       memory  none    0.0.0.0         0            no
 16  IKE-Event         memory  none    0.0.0.0         0            no
 17  IPsec-Warning     memory  none    0.0.0.0         0            no
 18  System-Echo       memory  none    0.0.0.0         0            yes
[admin@MikroTik] system logging facility>

Remote syslog to a host such as 10.0.13.11 goes over plain UDP port 514: messages are neither encrypted nor authenticated and can be lost or forged on the way, so carry the syslog traffic over a management network or a tunnel, and keep the local memory log enabled as well.

Log Messages
Home menu level: /log

Property Description
time (text) - date and time of the event
message (text) - message text

Notes
The print command has arguments:
- follow - monitor system logs
- without-paging - print the log without paging
- file - saves the log information to ftp

Example
To view the local logs:

[admin@MikroTik] > log print
  TIME                  MESSAGE
  dec/24/2003 08:20:36  log ...
  dec/24/2003 08:20:36  log ...
  dec/24/2003 08:20:36  log ...
  dec/24/2003 08:20:36  log ...
  dec/24/2003 08:20:36  log ...
  dec/24/2003 08:20:36  log ...
-- [Q quit|D dump|down]

To monitor the system l
- ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifName
- ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCInOctets
- ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCInUcastPkts
- ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCOutOctets
- ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCOutUcastPkts

RFC1213
- interfaces.ifNumber
- interfaces.ifTable.ifEntry.ifIndex
- interfaces.ifTable.ifEntry.ifDescr
- interfaces.ifTable.ifEntry.ifType
- interfaces.ifTable.ifEntry.ifMtu
- interfaces.ifTable.ifEntry.ifSpeed
- interfaces.ifTable.ifEntry.ifPhysAddress
- interfaces.ifTable.ifEntry.ifAdminStatus
- interfaces.ifTable.ifEntry.ifOperStatus
- interfaces.ifTable.ifEntry.ifLastChange
- interfaces.ifTable.ifEntry.ifInOctets
- interfaces.ifTable.ifEntry.ifInUcastPkts
- interfaces.ifTable.ifEntry.ifInNUcastPkts
- interfaces.ifTable.ifEntry.ifInDiscards
- interfaces.ifTable.ifEntry.ifInErrors
- interfaces.ifTable.ifEntry.ifInUnknownProtos
- interfaces.ifTable.ifEntry.ifOutOctets
- interfaces.ifTable.ifEntry.ifOutUcastPkts
- interfaces.ifTable.ifEntry.ifOutNUcastPkts
- interfaces.ifTable.ifEntry.ifOutDiscards
- interfaces.ifTable.ifEntry.ifOutErrors
- interfaces.ifTable.ifEntry.ifOutQLen

RFC2011
- ip.ipForwarding
- ip.ipDefaultTTL
- ip.ipAddrTable.ipAddrEntry.ipAdEntAddr
- ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex
- ip.ipAddrTable.ipAddrEntry.ipAdEntNetMask
- ip.ipAddrTable.ipAddrEntry.ipAdEntBcastAddr
- ip.ipAddrTable.ipAddrEntry.ipAdEntReasmMaxSize
- ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex
- ip.ipNetToMe
If the software package file can be uploaded to the router, then the disk space is sufficient for the installation of the package.

Software Package Installation/Upgrade

Description
Installation or upgrade of the MikroTik RouterOS software packages can be done by uploading the newer version of the software package to the router and rebooting it. The software package files are compressed binary files which can be downloaded from the MikroTik's web page download section. The full name of the software package consists of a descriptive name, version number and extension .npk, for example system-2.8rc3.npk or routerboard-2.8rc3.npk.

You should check the available hard disk space prior to downloading the package file by issuing the /system resource print command. If there is not enough free disk space for storing the upgrade packages, it can be freed up by uninstalling some software packages which provide functionality not required for your needs.

If you have a sufficient amount of free space for storing the upgrade packages, connect to the router using ftp. Use the user name and password of a user with full access privileges. Bear in mind that FTP sends that user name and password, and the package itself, in cleartext, so do the upload only from a trusted network or over a tunnel, and check that the file you upload is the one published by MikroTik before rebooting into it.

Step by Step
1. Connect to the router using an ftp client.
2. Select the BINARY mode file transfer.
3. Upload the software package files to the router and disconnect.
4. Check the information about the uploaded software packages using the /file print command.
5. Reboot the router by issuing the /system reboot command or by pressing Ctrl-Alt-Del keys
L2TP server to connect to
user (text) - user name to use when logging on to the remote server
password (text; default: "") - user password to use when logging on to the remote server
profile (name; default: default) - profile to use when connecting to the remote server
allow (multiple choice: mschap2, mschap1, chap, pap; default: mschap2, mschap1, chap, pap) - the protocols the client is allowed to use for authentication. With the default setting the client will fall back to pap, which sends the password in cleartext, if the server asks for it; where the server supports mschap2, set allow=mschap2 only.
add-default-route (yes | no; default: no) - whether to use the server which this client is connected to as its default router (gateway)

Example
To set up an L2TP client named test2 using username john with password john to connect to the 10.1.1.12 L2TP server and use it as the default gateway:

[admin@MikroTik] interface l2tp-client> add name=test2 connect-to=10.1.1.12 user=john add-default-route=yes password=john
[admin@MikroTik] interface l2tp-client> print
Flags: X - disabled, R - running
 0 X  name="test2" mtu=1460 mru=1460 connect-to=10.1.1.12 user="john" password="john"
      profile=default add-default-route=yes
[admin@MikroTik] interface l2tp-client> enable 0

Monitoring L2TP Client
Command name: /interface l2tp-client monitor

Property Description
status (text) - status of the client:
- Dialing - attempting to make a connection
- Verifying password... - connection has been established to the server, password verification in progress
- Connected - self-explanatory
- Te
Mbps Wireless LAN Adapters (100mW)
- CISCO/AIRONET PCI340 2.4GHz DS 11Mbps Wireless LAN Adapters (30mW)
- CISCO/AIRONET PCI/PC350/352 2.4GHz DS 11Mbps Wireless LAN Adapters (100mW)

Specifications
Packages required: wireless
Home menu level: /interface pc
Protocols utilized: IEEE 802.11b
Hardware usage: Not significant

Related Documents
- Software Package Management
- Device Driver Management
- IP Addresses and ARP
- Log Management
- Notes on PCMCIA Adapters

Additional Documents
- Cisco Aironet: www.cisco.com/warp/public/44/jump/wireless.shtml
- http://mt.lv/Documentation/manual_2.7/Interface
- www.cisco.com/warp/public/cc/pd/witc/ao350a

For more information about the CISCO/Aironet PCI/ISA adapter hardware please see the relevant User's Guides and Technical Reference Manuals in PDF format:
- 710-003638a0.pdf for PCI/ISA 4800 and 4500 series adapters
- 710-004239B0.pdf for PC 4800 and 4500 series adapters

Documentation about CISCO/Aironet Wireless Bridges and Access Points can be found in the archives:
- AP48MAN.exe for the AP4800 Wireless Access Point
- BRSOMAN.exe for the BR500 Wireless Bridge

Wireless Interface Configuration
Home menu level: /interface pc

Description
The CISCO/Aironet 2.4GHz card is an interface for wireless networks operating in the IEEE 802.11b standard. If the wireless interface card is not registered to an AP, the green status led is blinking fast. If the wireless interface card is registered to an AP, the
    ADDRESS            NETWORK         BROADCAST       INTERFACE
 0  10.0.0.1/24        10.0.0.0        10.0.0.255      public
 1  192.168.1.2/24     192.168.1.0     192.168.1.255   local
 2 D 192.168.1.1/24    192.168.1.0     192.168.1.255   local
[admin@MikroTik] ip vrrp>

Configuring the Backup VRRP router

Now we will create a VRRP instance with lower priority (we can use the default value of 100), so this router will back up the preferred one:

[admin@MikroTik] ip vrrp> add interface=local
[admin@MikroTik] ip vrrp> print
Flags: X - disabled, I - invalid, M - master, B - backup
 0  B name="vr1" interface=local vrid=1 priority=100 interval=1 preemption-mode=yes
      authentication=none password="" on-backup="" on-master=""
[admin@MikroTik] ip vrrp>

Now we should add the same virtual address as was added to the master node:

[admin@MikroTik] ip vrrp> address add address=192.168.1.1/24 group=vr1
[admin@MikroTik] ip vrrp> address print
Flags: X - disabled, A - active
    ADDRESS            NETWORK         BROADCAST       GROUP
 0  192.168.1.1/24     192.168.1.0     192.168.1.255   vr1
[admin@MikroTik] ip vrrp>

Note that this address will not appear in the ip address list:

[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
    ADDRESS            NETWORK         BROADCAST       INTERFACE
 0  10.1.0.1/24        10.0.0.0        10.0.0.255      public
 1  192.168.1.3/24     192.168.1.0     192.168.1.255   local
[admin@MikroTik] ip address>

Both instances above run with authentication=none. In that state any host on the local segment can send VRRP advertisements for vrid 1 with a higher priority and take over the virtual address 192.168.1.1, so on a segment that is not fully trusted configure the same authentication and password on both routers.

Testing fail-over

Now when we disconnect the master router, the backup one will switch t
  Point-to-Point Traffic Control Examples ............................ 213
VRRP (Virtual Router Redundancy Protocol) ............................ 215
  General Information ................................................ 215
  VRRP Routers ....................................................... 216
  A simple example of VRRP fail over ................................. 218
Network Address Translation .......................................... 220
  General Information ................................................ 220
  Common NAT Parameters .............................................. 221
  Destination NAT .................................................... 224
Universal Plug and Play (UPnP) ....................................... 225
  General Information ................................................ 225
  Enabling Universal Plug and Play ................................... 226
  UPnP Interfaces .................................................... 226
DNS Client and Cache ................................................. 228
  General Information ................................................ 228
  DNS Client Configuration ........................................... 228
Services, Protocols and Ports ........................................ 230
  General Information ................................................ 230
  Modifying Service Settings ......................................... 230
  List of Services ................................................... 231
HotSpot Gateway ...................................................... 233
  General Information ................................................ 234
  HotSpot Gateway Setup .............................................. 237
  HotSpot User Profiles .............................................. 239
  HotSpot Users ...................................................... 241
  HotSpot Active Users ............................................... 242
  HotSpot Remote AAA ................................................. 243
  HotSpot Server Settings ............................................ 243
  HotSpot Cookies .................................................... 244
  Walled Garden
  LCD Information Display Configuration .............................. 346
  LCD Troubleshooting ................................................ 347
Support Output File .................................................. 349
  General Information ................................................ 349
  Generating Support Output File ..................................... 349
Secure Shell (SSH) Server and Client ................................. 350
  General Information ................................................ 350
  SSH Server ......................................................... 351
  SSH Client ......................................................... 351
Backup and Restore ................................................... 353
  General Information ................................................ 353
  Configuration Load Command ......................................... 354
Serial Console and Terminal .......................................... 355
  General Information ................................................ 355
  Serial Console Configuration ....................................... 356
  Using Serial Terminal .............................................. 357
Global Positioning System (GPS) ...................................... 358
  General Information ................................................ 358
  Synchronizing with a GPS Receiver .................................. 359
  GPS Monitoring ..................................................... 359
Scripting Host and Complementary Tools ............................... 361
  General Information ................................................ 362
  Console Command Syntax ............................................. 362
  Expressions ........................................................ 363
  Variables .......................................................... 364
  Command Substitution and Return Values ............................. 365
  Operators .......................................................... 365
  Data Types ......................................................... 367
  Internal Console Expressions (ICE) ................................. 367
  Special Commands ................................................... 369
  Task Management .................................................... 371
  Scripts ............................................................ 372
  Network Watching
| icmp) - type of protocol to use. If one fails (for example, it is blocked by a firewall), try the other.
size (integer: 28..1500; default: 64) - packet size in bytes
timeout (time: 1s..8s; default: 1s) - response waiting timeout, i.e. delay between messages
tos (integer: 0..255; default: 0) - Type Of Service parameter of the IP packet
use-dns (yes | no; default: no) - specifies whether to use the DNS server (which can be set in the /ip dns menu)
src-address (IP address) - change the source address of the packet

Notes
A traceroute session may be stopped by pressing Ctrl-C.

Example
To trace the route to the 216.239.39.101 host using the ICMP protocol with a packet size of 64 bytes, setting the ToS field to 8 and extending the timeout to 4 seconds:

[admin@MikroTik] tool> traceroute 216.239.39.101 protocol=icmp size=64 tos=8 timeout=4s
     ADDRESS          STATUS
   1 159.148.60.227   3ms 3ms 3ms
   2 195.13.173.221   80ms 169ms 14ms
   3 195.13.173.28    6ms 4ms 4ms
   4 195.158.240.21   111ms 110ms 110ms
   5 213.174.71.49    124ms 120ms 129ms
   6 213.174.71.134   139ms 146ms 135ms
   7 213.174.70.245   132ms 131ms 136ms
   8 213.174.70.58    211ms 215ms 215ms
   9 195.158.229.130  225ms 239ms 0s
  10 216.32.223.114   283ms 269ms 281ms
  11 216.32.132.14    267ms 260ms 266ms
  12 209.185.9.102    296ms 296ms 290ms
  13 216.109.66.1     288ms 297ms 294ms
  14 216.109.66.90    297ms 317ms 319ms
  15 216.239.47.66    137ms 136ms 134ms
  16 216.239.47.46    135ms 134ms 134ms
  17 216.239.39.101   134ms 134ms 135ms
[admin@Mikr
P Application Example: Client/Server Setup

General Information

Summary
PPP (Point to Point Protocol) provides a method for transmitting datagrams over serial point-to-point links. Physically it relies on the COM1 and COM2 ports from standard PC hardware configurations. These appear as serial0 and serial1 automatically. You can add more serial ports to use the router for a modem pool using these adapters:
- MOXA (http://www.moxa.com) Smartio C104H 4-port PCI multiport asynchronous board, with a maximum of 16 ports (4 cards)
- MOXA (http://www.moxa.com) Smartio C168H 8-port PCI multiport asynchronous board, with a maximum of 32 ports (4 cards)
- Cyclades (http://www.cyclades.com) Cyclom-Y Series PCI multiport asynchronous serial cards
- Cyclades (http://www.cyclades.com) Cyclades-Z Series PCI multiport asynchronous serial cards
- TCL (http://www.thetcl.com) DataBooster 4 or 8 port High Speed Buffered PCI Communication Controllers

Specifications
Packages required: ppp
Home menu level: /interface ppp-client, /interface ppp-server
Protocols utilized: PPP (RFC 1661)
Hardware usage: Not significant

Related Documents
- Software Package Management
- Device Driver Management
- IP Addresses and ARP
- Log Management
- AAA (Authentication, Authorization and Accounting)

Additional Documents
- http://www.ietf.org/rfc/rfc2138.txt?number=2138
- http://www.ietf.org/rfc/rfc2139.txt?number=2139

Serial Port Configur
PS while in hibernate mode, and then restart itself when the utility power returns. If the UPS battery is drained and the router loses all power, the router will power back to full operation when the utility power returns.

The UPS monitor feature on the MikroTik RouterOS supports:
- hibernate and safe reboot on power and battery failure
- UPS battery test and run time calibration test
- monitoring of all "smart" mode status information supported by the UPS
- logging of power changes

Specifications
Packages required: ups
License required: Any
Home menu level: /system ups
Protocols utilized: APC's smart protocol
Hardware usage: Not significant

Related Documents
- Software Package Management

Description

Cabling
The APC UPS (BackUPS Pro or SmartUPS) requires a special serial cable. If no cable came with the UPS, a cable may be ordered from APC or one can be made in-house. Use the following diagram:

[serial cable wiring diagram: router serial port to UPS]

UPS Monitor Setup

Property Description
enabled (yes | no; default: no) - status of the monitoring; it is disabled by default
port (name) - communication port of the router
off-line-time (time; default: 5m) - how long to work on batteries. The router waits that amount of time and then goes into hibernate mode until the UPS reports that the utility power is back:
- 0 - the router will go into hibernate mode according to the min-run-time setting and the 10% of battery power event
- I
145. RESS UPTIME ENC
 0 DR <l2tp-ex>   ex   1460   10.0.0.202   6m32s   none
 1    l2tp-in1    ex1
[admin@MikroTik] interface l2tp-server>

In this example an already connected user, ex, is shown besides the one we just added. Note that the ENC column for that session reads none, i.e. no encryption was negotiated for it; check this column if you expect the tunnel to be encrypted.

L2TP Application Examples

Router-to-Router Secure Tunnel Example

[network diagram: HomeOffice (ToInternet 192.168.80.1/24, LocalHomeOffice 10.150.2.254/24, laptop 10.150.2.1/24) and RemoteOffice (ToInternet 192.168.81.1/24, LocalRemoteOffice 10.150.1.254/24, workstation 10.150.1.1/24) connected through the Internet; ISP 1 network 192.168.80.0/24, ISP 2 network 192.168.81.0/24; no L2TP enabled yet]

There are two routers in this example:
• HomeOffice: interface LocalHomeOffice 10.150.2.254/24, interface ToInternet 192.168.80.1/24
• RemoteOffice: interface ToInternet 192.168.81.1/24, interface LocalRemoteOffice 10.150.1.254/24

Each router is connected to a different ISP. One router can access the other router through the Internet.

On the L2TP server a user must be set up for the client:
[admin@HomeOffice] ppp secret> add name=ex service=l2tp password=lkjrht local-address=10.0.103.1 remote-address=10.0.103.2
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
 0 name="ex" service=l2tp c
146. Related Documents; Description; Wireless Interface Configuration (Description, Property Description, Example); Troubleshooting (Description); Wireless Network Applications (Point-to-Point Setup with Routing)

General Information

Summary
The MikroTik RouterOS supports the following RadioLAN 5.8GHz Wireless Adapter hardware:
• RadioLAN ISA card (Model 101)
• RadioLAN PCMCIA card
For more information about the RadioLAN adapter hardware, please see the relevant User's Guides and Technical Reference Manuals.

Specifications
Packages required: radiolan
Home menu level: /interface radiolan
Hardware usage: Not significant
Related Documents: Software Package Management; Device Driver Management; IP Addresses and ARP; Log Management

Description

Installing the Wireless Adapter
These installation instructions apply to non-Plug-and-Play ISA cards. If you have a Plug-and-Play compliant system AND the "PnP OS Installed" option in the system BIOS is set to "Yes" AND you have a Plug-and-Play compliant ISA or PCI card (or a PCMCIA or CardBus card with a Plug-and-Play compliant adapter), the driver should be loaded automatically. If it is not, these instructions may also apply to your system.

The basic installation steps of the wireless adapter are as follows:
1. Check the system BIOS settings for peripheral devices like Parallel or Serial communication ports. Disable them if you plan to use the IRQs assigned to them by th
147. TEWAY DISTANCE INTERFACE
 0 S  0.0.0.0/0          r ...              1   wan
 1 DC 10.0.0.0/24        r 10.0.0.254       0   ether2
 2 DC 192.168.0.0/24     r 192.168.0.254    0   ether1
 3 DC 1.1.1.2/32         r ...              0   wan
[admin@MikroTik] ip route>

The configuration of the Cisco router at the other end (part of the configuration) is:
CISCO# show running-config
Building configuration...
Current configuration:
...
!
interface Ethernet0
 description connected to EthernetLAN
 ip address 10.1.1.12 255.255.255.0
!
interface Serial0
 description connected to MikroTik
 ip address 1.1.1.2 255.255.255.252
 serial restart_delay 1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
end
CISCO#

Send ping packets to the MikroTik router:
CISCO# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/40 ms
CISCO#

Note: Keep in mind that for the point-to-point link the network mask is set to 32 bits, the argument network is set to the IP address of the other end, and the broadcast address is set to 255.255.255.255.

Virtual LAN (VLAN) Interface
Document revision 1.1 (22-09-2003)
This document applies to MikroTik RouterOS V2.8

Table of Contents: General Information (Summary, Related Documents, Description, Additional Documents); VLAN Setup (Property Description, Notes, Example); Application Example (VL
148. WiFi] ip ipsec peer>

Remote Peer Statistics
Home menu level: /ip ipsec remote-peers

Description
This submenu provides various statistics about remote peers that currently have established phase 1 connections with this router. Note that if a peer does not show up here, it does not mean that no IPsec traffic is being exchanged with it; for example, manually configured SAs will not show up here.

Property Description
local-address (read-only: IP address): local ISAKMP SA address
remote-address (read-only: IP address): peer's IP address
state (read-only: text): state of phase 1 negotiation with the peer. established: normal working state
side (multiple choice, read-only: initiator | responder): shows which side initiated the connection. initiator: phase 1 negotiation was started by this router; responder: phase 1 negotiation was started by the peer
established (read-only: text): date and time when phase 1 was established with the peer
ph2-active (read-only: integer): how many phase 2 negotiations with this peer are currently taking place
ph2-total (read-only: integer): how many phase 2 negotiations with this peer took place

Example
To see currently established SAs:
[admin@WiFi] ip ipsec> remote-peers print
 0 local-address=10.0.0.148 remote-address=10.0.0.147 state=established side=initiator established=jan/25/2003 03:34:45 ph2-active=0 ph2-total=1
[admin@WiFi] ip ipsec>

Install
149. X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK          BROADCAST        INTERFACE
 0   192.168.0.1/24     192.168.0.0      192.168.0.255    ether1
 1   1.1.1.1/32         ...              ...              farsync1
[admin@hq] ip address>

[admin@office] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK          BROADCAST        INTERFACE
 0   10.0.0.112/24      10.0.0.0         10.0.0.255       ether1
 1   1.1.1.2/32         ...              ...              farsync1
[admin@office] ip address>

MikroTik router to Cisco router using X.21 line
Assume we have the following configuration:
[network diagram: MikroTik router connected to a Cisco router over an X.21 line, line protocol cisco-hdlc; the addresses in the diagram are not recoverable from the extracted text]

The configuration of the MT router is as follows:
[admin@MikroTik] interface farsync> set farsync1 line-protocol=cisco-hdlc media-type=X21 clock-source=internal
[admin@MikroTik] interface farsync> enable farsync1
[admin@MikroTik] interface farsync> print
Flags: X - disabled, R - running
 0 R name="farsync1" mtu=1500 line-protocol=cisco-hdlc media-type=X21 clock-rate=64000 clock-source=internal chdlc-keepalive=10s frame-relay-lmi-type=ansi frame-relay-dce=no
 1 X name="farsync2" mtu=1500 line-protocol=sync-ppp media-type=V35 clock-rate=64000 clock-source=external chdlc-keepalive=10s frame-relay-lmi-type=ansi frame-relay-dce=no
[admin@MikroTik] interface farsync>
150. X - disabled, R - running
 #   NAME     MTU    DLCI   INTERFACE
 0 X pvc1     1500   42     moxa-c101-1
[admin@r1] interface pvc> /ip address add address=4.4.4.1/24 interface=pvc1

On the R2:
[admin@r2] interface pvc> add dlci=42 interface=moxa-c101-1
[admin@r2] interface pvc> print
Flags: X - disabled, R - running
 #   NAME     MTU    DLCI   INTERFACE
 0 X pvc1     1500   42     moxa-c101-1
[admin@r2] interface pvc> /ip address add address=4.4.4.2/24 interface=pvc1

Finally, we must enable the PVC interfaces:
[admin@r1] interface pvc> enable pvc1
[admin@r1] interface pvc>
[admin@r2] interface pvc> enable pvc1
[admin@r2] interface pvc>

Troubleshooting

Description
• I cannot ping through the synchronous Frame Relay interface between a MikroTik router and a Cisco router.
  Frame Relay does not support address resolution, and IETF encapsulation should be used. Please check the configuration on the Cisco router.

ISDN Interface
Document revision 1.1 (22-09-2003)
This document applies to MikroTik RouterOS V2.8

Table of Contents: General Information (Summary, Specifications, Related Documents, Additional Documents); ISDN Hardware and Software Installation (Description, Property Description, ISDN Channels, MSN and EAZ numbers); ISDN Client Interface Configuration (Description, Property Description, Example); ISDN Server Interface Configuration (Description, Property Description, Examp
151. able command

Property Description
chdlc-keepalive (time; default: 10s): Cisco HDLC keepalive period in seconds
clock-rate (integer; default: 64000): the speed of the internal clock
clock-source (external | internal; default: external): clock source
disabled (yes | no; default: yes): shows whether the interface is disabled
frame-relay-dce (yes | no; default: no): operate in Data Communications Equipment mode
frame-relay-lmi-type (ansi | ccitt; default: ansi): Frame Relay Local Management Interface type
line-protocol (cisco-hdlc | frame-relay | sync-ppp; default: sync-ppp): line protocol
media-type (V24 | V35 | X21; default: V35): type of the media
mtu (integer; default: 1500): Maximum Transmission Unit
name (name; default: farsyncN): assigned interface name

Example
[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
 #    NAME        TYPE      MTU
 0  R ether1      ether     1500
 1  X farsync1    farsync   1500
 2  X farsync2    farsync   1500
[admin@MikroTik] interface> enable 1
[admin@MikroTik] interface> enable farsync2
[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
 #    NAME        TYPE      MTU
 0  R ether1      ether     1500
 1    farsync1    farsync   1500
 2    farsync2    farsync   1500
[admin@MikroTik] interface> farsync
[admin@MikroTik] interface farsync> print
Flags: X - disabled, R - running
 0   name="farsync1" mtu=1500 line-protocol=sync-ppp media-type=V35 clo
152. able from_net1 add gateway=10.0.0.1
[admin@MikroTik] ip policy-routing> table from_net2 add gateway=10.0.0.2
[admin@MikroTik] ip policy-routing> table from_net1 print
Flags: X - disabled, I - invalid, D - dynamic, R - rejected
 #   TYPE     DST-ADDRESS      G GATEWAY        DISTANCE   INTERFACE
 0   static   0.0.0.0/0        r 10.0.0.1       1          Public
[admin@MikroTik] ip policy-routing> table from_net2 print
Flags: X - disabled, I - invalid, D - dynamic, R - rejected
 #   TYPE     DST-ADDRESS      G GATEWAY        DISTANCE   INTERFACE
 0   static   0.0.0.0/0        r 10.0.0.2       1          Public
[admin@MikroTik] ip policy-routing>

3. Create rules that will direct traffic from the sources to the given tables, and arrange them in the desired order (rules are evaluated top to bottom, so the more specific /32 exceptions must precede the /24 rules that would otherwise swallow them):
[admin@MikroTik] ip policy-routing> rule
[admin@MikroTik] ip policy-routing rule> print
Flags: X - disabled, I - invalid
 #   SRC-ADDRESS      DST-ADDRESS      INT   FLOW   ACTION
 0   0.0.0.0/0        0.0.0.0/0        all          lookup
[admin@MikroTik] ip policy-routing rule> add src-address=1.1.1.1/32 action=lookup table=main
[admin@MikroTik] ip policy-routing rule> add src-address=2.2.2.1/32 action=lookup table=main
[admin@MikroTik] ip policy-routing rule> add src-address=1.1.1.0/24 action=lookup table=from_net1
[admin@MikroTik] ip policy-routing rule> add src-address=2.2.2.0/24 action=lookup table=from_net2
[admin@MikroTik] ip policy-routing rule> print
Flags: X - disabl
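The rule-ordering point above is easy to get wrong, so here is a small model of the lookup, written for this page as an added example (it is not RouterOS code). It assumes Linux-style semantics, which RouterOS 2.8 is built on: rules are tried in order, the first rule whose src-address matches selects a table, and if that table holds no route for the destination the lookup falls through to the next rule. The gateway of the main table (10.0.0.254) and the position of the catch-all rule are assumptions; the page shows only the from_net1 and from_net2 tables.

```python
import ipaddress

# Constructed routing tables modelled on the page's example. Each table holds
# (destination prefix, gateway) routes. The main table's routes are an assumption;
# the page only prints the from_net1 and from_net2 tables.
TABLES = {
    "main":      [("0.0.0.0/0", "10.0.0.254"), ("10.0.0.0/24", "connected")],
    "from_net1": [("0.0.0.0/0", "10.0.0.1")],
    "from_net2": [("0.0.0.0/0", "10.0.0.2")],
}

# Rules in the order the page adds them: the /32 exceptions come first so they
# are matched before the covering /24 rules. The catch-all "lookup main" rule
# the page prints as rule 0 is assumed to sit last, after the specific ones.
RULES = [
    ("1.1.1.1/32", "main"),
    ("2.2.2.1/32", "main"),
    ("1.1.1.0/24", "from_net1"),
    ("2.2.2.0/24", "from_net2"),
    ("0.0.0.0/0",  "main"),
]


def route_lookup(table, dst):
    """Longest-prefix match inside one table; None when the table has no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def select_gateway(src, dst, rules=RULES):
    """Policy lookup: the first rule whose src-address covers the packet's source
    selects the table; if that table yields no route, try the next rule."""
    src = ipaddress.ip_address(src)
    for prefix, table in rules:
        if src in ipaddress.ip_network(prefix):
            gateway = route_lookup(table, dst)
            if gateway is not None:
                return gateway
    return None


if __name__ == "__main__":
    for host in ("1.1.1.1", "1.1.1.7", "2.2.2.1", "2.2.2.9", "3.3.3.3"):
        print(host, "->", select_gateway(host, "8.8.8.8"))
    # Put the /24 rule ahead of its /32 exception and the exception never fires.
    swapped = [RULES[2], RULES[0], RULES[1], RULES[3], RULES[4]]
    print("1.1.1.1 with swapped rules ->", select_gateway("1.1.1.1", "8.8.8.8", swapped))
```

The swapped-rule case is the one to remember: the page's rule list is only correct because the /32 entries for 1.1.1.1 and 2.2.2.1 sit above the /24 entries.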
153. abled, I - invalid
 #   INTERFACE   RELAY     ADDRESS-POOL   LEASE-TIME   ADD-ARP
     ether1      0.0.0.0   dhcp_pool1     3d           no
[admin@MikroTik] ip dhcp-server> network print
 #   GATEWAY    DNS-SERVER     WINS-SERVER   DOMAIN
     10.0.0.1   159.148.60.2
[admin@MikroTik] ip dhcp-server> /ip pool print
 #   RANGES
     10.0.0.2-10.0.0.254
[admin@MikroTik] ip dhcp-server>

Universal Client Interface
Document revision 2.2 (08-Jan-2004)
This document applies to MikroTik RouterOS V2.8

Table of Contents: Summary; Specifications; Description; Universal Client Interface Setup (Property Description, Notes, Example); Universal Host List (Description, Property Description, Example); Universal Access List (Description, Property Description, Example); Service Port (Description, Property Description, Example)

General Information

Summary
The Universal Client Interface allows the router to work with clients regardless of their IP addresses, translating those addresses to ones the router is able to work with. It makes it possible to provide network access (for example, Internet access) to mobile clients that are not willing to change their networking settings. The feature is intended for use with HotSpot, but may be useful even without HotSpot.

Specifications
Packages required: system
License required: Any
Home menu level: /ip hotspot universal
Hardware usage: Not significant

Description
The universal client accepts any incoming address from a connected network interface
154. ace
• The EoIP protocol encapsulates Ethernet frames in GRE (IP protocol number 47) packets, just like PPTP, and sends them to the remote side of the EoIP tunnel
• The maximal count of EoIP tunnels is 65536

EoIP Setup
Home menu level: /interface eoip

Property Description
name (name; default: eoip-tunnelN): interface name for reference
mtu (integer; default: 1500): Maximum Transmission Unit. The default value provides maximal compatibility
arp (disabled | enabled | proxy-arp | reply-only; default: enabled): Address Resolution Protocol
tunnel-id (integer): a unique tunnel identifier
remote-address: the IP address of the other side of the EoIP tunnel (must be a MikroTik router)
mac-address (MAC address): MAC address of the EoIP interface. You can freely use MAC addresses in the range from 00-00-5E-80-00-00 to 00-00-5E-FF-FF-FF

Notes
tunnel-id is the method of identifying a tunnel. There should not be tunnels with the same tunnel-id on the same router, and the tunnel-id on both participant routers must be equal.

mtu should be set to 1500 to eliminate packet refragmentation inside the tunnel; that allows transparent bridging of Ethernet-like networks, so that a full-sized Ethernet frame can be transported over the tunnel.

For EoIP interfaces you can use MAC addresses in the range from 00-00-5E-80-00-00 to 00-00-5E-FF-FF-FF.

EoIP itself neither encrypts nor authenticates the transported frames (GRE has no security services of its own); when the tunnel crosses an untrusted network, protect the GRE traffic with IPsec.

Example
To add and enable an EoIP tunnel named to_mt2 to the 10.5.8.1 router, specifyin
155. ace pppoe-server>

To disconnect the user ex:
[admin@MikroTik] interface pppoe-server> remove [find user=ex]
[admin@MikroTik] interface pppoe-server> print
[admin@MikroTik] interface pppoe-server>

Troubleshooting

Description
• The PPPoE server shows more than one active user entry for one client; when the clients disconnect they are still shown as active.
  Set the keepalive-timeout parameter in the PPPoE server configuration to 10 if you want clients to be considered logged off when they do not respond for 10 seconds. Note that if keepalive-timeout is set to 0 and the only-one parameter in the PPP profile settings is set to yes, then the clients might be able to connect only once. To resolve this problem, the one-session-per-host parameter in the PPPoE server configuration should be set to yes.
• I can get only small packets (e.g. pings) through the PPPoE link.
  You need to change the MSS of all TCP packets passing through the PPPoE link to the value of the PPPoE link's MTU minus 40 (20 bytes of IPv4 header plus 20 bytes of TCP header), at least on one of the peers. So, for a PPPoE link with an MTU of 1480:
[admin@MikroTik] ip firewall mangle> add protocol=tcp tcp-options=syn-only action=passthrough tcp-mss=1440
[admin@MikroTik] ip firewall mangle> print
Flags: X - disabled, I - invalid
 0   src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:0-65535 protocol=tcp tcp-options=syn-only icmp-options=any:any flow="" src-mac-addres
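What the tcp-mss mangle rule does to a packet is worth seeing byte by byte. The following added example (written for this page, not MikroTik code) builds a constructed IPv4/TCP SYN carrying an MSS option of 1460, applies the same transformation the rule above performs (clamp the MSS option of SYN packets to MTU minus 40, here 1440 for an MTU of 1480, and recompute the TCP checksum) and verifies that the result still checksums correctly. Addresses and ports in the sample packet are made up for the example.

```python
import socket
import struct

IP_HDR_LEN = 20       # IPv4 header without options
TCP_HDR_LEN = 20      # TCP header without options
TCP_OPT_MSS = 2       # option kind for Maximum Segment Size


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; verifies to 0 over a header that
    already contains a correct checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    return _checksum(pseudo + segment)


def build_syn(src_ip, dst_ip, sport, dport, mss, flags=0x02):
    """Constructed sample packet: IPv4 + TCP header + a single MSS option."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    data_offset = (TCP_HDR_LEN + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      data_offset << 4, flags, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", _tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(tcp), 1, 0x4000,
                     64, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp


def _split(packet):
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    return ihl, tcp, data_offset


def tcp_mss(packet):
    """Walk the TCP options and return the advertised MSS, or None."""
    _, tcp, data_offset = _split(packet)
    i = TCP_HDR_LEN
    while i < data_offset:
        kind = tcp[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP padding
            i += 1
            continue
        if kind == TCP_OPT_MSS:
            return struct.unpack("!H", tcp[i + 2:i + 4])[0]
        i += tcp[i + 1]
    return None


def clamp_mss(packet, link_mtu):
    """Equivalent of 'tcp-options=syn-only action=passthrough tcp-mss=<mtu-40>':
    only SYN packets are touched, and only when their MSS exceeds the limit."""
    limit = link_mtu - IP_HDR_LEN - TCP_HDR_LEN
    ihl, tcp, data_offset = _split(packet)
    if packet[9] != socket.IPPROTO_TCP or not (tcp[13] & 0x02):
        return packet
    tcp = bytearray(tcp)
    i = TCP_HDR_LEN
    while i < data_offset:
        kind = tcp[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if kind == TCP_OPT_MSS and struct.unpack("!H", tcp[i + 2:i + 4])[0] > limit:
            tcp[i + 2:i + 4] = struct.pack("!H", limit)
        i += tcp[i + 1]
    tcp[16:18] = b"\x00\x00"              # checksum must be recomputed after the rewrite
    tcp[16:18] = struct.pack("!H", _tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


def checksums_ok(packet):
    ihl, tcp, _ = _split(packet)
    return _checksum(packet[:ihl]) == 0 and \
        _tcp_checksum(packet[12:16], packet[16:20], tcp) == 0


if __name__ == "__main__":
    syn = build_syn("10.0.0.2", "192.0.2.1", 40000, 80, 1460)
    clamped = clamp_mss(syn, 1480)
    print("MSS before:", tcp_mss(syn), "after:", tcp_mss(clamped),
          "checksums ok:", checksums_ok(clamped))
```

A SYN whose MSS is already below the limit, and any packet that is not a SYN, pass through unchanged; that is exactly why the mangle rule matches tcp-options=syn-only rather than every TCP packet.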
156. acter-long text string for plain-text authentication, or 16-character-long text string (128-bit key) required for AH authentication
on-backup (name; default: ""): script to execute when the node switches to backup state
on-master (name; default: ""): script to execute when the node switches to master state

Notes
All the nodes of one cluster must have the same vrid, interval, preemption-mode, authentication and password.

As said before, a priority of 255 is reserved for the real owner of the virtual router's IP addresses. Theoretically the owner should have the IP address added statically to its IP address list and also to the VRRP virtual address list, but you should never do this. Any addresses that you are using as virtual addresses (i.e. added in /ip vrrp address) must not appear in the /ip address list, as they otherwise can cause an IP address conflict which will not be resolved automatically.

Also, you must have an IP address (no matter which) on the interface you want to run VRRP on.

Example
To add a VRRP instance on the ether1 interface, forming (because priority is 255) a virtual router with vrid of 1:
[admin@MikroTik] ip vrrp> add interface=ether1 vrid=1 priority=255
[admin@MikroTik] ip vrrp> print
Flags: X - disabled, I - invalid, M - master, B - backup
 0 I name="vr1" interface=ether1 vrid=1 priority=255 interval=1 preemption-mode=yes authentication=none password="" on-backup="" on-master=""
[admin@MikroTik] ip
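The Notes above are a checklist that is easy to violate across several routers, so here is an added example (written for this page, not part of RouterOS) that checks a cluster description against them: shared parameters agree on every node, at most one node claims priority 255, every VRRP interface carries a real address, no virtual address also appears in the node's address list, and the password length matches the authentication type (8 characters for plain text per RFC 2338, 16 for AH, as the property description states). The node dictionaries, router names and addresses are constructed for the example.

```python
# Parameters the page says must be identical on all nodes of one cluster.
SHARED = ("vrid", "interval", "preemption-mode", "authentication", "password")

# Password length required per authentication type (assumption based on the
# property description above: 8 characters plain text, 16 characters for AH).
PASSWORD_LEN = {"none": 0, "simple": 8, "ah": 16}


def check_vrrp_cluster(nodes):
    """Return a list of problems found in a constructed cluster description;
    an empty list means the cluster satisfies the Notes above."""
    problems = []
    ref = nodes[0]
    for node in nodes[1:]:
        for key in SHARED:
            if node[key] != ref[key]:
                problems.append(f"{node['name']}: {key}={node[key]!r} differs from {ref['name']}")

    owners = [n["name"] for n in nodes if n["priority"] == 255]
    if len(owners) > 1:
        problems.append("priority 255 is reserved for one address owner, claimed by: "
                        + ", ".join(owners))

    for node in nodes:
        all_real = {a.split("/")[0] for addrs in node["addresses"].values() for a in addrs}
        on_iface = node["addresses"].get(node["interface"], [])
        if not on_iface:
            problems.append(f"{node['name']}: no IP address on {node['interface']}")
        for va in node["virtual-addresses"]:
            if va.split("/")[0] in all_real:
                problems.append(f"{node['name']}: virtual address {va} is also in /ip address")
        expected = PASSWORD_LEN[node["authentication"]]
        if len(node["password"]) != expected:
            problems.append(f"{node['name']}: {node['authentication']} authentication "
                            f"needs a {expected}-character password")
    return problems


def sample_node(name, priority, **overrides):
    """Constructed node description used by the examples below."""
    node = {
        "name": name, "interface": "ether1", "vrid": 1, "priority": priority,
        "interval": 1, "preemption-mode": True,
        "authentication": "simple", "password": "s3cr3t!!",
        "addresses": {"ether1": [f"192.168.1.{priority % 10 + 2}/24"]},
        "virtual-addresses": ["192.168.1.1/32"],
    }
    node.update(overrides)
    return node


GOOD_CLUSTER = [sample_node("rtr-a", 255), sample_node("rtr-b", 100)]

# rtr-c breaks three rules: a different vrid, a second priority-255 owner, and the
# virtual address configured as a real address on ether1.
BAD_CLUSTER = [
    sample_node("rtr-a", 255),
    sample_node("rtr-c", 255, vrid=2,
                addresses={"ether1": ["192.168.1.1/24", "192.168.1.7/24"]}),
]

if __name__ == "__main__":
    print("good:", check_vrrp_cluster(GOOD_CLUSTER))
    for problem in check_vrrp_cluster(BAD_CLUSTER):
        print("bad: ", problem)
```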
157. ad the driver by specifying the I/O base address (IRQ is not required).

Wireless

Specifications
Packages required: wireless

Description

Atheros Chipset
Type: Atheros AR5001X PC/PCI, 11/54Mbit/s IEEE802.11a/b/g (Intel 5000 series, D-Link DWL-A520, D-Link DWL-G650)
• Atheros AR5000 chipset series based IEEE802.11a (AR5210 MAC plus AR5110 PHY chips) cards
• Atheros AR5001A chipset series based IEEE802.11a (AR5211 MAC plus AR5111 PHY chips) cards
• Atheros AR5001X chipset series based IEEE802.11a (AR5211 MAC plus AR5111 PHY chips), IEEE802.11b/g (AR5211 MAC plus AR2111 PHY chips), IEEE802.11a/b/g (AR5211 MAC plus AR5111 and AR2111 PHY chips) cards
• Atheros AR5001X chipset series based IEEE802.11a (AR5212 MAC plus AR5111 PHY chips), IEEE802.11b/g (AR5212 MAC plus AR2111 PHY chips), IEEE802.11a/b/g (AR5212 MAC plus AR5111 and AR2111 PHY chips) cards

Cisco Aironet Chipset
Type: Cisco Aironet ISA/PCI/PC, 11Mbit/s IEEE802.11b
• Aironet ISA/PCI/PC4800 2.4GHz DS 11Mbps Wireless LAN Adapters (100mW)
• Aironet ISA/PCI/PC4500 2.4GHz DS 2Mbps Wireless LAN Adapters (100mW)
• CISCO AIR-PCI340 2.4GHz DS 11Mbps Wireless LAN Adapters (30mW)
• CISCO AIR-PCI/PC350/352 2.4GHz DS 11Mbps Wireless LAN Adapters (100mW)

Intersil Prism II Chipset
Type: Intersil Prism II PC/PCI, 11Mbit/s IEEE802.11b
• Intersil PRISM2 Reference Design 11Mb/s IEEE802.11b WLAN Card
• GemTek WL-211 Wireless LAN PC Card
• Compaq WL100/200 11Mb/s 802.11b WLAN Card
• Compaq iP
158. add a simple queue that will limit download traffic to the 192.168.0.0/24 network to 128000 bits per second and upload traffic from the 192.168.0.0/24 network to 64000 bits per second on the ether1 interface:
[admin@MikroTik] queue simple> add dst-address=192.168.0.0/24 interface=ether1 max-limit=64000/128000
[admin@MikroTik] queue simple> print
Flags: X - disabled, I - invalid, D - dynamic
 0   name="queue1" target-address=0.0.0.0/0 dst-address=192.168.0.0/24 interface=ether1 queue=default priority=8 limit-at=0/0 max-limit=64000/128000
[admin@MikroTik] queue simple>

Configuring Queue Trees

Description
Queue trees should be used when you want sophisticated data rate allocation based on protocols, ports, groups of IP addresses, etc.

Property Description
name (name; default: queueN): descriptive name for the queue
parent (name): name of the parent queue. The top-level parents are the available interfaces (actually, the main HTB). Lower-level parents can be other queues. Dynamic queues created with the simple queue tool cannot be used as parents
flow (name; default: ""): flow mark of the packets to be queued. Flow marks can be assigned to packets under /ip firewall mangle when the packets enter the router through the incoming interface
limit-at (integer; default: 0): guaranteed stream data rate (bits/s); the maximum rate is set by max-limit
queue (name; default: default): queue type
priority: flow priority; 1 is the highest
159. address=10.0.0.20
[admin@MikroTik] ip hotspot universal access> print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
 #   MAC-ADDRESS   ADDRESS        TO-ADDRESS    INTERFACE   IDLE-TIME
 0                 10.20.30.40    10.0.0.20     ether1      1s
[admin@MikroTik] ip hotspot universal access>

Service Port
Home menu level: /ip hotspot universal service-port

Description
Just like classic NAT, the Universal Client Interface breaks some protocols that are incompatible with address translation. To keep these protocols consistent, helper modules must be used. For the Universal Client Interface the only such module is for the FTP protocol.

Property Description
name (read-only: name): protocol name
ports (integer): list of the ports on which the protocol is working

Example
To set the FTP protocol to use both the 20 and 21 TCP ports:
[admin@MikroTik] ip hotspot universal service-port> print
Flags: X - disabled
 #   NAME   PORTS
 0   ftp
[admin@MikroTik] ip hotspot universal service-port> set ftp ports=20,21
[admin@MikroTik] ip hotspot universal service-port> print
Flags: X - disabled
 #   NAME   PORTS
 0   ftp    20,21
[admin@MikroTik] ip hotspot universal service-port>

OSPF
Document revision 2.0 (11-Dec-2003)
This document applies to MikroTik RouterOS V2.8

Table of Contents: Summary; Specifications; Related Documents; Description; General Setup (D
160. [admin@MikroTik] ip route> ..
[admin@MikroTik] ip>

You can also use "/" and ".." to execute commands from other menu levels without changing the current level:
[admin@MikroTik] ip route> /ping 10.0.0.1
10.0.0.1 ping timeout
2 packets transmitted, 0 packets received, 100% packet loss
[admin@MikroTik] ip route> .. firewall print
 #   NAME                                  POLICY
 0   input                                 accept
 1   forward                               accept
 2   output                                accept
 3   ;;; Limit unauthorized HS clients
     hs-temp                               none
 4   ;;; account auth HS clients
     hotspot                               none
[admin@MikroTik] ip route>

Lists and Item Names

Description

Lists
Many of the command levels operate with arrays of items: interfaces, routes, users, etc. Such arrays are displayed in similarly looking lists. All items in the list have an item number followed by their parameter values. To change the parameters of an item, you have to specify its number to the set command.

Item Names
Some lists have items with specific names assigned to each; examples are the interface or user levels. There you can use item names instead of item numbers. You do not have to use the print command before accessing items by name. As opposed to numbers, names are not assigned by the console internally but are one of the item's properties, so they do not change on their own. However, all kinds of obscure situations are possible when several users are changing the router's configuration at the same time. Generally, item names are more sta
161. ady up and running after MikroTik router installation. The default port of the service is 22. You can set a different port number.

Property Description
name (name): service name
port (integer: 1..65535): port the service listens to
address (IP address/mask; default: 0.0.0.0/0): IP address (range) from which the service is accessible

Restricting address to the management network and disabling the services you do not use (telnet and ftp carry credentials in clear text) limits the exposure of the router's management plane.

Example
[admin@MikroTik] ip service> set ssh port=65
[admin@MikroTik] ip service> print
Flags: X - disabled, I - invalid
 #   NAME          PORT   ADDRESS       CERTIFICATE
 0   telnet        23     0.0.0.0/0
 1   ftp           21     0.0.0.0/0
 2   www           80     0.0.0.0/0
 3   hotspot       8088   0.0.0.0/0
 4   ssh           65     0.0.0.0/0
 5 X hotspot-ssl   443    0.0.0.0/0     none
[admin@MikroTik] ip service>

SSH Client
Command name: /system ssh

Example
[admin@MikroTik] ip service> /system ssh
address:
[admin@MikroTik] ip service>
[admin@MikroTik] > /system ssh 10.1.0.1 user=admin port=22
[MikroTik RouterOS 2.8beta12 login banner, (c) 1999-2003 http://www.mikrotik.com]
Terminal ansi detected, using single line input mode
[admin@10.1.0.1] >

Backup and Restore
Document revision 2.0 (23-Dec-2
162. age: Increases with rules and connections count
Related Documents: Software Package Management; IP Addresses and ARP; IP Routes Management; Firewall Filters

Description

NAT subdivision
Network Address Translation is subdivided into two separate facilities:
• Source NAT. This type of NAT allows hiding private networks behind the router. It alters the source addresses of forwarded IP packets.
• Destination NAT. This one is used for accessing public services on local servers from outside the intranet. It can also help to accomplish some additional tasks, like transparent proxying. Destination NAT alters the destination addresses of forwarded IP packets.

Redirect and Masquerade
REDIRECT is similar to regular destination NAT in the same way as MASQUERADING is similar to source NAT: masquerading is source NAT, except that you do not have to specify to-src-address (the outgoing interface address is used automatically). The same holds for REDIRECT: it is destination NAT where to-dst-address is not used (the incoming interface address is used instead). So there is no use in specifying to-src-address for src-nat rules with action=masquerade, and no use in specifying to-dst-address for dst-nat rules with action=redirect. Note that to-dst-port is meaningful for REDIRECT rules: this is the port on which the service on the router that will handle these requests is sitting (e.g. web proxy).

When a packet is dst-natted (no matter whether the action is nat
163. age: Not significant
Related Documents: Software Package Management; Ping; MikroTik Neighbour Discovery Protocol (MNDP)

MAC Telnet Server
Home menu level: /tool mac-server

Property Description
interface (name | all; default: all): interface name to which the mac-server clients will connect. all: all interfaces

Notes
There is an interface list configured in this submenu level. If you add some interfaces to this list, you allow MAC telnet on those interfaces. A disabled (disabled=yes) item means that the interface is not in the list, rather than that MAC telnet is disabled on that interface.

Because MAC telnet is reachable by any host on the same Layer 2 segment, keep the list to trusted management interfaces rather than the default all.

Example
To enable the MAC telnet server on the ether1 interface only:
[admin@MikroTik] tool mac-server> print
Flags: X - disabled
 #   INTERFACE
 0   all
[admin@MikroTik] tool mac-server> remove 0
[admin@MikroTik] tool mac-server> add interface=ether1 disabled=no
[admin@MikroTik] tool mac-server> print
Flags: X - disabled
 #   INTERFACE
 0   ether1
[admin@MikroTik] tool mac-server>

Monitoring Active Session List
Home menu level: /tool mac-server sessions

Property Description
interface (read-only: name): interface the client is connected to
src-address (read-only: MAC address): client's MAC address
uptime (read-only: time): how long the client has been connected to the server

MAC Telnet Client
Command name: /tool mac-telnet

Example
[admin@MikroTik] tool>
164. al
License required: Base
Home menu level: /ip hotspot
Protocols utilized: ICMP, DHCP
Hardware usage: Not significant
Related Documents: Software Package Management; IP Addresses and Address Resolution Protocol (ARP); IP Pools; DHCP Client and DHCP Server; Authentication, Authorization and Accounting; Firewall Filters; Packet Marking (Mangle); Network Address Translation; Connection Tracking and Service Ports

Description
The MikroTik HotSpot Gateway should have at least two network interfaces:
1. HotSpot interface, which is used to connect HotSpot clients
2. LAN/WAN interface, which is used to access network resources. For example, DNS and RADIUS server(s) should be accessible.

The diagram below shows a sample HotSpot setup.

The HotSpot interface should have an IP address assigned to it. To use the dhcp-pool method there should be two IP addresses: one as the gateway for the temporary IP address pool used prior to authentication, and a second as the gateway for the permanent IP address pool used by authenticated clients. Note that you have to provide routing for these address pools, unless you plan to use masquerading (source NAT).

A physical network connection has to be established between the HotSpot user's computer and the gateway. It can be wireless (the wireless card should be registered to the AP) or wired (the NIC card should be connected to a hub or a switch). In the dhcp-pool case, the arp mode of the Ho
165. al form x.x.x.x
dst-port (integer: 0..65535): destination port number or range. 0 means all ports from 0 to 65535

Source NAT

Description
Source NAT is a firewall function that can be used to hide private networks behind one external IP address of the router. For example, it is useful if you want to access the ISP's network and the Internet appearing as if all requests come from one single IP address given to you by the ISP. Source NAT changes the source IP address and port of packets originating from the private network to the external address of the router when the packet is routed through it.

Source NAT helps to ensure security, since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request, or match it to a previous request. It also conserves the number of global IP addresses required, and lets the whole network use a single IP address in its communication with the world. Note that this protection is a side effect of the translation (only replies that match an existing translation reach the private hosts); it is not a substitute for explicit firewall filter rules.

Property Description
action (accept | masquerade | nat; default: accept): action to undertake if a packet matched a particular src-nat rule, one of the:
• accept: accept the packet without undertaking any action, except for mangle. No more rules are processed in the relevant list (chain)
• masquerade: use masquerading for the packet and substitute the source address/port of the packet with the ones of the router. In this case the to-src-address
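The two passages above (Redirect and Masquerade, and the Source NAT description) both come down to a translation table keyed by the outbound flow. The following added example (written for this page, not RouterOS code) models action=masquerade: the translated source address is always the router's outgoing interface address, which is why no to-src-address is configured; each new outbound flow gets a distinct external port; replies are mapped back through the table; and an inbound packet that matches no prior outbound flow is rejected, which is the "match it to a previous request" property the text describes. The router and host addresses are constructed for the example.

```python
import itertools


class Masquerade:
    """Toy source NAT in masquerade mode.

    The external source address is the outgoing interface address given at
    construction (the page's point that to-src-address is not needed); external
    ports are handed out from a counter, starting at 1024 by assumption.
    """

    def __init__(self, interface_address, first_port=1024):
        self.interface_address = interface_address
        self._ports = itertools.count(first_port)
        self._outbound = {}   # (src, sport, dst, dport) -> external port
        self._inbound = {}    # (external port, dst, dport) -> (src, sport)

    def translate_out(self, src, sport, dst, dport):
        """Rewrite a packet leaving the private network; returns the new
        (src, sport, dst, dport). A repeated flow reuses its existing port."""
        key = (src, sport, dst, dport)
        if key not in self._outbound:
            port = next(self._ports)
            self._outbound[key] = port
            self._inbound[(port, dst, dport)] = (src, sport)
        return (self.interface_address, self._outbound[key], dst, dport)

    def translate_in(self, src, sport, dst, dport):
        """Reverse-translate a packet arriving from outside. Returns the
        (src, sport, dst, dport) to forward to the private host, or None when no
        earlier outbound flow created a mapping, i.e. unsolicited traffic."""
        if dst != self.interface_address:
            return None
        original = self._inbound.get((dport, src, sport))
        if original is None:
            return None
        return (src, sport, original[0], original[1])

    def active_flows(self):
        return len(self._outbound)


if __name__ == "__main__":
    nat = Masquerade("203.0.113.5")
    # two private hosts happen to pick the same source port
    print(nat.translate_out("192.168.0.10", 40000, "198.51.100.7", 80))
    print(nat.translate_out("192.168.0.11", 40000, "198.51.100.7", 80))
    # the server's reply to the first host is mapped back
    print(nat.translate_in("198.51.100.7", 80, "203.0.113.5", 1024))
    # an unrelated inbound probe has no mapping and is dropped
    print(nat.translate_in("198.51.100.9", 4444, "203.0.113.5", 1024))
```

The port collision between the two private hosts is the case that matters in practice: both use source port 40000, and the router keeps them apart only because it rewrites the port as well as the address.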
166. allation and client setup; Windows 98SE; Troubleshooting (Description)

General Information

Summary
PPTP (Point-to-Point Tunnel Protocol) supports encrypted tunnels over IP. The MikroTik RouterOS implementation includes support for PPTP client and server.

General applications of PPTP tunnels:
• secure router-to-router tunnels over the Internet
• linking (bridging) local Intranets or LANs (when EoIP is also used)
• mobile or remote clients remotely accessing an Intranet/LAN of a company (see PPTP setup for Windows for more information)

Each PPTP connection is composed of a server and a client. The MikroTik RouterOS may function as a server or client, or, for various configurations, it may be the server for some connections and the client for other connections. For example, the client created below could connect to a Windows 2000 server, another MikroTik Router, or another router which supports a PPTP server.

Note that the MS-CHAP authentication and MPPE (RC4) encryption PPTP relies on are considered broken today; where confidentiality against a capable attacker matters, prefer IPsec over PPTP.

Specifications
Packages required: ppp
Home menu level: /interface pptp-server, /interface pptp-client
Protocols utilized: PPTP (RFC 2637)
Hardware usage: Not significant
Related Documents: Software Package Management; IP Addresses and ARP; AAA (Authentication, Authorization and Accounting); EoIP (Ethernet over IP) Tunnel Interface

Description
PPTP is a secure tunnel for transporting IP traffic using PPP. PPTP encapsulates PPP in virtual lines that run over IP. PPTP incorporates PPP and MPPE (Micros
167. aller-id="" password="lkjrht" profile=default local-address=10.0.103.1 remote-address=10.0.103.2 routes=""
[admin@HomeOffice] ppp secret>

Then the user should be added to the L2TP server list:
[admin@HomeOffice] interface l2tp-server> add user=ex
[admin@HomeOffice] interface l2tp-server> print
Flags: X - disabled, D - dynamic, R - running
 #    NAME       USER   MTU   CLIENT-ADDRESS   UPTIME   ENC
 0    l2tp-in1   ex
[admin@HomeOffice] interface l2tp-server>

And finally the server must be enabled:
[admin@HomeOffice] interface l2tp-server server> set enabled=yes
[admin@HomeOffice] interface l2tp-server server> print
          enabled: yes
              mtu: 1460
              mru: 1460
   authentication: mschap2
  default-profile: default
[admin@HomeOffice] interface l2tp-server server>

Add an L2TP client to the RemoteOffice router:
[admin@RemoteOffice] interface l2tp-client> add connect-to=192.168.80.1 user=ex password=lkjrht disabled=no
[admin@RemoteOffice] interface l2tp-client> print
Flags: X - disabled, R - running
 0  R name="l2tp-out1" mtu=1460 mru=1460 connect-to=192.168.80.1 user="ex" password="lkjrht" profile=default add-default-route=no
[admin@RemoteOffice] interface l2tp-client>

Thus an L2TP tunnel is created between the routers. This tunnel is like an Ethernet point-to-point connection between the routers, with IP addresses 10.0.103.1 and 10.0.103.2 at each end. It enables
168. ame: reference name
interface (name): Ethernet-like interface name
lease-time (time; default: 72h): the time that a client may use an address. The client will try to renew this address after half of this time and will request a new address after the time limit expires
address-pool (name | static-only; default: static-only): IP pool from which to take IP addresses for clients. static-only: allow only the clients that have a static lease, i.e. no dynamic addresses will be given to clients, only the ones added in the lease submenu
src-address (IP address; default: 0.0.0.0): the address which the DHCP client must send requests to in order to renew an IP address lease. If there is only one static address on the DHCP server interface and the source address is left as 0.0.0.0, then the static address will be used. If there are multiple addresses on the interface, an address in the same subnet as the range of given addresses should be used
add-arp (yes | no; default: no): whether to add a dynamic ARP entry. no: either ARP mode should be enabled on that interface, or static ARP entries should be administratively defined in the /ip arp submenu
authoritative (yes | no; default: no): whether the DHCP server is the only DHCP server for that network
relay (IP address; default: 0.0.0.0): the IP address of the relay this DHCP server should process requests from. 0.0.0.0: the DHCP server will be used only for direct requests from
169. ame: cyclades1
                    mtu: 1500
          line-protocol: frame-relay
             media-type: V35
             clock-rate: 64000
           clock-source: external
              line-code: B8ZS
           framing-mode: ESF
         line-build-out: 0dB
         rx-sensitivity: short-haul
   frame-relay-lmi-type: ansi
        frame-relay-dce: no
        chdlc-keepalive: 10s
[admin@MikroTik] interface cyclades>

PVC:

[admin@MikroTik] interface pvc> print
Flags: X - disabled, R - running
  #    NAME     MTU    DLCI   INTERFACE
  0  R pvc1     1500   42     cyclades1
[admin@MikroTik] interface pvc>

Cisco router setup:

CISCO# show running-config
Building configuration...
Current configuration:
ip subnet-zero
no ip domain-lookup
frame-relay switching
interface Ethernet0
 description connected to EthernetLAN
 ip address 10.0.0.254 255.255.255.0
interface Serial0
 description connected to Internet
 no ip address
 encapsulation frame-relay IETF
 serial restart-delay 1
 frame-relay lmi-type ansi
 frame-relay intf-type dce
interface Serial0.1 point-to-point
 ip address 1.1.1.2 255.255.255.0
 no arp frame-relay
 frame-relay interface-dlci 42
end

Send a ping to the MikroTik router:

CISCO# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max
CISCO#

Example with MOXA Interface

Let us consider the following network setup with a MikroTik router with a MOXA C502 syn
170. ame (name; default: etherN) - assigned interface name
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol mode
mtu (integer; default: 1500) - Maximum Transmission Unit
disable-running-check (yes | no; default: yes) - disable running check. For broken Ethernet cards it is good to disable running status checking (as default)
mac-address (read-only: MAC address) - Media Access Control address of the card
auto-negotiation (yes | no; default: yes) - when enabled, the interface advertises its maximum capabilities to achieve the best connection possible
full-duplex (yes | no; default: yes) - defines whether the transmission of data appears in two directions simultaneously
long-cable (yes | no; default: no) - changes the cable length setting (only applicable to NS DP83815/6 cards)
speed (10 Mbps | 100 Mbps | 1000 Mbps) - sets the data transmission speed of the interface

Notes

For some Ethernet NICs it is possible to blink the LEDs for 10s. Type interface ethernet blink ether1 and watch the NICs to see the one which has blinking LEDs.

Example

[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
  #    NAME      TYPE    MTU
  0  X ether1    ether   1500
[admin@MikroTik] > interface enable ether1
[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
  #    NAME      TYPE    MTU
  0  R ether1    ether   1500
[admin@MikroTik] > interface ethernet
[admin@Mik
171. ame commands. The difference is expressed mainly in command parameters.

Example

For example, you can issue the ip route print command:

[admin@MikroTik] > ip route print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, r - rip, o - ospf, b - bgp
  #    DST-ADDRESS         G GATEWAY          DISTANCE   INTERFACE
  0  S 0.0.0.0/0           r 192.168.2.1      1          WAN
  1 DC 192.168.124.0/24    r 0.0.0.0          0          LAN
  2 DC 192.168.2.0/24      r 0.0.0.0          0          WAN
  3 DC 192.168.0.0/24      r 0.0.0.0          0          LAN
[admin@MikroTik] >

Instead of typing the ip route path before each command, the path can be typed only once to move into this particular branch of the menu hierarchy. Thus, the example above could also be executed like this:

[admin@MikroTik] > ip route
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, r - rip, o - ospf, b - bgp
  #    DST-ADDRESS         G GATEWAY          DISTANCE   INTERFACE
  0  S 0.0.0.0/0           r 192.168.2.1      1          WAN
  1 DC 192.168.124.0/24    r 0.0.0.0          0          LAN
  2 DC 192.168.2.0/24      r 0.0.0.0          0          WAN
  3 DC 192.168.0.0/24      r 0.0.0.0          0          LAN
[admin@MikroTik] ip route>

Notice that the prompt changes in order to reflect where you are located in the menu hierarchy at the moment. To move to the top level again, type /:

[admin@MikroTik] > ip route
[admin@MikroTik] ip route> /
[admin@MikroTik] >

To move up one command level, type
172. and ICMP headers)
do-not-fragment - if added, packets will not be fragmented
interval (time: 10ms..5s; default: 1s) - delay between messages
count (integer; default: 0) - how many times ICMP packets will be sent
  - 0 - ping continues till Ctrl-C is pressed
ttl (integer: 1..255; default: 255) - Time To Live (TTL) value of the ICMP packet

Notes

If the DNS service is configured, it is possible to ping by DNS name. To do it from Winbox, you should resolve the DNS name first by pressing the right mouse button over the address and choosing Lookup Address.
Packet size may not be greater than the interface's MTU.
If pinging by MAC address, the minimal packet size is 50.
Only neighbouring MikroTik RouterOS routers with the MAC ping feature enabled can be pinged by MAC address.

Example

An example of the ping command:

[admin@MikroTik] > ping 159.148.60.2 count=5 interval=40ms size=64
159.148.60.2 64 byte pong: ttl=247 time=32 ms
159.148.60.2 64 byte pong: ttl=247 time=30 ms
159.148.60.2 64 byte pong: ttl=247 time=40 ms
159.148.60.2 pong timeout
159.148.60.2 64 byte pong: ttl=247 time=28 ms
5 packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max = 28/32.5/40 ms
[admin@MikroTik] >

MAC Ping Server

Home menu level: /tool mac-server ping

Property Description

enabled (yes | no; default: yes) - whether MAC pings to this router are allowed

MAC ping is answered at Layer 2, before the IP firewall is consulted, so any host on the same segment can reach the router with it regardless of the IP filter rules; disable it on interfaces facing untrusted networks.

Example

To disable MAC pings:

[admin@MikroTik] tool mac-server ping> set ena
173. and does one-to-one network address translation so that data may be routed through standard IP networks. Clients may use any preconfigured addresses. If the Universal Client feature is set to translate a client's address to a public IP address, then the client may even run a server or any other service that requires a public IP address. It is possible to add static entries so that some clients will get the specified addresses.

Universal Client changes the source address of each packet just after it is received by the router; even mangle sees the translated address. Note also that arp mode must be enabled on the interface you set Universal Client on.

Universal Client Interface Setup

Home menu level: /ip hotspot universal

Property Description

interface (name) - interface to run Universal Client on
address-pool (name) - IP address pool name
arp (all-arp | no-arp; default: all-arp) - ARP handling mode
  - all-arp - respond to all ARP requests
  - no-arp - respond to ARP requests normally
use-dhcp (yes | no; default: yes) - do not translate the addresses assigned by the DHCP server
idle-timeout (time; default: 5m) - idle timeout (maximal period of inactivity) for clients added dynamically
addresses-per-mac (integer; default: 2) - maximal number of IP addresses assigned to one MAC address

Notes

Setting arp to all-arp is generally a good idea, because in most cases you cannot know what gateway IP address is configured on the c
174. and voltage. Information becomes available not sooner than 2 minutes after boot-up. It is not available if the LM87 chip is not detected successfully. All values are 10-second averages, with short peak values ignored as likely read errors.

Property Description

core - CPU core voltage
3.3v - 3.3V power line voltage
5v - 5V power line voltage
12v - 12V power line voltage
lm87-temp - temperature of the LM87 chip
cpu-temp - temperature of the CPU area
board-temp - temperature of the PCI area
state (read-only: enabled | disabled; default: disabled) - the current state of health monitoring, whether it is enabled or not
state-after-reboot (enabled | disabled; default: disabled) - the state of the health monitor after the reboot

Notes

You cannot change the state on the fly, just control whether health monitoring will be enabled after reboot.
All temperature values are in degrees Celsius.

Example

To check system health:

[admin@MikroTik] > system routerboard health print
                 core: 1.8
                 3.3v: 3.3
                   5v: 5.02
                  12v: 12.25
            lm87-temp: 33
             cpu-temp: 33
           board-temp: 26
                state: enabled
   state-after-reboot: enabled
[admin@MikroTik] >

Hardware Watchdog Management

Home menu level: /system watchdog

Description

Two separate, independent hardware watchdogs are available on RouterBOARD systems. The watchdogs are polled once every 10 seconds. When the router fails to poll a watchdog for a minute (this happens if the system has hung up), the syste
175. aq HNW-100 11Mb/s 802.11b WLAN Card
  - Samsung SWL2000-N 11Mb/s 802.11b WLAN Card
  - Z-Com XI300 11Mb/s 802.11b WLAN Card
  - ZoomAir 4100 11Mb/s 802.11b WLAN Card
  - Linksys WPC11 11Mbps 802.11b WLAN Card
  - Addtron AWP-100 11Mbps 802.11b WLAN Card
  - D-Link DWL-650 11Mbps 802.11b WLAN Card
  - SMC 2632W 11Mbps 802.11b WLAN Card
  - BroMax Freeport 11Mbps 802.11b WLAN Card
  - Intersil PRISM2 Reference Design 11Mb/s WLAN Card
  - Bromax OEM 11Mbps 802.11b WLAN Card (Prism 2.5)
  - Bromax OEM 11Mbps 802.11b WLAN Card (Prism 3)
  - corega K.K. Wireless LAN PCC-11
  - corega K.K. Wireless LAN PCCA-11
  - CONTEC FLEXSCAN/FX-DDS110-PCC
  - PLANEX GeoWave/GW-NS110
  - Ambicom WL1100 11Mbps 802.11b WLAN Card
  - LeArtery SYNCBYAIR 11Mbps 802.11b WLAN Card
  - Intermec MobileLAN 11Mbps 802.11b WLAN Card
  - NETGEAR MA401 11Mbps 802.11 WLAN Card
  - Intersil PRISM Freedom 11Mbps 802.11 WLAN Card
  - OTC Wireless AirEZY 2411-PCC 11Mbps 802.11 WLAN Card
  - Z-Com XI-325HP PCMCIA 200mW Card
  - Z-Com XI-626 Wireless PCI Card

WaveLAN / ORiNOCO

Chipset type: Lucent/Agere/Proxim WaveLAN/ORiNOCO ISA/PC 11 Mbit/s IEEE802.11b
  - WaveLAN Bronze/Gold/Silver ISA/PCMCIA

Aironet Arlan

Specifications

Packages required: arlan

Description

This is the driver for legacy Aironet Arlan cards, not for the newer Cisco Aironet cards.
Chipset type: Aironet Arlan C2200 ISA 2Mbit/s IEEE802.11b
  - Aironet Arlan 655

RadioLAN

Specifications

Packages required: radiolan

Description

This is the driver for legacy RadioLAN cards
176. arbage-collection-interval: 4s
                   hello-time: 2s
              max-message-age: 20s
[admin@MikroTik] interface bridge> enable 0

Port Settings

Home menu level: /interface bridge port

Description

The submenu is used to group interfaces in a particular bridge interface.

Property Description

interface (read-only: name) - interface name
bridge (name; default: none) - the bridge interface the respective interface is grouped in
  - none - the interface is not grouped in a bridge
priority (integer: 0..255; default: 128) - interface priority compared to other interfaces which are destined to the same network
path-cost (integer: 0..65535; default: 10) - path cost to the interface, used by STP to determine the best path

Example

To group ether1 and ether2 in the bridge1 bridge:

[admin@MikroTik] interface bridge port> set ether1,ether2 bridge=bridge1
[admin@MikroTik] interface bridge port> print
  #   INTERFACE   BRIDGE    PRIORITY   PATH-COST
  0   ether1      bridge1   128        10
  1   ether2      bridge1   128        10
  2   wlan1       none      128        10
[admin@MikroTik] interface bridge port>

Bridge Monitoring

Home menu level: /interface bridge host

Property Description

bridge (read-only: name) - the bridge the entry belongs to
mac-address (read-only: MAC address) - the host's MAC address
on-interface (read-only: name) - which of the bridged interfaces the host is connected to
age (read-only: time) - the time since the last packet was re
177. are required if you want to access the AP remotely using telnet or http.

The IP addresses assigned to the wireless interface should be from the network 10.1.1.0/24:

[admin@MikroTik] ip address> add address=10.1.1.12/24 interface=aironet
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS             NETWORK         BROADCAST       INTERFACE
  0   10.1.1.12/24        10.1.1.0        10.1.1.255      aironet
  1   192.168.0.254/24    192.168.0.0     192.168.0.255   Local
[admin@MikroTik] ip address>

The default route should be set to the gateway router 10.1.1.254 (not to the AP, 10.1.1.250):

[admin@MikroTik] ip route> add gateway=10.1.1.254
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, R - rip, O - ospf, B - bgp
  #    DST-ADDRESS         G GATEWAY          DISTANCE   INTERFACE
  0  S 0.0.0.0/0           r 10.1.1.254       1          aironet
  1 DC 192.168.0.0/24      r 0.0.0.0          0          Local
  2 DC 10.1.1.0/24         r 0.0.0.0          0          aironet
[admin@MikroTik] ip route>

Point-to-Point Wireless LAN

Point-to-point links provide a convenient way to connect a pair of clients over a short distance. Let us consider the following point-to-point wireless network setup with two MikroTik wireless routers:

[Figure: Wireless Router A, with interface Public towards the Internet and a wireless interface with ssid b_link, 2.4GHz, mode ad-hoc; the remaining labels of the diagram are not legible in this copy.]
178. are usage: Not significant

Related Documents

  Software Package Management
  Network Time Protocol (NTP)

Description

The Global Positioning System (GPS) is used for determining the precise location of a GPS receiver. There are two types of GPS service:
  - Precise Positioning Service (PPS), which is used only by the U.S. and Allied military, certain U.S. Government agencies and selected civil users specifically approved by the U.S. Government. Its accuracy is 22m horizontally, 27.7m vertically and 200ns of time.
  - Standard Positioning Service (SPS), which can be used by civil users worldwide without charge or restrictions, except that SPS accuracy is intentionally degraded to 100m horizontally, 156m vertically and 340ns of time.

The GPS system is based on 24 satellites on 6 different orbital planes with a 12h orbital period. This means that at least 5, but usually 6 or more, satellites are visible at any time anywhere on the Earth. A GPS receiver calculates a more or less precise position (latitude, longitude and altitude) and time from the signals of 4 satellites (three are used to determine the position and the fourth to correct the time), which broadcast their current positions and UTC time.

MikroTik RouterOS can communicate with many GPS receivers which are able to send positioning and time over an asynchronous serial line using NMEA 0183, NMEA/RTCM or the Simple Text Output Protocol. Precise time is mainly intended to be use
179. asic-rates-a/g: 6Mbps
         supported-rates-b: 1Mbps,2Mbps,5.5Mbps,11Mbps
             basic-rates-b: 1Mbps
         max-station-count: 2007
               ack-timeout: default
                  tx-power: default
     noise-floor-threshold: default
                  wds-mode: static
        wds-default-bridge: none
    default-authentication: yes
        default-forwarding: yes
                 hide-ssid: no
               802.1x-mode: none
[admin@Neighbour] interface wireless>

Now the WDS interface configuration:

[admin@Neighbour] interface wireless wds> add wds-address=00:01:24:70:3A:83 master-interface=wlan1 disabled=no
[admin@Neighbour] interface wireless wds> print
Flags: X - disabled, R - running, D - dynamic
  0  R name="wds1" mtu=1500 mac-address=00:01:24:70:3B:AE arp=enabled disable-running-check=no master-interface=wlan1 wds-address=00:01:24:70:3A:83
[admin@Neighbour] interface wireless wds>

Add the IP address:

[admin@Neighbour] ip address> add address=192.168.25.1/24 interface=wds1
[admin@Neighbour] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS             NETWORK         BROADCAST        INTERFACE
  0   192.168.25.1/24     192.168.25.0    192.168.25.255   wds1
[admin@Neighbour] ip address>

And now you can check whether the WDS link works:

[admin@Neighbour] ip address> ping 192.168.25.2
192.168.25.2 64 byte ping: ttl=64 time=6 ms
192.168.25.2 64 byte ping: ttl=64 time=4 ms
192.168.25.2 64 byte ping: ttl=64 time=4 ms
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg
180. asier: the Tab key completions and the abbreviation of command names.

Completions work similarly to the bash shell in UNIX. If you press the Tab key after a part of a word, the console tries to find the command within the current context that begins with this word. If there is only one match, it is automatically appended, followed by a space:

  inte<Tab>_ becomes interface _

If there is more than one match, but they all have a common beginning which is longer than what you have typed, then the word is completed to this common part and no space is appended:

  interface set e<Tab>_ becomes interface set ether_

If you've typed just the common part, pressing the Tab key once has no effect. However, pressing it for the second time shows all possible completions in compact form:

[admin@MikroTik] > interface set e<Tab>_
[admin@MikroTik] > interface set ether<Tab>_
[admin@MikroTik] > interface set ether<Tab>_
ether1  ether5
[admin@MikroTik] > interface set ether_

The Tab key can be used in almost any context where the console might have a clue about possible values: command names, argument names, arguments that have only several possible values (like names of items in some lists, or the name of a protocol in firewall and NAT rules). You cannot complete numbers, IP addresses and similar values.

Another way to press fewer keys while typing is to abbreviate command and argument names. You can type only the beginning of a command
181. ation

Home menu level: /port

Property Description

name (name; default: serialN) - port name
used-by (read-only: text) - shows the user of the port. Only free ports can be used in PPP setup
baud-rate (integer; default: 9600) - maximal data rate of the port
data-bits (7 | 8; default: 8) - number of bits per character transmitted
parity (none | even | odd; default: none) - character parity check method
stop-bits (1 | 2; default: 1) - number of stop bits after each character transmitted
flow-control (none | hardware | xon-xoff; default: hardware) - flow control method

Notes

Keep in mind that the baud-rate, data-bits, parity, stop-bits and flow-control parameters must be the same for both communicating sides.

Example

[admin@MikroTik] > port print
  #    NAME            USED-BY           BAUD-RATE
  0    serial0         Serial Console    9600
  1    databooster1                      9600
  2    databooster2                      9600
  3    databooster3                      9600
  4    databooster4                      9600
  5    databooster5                      9600
  6    databooster6                      9600
  7    databooster7                      9600
  8    databooster8                      9600
  9    cycladesA1                        9600
  10   cycladesA2                        9600
  11   cycladesA3                        9600
  12   cycladesA4                        9600
  13   cycladesA5                        9600
  14   cycladesA6                        9600
  15   cycladesA7                        9600
  16   cycladesA8                        9600
[admin@MikroTik] > port set 9 baud-rate=38400
[admin@MikroTik] >

PPP Server Setup

Home menu level: /interface ppp-server

Description

The PPP server provides a remote connection service for users. When dialing in, the users can be authenticated locally using the local user database in the u
182. att ... 93
  ... 94
  ... 95
  PPTP Server Setup 96
  PPTP Server Users 96
  PPTP Application Examples 97
  ... 102
Wireless Client and Wireless Access Point Manual 104
  General Information 105
  Wireless Interface Configuration 106
  Registration Table 109
  ... 110
  ... 111
  Virtual Access Point Interface 113
  WDS Interface Configuration 114
  ... 115
  ... 116
  ... 117
  Wireless Security 117
  Wireless Application Examples 119
Ethernet over IP (EoIP) Tunnel Interface 124
  General Information 124
  ... 125
  EoIP Application Example 126
Xpeed SDSL (Single-line Digital Subscriber Line) Interface 129
  General Information 129
  Xpeed Interface Configuration 130
  Frame Relay Configuration Examples 131
  Troubleshooting 132
Arlan 655 2.4GHz 2Mbps Wireless Interface 134
  General Information 134
  ... 134
  Wireless Interface Configuration 135
  Troubleshooting 136
Bridge Interface 138
  General Information 138
  Bridge Interface Setup 139
  Port Settings 140
  Bridge Monitoring 141
  Bridge Firewall 141
  Application Example 143
  ... 145
Moxa C101 Synchronous Interface
183. ault priority=7 max-limit=131072 burst-limit=0 burst-threshold=0 burst-time=0
  5 name="Local_Down" parent=Down flow=Local_Down limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0
[admin@MikroTik] queue tree>

Export and Import

Document revision 2.1 (23 Dec 2003)
This document applies to MikroTik RouterOS V2.8

Table of Contents
  Summary
  Specifications
  Related Documents
  Description
  The Export Command
    Example
  The Import Command
    Description
    Example

General Information

Summary

The configuration export feature is used to dump a part of, or the whole, RouterOS configuration. It can then be edited and imported into the same or another router.

Specifications

Packages required: system
License required: Any
Home menu level: /
Protocols utilized: None
Hardware usage: Not significant

Related Documents
  Software Package Management
  IP Addresses and Address Resolution Protocol (ARP)
  Configuration Backup and Restore

Description

The configuration export can be used for dumping the MikroTik RouterOS configuration to the console screen or to a text (script) file, which can be downloaded from the router using FTP. The configuration import can be used to import a router configuration script from a text file.

Treat the exported script as sensitive: it reproduces the configuration including its credentials (for example PPP secrets and IPsec pre-shared keys), and FTP transfers it without encryption.

The export command prints a script that can be used to restore the configuration. The command can be invoked at any menu level an
184. ave your service name empty.

Property Description

service-name (text) - the PPPoE service name
mtu (integer; default: 1480) - Maximum Transmission Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 20 (so, for a 1500-byte Ethernet link, set the MTU to 1480 to avoid fragmentation of packets)
mru (integer; default: 1480) - Maximum Receive Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 20 (so, for a 1500-byte Ethernet link, set the MRU to 1480 to avoid fragmentation of packets)
authentication (multiple choice: mschap2 | mschap1 | chap | pap; default: mschap2,mschap1,chap,pap) - authentication algorithm
keepalive-timeout - defines the time period in seconds after which the router starts sending keepalive packets every second. If no traffic and no keepalive responses have come for that period of time (i.e. 2 * keepalive-timeout), the non-responding client is proclaimed disconnected
one-session-per-host (yes | no; default: no) - allow only one session per host (determined by MAC address). If a host tries to establish a new session, the old one will be closed
default-profile (name; default: default) - default profile to use

Notes

The default authentication list also offers pap, which sends the user's password in clear text over the link; on segments that are not trusted, restrict the list to mschap2 (adding chap only for clients that cannot do better).

The default keepalive-timeout value of 10 is OK in most cases. If you set it to 0, the router will not disconnect clients until they log out or the router is restarted. To resolve this problem, the one-session-per-h
185. before the SA is discarded
  - 0 - SA expiration will not be due to byte count excess

Notes

AES (Advanced Encryption Standard) encryption algorithms are much faster than DES, so it is recommended to use this algorithm class whenever possible. AES-128 is adequate for most deployments; use AES-256 where a larger key is required by policy. DES, with its 56-bit key, should be treated as a legacy algorithm.

Both peers MUST have the same encryption and authentication algorithms, DH group and exchange mode. Some legacy hardware may support only DES and MD5. Note that the defaults shown in the print output below (hash-algorithm=md5, enc-algorithm=3des, dh-group=modp1024) are the weakest options offered; set the algorithms explicitly for every peer rather than relying on them.

You should set the generate-policy flag to yes only for trusted peers, because there is no verification done for the established policy. To protect yourself against possible unwanted events, add policies with action=accept for all networks you don't want to be encrypted at the top of the policy list. Since dynamic policies are added at the bottom of the list, they will not be able to override your configuration.

Example

To define a new peer configuration for the 10.0.0.147 peer with the secret gwejimezyfopmekun:

[admin@WiFi] ip ipsec peer> add address=10.0.0.147/32 secret="gwejimezyfopmekun"
[admin@WiFi] ip ipsec peer> print
Flags: X - disabled
  0   address=10.0.0.147/32:500 secret="gwejimezyfopmekun" generate-policy=no exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
[admin@
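The ordering rule in the notes above, shown as an added example that is not part of the RouterOS manual or of MikroTik's code: a first-match walk over an ordered policy list, with peer-generated policies appended at the bottom the way generate-policy=yes adds them. The Policy fields, the decide() helper and the 192.168.0.0/24 LAN and 10.0.0.0/8 selectors are constructed for illustration and are assumptions, not RouterOS data structures.

```python
"""Why static accept policies go at the top of /ip ipsec policy.

Model (assumption, not RouterOS code): the list is evaluated top to bottom and
the first policy whose src/dst selectors contain the packet decides what
happens to it. A policy created by generate-policy=yes for a peer is appended
at the bottom, so a static accept (send in clear) policy above it wins.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    src: str                # source selector, CIDR
    dst: str                # destination selector, CIDR
    action: str             # "accept" (bypass IPsec) or "encrypt"
    dynamic: bool = False   # True when proposed by a peer via generate-policy


def first_match(policies, src_ip, dst_ip):
    """Return the first policy whose selectors contain (src_ip, dst_ip)."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for p in policies:
        if s in ip_network(p.src) and d in ip_network(p.dst):
            return p
    return None


def add_dynamic(policies, src, dst):
    """Mimic generate-policy: the peer-proposed selectors land at the bottom."""
    policies.append(Policy(src, dst, "encrypt", dynamic=True))


def decide(policies, src_ip, dst_ip):
    """Action applied to a packet, or 'none' if no policy covers it."""
    p = first_match(policies, src_ip, dst_ip)
    return "none" if p is None else p.action


def demo():
    # Constructed scenario: traffic from the 192.168.0.0/24 LAN must never be
    # diverted into a tunnel, whatever a peer proposes.
    with_bypass = [Policy("192.168.0.0/24", "0.0.0.0/0", "accept")]
    without_bypass = []       # operator forgot the static accept policy
    # An untrusted peer with generate-policy=yes proposes selectors that
    # cover the whole LAN towards 10.0.0.0/8.
    for lst in (with_bypass, without_bypass):
        add_dynamic(lst, "192.168.0.0/24", "10.0.0.0/8")
    return (decide(with_bypass, "192.168.0.5", "10.1.2.3"),
            decide(without_bypass, "192.168.0.5", "10.1.2.3"))


if __name__ == "__main__":
    print(demo())   # ('accept', 'encrypt')
```

The second value is the unwanted event the manual warns about: with no static policy ahead of it, the peer-proposed policy silently redirects LAN traffic into the tunnel to that peer.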
186. ble than the numbers and also more informative, so you should prefer them to numbers when writing console scripts.

Notes

Item numbers are assigned by the print command and are not constant: it is possible that two successive print commands will order items differently. But the results of the last print command are memorized, and thus, once assigned, item numbers can be used even after add, remove and move operations (after a move operation, item numbers are moved with the items). Item numbers are assigned on a per-session basis; they will remain the same until you quit the console or until the next print command is executed. Also, numbers are assigned separately for every item list, so ip address print would not change the numbers for the interface list.

Example

[admin@MikroTik] interface> set 0 mtu=1200
ERROR: item numbers not assigned
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME    TYPE    MTU
  0  R WAN     ether   1500
  1  R LAN     ether   1500
[admin@MikroTik] interface> set 0
disabled  mtu  name
[admin@MikroTik] interface> set 0 mtu=1200
[admin@MikroTik] interface> set LAN mtu=1300
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME    TYPE    MTU
  0  R WAN     ether   1200
  1  R LAN     ether   1300
[admin@MikroTik] interface>

Quick Typing

Description

There are two features in the console that help entering commands much quicker and e
187. ble the L2TP server:

[admin@MikroTik] interface l2tp-server server> set enabled=yes
[admin@MikroTik] interface l2tp-server server> print
           enabled: yes
               mtu: 1460
               mru: 1460
    authentication: mschap2
   default-profile: default
[admin@MikroTik] interface l2tp-server server>

L2TP Server Users

Home menu level: /interface l2tp-server

Description

There are two types of items in the L2TP server configuration: static users and dynamic connections. A dynamic connection can be established if the user database or the default profile has its local-address and remote-address set correctly.

When static users are added, the default profile may be left with its default values and only the P2P user (in ppp secret) should be configured. Note that in both cases P2P users must be configured properly.

Property Description

name (name) - interface name
user (text) - the name of the user that is configured statically or added dynamically
mtu - shows the client's MTU
client-address - shows the IP address of the connected client
uptime - shows how long the client has been connected
encoding (text) - encryption and encoding (if asymmetric, separated with '/') used in this connection

Example

To add a static entry for the ex1 user:

[admin@MikroTik] interface l2tp-server> add user=ex1
[admin@MikroTik] interface l2tp-server> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME        USER   MTU   CLIENT-ADD
188. ble can be managed in the ip route submenu as well:

[admin@MikroTik] ip policy-routing> table main
[admin@MikroTik] ip policy-routing table main> print
Flags: X - disabled, I - invalid, D - dynamic, R - rejected
  #    TYPE      DST-ADDRESS         G GATEWAY          DISTANCE   INTERFACE
  0    static    192.168.1.0/24      r 192.168.0.50     1          Local
  1    static    0.0.0.0/0           r 10.0.0.1         1          Public
  2  D connect   192.168.0.0/24      r 0.0.0.0          0          Local
  3  D connect   10.0.0.0/24         r 0.0.0.0          0          Public
[admin@MikroTik] ip policy-routing table main>
[admin@MikroTik] ip policy-routing table main> /ip route print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, R - rip, O - ospf, B - bgp
  #    DST-ADDRESS         G GATEWAY          DISTANCE   INTERFACE
  0  S 192.168.1.0/24      r 192.168.0.50     1          Local
  1  S 0.0.0.0/0           r 10.0.0.1         1          Public
  2 DC 192.168.0.0/24      r 0.0.0.0          0          Local
  3 DC 10.0.0.0/24         r 0.0.0.0          0          Public
[admin@MikroTik] ip policy-routing table main>

To add a new table named mt:

[admin@MikroTik] ip policy-routing> add name=mt
[admin@MikroTik] ip policy-routing> print
Flags: D - dynamic
  #    NAME
  0    mt
  1  D main
[admin@MikroTik] ip policy-routing>

To add the route to the 10.5.5.0/24 network via the 10.0.0.22 gateway to the mt table:

[admin@MikroTik] ip policy-routing> table mt
[admin@MikroTik] ip policy-routing table mt> add dst-address=10.5.5.0/24 gateway=10.0.0.22
[admin@MikroTik]
189. ble to connect it with the appropriate ICMP request
icmp-option (read-only: integer) - the ICMP type and code fields
reply-icmp-id (read-only: integer) - contains the ICMP ID of the received packet
reply-icmp-option (read-only: integer) - the ICMP type and code fields of the received packet
unreplied (read-only: true | false) - shows whether the request was unreplied

Example

[admin@test_1] ip firewall connection> print
Flags: U - unreplied, A - assured
  #     SRC-ADDRESS           DST-ADDRESS             PR    TCP-STATE     TIMEOUT
  0  U  0.0.0.0:5678          255.255.255.255:5678    udp                 1s
  1  U  1.1.1.1:49679         255.255.255.255:5678    udp                 1s
  2  U  (not legible)         (not legible)           udp                 27s
  3  A  10.1.0.128:2413       (not legible):23        tcp   established   4d22h24m14s
  4  U  10.1.0.157:5678       255.255.255.255:5678    udp                 0s
  5  U  10.1.0.172:5678       255.255.255.255:5678    udp                 24s
  6  U  10.1.0.175:5678       255.255.255.255:5678    udp                 25s
  7  U  10.1.0.209:5678       255.255.255.255:5678    udp                 25s
  8  U  10.1.0.212:5678       255.255.255.255:5678    udp                 22s
  9  A  10.5.7.242:32846      10.10.1.1:23            tcp   established   4d23h59m59s
 10  A  10.5.7.242:32933      10.10.1.1:23            tcp   established   4d23h59m59s
 11  U  10.10.1.11:5678       255.255.255.255:5678    udp                 12s
 12  U  10.10.10.1:5678       255.255.255.255:5678    udp                 24s
[admin@test_1] ip firewall connection>

The unreplied udp entries to 255.255.255.255:5678 are MikroTik neighbour discovery broadcasts and are normal on a segment with several RouterOS devices. The assured tcp entries to port 23 are telnet sessions to a router, i.e. management traffic carried in clear text; they stand out in this table and are the kind of entry worth reviewing when looking for unexpected administrative access.
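An added example, not part of the RouterOS manual: a parser for the ip firewall connection print layout shown above and a small triage pass over it, separating the neighbour-discovery broadcasts (udp to 255.255.255.255:5678) from the rest, converting the TIMEOUT column into seconds and listing the assured telnet (tcp/23) sessions. The SAMPLE table is constructed to match the print format and is not taken from a real router; the column order and the d/h/m/s timeout notation follow the output above, everything else is an assumption of this example.

```python
"""Parse '/ip firewall connection print' output and triage the entries."""
import re
from collections import Counter

# Constructed sample in the print layout shown above (not a real capture).
SAMPLE = """Flags: U - unreplied, A - assured
 #   SRC-ADDRESS           DST-ADDRESS            PR   TCP-STATE    TIMEOUT
 0 U 10.1.0.157:5678       255.255.255.255:5678   udp               0s
 1 U 10.1.0.172:5678       255.255.255.255:5678   udp               24s
 2 A 10.1.0.128:2413       10.10.1.1:23           tcp  established  4d22h24m14s
 3 A 10.5.7.242:32846      10.10.1.1:23           tcp  established  4d23h59m59s
 4 U 10.1.0.200:40000      10.10.1.1:22           tcp  syn-sent     1m
"""

_TIME = re.compile(r"(\d+)([dhms])")
_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_timeout(text):
    """'4d22h24m14s' -> seconds; unknown units are simply not matched."""
    return sum(int(n) * _UNITS[u] for n, u in _TIME.findall(text))


def parse_connections(text):
    """Return one dict per table row; legend and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue                      # 'Flags:' legend or '#' header
        i = 1
        flags = ""
        if parts[i] in ("U", "A"):        # flag column is optional
            flags = parts[i]
            i += 1
        src, dst, proto = parts[i], parts[i + 1], parts[i + 2]
        rest = parts[i + 3:]              # [state, timeout] or [timeout]
        state = rest[0] if len(rest) == 2 else ""
        s_ip, s_port = src.rsplit(":", 1)
        d_ip, d_port = dst.rsplit(":", 1)
        rows.append({"id": int(parts[0]), "flags": flags,
                     "src": s_ip, "sport": int(s_port),
                     "dst": d_ip, "dport": int(d_port),
                     "proto": proto, "state": state,
                     "timeout": parse_timeout(rest[-1])})
    return rows


def triage(rows):
    """Split discovery noise from entries an operator should look at."""
    mndp = [r for r in rows if r["proto"] == "udp" and r["dport"] == 5678
            and r["dst"] == "255.255.255.255"]
    telnet = [r for r in rows if r["proto"] == "tcp" and r["dport"] == 23
              and "A" in r["flags"]]
    unreplied = Counter(r["proto"] for r in rows
                        if "U" in r["flags"] and r not in mndp)
    return {"mndp": len(mndp),
            "telnet_assured": [(r["src"], r["timeout"]) for r in telnet],
            "unreplied": dict(unreplied)}


if __name__ == "__main__":
    print(triage(parse_connections(SAMPLE)))
```

On the sample this reports two discovery broadcasts, two assured telnet sessions (with their remaining timeout in seconds) and one unreplied tcp entry, the half-open ssh attempt, which is exactly the residue left once the expected noise is filtered out.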
190. bled=no
[admin@MikroTik] tool mac-server ping> print
    enabled: no
[admin@MikroTik] tool mac-server ping>

Quality of Service

Document revision 1.1 (06.09.2003)
This document applies to MikroTik RouterOS V2.8

Table of Contents
  Summary
  Specifications
  Related Documents
  Description
  Additional Documents
  Queue Types
    Description
    Property Description
    Notes
    Example
  Interface Default Queues
    Property Description
    Example
  Configuring Simple Queues
    Description
    Property Description
    Notes
    Example
  Configuring Queue Trees
    Description
    Property Description
    Notes
    Example
  Troubleshooting
    Description
  Queue Applications
    Description
    Example of Emulating a 128k/64k Line
    Example of Guaranteed Quality of Service

General Information

Summary

Queuing is a mechanism that controls data rate allocation, delay variability, timely delivery and delivery reliability. The MikroTik RouterOS supports the following queuing mechanisms:
  - PFIFO - Packets First-In First-Out
  - BFIFO - Bytes First-In First-Out
  - SFQ - Stochastic Fair Queuing
  - RED - Random Early Detection
  - HTB - Hierarchical Token Bucket
  - PCQ - Per Connection Queue

Queuing can be used for limiting the data rate for certain IP addresses, protocols or ports. Queuing is performed for packets leaving the router through a real interface. It means that the queues should always be configured on
191. board serial port
debug-level (none | low | high) - BIOS output debug level
  - none - no debugging output
  - low - show only some debugging information
  - high - show all debugging information about the boot process
boot-delay (time: 0s..10s; default: 1s) - how long to wait for a keystroke while booting
beep-on-boot (yes | no; default: yes) - whether to beep during the boot procedure to indicate that it has succeeded
vga-to-serial (yes | no; default: yes) - whether to map VGA output to the serial console. Should be enabled if working via a serial terminal (gives much more output)
memory-test (yes | no; default: no) - whether to test all the RAM during the boot procedure. Regardless of the choice, the first megabyte of RAM will be tested anyway. Enabling this option makes the boot process longer

Example

To set the high debug level with the RAM test:

[admin@MikroTik] > system routerboard bios print
        baud-rate: 9600
      debug-level: low
       boot-delay: 1s
     beep-on-boot: yes
    vga-to-serial: yes
      memory-test: no
[admin@MikroTik] > system routerboard bios set debug-level=high memory-test=yes
[admin@MikroTik] > system routerboard bios print
        baud-rate: 9600
      debug-level: high
       boot-delay: 1s
     beep-on-boot: yes
    vga-to-serial: yes
      memory-test: yes
[admin@MikroTik] >

System Health Monitoring

Home menu level: /system routerboard health

Description

The LM87 health controller chip provides some measurements of temperature
192. bout variables. All global variables in the system are listed under the heading Global Variables. All variables that are introduced in this script (local variables introduced by local or created by for or foreach statements, global variables introduced by global; in short, all variables that can be used within the current script) are listed under the heading Local Variables.

[admin@MikroTik] > environment print
Global Variables
  g1 = this is global variable
Local Variables
  g1 = this is global variable
  l1 = this is local variable
  counter = 2
[admin@MikroTik] >

Special Actions

Description

Monitor

It is possible to access values that are shown by most monitor actions from scripts. If the monitor action has a do argument, it can be supplied either with a script name (see system scripts) or with console commands.

Get

It is also possible to access from scripts the values that are shown by most print actions. Most command levels that have a print action also have a get action. It has one or two arguments. If this command level's get action deals with a list of items, the first argument is the name or the internal number of an item. The second argument is the name of the item's property which should be returned.

Notes

The monitor action with a do argument can also be called directly from scripts. It will not print anything then, just execute the given script.
The names of properties that can be accessed by get are the same as shown by the print action, plus name
193. bytes-out, he/she will not be able to log in anymore. The statistics are updated each time a user logs out, if the user is authenticated via the local user database. It means that if a user is currently logged in, the statistics will not show current total values. Use the /ip hotspot active submenu to view the statistics on the current user sessions.
Example
To add user Ex with password Ex that is allowed to log in only with 01:23:45:67:89:AB MAC address and is limited to 1 hour of work:
  [admin@MikroTik] ip hotspot user> add name=Ex password=Ex mac-address=01:23:45:67:89:AB limit-uptime=1h
  [admin@MikroTik] ip hotspot user> print
  Flags: X - disabled
    #   NAME   ADDRESS   MAC-ADDRESS         PROFILE   UPTIME
    0   Ex     0.0.0.0   01:23:45:67:89:AB   default   0s
  [admin@MikroTik] ip hotspot user> print detail
  Flags: X - disabled
    0   name="Ex" password="Ex" address=0.0.0.0 mac-address=01:23:45:67:89:AB profile=default routes="" limit-uptime=1h limit-bytes-in=0 limit-bytes-out=0 uptime=0s bytes-in=0 bytes-out=0 packets-in=0 packets-out=0
  [admin@MikroTik] ip hotspot user>

HotSpot Active Users
Home menu level: /ip hotspot active
Description
The active user list shows the list of currently logged in users. Nothing can be changed here, except that a user can be logged out with the remove command.
Property Description
user (read-only: name) - name of the user
domain (read-only: text) - domain of the user (if split fr
194. c-address=192.168.0.0/24 action=jump comment="limit access for unauthorized hotspot clients"
  /ip firewall rule input add src-address=192.168.0.0/24 dst-port=80 protocol=tcp action=accept comment="accept requests for hotspot servlet"
  /ip firewall rule input add src-address=192.168.0.0/24 dst-port=443 protocol=tcp action=accept comment="accept requests for hotspot servlet"
  /ip firewall rule input add src-address=192.168.0.0/24 dst-port=67 protocol=udp action=accept comment="accept requests for local DHCP server"
  /ip firewall rule input add src-address=192.168.0.0/24 action=jump jump-target=hotspot-temp comment="limit access for unauthorized hotspot clients"
  /ip firewall rule hotspot-temp add protocol=icmp action=return comment="allow ping requests"
  /ip firewall rule hotspot-temp add protocol=udp dst-port=53 action=return comment="allow dns requests"
  /ip firewall rule hotspot-temp add action=reject comment="reject access for unauthorized hotspot clients"
13. Add hotspot chain:
  /ip firewall add name=hotspot comment="account authorized hotspot clients"
14. Pass all through-going traffic to the hotspot chain:
  /ip firewall rule forward add action=jump jump-target=hotspot comment="account traffic for authorized hotspot clients"
Note that in order to use SSL authentication you should install an SSL certificate. This topic is not covered by this manual section. Please see the respective manual section on how to install certificates in MikroTik RouterOS.

HotSpot Step-by-Step User Guide for enabled-address Method
Description
Let u
195. cations
Packages required: system
Description
Linksys HomeLink PhoneLine Network Card (up to 10Mbit/s home network over telephone line)

LCD
Specifications
Packages required: lcd
Description
  - Crystalfontz Intelligent Serial LCD Module 632 (16x2 characters) and 634 (20x4 characters)
  - Powertip Character LCD Module PC2404 (24x4 characters)

PCMCIA Adapters
Specifications
Packages required: system
Description
  - Vadem VG-469 PCMCIA-ISA adapter (one or two PCMCIA ports)
  - RICOH PCMCIA-PCI Bridge with R5C475 II or RC476 I chip (one or two PCMCIA ports)
  - CISCO Aironet PCMCIA adapter (ISA and PCI versions, for CISCO Aironet PCMCIA cards only)

Device Driver Management
Document revision 2.1.0 (15-Jan-2003)
This document applies to MikroTik RouterOS V2.8
Table of Contents: Summary; Related Documents; Loading Device Drivers (Description, Property Description, Notes, Example); Removing Device Drivers (Description); Notes on PCMCIA Adapters (Description, Notes)
General Information
Summary
Device drivers represent the software interface part of installed network devices. Some drivers are included in the system software package and some in additional feature packages. For a complete list of supported devices and respective device driver names please consult the Related Documents section. The device drivers for PCI, miniPCI, PC, PCMCIA and CardBus cards are loaded automatically. Other netw
196. ce and then the PVC interface.
Property Description
name (name; default: pvcN) - assigned name of the interface
mtu (integer; default: 1500) - Maximum Transmission Unit of an interface
dlci (integer; default: 16) - Data Link Connection Identifier assigned to the PVC interface
interface (name) - Frame Relay interface
Notes
A DLCI is a channel number (Data Link Connection Identifier) which is attached to data frames to tell the network how to route the data. Frame Relay is statistically multiplexed, which means that only one frame can be transmitted at a time, but many logical connections can co-exist on a single physical line. The DLCI allows the data to be logically tied to one of the connections, so that once it gets to the network it knows where to send it.
Frame Relay Configuration Example with Cyclades Interface
Let us consider the following network setup with a MikroTik router with Cyclades PC300 interface connected to a leased line with baseband modems and a Cisco router at the other end.
  [admin@MikroTik] ip address> add interface=pvc1 address=1.1.1.1 netmask=255.255.255.0
  [admin@MikroTik] ip address> print
  Flags: X - disabled, I - invalid, D - dynamic
    #   ADDRESS      NETWORK   BROADCAST   INTERFACE
    0   1.1.1.1/24   1.1.1.0   1.1.1.255   pvc1
  [admin@MikroTik] ip address>
PVC and Cyclades interface configuration:
  - Cyclades
  [admin@MikroTik] interface cyclades> print
  Flags: X - disabled, R - running
    0 R n
197. ce appears as an Ethernet interface. When the bridging function of the router is enabled, all Ethernet traffic (all Ethernet protocols) will be bridged just as if there were a physical Ethernet interface and cable between the two routers (with bridging enabled). This protocol makes multiple network schemes possible.
Network setups with EoIP interfaces:
  - Possibility to bridge LANs over the Internet
  - Possibility to bridge LANs over encrypted tunnels
  - Possibility to bridge LANs over 802.11b ad-hoc wireless networks
Specifications
Packages required: system
Home menu level: /interface eoip
Protocols utilized: GRE (RFC 1701)
Hardware usage: Not significant
Related Documents
  - Software Package Management
  - IP Addresses and ARP
  - Bridge Interfaces
  - PPTP (Point-to-Point Tunnel Protocol) Interface
Description
An EoIP interface should be configured on two routers that have the possibility for an IP level connection. The EoIP tunnel may run over an IPIP tunnel, a PPTP 128bit encrypted tunnel, a PPPoE connection, or any connection that transports IP.
EoIP itself adds neither encryption nor authentication: the bridged frames travel in plain GRE, so a LAN bridged across an untrusted network should be carried inside an encrypted tunnel, and the endpoints should be firewalled to accept GRE only from the peer's address.
Specific Properties:
  - Each EoIP tunnel interface can connect with one remote router which has a corresponding interface configured with the same Tunnel ID.
  - The EoIP interface appears as an Ethernet interface under the interface list.
  - This interface supports all features of an Ethernet interface. IP addresses and other tunnels may be run over the interf
198. ceived
login-mac-universal (yes | no; default: no) - whether to log in every host of Universal Client instantly in case it has its MAC address listed in the HotSpot user list
split-user-domain (yes | no; default: no) - whether to split username from domain name when the username is given in user@domain or in domain\user format
Command Description
reset-html - overwrite the existing HotSpot servlet with the original HTML files. It is used if you have changed the servlet and it is not working after that.
Notes
If the dns-name property is not specified, hotspot-address is used instead. If hotspot-address is also absent, then both are to be detected automatically.
If auth-mac is enabled, then a client is not prompted for username and password if the MAC address of this computer is in the HotSpot user database (either local or on RADIUS). Nevertheless, this method does not excuse clients from the common login procedure, just from filling out the registration form, i.e. regardless of whether MAC authorization is applicable for a client, he/she should open the Login page in order to get registered. The only exception is the users of Universal Client: if the login-mac-universal property is enabled, they will not even have to open a web browser if their MAC addresses are listed in the user database.
Keep in mind that a MAC address is a client-supplied identifier that is trivially changed, so MAC authorization (and the per-user mac-address restriction) identifies a network card, not a person: anyone on the same segment who learns an authorized MAC can present it. Treat it as a convenience, not as a substitute for a password.
The universal proxy feature automatically creates DST-NAT rules to redirect requests of each particular user to the proxy server he/she is using (it may be set in
199. ceived from the host
Example
To get the active host table:
  [admin@MikroTik] interface bridge host> print
  Flags: L - local
    BRIDGE    MAC-ADDRESS         ON-INTERFACE   AGE
    bridge1   00:00:B4:5B:A6:58   ether1         4m48s
    bridge1   00:30:4F:18:58:17   ether1         4m50s
  L bridge1   00:50:08:00:00:F5   ether1         0s
  L bridge1   00:50:08:00:00:F6   ether2         0s
    bridge1   00:60:52:0B:B4:81   ether1         4m50s
    bridge1   00:C0:DF:07:5E:E6   ether1         4m46s
    bridge1   00:E0:C5:6E:23:25   prism1         4m48s
    bridge1   00:E0:F7:7F:0A:B8   ether1         1s
  [admin@MikroTik] interface bridge host>

Bridge Firewall
Home menu level: /interface bridge firewall
Description
Traffic between bridged interfaces can be filtered. Note that packets between bridged interfaces are also passed through the generic ip firewall rules, so they can even be NATted. These rules can be used with real physical receiving/transmitting interfaces as well as with the bridge interface that simply groups bridged interfaces.
Property Description
mac-src-address (MAC address; default: 00:00:00:00:00:00) - MAC address of the source host
mac-dst-address (MAC address; default: 00:00:00:00:00:00) - MAC address of the destination host
out-interface (name; default: all) - interface the packet is leaving the bridge through
  - all - any interface
in-interface (name; default: all) - interface the packet has entered the bridge through
  - all - any interface
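The bridge firewall rules above key on mac-src-address and in-interface, which only mean what they say while a given MAC stays on the port where it was learned. As an added example (not RouterOS or MikroTik code), the script below parses two successive `/interface bridge host print` tables in the format shown above and reports MAC addresses whose learned interface changed between them, the symptom of either a bridging loop or a host cloning another host's address. The first snapshot repeats rows from the manual's output; the second snapshot is constructed, and the move of 00:E0:F7:7F:0A:B8 to ether2 is invented for the demonstration.

```python
"""Detect MAC addresses that moved between bridge ports by diffing two
snapshots of `/interface bridge host print` output (added example; the
second snapshot is constructed, the moved host is invented)."""
import re
from typing import Dict, List, Tuple

# One table row: optional "L" flag, bridge name, MAC, interface, age.
ROW = re.compile(
    r"^\s*(?P<local>L)?\s*(?P<bridge>\S+)\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<iface>\S+)\s+(?P<age>\S+)\s*$")

SNAPSHOT_1 = """\
Flags: L - local
  BRIDGE    MAC-ADDRESS         ON-INTERFACE   AGE
  bridge1   00:00:B4:5B:A6:58   ether1         4m48s
L bridge1   00:50:08:00:00:F5   ether1         0s
L bridge1   00:50:08:00:00:F6   ether2         0s
  bridge1   00:E0:C5:6E:23:25   prism1         4m48s
  bridge1   00:E0:F7:7F:0A:B8   ether1         1s
"""

SNAPSHOT_2 = """\
Flags: L - local
  BRIDGE    MAC-ADDRESS         ON-INTERFACE   AGE
  bridge1   00:00:B4:5B:A6:58   ether1         5m10s
L bridge1   00:50:08:00:00:F5   ether1         0s
L bridge1   00:50:08:00:00:F6   ether2         0s
  bridge1   00:E0:C5:6E:23:25   prism1         5m10s
  bridge1   00:E0:F7:7F:0A:B8   ether2         2s
"""


def parse_hosts(text: str) -> Dict[Tuple[str, str], Tuple[str, bool]]:
    """Map (bridge, MAC) -> (interface, is_local); header lines do not match ROW."""
    table: Dict[Tuple[str, str], Tuple[str, bool]] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m is None:
            continue
        key = (m.group("bridge"), m.group("mac").upper())
        table[key] = (m.group("iface"), m.group("local") == "L")
    return table


def moved_hosts(before: Dict[Tuple[str, str], Tuple[str, bool]],
                after: Dict[Tuple[str, str], Tuple[str, bool]]) -> List[str]:
    """Report every MAC learned on a different interface in the later snapshot.
    A router-own (L) entry moving should never happen and is flagged louder."""
    findings = []
    for key, (iface_new, local) in after.items():
        old = before.get(key)
        if old is None or old[0] == iface_new:
            continue
        kind = "LOCAL MAC MOVED" if local or old[1] else "mac moved"
        findings.append(f"{kind}: {key[1]} on {key[0]} {old[0]} -> {iface_new}")
    return findings


if __name__ == "__main__":
    for finding in moved_hosts(parse_hosts(SNAPSHOT_1), parse_hosts(SNAPSHOT_2)):
        print(finding)
```

In practice the two snapshots come from two `print` runs a few seconds apart (or from a script on the router that is also given in this manual's scripting section); a MAC that keeps moving between a wireless and a wired port is the case where a bridge firewall rule that accepts by mac-src-address on one interface should be reviewed.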
200. centage
when operating on-line, the UPS's internal operating frequency is synchronized to the line within variations within 3 Hz of the nominal 50 or 60 Hz. The typical accuracy of this measurement is 1% of the full scale value of 63 Hz.
Example
When running on utility power:
  [admin@MikroTik] system ups> monitor
            on-line: yes
         on-battery: no
      run-time-left: 11m
     battery-charge: 100%
    battery-voltage: 13
       line-voltage: 221
     output-voltage: 221
               load: 57%
          frequency: 50
  [admin@MikroTik] system ups>
When running on battery:
  [admin@MikroTik] system ups> monitor
            on-line: no
         on-battery: yes
     transfer-cause: utility voltage notch or spike detected
      run-time-left: 9m
     battery-charge: 95%
    battery-voltage: 11
  [admin@MikroTik] system ups>

Network Time Protocol (NTP)
Document revision 2.0.1 (30-Dec-2003)
This document applies to MikroTik RouterOS V2.8
Table of Contents: Summary; Specifications; Related Documents; Description; Client (Property Description, Example); Server (Property Description, Notes, Example); Time Zone (Notes, Example)
General Information
Summary
The NTP protocol allows synchronizing time among computers in a network. It is good if there is an internet connection available and the local NTP server is synchronized to a correct time source. A list of public NTP servers is available at
201. ch will connect to other APs. This is just a simple example of how to get a connection between APs using WDS. Afterwards you can bridge it with the wireless and/or ethernet interface.
Let us consider the following example:
  [diagram: Router Home (ssid: wds-test, IP Address: 192.168.0.2, Network Mask: 255.255.255.0) -- Router Neighbour (ssid: wds-test, IP Address: 192.168.0.1, Network Mask: 255.255.255.0)]
Router Home configuration
At first we should configure the wireless interface for router Home:
  [admin@Home] interface wireless> set wlan1 mode=ap-bridge ssid=wds-test wds-mode=static disabled=no
  [admin@Home] interface wireless> print
  Flags: X - disabled, R - running
    0   name="wlan1" mtu=1500 mac-address=00:01:24:70:3A:83 arp=enabled disable-running-check=no interface-type=Atheros AR5211 mode=ap-bridge ssid="wds-test" frequency=5120 band=5GHz scan-list=default-ism supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-a/g=6Mbps supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps basic-rates-b=1Mbps max-station-count=2007 ack-timeout=default tx-power=default noise-floor-threshold=default wds-mode=static wds-default-bridge=none default-authentication=yes default-forwarding=yes hide-ssid=no 802.1x-mode=none
  [admin@Home] interface wireless>
As printed, the AP keeps default-authentication=yes, so stations not covered by the access list may still associate; tighten that, and add link-layer encryption, before a LAN is bridged over this link.
We should add and configure a WDS interface. Note that the value of wds-a
202. changes from unknown or down to up
down-script (name) - a console script that is executed once when the state of a host changes from unknown or up to down
since (read-only: time) - indicates when the state of the host changed last time
status (read-only: up | down | unknown) - shows the current status of the host
  - up - the host is up
  - down - the host is down
  - unknown - after any properties of this list entry were changed, or the item is enabled or disabled

UPS Monitor
Document revision 2.0 (29-Dec-2003)
This document applies to MikroTik RouterOS V2.8
Table of Contents: Summary; Specifications; Related Documents; Description; UPS Monitor Setup (Property Description, Notes, Example); Runtime Calibration (Description, Notes, Example); UPS Monitoring (Property Description, Example)
General Information
Summary
The UPS monitor feature works with APC UPS units that support "smart" signaling. This feature enables the network administrator to monitor the UPS and set the router to gracefully handle any power outage with no corruption or damage to the router. The basic purpose of this feature is to ensure that the router will come back online after an extended power failure. To do this, the router will monitor the UPS and set itself to hibernate mode when the utility power is down and the UPS battery has less than 10% of its battery power left. The router will then continue to monitor the U
203. chronous interface connected to a leased line with baseband modems and a Cisco router at the other end.
  [admin@MikroTik] ip address> add interface=pvc1 address=1.1.1.1 netmask=255.255.255.0
  [admin@MikroTik] ip address> print
  Flags: X - disabled, I - invalid, D - dynamic
    #   ADDRESS      NETWORK   BROADCAST   INTERFACE
    0   1.1.1.1/24   1.1.1.0   1.1.1.255   pvc1
  [admin@MikroTik] ip address>
PVC and Moxa interface configuration:
  - Moxa
  [admin@MikroTik] interface moxa-c502> print
  Flags: X - disabled, R - running
    0 R name="moxa1" mtu=1500 line-protocol=frame-relay clock-rate=64000 clock-source=external frame-relay-lmi-type=ansi frame-relay-dce=no cisco-hdlc-keepalive-interval=10s
    1 X name="moxa-c502-2" mtu=1500 line-protocol=sync-ppp clock-rate=64000 clock-source=external frame-relay-lmi-type=ansi frame-relay-dce=no cisco-hdlc-keepalive-interval=10s
  [admin@MikroTik] interface moxa-c502>
  - PVC
  [admin@MikroTik] interface pvc> print
  Flags: X - disabled, R - running
    #     NAME   MTU    DLCI   INTERFACE
    0 R   pvc1   1500   42     moxa1
  [admin@MikroTik] interface pvc>
CISCO router setup
  CISCO# show running-config
  Building configuration...
  Current configuration:
  !
  ip subnet-zero
  no ip domain-lookup
  frame-relay switching
  !
  interface Ethernet0
   description connected to EthernetLAN
   ip address 10.0.0.254 255.255.25
204. ck-rate=64000 clock-source=external chdlc-keepalive=10s frame-relay-lmi-type=ansi frame-relay-dce=no
    1   name="farsync2" mtu=1500 line-protocol=sync-ppp media-type=V35 clock-rate=64000 clock-source=external chdlc-keepalive=10s frame-relay-lmi-type=ansi frame-relay-dce=no
  [admin@MikroTik] interface farsync>
You can monitor the status of the synchronous interface:
  [admin@MikroTik] interface farsync> monitor 0
             card-type: T2P: FarSync T-Series
                 state: running
           firmware-id: 2
      firmware-version: 0.7.0
        physical-media: V35
                 cable: detected
                 clock: not detected
         input-signals: CTS
        output-signals: RTS DTR
  [admin@MikroTik] interface farsync>
Troubleshooting
Description
  - The farsync interface does not show up under the interface list. Obtain the required license for the synchronous feature.
  - The synchronous link does not work. Check the cabling and the line between the modems. Read the modem manual.
Synchronous Link Applications
MikroTik router to MikroTik router
Let us consider the following network setup with two MikroTik routers connected to a leased line with baseband modems:
  [diagram: Internet -- MikroTik (interface Public, address 10.1.1.12/24; interface fsync, address not legible) -- Baseband Modem -- Baseband Modem -- MikroTik (interface farsync, address not legible; interface ether, address 10.0.0.254)]
205. connected via an SDSL line using an Xpeed interface to another MikroTik router with an Xpeed 300 SDSL adapter. The SDSL line can be a common patch cable included with the Xpeed 300 SDSL adapter (such a connection is called Back-to-Back). Let's name the first router r1 and the second r2.
Router r1 setup
The following setup is identical to the one in the first example:
  [admin@r1] ip address> add inter=xpeed1 address=1.1.1.1/24
  [admin@r1] ip address> pri
  Flags: X - disabled, I - invalid, D - dynamic
    #   ADDRESS      NETWORK   BROADCAST   INTERFACE
    0   1.1.1.1/24   1.1.1.0   1.1.1.255   xpeed1
  [admin@r1] interface xpeed> print
  Flags: X - disabled
    0   name="xpeed1" mtu=1500 mac-address=00:05:7A:00:00:08 arp=enabled mode=network-termination sdsl-speed=2320 sdsl-invert=no sdsl-swap=no bridged-ethernet=yes dlci=16 lmi-mode=off cr=0
  [admin@r1] interface xpeed>
Router r2 setup
First we need to add a suitable IP address:
  [admin@r2] ip address> add inter=xpeed1 address=1.1.1.2/24
  [admin@r2] ip address> pri
  Flags: X - disabled, I - invalid, D - dynamic
    #   ADDRESS      NETWORK   BROADCAST   INTERFACE
    0   1.1.1.2/24   1.1.1.0   1.1.1.255   xpeed1
Then some changes in the xpeed interface configuration should be made:
  [admin@r2] interface xpeed> print
  Flags: X - disabled
    0   name="xpeed1" mtu=1500 mac-address=00:05:7A:00:00:08 arp=enabled mode=network-termination sdsl-speed=2320 sdsl-invert=no sdsl-swap=no bridged-ethernet=yes dlci=16 lmi-mode=
206. crypt policy with level=require that does not have all necessary SAs
in-decrypted (read-only: integer) - shows how many incoming packets were successfully decrypted
in-drop-encrypted-expected (read-only: integer) - shows how many incoming packets were matched by an encrypt policy and dropped because they were not encrypted. A non-zero value here is worth alerting on: cleartext arrived for a flow the policy requires to be encrypted, which is either a misconfigured peer or an attempt to inject plain packets into the protected path.
Example
To view current statistics:
  [admin@WiFi] ip ipsec> counters print
                    out-accept: 6
             out-accept-isakmp: 0
                      out-drop: 0
                   out-encrypt: 7
                     in-accept: 12
              in-accept-isakmp: 0
                       in-drop: 0
                  in-decrypted: 7
    in-drop-encrypted-expected: 0
  [admin@WiFi] ip ipsec>

General Information
MikroTik Router to MikroTik Router
  - transport mode example using ESP with automatic keying
  - for Router1
  [admin@Router1] > ip ipsec policy add sa-src=1.0.0.1 sa-dst=1.0.0.2 action=encrypt
  [admin@Router1] > ip ipsec peer add address=1.0.0.2 secret="gvejimezyfopmekun"
  - for Router2
  [admin@Router2] > ip ipsec policy add sa-src=1.0.0.2 sa-dst=1.0.0.1 \
      action=encrypt
  [admin@Router2] > ip ipsec peer add address=1.0.0.1 \
      secret="gvejimezyfopmekun"
  - transport mode example using ESP with automatic keying and automatic policy generating on Router 1 and static policy on Router 2
  - for Router1
  [admin@Router1] > ip ipsec peer add address=1.0.0.0/24 secret="gvejimezyfopmekun" generate-policy=yes
Note that a peer entry covering a whole /24 with generate-policy=yes lets any host in that range that knows the shared secret bring up an SA and have a policy generated for it; use it only where every host in the range is trusted.
  - for Router2
  [admin@Router2] > ip ipsec pol
207. cs for throughput are calculated using the entire size of the TCP packet. As acknowledgments are an internal working of TCP, their size and usage of the link are not included in the throughput statistics. Therefore this statistic is not as reliable as the UDP statistic when estimating throughput.
The UDP tester sends 110% or more packets than currently reported as received on the other side of the link. To see the maximum throughput of a link, the packet size should be set to the maximum MTU allowed by the links, usually this is 1500 bytes. There is no acknowledgment required by UDP; this implementation means that the closest approximation of the throughput can be seen.
Usage Notes
Caution! Bandwidth Test uses all available bandwidth (by default) and may impact network usability. Because a client can saturate the link on demand, do not leave the bandwidth server enabled toward untrusted networks; it is an easy denial-of-service tool.
Bandwidth Test uses many resources. If you want to test the real throughput of a router, you should run the bandwidth test through it, not from or to it. To do this you need at least 3 routers connected in a chain: the Bandwidth Server, the given router and the Bandwidth Client.
  [diagram: Bandwidth Server -- The router you are testing -- Bandwidth Client]
Note that if you use the UDP protocol then Bandwidth Test counts IP header + UDP header + UDP data. In case you use TCP then Bandwidth Test counts only TCP data (TCP header and IP header are not included).
Server Configuration
Home menu level: /tool bandwidth-server
Property Description
enable (yes | no; default:
208. ction=encrypt tunnel=yes \
      sa-src-address=1.0.0.1 sa-dst-address=1.0.0.2
  [admin@Router1] > ip ipsec peer add address=1.0.0.2 \
      exchange-mode=aggressive secret="gvejimezyfopmekun"
  - for Router2
  [admin@Router2] > ip ipsec policy add src-address=10.2.0.0/24 \
      dst-address=10.1.0.0/24 action=encrypt tunnel=yes \
      sa-src-address=1.0.0.2 sa-dst-address=1.0.0.1
  [admin@Router2] > ip ipsec peer add address=1.0.0.1 \
      exchange-mode=aggressive secret="gvejimezyfopmekun"
Note that aggressive mode with a pre-shared secret sends the identity in the clear and lets a passive observer capture material for an offline dictionary attack on the secret; prefer main mode (the default) and a long random secret unless the other side cannot do otherwise.

MikroTik router to CISCO Router
We will configure IPsec in tunnel mode in order to protect traffic between attached subnets.
1. Add a peer with phase1 configuration parameters. DES will be used to protect IKE traffic; the hash algorithm is left at the RouterOS peer default, and the Cisco ISAKMP policy below sets hash md5 so that the two phase1 proposals match. (Single DES and MD5 are both obsolete; they are kept here only because the example is about matching the two sides. For a new deployment pick the strongest algorithms both ends support.)
  - for MikroTik router
  [admin@MikroTik] > ip ipsec peer add address=10.0.1.2 secret="gvejimezyfopmekun" enc-algorithm=des
  - for CISCO router
  ! Configure ISAKMP policy (phase1 config, must match the configuration of /ip ipsec peer on RouterOS).
  ! Note that DES is the default encryption algorithm on Cisco and SHA1 is the default authentication algorithm; hash is set to md5 explicitly here.
  crypto isakmp policy 9
   encryption des
   group 2
   hash md5
   exit
  ! Add the preshared key to be used when talking to RouterOS (it must be the same string as the RouterOS secret)
  crypto isakmp key mykey address 10.0.1.1 255.255.255.255
2. Set the encryption proposal (phase2 proposal settings that will be used to encrypt actual data) to use DES to encrypt data
  - for MikroTik router
  [admin@MikroTik] >
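The IPsec counters described earlier (206.) and the Router1/Router2 policy and peer examples (206. and 208.) describe the same mechanism from two sides: a policy selects traffic, a peer with a matching secret supplies the SA, and the counters record what happened to each packet. The model below is an added example, not RouterOS code, that wires the tunnel-mode configuration from the example above into that counter logic so the effect of a missing SA or a mismatched pre-shared secret can be seen without two routers. Assumptions not taken from the manual: level=require is modelled as "an encrypt policy with no negotiated SA drops the packet", a clear packet arriving for an encrypt policy is dropped, and IKE is reduced to "both sides hold the same pre-shared secret for each other". Router addresses and the secret are the manual's; the LAN hosts 10.1.0.5 and 10.2.0.7 and the Internet address 198.51.100.1 are made up.

```python
"""Model of RouterOS IPsec policies, peers and counters (added example, not
RouterOS code). Assumes level=require semantics: no SA -> drop, and clear
packets for an encrypt policy -> drop. IKE is reduced to a secret comparison."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
import ipaddress

COUNTERS = ("out-accept", "out-drop", "out-encrypt", "in-accept", "in-drop",
            "in-decrypted", "in-drop-encrypted-expected")


@dataclass(frozen=True)
class Policy:
    src_address: str
    dst_address: str
    action: str = "encrypt"            # "encrypt" or "none"
    tunnel: bool = False
    sa_src: Optional[str] = None
    sa_dst: Optional[str] = None

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src_address)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_address))


class IpsecRouter:
    def __init__(self, address: str) -> None:
        self.address = address
        self.policies: List[Policy] = []
        self.peers: Dict[str, str] = {}           # peer address -> pre-shared secret
        self.sas: Set[Tuple[str, str]] = set()    # (sa_src, sa_dst) pairs with keys
        self.counters: Dict[str, int] = {c: 0 for c in COUNTERS}

    def lookup(self, src: str, dst: str, inbound: bool = False) -> Optional[Policy]:
        """First matching policy; inbound packets are matched mirrored, since
        one RouterOS policy covers both directions."""
        if inbound:
            src, dst = dst, src
        return next((p for p in self.policies if p.matches(src, dst)), None)

    def negotiate(self, other: "IpsecRouter") -> bool:
        """IKE stand-in: succeeds only if the pre-shared secrets match; then the
        SA pair of every encrypt policy between the two is installed on both."""
        mine, theirs = self.peers.get(other.address), other.peers.get(self.address)
        if mine is None or mine != theirs:
            return False
        for p in self.policies + other.policies:
            if p.action == "encrypt" and {p.sa_src, p.sa_dst} == {self.address, other.address}:
                for r in (self, other):
                    r.sas.update({(p.sa_src, p.sa_dst), (p.sa_dst, p.sa_src)})
        return True

    def send(self, src: str, dst: str) -> Tuple[str, Optional[str]]:
        """Outbound packet -> ('clear' | 'esp' | 'drop', outer destination)."""
        p = self.lookup(src, dst)
        if p is None or p.action != "encrypt":
            self.counters["out-accept"] += 1
            return "clear", dst
        if (p.sa_src, p.sa_dst) not in self.sas:
            self.counters["out-drop"] += 1        # require: never fall back to clear
            return "drop", None
        self.counters["out-encrypt"] += 1
        return "esp", (p.sa_dst if p.tunnel else dst)

    def receive(self, src: str, dst: str, encrypted: bool) -> str:
        p = self.lookup(src, dst, inbound=True)
        wants_esp = p is not None and p.action == "encrypt"
        if encrypted:
            if wants_esp and (p.sa_dst, p.sa_src) in self.sas:
                self.counters["in-decrypted"] += 1
                return "decrypted"
            self.counters["in-drop"] += 1         # no SA to decrypt with
            return "drop"
        if wants_esp:
            self.counters["in-drop-encrypted-expected"] += 1   # cleartext where ESP is required
            return "drop-encrypted-expected"
        self.counters["in-accept"] += 1
        return "accept"


def scenario(secret_r1: str, secret_r2: str) -> dict:
    """The tunnel-mode setup from the manual, then a few packets through it."""
    r1, r2 = IpsecRouter("1.0.0.1"), IpsecRouter("1.0.0.2")
    r1.policies.append(Policy("10.1.0.0/24", "10.2.0.0/24", tunnel=True, sa_src="1.0.0.1", sa_dst="1.0.0.2"))
    r2.policies.append(Policy("10.2.0.0/24", "10.1.0.0/24", tunnel=True, sa_src="1.0.0.2", sa_dst="1.0.0.1"))
    r1.peers["1.0.0.2"], r2.peers["1.0.0.1"] = secret_r1, secret_r2
    out = {"before": r1.send("10.1.0.5", "10.2.0.7")}          # no SA yet
    out["ike"] = r1.negotiate(r2)
    out["after"] = r1.send("10.1.0.5", "10.2.0.7")
    out["internet"] = r1.send("10.1.0.5", "198.51.100.1")       # no policy matches
    out["esp_in"] = r2.receive("10.1.0.5", "10.2.0.7", encrypted=True)
    out["clear_in"] = r2.receive("10.1.0.5", "10.2.0.7", encrypted=False)   # injected plaintext
    out["r1"], out["r2"] = r1.counters, r2.counters
    return out


if __name__ == "__main__":
    for k, v in scenario("gvejimezyfopmekun", "gvejimezyfopmekun").items():
        print(f"{k:10s} {v}")
```

Two things the run makes visible that the listings alone do not: with level=require the first LAN packet before IKE completes is dropped (out-drop) rather than sent in the clear, and a cleartext packet that claims the protected inner addresses is refused on the receiving side (in-drop-encrypted-expected), which is the counter to watch. Calling scenario with two different secrets shows phase 1 failing and every protected packet staying dropped.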
209. d Out Signal Level
rx-sensitivity (long-haul | short-haul; default: short-haul) - for T1/E1 channels only
Numbers of active channels (up to 32 for E1 and up to 24 for T1)
chdlc-keepalive (time; default: 10s) - Cisco HDLC keepalive interval in seconds
frame-relay-dce (yes | no; default: no) - specifies whether the device operates in Data Communication Equipment mode. The value yes is suitable only for T1 models
frame-relay-lmi-type (ansi | ccitt; default: ansi) - Frame Relay Line Management Interface Protocol type
Troubleshooting
Description
  - The cyclades interface does not show up under the interfaces list. Obtain the required license for the synchronous feature.
  - The synchronous link does not work. Check the V.35 cabling and the line between the modems. Read the modem manual.
RSV V.35 Synchronous Link Applications
Example
Let us consider the following network setup with a MikroTik Router connected to a leased line with baseband modems and a CISCO router at the other end:
  [diagram: Internet -- CISCO (interface Ethernet, address 10.1.1.12/24; interface Serial, address 1.1.1.2/32) -- Baseband Modem -- Baseband Modem -- MikroTik (interface cyclades, address 1.1.1.1/32; interface ether2, address 10.0.0.254/24; interface ether, address 192.168.0.254/24) -- LAN 10.0.0.0/24 and LAN 192.168.0.0/24]
The driver for the Cyclades PC300 RSV Synchronous PCI Adapter should load automatically. The interface sh
210. d an acceptable irq setting and then try different i/o base addresses. If you need to specify hexadecimal values instead of decimal for the argument values, put 0x before the number. To see the list of available drivers, issue the /driver add name=? command. The resource list shows only those interfaces which are enabled. Typical io values for ISA cards are 0x280, 0x300 and 0x320.
Example
To view the list of available drivers, do the following:
  [admin@MikroTik] driver> add name=?
  3c509  c101  lance  ne2k-isa  pc-isa
  [admin@MikroTik] driver> add name=
To see the system resources occupied by the devices, use the /system resource io print and /system resource irq print commands:
  [admin@MikroTik] system resource> io print
  PORT-RANGE      OWNER
  0x20-0x3F       APIC
  0x40-0x5F       timer
  0x60-0x6F       keyboard
  0x80-0x8F       DMA
  0xA0-0xBF       APIC
  0xC0-0xDF       DMA
  0xF0-0xFF       FPU
  0x100-0x13F     prism2_cs
  0x180-0x1BF     orinoco_cs
  0x1F0-0x1F7     IDE 1
  0x3D4-0x3D5
  0x3F6-0x3F6
  0x3F8-0x3FF
  0xCF8-0xCFF
  0x1000-0x10FF
  0x1000-0x10FF
  0x1400-0x14FF
  0x1400-0x14FF
  0x1800-0x18FF
  0x1C00-0x1C3F
  0x1C40-0x1C7F
  0x1C80-0x1CBF
  0x1CC0-0x1CCF
  0x4000-0x40FF
  0x4400-0x44FF
  0x4800-0x48FF
  0x4C00-0x4CFF
  (owner column for the remaining ranges not legible on the page)
  [admin@MikroTik] system resource> irq print
  Flags: U - unused
    IRQ   OWNER
    1     keyboard
    2     APIC
  U 3
    4     serial port
  U 5
  U 6
  U 7
  U 8
    9     ether1
    10    ether2
    11    Texas
    11    Texas
    11    prism2_cs
    11    orinoco_cs
    12    usb-ohci
  U 13
    14    IDE 1
  [admin@MikroTik]
211. d build info
    6   5s   ether1
    7   5s   prism1
  [admin@MikroTik] system lcd page>
To set the System date and time page to be displayed for 10 seconds:
  [admin@MikroTik] system lcd page> set 0 display-time=10s
  [admin@MikroTik] system lcd page> print
  Flags: X - disabled
    #   DISPLAY-TIME   DESCRIPTION
    0   10s            System date and time
    1   5s             System resources: cpu and memory load
    2   5s             System uptime
    3   5s             Aggregate traffic in packets/sec
    4   5s             Aggregate traffic in bits/sec
    5   5s             Software version and build info
    6   5s             ether1
    7   5s             prism1
  [admin@MikroTik] system lcd page>
LCD Troubleshooting
Description
  - LCD doesn't work, cannot be enabled by the /system lcd set enabled=yes command. Probably the selected serial port is used by a PPP client or server, or by the serial console. Check the availability and use of the ports by examining the output of the /port print command. Alternatively, select another port for connecting the LCD, or free up the desired port by disabling the related resource.
  - LCD doesn't work, does not show any information. Probably none of the information display items have been enabled. Use the /system lcd page set command to enable the display.

Support Output File
Document revision 2.1.0 (24-Dec-2003)
This document applies to MikroTik RouterOS V2.8
Table of Contents: Summary; Specifications; Generating Support Output File; Example
General Information
Su
212. d by the built-in NTP server, which can use it as a time source without any additional configuration if GPS is configured to set the system time.
Additional Documents
  - Global Positioning System - How it Works
Synchronizing with a GPS Receiver
Home menu level: /system gps
Property Description
enabled (yes | no) - whether the router will communicate with a GPS receiver or not
port (name) - the port that will be used to communicate with a GPS receiver
set-system-time (yes | no) - whether to set the system time to the value received from a GPS receiver or not
Notes
If you are synchronizing system time with a GPS device, you should correctly choose the time zone if it is different from GMT, as satellites are broadcasting GMT (a.k.a. UTC) time.
Example
To enable GPS communication through the serial0 port:
  [admin@MikroTik] system gps> print
            enabled: no
               port: unknown
    set-system-time: yes
  [admin@MikroTik] system gps> set enabled=yes port=serial0
  [admin@MikroTik] system gps> print
            enabled: yes
               port: serial0
    set-system-time: yes
  [admin@MikroTik] system gps>
GPS Monitoring
Home menu level: /system gps monitor
Description
This command is used for monitoring the data received from a GPS receiver.
Property Description
date-and-time (read-only: text) - date and time received from the GPS server
longitude (read-only: text) - longitude of the current location
latitude (read-only: text) - latitude
213. d hotspot clients
7. Pass all through-going traffic to the hotspot chain:
  /ip firewall rule forward add action=jump jump-target=hotspot comment="account traffic for authorized hotspot clients"
Note that in order to use SSL authentication you should install an SSL certificate. This topic is not covered by this manual section. Please see the respective manual section on how to install certificates in MikroTik RouterOS.
As we see from the example, only the hotspot interface is used; we don't care what IP addresses are there. It is possible to add hotspot authentication for one more interface (prism2) by adding only 4 additional firewall rules:
  - Set up dst-nat to redirect unauthorized clients to the hotspot service
  /ip firewall dst-nat add in-interface=prism2 flow=hs-auth protocol=tcp dst-port=443 action=redirect to-dst-port=443 comment="redirect unauthorized prism2 clients to hotspot service"
  /ip firewall dst-nat add in-interface=prism2 flow=hs-auth protocol=tcp action=redirect to-dst-port=80 comment="redirect unauthorized prism2 clients to hotspot service"
  - Limit access for unauthorized prism2 interface clients
  /ip firewall rule forward add in-interface=prism2 action=jump jump-target=hotspot-temp comment="limit access for unauthorized prism2 clients"
  /ip firewall rule input add in-interface=prism2 action=jump jump-target=hotspot-temp comment="limit access for unauthorized prism2 clients"
Optional Settings
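The two fragments of the step-by-step guide (194. and 213.) build one rule set: the input chain accepts the servlet ports and DHCP, everything else from the LAN is sent through the hotspot-temp chain, forwarded traffic first visits the hotspot chain (where logged-in clients are accepted) and then hotspot-temp, and a dst-nat step redirects web requests of clients that are not yet authorized to the servlet. The evaluator below is an added example, not RouterOS or MikroTik code, that walks those chains in the same order so the fate of a packet from an unauthorized or an authorized client can be checked offline before the rules go on a router. Assumptions not taken from the manual: the dynamic accept rules the HotSpot adds to the hotspot chain for logged-in clients are modelled by a per-packet authorized flag, the hs-auth flow mark on the dst-nat rules is modelled as "client not yet authorized", and a chain that falls through ends in the default policy, accept. The client and destination addresses are made up.

```python
"""Ordered-chain evaluator for the HotSpot firewall skeleton (added example,
not RouterOS code). The `authorized` flag stands in for the HotSpot's dynamic
rules; chains that fall through end in the default policy (accept)."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: int = 0
    in_iface: str = "ether1"
    authorized: bool = False      # stand-in for the dynamic HotSpot rules


@dataclass
class Rule:
    action: str                           # accept | reject | jump | return
    src_net: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    in_iface: Optional[str] = None
    authorized: Optional[bool] = None
    jump_target: Optional[str] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if self.src_net and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        if self.authorized is not None and p.authorized != self.authorized:
            return False
        return True


class Firewall:
    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {}

    def add(self, chain: str, **kw) -> None:
        self.chains.setdefault(chain, []).append(Rule(**kw))

    def run(self, chain: str, p: Packet) -> Optional[str]:
        """Walk one chain in order; None means the chain fell through."""
        for r in self.chains.get(chain, []):
            if not r.matches(p):
                continue
            if r.action == "jump":
                verdict = self.run(r.jump_target, p)
                if verdict is not None:
                    return verdict
                continue              # target chain returned: keep walking
            if r.action == "return":
                return None
            return r.action
        return None

    def verdict(self, chain: str, p: Packet) -> str:
        return self.run(chain, p) or "accept (default policy)"


def build_hotspot_firewall(lan: str = "192.168.0.0/24") -> Firewall:
    """Rule order from the guide: servlet and DHCP reachable on the router,
    everything else from the LAN goes through hotspot-temp."""
    fw = Firewall()
    fw.add("input", action="accept", src_net=lan, proto="tcp", dport=80, comment="hotspot servlet")
    fw.add("input", action="accept", src_net=lan, proto="tcp", dport=443, comment="hotspot servlet")
    fw.add("input", action="accept", src_net=lan, proto="udp", dport=67, comment="local DHCP server")
    fw.add("input", action="jump", src_net=lan, jump_target="hotspot-temp")
    fw.add("hotspot-temp", action="return", proto="icmp", comment="allow ping requests")
    fw.add("hotspot-temp", action="return", proto="udp", dport=53, comment="allow dns requests")
    fw.add("hotspot-temp", action="reject", comment="reject unauthorized hotspot clients")
    fw.add("forward", action="jump", jump_target="hotspot")
    fw.add("hotspot", action="accept", authorized=True, comment="dynamic rule stand-in")
    fw.add("forward", action="jump", jump_target="hotspot-temp")
    return fw


def redirect_target(p: Packet) -> Optional[int]:
    """dst-nat step: web traffic of a not-yet-authorized client goes to the servlet."""
    if not p.authorized and p.proto == "tcp" and p.dport in (80, 443):
        return p.dport
    return None


def handle(fw: Firewall, p: Packet, to_router: bool) -> str:
    port = redirect_target(p)
    if port is not None and not to_router:
        return f"redirect to hotspot servlet port {port}"
    return fw.verdict("input" if to_router else "forward", p)


if __name__ == "__main__":
    fw = build_hotspot_firewall()
    for label, p, to_router in [
        ("unauthorized web", Packet("192.168.0.10", "203.0.113.9", "tcp", 80), False),
        ("unauthorized ssh", Packet("192.168.0.10", "203.0.113.9", "tcp", 22), False),
        ("unauthorized dns, any server", Packet("192.168.0.10", "203.0.113.9", "udp", 53), False),
        ("authorized ssh", Packet("192.168.0.10", "203.0.113.9", "tcp", 22, authorized=True), False),
    ]:
        print(f"{label:30s} -> {handle(fw, p, to_router)}")
```

Running it shows the property worth knowing before deploying the guide as written: the two return rules in hotspot-temp let an unauthorized client send ICMP and UDP/53 to any destination, which is exactly what DNS-based tunnelling and ping-based covert channels through a captive portal rely on; restricting those rules to the hotspot's own DNS server address is the usual tightening. The model also makes plain that the guide's chains only constrain src-address 192.168.0.0/24 (or the named in-interface), so packets from any other source fall through to the default accept.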
214. d it acts for that menu level and all menu levels below it. If the argument from is used, then it is possible to export only the specified items. In this case export does not descend recursively through the command hierarchy. export also has the argument file, which allows you to save the script in a file on the router to retrieve it later via ftp. An export file is a plain-text script and may contain secrets (hotspot user passwords, IPsec pre-shared secrets), and plain FTP carries it unencrypted; handle it as sensitive and remove it from the router when done.
The root level command /import file_name restores the exported information from the specified file. This is used to restore the configuration or part of it after a system reset event or anything that causes configuration data loss.
Note that it is impossible to import the whole router configuration using this feature. It can only be used to import a part of the configuration (for example, firewall rules) in order to spare you some typing.
For backing up the configuration to a binary file and restoring it without alterations, please refer to the configuration backup and restore section of the MikroTik RouterOS Manual.
The Export Command
Command name: export
Example
  [admin@MikroTik] > ip address print
  Flags: X - disabled, I - invalid, D - dynamic
    #   ADDRESS         NETWORK    BROADCAST    INTERFACE
    0   10.1.0.172/24   10.1.0.0   10.1.0.255   bridge1
    1   10.5.1.1/24     10.5.1.0   10.5.1.255   ether1
  [admin@MikroTik] >
To make an export file:
  [admin@MikroTik] ip address> export file=address
  [admin@MikroTik] ip address>
To make an export file for only one item:
  [admin@MikroT
215. d receive FTP data and control messages:
  [admin@MikroTik] ip firewall mangle> add src-address=192.168.0.17/32:20-21 protocol=tcp mark-flow=Server_Up in-interface=Local
  [admin@MikroTik] ip firewall mangle> print
  Flags: X - disabled, I - invalid, D - dynamic
    0   src-address=192.168.0.17/32:20-21 in-interface=Local protocol=tcp action=accept mark-flow=Server_Up
  [admin@MikroTik] ip firewall mangle>
The second mangle rule will match the rest of the traffic from the network:
  [admin@MikroTik] ip firewall mangle> add src-address=0.0.0.0/0 mark-flow=Local_Up in-interface=Local
  [admin@MikroTik] ip firewall mangle> print
  Flags: X - disabled, I - invalid, D - dynamic
    0   src-address=192.168.0.17/32:20-21 in-interface=Local protocol=tcp action=accept mark-flow=Server_Up
    1   in-interface=Local action=accept mark-flow=Local_Up
  [admin@MikroTik] ip firewall mangle>
Finally, shaping the traffic:
  [admin@MikroTik] queue tree> add name=Server_Up parent=Up limit-at=32768 flow=Server_Up max-limit=65536 priority=7
  [admin@MikroTik] queue tree> add name=Local_Up parent=Up limit-at=0 flow=Local_Up
  [admin@MikroTik] queue tree> print
  Flags: X - disabled, I - invalid, D - dynamic
    0   name="Up" parent=Public flow="" limit-at=0 queue=default priority=8 max-limit=65536 burst-limit=0 burst-threshold=0 burst-time=0
    1   name="Server_Up" parent=Up flow=Server_Up limit-at=32768 queue=default
216. d to connect is your router public: check whether the router has a default route and is able to reach the key server
  - Connection failed: the connection has timed out
  - Bad response from server: try again
  - ERROR: You must enable this feature in account server (change user information section): you should enable the "Allow to use my account in netinstall" feature on the account server, in the change user information section
  - ERROR: Incorrect username or password: self-explanatory
  - ERROR: Someone has already converted this key: the requested software ID has already been converted to the 2.8 version
  - ERROR: Key for specified software ID is expired. You can purchase a new key at the www.mikrotik.com website: you may not update an expired key to version 2.8, you must purchase a new one
  - ERROR: You are not allowed to use this service: please contact sales@mikrotik.com for further assistance
  - Key upgraded successfully: the upgrade procedure has been completed successfully

Telnet Server and Client
Document revision 2.0 (24-Dec-2003)
This document applies to MikroTik RouterOS V2.8
Table of Contents: Summary; Specifications; Related Documents; Telnet Server (Description, Example); Telnet Client (Description, Example)
General Information
Summary
MikroTik RouterOS has built-in Telnet server and client features. These two are used to communicate with other systems over a network. Telnet carries usernames, passwords and the whole session in clear text, so it belongs only on trusted networks; prefer an encrypted protocol such as SSH for administration across anything else.
Specificat
217. dcastPkts ifMIB ifMIBObjects ifXTable ifXEntry ifHighSpeed RFC2790 host hrStorage hrStorageTable hrStorageEntry hrStorageAllocationFailures Tools for SNMP Data Collection and Analysis Description MRTG Multi Router Traffic Grapher is the most commonly used SNMP monitor For further information see this link http people ee ethz ch oetiker webtools mrtg Example of using MRTG with MikroTik SNMP Here is an example configuration file for MRTG to monitor network card traffic on MikroTik RouterOS This file was created with MRTG v2 9 17 cfgmaker on a Linux computer This is only an example file MRTG Sample Configuration For more information read the MRTG documentation Configuration Reference MAC Telnet Server and Client Document revision 2 0 24 Dec 2003 This document applies to MikroTik RouterOS V2.8 Table of Contents Table of Contents Summary Specifications Related Documents MAC Telnet Server Property Description Notes Example Monitoring Active Session List Property Description MAC Telnet Client Example General Information Summary MAC telnet is used to provide access to a router that has no IP address set It works just like IP telnet MAC telnet is possible between two MikroTik RouterOS routers only Specifications Packages required system License required Any Home menu level tool tool mac server Protocols utilized MAC Telnet Hardware us
218. ddress is the remote WDS host's wireless interface MAC address to which we will connect admin Home interface wireless wds > add wds address 00:01:24:70:3B:AE master interface wlan1 disabled no admin Home interface wireless wds > print Flags X disabled R running D dynamic 0 name wds1 mtu 1500 mac address 00:01:24:70:3A:83 arp enabled disable running check no master interface wlan1 wds address 00:01:24:70:3B:AE admin Home interface wireless wds > Add the IP address to the WDS interface admin Home ip address > add address 192.168.25.2/24 interface wds1 admin Home ip address > print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 192.168.25.2/24 192.168.25.0 192.168.25.255 wds1 admin Home ip address > Router Neighbour configuration At first we should configure the wireless interface for router Neighbour admin Neighbour interface wireless > set wlan1 mode ap bridge ssid wds test wds mode static disabled no admin Neighbour interface wireless > print Flags X disabled R running 0 R name wlan1 mtu 1500 mac address 00:01:24:70:3B:AE arp enabled disable running check no interface type Atheros AR5211 mode ap bridge ssid wds test frequency 5120 band 5GHz scan list default ism supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps b
219. de to register at the AP's interface wlanN by setting authentication yes for it Thus only the specified nodes will be able to register to the interface wlanN Example To allow authentication and forwarding for the client 00:01:24:70:3A:BB from the wlan interface using WEP 40bit algorithm with the key 1234567890 admin MikroTik interface wireless access list > add mac address 00:01:24:70:3A:BB interface wlan1 private algo 40bit wep private key 1234567890 admin MikroTik interface wireless access list > print Flags X disabled 0 mac address 00:01:24:70:3A:BB interface wlan1 authentication yes forwarding yes skip 802 1x yes private algo 40bit wep private key 1234567890 admin MikroTik interface wireless access list > Info Home menu level interface wireless info Description This facility provides you with general wireless interface information Property Description interface type read only text shows the hardware interface type alignment mode read only yes no is the alignment only mode supported or not virtual aps read only yes no does this interface support Virtual Access Points or not noise floor control read only yes no does this interface support noise floor threshold detection firmware read only text current firmware of the interface used only for Prism chipset based cards tx power control read only yes no provides
220. default local address 10.150.1.254 remote address 10.150.1.2 routes admin RemoteOffice ppp secret > Then the user should be added in the PPTP server list admin RemoteOffice interface pptp server > add name FromLaptop user ex admin RemoteOffice interface pptp server > print Flags X disabled D dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME ENC 0 FromLaptop ex admin RemoteOffice interface pptp server > And the server must be enabled admin RemoteOffice interface pptp server server > set enabled yes admin RemoteOffice interface pptp server server > print enabled yes mtu 1460 mru 1460 authentication mschap2 default profile default admin RemoteOffice interface pptp server server > Finally proxy ARP must be enabled on the Office interface admin RemoteOffice interface ethernet > set Office arp proxy arp admin RemoteOffice interface ethernet > print Flags X disabled R running NAME MTU MAC ADDRESS ARP 0 R ToInternet 1500 00:30:4F:0B:7B:C1 enabled 1 R Office 1500 00:30:4F:06:62:12 proxy arp admin RemoteOffice interface ethernet > PPTP Setup for Windows Microsoft provides PPTP client support for Windows NT 2000 ME 98SE and 98 Windows 98SE 2000 and ME include support in the Windows setup or automatically install PPTP For 95 NT and 98 installation requires a
221. diaTable ipNetToMediaEntry ipNetToMediaPhysAddress ip ipNetToMediaTable ipNetToMediaEntry ipNetToMediaNetAddress ip ipNetToMediaTable ipNetToMediaEntry ipNetToMediaType RFC2096 ip ipForward ipCidrRouteNumber ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteDest ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteMask ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteTos ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteNextHop ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteIfIndex ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteType ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteProto ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteAge ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteInfo ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteNextHopAS ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteMetric ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteMetric2 ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteMetric3 ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteMetric4 ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteMetric5 ip ipForward ipCidrRouteTable ipCidrRouteEntry ipCidrRouteStatus Note that obsolete ip ipRouteTable is also supported RFC1213 system sysDescr system sysObjectID system sysUpTime system sysContact system sysName system sysLocation system sysServices RFC2790 ho
222. dlci 42 l end Send ping to MikroTik router CISCO ping 1.1.1.1 Type escape sequence to abort Sending 5 100 byte ICMP Echos to 1.1.1.1 timeout is 2 seconds Success rate is 100 percent 5/5 round trip min avg max 28 31 32 ms CISCO Troubleshooting Description - I tried to connect two routers as shown in MT to MT but nothing happens The link indicators on both cards must be on If they are not check the cable or interface configuration One adapter should use LT mode and the other NT mode You can also change sdsl swap and sdsl invert parameters on the router running LT mode if you have a very long line Arlan 655 2.4GHz 2Mbps Wireless Interface Document revision 1 1 08 09 2003 This document applies to MikroTik RouterOS V2.8 Table of Contents Table of Contents General Information Summary Specifications Related Documents Additional Documents Installation Example Wireless Interface Configuration Description Property Description Example Troubleshooting Description General Information Summary The MikroTik RouterOS supports Arlan 655 Wireless Interface client cards This card fits in the ISA expansion slot and provides transparent wireless communications to other network nodes Specifications Packages required arlan Home menu level interface arlan Hardware usage Not significant Related Documents Software Package Installation and Upgrading D
223. download from Microsoft Many ISPs have made help pages to assist clients with Windows PPTP installation http www real time com Customer Support PPTP Config config html http www microsoft com windows95 downloads contents WUAdminTools S_WUNetworkingTools W95 Wi Sample instructions for PPTP VPN installation and client setup Windows 98SE If the VPN PPTP support is installed select Dial up Networking and Create a new connection The option to create a VPN should be selected If there are no VPN options then follow the installation instructions below When asked for the Host name or IP address of the VPN server type the IP address of the router Double click on the new icon and type the correct user name and password which must also be in the user database on the router or RADIUS server used for authentication The setup of the connection takes nine seconds after selecting the connect button It is suggested that the connection properties be edited so that NetBEUI IPX SPX compatible and Log on to network are unselected The setup time for the connection will then be two seconds after the connect button is selected To install the Virtual Private Networking support for Windows 98SE go to the Settings menu from the main Start menu Select Control Panel select Add Remove Programs select the Windows setup tab select the Communications software for installation and Details Go to t
224. dress MAC address MAC address arp Address Resolution Protocol setting max station count integer 1 2007 default 2007 maximal number of clients allowed interface type read only text adapter type and model antenna mode ant a ant b rxa txb txa rxb default ant a which antenna to use to transmit and receive data - ant a use only antenna a - ant b use only antenna b - rxa txb use antenna a for receiving packets use antenna b for transmitting packets - txa rxb use antenna a for transmitting packets antenna b for receiving packets mode ap bridge bridge station alignment only default station operating mode - ap bridge the interface is operating as an Access Point - bridge the interface is operating as a bridge - station the interface is operating as a client - alignment only this mode is used for positioning antennas to get the best direction ssid text default MikroTik Service Set Identifier Used to separate wireless networks hide ssid yes no default no whether to hide ssid or not in the beacon frames - yes ssid is not included in the beacon frames AP replies only to probe requests with the given ssid - no ssid is included in beacon frames AP replies to probe requests with the given ssid and to broadcast ssid empty ssid disable running check yes no default no disable running check For broken cards it is a good idea to set this value to yes frequ
225. dress 10.0.0.148 proposal default manual sa none dont fragment clear AA admin WiFi ip ipsec policy > To view the policy statistics do the following admin WiFi ip ipsec policy > print stats Flags X disabled D dynamic I invalid 0 src address 10.0.0.147/32 any dst address 10.0.0.148/32 any protocol all ph2 state no phase2 in accepted 0 in dropped 0 out accepted 0 out dropped 0 encrypted 0 not encrypted 0 decrypted 0 not decrypted 0 admin WiFi ip ipsec policy > Peers Home menu level ip ipsec peer Description Peer configuration settings are used to establish connections between IKE daemons phase 1 configuration This connection then will be used to negotiate keys and algorithms for SAs Property Description address IP address mask port default 0.0.0.0/32:500 address prefix If remote peer's address matches this prefix then this peer configuration is used while authenticating and establishing phase 1 If several peers' addresses match several configuration entries the most specific one i e the one with the largest netmask will be used secret text default secret string If it starts with 0x it is parsed as a hexadecimal value generate policy yes no default no allow this peer to establish SA for non existing policies Such policies are created dynamically for the lifetime of SA This way it is possible for example to create IPsec secured L2TP
226. dress 192.168.11.2/30 interface aironet X I ssid1 b_link mode ad hoc address 192.168.11.1/30 interface Local address 192.168.0.254/24 [Figure: wireless router on wireless network 192.168.11.0/30 and local network 192.168.0.0/24 with workstations 192.168.0.1 and 192.168.0.2] To establish a point to point link the configuration of the wireless interface should be as follows - A unique Service Set Identifier should be chosen for both ends say mt - A channel frequency should be selected for the link say 2412MHz - The operation mode should be set to ad hoc - One of the units slave should have wireless interface property join net set to 0s never create a network the other unit master should be set to 1s or whatever say 10s This will enable the master unit to create a network and register the slave unit to it The following command should be issued to change the settings for the pc interface of the master unit admin MikroTik interface pc > set 0 mode ad hoc ssid1 mt frequency 2442MHz bitrate auto admin MikroTik interface pc > For 10 seconds this is set by the property join net the wireless card will look for a network to join The status of the card is not synchronized and the green status light is blinking fast If the card cannot find a network it creates its own network The status of the card becomes synchronized and the green status led becomes solid
227. dress 192.168.0.4 to dst port 0-65535 admin MikroTik ip firewall dst nat > Universal Plug and Play UPnP Document revision 2 0 12 Feb 2004 This document applies to MikroTik RouterOS V2.8 Table of Contents Table of Contents Summary Specifications Description Additional Documents Enabling Universal Plug n Play Property Description Example UPnP Interfaces Property Description Notes Example General Information Summary The MikroTik RouterOS supports Universal Plug and Play architecture for transparent peer to peer network connectivity of personal computers and network enabled intelligent devices or appliances UPnP enables these devices to automatically connect with one another and work together to make networking possible for more people Specifications Packages required system Home menu level ip upnp Protocols utilized TCP IP HTTP XML IGD Hardware usage Not significant Description UPnP enables data communication between any two devices under the command of any control device on the network Universal Plug and Play is completely independent of any particular physical medium It supports networking with automatic discovery without any initial configuration whereby a device can dynamically join a network DHCP and DNS servers are optional and will be used if available on the network UPnP implements a simple yet powerful NAT traversal solution that enables the clien
228. dress translation is widely used to connect clients to the network This submenu allows configuring Connection Tracking helpers for the above mentioned protocols These helpers are used to provide correct NAT traversal Property Description name protocol name ports read only integer port range that is used by the protocol Example Suppose we want to disable the h323 service port admin test_1 ip firewall service port > set h323 disabled yes admin test_1 ip firewall service port > print Flags X disabled NAME PORTS ftp 21 pptp gre X h323 mms irc 6667 quake3 admin test_1 ip firewall service port > Packet Marking Mangle Document revision 1 0 15 Sep 2003 This document applies to MikroTik RouterOS V2.8 Table of Contents Table of Contents General Information Summary Specifications Related Documents Mangle Description Property Description Example General Information Summary Specifications Packages required system License required Any Home menu level ip firewall mangle Protocols utilized IP Hardware usage Increases with rules and connections count Related Documents Software Package Management IP Addresses and ARP IP Routes Management Firewall Filters Network Address Translation Mangle Description Packets entering the router can be marked for further processing them against the rules of firewall chains source
229. ds so that packets previously marked as don't fragment get fragmented - inherit do not change the field - set set the field so that each packet matching the rule will not be fragmented ph2 state read only expired no phase2 established the progress of key establishing - expired there are some leftovers from previous phase2 In general it is similar to no phase2 - no phase2 no keys are established at the moment - established appropriate SAs are in place and everything should be working fine in accepted integer how many incoming packets were passed through by the policy without an attempt to decrypt in dropped integer how many incoming packets were dropped by the policy without an attempt to decrypt out accepted integer how many outgoing packets were passed through by the policy without an attempt to encrypt out dropped integer how many outgoing packets were dropped by the policy without an attempt to encrypt encrypted integer how many outgoing packets were encrypted by the policy not encrypted integer how many outgoing packets the policy attempted to encrypt but discarded for any reason decrypted integer how many incoming packets were decrypted by the policy not decrypted integer how many incoming packets the policy attempted to decrypt but discarded for any reason Notes All packets are IPIP encapsulated in tunnel mode and their new IP header src address and
230. e SSH just the same way as telnet you run the client tell it where you want to connect to give your username and password and everything is the same after that After that you won't be able to tell that you're using SSH The SSH feature can be used with various SSH Telnet clients to securely connect to and administer the router The MikroTik RouterOS supports SSH 1.3 1.5 and 2.0 protocol standards - server functions for secure administration of the router - telnet session termination with 40 bit RSA SSH encryption is supported - secure ftp is not supported - Winbox connection encryption TLS The MikroTik RouterOS has been tested with the following SSH telnet terminals - PuTTY - Secure CRT - Most SSH compatible telnet clients Specifications Packages required security License required Any Home menu level system ssh Protocols utilized SSH Hardware usage Not significant Related Documents Software Package Management Additional Documents http www zip com au roca ttssh html http www chiark greenend org uk sgtatham putty html http pgpdist mit edu FiSSH index html http telneat lipetsk ru http lakson sgh waw p chopin ssh index en html http cs mscd edu MSSH index html http www networksimplicity com openssh http www openssh com http www freessh org SSH Server Home menu level ip service Description SSH Server is alre
231. e optional Must contain less than 16 characters arp disabled enabled proxy arp reply only default enabled Address Resolution Protocol setting tma mode yes no default no Networking Registration Mode - yes ARLAN - no NON ARLAN Example admin MikroTik > interface print Flags X disabled D dynamic R running NAME TYPE MTU 0 R outer ether 1500 1 X arlan1 arlan 1500 admin MikroTik interface > enable 1 admin MikroTik > interface print Flags X disabled D dynamic R running NAME TYPE MTU 0 R outer ether 1500 1 R arlan1 arlan 1500 More configuration and statistics parameters can be found under the interface arlan menu admin MikroTik interface arlan > print Flags X disabled R running 0 R name arlan1 mtu 1500 mac address 00:40:96:22:90:C8 arp enabled frequency 2412 bitrate 2000 tma mode no card name test sid 0x13816788 admin MikroTik interface arlan > You can monitor the status of the wireless interface admin MikroTik interface arlan > monitor 0 registered no access point 00:00:00:00:00:00 backbone 00:00:00:00:00:00 admin MikroTik interface arlan > Suppose we want to configure the wireless interface to accomplish registration on the AP with the sid 0x03816788 To do this it is enough to change the argument value of sid to 0x03816788 and tma mode to yes admin MikroTik interface arlan >
232. e Atheros AR5211 2.4 5 GHz mode station ssid test1 frequency 5180 band 5GHz scan list default ism supported rates a 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates a 6Mbps supported rates b 1Mbps 2Mbps 5.5Mbps 11Mbps basic rates b 1Mbps ack timeout default tx power default default key 0 default key 1 default key 2 default key 3 station private key transmit key id 0 encryption none used authentication open system accepted authentication open system default authentication yes default forwarding yes 802 1x enable no admin client interface wireless > Now we can monitor our connection both from the AP admin AP interface wireless > registration table admin AP interface wireless registration table > print INTERFACE MAC ADDRESS TYPE PARENT SIGNAL TX RATE 0 wlan1 00:01:24:70:03:33 radio 20 6Mbps admin AP interface wireless registration table > and the client admin client interface wireless > monitor 0 status connected to ess band 5GHz frequency 5180 tx rate 18Mbps ssid test1 bssid 00:01:24:70:03:75 signal strength 20 rx rate 6Mbps admin client interface wireless > WDS Configuration Example WDS Wireless Distribution System makes it possible to connect APs to each other with the same ssid and share the same network On one physical wireless interface you can create multiple WDS interfaces whi
233. e BIOS 2 Use the RLProg exe to set the IRQ and Base Port address of the RadioLAN ISA card Model 101 RLProg must not be run from a DOS window Use a separate computer or a bootable floppy to run the RLProg utility and set the hardware parameters The factory default values of I/O 0x300 and IRQ 10 might conflict with other devices Please note that not all combinations of I/O base addresses and IRQs may work on your motherboard As has been observed IRQ 5 and I/O 0x300 work in most cases Wireless Interface Configuration Home menu level interface radiolan Description To set the wireless interface for working with another wireless card in a point to point link you should set the following parameters The Service Set Identifier It should match the sid of the other card The Distance should be set to that of the link For example if you have a 6 km link use distance 4.7km 6.6km All other parameters can be left as default You can monitor the list of neighbors having the same sid and being within the radio range Property Description name name default radiolanN assigned interface name mtu integer default 1500 Maximum Transmission Unit mac address read only MAC address MAC address distance 0 150m 10.2km 13.0km 2.0km 2.9km 4.7km 6.6km 1.1km 2.0km 150m 1.1km 2.9km 4.7km 6.6km 10.2km default 0 150m distance setting for the link rx diversity enabled disabled default disabled
234. e ISDN line These numbers are referred to as Multiple Subscriber Numbers MSN A similar but separate concept is EAZ numbering which is used in German ISDN networking An EAZ number can be used in addition to the dialed phone number to specify the required service For dial out ISDN interfaces the MSN EAZ number specifies the outgoing phone number the calling end For dial in ISDN interfaces the MSN EAZ number specifies the phone number that will be answered If you are unsure about your MSN EAZ numbers leave them blank it is the default For example if your ISDN line has numbers 1234067 and 1234068 you could configure your dial in server to answer only calls to 1234068 by specifying 1234068 as your MSN number In a sense MSN is just your phone number ISDN Client Interface Configuration Home menu level interface isdn client Description The ISDN client is used to connect to a remote dial in server probably an ISP via ISDN To set up an ISDN dial out connection use the ISDN dial out configuration menu under the submenu ISDN client interfaces can be added using the add command Property Description name name default isdn outN interface name mtu integer default 1500 Maximum Transmission Unit mru integer default 1500 Maximum Receive Unit phone integer default phone number to dial msn integer default MSN EAZ of ISDN line provided by the line operator dial on demand yes no default no use diali
235. e MikroTik RouterOS supports the following Cyclades PC300 Adapter hardware - RSV V.35 RSV models with 1 or 2 RS 232 V.35 interfaces on standard DB25 M 34 connector 5Mbps internal or external clock - T1 E1 TE models with 1 or 2 T1 E1 G 703 interfaces on standard RJ48C connector Full Fractional internal or external clock - X.21 X21 models with 1 or 2 X.21 on standard DB 15 connector 8Mbps internal or external clock Specifications Packages required synchronous Home menu level interface cyclades Protocols utilized X.21 V.35 T1 E1 G 703 Frame Relay PPP Cisco HDLC Hardware usage Not significant Related Documents Software Package Management Device Driver Management IP Addresses and ARP Log Management Additional Documents http www cyclades com products svrbas pc300 php the product on line documentation http mt lv Documentation pc300_21 el pdf the Installation Manual in pdf format Synchronous Interface Configuration Home menu level interface cyclades Description You can install up to four Cyclades PC300 PCI Adapters in one PC box if you have that many adapter slots and IRQs available The Cyclades PC300 RSV Synchronous PCI Adapter comes with a V.35 cable This cable should work for all standard modems which have V.35 connections For synchronous modems which have a DB 25 connection you should use a standard DB 25 cable Connect a communication device e g
236. e client might have received before the authentication It is possible to specify what IP addresses each particular user will receive after he she logs in that way a user will always get the same IP no matter what computer he she has logged in from Address assignment with dhcp pool login method To create a HotSpot infrastructure with the dhcp pool method the DHCP server should be configured to lease IP addresses from a temporary IP address pool for a very short period of time lease time at about 14 seconds lower values may cause problems with some DHCP clients This temporary subnet should have some restrictions so that users that received a temporary IP address can only access the HotSpot login page Once a user is authenticated the HotSpot gateway changes the lease assigned to the user so that he she will receive an IP address from a different IP address pool when the lease time of the current temporary lease is over it is not possible to recall a DHCP lease so the address will only change when the temporary lease expires Accounting The HotSpot system does user accounting through firewall rules You should create a hotspot firewall chain and the system will put there two dynamic rules for each active user one for upload and one for download You should make all the traffic you need accounting for pass through this firewall table HotSpot Gateway Setup Home menu level ip hotspot Property Description use ssl yes no de
237. e following example we'll see the list of hosts admin MikroTik tool sniffer host > print ADDRESS RATE PEEK RATE TOTAL 0 10.0.0.4 0bps/0bps 704bps/0bps 264/0 1 10.0.0.144 0bps/0bps 6.24kbps/12.2kbps 1092/2128 2 10.0.0.181 0bps/0bps 12.2kbps/6.24kbps 2994/1598 3 10.0.0.241 0bps/0bps 1.31kbps/4.85kbps 242/866 admin MikroTik tool sniffer host > Packet Sniffer Connections Home menu level tool sniffer connection Description Here you can get a list of the connections that have been watched during the sniffing time Property Description active read only yes no whether the connection is active bytes read only integer bytes in the current connection dst address read only IP address destination address mss read only integer Maximum Segment Size resends read only integer the number of packets resent in the current connection src address read only IP address source address Example The example shows how to get the list of connections admin MikroTik tool sniffer connection > print Flags A active SRC ADDRESS DST ADDRESS BYTES RESENDS MSS 0 A 10.0.0.241:1839 10.0.0.181:23 telnet 6/42 60/0 0/0 1 A 10.0.0.144:2265 10.0.0.181:22 ssh 504/252 504/0 0/0 admin MikroTik tool sniffer connection > Traceroute Document revision 1 2 13 10 2003 This document applies
238. e > add gateway 1.1.1.2 interface wan admin MikroTik ip route > print Flags X disabled I invalid D dynamic J rejected C connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0.0.0.0/0 r 1.1.1.2 1 wan 1 DC 10.0.0.0/24 r 10.0.0.254 1 ether2 2 DC 192.168.0.0/24 r 192.168.0.254 0 ether1 3 DC 1 1 52 32 r 0.0.0.0 0 wan admin MikroTik ip route > The configuration of the MikroTik router at the other end is similar admin MikroTik ip address > add address 1.1.1.2/32 interface moxa network 1.1.1.1 broadcast 255.255.255.255 admin MikroTik ip address > print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10.1.1.12/24 10.1.1.0 10.1.1.255 Public 1 1.1.1.2/32 1.1.1.1 255.255.255.255 moxa admin MikroTik ip address > ping 1.1.1.1 64 byte pong ttl 255 time 31 ms 64 byte pong ttl 255 time 26 ms 64 byte pong ttl 255 time 26 ms 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 26/27.6/31 ms admin MikroTik ip address > MikroTik Router to Cisco Router Let us consider the following network setup with MikroTik Router connected to a leased line with baseband modems and a CISCO router at the other end [Figure: Internet, interface Ethernet0, address 10.1.1.12/24] interface Se
239. e intervals IP addresses internal numbers and lists Currently console tries to convert any value to the most specific type first backing up if it fails This is the order in which console attempts to convert a value - list - internal number - number - IP address - time - boolean - string There is no way to explicitly control this type conversion In console integers are internally represented as 64 bit signed numbers so the range of variable values can be from -9223372036854775808 to 9223372036854775807 It is possible to input them as hexadecimal numbers by prefixing with 0x Lists are written as a comma separated sequence of values Putting whitespace around commas is not recommended because it might confuse console about word boundaries Boolean values are written as either true or false Console also accepts yes for true and no for false Internal numbers begin with Time intervals are written as a sequence of numbers that can be followed by letters specifying the units of time measure The default is a second Numbers may have a decimal point It is also possible to use the HH MM SS notation Accepted time units Internal Console Expressions ICE Description Within this document ICE refers to console's built in commands and expressions those do not depend on the current menu level These commands do not change configuration directly but they are useful for automating various maintenance tasks The full ICE li
240. e is allocated to a number of subscribers For example the contention ratio of 1 4 means that the allocated data rate may be shared between no more than 4 users - Priority the order of importance in which traffic will be processed You can give priority to some traffic so that it is handled before some other traffic MikroTik RouterOS may be used to provide CIR and MIR with some contention level and priority Here we will talk in terms of queues which represent either real or virtual interface and classes children of a queue each class has another queue attached to it - limit at property is used to specify CIR If the queue will be able to provide that data rate it will i e the parent queue and the link the router is connected to should be able to provide the total data rate equal to or greater than the sum of all CIRs the queue should satisfy in order to guarantee these CIRs CIRs will be satisfied in order of their priority - max limit property is used to specify MIR If the queue has satisfied all the CIRs and it is able to provide some additional data rate it will try to distribute that additional data rate between all its classes regardless of their priorities and not exceeding their MIRs - Filters in RouterOS are very powerful and flexible Providing Contention Ratio is only one application of what they can do Using firewall mangle you can mark a number of hosts with a flow mark so the data rate allocated for that
241. e may be set to MTU 1600 so that the PPPoE interface may be set to MTU 1500. This optimizes the transmission of 1500-byte packets and avoids any problems associated with MTUs lower than 1500. It has not been determined how to change the MTU of the Windows wireless interface at this moment.
Let us consider the following setup, where the MikroTik Wireless AP offers wireless clients transparent access to the local network with authentication.
[Network diagram: Ethernet LAN 10.0.0.0/24 with Internet gateway; MT_Prism_AP with interface Local (address 10.0.0.217/24) and a Prism access point interface (ssid mt, frequency 2442) with dynamic interfaces; workstations 10.0.0.230 and 10.0.0.231; addresses 10.0.0.230-240 reserved for dial-in clients.]
Note that you should have Basic Wireless and Wireless AP licenses for this setup.
Page 165 of 398
First of all, the Prism interface should be configured:
[admin@MT_Prism_AP] interface prism> set 0 mode=ap-bridge frequency=2442MHz ssid=mt disabled=no
[admin@MT_Prism_AP] interface prism> print
Flags: X - disabled, R - running
0 R name="prism1" mtu=1500 mac-address=00:90:4B:02:17:E2 arp=enabled mode=ap-bridge root-ap=00:00:00:00:00:00 frequency=2442MHz ssid="mt" default-authentication=yes default-forwarding=yes max-clients=2007 card-type=generic tx-power=auto supported-rates=1,11 basic-rates=1 hide-ssid=no
242. e result are both IP addresses.
<< (left shift): binary operator which shifts an IP address by a given number of bits. The first argument is an IP address, the second is an integer, and the result is an IP address.
>> (right shift): binary operator which shifts an IP address by a given number of bits. The first argument is an IP address, the second is an integer, and the result is an IP address.
. (concatenation): binary operator which concatenates two strings, appends one list to another, or appends an element to a list.
Notes: when comparing two arrays, note that two arrays are equal if their respective elements are equal.
Example. Operator priority and evaluation order (the operators in the two expressions were not recovered from the source):
[admin@MikroTik] ip firewall rule forward> :put (10.1.6.2 11.12.2.3 1)
false
[admin@MikroTik] ip firewall rule forward> :put (10.1.6.2 11.12.2.3 1)
true
[admin@MikroTik] ip firewall rule forward>
Concatenation:
[admin@MikroTik] interface> :put (1 . 3)
13
[admin@MikroTik] interface> :put (1,2 . 3)
1;2;3
Page 366 of 398
[admin@MikroTik] interface> :put (1 . 3,4)
13;4
[admin@MikroTik] interface> :put (1,2 . 3,4)
1;2;3;4
[admin@MikroTik] interface> :put (1 . 3 + 1)
ERROR: cannot add string to integer number
[admin@MikroTik] interface>
Data types. Description: the console can work with several data types. Currently it distinguishes between strings, boolean values, numbers, tim
243. ead-only: name): interface name the client is connected to; idle-time (read-only: time): inactivity time; uptime (read-only: time): how long the client has been active; bytes-in (read-only: integer): the amount of bytes received from the client; bytes-out (read-only: integer): the amount of bytes sent to the client; packets-in (read-only: integer): the amount of packets received from the client; packets-out (read-only: integer): the amount of packets sent to the client.
Example. To check the current translation table:
[admin@MikroTik] ip hotspot universal host> print
Flags: I - invalid, H - DHCP, D - dynamic
# MAC-ADDRESS ADDRESS TO-ADDRESS INTERFACE
0 D 00:05:5D:5F:4E:34 10.1.0.144 192.168.0.254 int
[admin@MikroTik] ip hotspot universal host>
Universal Access List. Home menu level: /ip hotspot universal access. Description: you can specify manually what IP address a given IP and/or MAC address will get.
Property Description:
Page 269 of 398
mac-address (MAC address): client's MAC address; address (IP address): client's IP address; to-address (IP address): IP address to translate the address to; interface (name; default: empty): interface name the client is connected to.
Example. To add an entry specifying that IP address 10.20.30.40 should be translated to 10.0.0.20 for packets coming from the ether1 interface:
[admin@MikroTik] ip hotspot universal access> add address=10.20.30.40 interface=ether1 to
244. (table of contents fragment; dot leaders and unrecoverable titles dropped)
(title not recovered) 31
General Information 31
Synchronous Interface Configuration 32
Troubleshooting 33
Synchronous Link Applications 33
Layer 2 Tunnel Protocol (L2TP) 39
General Information 39
L2TP Client Setup 40
Monitoring L2TP Client 41
L2TP Server Setup 42
L2TP Server Users 42
L2TP Application Examples 43
Troubleshooting 48
CISCO/Aironet 2.4GHz 11Mbps Wireless Interface 50
General Information 50
Wireless Interface Configuration 51
Troubleshooting 53
Application Example 54
IP over IP (IPIP) Tunnel Interface 58
General Information 58
(title not recovered) 59
IPIP Configuration 59
Ethernet Interface 61
General Information 61
Ethernet Interface Configuration 62
Monitoring the Interface 63
Moxa C502 Synchronous Interface 64
General Information 64
Synchronous Interface Configuration 65
Troubleshooting
245. ed, I - invalid
# SRC-ADDRESS DST-ADDRESS INT FLOW ACTION
0 1.1.1.1/32 0.0.0.0/0 all lookup
1 2.2.2.1/32 0.0.0.0/0 all lookup
2 1.1.1.0/24 0.0.0.0/0 all lookup
3 2.2.2.0/24 0.0.0.0/0 all lookup
4 0.0.0.0/0 0.0.0.0/0 all lookup
[admin@MikroTik] ip policy-routing rule>
Here the rules 0 and 1 are needed to correctly process connections initiated from the local addresses of the router: namely, the connected routes from the main table should be used instead of the default routes from the tables from_net1 or from_net2. Rules 2 and 3 handle packets originated from locally connected networks, and rule 4 looks after packets originated from all other sources.
Page 198 of 398
Connection Tracking and Service Ports. Document revision 1.0 (06 Oct 2003). This document applies to MikroTik RouterOS V2.8.
Table of Contents: Summary; Specifications; Related Documents; Connection Tracking (Description, Property Description, Example); Service Ports (Description, Property Description, Example).
General Information. Summary: connection tracking (or conntrack) provides a facility for monitoring connections made through the router and the respective state information. In turn, the service-port submenu allows configuring conntrack helpers for various protocols; they are used to provide correct NAT traversal for these protocols.
Specifications: Packages required: system. License required: Any. Home menu level: /ip firewall connection
246. ed SAs. Home menu level: /ip ipsec installed-sa. Description: this facility provides information about installed security associations, including the keys.
Property Description:
spi (read-only: integer): SPI value of the SA, represented in hexadecimal form; direction (multiple choice, read-only: in | out): SA direction; src-address (read-only: IP address): source address of the SA, taken from the respective policy; dst-address (read-only: IP address): destination address of the SA, taken from the respective policy; auth-algorithm (multiple choice, read-only: none | md5 | sha1): authentication algorithm used in the SA; enc-algorithm (multiple choice, read-only: none | des | 3des | aes): encryption algorithm used in the SA; replay (read-only: integer): size of the replay window, presented in bytes. This window protects the receiver against replay attacks by rejecting old or duplicate packets; state (multiple choice, read-only: larval | mature | dying | dead): SA living phase; auth-key (read-only: text): authentication key, presented in the form of a hex string; enc-key (read-only: text): encryption key, presented in the form of a hex string (not applicable to AH SAs); add-lifetime (read-only: time): soft/hard expiration time, counted from the installation of the SA; use-lifetime (read-only: time): soft/hard expiration time, counted from the first use of the SA; lifebytes (read-only: integer): soft/hard expiration threshold for the amount of processed data; current-addtime (read-only: text): t
247. ed packet with its own address and a port allocated for this connection. The router keeps track of masqueraded connections and performs the demasquerading of packets which arrive for the opened connections. For filtering purposes you may want to specify the to-src-ports argument value, say to 60000-65535. If you want to change the source address/port to a specific address/port, use action=nat instead of action=masquerade:
[admin@test_1] ip firewall src-nat> add src-address=192.168.0.1/32 out-interface=wlan1 action=nat to-src-address=1.1.1.1
[admin@test_1] ip firewall src-nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 src-address=192.168.0.1/32:0-65535 dst-address=0.0.0.0/0:0-65535 out-interface=wlan1 protocol=all icmp-options=any:any flow="" connection="" content="" limit-count=0 limit-burst=0 limit-time=0s action=nat to-src-address=1.1.1.1 to-src-port=0-65535
[admin@test_1] ip firewall src-nat>
Here the
Page 223 of 398
Destination NAT. Home menu level: /ip firewall dst-nat. Description: redirection and destination NAT should be used when you need to give access to services located on a private network from the outside world.
Property Description:
action (accept | redirect | nat; default: accept): action to undertake if a packet matched a particular dst-nat rule, one of the following: accept: accept the packet without undertaking any action except for mangle. No more rules are processed in the rel
248. ed to drop all the P2P traffic coming from the Internet but allow the use of the WinMX client between two offices, limiting it to 284 Kbps in both directions. You need to do the following:
- Allow the WinMX client to be used between the two offices:
[admin@MikroTik] ip firewall rule forward> add p2p=winmx action=accept src-address=10.0.0.0/24 dst-address=10.0.1.0/24
[admin@MikroTik] ip firewall rule forward> add p2p=winmx action=accept dst-address=10.0.0.0/24 src-address=10.0.1.0/24
- Drop all other P2P traffic:
[admin@MikroTik] ip firewall rule forward> add p2p=all-p2p action=drop
- Limit the traffic to 284 Kbps:
[admin@MikroTik] queue simple> add dst-address=10.0.1.0/24 max-limit=290816/290816
Per Address Queuing. Suppose we want to limit each P2P user to a given amount of Kbps. This can be done on a per-address basis.
Page 213 of 398
We should define a custom queue type of kind pcq to accomplish the task. Each user's upload and download rates would be limited to the pcq-rate value in the relevant queue.
- First we need to mark the P2P traffic:
[admin@MikroTik] ip firewall mangle> add src-address=10.0.0.0/24 flow=p2p-out p2p=all-p2p action=passthrough
[admin@MikroTik] ip firewall mangle> add dst-address=10.0.0.0/24 flow=p2p-in p2p=all-p2p action=passthrough
[admin@MikroTik] ip firewall mangle>
- Then create a custom queue type with kind=pcq:
[admin@MikroTik] queue type> add name=p2p-out kind=pcq pcq-rate=655
249. efault: isdn-inN): interface name; mtu (integer; default: 1500): Maximum Transmission Unit; mru (integer; default: 1500): Maximum Receive Unit; phone (integer; default: ""): phone number to dial; msn (integer; default: ""): MSN/EAZ of the ISDN line provided by the line operator; l2-protocol (hdlc | x75i | x75ui | x75bui; default: hdlc): level 2 protocol to be used; profile (name; default: default): profile to use when connecting to the remote server; bundle-128K (yes | no; default: yes): use both channels instead of just one; authentication (pap | chap | mschap1 | mschap2; default: mschap2,mschap1,chap,pap): used authentication.
Example. A sample printout of an ISDN server interface is as follows:
[admin@MikroTik] interface isdn-server> add msn=142 bundle-128K=no
[admin@MikroTik] interface isdn-server> print
Flags: X - disabled, R - running
Page 88 of 398
0 X name="isdn-in1" mtu=1500 mru=1500 msn="142" authentication=mschap2,chap,pap profile=default l2-protocol=x75bui bundle-128K=no
[admin@MikroTik] interface isdn-server>
ISDN Examples. ISDN Dial-out: dial-out ISDN connections allow a local router to connect to a remote dial-in server (ISP's) via ISDN. Let's assume you would like to set up a router that connects your local LAN with your ISP via an ISDN line. First you should load the corresponding ISDN card driver. Supposing you have an ISDN card with a W6692-based chip:
[admin@MikroTik] > driver add name
250. eless interface should be as follows:
- A unique Service Set Identifier should be chosen, say test1.
- A frequency should be selected for the link, say 5180MHz.
- The operation mode should be set to ap-bridge.
The following commands should be issued to change the settings for the wireless AP interface:
[admin@AP] interface wireless> set 0 mode=ap-bridge ssid=test1
[admin@AP] interface wireless> enable 0
[admin@AP] interface wireless> print
Page 119 of 398
Flags: X - disabled, R - running
0 R name="wlan1" mtu=1500 mac-address=00:01:24:70:03:75 arp=enabled card-type="Atheros AR5211 2.4/5 GHz" mode=ap-bridge ssid="test1" frequency=5180 band=5GHz scan-list=default-ism supported-rates-a=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-a=6Mbps supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps basic-rates-b=1Mbps ack-timeout=default tx-power=default default-key-0="" default-key-1="" default-key-2="" default-key-3="" station-private-key="" transmit-key-id=0 encryption=none used-authentication=open-system accepted-authentication=open-system default-authentication=yes default-forwarding=yes 802.1x-enable=no
[admin@AP] interface wireless>
Then we need to configure the wireless client interface:
[admin@client] interface wireless> set 0 ssid=test1
[admin@client] interface wireless> enable 0
[admin@client] interface wireless> print
0 R name="wlan1" mtu=1500 mac-address=00:01:24:70:03:33 arp=enabled card-typ
251. ency (integer; default: 5120): operating frequency of the card; band: operating band: 2.4GHz-B (IEEE 802.11b), 2.4GHz-G (IEEE 802.11g), 5GHz (IEEE 802.11a, up to 54 Mbit), 5GHz-turbo (IEEE 802.11a, up to 108Mbit); scan-list (multiple choice: integer | default | default-ism; default: default-ism): the list of channels to scan. default-ism for 2.4GHz mode: 2412, 2417, 2422, 2427, 2432, 2437, 2442, 2447, 2452, 2457, 2462, 2467, 2472; for 5GHz mode: 5180, 5200, 5220, 5240, 5260, 5280, 5300, 5320, 5745, 5765, 5785, 5805; for 5GHz-turbo: 5210, 5250, 5290, 5760, 5800; burst-time (time; default: disabled): time in microseconds which will be used to send data without stopping. Note that other wireless cards in that network will not be able to transmit data for burst-time microseconds. This setting is available only for AR5000, AR5001X and AR5001X+ chipset-based cards.
Page 107 of 398
fast-frames (yes | no; default: no): whether to pack smaller packets into a larger one, which makes larger data rates possible; supported-rates-a/g (multiple choice: 6Mbps, 9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps; default: 6Mbps, 9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps): rates to be supported when operating in the IEEE 802.11a and 802.11g standards; basic-rates-a/g (multiple choice: 6Mbps, 9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps; default: 6Mbps): basic rates in IEEE 802.11a and 802.11g modes; supported-rates-b (multiple choice:
252. ent applies to MikroTik RouterOS V2.8.
Table of Contents: General Information (Summary, Related Documents, Description); L2TP Client Setup (Property Description, Example); Monitoring L2TP Client (Property Description, Example); L2TP Server Setup (Description, Property Description, Example); L2TP Server Users (Description, Property Description, Example); L2TP Application Examples (Router-to-Router Secure Tunnel Example, Connecting a Remote Client via L2TP Tunnel, L2TP Setup for Windows); Troubleshooting (Description).
General Information. Summary: L2TP (Layer 2 Tunnel Protocol) supports encrypted tunnels over IP. The MikroTik RouterOS implementation includes support for L2TP client and server. General applications of L2TP tunnels:
- For secure router-to-router tunnels over the Internet.
- To link (bridge) local Intranets or LANs (when EoIP is also used).
- To extend PPP user connections to a remote location (for example, for an ISP to authenticate and to provide Internet access separately).
- For mobile or remote clients to remotely access an Intranet/LAN of a company.
Each L2TP connection is composed of a server and a client. The MikroTik RouterOS may function
Page 39 of 398
as a server or client or, for various configurations, it may be the server for some connections and client for other connections. For example, the client created below could connect to a Cisco L2TP server, another MikroTik Router, or another router which
253. er=john password=john profile=default add-default-route=yes
[admin@MikroTik] interface pptp-client> enable 0
Monitoring PPTP Client. Command name: /interface pptp-client monitor.
Property Description: uptime (time): connection time displayed in days, hours, minutes and seconds; encoding (text): encryption and encoding (if asymmetric, separated with '/') being used in this connection; status (text): status of the client: Dialing: attempting to make a connection; Verifying password: connection has been established to the server, password verification in progress; Connected: self-explanatory;
Page 95 of 398
Terminated: interface is not enabled or the other side will not establish a connection; uptime (time): connection time displayed in days, hours, minutes and seconds.
Example. Example of an established connection:
[admin@MikroTik] interface pptp-client> monitor test2
uptime: 4h35s
encoding: MPPE 128 bit, stateless
status: Connected
[admin@MikroTik] interface pptp-client>
PPTP Server Setup. Home menu level: /interface pptp-server server. Description: the PPTP server supports unlimited connections from clients. For each current connection a dynamic interface is created.
Property Description: enabled (yes | no; default: no): defines whether the PPTP server is enabled or not; mtu (integer; default: 1460): Maximum Transmission Unit. The optimal value is the
254. er>
DHCP Networks. Home menu level: /ip dhcp-server network.
Property Description: address (IP address/mask): the network the DHCP server(s) will lend addresses from; netmask (integer: 0..32; default: 0): the actual network mask to be used by the DHCP client (0: the netmask from the network address is to be used); gateway (IP address; default: 0.0.0.0): the default gateway to be used by DHCP clients; dns-server (text): the DHCP client will use these as the default DNS servers. Two comma-separated DNS servers can be specified, to be used by the DHCP client as primary and secondary DNS servers; wins-server (text): the Windows DHCP client will use these as the default WINS servers. Two comma-separated WINS servers can be specified, to be used by the DHCP client as primary and secondary WINS servers; domain (text): the DHCP client will use this as the DNS domain setting for the network adapter; next-server (IP address): IP address of the next server to use in bootstrap; boot-file-name (text): boot file name.
Notes: Winbox does not have an option for specifying two DNS or WINS servers; you should use the terminal console instead. The address field uses the netmask to specify the range of addresses the given entry is valid for. The actual netmask clients will be using is specified in the netmask property.
DHCP Leases. Home menu level: /ip dhcp-server lease. Description: the DHCP server lease submenu is used to monitor and manage the server's leases. The issued leases are shown he
255. er in two ways: whether the packet has come from an interface, or whether it has been originated by the router. Analogically, a packet has two ways to leave the conveyer: through an outgoing interface or, in case the packet is locally destined, in the local process. When the packet arrives at the router's interface, firewall rules are applied in the following order:
- The NAT rules are applied first. The firewall rules of the input chain and routing are applied after the packet has passed the NAT rule set.
- If the packet should be forwarded through the router, the firewall rules of the forward chain are applied next.
- When a packet leaves an interface, firewall rules of the output chain are applied first, then the NAT rules and queuing.
Additional arrows from the IPsec boxes show the processing of encrypted packets: they need to be encrypted/decrypted first and then processed as usual, id est from the point an ordinary packet enters the router. If the packet is a bridged one, the Routing Decision changes to the Bridge Forwarding Decision. In case the bridge is forwarding non-IP packets, all things regarding the IP protocol are not applicable (Universal Client, Conntrack, Mangle, et cetera).
Firewall Rules. Home menu level: /ip firewall rule <chain-name>. Description: a rule is an expression in a definite form that tells the router what to do with a particular packet.
Page 206 of 398
The rule consists of two logical parts
256. er management for Ethernet ISA cards; serial port management; local user management; export and import of router configuration scripts; backup and restore of the router's configuration; undo and redo of configuration changes; network diagnostics tools (ping, traceroute, bandwidth tester, traffic monitor); bridge support; system resource management; package management; telnet client and server; local and remote logging facility; winbox server, as well as the winbox executable with some plugins. After installing the MikroTik RouterOS, a free license should be obtained from MikroTik to enable the basic system functionality.
Additional Software Feature Packages. The table below shows the additional software feature packages, the extended functionality provided by them, the required prerequisites and additional licenses, if any (the prerequisite and license columns were not recovered from the source):
advanced-tools: email client, pingers, netwatch and other utilities
arlan: support for DSSS 2.4GHz 2mbps Aironet ISA cards
dhcp: DHCP server and DHCP client support
gps: support for GPS devices
isdn: support for ISDN devices
lcd: support for informational LCD display
ntp: network time protocol support
hotspot: HotSpot gateway
Page 10 of 398
ppp: support for PPP, PPTP, L2TP, PPPoE and ISDN PPP
radiolan: provides support for 5.8GHz RadioLAN cards
routerboard: support for RouterBoard specific functions and utilities
routing: support for RIP, OSPF and BGP4
security: support for IPSEC, SSH and sec
257. er of clusters on one network is 255, each having a unique VRID (Virtual Router ID). Each router participating in a VRRP cluster must have its priority set to a valid value.
Property Description: name (name): assigned name of the VRRP instance; interface (name): interface name the instance is running on; vrid (integer: 0..255; default: 1): Virtual Router Identifier (must be unique on one interface); priority (integer: 1..255; default: 100): priority of the current node (higher values mean higher priority); 255: the RFC requires that the router that owns the IP addresses assigned to this instance has the priority of 255; interval (integer: 1..255; default: 1): VRRP update interval in seconds. Defines how frequently the master of the given cluster sends VRRP advertisement packets; preemption-mode (yes | no; default: yes): whether preemption mode is enabled: no: a backup node will not be elected to be a master until the current master fails, even if the backup node has higher priority than the current master; yes: the master node always has the priority; authentication (none | simple | ah; default: none): authentication method to use for VRRP advertisement packets: none: no authentication;
Page 216 of 398
simple: plain text authentication; ah: Authentication Header using the HMAC-MD5-96 algorithm; password (text; default: ""): password required for authentication, depending on the method used (can be ignored if no authentication is used); 8 char
258. (table of contents fragment; dot leaders and unrecoverable titles dropped)
(title not recovered) 66
Synchronous Link Application Examples 66
Virtual LAN (VLAN) Interface 71
General Information 71
VLAN Setup 72
Application Example 73
RadioLAN 5.8GHz Wireless Interface 75
General Information 75
Wireless Interface Configuration 76
Troubleshooting 78
Wireless Network Applications 78
Frame Relay PVC Interfaces 80
General Information 80
Configuring Frame Relay Interface 81
Frame Relay Configuration 81
Troubleshooting 84
ISDN Interface 85
General Information 85
ISDN Hardware and Software Installation 86
ISDN Client Interface Configuration 87
ISDN Server Interface Configuration 88
ISDN Examples 89
Point to Point Tunnel Protocol (PPTP) 93
General Information
259. es; metric-rip (integer; default: 20): specifies the cost of the routes learned from the RIP protocol; metric-bgp (integer; default: 20): specifies the cost of the routes learned from the BGP protocol.
Notes: within one area, only the router that is connected to another AS (i.e. the border router) should have the propagation of the default route enabled. The OSPF protocol will try to use the shortest path (the path with the smallest total cost), if available. The OSPF protocol supports two types of metrics.
Example. To enable the OSPF protocol and redistribute routes to the connected networks as type 1 metrics with the cost of 1, you need to do the following:
[admin@MikroTik] routing ospf> set redistribute-connected=as-type-1 metric-connected=1
[admin@MikroTik] routing ospf> print
router-id: 0.0.0.0
distribute-default: never
redistribute-connected: as-type-1
redistribute-static: no
Page 273 of 398
redistribute-rip: no
redistribute-bgp: no
metric-default: 1
metric-connected: 1
metric-static: 20
metric-rip: 20
metric-bgp: 20
[admin@MikroTik] routing ospf>
Areas. Home menu level: /routing ospf area. Description: TODO. There is one area that is configured by default: the backbone area, which has the area-id 0.0.0.0. The name and area-id for this area cannot be changed.
Property Description: name (name; default: ""): OSPF area's name; area-id (IP address; default: 0.0.0.0): OSPF area identifier; default-cost (integer
260. es in AP mode can be connected together using MAC bridges. The bridge feature allows the interconnection of stations connected to separate LANs (using EoIP, geographically distributed networks can be bridged as well if any kind of IP network interconnection exists between them) as if they were attached to a single LAN. As bridges are transparent, they do not appear in the traceroute list, and no utility can make a distinction between a host working in one LAN and a host working in another LAN if these LANs are bridged (depending on the way the LANs are interconnected, latency and data rate between hosts may vary).
Additional Documents: http://users.pandora.be/bart.de.schuymer/ebtables/br_fw_ia/br_fw_ia.html
Bridge Interface Setup. Home menu level: /interface bridge. Description: to bridge a number of networks into one bridge, a bridge interface should be created that will group all the bridged interfaces. One MAC address will be assigned to all the bridged interfaces. Note that you may only assign IP addresses to the bridge interface (the one created in this submenu level), not to the bridged interfaces (the ones which will be grouped in the bridge).
Property Description:
Page 139 of 398
name (name; default: bridgeN): a descriptive name of the interface; mtu (integer; default: 1500): Maximum Transmission Unit; arp (disabled | enabled | proxy-arp | reply-only; default: enabled): Address Resolution Protocol setting; mac-address (read-o
261. escription, Property Description, Notes, Example); Areas (Description, Property Description, Example); Networks (Description, Property Description, Notes, Example); Interfaces (Description, Property Description, Example); Virtual Links (Description, Property Description, Notes, Example); Neighbours (Description, Property Description, Notes, Example).
General Information. Summary: MikroTik RouterOS implements OSPF Version 2 (RFC 2328). The OSPF protocol is a link-state protocol that takes care of the routes in a dynamic network structure that can employ different paths to its subnetworks. It always chooses the shortest path to the subnetwork first.
Page 271 of 398
Specifications: Packages required: routing. License required: Any. Home menu level: /routing ospf. Protocols utilized: OSPF. Hardware usage: not significant.
Related Documents: Software Package Management; IP Addresses and ARP; Routes, Equal Cost Multipath Routing, Policy Routing; Log Management.
Description: the Open Shortest Path First (OSPF) dynamic routing protocol distributes routing information between the routers belonging to a single autonomous system (AS). An AS is a group of routers exchanging routing information via a common routing protocol. In order to deploy OSPF, all routers it will be running on should be configured in a coordinated manner (note that it also means that the routers should have the same MTU for all the networks advertised by the OSPF protocol). Routers belon
262. ess: appropriate IP address of the neighbour; priority (read-only: integer): the priority of the neighbour, which is used in designated router elections via the Hello protocol on this network; state (read-only: Down | Attempt | Init | 2-Way | ExStart | Exchange | Loading | Full): the state of the connection: Down: the connection is down; Attempt: the router is sending Hello protocol packets; Init: a Hello packet was received from a neighbour; 2-Way: bidirectional communication established; ExStart: negotiating the Exchange state; Exchange: exchanging the whole Link State Database; Loading: receiving information from the neighbour; Full: the link state databases are completely synchronized; state-changes (read-only: integer): number of connection state changes; ls-retransmits (read-only: integer): number of link state retransmits; ls-requests (read-only: integer): number of link state requests; db-summaries (read-only: integer): number of records in the link state database advertised by the neighbour; dr-id (read-only: IP address): designated router's router-id for this neighbour; backup-dr-id (read-only: IP address): backup designated router's router-id for this neighbour.
Notes: the neighbour's list also displays the router itself.
Example. The following text can be observed just after adding an OSPF network:
Page 277 of 398
[admin@MikroTik] routing ospf> neighbor print
router-id: 10.0.0.204
address: 10.0.0.204
priority: 1
state:
263. et interface Public, address 10.1.1.12/24; interface moxa, address 1.1.1.2/32 (V.35 baseband modem link to) MikroTik V3: interface wan, address 1.1.1.1/32; interface ether2, address 10.0.0.254/24; interface ether1, address 192.168.0.254/24; LAN 192.168.0.0/24; LAN 10.0.0.0/24.]
The driver for the MOXA C101 card should be loaded and the interface should be enabled according to the instructions given above. The IP addresses assigned to the synchronous interface should be as follows:
[admin@MikroTik] ip address> add address=1.1.1.1/32 interface=wan network=1.1.1.2 broadcast=255.255.255.255
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.0.0.254/24 10.0.0.254 10.0.0.255 ether2
1 192.168.0.254/24 192.168.0.254 192.168.0.255 ether1
2 1.1.1.1/32 1.1.1.2 255.255.255.255 wan
[admin@MikroTik] ip address> ping 1.1.1.2
1.1.1.2 64 byte pong: ttl=255 time=31 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 26/27.6/31 ms
[admin@MikroTik] ip address>
The default route should be set to the gateway router 1.1.1.2:
[admin@MikroTik] ip route> add gateway=1.1.1.2
Page 150 of 398
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected
264. evant list (chain); redirect: redirects to the local address/port of the router. In this case the to-dst-address argument value is not taken into account and it does not need to be specified, since the router's local address is used; nat: perform Network Address Translation. The to-dst-address should be specified (not required with action=redirect); in-interface (name; default: all): interface the packet has entered the router through (all may include the local loopback interface for packets with destination to the router); to-dst-address (IP address; default: 0.0.0.0): destination IP address to replace the original with; to-dst-port (integer: 0..65535; default: 0-65535): destination port to replace the original with; src-mac-address (MAC address; default: 00:00:00:00:00:00): host's MAC address the packet has been received from.
Example. This example shows how to add a dst-NAT rule that gives access to the http server 192.168.0.4 on the local network via the external address 10.0.0.217:
[admin@MikroTik] ip firewall dst-nat> add action=nat protocol=tcp dst-address=10.0.0.217/32:80 to-dst-address=192.168.0.4
[admin@MikroTik] ip firewall dst-nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=10.0.0.217/32:80 protocol=tcp icmp-options=any:any flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=nat to-dst-ad
265. ...evice Driver Management, IP Addresses and Address Resolution Protocol (ARP), Log Management. Additional Documents: http://www.aironet.com, http://www.comptek.ru:8100/wireless/files/filearlan.html
Installation
Example: To add the driver for the Arlan 655 adapter, do the following:
  [admin@MikroTik] > driver add name=arlan io=0xD000
  [admin@MikroTik] > driver print
  Flags: I - invalid, D - dynamic
    #   DRIVER         IRQ   IO       MEMORY   ISDN-PROTOCOL
    0 D RealTek 8139
    1   Arlan 655            0xD000
  [admin@MikroTik] driver>
Wireless Interface Configuration
Home menu level: /interface arlan
Description: The wireless card status can be obtained from the two LEDs, the Status LED and the Activity LED.
  [LED status table, partly recoverable: Status LED Amber, Activity LED Amber: ARLAN 655 is functional but nonvolatile memory is not configured; Status LED Green, Activity LED Amber: ARLAN 655 not registered to ...]
Property Description
name (name; default: arlanN) - assigned interface name
mtu (integer; default: 1500) - Maximum Transmission Unit
mac-address (MAC address) - Media Access Control address
frequency (2412 | 2427 | 2442 | 2457 | 2465; default: 2412) - channel frequency in MHz
bitrate (1000 | 2000 | 354 | 500; default: 2000) - data rate in kbit/s
sid (integer; default: 0x13816788) - System Identifier. Should be the same for all nodes on the radio network. Must be an even number with maximum length 31 characters
add-name (text; default: test) - card nam...
266. ...executes its payload once, which is not of much use. However, if you specify a condition as the value of the while argument, it is evaluated after the commands have been executed, and if it returns true the do statement is executed again and again until the condition is false. If you specify a condition for the if argument, it is evaluated only once, before doing anything else, and if it is false nothing is done.
  [admin@MikroTik] > :global i; :set i 10; :do {:put $i; :set i ($i - 1)} while=(($i < 10) && ($i > 0)); :unset i
  10 9 8 7 6 5 4 3 2 1
  [admin@MikroTik] >
for - this action takes one argument, the name of the loop variable. It also has four parameters: from, to, step and do. The first two parameters indicate the bounds of the loop counter; the interval includes both values. The third one specifies the step of the decrement or increment. Finally, the do statement holds the console commands to repeat.
  [admin@MikroTik] > :for i from=1 to=100 step=37 do={:put ($i * 1000)}
  1000 38000 75000
  [admin@MikroTik] >
foreach - this action takes one argument, the name of the loop variable. It also has two parameters: in and do. The in argument is treated as a list, with each value assigned to the loop variable and the do statement executed for that value. If the in value is not a list, the do statement is executed only once; if the in value is empty, the do statement is not executed at all. This way it is...
267. ...f Contents: Summary, Specifications, Related Documents, File Transfer Protocol Server (Description, Property Description)
General Information
Summary: MikroTik RouterOS implements a File Transfer Protocol (FTP) server feature. It is intended for software package uploading as well as configuration script exporting and importing procedures.
Specifications: Packages required: system; License required: Any; Home menu level: /file; Protocols utilized: FTP (RFC 959); Hardware usage: Not significant
Related Documents: Software Package Management, Configuration Export and Import, Configuration Backup and Restore
File Transfer Protocol Server
Home menu level: /file
Description: MikroTik RouterOS has an industry standard FTP server feature. It uses ports 20 and 21 for communication with other hosts on the network. Do not disable these ports on your router. Uploaded files, as well as exported configuration or backup files, can be accessed under the /file menu. There you can delete unnecessary files from your router. Authorization via FTP uses the router's system user account names and passwords; note that FTP (RFC 959) transmits them in clear text.
Property Description
name (read-only: name) - item name
type (read-only: file | directory | unknown | script | package | backup) - item type
size (read-only: integer) - package size in bytes
creation-time (read-only: time) - item creation date and time
Ping. Document revision 15 Jul 2003 1 10
268. ...fault: no) - whether the servlet allows only HTTPS
- yes - the registration may only occur using the Secure HTTP (HTTPS) protocol
- no - the registration may be accomplished using both HTTP and HTTPS protocols
hotspot-address (IP address; default: 0.0.0.0) - IP address for the HotSpot service (used for www access)
dns-name (text) - DNS name of the HotSpot server
status-autorefresh (time; default: 1m) - WWW status page autorefresh time
universal-proxy (yes | no; default: no) - whether to intercept the requests to HTTP proxy servers
parent-proxy (IP address; default: 0.0.0.0) - the address of the proxy server the HotSpot service will use as a parent proxy
auth-requires-mac (yes | no; default: yes) - whether to require the client's IP address to resolve to a MAC address, i.e. whether to require that all the clients are in the same Ethernet-like network (as opposed to an IP network; an Ethernet-like network is bounded by routers such as the HotSpot gateway)
auth-mac (yes | no; default: no) - defines whether authentication by Ethernet MAC address is enabled
auth-mac-password (yes | no; default: no) - use the MAC address as a password if MAC authorization is enabled
auth-http-cookie (yes | no; default: no) - defines whether HTTP authentication by cookie is enabled
http-cookie-lifetime (time; default: 1d) - validity time of HTTP cookies
allow-unencrypted-passwords (yes | no; default: no) - whether to authenticate the user if a plain-text password is re...
269. ...fice.
  [Network diagram: router RemoteOffice with interface ToInternet 192.168.81.1/24 and interface Office 10.150.1.254/24; L2TP tunnel FromLaptop with local address 10.150.1.254/32 and remote address 10.150.1.2/32; Laptop 192.168.80.111/24 reached over the Internet; office network 10.150.1.0 netmask 255.255.255.0 with workstation 10.150.1.1/24]
The router in this example: RemoteOffice. Interface ToInternet 192.168.81.1/24. Interface Office 10.150.1.254/24.
The client computer can access the router through the Internet. On the L2TP server a user must be set up for the client:
  [admin@RemoteOffice] ppp secret> add name=ex service=l2tp password=lk3jrht local-address=10.150.1.254 remote-address=10.150.1.2
  [admin@RemoteOffice] ppp secret> print detail
  Flags: X - disabled
    0 name="ex" service=l2tp caller-id="" password="lk3jrht" profile=default local-address=10.150.1.254 remote-address=10.150.1.2 routes=""
  [admin@RemoteOffice] ppp secret>
Then the user should be added to the L2TP server list:
  [admin@RemoteOffice] interface l2tp-server> add name=FromLaptop user=ex
  [admin@RemoteOffice] interface l2tp-server> print
  Flags: X - disabled, D - dynamic, R - running
    #   NAME         USER   MTU   CLIENT-ADDRESS   UPTIME   ENC...
    0   FromLaptop   ex
  [admin@RemoteOffice] interface l2tp-server>
And the server must be enabled:
  [admin@RemoteOffice] interface l2tp-server server> set enabled=yes
  [admin@RemoteOffice] interface l2tp-server server> print
      enabled: yes
      mtu: 1460
      mru: 1...
270. ...for monitoring and managing the system resources.
Specifications: Packages required: system; License required: Any; Home menu level: /system; Protocols utilized: None; Hardware usage: Not significant
Related Documents: Software Package Management, Network Time Protocol (NTP)
System Resource
Home menu level: /system resource
Notes: In the monitor command printout the values for cpu-used and free-memory are in percent and kilobytes respectively.
Example: To view the basic system resource status:
  [admin@MikroTik] > system resource print
      uptime: 1d3h2m39s
      free-memory: 26420 kB
      total-memory: 62700 kB
      cpu: Celeron
      cpu-frequency: 626 MHz
      cpu-load: 0
      free-hdd-space: 148524 kB
      total-hdd-space: 3123332 kB
      write-sect-since-reboot: 645208
      write-sect-total: 645208
  [admin@MikroTik] >
To view the current system CPU usage and free memory:
  [admin@MikroTik] > system resource monitor
      cpu-used: 0
      free-memory: 115676
  [admin@MikroTik] >
IRQ Usage Monitor
Command name: /system resource irq print
Description: IRQ usage shows which IRQs (Interrupt Requests) are currently used by hardware.
Example:
  [admin@MikroTik] > system resource irq print
  Flags: U - unused
      IRQ   OWNER
      1     keyboard
      2     APIC
    U 3
      4     serial port
      5     Ricoh Co Ltd RL5c476 II (2)
    U 6
    U 7
    U 8
    U 9
    U 10
      11    ether1
      12    Ricoh Co Ltd RL5c476 II
    U 13
      14    IDE 1
  [admin@MikroTik] >
IO Port Usage Monitor
271. ...from
icmp-options (integer; default: any:any) - ICMP options
log (yes | no; default: no) - specifies whether to log the action or not
src-netmask (IP address) - source netmask in decimal form x.x.x.x
p2p (any | all-p2p | bit-torrent | direct-connect | fasttrack | soulseek | blubster | edonkey | gnutella; default: any) - match Peer-to-Peer (P2P) connections
- all-p2p - match all known P2P traffic
- any - match any packet (i.e. do not check this property)
tos (<integer> | dont-change | low-cost | low-delay | max-reliability | max-throughput | normal | any; default: any) - match the value of the Type of Service (ToS) field of the IP header
- any - match any packet (i.e. do not check this property)
Notes: Keep in mind that protocol must be explicitly specified if you want to select a port.
Example: For instance, we want to reject packets with dst-port=8080:
  [admin@MikroTik] ip firewall rule input> add dst-port=8080 protocol=tcp action=reject
  [admin@MikroTik] ip firewall rule input> print
  Flags: X - disabled, I - invalid
    0   src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:8080 out-interface=all protocol=tcp icmp-options=any:any tcp-options=any connection-state=any flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=reject log=no
  [admin@MikroTik] ip firewall rule input>
Firewall Chains
Home menu level: /ip firewall
Description
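The two rules shown above (the dst-nat rule forwarding 10.0.0.217:80 to 192.168.0.4, and the input rule rejecting tcp/8080) are easiest to reason about as a first-match walk over an ordered list. The following Python model is an added example, not RouterOS code or output: it reproduces the matching semantics the text describes (address/port/protocol selectors, first matching rule wins, action=nat rewriting the destination, action=redirect ignoring to-dst-address in favour of the router's own address, and the note that a port selector without an explicit tcp/udp protocol is not meaningful). ROUTER_LOCAL, the default chain policy and the simplified Packet/Rule fields are assumptions of the model.

```python
# Added example: a model of RouterOS 2.8 firewall rule evaluation (dst-nat and
# filter chains). Not the router's own code; ROUTER_LOCAL and the default chain
# policy are assumptions.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ROUTER_LOCAL = "10.0.0.217"   # assumed router address used by action=redirect


@dataclass(frozen=True)
class Packet:
    protocol: str   # "tcp", "udp", "icmp", ...
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                              # accept | drop | reject | nat | redirect
    protocol: Optional[str] = None           # None means "any protocol"
    src_address: str = "0.0.0.0/0"
    dst_address: str = "0.0.0.0/0"
    dst_port: Tuple[int, int] = (0, 65535)   # RouterOS default: 0-65535
    to_dst_address: Optional[str] = None     # only used by action=nat
    to_dst_port: Optional[int] = None        # None keeps the original port


def port_selector_is_valid(rule: Rule) -> bool:
    """The page's note: narrowing dst-port only makes sense when the
    protocol is given explicitly as tcp or udp."""
    if rule.dst_port == (0, 65535):
        return True
    return rule.protocol in ("tcp", "udp")


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not port_selector_is_valid(rule):
        raise ValueError("dst-port given without protocol=tcp or protocol=udp")
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src_address, strict=False):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst_address, strict=False):
        return False
    lo, hi = rule.dst_port
    return lo <= pkt.dport <= hi


def apply_chain(rules: List[Rule], pkt: Packet, default_action: str = "accept"):
    """Walk the rules in order; the first match decides. Returns the action
    taken and the (possibly rewritten) packet."""
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        new_port = rule.to_dst_port if rule.to_dst_port is not None else pkt.dport
        if rule.action == "nat":
            if rule.to_dst_address is None:
                raise ValueError("action=nat requires to-dst-address")
            return "nat", replace(pkt, dst=rule.to_dst_address, dport=new_port)
        if rule.action == "redirect":
            # to-dst-address is ignored: the router's own address is used
            return "redirect", replace(pkt, dst=ROUTER_LOCAL, dport=new_port)
        return rule.action, pkt
    return default_action, pkt


# The two rules from the page, expressed as model rules.
DST_NAT_RULES = [
    Rule(action="nat", protocol="tcp", dst_address="10.0.0.217/32",
         dst_port=(80, 80), to_dst_address="192.168.0.4"),
]
INPUT_RULES = [
    Rule(action="reject", protocol="tcp", dst_port=(8080, 8080)),
]

if __name__ == "__main__":
    # constructed sample packets
    web = Packet("tcp", "203.0.113.5", 40000, "10.0.0.217", 80)
    print(apply_chain(DST_NAT_RULES, web))
    print(apply_chain(INPUT_RULES, Packet("tcp", "10.0.0.5", 1234, "10.0.0.217", 8080)))
    print(apply_chain(INPUT_RULES, Packet("udp", "10.0.0.5", 1234, "10.0.0.217", 8080)))
```

The udp/8080 packet is accepted by the input chain because the reject rule carries protocol=tcp; a rule that narrows dst-port without naming the protocol raises an error in the model rather than silently matching nothing, which is the check a practitioner wants before trusting such a rule.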
272. ...g Tool: Specifications, Description, Property Description
General Information
Summary: This manual describes the usage of internal console expressions as well as techniques to combine them in scripts. The scripting host provides a way to automate some router maintenance tasks by executing user-defined scripts when some event occurs. A script consists of configuration commands and console expressions. The configuration commands are described in the relevant documentation. The events that can be used to invoke a script include the System Scheduler, the Traffic Monitoring Tool and Netwatch Tool generated events.
Specifications: Packages required: system; License required: Any; Home menu level: /system script; Protocols utilized: None; Hardware usage: Not significant
Related Documents: Software Package Management
Console Command Syntax
Description: Console commands are made of the following parts:
- prefix - optional part which indicates whether the command is an ICE (like :put) or that the path starts from the root menu level (like /ping 10.0.0.1)
- path - a relative path to the desired menu level
- path_args - this part is required to select some menu levels where the actual path can vary across different user inputs (like /ip firewall rule <name>)
- action - one of the actions available at the specified menu level
- action_args - these are required by some actions and should come in fixed order after the...
273. ...g tunnel-id of 1:
  [admin@MikroTik] interface eoip> add name=to_mt2 remote-address=10.5.8.1 tunnel-id=1
  [admin@MikroTik] interface eoip> print
  Flags: X - disabled, R - running
    0 X name="to_mt2" mtu=1500 arp=enabled remote-address=10.5.8.1 tunnel-id=1
  [admin@MikroTik] interface eoip> enable 0
  [admin@MikroTik] interface eoip> print
  Flags: X - disabled, R - running
    0 R name="to_mt2" mtu=1500 arp=enabled remote-address=10.5.8.1 tunnel-id=1
  [admin@MikroTik] interface eoip>
EoIP Application Example
Description: Let us assume we want to bridge two networks: Office LAN and Remote LAN. The networks are connected to an IP network through the routers Our_GW and Remote. The IP network can be a private intranet or the Internet. Both routers can communicate with each other through the IP network.
Example: Our goal is to create a secure channel between the routers and bridge both networks through it. EoIP itself carries Ethernet frames without any encryption; the PPTP tunnel it is run over is what provides the protection in this setup. The network setup diagram is as follows:
  [Network diagram: Our_GW (192.168.1.1) and Remote (192.168.2.1) connected over an IP network, with a PPTP tunnel between them; Office LAN behind Our_GW, Remote LAN behind Remote]
To make a secure Ethernet bridge between two routers you should:
1. Create a PPTP tunnel between them. Our_GW will be the PPTP server:
  [admin@Our_GW] interface pptp-server> /ppp secret add name=joe service=pptp password=top_s3 local-address=10.0.0.1 remote-address=10.0.0.2
  [admin@Our_GW] interface p...
274. ...action name (like in /ping <ip address>)
- params - values: a sequence of parameter names, each followed by its value, if required
Notes: Variable substitution, command substitution and expressions are allowed only for path_args and action_args values; prefix, path, action and params can only be given directly as a word. So :put (1+2) is valid and :pu("t") 3 is not.
Example: The parts of internal console commands are further explained in the following examples:
  /ping 10.0.0.1 count=5 : prefix "/", action "ping", action_args "10.0.0.1", params "count=5"
  /ip firewall rule input : prefix "/", path "ip firewall rule", path_args "input"
  :for i from=1 to=10 do={:put $i} : prefix ":", action "for", action_args "i", params "from=1 to=10 do={:put $i}"
  /interface monitor-traffic ether1,ether2,ipip1 : prefix "/", path "interface", action "monitor-traffic", action_args "ether1,ether2,ipip1"
Expression Grouping
Description: This feature provides an easy way to execute commands from within one command level by enclosing them in braces.
Notes: You should not change the current command level in scripts by typing just its path without any command, as you would when working with the console interactively. Such changes have no effect in scripts. Consider the following:
  [admin@MikroTik] ip address> {/user; /ip route; print}
  Flags: X - disabled
    0 ;;; system default user
        name="admin" group=full address=0.0.0.0/0
    1   name="x" group=write address=0.0.0.0/0
    2   name="y" group=read address=0.0.0.0/0
  [admin@Mikr...
275. ...gement, Device Driver Management, IP Addresses and ARP
Xpeed SDSL (Single-line Digital Subscriber Line) Interface
Additional Documents: Xpeed homepage
Xpeed Interface Configuration
Home menu level: /interface xpeed
Property Description
name (name) - interface name
mtu (integer; default: 1500) - Maximum Transmission Unit
mac-address (MAC address) - MAC address of the card
arp (disabled | enabled | proxy-arp | reply-only) - Address Resolution Protocol
- disabled - the interface will not use ARP
- enabled - the interface will use ARP
- proxy-arp - the interface will be an ARP proxy
- reply-only - the interface will only reply to requests originated to its own IP addresses, but neighbor MAC addresses will be gathered from the /ip arp statically set table only
mode (network-termination | line-termination; default: line-termination) - interface mode, either line termination (LT) or network termination (NT)
sdsl-speed (integer; default: 2320) - SDSL connection speed
sdsl-invert (yes | no; default: no) - whether the clock is phase inverted with respect to the Transmitted Data interchange circuit. This configuration option is useful when long cable lengths between the Termination Unit and the DTE are causing data errors
sdsl-swap (yes | no; default: no) - whether or not the Xpeed 300 SDSL Adapter performs bit swapping. Bit swapping can maximize error performance by attempting to maintain an acceptable...
276. ...ging to one area should have the same area ID configured. OSPF areas provide a convenient way to segregate your AS into logical units. However, you should try to minimize the number of OSPF areas to avoid unnecessarily complicated setups.
After you have divided your networks into areas, you have to configure the following settings on each of the OSPF routers:
1. Change the general OSPF settings for redistributing connected, static and default routes. The default route should be distributed only from the border routers of your area.
2. Configure additional areas, if any.
3. If you are using encryption (OSPF authentication keys), configure the keys at the /routing ospf interface command level.
4. Add OSPF network records for all networks you want OSPF to run on.
The OSPF protocol is started after you add a record to the OSPF network list. The routes learned by the OSPF protocol are installed in the route table with a distance of 110.
General Setup
Home menu level: /routing ospf
Description: TODO
Property Description
router-id (IP address; default: 0.0.0.0) - OSPF Router ID. If not specified, OSPF uses the largest IP address configured on the interfaces as its router ID
distribute-default (never | if-installed-as-type-1 | if-installed-as-type-2 | always-as-type-1 | always-as-type-2; default: never) - specifies how to distribute the default route
- never - do not send own default route to other routers
- if-installed-as-type-1 - send the defa...
277. ...green status LED is blinking slowly.
To set the wireless interface for working with an access point (register to the AP), you should typically set the following parameters:
- The service set identifier (ssid). It should match the ssid of the AP. It can be blank if you want the wireless interface card to register to an AP with any ssid; the ssid will be received from the AP if the AP is broadcasting it.
- The data rate of the card should match one of the supported data rates of the AP. Data rate auto should work in most cases.
Property Description
name (name) - assigned interface name
mtu (integer: 0..65536; default: 1500) - Maximum Transmission Unit
mode (infrastructure | ad-hoc; default: infrastructure) - operation mode of the card
rts-threshold (integer: 0..2312; default: 2312) - determines the packet size at which the interface issues a request to send (RTS) before sending the packet. A low value can be useful in areas where many clients are associating with the access point or bridge, or in areas where the clients are far apart and can detect only the access point or bridge and not each other
fragmentation-threshold (integer: 256..2312; default: 2312) - this threshold controls the packet size at which outgoing packets will be split into multiple fragments. If a single fragment transmit error occurs, only that fragment will have to be retransmitted instead of the whole packet. Use a low setting in areas with poor communication or with a g...
278. ...gument is shown only if run-count is not 0
policy (multiple choice: ftp | local | policy | read | reboot | ssh | telnet | test | web | write; default: reboot, read, write, policy, test) - the list of applicable policies
- ftp - user can log on remotely via FTP and send and retrieve files from the router
- local - user can log on locally via console
- policy - manage user policies, add and remove users
- read - user can retrieve the configuration
- reboot - user can reboot the router
- ssh - user can log on remotely via secure shell
- telnet - user can log on remotely via telnet
- test - user can run ping, traceroute, bandwidth test
- web - user can log on remotely via HTTP
- write - user can retrieve and change the configuration
Command Description
run name - executes the given script
Notes: You cannot do more in scripts than you are allowed to do by your current user rights, that is, you cannot use disabled policies. For example, if there is a policy group in /user group which allows you ssh, local, telnet, read, write, policy, test and web, and this group is assigned to your user name, then you cannot make a script that reboots the router.
Example: The following example is a script for writing the message "Hello World" to the system log:
  [admin@MikroTik] system script> add name=log-test source={:log message="Hello World"}
  [admin@MikroTik] system script> print
    0 name="log-test" source=":log message=\"Hello World\"" owner=admin po...
279. ...h being used in this connection
uptime (time) - connection time displayed in days, hours, minutes and seconds
service-name (text) - name of the service the client is connected to
ac-name (text) - name of the AC the client is connected to
ac-mac (MAC address) - MAC address of the access concentrator (AC) the client is connected to
Example: To monitor the pppoe-out1 connection:
  [admin@MikroTik] interface pppoe-client> monitor pppoe-out1
      status: connected
      uptime: 10s
      encoding: none
      service-name: testSN
      ac-name: 10.0.0.1
      ac-mac: 00:C0:DF:07:5E:E6
  [admin@MikroTik] interface pppoe-client>
PPPoE Server Setup (Access Concentrator)
Home menu level: /interface pppoe-server server
Description: The PPPoE server (access concentrator) supports multiple servers for each interface, with differing service names. Currently the throughput of the PPPoE server has been tested to 160 Mb/s on a Celeron 600 CPU. Using higher speed CPUs, throughput should increase proportionately. The access concentrator name and PPPoE service name are used by clients to identify the access concentrator to register with. The access concentrator name is the same as the identity of the router displayed before the command prompt. The identity may be set within the /system identity submenu. Note that if no service name is specified in Windows XP, it will use only the service with no name. So if you want to serve Windows XP clients, le...
280. ...havior of queues is called tail drop. Tail drop works by queuing up to a certain amount, then dropping all traffic that spills over. Random Early Detection (RED), also known as Random Early Drop because that is how it actually works, statistically drops packets from flows before the queue reaches its hard limit. This causes a congested backbone link to slow down more gracefully. It starts dropping packets when the queue size reaches the red-min-threshold mark, randomly and with increasing probability as the queue grows. The maximum probability is used when traffic reaches the red-max-threshold mark; beyond it, packets are simply thrown away. The burst parameter is the number of packets allowed to burst through the interface when the link is empty; generally a value of (min+min+max)/3 works fine. The minimum value that can be used here is equal to the value of red-min-threshold.
Classful Queues
Classful queues are very useful if you have different kinds of traffic which should have different treatment. Generally we can set only one queue on an interface, but in RouterOS even simple queues (known as classless queues) are attached to the main Hierarchical Token Bucket (HTB) that represents the real interface (attached to the root), and thus have some properties derived from that parent queue. With classful queues it is possible to deploy hierarchical queue trees. For example, we can set a maximum data rate for a workgroup and then distribute that amount of traffic between the members...
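The difference between tail drop and RED is easiest to see by running both policies against the same overload. The following Python simulation is an added example, not RouterOS code: it implements the drop rule described above (no drops below red-min-threshold, a linearly rising probability up to red-max-threshold, everything dropped beyond it), the page's (min+min+max)/3 rule of thumb for burst with its lower bound of min, and a plain tail-drop queue for comparison. The threshold values, the constant overload pattern and the exponentially weighted averaging of the queue length (standard RED, but not a parameter the page exposes) are assumptions of the model.

```python
# Added example: RED drop decision versus tail drop on a constructed overload.
# Not RouterOS code; thresholds, arrival pattern and the EWMA weight are
# assumptions made for illustration.
import random


def recommended_burst(min_threshold: int, max_threshold: int) -> int:
    """The page's rule of thumb for burst, (min + min + max) / 3, but never
    below red-min-threshold, which is the smallest accepted value."""
    return max(min_threshold, (2 * min_threshold + max_threshold) // 3)


def red_drop_probability(avg_queue: float, min_threshold: int,
                         max_threshold: int, max_probability: float = 0.1) -> float:
    """Drop probability for one arriving packet: 0 below min-threshold,
    rising linearly to max_probability at max-threshold, then 1.0 (the
    packet is simply thrown away) at or above max-threshold."""
    if avg_queue < min_threshold:
        return 0.0
    if avg_queue >= max_threshold:
        return 1.0
    return max_probability * (avg_queue - min_threshold) / (max_threshold - min_threshold)


class TailDropQueue:
    """Queue up to `limit` packets, then drop whatever spills over."""

    def __init__(self, limit: int):
        self.limit = limit
        self.length = 0
        self.dropped = 0
        self.first_drop_length = None   # queue length when the first drop happened

    def _drop(self) -> bool:
        self.dropped += 1
        if self.first_drop_length is None:
            self.first_drop_length = self.length
        return False

    def arrive(self) -> bool:
        if self.length >= self.limit:
            return self._drop()
        self.length += 1
        return True

    def depart(self) -> None:
        self.length = max(0, self.length - 1)


class RedQueue(TailDropQueue):
    """Same hard limit, but packets are dropped early with a probability taken
    from an exponentially weighted average of the queue length (the weight is
    an assumption of this model)."""

    def __init__(self, min_threshold: int, max_threshold: int, limit: int,
                 max_probability: float = 0.1, weight: float = 0.2, seed: int = 1):
        super().__init__(limit)
        self.min_threshold = min_threshold
        self.max_threshold = max_threshold
        self.max_probability = max_probability
        self.weight = weight
        self.avg = 0.0
        self.rng = random.Random(seed)

    def arrive(self) -> bool:
        self.avg = (1 - self.weight) * self.avg + self.weight * self.length
        p = red_drop_probability(self.avg, self.min_threshold,
                                 self.max_threshold, self.max_probability)
        if self.length >= self.limit or self.rng.random() < p:
            return self._drop()
        self.length += 1
        return True


def simulate(queue, arrivals_per_tick: int, service_per_tick: int, ticks: int):
    """Offer a constant overload (more arrivals than departures per tick);
    return (packets dropped, queue length at which the first drop happened)."""
    for _ in range(ticks):
        for _ in range(arrivals_per_tick):
            queue.arrive()
        for _ in range(service_per_tick):
            queue.depart()
    return queue.dropped, queue.first_drop_length


if __name__ == "__main__":
    print("tail drop (limit 20):", simulate(TailDropQueue(limit=20), 3, 1, 30))
    print("RED (min 5, max 15):  ", simulate(RedQueue(5, 15, limit=20), 3, 1, 30))
    print("burst for min=5 max=15:", recommended_burst(5, 15))
```

Under the same overload the tail-drop queue does not lose a packet until it is completely full, then loses a fixed share of every burst; the RED queue begins dropping while it still has headroom, which is the "slows more gracefully" behaviour the text describes for TCP senders that back off on loss.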
281. ...he SMTP server to redirect SMTP requests (TCP port 25) to
- 0.0.0.0 - no redirect
use-transparent-web-proxy (yes | no; default: no) - whether to use the transparent web proxy for HotSpot clients
use-local-dns-cache (yes | no) - whether to redirect all DNS requests (UDP port 53) to the local DNS cache
dns-servers (IP address, IP address) - DNS servers for HotSpot clients
dns-name (text) - DNS domain name of the HotSpot gateway
another-port-for-service (integer; default: 8081) - another port for the www service, so that the HotSpot service can be put on port 80
name-of-local-hotspot-user (text; default: admin) - username of one automatically created user
password-for-the-user (text) - password for the automatically created user
Notes: Depending on the current settings and the answers to previous questions, the default values of the following questions may be different. Some questions may disappear if they become redundant (for example, there is no use in setting up a temporary network when the login method is enabled-address). If Universal Client is enabled and the DNS cache is not used, DNS requests are redirected to the first DNS server configured.
Example: To configure HotSpot on the ether1 interface (which is already configured), enabling the transparent web proxy and adding user admin with password rubbish:
  [admin@MikroTik] ip hotspot> setup
  Select interface to run HotSpot on
  hotspot interface: ether1
  Use SSL authentication?
  use ssl: no
282. ...he bottom of the list of software and select Virtual Private Networking to be installed.
Troubleshooting
Description: I use a firewall and I cannot establish a PPTP connection. Make sure that TCP connections to port 1723 can pass in both directions between your sites. IP protocol 47 (GRE) should also be passed through.
Wireless Client and Wireless Access Point Manual
Document revision 1.1 (05-09-2003). This document applies to MikroTik RouterOS V2.8.
Table of Contents: General Information (Summary, Specifications, Related Documents, Description); Wireless Interface Configuration (Description, Property Description, Notes, Example); Registration Table (Description, Property Description, Example); Access List (Description, Property Description, Notes, Example); Info (Description, Property Description, Notes, Example); Virtual Access Point Interface (Description, Property Description); WDS Interface Configuration (Description, Property Description, Notes, Example); Align (Description, Property Description, Notes, Example); Align Monitor (Description, Property Description, Example); Network Scan (Description, Property Description, Example); Wireless Security (Description, Property Description, Notes); Wireless Application Examples (AP to Client Configuration Example, WDS Configuration Example, Wireless Security Example)
General Information
Summary: MikroTik RouterOS supports the Inte...
283. ...he default queue type to wireless-default for the prism1 interface:
  [admin@MikroTik] queue interface> print
    #   INTERFACE   QUEUE
    0   ether1      default
    1   prism1      default
  [admin@MikroTik] queue interface> set prism1 queue=wireless-default
  [admin@MikroTik] queue interface> print
    #   INTERFACE   QUEUE
    0   ether1      default
    1   prism1      wireless-default
  [admin@MikroTik] queue interface>
Configuring Simple Queues
Home menu level: /queue simple
Description: Simple queues can be used to set up data rate management for the whole traffic leaving an interface, or for certain source and/or destination addresses. For more sophisticated queue setups, use the queue trees described further on.
Property Description
name (name; default: queue1) - name of the queue
target-address (IP address/mask) - source IP address
dst-address (IP address/mask) - destination IP address
interface (name) - outgoing interface of the traffic flow
limit-at (text; default: 0/0) - allocated stream data rate (bits/s) in the form in/out, where in is the flow that matches the rule precisely and out is the flow that matches the reverse rule, i.e. going from the specified interface with source and destination addresses swapped
- 0 - no limit
queue (name; default: default) - queue type. If you specify a queue type other than default, it overrides the default queue type set for the interface
284. ...hen upgrading to 2.8 you can update your existing key for version 2.5, 2.6 or 2.7 for free during the existing key upgrade term or during the three-day demonstration period, either manually on our accounting server or with a console or WinBox command. This three-day term allows you to use all the features of the existing key. In version 2.8 it is also possible to upgrade your key, i.e. to extend the licensing term, from the console or WinBox.
License Management
Home menu level: /system license
Description: There are three methods of entering a key into the system console:
- import a file that will be sent to you after you request a key; you should upload this file to the router's FTP server
- set the key property in the /system license submenu
- simply copy the received key as text and paste or type it into the router's console, no matter in which submenu
These methods also apply to WinBox, with the difference that key importing and exporting happens through the Windows host PC itself.
The options available:
Property Description
software-id (read-only: text) - ID number of the installation
key (text) - software license key that unlocks the installation
upgradable-until (read-only: text) - the date until which the software version can be upgraded or downgraded
level (read-only: integer 0..6) - license level of the installation
Command Description
import - import a key file
- name (file name) - file name to use as a key
285. ...her 802.11 standard packets, or it will gather only alignment packets
frame-size (integer: 200..1500; default: 300) - size of alignment packets that will be transmitted
audio-monitor (MAC address; default: 00:00:00:00:00:00) - MAC address of the remote host which will be listened to
filter-mac (MAC address; default: 00:00:00:00:00:00) - if you want to receive packets from only one remote host, specify its MAC address here
ssid-all (yes | no; default: no) - whether you want to accept packets from hosts with an ssid other than yours
frames-per-second (integer: 1..100; default: 25) - number of frames that will be sent per second (in active mode)
audio-min (integer; default: 0) - signal strength at which the audio beeper frequency will be the lowest
audio-max (integer; default: 64) - signal strength at which the audio beeper frequency will be the highest
test-audio (integer) - test the beeper for 10 seconds
Notes: If you are using the command /interface wireless align monitor, it will automatically change the wireless interface's mode from station, bridge or ap-bridge to alignment-only.
Example:
  [admin@MikroTik] interface wireless align> print
      frame-size: 300
      active-mode: yes
      receive-all: yes
      audio-monitor: 00:00:00:00:00:00
      filter-mac: 00:00:00:00:00:00
      ssid-all: no
      frames-per-second: 25
      audio-min: 0
      audio-max: 64
  [admin@MikroTik] interface wireless align>
Align Monitor
Command na...
286. ...hold=2312 join-net=10s card-type="PC4800A 3.65"
  [admin@MikroTik] interface pc>
Interface status monitoring:
  [admin@MikroTik] interface pc> monitor 0
      synchronized: no
      associated: no
      error-number: 0
  [admin@MikroTik] interface pc>
Example: Suppose we want to configure the wireless interface to register on the AP with ssid mt. We need to change the value of the ssid property to the corresponding value. To view the results we can use the monitor feature:
  [admin@MikroTik] interface pc> set 0 ssid1=mt
  [admin@MikroTik] interface pc> monitor 0
      synchronized: yes
      associated: yes
      frequency: 2412MHz
      data-rate: 11Mbit/s
      ssid: mt
      access-point: 00:02:6F:01:5D:F...
      access-point-name:
      signal-quality: 132
      signal-strength: 82
      error-number: 0
  [admin@MikroTik] interface pc>
Troubleshooting
Description: Keep in mind that not all combinations of I/O base addresses and IRQs may work on a particular motherboard. It is recommended that you choose an IRQ not used in your system and then try to find an acceptable I/O base address setting. As has been observed, IRQ 5 and I/O 0x300 or 0x180 will work in most cases.
- The driver cannot be loaded because another device uses the requested IRQ. Try to set a different IRQ using the DIP switches.
- The requested I/O base address cannot be used on your motherboard. Try to change the I/O base address using the DIP switches.
- The pc interface does not show u...
287. ...hotspot-ssl 443 0.0.0.0/0 hotspot
  [admin@MikroTik] ip service> set www port=8081 address=10.10.10.0/24
  [admin@MikroTik] ip service> print
  Flags: X - disabled, I - invalid
    #   NAME          PORT   ADDRESS          CERTIFICATE
    0   telnet        23     0.0.0.0/0
    1   ftp           21     0.0.0.0/0
    2   www           8081   10.10.10.0/24
    3   hotspot       8088   0.0.0.0/0
    4   ssh           22     0.0.0.0/0
    5   hotspot-ssl   443    0.0.0.0/0        hotspot
  [admin@MikroTik] ip service>
List of Services
Description: Below is the list of protocols and ports used by MikroTik RouterOS services. Some services require an additional package to be installed, as well as being enabled by the administrator (for example, the bandwidth server).
- 20/tcp - File Transfer (Default Data)
- 21/tcp - File Transfer (Control)
- 22/tcp - SSH Remote Login Protocol (only with the security package)
- 67/udp - Bootstrap Protocol Server (DHCP; only with the dhcp package)
- 68/udp - Bootstrap Protocol Client (DHCP Client; only with the dhcp package)
- 80/tcp - World Wide Web HTTP
- 123/udp - Network Time Protocol (only with the ntp package; the original table lists this as tcp, but NTP runs over UDP)
- 161/udp - SNMP (only with the snmp package; the original table lists this as tcp, but SNMP runs over UDP)
- 443/tcp - Secure Socket Layer, encrypted HTTP (only with the hotspot package)
- 500/udp - IKE protocol (only with the ipsec package)
- 179/tcp - Border Gateway Protocol (only with the routing package)
- 1719/udp - h323gatestat (only with the telephony package)
- 1720/tcp - h323hostcall (only with the telephony package)
- 1723/tcp - pptp (only with the ppp package)
- 2000/tcp - bandwidth-test server
- 3986/tcp - proxy for w...
288. ...hould use matching by flow together with packet marking.
Example: To add a rule specifying that all packets from the host 10.0.0.144 should look up the mt routing table:
  [admin@MikroTik] ip policy-routing rule> add src-address=10.0.0.144/32 table=mt action=lookup
  [admin@MikroTik] ip policy-routing rule> print
  Flags: X - disabled, I - invalid
    #   SRC-ADDRESS      DST-ADDRESS   INTE...   FLOW   ACTION
    0   0.0.0.0/0        0.0.0.0/0     all              lookup
    1   10.0.0.144/32    0.0.0.0/0     all              lookup
  [admin@MikroTik] ip policy-routing rule>
Application Examples
Standard Policy Routing Setup
Suppose we want packets coming from 1.1.1.0/24 to use gateway 10.0.0.1 and packets from 2.2.2.0/24 to use gateway 10.0.0.2, and the rest of the packets to use gateway 10.0.0.254 (assuming we already have it).
  [Network diagram: MikroTik router with interface Public, address 10.0.0.12/24, gateway 10.0.0.254 and the alternative gateways 10.0.0.1 and 10.0.0.2 on the same segment; interface Local 1 with address 1.1.1.1/24 to LAN Segment 1; interface Local 2 to LAN Segment 2]
Command sequence to achieve this:
1. Add 2 new routing tables:
  [admin@MikroTik] ip policy-routing> add name=from_net1
  [admin@MikroTik] ip policy-routing> add name=from_net2
  [admin@MikroTik] ip policy-routing> print
  Flags: D - dynamic
    #   NAME
    0   from_net1
    1   from_net2
    2 D main
  [admin@MikroTik] ip policy-routing>
2. Create the default route in each of the tables:
  [admin@MikroTik] ip policy-routing> t...
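Policy routing has two lookups stacked on top of each other: a rule list that picks a routing table by source (or destination, interface, flow), and a longest-prefix match inside that table. The following Python model is an added example, not RouterOS code: it reproduces the Standard Policy Routing Setup above (tables from_net1 and from_net2 holding one default route each, the main table holding the connected networks and the 10.0.0.254 default) together with the earlier 10.0.0.144/32 -> table mt rule. Assumptions of the model: rules are evaluated in list order, action=lookup consults the named table, a table with no route for the destination lets the packet fall through to the next rule, the catch-all main rule is placed last, and the contents of table mt are constructed for the example.

```python
# Added example: a model of policy routing rule selection followed by a
# longest-prefix lookup in the chosen table. Not RouterOS code; rule order,
# fall-through semantics and the contents of table "mt" are assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    src: IPv4Network
    dst: IPv4Network
    action: str                  # "lookup" or "unreachable"
    table: Optional[str] = None  # table consulted by action=lookup


class PolicyRouter:
    def __init__(self) -> None:
        self.tables: Dict[str, List[Tuple[IPv4Network, str]]] = {}
        self.rules: List[Rule] = []

    def add_route(self, table: str, dst: str, gateway: str) -> None:
        self.tables.setdefault(table, []).append((ip_network(dst, strict=False), gateway))

    def add_rule(self, src: str = "0.0.0.0/0", dst: str = "0.0.0.0/0",
                 action: str = "lookup", table: Optional[str] = None) -> None:
        self.rules.append(Rule(ip_network(src, strict=False),
                               ip_network(dst, strict=False), action, table))

    def lookup(self, table: str, dst_ip) -> Optional[str]:
        """Longest-prefix match inside one routing table; None if no route."""
        best = None
        for net, gateway in self.tables.get(table, []):
            if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gateway)
        return best[1] if best else None

    def route(self, src: str, dst: str) -> Optional[str]:
        """Return the gateway (or connected interface) chosen for a packet."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        for rule in self.rules:
            if src_ip not in rule.src or dst_ip not in rule.dst:
                continue
            if rule.action == "unreachable":
                return None
            gateway = self.lookup(rule.table, dst_ip)
            if gateway is not None:
                return gateway
            # the table had no route for this destination: try the next rule
        return None


def build_example() -> PolicyRouter:
    r = PolicyRouter()
    # main table: connected networks plus the existing default route
    r.add_route("main", "10.0.0.0/24", "connected:Public")
    r.add_route("main", "1.1.1.0/24", "connected:Local1")
    r.add_route("main", "2.2.2.0/24", "connected:Local2")
    r.add_route("main", "0.0.0.0/0", "10.0.0.254")
    # per-source tables from the Standard Policy Routing Setup
    r.add_route("from_net1", "0.0.0.0/0", "10.0.0.1")
    r.add_route("from_net2", "0.0.0.0/0", "10.0.0.2")
    # table "mt" from the first rule example; its contents are constructed here
    r.add_route("mt", "172.16.0.0/16", "10.0.0.3")
    r.add_rule(src="10.0.0.144/32", table="mt")
    r.add_rule(src="1.1.1.0/24", table="from_net1")
    r.add_rule(src="2.2.2.0/24", table="from_net2")
    r.add_rule(table="main")   # catch-all, placed last in this model
    return r


if __name__ == "__main__":
    r = build_example()
    for src, dst in [("1.1.1.5", "8.8.8.8"), ("2.2.2.5", "8.8.8.8"),
                     ("10.0.0.9", "8.8.8.8"), ("10.0.0.144", "172.16.5.1"),
                     ("10.0.0.144", "8.8.8.8"), ("10.0.0.9", "10.0.0.7")]:
        print(f"{src} -> {dst}: via {r.route(src, dst)}")
```

The 10.0.0.144 host shows the fall-through case: a destination inside 172.16.0.0/16 is sent to 10.0.0.3 from table mt, while anything else falls back to the main table's default because mt has no route for it. Note that, exactly as in the page's setup, a host in 1.1.1.0/24 reaches even the local 10.0.0.0/24 segment via 10.0.0.1, because from_net1 holds nothing but a default route.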
289. http://www.eecis.udel.edu/~mills/ntp/servers.html
Specifications
Packages required: ntp
License required: Any
Home menu level: /system ntp
Protocols utilized: NTP (RFC 958)
Hardware usage: Not significant
Related Documents
• Software Package Management
• IP Addresses and ARP
Description
Network Time Protocol (NTP) is used to synchronize time with some NTP servers in a network. MikroTik RouterOS provides both an NTP client and an NTP server.
The NTP client synchronizes the local clock with some other time source (an NTP server). There are 4 modes in which the NTP client can operate:
• unicast (client-server) mode: the NTP client connects to the specified NTP server. The IP address of the NTP server must be set in the ntp-server and/or second-ntp-server parameters. At first the client synchronizes to the NTP server; afterwards the client periodically (every 64..1024s) sends time requests to the NTP server. Unicast mode is the only one which uses the ntp-server and second-ntp-server parameters.
• broadcast mode: the NTP client listens for broadcast messages sent by an NTP server. After receiving the first broadcast message, the client synchronizes the local clock using unicast mode and afterwards does not send any packets to that NTP server; it uses the received broadcast messages to adjust the local clock.
• multicast mode: acts the same as broadcast mode, only instead of broadcast messages (IP address 255.255.255.255) multicast messages are received (IP address 224.0.1.1).
• manycast mode: actually is [...]
In broadcast and multicast modes the client takes its time from whichever host on the segment sends the messages, so use them only where every host on that segment is trusted.
290. [...] (illegible) ......... 245
Customizing HotSpot Servlet ......... 246
Possible Error Messages ......... 248
Question & Answer Based Setup ......... 249
HotSpot Step by Step User Guide for dhcp-pool Method ......... 250
HotSpot Step by Step User Guide for enabled-address Method ......... 252
DHCP (Dynamic Host Configuration Protocol) ......... 257
General Information ......... 257
DHCP Client Setup ......... 258
(illegible) ......... 259
DHCP Server Setup ......... 260
DHCP Networks ......... 262
DHCP Leases ......... 262
(illegible) ......... 264
Question & Answer Based Setup ......... 265
Universal Client Interface ......... 267
General Information ......... 267
Universal Client Interface Setup ......... 268
(illegible) ......... 269
Universal Access (illegible) ......... 269
Service Port ......... 270
OSPF ......... 271
General Information ......... 271
General Setup ......... 272
(illegible) ......... 274
(illegible) ......... 274
(illegible) ......... 275
(illegible) ......... 276
Neighbours ......... 277
General Information ......... 278
Certificate Management ......... 279
(illegible) ......... 279
(illegible) ......... 280
(illegible) ......... 283
General Information ......... [...]
291. [...]ice
5. Allow DNS requests and ICMP ping from temporary addresses and reject everything else:
/ip firewall add name=hotspot-temp comment="limit unauthorized hotspot clients"
/ip firewall rule forward add in-interface=prism1 action=jump jump-target=hotspot-temp \
    comment="limit access for unauthorized hotspot clients"
/ip firewall rule input add in-interface=prism1 dst-port=80 protocol=tcp \
    action=accept comment="accept requests for hotspot servlet"
/ip firewall rule input add in-interface=prism1 dst-port=443 protocol=tcp \
    action=accept comment="accept requests for hotspot servlet"
/ip firewall rule input add in-interface=prism1 dst-port=67 protocol=udp \
    action=accept comment="accept requests for local DHCP server"
/ip firewall rule input add in-interface=prism1 action=jump jump-target=hotspot-temp \
    comment="limit access for unauthorized hotspot clients"
/ip firewall rule hotspot-temp add flow=hs-auth action=return \
    comment="return if connection is authorized"
/ip firewall rule hotspot-temp add protocol=icmp action=return comment="allow ping requests"
/ip firewall rule hotspot-temp add protocol=udp dst-port=53 action=return comment="allow dns requests"
/ip firewall rule hotspot-temp add action=reject comment="reject access for unauthorized clients"
Because the ICMP and DNS rules return from hotspot-temp before the reject, those two protocols are reachable by clients that have not authenticated yet, and anything that can be carried inside them (for example data tunnelled in DNS queries) is not subject to the HotSpot's accounting. If that matters for the deployment, restrict the DNS rule to the gateway's own resolver address instead of any destination.
6. Create a hotspot chain for authorized hotspot clients:
/ip firewall add name=hotspot comment="account authorize[d ...]
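The jump/return semantics of the rules above decide what an unauthenticated client can reach, and it is easy to misread. The following Python model is an added example, not RouterOS code and not part of the manual: it encodes the same chains (forward, input, hotspot-temp) with the same rule order, and evaluates constructed packets against them. Packet fields, the "hs-auth" flow mark standing in for an authorized client, and the default-accept of the built-in chains are assumptions of this model.

```python
"""Model of the HotSpot pre-authentication firewall chains (added example)."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]


@dataclass
class Rule:
    action: str                                   # accept | reject | drop | jump | return
    match: Callable[[Packet], bool] = lambda p: True
    jump_target: Optional[str] = None
    comment: str = ""


@dataclass
class Firewall:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)

    def add(self, chain: str, rule: Rule) -> None:
        self.chains.setdefault(chain, []).append(rule)

    def run(self, chain: str, pkt: Packet) -> Optional[str]:
        """Evaluate one chain; None means the chain was left without a verdict."""
        for rule in self.chains.get(chain, []):
            if not rule.match(pkt):
                continue
            if rule.action == "jump":
                verdict = self.run(rule.jump_target, pkt)
                if verdict is not None:           # terminal action inside the target chain
                    return verdict
                continue                          # target returned: keep walking this chain
            if rule.action == "return":
                return None
            return rule.action                    # accept / reject / drop
        return None

    def verdict(self, chain: str, pkt: Packet) -> str:
        # Assumption of this model: a built-in chain with no matching terminal rule accepts.
        v = self.run(chain, pkt)
        return v if v is not None else "accept"


def build_hotspot_firewall(client_if: str = "prism1") -> Firewall:
    """The manual's step-5 rules, in the manual's order."""
    fw = Firewall()
    from_client = lambda p: p["in_if"] == client_if
    tcp_to = lambda port: (lambda p: from_client(p) and p["proto"] == "tcp" and p["dport"] == port)
    udp_to = lambda port: (lambda p: from_client(p) and p["proto"] == "udp" and p["dport"] == port)

    fw.add("forward", Rule("jump", from_client, "hotspot-temp", "limit access for unauthorized hotspot clients"))
    fw.add("input", Rule("accept", tcp_to(80), comment="accept requests for hotspot servlet"))
    fw.add("input", Rule("accept", tcp_to(443), comment="accept requests for hotspot servlet"))
    fw.add("input", Rule("accept", udp_to(67), comment="accept requests for local DHCP server"))
    fw.add("input", Rule("jump", from_client, "hotspot-temp", "limit access for unauthorized hotspot clients"))
    fw.add("hotspot-temp", Rule("return", lambda p: p.get("flow") == "hs-auth", comment="return if connection is authorized"))
    fw.add("hotspot-temp", Rule("return", lambda p: p["proto"] == "icmp", comment="allow ping requests"))
    fw.add("hotspot-temp", Rule("return", lambda p: p["proto"] == "udp" and p["dport"] == 53, comment="allow dns requests"))
    fw.add("hotspot-temp", Rule("reject", comment="reject access for unauthorized clients"))
    return fw


def pkt(in_if: str = "prism1", proto: str = "tcp", dport: int = 80, flow: Optional[str] = None) -> Packet:
    """Constructed packet for the model."""
    return {"in_if": in_if, "proto": proto, "dport": dport, "flow": flow}


if __name__ == "__main__":
    fw = build_hotspot_firewall()
    for chain, p in [("forward", pkt()), ("forward", pkt(proto="udp", dport=53)),
                     ("forward", pkt(flow="hs-auth")), ("input", pkt(dport=22))]:
        print(chain, p, "->", fw.verdict(chain, p))
```

Reading the results: unauthenticated web traffic through the router is rejected, DNS and ICMP through the router are not, and an authorized flow passes untouched. An SSH attempt at the router itself from the client interface is rejected because it reaches the jump rule in input, while the same packet from another interface never enters hotspot-temp.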
292. [...]ich happens only once between any host pair and then is kept for a long time. PFS adds this expensive operation also to each phase 2 exchange.
Diffie-Hellman MODP Groups
The Diffie-Hellman (DH) key exchange protocol allows two parties without any initial shared secret to create one securely. The following Modular Exponential (MODP) Diffie-Hellman (also known as "Oakley") groups are supported:
IKE Traffic
To avoid problems with IKE packets hitting some SPD rule and requiring encryption with a not-yet-established SA (that this packet perhaps is trying to establish), locally originated packets with UDP source port 500 are not processed with SPD. The same way, packets with UDP destination port 500 that are to be delivered locally are not processed in the incoming policy check.
Setup Procedure
To get IPsec to work with automatic keying using IKE-ISAKMP you will have to configure policy, peer and proposal (optional) entries. For manual keying you will have to configure policy and manual-sa entries.
Policy Settings
Home menu level: /ip ipsec policy
Description
The policy table is needed to determine whether encryption should be applied to a packet.
Property Description
src-address (IP address/mask:port; default: 0.0.0.0/32:any) - source IP address
dst-address (IP address/mask:port; default: 0.0.0.0/32:any) - destination IP address
protocol (name | integer; default: all) - protocol name or number
action (accept | drop | encrypt; defa[ult ...]
293. [...]icy add sa-src=1.0.0.2 sa-dst=1.0.0.1 action=encrypt
[admin@Router2] > ip ipsec peer add address=1.0.0.1 secret="gvejimezyfopmekun"
• tunnel mode example using AH with manual keying
• for Router1
[admin@Router1] > ip ipsec manual-sa add name=ah-sa1 ah-spi=0x101/0x100 ah-key=abcfed
[admin@Router1] > ip ipsec policy add src-address=10.1.0.0/24 dst-address=10.2.0.0/24 \
    action=encrypt ipsec-protocols=ah tunnel=yes sa-src=1.0.0.1 sa-dst=1.0.0.2 manual-sa=ah-sa1
• for Router2
[admin@Router2] > ip ipsec manual-sa add name=ah-sa1 ah-spi=0x100/0x101 ah-key=abcfed
[admin@Router2] > ip ipsec policy add src-address=10.2.0.0/24 dst-address=10.1.0.0/24 \
    action=encrypt ipsec-protocols=ah tunnel=yes sa-src=1.0.0.2 sa-dst=1.0.0.1 manual-sa=ah-sa1
Note that the manual-keying example uses a fixed, short ah-key that is never rotated; manual SAs have no rekeying and no PFS, and AH gives integrity only, not confidentiality. Outside of a test bench, prefer IKE with a strong peer secret (or ESP with encryption, where confidentiality is needed).
IPsec Between two Masquerading MikroTik Routers
1. Add accept and masquerading rules in SRC-NAT
• for Router1
[admin@Router1] > ip firewall src-nat add src-address=10.1.0.0/24 dst-address=10.2.0.0/24
[admin@Router1] > ip firewall src-nat add out-interface=public action=masquerade
• for Router2
[admin@Router2] > ip firewall src-nat add src-address=10.2.0.0/24 dst-address=10.1.0.0/24
[admin@Router2] > ip firewall src-nat add out-interface=public action=masquerade
2. Configure IPsec
• for Router1
[admin@Router1] > ip ipsec policy add src-address=10.1.0.0/24 dst-address=10.2.0.0/24 a[ction=...]
294. [...]ik] ip address> add address=10.1.0.1/30 interface=radiolan1
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.1.1.12/24       10.1.1.0        10.1.1.255      ether1
  1   10.1.0.1/30        10.1.0.0        10.1.0.3        radiolan1
[admin@MikroTik] ip address>
The default route should be set to the gateway router 10.1.1.254. A static route should be added for the network 192.168.0.0/24:
[admin@MikroTik] ip route> add gateway=10.1.1.254
(pressing Tab here lists the remaining arguments: comment copy-from disabled distance dst-address netmask preferred-source)
[admin@MikroTik] ip route> add gateway=10.1.1.254 preferred-source=10.1.0.1
[admin@MikroTik] ip route> add dst-address=192.168.0.0/24 gateway=10.1.0.2 preferred-source=10.1.0.1
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, R - rip, O - ospf, B - bgp
  #   DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 S 0.0.0.0/0          r 10.1.1.254      1        ether1
  1 S 192.168.0.0/24     r 10.1.0.2        1        radiolan1
  2 DC 10.1.0.0/30       r 0.0.0.0         0        radiolan1
  3 DC 10.1.1.0/24       r 0.0.0.0         0        ether1
[admin@MikroTik] ip route>
Router 2 should have addresses 10.1.0.2/30 and 192.168.0.254/24 assigned to the radiolan and Ethernet interfaces, respectively. The default route should be set to 10.1.0.1.
Frame Relay (PVC) Interfaces
Document revision 1.1 (09.09.2003)
295. [...]ik] ip address> export file=address1 from=1
[admin@MikroTik] ip address>
To see the files stored on the router:
[admin@MikroTik] > file print
  #   NAME            TYPE      SIZE   CREATION-TIME
  0   address.rsc     script    315    dec/23/2003 13:21:48
  1   address1.rsc    script    201    dec/23/2003 13:22:57
[admin@MikroTik] >
Export files stay on the router's file store next to any other uploaded files and can contain credentials in clear text (for example PPP secrets or IPsec keys when those menus are exported), so they are readable by anyone with file or FTP access to the router; remove them when they are no longer needed.
To export the settings to the display, use the same command without the file argument:
[admin@MikroTik] ip address> export from=0,1
# dec/23/2003 13:25:30 by RouterOS 2.8beta12
# software id = MGJ4-MAN
#
/ ip address
add address=10.1.0.172/24 network=10.1.0.0 broadcast=10.1.0.255 interface=bridge1 comment="" disabled=no
add address=10.5.1.1/24 network=10.5.1.0 broadcast=10.5.1.255 interface=ether1 comment="" disabled=no
[admin@MikroTik] ip address>
The Import Command
Home menu level: /import
Description
The import command is used to load a saved configuration script.
Example
To load the saved export file, use the following command:
[admin@MikroTik] > import address.rsc
Opening script file address.rsc
Script file loaded successfully
[admin@MikroTik] >
Simple Network Management Protocol (SNMP)
Document revision 1.5 (06-Feb-2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information: Summary, Specifications, Related Documents, Additional Documents
SNMP Setup: Description, Property [Description ...]
296. [...]ill not be able to receive IP packets itself and thus will not be able to provide routing. To make the bridge drop IP, ARP and RARP packets (mac-protocol values are the decimal Ethernet types: 2048 = 0x0800 IP, 2054 = 0x0806 ARP, 32821 = 0x8035 RARP):
[admin@MikroTik] interface bridge firewall> add mac-protocol=2048 action=drop
[admin@MikroTik] interface bridge firewall> add mac-protocol=2054 action=drop
[admin@MikroTik] interface bridge firewall> add mac-protocol=32821 action=drop
[admin@MikroTik] interface bridge firewall> print
Flags: X - disabled, I - invalid
  0   mac-src-address=00:00:00:00:00:00 in-interface=all mac-dst-address=00:00:00:00:00:00 out-interface=all mac-protocol=2048 src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all action=drop
  1   mac-src-address=00:00:00:00:00:00 in-interface=all mac-dst-address=00:00:00:00:00:00 out-interface=all mac-protocol=2054 src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all action=drop
  2   mac-src-address=00:00:00:00:00:00 in-interface=all mac-dst-address=00:00:00:00:00:00 out-interface=all mac-protocol=32821 src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all action=drop
[admin@MikroTik] interface bridge firewall>
Application Example
Example
Assume we want to enable bridging between two Ethernet LAN segments and have the MikroTik router be the default gateway for them.
[Figure: Internet / Wireless Network 10.1.1.0/24 / interface prism1 / MikroTik router, address 10.1.1.12/24 ...]
297. [...]ime period
src-mac-address (MAC address; default: 00:00:00:00:00:00) - host's MAC address the packet has been received from
log (yes | no; default: no) - specifies whether to log the action or not
mark-flow (text; default: "") - change the flow mark of the packet to this value
mark-connection (text; default: "") - change the connection mark of the packet to this value
tcp-mss (integer | dont-change; default: dont-change) - change the MSS of the packet
• dont-change - leave the MSS of the packet as is
Example
Specify the value for the mark-flow argument and use action=passthrough, for example:
[admin@test_1] ip firewall mangle> add action=passthrough mark-flow=myflow
[admin@test_1] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
  0   src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:0-65535 protocol=all tcp-options=any icmp-options=any:any flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=passthrough mark-flow=myflow tcp-mss=dont-change mark-connection=""
[admin@test_1] ip firewall mangle>
In order to change the MSS, adjust the tcp-mss argument. For example, if you have an encrypted PPPoE link with MTU=1492, you can set the mangle rule as follows (the rule matches only SYN packets, because the MSS is negotiated in the TCP handshake):
[admin@test_1] ip firewall mangle> add protocol=tcp tcp-options=syn-only action=passthrough tcp-mss=1448
[admin@test_1] ip firewall mangle> print
Flags: [...]
298. [...]ime when this SA was installed
current-usetime (read-only: text) - time when this SA was first used
current-bytes (read-only: integer) - amount of data processed by this SA's crypto algorithms
Example
A sample printout looks as follows:
[admin@WiFi] ip ipsec> installed-sa print
Flags: A - AH, E - ESP, P - pfs, M - manual
  0 E spi=E727605 direction=in src-address=10.0.0.148 dst-address=10.0.0.147 auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature auth-key="ecc5f4aee1b297739ec88e324d7cfb859aa6c35" enc-key="d6943b8ea582582e449bde085c9471ab0b209783c9eb4bbd" add-lifetime=24m/30m use-lifetime=0s/0s lifebytes=0/0 current-addtime=jan/28/2003 20:55:12 current-usetime=jan/28/2003 20:55:23 current-bytes=128
  1 E spi=E15CEE06 direction=out src-address=10.0.0.147 dst-address=10.0.0.148 auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature auth-key="8acdc7ecebfed9cd1030ae3b07b32e8e5cb98af" enc-key="8a8073a7afd0f74518c10438a0023e64cc660ed69845ca3c" add-lifetime=24m/30m use-lifetime=0s/0s lifebytes=0/0 current-addtime=jan/28/2003 20:55:12 current-usetime=jan/28/2003 20:55:12 current-bytes=512
[admin@WiFi] ip ipsec>
Note that this printout includes the live auth-key and enc-key values: anyone who can run it can decrypt and forge the tunnel's traffic for the lifetime of the SA, so treat read access to this menu as equivalent to full administrative access.
Flushing Installed SA Table
Command name: /ip ipsec installed-sa flush
Description
Sometimes, after incorrect/incomplete negotiations took place, it is required to flush the installed SA table manually so that the SAs can be renegotiated. Th[is ...]
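The installed-sa printout is key=value text, and reviewing it by eye misses things. The parser below is an added example (not RouterOS code, not from the manual): it turns lines in the format shown above into dictionaries and applies a small audit policy. The sample printout, the SPIs in it and the lists of algorithms that are flagged are this example's own constructions; keys are omitted from the sample on purpose, since the printout should not be copied into other tools.

```python
"""Parse `/ip ipsec installed-sa print` output and audit each SA (added example)."""

import re
from typing import Dict, List

# Constructed sample in the manual's layout (no key material included).
SAMPLE = """Flags: A - AH, E - ESP, P - pfs, M - manual
  0 E spi=E727605 direction=in src-address=10.0.0.148 dst-address=10.0.0.147 auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature add-lifetime=24m/30m use-lifetime=0s/0s lifebytes=0/0 current-bytes=128
  1 E spi=E15CEE06 direction=out src-address=10.0.0.147 dst-address=10.0.0.148 auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature add-lifetime=24m/30m use-lifetime=0s/0s lifebytes=0/0 current-bytes=512
  2 EM spi=1A2B3C direction=out src-address=10.0.0.147 dst-address=10.0.0.149 auth-algorithm=md5 enc-algorithm=des replay=0 state=mature add-lifetime=0s/0s use-lifetime=0s/0s lifebytes=0/0 current-bytes=0
"""

# Audit policy of this example (an assumption, adjust to local requirements).
WEAK_ENC = {"des", "null"}
WEAK_AUTH = {"md5", "null"}

# "  N FLAGS key=value key=value ..." ; the flag letters are optional.
ENTRY = re.compile(r"^\s*(\d+)\s+(?:([A-Z]+)\s+)?(.*)$")
PAIR = re.compile(r"(\S+?)=(\S*)")


def parse_installed_sa(text: str) -> List[Dict[str, str]]:
    """One dict per SA line; flag letters go under 'flags', the item number under 'index'."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m or "=" not in m.group(3):
            continue                                   # header or blank line
        sa = {"index": m.group(1), "flags": m.group(2) or ""}
        for key, value in PAIR.findall(m.group(3)):
            sa[key] = value.strip('"')
        entries.append(sa)
    return entries


def audit_sa(sa: Dict[str, str]) -> List[str]:
    """Findings for a single SA; an empty list means nothing to flag."""
    findings = []
    enc = sa.get("enc-algorithm", "")
    if enc in WEAK_ENC:
        findings.append("weak encryption: " + enc)
    elif enc == "3des":
        findings.append("legacy encryption: 3des")
    if sa.get("auth-algorithm", "") in WEAK_AUTH:
        findings.append("weak authentication: " + sa["auth-algorithm"])
    if "M" in sa["flags"]:
        findings.append("manual keying: no rekeying, no PFS")
    if sa.get("add-lifetime", "0s/0s") == "0s/0s" and sa.get("lifebytes", "0/0") == "0/0":
        findings.append("no lifetime: SA never expires")
    if sa.get("replay", "0") == "0":
        findings.append("replay window disabled")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Map each SA's spi to its findings."""
    return {sa["spi"]: audit_sa(sa) for sa in parse_installed_sa(text)}


if __name__ == "__main__":
    for spi, findings in audit(SAMPLE).items():
        print(spi, findings or ["ok"])
```

Run against a real printout, the manual-keyed SA stands out on three counts at once (manual keying, no lifetime, no replay window), which is the combination the AH manual-keying example earlier in the manual produces.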
299. [...] similarly to pressing the Tab key twice, but in verbose form and with explanations.
Internal Item Numbers
You can specify multiple items as targets to some commands. Almost everywhere where you can write the number of an item, you can also write a list of numbers:
[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
  #   NAME     TYPE    MTU
  0 R ether1   ether   1500
  1 R ether2   ether   1500
  2 R ether3   ether   1500
  3 R ether4   ether   1500
[admin@MikroTik] > interface set 0,1,2 mtu=1460
[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
  #   NAME     TYPE    MTU
  0 R ether1   ether   1460
  1 R ether2   ether   1460
  2 R ether3   ether   1460
  3 R ether4   ether   1500
[admin@MikroTik] >
General Commands
Description
There are some commands that are common to nearly all menu levels, namely: print, set, remove, add, find, get, export, enable, disable, comment, move. These commands have similar behavior throughout different menu levels.
Command Description
print - shows all information that's accessible from a particular command level. Thus /system clock print shows system date and time, /ip route print shows all routes, etc. If there's a list of items in the current level and they are not read-only, i.e. you can change/remove them (an example of a read-only item list is /system history, which shows the history of executed actions), then the print command also assigns numbers that are used by all [...]
300. [...]inbox
3987/tcp  sslproxy for secure winbox (only with security package)
5678/udp  MikroTik Neighbor Discovery Protocol
8080/tcp  HTTP Alternate (web proxy)
ICMP (protocol 1)      Internet Control Message
IP-in-IP (protocol 4)  IP in IP encapsulation
GRE (protocol 47)      General Routing Encapsulation (only for PPTP and EoIP)
AH (protocol 51)       Authentication Header (only with security package)
OSPFIGP (protocol 89)  OSPF Interior Gateway Protocol
ESP (protocol 50)      Encapsulating Security Payload (only with security package)
Neighbor discovery announces the router's identity and software version to every attached segment; it belongs with the services to disable on interfaces facing untrusted networks.
HotSpot Gateway
Document revision 2.16 (21-Jan-2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary; Specifications; Related Documents; Description
HotSpot Gateway Setup: Property Description, Command Description, Notes, Example
HotSpot User Profiles: Description, Property Description, Notes, Example
HotSpot Users: Property Description, Notes, Example
HotSpot Active Users: Description, Property Description, Example
HotSpot Remote AAA: Property Description, Notes, Example
HotSpot Server Settings: Description, Property Description, Notes, Example
HotSpot Cookies: Property Description, Example
Walled Garden: Description, Property Description, Example
Customizing HotSpot Servlet: Description, Notes, Example
Possible Error Messages: Description
Question & Answer Based Setup: Command Description, Notes, Example
HotSpot Step by Step User Guide for dhcp-pool Method: Description, Example
301. [...]
[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop
Below, the sniffed packets will be saved in the file named test:
[admin@MikroTik] tool sniffer> save file-name=test
[admin@MikroTik] tool sniffer> /file print
  #   NAME   TYPE      SIZE   CREATION-TIME
  0   test   unknown   1350   apr/07/2003 16:01:52
[admin@MikroTik] tool sniffer>
Sniffed Packets
Home menu level: /tool sniffer packet
Description
The submenu allows you to see the list of sniffed packets.
Property Description
data (read-only: text) - specified data inclusion in packets
dst-address (read-only: IP address) - IP destination address
fragment-offset (read-only: integer) - IP fragment offset
identification (read-only: integer) - IP identification
ip-header-size (read-only: integer) - the size of the IP header
ip-packet-size (read-only: integer) - the size of the IP packet
ip-protocol (ip | icmp | igmp | ggp | ipencap | st | tcp | egp | pup | udp | hmp | xns-idp | rdp | iso-tp4 | xtp | ddp | idrp-cmtp | gre | esp | ah | rspf | vmtp | ospf | ipip | encap) - the name/number of the IP protocol
• ip - Internet Protocol
• icmp - Internet Control Message Protocol
• igmp - Internet Group Management Protocol
• ggp - Gateway-Gateway Protocol
• ipencap - IP Encapsulated in IP
• st - st datagram mode
• tcp - Transmission Control Protocol
• egp - Exterior Gateway Protocol
• pup - Parc Universal packet Protocol
• udp - User Datagram Protocol
• hmp [...]
302. [...] information whether this device supports transmission power control
ack-timeout-control (read-only: yes | no) - provides information whether this device supports transmission acceptance timeout control
supported-bands (multiple choice, read-only: 2GHz-B, 5GHz, 5GHz-turbo, 2GHz-G) - the list of supported bands
2GHz-B-channels (multiple choice, read-only: 2312, 2317, 2322, 2327, 2332, 2337, 2342, 2347, 2352, 2357, 2362, 2367, 2372, 2412, 2417, 2422, 2427, 2432, 2437, 2442, 2447, 2452, 2457, 2462, 2467, 2472, 2512, 2532, 2552, 2572, 2592, 2612, 2632, 2652, 2672, 2692, 2712, 2732, 2484) - the list of 2GHz IEEE 802.11b channels (frequencies are given in MHz)
2GHz-G-channels (multiple choice, read-only: 2312, 2317, 2322, 2327, 2332, 2337, 2342, 2347, 2352, 2357, 2362, 2367, 2372, 2412, 2417, 2422, 2427, 2432, 2437, 2442, 2447, 2452, 2457, 2462, 2467, 2472, 2512, 2532, 2552, 2572, 2592, 2612, 2632, 2652, 2672, 2692, 2712, 2732, 2484) - the list of 2GHz IEEE 802.11g channels (frequencies are given in MHz)
5GHz-channels (multiple choice, read-only: 5120, 5125, 5130, 5135, 5140, 5145, 5150, 5155, 5160, 5165, 5170, 5175, 5180, 5185, 5190, 5195, 5200, 5205, 5210, 5215, 5220, 5225, 5230, 5235, 5240, 5245, 5250, 5255, 5260, 5265, 5270, 5275, 5280, 5285, 5290, 5295, 5300, 5305, 5310, 5315, 5320, 5325, 5330, 5335, 5340, 5345, 5350, 5355, 5360, 5365, 5370, 5375, 5380, 5385, 5390, 5395, 5400, 5405, 5410, 5415, 5420, 5425, 5430, 5435, 5440, 5445, 5450, 5455, 5460, 54[...]
303. [...]ing L2TP over IPsec. Note that it is the default mode for the Microsoft L2TP client, as all L2TP control and data packets for a particular tunnel appear as homogeneous UDP/IP data packets to the IPsec system.
L2TP includes PPP authentication and accounting for each L2TP connection. Full authentication and accounting of each connection may be done through a RADIUS client or locally.
MPPE 40-bit RC4 and MPPE 128-bit RC4 encryption are supported. MPPE keys are derived from the user's password and protect only the PPP payload; where confidentiality matters, run L2TP over IPsec as described above rather than relying on MPPE, and do not use the 40-bit variant.
L2TP traffic uses the UDP protocol for both control and data packets. UDP port 1701 is used only for link establishment; further traffic uses any available UDP port (which may or may not be 1701). This means that L2TP can be used with most firewalls and routers (even with NAT) by enabling UDP traffic to be routed through the firewall or router.
L2TP Client Setup
Home menu level: /interface l2tp-client
Property Description
name (name; default: l2tp-outN) - interface name for reference
mtu (integer; default: 1460) - Maximum Transmission Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for a 1500-byte Ethernet link, set the MTU to 1460 to avoid fragmentation of packets)
mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MRU of the interface the tunnel is working over decreased by 40 (so, for a 1500-byte Ethernet link, set the MRU to 1460 to avoid fragmentation of packets)
connect-to (IP address) - the IP address of the [L2TP server ...]
304. [...]ing the route for a packet, the packet is matched against the policy routing rules one after another until some rule matches the packet. Then the action specified in that rule is executed. If no rule matches the packet, it is assumed that there is no route to the given host and the appropriate action is taken (the packet is dropped and an ICMP error is sent back to the source).
If a routing table does not have a route for the packet, the next rule after the one that directed to the current table is examined, until the route is found, the end of the rule list is reached, or some rule with action drop or unreachable is hit. Thus it is good to have the last rule say "from everywhere to everywhere, all interfaces, lookup the main route table", because then gateways can be found (connected routes are entered in the main table only). Note that the only way for a packet to be forwarded is to have some rule direct it to some routing table that contains a route to the packet's destination.
Routing Tables
Routing tables are a way to organize routing rules into groups for the purpose of easy management. These tables can be created/deleted in the /ip policy-routing menu. The routes in the routing tables are managed the same way as the static routes described above, but in the /ip policy-routing table <name> submenu, where name is the name of the table.
Property Description
name (name) - table name
Example
There is always a table called main; this table cannot be deleted and its name cannot be changed. The main ta[ble ...]
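The rule walk described above, with its fall-through on a table that has no matching route and the "no route" result at the end of the list, is modelled in the following Python program. It is an added example, not RouterOS code and not from the manual; the table layout mirrors the from_net1/from_net2/main setup of the application example, but every prefix, gateway, interface name and the extra lan_only table are constructed for the demonstration.

```python
"""Model of RouterOS policy-routing rule evaluation (added example)."""

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass
class Route:
    dst: Net
    gateway: str               # next hop, or "connected" for a directly attached network


@dataclass
class Rule:
    action: str                # lookup | drop | unreachable
    src: Net = Net("0.0.0.0/0")
    dst: Net = Net("0.0.0.0/0")
    interface: str = "all"
    table: Optional[str] = None


def lookup(table: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest-prefix match inside a single routing table."""
    ip = ipaddress.IPv4Address(dst_ip)
    best = None
    for r in table:
        if ip in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    return best


def route_packet(rules: List[Rule], tables: Dict[str, List[Route]],
                 src_ip: str, dst_ip: str, in_if: str) -> str:
    """Walk the rule list as the text describes and return the chosen gateway,
    or "drop" / "unreachable" when no rule leads to a matching route."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for rule in rules:
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.interface not in ("all", in_if):
            continue
        if rule.action in ("drop", "unreachable"):
            return rule.action                    # terminal actions end the walk
        hit = lookup(tables[rule.table], dst_ip)
        if hit is not None:
            return hit.gateway
        # The table had no route for this destination: fall through to the next rule.
    return "unreachable"                          # end of list: no route to host, ICMP error


def example_setup(with_catch_all: bool = True) -> Tuple[List[Rule], Dict[str, List[Route]]]:
    """Constructed tables in the manual's from_net1 / from_net2 / main layout."""
    tables = {
        "from_net1": [Route(Net("0.0.0.0/0"), "10.0.0.1")],
        "from_net2": [Route(Net("0.0.0.0/0"), "10.0.0.2")],
        "lan_only": [Route(Net("10.0.0.0/24"), "connected")],   # deliberately no default route
        "main": [Route(Net("10.0.0.0/24"), "connected"),
                 Route(Net("0.0.0.0/0"), "10.0.0.254")],
    }
    rules = [
        Rule("lookup", src=Net("1.1.1.0/24"), table="from_net1"),
        Rule("lookup", src=Net("2.2.2.0/24"), table="from_net2"),
        Rule("lookup", src=Net("5.5.5.0/24"), table="lan_only"),
        Rule("drop", src=Net("6.6.6.0/24")),
    ]
    if with_catch_all:
        rules.append(Rule("lookup", table="main"))       # the final rule the text recommends
    return rules, tables


if __name__ == "__main__":
    for catch_all in (True, False):
        rules, tables = example_setup(catch_all)
        for src in ("1.1.1.9", "2.2.2.9", "5.5.5.9", "6.6.6.9", "9.9.9.9"):
            print(f"catch-all={catch_all} {src} -> 8.8.8.8:",
                  route_packet(rules, tables, src, "8.8.8.8", "Local"))
```

The 5.5.5.0/24 case is the one to watch: its table knows only the LAN, so Internet-bound packets from it reach a gateway only through the trailing "lookup main" rule; remove that rule and they become unreachable, as do packets from any source the earlier rules do not cover.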
305. [...] interface with the respective netmask. The default gateway will be added to the routing table as a dynamic entry. Should the DHCP client be disabled or not renew an address, the dynamic default route will be removed. If there is already a default route installed prior to the DHCP client obtaining one, the route obtained by the DHCP client would be shown as invalid.
Property Description
enabled (yes | no; default: no) - whether the DHCP client is enabled
interface (name) - any Ethernet-like interface (this includes wireless and EoIP tunnels)
host-name (text) - the host name of the client
client-id (text) - corresponds to the settings suggested by the network administrator or ISP. Commonly it is set to the client's MAC address, but it may as well be any text string
add-default-route (yes | no; default: yes) - whether to add the default route to the gateway specified by the DHCP server
use-peer-dns (yes | no; default: yes) - whether to accept the DNS settings advertised by the DHCP server (they will appear in the /ip dns submenu)
Because both of these default to yes, a DHCP client on a segment where other hosts can answer DHCP will take its default gateway and its resolvers from whichever server replies first; on such segments set add-default-route=no and use-peer-dns=no and configure them statically.
Command Description
renew - renew current leases. If the renew operation was not successful, the client tries to reinitialize the lease, i.e. it starts the lease request procedure (rebind) as if it had not received an IP address yet
Notes
If the host-name property is not specified, the client's system identity will be sent in the respective field of the DHCP request. If the client-id property is not specified, the client's MAC address wil[l ...]
306. [...]ion_down source="/ip route set route1 gateway=3.3.3.1"
[admin@MikroTik] system script> add name=connection_up source="/ip route set route1 gateway=2.2.2.1"
• To get all of the above to work, set up the Netwatch utility. To use netwatch you need the advanced-tools feature package installed. Please upload it to the router and reboot. When installed, the advanced-tools package should be listed in the /system package print list. Add the following settings to the first router:
[admin@MikroTik] tool netwatch> add host=2.2.2.1 interval=5s up-script=connection_up down-script=connection_down
Add the following settings to the second router:
[admin@MikroTik] tool netwatch> add host=2.2.2.2 interval=5s up-script=connection_up down-script=connection_down
Point to Point Tunnel Protocol (PPTP)
Document revision 1.1 (22.09.2003)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information: Summary, Related Documents, Description, Additional Documents
PPTP Client Setup: Property Description, Example
Monitoring PPTP Client: Property Description, Example
PPTP Server Setup: Description, Property Description, Example
PPTP Server Users: Description, Property Description, Example
PPTP Application Examples: Router-to-Router Secure Tunnel Example; Connecting a Remote Client via PPTP Tunnel; PPTP Setup for Windows; Sample instructions for PPTP (VPN) inst[allation ...]
307. [...]ions
Packages required: system
License required: Any
Home menu level: /system, /ip service
Protocols utilized: Telnet (RFC 854)
Hardware usage: Not significant
Related Documents
• Software Package Management
• System Resource Management
Telnet Server
Description
The Telnet protocol is intended to provide a fairly general, bi-directional, eight-bit byte oriented communications facility. Its main goal is to allow a standard method of interfacing terminal devices to each other. MikroTik RouterOS implements an industry standard Telnet server. It uses port 23, which must not be disabled on the router in order to use the feature.
You can enable/disable this service or allow the use of the service only to certain IP addresses. Telnet carries the login name and password in clear text, so on any network you do not fully control either disable it in favour of SSH or confine it to a management subnet with the address property.
Example
[admin@MikroTik] ip service> print detail
Flags: X - disabled, I - invalid
  0   name=telnet port=23 address=0.0.0.0/0
  1   name=ftp port=21 address=0.0.0.0/0
  2   name=www port=80 address=0.0.0.0/0
  3   name=hotspot port=8088 address=0.0.0.0/0
  4   name=ssh port=22 address=0.0.0.0/0
  5 X name=hotspot-ssl port=443 address=0.0.0.0/0 certificate=none
[admin@MikroTik] ip service>
Telnet Client
Command name: /system telnet [IP address] [port]
Description
The MikroTik RouterOS telnet client is used to connect to other hosts in the network via the Telnet protocol.
Example
An example of a Telnet connection:
[admin@MikroTik] > system telnet 10.1.0.1
Trying [...]
308. [...]iority=8 limit-at=0/0 max-limit=0/0
  1   name="LimitClients" target-address=0.0.0.0/0 dst-address=0.0.0.0/0 interface=Local queue=default priority=8 limit-at=0/0 max-limit=131072/65536
[admin@MikroTik] queue simple>
Example of Guaranteed Quality of Service
This example shows how to limit the data rate on a channel and guarantee a minimum speed to the FTP server, allowing other traffic to use the rest of the channel.
Assume we want to emulate a 128k download and 64k upload line connecting IP network 192.168.0.0/24, as in the previous examples. But if these speeds are the best that you can get from your Internet connection, you may want to guarantee certain speeds to the 192.168.0.17 server, so that your customers could download from and upload to this server at speeds not dependent on the other traffic using the same channel. For example, we will guarantee this server a minimum data rate of 32k for each flow direction.
First of all you should limit the interface speed:
[admin@MikroTik] queue tree> add name=Up parent=Public max-limit=65536
[admin@MikroTik] queue tree> print
Flags: X - disabled, I - invalid, D - dynamic
  0   name="Up" parent=Public flow="" limit-at=0 queue=default priority=8 max-limit=65536 burst-limit=0 burst-threshold=0 burst-time=0
[admin@MikroTik] queue tree>
Next, mark the traffic from the FTP server. We will mark only TCP ports 20,21 because these ports are used to send an[d ...]
309. [...]ip-only
Not only Ethereal (http://www.ethereal.com) and Packetyzer (http://www.packetyzer.com) can receive the sniffer's stream, but also MikroTik's program trafr (http://www.mikrotik.com/download.html), which runs on any IA32 Linux computer and saves the received packets in libpcap file format.
The stream to streaming-server carries the captured packets unencrypted, so everything the sniffer sees is exposed along the path to that host; point it only at a trusted host over a trusted path. filter-stream=yes keeps the sniffer from capturing its own stream.
Example
In the following example the streaming server will be added, streaming will be enabled, the file name will be set to test, and the packet sniffer will be started and stopped after some time:
[admin@MikroTik] tool sniffer> set streaming-server=10.0.0.241 streaming-enabled=yes file-name=test
[admin@MikroTik] tool sniffer> print
          interface: all
       only-headers: no
       memory-limit: 10
          file-name: "test"
         file-limit: 10
  streaming-enabled: yes
   streaming-server: 10.0.0.241
      filter-stream: yes
    filter-protocol: ip-only
    filter-address1: 0.0.0.0/0:0-65535
    filter-address2: 0.0.0.0/0:0-65535
            running: no
[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop
Running Packet Sniffer
Command name: /tool sniffer start, /tool sniffer stop, /tool sniffer save
Description
The commands are used to control runtime operation of the packet sniffer. The start command is used to start/reset sniffing; stop stops sniffing. To save currently sniffed packets to a specific file, the save command is used.
Example
In the following example the packet sniffer will be started and after some time stopped:
[admin@MikroTik] [...]
310. [...]is option is provided by the flush command.
Property Description
sa-type (multiple choice: ah | all | esp; default: all) - specifies the SA types to flush
• ah - delete AH protocol SAs only
• esp - delete ESP protocol SAs only
• all - delete both ESP and AH protocol SAs
Example
To flush all the installed SAs:
[admin@MikroTik] ip ipsec installed-sa> flush
[admin@MikroTik] ip ipsec installed-sa> print
[admin@MikroTik] ip ipsec installed-sa>
Counters
Home menu level: /ip ipsec counters
Property Description
out-accept (read-only: integer) - shows how many outgoing packets were matched by an accept policy (including the default accept-all case)
out-accept-isakmp (read-only: integer) - shows how many locally originated UDP packets on source port 500 (which is how ISAKMP packets look) were let through without policy matching
out-drop (read-only: integer) - shows how many outgoing packets were matched by a drop policy or by an encrypt policy with level=require that does not have all necessary SAs
out-encrypt (read-only: integer) - shows how many outgoing packets were encrypted successfully
in-accept (read-only: integer) - shows how many incoming packets were matched by an accept policy
in-accept-isakmp (read-only: integer) - shows how many incoming UDP packets on port 500 were let through without matching a policy
in-drop (read-only: integer) - shows how many incoming packets were matched by a drop policy or by an en[crypt ...]
These counters are the quickest check that traffic meant to be encrypted is not leaving in clear: a rising out-accept with a flat out-encrypt means packets are matching the accept path instead of the encrypt policy, while a rising out-drop with level=require is the intended safe failure (dropped rather than sent unprotected while no SA exists).
311. [...] isdn-server> print
Flags: X - disabled
  0 X name="isdn-in1" mtu=1500 mru=1500 msn="7542159" authentication=chap,pap profile=default l2-protocol=hdlc bundle-128K=no
Configure the PPP settings and add users to the router's database:
[admin@MikroTik] ppp profile> print
Flags: * - default
  0 * name="default" local-address=0.0.0.0 remote-address=0.0.0.0 session-timeout=0s idle-timeout=0s use-compression=no use-vj-compression=yes use-encryption=no require-encryption=no only-one=no tx-bit-rate=0 rx-bit-rate=0 incoming-filter="" outgoing-filter=""
[admin@MikroTik] ppp profile> set default idle-timeout=5s local-address=10.99.8.1 remote-address=10.9.88.1
Add user john to the router's user database, assuming that the password is 31337:
[admin@MikroTik] ppp secret> add name=john password=31337 service=isdn
[admin@MikroTik] ppp secret> print
Flags: X - disabled
  #   NAME    SERVICE  CALLER-ID  PASSWORD  PROFILE
  0   john    isdn                31337     default
[admin@MikroTik] ppp secret>
Note that print shows the password: PPP secrets are stored in recoverable form, so anyone who can read this menu has every PPP user's password. Keep the set of accounts that can run it small.
Check the status of the ISDN server interface and wait for the call:
[admin@MikroTik] interface isdn-server> monitor isdn-in1
    status: Waiting for call...
ISDN Backup
Backup systems are used in specific cases when you need to maintain a connection even if a fault occurs. For example, if someone cuts the wires, the router can automatically con[nect ...]
312. [...]isement (LSA) to its neighbor, it keeps the LSA until it receives back the acknowledgment. If it receives no acknowledgment in time, it will retransmit the LSA.
transmit-delay (time; default: 1s) - link state transmit delay is the estimated time it takes to transmit a link state update packet on the interface
hello-interval (time; default: 10s) - the interval between hello packets that the router sends on the interface. The smaller the hello interval, the faster topological changes will be detected, but more routing traffic will ensue. This value must be the same for all routers on a specific network
dead-interval (time; default: 40s) - specifies the interval after which a neighbor is declared as dead. The interval is advertised in the router's hello packets. This value must be the same for all routers and access servers on a specific network
Example
To add an entry that specifies that the ether2 interface should send Hello packets every 5 seconds, do the following:
[admin@MikroTik] routing ospf> interface add interface=ether2 hello-interval=5s
[admin@MikroTik] routing ospf> interface print
  0   interface=ether2 cost=1 priority=1 authentication-key="" retransmit-interval=5s transmit-delay=1s hello-interval=5s dead-interval=40s
[admin@MikroTik] routing ospf>
With authentication-key left empty, as in this printout, the interface accepts Hello and LSA packets from any host on the segment, which lets such a host become a neighbor and inject routes. Set the same key on every router of the segment before running OSPF where untrusted hosts are attached.
Virtual Links
Home menu level: /routing ospf virtual-link
Description
As stated in the OSPF RFC, the backbone area must be contiguous. However, it is po[ssible ...]
ission Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40, so for a 1500-byte Ethernet link set the MTU to 1460 to avoid fragmentation of packets
mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MRU of the interface the tunnel is working over decreased by 40, so for a 1500-byte Ethernet link set the MRU to 1460 to avoid fragmentation of packets
connect-to (IP address) - the IP address of the PPTP server to connect to
user (text) - user name to use when logging on to the remote server
password (text; default: "") - user password to use when logging on to the remote server
profile (name; default: default) - profile to use when connecting to the remote server
allow (multiple choice: mschap2, mschap1, chap, pap; default: mschap2,mschap1,chap,pap) - the protocols the client is allowed to use for authentication. Note that the default includes pap, which sends the password in clear text; if the server is allowed to pick the method, leave only the methods you actually want to accept (e.g. allow=mschap2)
add-default-route (yes | no; default: no) - whether to use the server which this client is connected to as its default router (gateway)

Example

To set up a PPTP client named test2 using user name john with password john to connect to the 10.1.1.12 PPTP server and use it as the default gateway:

[admin@MikroTik] interface pptp-client> add name=test2 connect-to=10.1.1.12 \
\... user=john add-default-route=yes password=john
[admin@MikroTik] interface pptp-client> print
Flags: X - disabled, R - running
  0 X name="test2" mtu=1460 mru=1460 connect-to=10.1.1.12 us
it and the next symbol is not a valid variable name may be used with the same result.

In most cases the login page is required to use the main variable, and it is strongly suggested to place it BEFORE the form input (<form> ... <input ...>). Otherwise the situation can happen that the user has already entered his user name and password, but the MD5 encryption JavaScript is not yet loaded. It may result in the password being sent over the network in plain text (and, of course, that login will fail in this case too if the allow-unencrypted-password property is not set to yes).

The resulting password to be sent to the HotSpot gateway is formed by MD5-hashing the concatenation of the following: chap-id, the password of the user and chap-challenge, in the given order.

Example

With basic HTML language knowledge and the examples below it should be easy to implement the ideas described above.

• To provide a predefined value as user name, in login.html change
  <input type="text" $(input-user)>
  to this line:
  <input type="hidden" name="user" value="hsuser">
  where hsuser is the user name you are providing
• To provide a predefined value as password, in login.html change
  <input type="password" $(input-password)>
  to this line:
  <input type="hidden" name="password" value="hspass">
  where hspass is the password you are providing
• To send the client's MAC address to a registration server in the form of https://www.server.serv/register.html?mac=XX:XX:XX
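The CHAP-style login described above, as an added example that is not part of the manual: it computes MD5(chap-id + password + chap-challenge) the way the login page's JavaScript does, models what the browser submits when that script has or has not loaded yet, and checks the result the way the gateway would, including the allow-unencrypted-password fallback. The chap-id and chap-challenge bytes are constructed here, not values from a real gateway, and the function names are this example's own.

```python
import hashlib

# Constructed values. A real login page embeds $(chap-id) and $(chap-challenge)
# as escaped strings in its JavaScript; these bytes are arbitrary.
CHAP_ID = b"\xb7"
CHAP_CHALLENGE = bytes.fromhex("8d3c0a1e4f62b97a5c11d0e3f4a5b6c7")


def hotspot_chap_response(password: str, chap_id: bytes, chap_challenge: bytes) -> str:
    """Hex MD5 of chap-id + password + chap-challenge, in that order (the value the
    login page's MD5 script puts into the password field)."""
    return hashlib.md5(chap_id + password.encode("latin-1") + chap_challenge).hexdigest()


def build_login_form(user: str, password: str, chap_id: bytes, chap_challenge: bytes,
                     md5_script_loaded: bool) -> dict:
    """Model of the browser's submission. When the MD5 script has not loaded yet
    (the race the manual warns about), the raw password is what gets submitted."""
    if md5_script_loaded:
        password_field = hotspot_chap_response(password, chap_id, chap_challenge)
    else:
        password_field = password
    return {"user": user, "password": password_field}


def gateway_verify(form: dict, stored_password: str, chap_id: bytes, chap_challenge: bytes,
                   allow_unencrypted_password: bool = False) -> bool:
    """Gateway-side check: the field must equal the expected MD5 response. A plain
    password is accepted only when allow-unencrypted-password=yes."""
    expected = hotspot_chap_response(stored_password, chap_id, chap_challenge)
    if form["password"] == expected:
        return True
    return allow_unencrypted_password and form["password"] == stored_password


def is_plaintext_leak(form: dict, stored_password: str) -> bool:
    """True when what crossed the wire was the raw password (what a sniffer sees)."""
    return form["password"] == stored_password


if __name__ == "__main__":
    for loaded in (True, False):
        form = build_login_form("john", "31337", CHAP_ID, CHAP_CHALLENGE, loaded)
        print(f"md5 script loaded={loaded}: field={form['password']!r} "
              f"accepted={gateway_verify(form, '31337', CHAP_ID, CHAP_CHALLENGE)} "
              f"leak={is_plaintext_leak(form, '31337')}")
```

The challenge changes per login, so a captured response cannot be replayed against a fresh challenge, but MD5 over a short password is cheap to brute-force offline from one captured (challenge, response) pair; the script placement advice above only removes the plain-text case, it does not make the login strong.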
k (Soulseek, MLDonkey), BitTorrent (BitTorrent, Shareaza, MLDonkey), Blubster (Blubster, Piolet).

Please note that it is impossible to recognize peer-to-peer traffic from the first packet. Only already established connections can be matched. This means the first packets of a P2P session always pass a filter rule that matches on p2p alone; marking the connection in mangle and filtering or queuing on the connection mark catches the remainder of it.

Traffic Marking

Home menu level: /ip firewall mangle

Description

Peer-to-peer traffic marking provided by the Mangle facility labels the traffic for future processing against the firewall filters or queues.

Property Description

p2p (any | all-p2p | bit-torrent | direct-connect | fasttrack | soulseek | blubster | edonkey | gnutella; default: any) - match Peer-to-Peer (P2P) connections
• all-p2p - match all known P2P traffic
• any - match any packet (i.e. do not check this property)
mark-flow (text; default: "") - change flow mark of the packet to this value
mark-connection (text; default: "") - change connection mark of the packet to this value

Traffic Filtering

Home menu level: /ip firewall

Description

RouterOS gives you the ability to filter out traffic generated by P2P networks.

Property Description

p2p (any | all-p2p | bit-torrent | direct-connect | fasttrack | soulseek | blubster | edonkey | gnutella; default: any) - match Peer-to-Peer (P2P) connections
• all-p2p - match all known P2P traffic
• any - match any packet (i.e. do not check this property)
flow (text) - flow mark to match. Only packets marked in the MANGLE would be matched
connection (text; default: "") - connection mark to
kage, then the marked package cannot be uninstalled. You should uninstall the dependent package too. For the list of package dependencies, see the Software Package List section below.

The system package will not be uninstalled even if marked for uninstallation.

Example

Suppose we need to uninstall the security package from the router:

[admin@MikroTik] system package> print
Flags: I - invalid
  #  NAME             VERSION   BUILD-TIME             UNINSTALL
  0  system           2.8beta8  oct/21/2003 13:27:59   no
  1  ppp              2.8beta8  oct/21/2003 12:31:52   no
  2  advanced-tools   2.8beta8  oct/21/2003 12:31:42   no
  3  dhcp             2.8beta8  oct/21/2003 12:31:49   no
  4  routing          2.8beta8  oct/21/2003 12:31:55   no
  5  security         2.8beta8  oct/21/2003 12:31:47   no
  6  synchronous      2.8beta8  oct/21/2003 12:32:05   no
  7  wireless         2.8beta8  oct/21/2003 12:32:09   no
[admin@MikroTik] system package> set 5 uninstall=yes
[admin@MikroTik] > system reboot

Keep in mind that the security package is what provides the router's encrypted management services (such as the SSH server), so after this reboot only the unencrypted access methods remain.

Software Package List

Description

System Software Package

The system software package provides the basic functionality of the MikroTik RouterOS, namely:
• IP address management, ARP, static IP routing, policy routing, firewall (packet filtering, content filtering, masquerading and static NAT), traffic shaping (queues), IP traffic accounting, MikroTik Neighbour Discovery, IP Packet Packing, DNS client settings, IP service servers
• Ethernet interface support
• IP over IP tunnel interface support
• Ethernet over IP tunnel interface support
• driv
kets leaving the router.

The source/destination addresses of the packets do not match the values specified in the queue setting. Make sure the source and destination addresses as well as network masks are specified correctly. The most common mistake is a wrong address/netmask, e.g. 10.0.0.217/24 (wrong), 10.0.0.217/32 (right) or 10.0.0.0/24 (right).

Queue Applications

Description

One of the ways to avoid network traffic jams is the usage of traffic shaping in large networks. Traffic shaping and data rate allocation is implemented in the MikroTik RouterOS as a queuing mechanism. Thus the network administrator is able to allocate a definite portion of the total data rate and grant it to a particular network segment or interface. Also the data rate of particular nodes can be limited by using this mechanism.

Example of Emulating a 128k/64k Line

Assume we want to emulate a 128k download and 64k upload line connecting IP network 192.168.0.0/24. The network is served through the Local interface of the customer's router. The basic network setup is in the following diagram:

[Network diagram: Internet gateway 10.0.0.254 (64 kbps upstream) - MikroTik router with interface Public, address 10.0.0.217, netmask 255.255.255.0, and interface Local, address 192.168.0.254, netmask 255.255.255.0 (128 kbps downstream) - Workstation 192.168.0.1, Laptop 192.168.0.2, Server 192.168.0.17]

The IP addresses and routes of the MikroTik router are as follows:
kroTik] interface ppp-client>

IP Addresses and ARP

Document revision 0.0.3 (30 Jan 2004)
This document applies to MikroTik RouterOS V2.8

Table of Contents

Summary; Specifications; Related Documents
IP Addressing: Description, Property Description, Notes, Example
Address Resolution Protocol: Description, Property Description, Notes, Example
Proxy ARP feature: Description, Example
Unnumbered Interfaces: Description, Example

General Information

Summary

The following manual discusses IP address management and the Address Resolution Protocol settings. IP addresses serve as identification when communicating with other network devices using the TCP/IP protocol. In turn, communication between devices in one physical network proceeds with the help of the Address Resolution Protocol and ARP addresses.

Specifications

Packages required: system
Home menu level: /ip address, /ip arp
Protocols utilized: IP, ARP
Hardware usage: Not significant

Related Documents

Software Package Management

IP Addressing

Home menu level: /ip address

Description

IP addresses serve for general host identification purposes in IP networks. A typical IPv4 address consists of four octets. For proper addressing the router also needs the network mask value, id est which bits of the complete IP address refer to the address of the host and which to the address of the network. The network add
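An added example (not from the manual) that serves both the address/netmask split just described and the "most common mistake" from the queue troubleshooting notes above: given a RouterOS-style address/prefix it shows which bits are network and which are host, and flags queue src/dst entries such as 10.0.0.217/24 where a host address is combined with a network-sized mask. Only Python's standard ipaddress module is used; the sample address list and the function names are this example's own.

```python
import ipaddress
from typing import Dict, List

# Constructed sample of queue src/dst entries, using the manual's own three cases.
SAMPLE_QUEUE_ADDRESSES = ["10.0.0.217/24", "10.0.0.217/32", "10.0.0.0/24"]


def split_address(address: str) -> Dict[str, str]:
    """Split an IPv4 address/mask into its network and host parts, as the IP
    Addressing description defines them, and derive the broadcast address."""
    iface = ipaddress.ip_interface(address)
    net = iface.network
    host_part = int(iface.ip) & int(net.hostmask)  # bits the mask leaves for the host
    return {
        "address": str(iface.ip),
        "netmask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "host-part": str(ipaddress.IPv4Address(host_part)),
    }


def classify_queue_address(address: str) -> str:
    """'host' for a /32, 'network' when all host bits are zero, otherwise
    'host-bits-set': a host address with a network mask, which the manual marks wrong."""
    iface = ipaddress.ip_interface(address)
    if iface.network.prefixlen == iface.max_prefixlen:
        return "host"
    if int(iface.ip) == int(iface.network.network_address):
        return "network"
    return "host-bits-set"


def check_queue_addresses(addresses: List[str]) -> List[str]:
    """Return one warning per ambiguous entry, suggesting the two unambiguous forms."""
    warnings = []
    for entry in addresses:
        if classify_queue_address(entry) == "host-bits-set":
            iface = ipaddress.ip_interface(entry)
            warnings.append(
                f"{entry}: host bits set; use {iface.ip}/32 for the single host "
                f"or {iface.network} for the whole network"
            )
    return warnings


if __name__ == "__main__":
    print(split_address("10.0.0.217/24"))
    for warning in check_queue_addresses(SAMPLE_QUEUE_ADDRESSES):
        print("WARNING:", warning)
```

Running this over an exported queue list before applying it is a cheap way to catch the netmask mistake the troubleshooting note describes; the same split_address output also gives the network and broadcast values that /ip address print shows for an interface address.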
l be sent in the respective field of the DHCP request. If the use-peer-dns property is enabled, the DHCP client will unconditionally rewrite the settings in the /ip dns submenu. In case two or more DNS servers were received, the first two of them are set as primary and secondary servers respectively. In case one DNS server was received, it is put as the primary server and the secondary server is left intact.

Because the rewrite is unconditional, whoever answers the DHCP request on that segment decides which resolvers the router uses; leave use-peer-dns=no on a segment where a rogue DHCP server is a realistic risk and configure /ip dns statically instead.

Example

To enable the DHCP client on the ether1 interface:

[admin@MikroTik] ip dhcp-client> set enabled=yes interface=ether1
[admin@MikroTik] ip dhcp-client> print
             enabled: yes
           interface: ether1
           host-name: ""
           client-id: ""
   add-default-route: yes
        use-peer-dns: yes
[admin@MikroTik] ip dhcp-client>

DHCP Client Lease

Home menu level: /ip dhcp-client lease

Description

This submenu shows the actual IP address lease received by the client.

Property Description

status (read-only: searching | requesting | bound | renewing | rebinding) - the current state of the DHCP client
• "" - DHCP client is not enabled
• searching - the DHCP client is searching for a DHCP server but has not yet received an offer
• requesting - the DHCP client has received an offer from a DHCP server and is requesting an IP address now
• bound - the DHCP client has received an IP address (status bound should also appear on the DHCP server)
• renewing - the DHCP client is trying to renew the lease
• rebinding - the rene
l its features without registration for about one day from the first run. During this period you must get a key, otherwise you will need to reinstall the system.

A purchased license key allows you to use RouterOS features according to the chosen license level for unlimited time and gives you the right to freely upgrade and downgrade its versions for the term of one year since the key was purchased.

A free registered license key (referred to as a SOHO key further on) allows you to use a restricted set of functions for an unlimited period of time, but does not allow upgrading and downgrading versions.

There are 6 licensing levels, each providing some additional features. Level 0 means that there is no key and all the features are enabled for one day. Level 2 is a transitional license level that allows you to use all the features that were allowed by your original license key for a previous version. The levels are: 1 - SOHO, 3 - ISP, 4 - WISP, 5 - WISP AP, 6 - Controller.

[Table: features available per license level (Wireless Client and Bridge; Wireless AP; AP interfaces; EoIP tunnels; PPTP tunnels; L2TP tunnels; interfaces; active users; RADIUS; RIP, OSPF, BGP protocols; configuration erased on upgrade). The per-level cell values are not recoverable from this copy.]

Note that "Wireless Client and Bridge" means that wireless cards can be used in station and bridge modes. Bridge mode allows one wireless station to connect to it. You cannot do WDS in this mode. W
le
ISDN Examples: ISDN Dial-out, ISDN Dial-in, ISDN Backup

General Information

Summary

The MikroTik router can act as an ISDN client for dialing out, or as an ISDN server for accepting incoming calls. The dial-out connections may be set as dial-on-demand or as permanent connections (simulating a leased line). The remote IP address (provided by the ISP) can be used as the default gateway for the router.

Specifications

Packages required: isdn, ppp
Home menu level: /interface isdn-server, /interface isdn-client
Protocols utilized: PPP (RFC 1661)
Hardware usage: Not significant

Related Documents

Software Package Management
Device Driver Management
Log Management

Additional Documents

PPP over ISDN (RFC 3057)
ISDN Q.921 User Adaptation Layer

ISDN Hardware and Software Installation

Command name: /driver add

Description

Please install the ISDN adapter into the PC according to the instructions provided by the adapter manufacturer. Appropriate packages have to be downloaded from MikroTik's web page http://www.mikrotik.com. After all, the ISDN driver should be loaded using the /driver add command.

MikroTik RouterOS supports passive PCI adapters with the Siemens chipset: Eicon.Diehl Diva (diva), Sedlbauer Speed (sedlbauer), ELSA Quickstep 1000 (quickstep), NETjet (netjet), Teles (teles), Dr. Neuhaus Niccy (niccy), AVM (avm), Gazel (gazel), HFC-2BDS0 based adapters (hfc), W6692 based adapte
licy=reboot,read,write,policy,test last-started=dec/06/1999 20:07:37 run-count=1
[admin@MikroTik] system script>

Task Management

Home menu level: /system script job

Description

This facility is used to manage the active or scheduled tasks.

Property Description

name (read-only: name) - the name of the script to be referenced when invoking it
source (read-only: text) - the script source code itself
owner (text) - the name of the user who created the script

Example

[admin@MikroTik] system script> job print
  #  SCRIPT    OWNER   STARTED
  0  DelayeD   admin   dec/27/2003 11:17:33
[admin@MikroTik] system script>

You can cancel execution of a script by removing it from the job list:

[admin@MikroTik] system script> job remove 0
[admin@MikroTik] system script> job print
[admin@MikroTik] system script>

Script Editor

Command name: /system script edit

Description

The RouterOS console has a simple full-screen editor for scripts, with support for multiline script writing.

Keyboard Shortcuts

Command Description

edit name - opens the script specified by the name argument in the full-screen editor

Notes

All characters that are deleted by backspace, delete or Ctrl-k keys are accumulated in the buffer. Pressing any other key finishes adding to this buffer. Ctrl-y can paste its contents, and the next delete operation will replace its contents. Undo doesn't change the contents of the cut buffer.

Scri
lients, but it can potentially disturb some network protocols.

Example

To enable the Universal Client Interface on the ether1 interface, which will take the addresses to translate to from the exp pool:

[admin@MikroTik] ip hotspot universal> add address-pool=exp interface=ether1
[admin@MikroTik] ip hotspot universal> print
Flags: X - disabled, I - invalid
  #    INTERFACE  ADDRESS-POOL  ADDRESSES-PER-MAC  ARP      USE-DHCP  IDLE-TIMEOUT
  0 X  ether1     exp           2                  all-arp  yes       5m
[admin@MikroTik] ip hotspot universal> enable 0
[admin@MikroTik] ip hotspot universal> print
Flags: X - disabled, I - invalid
  #    INTERFACE  ADDRESS-POOL  ADDRESSES-PER-MAC  ARP      USE-DHCP  IDLE-TIMEOUT
  0    ether1     exp           2                  all-arp  yes       5m
[admin@MikroTik] ip hotspot universal>

Universal Host List

Home menu level: /ip hotspot universal host

Description

The list shows the current translation table. There are three ways a client may be added to the table:
• Each time the router receives a packet from an unknown client (determined by three properties: mac-address, address and interface), it adds the client to the list
• A client may be added by the DHCP server

Property Description

mac-address (read-only: MAC address) - client's MAC address
address (read-only: IP address) - client's IP address
to-address (read-only: IP address) - IP address to translate the address to
interface (r
lized: IP (RFC 791)
Hardware usage: Not significant

Related Documents

• Package Management
• IP Addresses and ARP
• Firewall Filters
• Network Address Translation

Description

MikroTik RouterOS has the following types of routes:
• Connected routes are created automatically when adding an address to an interface. These routes specify networks which can be accessed directly through the interface
• Static routes are user-defined routes that specify the router that can forward traffic to the specified network. They are useful for specifying the default gateway

You do not need to add routes to networks directly connected to the router, since they are added automatically when adding the IP addresses. However, unless you use some routing protocol (RIP or OSPF), you may want to specify static routes to specific networks, or the default route.

More than one gateway for one destination network may be used. This approach is called Equal Cost Multi-Path Routing and is used for load balancing. Note that this does not provide failover. With ECMP a router potentially has several available next hops towards any given destination. A new gateway is chosen for each new source-destination IP pair. This means that, for example, one FTP connection will use only one link, but a new connection to a different server will use the other link. This also means that routes to often-used sites will always be over the same provider. But on big backbones this
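An added example, not from the manual, modelling the ECMP behaviour just described: the gateway is chosen once per new source-destination IP pair and reused for that pair, so one FTP session stays on one link while a connection to another server may take the other, and a gateway that has gone down keeps receiving the pairs already assigned to it (load balancing, not failover). The pair-to-gateway choice here is a deterministic hash of the pair, which reproduces the observable properties; it is not RouterOS's actual selection algorithm. Gateway addresses and flow names are constructed.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed: two equal-cost next hops towards the same destination network.
GATEWAYS = ["10.0.0.1", "10.0.1.1"]


class EcmpSelector:
    """Per source/destination pair next-hop choice, remembered once made."""

    def __init__(self, gateways: List[str]) -> None:
        if not gateways:
            raise ValueError("need at least one gateway")
        self.gateways = list(gateways)
        self.assigned: Dict[Tuple[str, str], str] = {}  # (src, dst) -> gateway
        self.down: Set[str] = set()                      # gateways that stopped forwarding

    def gateway_for(self, src: str, dst: str) -> str:
        """First packet of a new pair picks a gateway; later packets reuse it."""
        key = (src, dst)
        if key not in self.assigned:
            digest = hashlib.sha256(f"{src}|{dst}".encode()).digest()
            index = int.from_bytes(digest[:4], "big") % len(self.gateways)
            self.assigned[key] = self.gateways[index]
        return self.assigned[key]

    def mark_down(self, gateway: str) -> None:
        """Simulate a cut line behind one gateway. The table is deliberately not
        rewritten: plain ECMP does not notice."""
        self.down.add(gateway)

    def delivers(self, src: str, dst: str) -> bool:
        """Whether traffic for this pair still reaches a working gateway."""
        return self.gateway_for(src, dst) not in self.down


def distribution(selector: EcmpSelector, src: str, destinations: List[str]) -> Dict[str, int]:
    """Count how many destinations from one client land on each gateway."""
    counts = {gw: 0 for gw in selector.gateways}
    for dst in destinations:
        counts[selector.gateway_for(src, dst)] += 1
    return counts


if __name__ == "__main__":
    ecmp = EcmpSelector(GATEWAYS)
    servers = [f"198.51.100.{i}" for i in range(1, 41)]  # constructed destinations
    print("spread over gateways:", distribution(ecmp, "192.168.0.1", servers))
    ecmp.mark_down(GATEWAYS[0])
    lost = [dst for dst in servers if not ecmp.delivers("192.168.0.1", dst)]
    print(f"after {GATEWAYS[0]} fails, {len(lost)} of {len(servers)} pairs still go nowhere")
```

The point of the last two lines is the one the manual makes: if a link needs to survive a cut, use a backup mechanism (such as the ISDN backup described elsewhere in this manual) or a routing protocol, not a second equal-cost gateway.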
ller-id="" password="test" profile=default local-address=3.3.3.1 remote-address=3.3.3.2 routes=""
[admin@MikroTik] ppp secret> /interface ppp-server
[admin@MikroTik] interface ppp-server> add port=serial1 disabled=no
[admin@MikroTik] interface ppp-server> print
Flags: X - disabled, R - running
  0   name="ppp-in1" mtu=1500 mru=1500 port=serial1 authentication=mschap2,mschap1,chap,pap profile=default modem-init="" ring-count=1 null-modem=no
[admin@MikroTik] interface ppp-server>

Now we need to set up the client to connect to the server:

[admin@MikroTik] interface ppp-client> add port=serial1 user=test password=test phone=132
[admin@MikroTik] interface ppp-client> print
Flags: X - disabled, R - running
  0 X name="ppp-out1" mtu=1500 mru=1500 port=serial1 user="test" password="test" profile=default phone="132" tone-dial=yes modem-init="" null-modem=no dial-on-demand=no add-default-route=no use-peer-dns=no
[admin@MikroTik] interface ppp-client> enable 0

After a short duration of time the routers will be able to ping each other:

[admin@MikroTik] interface ppp-client> /ping 3.3.3.1
3.3.3.1 64 byte ping: ttl=64 time=43 ms
3.3.3.1 64 byte ping: ttl=64 time=11 ms
3.3.3.1 64 byte ping: ttl=64 time=12 ms
3.3.3.1 64 byte ping: ttl=64 time=11 ms
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 11/19.2/43 ms
[admin@Mi
lock speed, and you do not need to restart the interface or router.

Example

[admin@MikroTik] interface> moxa-c101
[admin@MikroTik] interface moxa-c101> print
Flags: X - disabled, R - running
  0 R name="moxa-c101-1" mtu=1500 line-protocol=sync-ppp clock-rate=64000 clock-source=external frame-relay-lmi-type=ansi frame-relay-dce=no cisco-hdlc-keepalive-interval=10s ignore-dcd=no
[admin@MikroTik] interface moxa-c101>

You can monitor the status of the synchronous interface:

[admin@MikroTik] interface moxa-c101> monitor 0
    dtr: yes
    rts: yes
    cts: no
    dsr: no
    dcd: no
[admin@MikroTik] interface moxa-c101>

Connect a communication device, e.g. a baseband modem, to the V.35 port and turn it on. If the link is working properly, the status of the interface is:

[admin@MikroTik] interface moxa-c101> monitor 0
    dtr: yes
    rts: yes
    cts: yes
    dsr: yes
    dcd: yes
[admin@MikroTik] interface moxa-c101>

Troubleshooting

Description

The synchronous interface does not show up under the interfaces list
Obtain the required license for the synchronous feature.

The synchronous link does not work
Check the V.35 cabling and the line between the modems. Read the modem manual.

Synchronous Link Application Examples

MikroTik Router to MikroTik Router

Let us consider the following network setup with two MikroTik Routers connected to a leased line with baseband modems:

Intern
m is rebooted.

Property Description

available (read-only: yes | no) - whether the watchdog is available
enabled (yes | no; default: no) - whether the watchdogs are enabled

Example

To enable the watchdogs:

[admin@MikroTik] > system watchdog print
    available: yes
      enabled: no
[admin@MikroTik] > system watchdog set enabled=yes
[admin@MikroTik] > system watchdog print
    available: yes
      enabled: yes
[admin@MikroTik] >

LED Management

Command name: /led

Description

The four user LEDs of the RouterBOARD can be controlled from user-space scripts.

Property Description

led1 (yes | no; default: no) - whether LED1 is on
led2 (yes | no; default: no) - whether LED2 is on
led3 (yes | no; default: no) - whether LED3 is on
led4 (yes | no; default: no) - whether LED4 is on
length (time; default: 0s) - how long to hold the given combination
• 0s - no limit

Notes

The command does not imply a pause in execution. It works asynchronously, allowing execution to continue just after the command was entered, not waiting for the LEDs to switch off. After the given time (length property) the LEDs will return to the default (off) condition. Any new led command overrides the previous state and resets the LED state after the length time interval.

Example

To turn LED1 on for a minute:

[admin@MikroTik] > led led1=yes length=1m
[admin@MikroTik] >

Console Reset Jumper

Description
mand Substitution and Return Values

Description

Some console commands are most useful if their output can be used as an argument value in other commands. In the console this is done by returning a value from commands. The return value is not displayed on the screen. When you type such a command between square brackets, this command is executed and its return value is used as the value of these brackets. This is called command substitution.

The commands that return useful values are (but not limited to):
• find
• ping - returns the number of successful pings
• time - returns the measured time value
• incr and decr - return the new value of a variable
• add - returns the internal number of the newly created item

Example

Consider the usage of the find command:

[admin@MikroTik] > interface
[admin@MikroTik] interface> find type=ether
[admin@MikroTik] interface>
[admin@MikroTik] interface> :put [find type=ether]
1 2
[admin@MikroTik] interface>

This way you can see the console's internal numbers of items. Naturally, you can use them in other commands:

[admin@MikroTik] interface> enable [find type=ether]
[admin@MikroTik] interface>

Operators

Description

The console can do simple calculations with numbers, time values, IP addresses, strings and lists. It is achieved by writing expressions and putting them in parentheses, ( and ). The result of the expression serves as the return value for the parentheses.

Command Descripti
match. Only connections (including related) marked in the MANGLE would be matched
jump-target (name) - name of the target chain, if the action=jump is used
action (accept | drop | jump | passthrough | reject | return; default: accept) - action to undertake if the packet matches the rule, one of the:
• accept - accept the packet. No action, i.e. the packet is passed through without undertaking any action, except for mangle, and no more rules are processed in the relevant list/chain
• drop - silently drop the packet (without sending the ICMP reject message)
• jump - jump to the chain specified by the value of the jump-target argument
• passthrough - ignore this rule, except for mangle, and go on to the next one. Acts the same way as a disabled rule, except for the ability to count and mangle packets
• reject - reject the packet and send an ICMP reject message
• return - return to the previous chain, from where the jump took place

Traffic Limiting

Home menu level: /queue

Description

You can limit peer-to-peer traffic to a given amount of kbits per second, or give it lower priority than, for example, HTTP traffic. It is also possible to prioritize small file downloading over large ones using queue bursts.

Peer-to-Peer Traffic Control Examples

Summary

This section will give you two examples of typical peer-to-peer traffic control configurations.

Cumulative Bandwidth Limiting

Consider the following example. Suppose we ne
max = 4/4.4/6 ms
[admin@Neighbour] ip address>

Wireless Security Example

Let us consider that we want to secure all data for all wireless clients that are connecting to our AP. At first, add addresses to the wireless interfaces. On the AP:

[admin@AP] ip address> add address=192.168.1.1/24 interface=wlan1
[admin@AP] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS           NETWORK      BROADCAST      INTERFACE
  0   192.168.1.1/24    192.168.1.0  192.168.1.255  wlan1
[admin@AP] ip address>

And on the client:

[admin@Client] ip address> add address=192.168.1.2/24 interface=wlan1
[admin@Client] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS           NETWORK      BROADCAST      INTERFACE
  0   192.168.1.2/24    192.168.1.0  192.168.1.255  wlan1
[admin@Client] ip address>

On the AP, set the security to required and choose which encryption algorithm to use:

[admin@AP] interface wireless security> set 0 security=required algo-1=40bit-wep key-1=0123456789 transmit-key=key-1
[admin@AP] interface wireless security> print
  0 name="prism1" security=required algo-0=none key-0="" algo-1=40bit-wep key-1="0123456789" algo-2=none key-2="" algo-3=none key-3="" transmit-key=key-1 sta-private-algo=none sta-private-key="" radius-mac-authentication=no
[admin@AP] interface wireless security>

Keep in mind that WEP (40-bit in this example) is cryptographically broken: a passive listener can recover the key from captured traffic, so this setting keeps casual clients out but does not protect the data from a determined attacker. Where confidentiality matters, run an encrypted tunnel (e.g. PPTP or IPsec, described elsewhere in this manual) over the wireless link.

On the client side:
me: /interface wireless align monitor

Description

This command is used to monitor current signal parameters to/from a remote host.

Property Description

address (read-only: MAC address) - MAC address of the remote host
ssid (read-only: text) - service set identifier
rxq (read-only: integer) - signal strength of the last received packet
avg-rxq (read-only: integer) - average signal strength of received packets since the last display update on screen
last-rx (read-only: time) - time in seconds before the last packet was received
txq (read-only: integer) - the last received signal strength from our host to the remote one
last-tx (read-only: time) - time in seconds when the last TXQ info was received
correct (read-only: percentage) - how many undamaged packets were received

Example

[admin@MikroTik] interface wireless align> monitor wlan1
  #  ADDRESS            SSID        RXQ  AVG-RXQ  LAST-RX  TXQ  LAST-TX  CORRECT
  0  00:01:24:70:3C:70  align-test  13   12       0.02     15   0.02     100
[admin@MikroTik] interface wireless align>

Network Scan

Description

This is a feature that allows you to scan all available wireless networks. While scanning, the card unregisters itself from the access point (in station mode), or unregisters all clients (in bridge or ap-bridge mode). Thus network connections are lost while scanning.

Property Description

name (interface name) - interface to use for scanning
refresh-interval (time; default: 1s) - time in seconds to refresh
me menu level: /interface

Property Description

name (text) - the name of the interface
status - shows the interface status
type (read-only: arlan | bridge | cyclades | eoip | ethernet | farsync | ipip | isdn-client | isdn-server | l2tp-client | l2tp-server | moxa-c101 | moxa-c502 | mtsync | pc | ppp-client | ppp-server | pppoe-client | pppoe-server | pptp-client | pptp-server | pvc | radiolan | sbe | vlan | wavelan | wireless | xpeed) - interface type
mtu (integer) - maximum transmission unit for the interface (in bytes)
rx-rate (integer; default: 0) - maximum data rate for receiving data
• 0 - no limits
tx-rate (integer; default: 0) - maximum data rate for transmitting data
• 0 - no limits

Example

To see the list of all available interfaces:

[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME      TYPE     RX-RATE  TX-RATE  MTU
  0 R  ether1    ether    0        0        1500
  1 R  bridge1   bridge   0        0        1500
  2 R  ether2    ether    0        0        1500
  3 R  wlan1     wlan     0        0        1500
[admin@MikroTik] interface>

Traffic Monitoring

Command name: /interface monitor-traffic

Description

The traffic passing through any interface can be monitored.

Notes

One or more interfaces can be monitored at the same time.

Example

Multiple interface monitoring:

[admin@MikroTik] interface> monitor-traffic ether1,wlan1
    received-packets-per-second: 1        0
       received-bits-per-second: 475bps   0bps
        sent-packets-per-second: 1        1
                           sent
me menu level: /interface ppp-client

Description

The section describes PPP client configuration routines.

Property Description

port (name; default: unknown) - serial port
user (text; default: "") - P2P user name on the remote server to use for dial-out
password (text; default: "") - P2P user password on the remote server to use for dial-out
profile (name; default: default) - local profile to use for dial-out
allow (multiple choice: mschap2, mschap1, chap, pap; default: mschap2,mschap1,chap,pap) - the protocols the client is allowed to use for authentication (note that the default includes pap, which sends the password in clear text)
phone (integer; default: "") - phone number for dial-out
tone-dial (yes | no; default: yes) - defines whether to use tone dial or pulse dial
mtu (integer; default: 1500) - Maximum Transmission Unit. Maximum packet size to be transmitted
mru (integer; default: 1500) - Maximum Receive Unit
null-modem (no | yes; default: no) - enable/disable null-modem mode (when enabled, no modem initialization strings are sent)
modem-init (text; default: "") - modem initialization strings. You may use s11=40 to improve dialing speed
dial-on-demand (yes | no; default: no) - enable/disable dial on demand
add-default-route (yes | no; default: no) - add the PPP remote address as a default route
use-peer-dns (yes | no; default: no) - use DNS server settings from the remote server

Notes

• Additional client profiles must be configured on the server side for clients to accomplish the logon procedure
menu level: /certificate

Description

MikroTik RouterOS can import Certificates for the SSL services it provides (only HotSpot for now). This submenu is used to manage Certificates for these services.

Property Description

name (name) - reference name
subject (read-only: text) - holder (subject) of the certificate
issuer (read-only: text) - issuer of the certificate
serial-number (read-only: text) - serial number of the certificate
invalid-before (read-only: date) - date the certificate is valid from
invalid-after (read-only: date) - date the certificate is valid until
ca (yes | no; default: yes) - whether the certificate is used for building or verifying certificate chains (as a Certificate Authority)

Command Description

import - install new certificates
• file-name - import only this file (all files are searched for certificates by default)
• passphrase - passphrase for the found encrypted private key
• certificates-imported - how many new certificates were successfully imported
• private-keys-imported - how many private keys for existing certificates were successfully imported
• files-imported - how many files contained at least one item that was successfully imported
• decryption-failures - how many files could not be decrypted
• keys-with-no-certificate - how many public keys were successfully decrypted but did not have a matching certificate already installed
reset-certificate-cache - delete all cached decrypted public keys a
min@MikroTik] > system identity print
    name: MikroTik
[admin@MikroTik] >

To set the router identity:

[admin@MikroTik] > system identity set name=Gateway
[admin@Gateway] >

Date and Time

Home menu level: /system clock

Property Description

time (time) - date and time in format mmm/DD/YYYY HH:MM:SS
time-zone (text) - UTC timezone

Notes

It is recommended that you reboot the router after a time change to obviate possible errors in time measurements and logging. Date and time settings become permanent and affect the BIOS settings.

Example

To view the current date and time settings:

[admin@Gateway] system clock> print
         time: dec/24/2003 15:53:05
    time-zone: +02:00
[admin@Gateway] system clock>

To set the system date and time:

[admin@Gateway] system clock> set date=dec/31/2022 time=12:11:32 time-zone=0
[admin@Gateway] system clock> print
         time: dec/31/2022 12:11:33
    time-zone: +00:00
[admin@Gateway] system clock>

Configuration Change History

Home menu level: /
Command name: /system history, /undo, /redo

Description

The history of system configuration changes is held until the next router shutdown. The invoked commands can be undone in the reverse order they have been invoked. The undone commands may be redone in the reverse order they have been undone.

Command Description

undo - undoes the previous configuration-changing command (except another undo command)
redo - und
min@MikroTik] system backup> save name=test
Configuration backup saved
[admin@MikroTik] system backup>

To see the files stored on the router:

[admin@MikroTik] > file print
  #  NAME          TYPE     SIZE    CREATION-TIME
  0  test.backup   backup   12567   aug/12/2002 21:07:50
[admin@MikroTik] >

Treat the backup file as a secret: it holds the router's complete configuration, including user credentials, and the only way to copy it off the router mentioned in this manual is FTP, which transfers it unencrypted. Download it over a trusted network only and store it with the same care as the router's passwords.

Configuration Load

Command Example

To load the saved backup file test:

[admin@MikroTik] system backup> load name=test
Restore and reboot? [y/N]: N

Serial Console and Terminal

Document revision 2.0 (24 Dec 2003)
This document applies to MikroTik RouterOS V2.8

Table of Contents

Summary; Specifications; Related Documents; Additional Documents; Description
Serial Console Configuration: Description
Setting Serial Console: Property Description, Example
Using Serial Terminal: Description, Property Description, Notes, Example

General Information

Summary

The Serial Console and Terminal are tools used to communicate with devices and other systems that are interconnected via serial port. The serial terminal may be used to monitor and configure many devices, including modems, network devices (including MikroTik routers), and any device that can be connected to a serial (asynchronous) port.

Specifications

Packages required: system
License required: Any
Home menu level: /system
Protocols utilized: RS-232
Hardware usage: Not significant
337. min-threshold=10 red-max-threshold=50 red-burst=20 sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50 pcq-classifier=
  1 name="ethernet-default" kind=pfifo bfifo-limit=15000 pfifo-limit=50 red-limit=60 red-min-threshold=10 red-max-threshold=50 red-burst=20 sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50 pcq-classifier=
  2 name="wireless-default" kind=sfq bfifo-limit=15000 pfifo-limit=50 red-limit=60 red-min-threshold=10 red-max-threshold=50 red-burst=20 sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50 pcq-classifier=
  3 name="synchronous-default" kind=red bfifo-limit=15000 pfifo-limit=50 red-limit=60 red-min-threshold=10 red-max-threshold=50 red-burst=20 sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50 pcq-classifier=
  4 name="CUSTOMER-def" kind=red bfifo-limit=15000 pfifo-limit=50 red-limit=60 red-min-threshold=0 red-max-threshold=50 red-burst=0 sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50 pcq-classifier=
[admin@MikroTik] queue type>

Interface Default Queues
Home menu level: /queue interface
Property Description
interface (name) - interface name
queue (name; default: default) - default queue for the interface
Example
To change t
338. mmary
The support file is used for debugging MikroTik RouterOS and to solve support questions faster. All MikroTik router information is saved in a binary file, which is stored on the router and can be downloaded from the router using FTP.
Specifications
Packages required: system
License required: Any
Home menu level: /system
Hardware usage: Not significant
Generating Support Output File
Command name: /system sup-output
Example
To make a Support Output File:
[admin@MikroTik] > system sup-output
creating supout.rif file, might take a while
Done
[admin@MikroTik] >
To see the files stored on the router:
[admin@MikroTik] > file print
  # NAME        TYPE     SIZE    CREATION-TIME
  0 supout.rif  unknown  108787  dec/24/2003 10:12:38
[admin@MikroTik] >
Connect to the router using FTP and download the supout.rif file using BINARY file transfer mode. Send the supout.rif file to MikroTik Support (support@mikrotik.com) with a detailed description of the problem.
Page 349 of 398

Secure Shell (SSH) Server and Client
Document revision 2.0 (24 Dec 2003)
This document applies to MikroTik RouterOS V2.8
Table of Contents
  Table of Contents
  Summary
  Specifications
  Related Documents
  Additional Documents
  SSH Server
    Description
    Property Description
    Example
  SSH Client
    Example
General Information
Summary
The SSH client authenticates the server and encrypts traffic between the client and the server. You can us
339. n
  Summary
  Related Documents
  Description
  Packet Sniffer Configuration
    Description
    Property Description
    Notes
    Example
  Running Packet Sniffer
    Description
    Example
  Sniffed Packets
    Description
    Property Description
    Example
  Packet Sniffer Protocols
    Description
    Property Description
    Example
  Packet Sniffer Host
    Description
    Property Description
    Example
  Packet Sniffer Connections
    Description
    Property Description
    Example
General Information
Summary
Packet sniffer is a feature that catches all the data travelling over the network that it is able to get (when using a switched network, a computer may catch only the data addressed to it or forwarded through it).
Specifications
Packages required: system
Page 325 of 398
License required: Any
Home menu level: /tool sniffer
Protocols utilized: none
Hardware usage: Not significant
Related Documents
  Software Package Installation and Upgrading
Description
It allows you to sniff packets going through the router (and any other traffic that gets to the router, when there is no switching in the network) and view them using specific software.
Packet Sniffer Configuration
Home menu level: /tool sniffer
Property Description
interface (name | all; default: all) - the name of the interface that receives the packets
only-headers (yes | no; default: no) - whether to save in the memory packet headers only (not the whole packet)
memory-limit (integer; default: 10) - maximum amo
340. n the interface (i.e. arp=disabled is used), ARP requests from clients are not answered by the router. Therefore a static ARP entry should be added to the clients as well. For example, the router's IP and MAC addresses should be added to the Windows workstations using the arp command:
C:\> arp -s 10.5.8.254 00-aa-00-62-c6-09
Example
[admin@MikroTik] ip arp> add address=10.10.10.10 interface=ether2 mac-address=06:21:00:56:00:12
[admin@MikroTik] ip arp> print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
  #   ADDRESS      MAC-ADDRESS        INTERFACE
  0 D 2.2.2.2      00:30:4F:1B:B3:D9  ether2
  1 D 10.5.7.242   00:A0:24:9D:52:A4  ether1
  2   10.10.10.10  06:21:00:56:00:12  ether2
[admin@MikroTik] ip arp>
If static ARP entries are used for network security on an interface, you should set arp to reply-only on that interface. Do it under the relevant interface menu:
[admin@MikroTik] ip arp> /interface ethernet set ether2 arp=reply-only
[admin@MikroTik] ip arp> print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
  #   ADDRESS      MAC-ADDRESS        INTERFACE
  0 D 10.5.7.242   00:A0:24:9D:52:A4  ether1
  1   10.10.10.10  06:21:00:56:00:12  ether2
[admin@MikroTik] ip arp>
Page 176 of 398
Proxy-ARP feature
Description
All physical interfaces (like Ethernet, Atheros, Prism, Aironet, PC, WaveLAN, etc.) can be set to use the Address Resolution Protocol or not. The other possible setting i
341. n this case the router will wait until the UPS reports that the battery power is below 10%.
min-run-time (time; default: 5m) - minimal run time remaining. After a utility failure the router will monitor the run-time-left value. When the value reaches the min-run-time value, the router will go to hibernate mode
  - the router will go to hibernate mode when the battery-low signal is sent, indicating that the battery power is below 10%
alarm-setting (delayed | immediate | low-battery | none; default: immediate) - UPS sound alarm setting
  - delayed - alarm is delayed to the on-battery event
  - immediate - alarm immediately after the on-battery event
  - low-battery - alarm only when the battery is low
  - none - do not alarm
Page 375 of 398
rtc-alarm-setting (delayed | immediate | low-battery | none; default: none) - UPS sound alarm setting during run-time calibration
  - delayed - alarm is delayed to the on-battery event
  - immediate - alarm immediately after the on-battery event
  - low-battery - alarm only when the battery is low
  - none - do not alarm
model (read-only: text) - less than 32 ASCII character string consisting of the UPS model name (the words on the front of the UPS itself)
version (read-only: text) - UPS version, consisting of three fields: SKU number, firmware revision, country code. The country code may be one of the following:
  - I - 220/230/240 Vac
  - D - 115/120 Vac
  - A - 100 Vac
  - M - 208 Vac
  - J - 200 Vac
342. name, and if it is not ambiguous, console will accept it as a full name. So typing
[admin@MikroTik] > pi 10.1 c 3 s 100
equals to
[admin@MikroTik] > ping 10.0.0.1 count 3 size 100
Notes
Pressing the Tab key while entering an IP address will do a DNS lookup instead of completion. If what
Page 4 of 398
is typed before the cursor is a valid IP address, it will be resolved to a DNS name (reverse resolve), otherwise it will be resolved directly (i.e. to an IP address). To use this feature, a DNS server must be configured and working. To avoid input lockups, any such lookup will time out after half a second, so you might have to press Tab several times before the name is actually resolved.
It is possible to complete not only the beginning but also any distinctive substring of a name: if there is no exact match, console starts looking for words that have the string being completed as the first letters of a multiple-word name, or that simply contain the letters of this string in the same order. If a single such word is found, it is completed at the cursor position. For example:
[admin@MikroTik] > interface x<TAB>_
[admin@MikroTik] > interface export _
[admin@MikroTik] > interface mt<TAB>_
[admin@MikroTik] > interface monitor-traffic _
Additional Information
Description
Built-in Help
The console has a built-in help, which can be accessed by typing ?. The general rule is that help shows what you can type in the position where the ? was pressed s
343. nd rebuild the certificate cache
Page 280 of 398
decrypt - decrypt and cache public keys
  - passphrase - passphrase for the found encrypted private key
  - keys-decrypted - how many keys were successfully decrypted and cached
create-certificate-request - creates the certificate request to be signed by a Certificate Authority
Notes
Server certificates may have the ca property set to no, but Certificate Authority certificates must have it set to yes.
Certificates and encrypted private keys are imported from and exported to the router's FTP server. Public keys are not stored on a router in unencrypted form. Cached decrypted private keys are stored in encrypted form, using a key that is derived from the router ID. Passphrases are not stored on the router.
Configuration backup does not include cached decrypted private keys. After restoring a backup, all certificates with private keys must be decrypted again using the decrypt command with the correct passphrase.
Example
To import a certificate and the respective private key already uploaded on the router:
[admin@MikroTik] certificate> import passphrase=XXXX
    certificates-imported:
    private-keys-imported:
    files-imported:
    decryption-failures:
    keys-with-no-certificate:
[admin@MikroTik] certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
  0 QR name="cert1" subject=C=LV,ST=,O=,CN=cert-test.mt.lv issuer=C=LV,ST=,O=,CN=third serial-number="01" invalid-before=sep/17/2003
344. nect to a different interface to continue its work. Such a backup is based on a utility that monitors the status of the connection (netwatch) and a script which runs the netwatch.
This is an example of how to make a simple router backup system. In this example we'll use an ISDN connection for the purpose of backing up a standard Ethernet connection. You can, however, use instead of the ISDN connection anything you need (PPP, for example). When the Ethernet fails (the router nr. 1 cannot ping the router nr. 2 at 2.2.2.2, see picture), the router nr. 1 will establish an ISDN connection (so-called backup link) to continue communicating with the nr. 2. You must keep in mind that in our case there are just two routers, but this system can be extended to support more different networks.
The backup system example is shown in the following picture:
[Figure: backup system example. Router 1 (ether2 10.0.0.125, backup interface 3.3.3.1/32) and Router 2 (ether1 2.2.2.2, backup interface 3.3.3.254/32) connected by the Ethernet link and the backup link. The route tables drawn in the figure have DST-ADDRESS and GATEWAY columns and a DEFAULT GATEWAY entry; the addresses shown are 1.1.1.0/24, 10.0.0.125, 1.1.1.2, 0.0.0.0/0, 2.2.2.2, 10.0.0.1 and 2.2.2.1 (route pairings illegible in the scan).]
In this case the backup interface is an ISDN connection, but in real applications it can be substituted by a particular connection. Follow the instructions below on how to set up the backup link.
At first you need to set up the ISDN connection. To use ISDN, the ISDN card driver must be loaded:
[admin@MikroTik] driver> add name=hfc
345. ned IP address only when half a lease time
Page 263 of 398
is past; it tries to renew several times. Only when the full lease time is past and the IP address was not renewed is a new lease asked (rebind operation).
The default mac-address value will never work. You should specify a correct MAC address there.
Example
To assign the 10.5.2.100 static IP address to the existing DHCP client shown in the lease table as item 0:
[admin@MikroTik] ip dhcp-server lease> print
Flags: X - disabled, H - hotspot, D - dynamic
  #   ADDRESS     MAC-ADDRESS        EXPIRES-AFTER  SERVER  STATUS
  0 D 10.5.2.90   00:04:EA:C6:0E:40  1h48m59s       switch  bound
  1 D 10.5.2.91   00:04:EA:99:63:C0  1h42m51s       switch  bound
[admin@MikroTik] ip dhcp-server lease> add copy-from=0 address=10.5.2.100
[admin@MikroTik] ip dhcp-server lease> print
Flags: X - disabled, H - hotspot, D - dynamic
  #   ADDRESS     MAC-ADDRESS        EXPIRES-AFTER  SERVER  STATUS
  1 D 10.5.2.91   00:04:EA:99:63:C0  1h42m18s       switch  bound
  2   10.5.2.100  00:04:EA:C6:0E:40  1h48m26s       switch  bound
[admin@MikroTik] ip dhcp-server lease>

DHCP Relay
Home menu level: /ip dhcp-relay
Description
DHCP Relay is just a proxy that is able to receive a DHCP request and resend it to the real DHCP server.
Property Description
name (name) - descriptive name for the relay
interface (name) - interface name the DHCP relay will be working on
dhcp-server (text)
346. new-upgrade-key - request a new key
  (IP address) - key server's IP address
  (text) - username to log into the key server
  (text) - password to log into the key server
  (integer: 2..6) - license level to request
  (credit-card | credit-keys | credit-money | debit-keys | debit-money) - payment method to use
  (text; default: "") - script to execute while the command is running
  (time; default: 1s) - how frequently to execute the given script
  if specified, executes the script once and then terminates the command
  (status) - the command's execution status:
    - Resolving www.mikrotik.com - resolving DNS name
    - Failed to resolve www.mikrotik.com, check your dns settings - check whether the DNS client is set up on the router and that it is allowed to resolve a DNS name on the DNS server set
    - Failed to connect, probably no IP address - self-explanatory
    - Failed to connect, is your router public? - check whether the router has a default route and is able to reach the key server
    - Connecion failed - connection has timed out
    - Bad response from server - try again
    - ERROR: You don't have appropriate debit key - no existing debit keys on your account match the requested one
    - ERROR: You don't have enought debit money - self-explanatory
    - ERROR: Credit key limit exceeded - self-explanatory
    - ERROR: Your credit limit is exceeded - self-explanatory
    - ERROR: This payment method is not more allowed. Go to www.mikrotik.com, log on and
Page 391 of 398
purchase key there
347. ng
  - pcq - Per Connection Queuing
bfifo-limit (integer; default: 15000) - BFIFO queue limit. Maximum packet number that the queue can hold
pfifo-limit (integer; default: 10) - PFIFO queue limit. Maximum byte number that the queue can hold
red-limit (integer; default: 60) - RED queue limit
red-min-threshold (integer; default: 10) - RED minimum threshold
red-max-threshold (integer; default: 50) - RED maximum threshold
red-burst (integer; default: 20) - RED burst
Page 291 of 398
sfq-perturb (integer; default: 5) - how often to change the hash function
sfq-allot (integer; default: 1514) - amount of data in bytes that can be sent in one round-robin round
pcq-rate (integer; default: 0) - maximal data rate in bits per second assigned to one group
  - 0 - do not limit data rate
pcq-limit (integer; default: 50)
pcq-classifier (multiple choice: dst-address, dst-port, target-address, target-port) - the classifier for grouping traffic flow
Notes
For small limitations (64kbps, 128kbps) RED is more preferable. For larger speeds PFIFO will be as good as RED. RED consumes much more memory and CPU than PFIFO & BFIFO.
Example
To add a red queue type with a minimum threshold of 0, without any burst, and named CUSTOMER-def:
[admin@MikroTik] queue type> add name=CUSTOMER-def kind=red red-min-threshold=0 red-burst=0
[admin@MikroTik] queue type> print
  0 name="default" kind=pfifo bfifo-limit=15000 pfifo-limit=50 red-limit=60 red
348. ng Protocol
  - xns-idp - Xerox NS IDP
  - rdp - Reliable Datagram Protocol
  - iso-tp4 - ISO Transport Protocol class 4
  - xtp - Xpress Transfer Protocol
  - ddp - Datagram Delivery Protocol
  - idpr-cmtp - IDPR Control Message Transport
  - gre - General Routing Encapsulation
  - esp - IPsec ESP protocol
  - ah - IPsec AH protocol
  - rspf - Radio Shortest Path First
  - vmtp - Versatile Message Transport Protocol
  - ospf - Open Shortest Path First
  - ipip - IP encapsulation
  - encap - IP encapsulation
packets (integer) - the number of packets
port (name) - the port of the TCP/UDP protocol
share (integer) - specific type of traffic compared to all traffic in bytes
Example
[admin@MikroTik] tool sniffer protocol> print
  # PROTOCOL  IP-PR  PORT         PACKETS  BYTES  SHARE
  0 ip                            77       4592   100
  1 ip        tcp                 74       4328   94.25
  2 ip        gre                 3        264    5.74
  3 ip        tcp    22 (ssh)     49       3220   70.12
  4 ip        tcp    23 (telnet)  25       1108   24.12
[admin@MikroTik] tool sniffer protocol>
Page 330 of 398

Packet Sniffer Host
Home menu level: /tool sniffer host
Description
The submenu shows the list of hosts that were participating in the data exchange you've sniffed.
Property Description
address (read-only: IP address) - the address of the host
peek-rate (read-only: integer/integer) - the maximum data rate received/transmitted
rate (read-only: integer/integer) - current data rate received/transmitted
total (read-only: integer/integer) - total packets received/transmitted
Example
In th
349. ng on demand
l2-protocol (hdlc | x75i | x75ui | x75bui; default: hdlc) - level 2 protocol to be used
user (text) - user name that will be provided to the remote server
Page 87 of 398
password (text) - password that will be provided to the remote server
allow (multiple choice: mschap2, mschap1, chap, pap; default: mschap2, mschap1, chap, pap) - the protocol to allow the client to use for authentication
add-default-route (yes | no; default: no) - add default route to remote host on connect
profile (name; default: default) - profile to use when connecting to the remote server
use-peer-dns (yes | no; default: no) - use or not peer DNS
bundle-128K (yes | no; default: yes) - use both channels instead of just one
Example
[admin@MikroTik] interface isdn-client> add msn=142 user=test password=test phone=144 bundle-128K=no
[admin@MikroTik] interface isdn-client> print
Flags: X - disabled, R - running
  0 X name="isdn-out1" mtu=1500 mru=1500 msn="142" user="test" password="test" profile=default phone="144" l2-protocol=hdlc bundle-128K=no dial-on-demand=no add-default-route=no use-peer-dns=no
[admin@MikroTik] interface isdn-client>

ISDN Server Interface Configuration
Home menu level: /interface isdn-client
Description
ISDN server is used to accept remote dial-in connections from ISDN clients. ISDN server interfaces can be added using the add command.
Property Description
name (name) - d
350. nly: MAC address) - Media Access Control address for the interface
forward-protocols (multiple choice: ip, arp, appletalk, ipx, ipv6, other; default: ip,arp,appletalk,ipx,ipv6,other) - list of forwarded protocols
  - other - all other protocols than AppleTalk, ARP, IP, IPv6 or IPX (e.g. NetBEUI, VLAN, etc.)
priority (integer: 0..65535; default: 32768) - bridge interface priority. The priority argument is used by the Spanning Tree Protocol to determine which port remains enabled if two or even more ports form a loop
stp (no | yes; default: no) - whether to enable or disable the Spanning Tree Protocol
ageing-time (time; default: 5m) - how long the host information will be kept in the bridge database
forward-delay (time; default: 15s) - time which is spent in listening/learning state
garbage-collection-interval (time; default: 4s) - how often to drop old host entries in the bridge database
Notes
forward-protocols is a simple filter that also affects the locally destined and locally originated packets. So, disabling the ip protocol, you will not be able to communicate with the router from the bridged interfaces.
Example
To add and enable a bridge interface that will forward all the protocols:
[admin@MikroTik] interface bridge> add
[admin@MikroTik] interface bridge> print
Flags: X - disabled, R - running
  0 X name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00 forward-protocols=ip,arp,appletalk,ipx,ipv6,other stp=no priority=32768 ageing-time=5m forward-delay=15s g
351. no) - enable client connections for bandwidth test
authenticate (yes | no; default: yes) - communicate only with clients authenticated by a valid username and password
allocate-udp-ports-from - allocate UDP ports from
max-sessions - maximal number of bandwidth test clients
Notes
The list of current connections can be got in the session submenu.
Example
Bandwidth Server:
[admin@MikroTik] tool bandwidth-server> print
    enabled: no
Page 322 of 398
    authenticate: yes
    allocate-udp-ports-from: 2000
    max-sessions: 10
[admin@MikroTik] tool>
Active sessions:
[admin@MikroTik] tool> bandwidth-server session print
  # CLIENT               PROTOCOL  DIRECTION  USER
  0 (address illegible)  udp       send       admin
  1 (address illegible)  udp       send       admin
  2 36.36.36.1           udp       send       admin
[admin@MikroTik] tool>
To enable the bandwidth test server without client authentication:
[admin@MikroTik] tool bandwidth-server> set enabled=yes authenticate=no
[admin@MikroTik] tool bandwidth-server> print
    enabled: yes
    authenticate: no
    allocate-udp-ports-from: 2000
    max-sessions: 10
[admin@MikroTik] tool>

Client Configuration
Command name: /tool bandwidth-test
Property Description
address (IP address) - IP address of the destination host
assume-lost-time (time; default: 0s) - assume that the connection is lost if the Bandwidth Server is not responding for that time
direction (receive | transmit | both; default: receive) - the direction of the test
do (name | string; default: sc
352. 146
  (entry illegible) 146
  Synchronous Interface Configuration 147
  (entry illegible) 149
  Synchronous Link Application Examples 149
  Cyclades PC300 PCI Adapters 154
    General Information 154
    Synchronous Interface Configuration 155
    Troubleshooting 156
    RSV/V.35 Synchronous Link Applications 156
  Point to Point Protocol over Ethernet (PPPoE) 159
    General Information 159
    PPPoE Client Setup 160
    Monitoring PPPoE Client 161
    PPPoE Server Setup (Access Concentrator) 162
    PPPoE Server Us(entry illegible) 163
    Troubleshooting 164
    Application Examples 165
  Point to Point Protocol (PPP) and Asynchronous Interfaces 168
    General Information 168
    Serial Port Configuration 169
    PPP Server Setup 170
    PPP Client Setup 171
    PPP Application Example 172
  IP Addresses and ARP 174
    General Information
353. ntents
  Table of Contents
  Summary
  Specifications
  Description
  Traffic Marking
    Description
    Property Description
  Traffic Filtering
    Description
    Property Description
  Traffic Limiting
    Description
  Point to Point Traffic Control Examples
    Summary
    Cumulative Bandwidth Limiting
    Per Address Queuing
General Information
Summary
This manual section describes techniques needed to control traffic from peer-to-peer (P2P) networks. Peer-to-peer is a concept whereby one individual host directly communicates with another, as opposed to each client referring to a common hub or server. This type of network connection allows users to share various information, including audio and video files and application programs. Uncontrolled P2P connections take all the available bandwidth and leave no space for other activities like mail or HTTP browsing.
Specifications
Packages required: system
Home menu level: /ip firewall, /ip firewall mangle, /queue
Hardware usage: Increases with rule count
Description
RouterOS is able to recognize connections of the most popular P2P protocols:
  - Fasttrack (Kazaa, KazaaLite, Grokster, iMesh)
  - Gnutella (Shareaza, XoLoX, Gnucleus, BearShare, LimeWire, Morpheus, Phex, Swapper, Gtk-Gnutella (linux), Mutella (linux), Qtella (linux), MLDonkey)
Page 211 of 398
  - Gnutella2 (Shareaza, MLDonkey)
  - DirectConnect (DirectConnect (AKA DC++), MLDonkey)
  - eDonkey (eDonkey2000, eMule, xMule (linux), Shareaza, MLDonkey)
  - Soulsee
354. nterface=aironet
[admin@MikroTik] ip address> print
Page 56 of 398
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS           NETWORK       BROADCAST      INTERFACE
  0   192.168.11.1/30   192.168.11.0  192.168.11.3   aironet
  1   192.168.0.254/24  192.168.0.0   192.168.0.255  Local
[admin@MikroTik] ip address>
The second router will have address 192.168.11.2. The network connectivity can be tested by using ping or bandwidth test:
[admin@wnet_gw] ip address> add address=192.168.11.2/30 interface=aironet
[admin@wnet_gw] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS           NETWORK       BROADCAST      INTERFACE
  0   192.168.11.2/30   192.168.11.0  192.168.11.3   aironet
  1   10.1.1.12/24      10.1.1.0      10.1.1.255     Public
[admin@wnet_gw] ip address> ping 192.168.11.1
192.168.11.1 pong: ttl=255 time=3 ms
192.168.11.1 pong: ttl=255 time=1 ms
192.168.11.1 pong: ttl=255 time=1 ms
192.168.11.1 pong: ttl=255
ping interrupted
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1/1.5/3 ms
[admin@wnet_gw] interface pc> tool bandwidth-test 192.168.11.1 protocol=tcp
    status: running
    rx-current: 4.61Mbps
    rx-10-second-average: 4.25Mbps
    rx-total-average: 4.27Mbps
[admin@wnet_gw] interface pc> tool bandwidth-test 192.168.11.1 protocol=udp size=1500
    status: running
    rx-current: 5.64Mbps
    rx-10-second-average: 5.32Mbps
    rx-total-average: 4.87Mbps
[admin@wnet_gw] interface pc>
Page
355. o the master state:
[admin@MikroTik] ip vrrp> print
Flags: X - disabled, I - invalid, M - master, B - backup
  0 M name="vr1" interface=local vrid=1 priority=100 interval=1 preemption-mode=yes authentication=none password="" on-backup="" on-master=""
[admin@MikroTik] ip vrrp> /ip address print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS         NETWORK      BROADCAST      INTERFACE
  0   10.1.0.1/24     10.0.0.0     10.1.0.255     public
  1   192.168.1.3/24  192.168.1.0  192.168.1.255  local
  2 D 192.168.1.1/24  192.168.1.0  192.168.1.255  local
[admin@MikroTik] ip vrrp>
Page 219 of 398

Network Address Translation
Document revision 1.2 (15 Sep 2003)
This document applies to MikroTik RouterOS V2.8
Table of Contents
  Table of Contents
  General Information
    Summary
    Specifications
    Related Documents
    Description
  Common NAT Parameters
    Description
    Property Description
  Source NAT
    Description
    Property Description
    Notes
    Example
  Destination NAT
    Description
    Property Description
    Example
General Information
Summary
Network Address Translation (NAT) provides ways for hiding local networks as well as for maintaining public services on servers from these networks. Besides, through NAT additional applications like a transparent proxy service can be made.
Specifications
Packages required: system
License required: Any
Home menu level: /ip firewall src-nat, /ip firewall dst-nat
Protocols utilized: IP
Hardware us
356. o work properly.
Example
We have masquerading already enabled on our router:
[admin@MikroTik] ip upnp interfaces> /ip firewall src-nat print
Flags: X - disabled, I - invalid, D - dynamic
  0 src-address=0.0.0.0/0:0-65535 dst-address=0.0.0.0/0:0-65535
Page 226 of 398
    out-interface=ether1 protocol=all icmp-options=any:any flow="" connection="" content="" limit-count=0 limit-burst=0 limit-time=0s action=masquerade to-src-address=0.0.0.0 to-src-port=0-65535
[admin@MikroTik] ip upnp interfaces>
Now all we have to do is to add interfaces and enable UPnP:
[admin@MikroTik] ip upnp interfaces> add interface=ether1 type=external
[admin@MikroTik] ip upnp interfaces> add interface=ether2 type=internal
[admin@MikroTik] ip upnp interfaces> print
Flags: X - disabled
  #   INTERFACE  TYPE
  0 X ether1     external
  1 X ether2     internal
[admin@MikroTik] ip upnp interfaces> enable 0,1
[admin@MikroTik] ip upnp interfaces> set enabled=yes
[admin@MikroTik] ip upnp interfaces>
Page 227 of 398

DNS Client and Cache
Document revision 2.0 (17 Nov 2003)
This document applies to MikroTik RouterOS V2.8
Table of Contents
  Table of Contents
  Summary
  Specifications
  Related Documents
  Description
  DNS Client Configuration
    Description
    Property Description
    Notes
General Information
Summary
DNS cache is used to minimize DNS requests to an external DNS
357. oTik] system resource> (garbled PCI and IRQ listing; recoverable entries: cga, IDE, serial port, PCI conf1, National Semiconductor Corporation DP83815 MacPhyter Ethernet as ether1 and ether2, PCI devices 100b:0511, 100b:0510, 100b:0510 and 100b:0515 National Semiconductor Corporation, SCx200 IDE, PCI CardBus 01 and 05, Texas Instruments PCI1250 PC card Cardbus Controller)
[admin@MikroTik] system resource> irq print
(output illegible in the scan)
[admin@MikroTik] system resource>
Suppose we need to load a driver for a NE2000 compatible ISA card. Assume we had considered the information above and have checked the available resources in our system. To add the driver we must do the following:
[admin@MikroTik] driver> add name=ne2k-isa io=0x280
[admin@MikroTik] driver> print
Flags: I - invalid, D - dynamic
  #   DRIVER                  IRQ  IO   MEMORY  ISDN-PROTOCOL
  0   RealTek 8139
  1   Intel EtherExpressPro
  2   PCI NE2000
  3   ISA NE2000                   280  C8000
  4   Moxa C101 Synchronous
[admin@MikroTik] driver>
(flag column of the driver list illegible in the scan)

Removing Device Drivers
Description
You can remove only statically loaded drivers, id est those which do not have the D flag before the driver name. The device driver
358. oTik] ip route>
Although the current command level is changed to ip route, it has effect only on the next command entered from the prompt. The print command is still considered to be user print.
Example
We will add two users to the user menu in the example below:
[admin@MikroTik] ip address> /user add name=x password=y group=write; add name=y password=z group=read; print
Flags: X - disabled
  #   NAME   GROUP  ADDRESS
  0 ;;; system default user
      admin  full   0.0.0.0/0
  1   x      write  0.0.0.0/0
  2   y      read   0.0.0.0/0
[admin@MikroTik] ip address>

Variables
Description
Console allows you to create and use global (system-wide) and local (only usable within the current script) variables. Variables can be accessed by writing $ followed by the name of the variable. Variable names can contain letters, digits and the _ character. A variable must be declared prior to using it in scripts. There are three types of declaration available. You can assign a new value to a variable using the set action. It has two arguments: the name of the variable and the new value of the variable.
Notes
Page 364 of 398
Loop variables shadow already introduced local variables with the same name.
Example
[admin@MikroTik] ip route>
[admin@MikroTik] > :global gl
[admin@MikroTik] > :set gl "this is global variable"
[admin@MikroTik] > :put $gl
this is global vari
[admin@MikroTik] > Com
359. oTik] tool>
Page 334 of 398

ICMP Bandwidth Test
Document revision 1.2 (13-10-2003)
This document applies to MikroTik RouterOS V2.8
Table of Contents
  Table of Contents
  Summary
  Specifications
  Related Documents
  ICMP Bandwidth Test
    Description
    Property Description
    Example
General Information
Summary
The ICMP Bandwidth Tester (Ping Speed) can be used to approximately evaluate the throughput to any remote computer and thereby help to discover network bottlenecks.
Specifications
Packages required: advanced-tools
License required: Any
Home menu level: /tool
Protocols utilized: ICMP (RFC792)
Hardware usage: Not significant
Related Documents
  - Software Package Installation and Upgrading
  - IP Addresses and Address Resolution Protocol (ARP)
  - Log Management
ICMP Bandwidth Test
Description
The ICMP test uses two standard echo requests per second. The time between these pings can be changed. Ping packet size variation makes it possible to approximately evaluate connection parameters and speed with different packet sizes. Statistics for throughput are calculated using the size of the ICMP packet, the interval between the ICMP echo request and echo reply, and the differences between parameters of the first and the second packet.
Property Description
Page 335 of 398
do (name) - assigned name of the script to start
first-ping-size (integer: 32..64000; default: 32) - first ICMP packet size
second-ping-size (intege
360. ocols are going through the ether1 interface:
[admin@MikroTik] tool> torch ether1 protocol=any-ip port=any
  PRO..  SRC-PORT  DST-PORT            TX        RX
  tcp    3430      22 (ssh)            1.06kbps  608bps
  udp    2812      1813 (radius-acct)  512bps    2.11kbps
  tcp    1059      139 (netbios-ssn)   248bps    360bps
Page 319 of 398
[admin@MikroTik] tool>
Page 320 of 398

Bandwidth Test
Document revision 1.5 (13-10-2003)
This document applies to MikroTik RouterOS V2.8
Table of Contents
  Table of Contents
  General Information
    Summary
    Specifications
    Related Documents
    Description
  Server Configuration
    Property Description
    Notes
    Example
  Client Configuration
    Property Description
    Example
General Information
Summary
The Bandwidth Tester can be used to monitor the throughput only to a remote MikroTik router (either wired or wireless) and thereby help to discover network bottlenecks.
Specifications
Packages required: system
License required: Any
Home menu level: /tool
Protocols utilized: TCP (RFC 793), UDP (RFC768)
Hardware usage: significant
Related Documents
  Software Package Installation and Upgrading
Description
Protocol Description
The TCP test uses the standard TCP protocol with acknowledgments and follows the TCP algorithm on how many packets to send according to latency, dropped packets, and other features in the TCP algorithm. Please review the TCP protocol for details on its internal speed settings and how to analyze its behavior. Statisti
oes previous undo command
system history print - print a list of last configuration changes, specifying whether the action can be undone or redone

Notes
Floating undo actions are created within the current SAFE mode session. They are automatically converted to undoable and redoable when SAFE mode is terminated successfully, and are all undone irreversibly when SAFE mode is terminated unsuccessfully. The undo command cannot undo commands past the start of the SAFE mode.

Example
To show the list of configuration changes:

[admin@MikroTik] system history> print
Flags: U - undoable, R - redoable, F - floating-undo
  ACTION                          BY      POLICY
U system time zone changed        admin   write
U system time zone changed        admin   write
U system time zone changed        admin   write
U system identity changed         admin   write
[admin@MikroTik] system clock>

What the undo command does:

[admin@MikroTik] system history> print
Flags: U - undoable, R - redoable, F - floating-undo
  ACTION                          BY      POLICY
R system time zone changed        admin   write
U system time zone changed        admin   write
U system time zone changed        admin   write
U system identity changed         admin   write
[admin@MikroTik] system clock>

Liquid Crystal Display (LCD) Manual

Document revision 2.0 (23-Dec-2003)
This document applies to MikroTik RouterOS V2.8

Table of Contents
Summary
Specifications
Related Documents
Description
Configuring the LCD's Se
of that group, as we can do with simple queues attached to the main HTB, but with an upper limit. Each queue represents a virtual interface with the allowed data rate. It can be borrowed from sibling queues (queues that are children of one queue) when max-limit is greater than limit-at. If so, the queue would use more than the allocated data rate whenever possible. Only when other queues are getting too long and a connection cannot be satisfied are the borrowing queues limited to their allocated data rate.

When a parent is allowed to send some amount of traffic, it asks its inner queues in order of priority (priorities are processed one after another, from 1 to 8, where 1 means the highest priority). When a queue reaches its limit-at value, its priority is no longer taken into account (such a queue will be less prioritized than the ones that have not reached this limit).

Information Rates and Contention Ratios

Quality of Service (QoS) means that the router should prioritize and shape network traffic. QoS is not so much about limiting, it is more about providing quality. The main terms used to describe the level of QoS for network applications are:
- CIR (Committed Information Rate) - the guaranteed data rate. It means that traffic not exceeding this rate should always be delivered
- MIR (Maximal Information Rate) - the maximal data rate the router will provide
- Contention Ratio - the ratio to which the defined data rate is shared between users (i.e. data rat
oft Point-to-Point Encryption) to make encrypted links. The purpose of this protocol is to make well-managed secure connections between routers as well as between routers and PPTP clients (clients are available for and/or included in almost all OSs, including Windows).

PPTP includes PPP authentication and accounting for each PPTP connection. Full authentication and accounting of each connection may be done through a RADIUS client or locally.

MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported.

PPTP traffic uses TCP port 1723 and IP protocol GRE (Generic Routing Encapsulation, IP protocol ID 47), as assigned by the Internet Assigned Numbers Authority (IANA). PPTP can be used with most firewalls and routers by enabling traffic destined for TCP port 1723 and protocol 47 traffic to be routed through the firewall or router.

PPTP connections may be limited or impossible to set up through a masqueraded/NAT IP connection. Please see the Microsoft and RFC links at the end of this section for more information.

Additional Documents
- http://support.microsoft.com/support/kb/articles/q162/8/47.asp
- http://www.ietf.org/rfc/rfc2637.txt?number=2637
- http://www.ietf.org/rfc/rfc3078.txt?number=3078
- http://www.ietf.org/rfc/rfc3079.txt?number=3079

PPTP Client Setup

Home menu level: /interface pptp-client

Property Description
name (name; default: pptp-outN) - interface name for reference
mtu (integer; default: 1460) - Maximum Transm
og configuration changed by admin

[admin@MikroTik] > log print follow
  TIME                  MESSAGE
  dec/24/2003 08:20:36  log configuration changed by admin
  dec/24/2003 08:24:34  log configuration changed by admin
  dec/24/2003 08:24:51  log configuration changed by admin
  dec/24/2003 08:25:59  log configuration changed by admin
  dec/24/2003 08:29:29  log configuration changed by admin
  dec/24/2003 08:30:05  log configuration changed by admin
  dec/24/2003 08:30:05  log configuration changed by admin
  dec/24/2003 08:35:56  system started
  dec/24/2003 08:35:57  isdn-out1 initializing
  dec/24/2003 08:35:57  isdn-out1 dialing
  dec/24/2003 08:35:58  Prism firmware loading: OK
  dec/24/2003 08:37:48  user admin logged in from 10.1.0.60 via telnet
-- Ctrl-C to quit. New entries will appear at bottom.
[admin@MikroTik] >
om (username) - the name of the user
address (read-only: IP address) - IP address of the user
uptime (read-only: time) - current session time (logged-in time) of the user
session-timeout (read-only: time) - how much time is left for the user until he/she will be automatically logged out
idle-timeout (read-only: time) - how much idle time is left for the user until he/she will be automatically logged out
bytes-in (read-only: time) - how many bytes did the router receive from the client
bytes-out (read-only: time) - how many bytes did the router send to the client
packets-in (read-only: time) - how many packets did the router receive from the client
packets-out (read-only: time) - how many packets did the router send to the client
keepalive-lost (read-only: time) - how much time has passed since the last packet from the client was received

Example
To get the list of active users:

[admin@MikroTik] ip hotspot active> print
Flags: R - radius, H - DHCP
  #   USER    ADDRESS      UPTIME   SESSION-TIMEOUT   IDLE-TIMEOUT
  0   Ex      10.0.0.144   4m17s    55m43s
[admin@MikroTik] ip hotspot active>

HotSpot Remote AAA

Home menu level: /ip hotspot aaa

Property Description
use-radius (yes | no; default: no) - whether the user database in a RADIUS server should be consulted
accounting (yes | no; default: yes) - whether RADIUS accounting should be used (has no effect if RADIUS is not used)
interim-update (time; default: 0s) - Interim-U
on

logical NOT - unary operator which inverts a given boolean value
unary minus - inverts a given number value
bit inversion - unary operator which inverts bits in an IP address
binary plus - adds two numbers, two time values, or a number and an IP address
binary minus - subtracts two numbers, two time values, two IP addresses, or an IP address and a number
multiplication - binary operator which can multiply two numbers, or a time value by a number
division - binary operator; divides one number by another (gives a number), or a time value by a number (gives a time value)
< (less) - binary operator which compares two numbers, two time values or two IP addresses. Returns a boolean value
> (greater) - binary operator which compares two numbers, two time values or two IP addresses. Returns a boolean value
<= (less or equal) - binary operator which compares two numbers, two time values or two IP addresses. Returns a boolean value
>= (greater or equal) - binary operator which compares two numbers, two time values or two IP addresses. Returns a boolean value
&& (logical AND) - binary operator. The arguments and the result are both logical values
|| (logical OR) - binary operator. The arguments and the result are both logical values
& (bitwise AND) - the arguments and the result are both IP addresses
bitwise OR - the arguments and the result are both IP addresses
^ (bitwise XOR) - the arguments and th
on
Example
Troubleshooting
Description
Application Examples
PPPoE in a multipoint wireless 802.11 network

General Information

Summary
The PPPoE (Point to Point Protocol over Ethernet) protocol provides extensive user management, network management, and accounting benefits to ISPs and network administrators. Currently PPPoE is used mainly by ISPs to control client connections for xDSL and cable modems. PPPoE is an extension of the standard dial-up and synchronous protocol PPP. The transport is over Ethernet, as opposed to modem transport.

Generally speaking, PPPoE is used to hand out IP addresses to clients based on user (and workstation, if desired) authentication, as opposed to workstation-only authentication when static IP addresses or DHCP are used. Do not use static IP addresses or DHCP on interfaces on which PPPoE is used, for security reasons.

A PPPoE connection is composed of a client and an access concentrator (server). The client may be a Windows computer that has the PPPoE client protocol installed. The MikroTik RouterOS supports both client and access concentrator implementations of PPPoE. The PPPoE client and server work over any Ethernet-level interface on the router: wireless 802.11 (Aironet, Cisco, WaveLan, Prism, Atheros), 10/100/1000 Mbit/s Ethernet, RadioLan, and EoIP (Ethernet over IP tunnel). No encryption, MPPE 40bit RSA and MPPE 128bit RSA encryption is supported.

Supported connections
on
Example
Suppose we want to add an IPIP tunnel between routers R1 and R2:

[figure: WAN Cloud; IPIP tunnel between R1 (IP address 10.0.0.1) and R2 (IP address 22.63.11.6)]

At first, we need to configure IPIP interfaces and then add IP addresses to them. The configuration for router R1 is as follows:

[admin@MikroTik] interface ipip> add local-address=10.0.0.1 remote-address=22.63.11.6
[admin@MikroTik] interface ipip> print
Flags: X - disabled, R - running
  #    NAME     MTU   LOCAL-ADDRESS   REMOTE-ADDRESS
  0 X  ipip1    1480  10.0.0.1        22.63.11.6
[admin@MikroTik] interface ipip> en 0
[admin@MikroTik] interface ipip> /ip address add address=1.1.1.1/24 interface=ipip1

The configuration of R2 is shown below:

[admin@MikroTik] interface ipip> add local-address=22.63.11.6 remote-address=10.0.0.1
[admin@MikroTik] interface ipip> print
Flags: X - disabled, R - running
  #    NAME     MTU   LOCAL-ADDRESS   REMOTE-ADDRESS
  0 X  ipip1    1480  22.63.11.6      10.0.0.1
[admin@MikroTik] interface ipip> enable 0
[admin@MikroTik] interface ipip> /ip address add address=1.1.1.2/24 interface=ipip1

Now both routers can ping each other:

[admin@MikroTik] interface ipip> /ping 1.1.1.2
1.1.1.2 64 byte ping: ttl=64 time=24 ms
1.1.1.2 64 byte ping: ttl=64 time=19 ms
1.1.1.2 64 byte ping: ttl=64 time=20 ms
3 packets transmitted, 3 packets received, 0
one=myzone.com address=68.42.14.4 key-name=dns-update-key key=updat

Realtime Traffic Monitor (torch)

Document revision 1.2 (13.10.2003)
This document applies to MikroTik RouterOS V2.8

Table of Contents
General Information
Summary
Specifications
Related Documents
Description
The Torch Command
Property Description
Notes
Example

General Information

Summary
The realtime traffic monitor may be used to monitor the traffic flow through an interface.

Specifications
Packages required: system
License required: Any
Home menu level: /tool
Protocols utilized: none
Hardware usage: Not significant

Related Documents
- Software Package Installation and Upgrading

Description
Realtime Traffic Monitor (also called torch) is used for monitoring traffic that is going through an interface. You can monitor traffic classified by protocol name, source address, destination address, or port. Torch shows the protocols you have chosen and the mean transmitted and received data rate for each of them.

The Torch Command

Command name: /tool torch

Property Description
interface (name) - the name of the interface to monitor
protocol (any | any-ip | icmp | igmp | ipip | ospf | pup | tcp | udp | integer) - the name or number of the protocol
- any - any Ethernet or IP protocol
- any-ip - any IP protocol
port (name | integer) - the name or number of the port
source-address (IP address
onfigured from scratch
enable universal client (yes | no; default: no) - whether to enable Universal Client on the HotSpot interface
login method (dhcp-pool | enabled-address | smart; default: enabled-address) - login method to use
local address of temporary network (IP address; default: 192.168.0.1/24) - temporary HotSpot address for the interface (for the dhcp-pool method)
masquerade temporary network (yes | no; default: yes) - whether to masquerade the temporary network
address pool of temporary network (name) - IP address pool for the temporary HotSpot network
local address of hotspot network (IP address; default: 10.5.50.1/24) - HotSpot address for the interface
masquerade hotspot network (yes | no; default: yes) - whether to masquerade the HotSpot network
address pool of hotspot network (name) - IP address pool for the HotSpot network
use ssl (yes | no; default: no) - whether to use secure SSL authentication
import and setup certificate (yes | no; default: yes) - if the setup should try to import and set up a certificate
passphrase (text) - the passphrase of the certificate
select certificate (name) - which certificate to use
another port for service (integer; default: 4430) - if there is already a service on the 443 TCP port, setup will move that service to another port so that the HotSpot secure authentication page would be on the standard port for SSL
ip address of smtp server (IP address; default: 0.0.0.0) - IP address of t
onfirmation

Example
[admin@MikroTik] > system reboot
Reboot, yes? [y/N]: y
system will reboot shortly
[admin@MikroTik] >

Shutdown

Command name: /system shutdown

Description
Before turning the power off for the router, the system should be brought to a halt. The shutdown process sends a termination signal to all running processes, unmounts the file systems, and halts the router. For most systems it is necessary to wait approximately 30 seconds for a safe power down.

Notes
Only users who are members of groups with reboot privileges are permitted to shut down the router.
Shutdown can be called from scripts, in which case it does not prompt for confirmation.

Example
[admin@MikroTik] > system shutdown
Shutdown, yes? [y/N]: y
system will shutdown promptly
[admin@MikroTik] >

Configuration Reset

Description
The command clears all configuration of the router and sets it to the default, including the login name and password ('admin' and no password). After the reset command the router is rebooted.

Example
[admin@MikroTik] > system reset
Dangerous! Reset anyway? [y/N]: n
action cancelled
[admin@MikroTik] >

Router Identity

Home menu level: /system identity

Description
The router identity is displayed before the command prompt. It is also used by the DHCP client as the host name parameter when reporting it to the DHCP server.

Example
To view the router identity:
ad
only - the interface will only reply to requests originated to its own IP addresses, but neighbor MAC addresses will be gathered from the /ip arp statically set table only
vlan-id (integer; default: 1) - Virtual LAN identifier or tag that is used to distinguish VLANs. Must be equal for all computers in one VLAN.

Notes
MTU should be set to 1500 bytes as on Ethernet interfaces. But this may not work with some Ethernet cards that do not support receiving/transmitting of full size Ethernet packets with the VLAN header added (1500 bytes data + 4 bytes VLAN header + 14 bytes Ethernet header). In this situation MTU 1496 can be used, but note that this will cause packet fragmentation if larger packets have to be sent over the interface. At the same time, remember that MTU 1496 may cause problems if path MTU discovery is not working properly between source and destination.

Example
To add and enable a VLAN interface named test with vlan-id=1 on interface ether1:

[admin@MikroTik] interface vlan> add name=test vlan-id=1 interface=ether1
[admin@MikroTik] interface vlan> print
Flags: X - disabled, R - running
  #    NAME    MTU   ARP       VLAN-ID   INTERFACE
  0 X  test    1500  enabled   1         ether1
[admin@MikroTik] interface vlan> enable 0
[admin@MikroTik] interface vlan> print
Flags: X - disabled, R - running
  #    NAME    MTU   ARP       VLAN-ID   INTERFACE
  0 R  test    1500  enabled   1         ether1
[admin@MikroTik] interface vlan>

Ap
oposed algorithm for signing DNS messages

Specifications
Packages required: advanced-tools
License required: Any
Command name: /tool dns-update
Protocols utilized: Dynamic Updates in the DNS (RFC 2136), Secure DNS Dynamic Update (RFC 3007)
Hardware usage: Not significant

Related Documents
- Software Package Installation and Upgrading

Description
Dynamic DNS Update is a tool that should be run manually to update a dynamic DNS server. Note that you have to have a properly configured DNS server that supports DNS updates.

Additional Documents
- DNS related RFCs

Dynamic DNS Update

Command name: /tool dns-update

Property Description
address (IP address) - defines the IP address associated with the domain name
dns-server (IP address) - DNS server to send the update to
key (text; default: "") - authorization key (password of a kind) to access the server
key-name (text; default: "") - authorization key name (username of a kind) to access the server
name (text) - name to attach to the IP address
ttl (integer; default: 0) - time to live for the item (in seconds)
zone (text) - DNS zone in which to update the domain name

Notes

Example
To tell the 23.34.45.56 DNS server to (re)associate the mydomain name in the myzone.com zone with the 68.42.14.4 IP address, specifying that the name of the key is dns-update-key and the actual key is update:

[admin@MikroTik] tool> dns-update dns-server=23.34.45.56 name=mydomain z
or action=redirect, dst-address is changed. Information about the translation of addresses (including the original dst-address) is kept in the router's internal tables. A transparent web proxy working on the router (when web requests get redirected to the proxy port on the router) can access this information from the internal tables and get the address of the web server from them. If you are dst-natting to some different proxy server, it has no way to find the web server's address from the IP header (because the dst-address of the IP packet, which previously was the address of the web server, has changed to the address of the proxy server). Starting from HTTP/1.1 there is a special header in the HTTP request which tells the web server address, so the proxy server can use it instead of the dst-address of the IP packet. If there is no such header (older HTTP version on the client), the proxy server cannot determine the web server address and therefore cannot work.

It means that it is impossible to correctly transparently redirect HTTP traffic from the router to some other transparent proxy box. The only correct way is to add a transparent proxy on the router itself and configure it so that your real proxy is the parent proxy. In this situation your real proxy does not have to be transparent any more, as the proxy on the router will be transparent and will forward proxy-style requests (according to the standard, these requests include all necessary information about the web server) to the real proxy.

Common NAT Parameters

Description
The src-nat and the dst-nat have some common p
or destination NAT rules, as well as for applying queuing to them. It is also possible to mark the packets associated (including related) with the same connection as the marked packet (in other words, to mark a connection with all related connections you need to mark only one packet belonging to that connection).

You may also want to change the TCP Maximum Segment Size (MSS) to a value which is your desired MTU value less 40. The MSS can be set only for TCP SYN packets.

Property Description
action (accept | passthrough; default: accept) - action to undertake if the packet matches the rule, one of the:
- accept - accept the packet, applying the appropriate attributes (marks, MSS), and no more rules are processed in the list
- passthrough - apply the appropriate attributes (marks, MSS) and go on to the next rule
disabled (yes | no; default: no) - specifies whether the rule is disabled or not
in-interface (name; default: all) - interface the packet has entered the router through. If the default value all is used, it may include the local loopback interface for packets originated from the router
src-address (IP address; default: 0.0.0.0/0:0-65535) - source IP address
src-netmask (IP address; default: accept) - source netmask in decimal form x.x.x.x
src-port (integer: 0..65535; default: 0-65535) - source port number or range
- 0-65535 - all ports from 0 to 65535
comment (text; default: "") - a descriptive comment for the rule
ds
or use other payment methods) - you cannot use the selected payment method from the router anymore (due to system changes for credit cards now)
- ERROR: You must enable this feature in account server (change user information section) - you should enable the "Allow to use my account in netinstall" feature on the account server in the change user information section
- ERROR: Incorrect username or password - self-explanatory
- ERROR: You are not allowed to use this service, please contact sales@mikrotik.com for further assistance
- Key upgraded successfully - the upgrade procedure has been completed successfully
output - exports the current key to a key file
update-key - request a free update of your existing key to the version 2.8 one (this can be done during your existing key upgrade term)
(IP address) - key server's IP address
(text) - username to log into the key server
(text) - password to log into the key server
(text; default: "") - script to execute while the command is running
(time; default: 1s) - how frequently to execute the given script
- if specified, executes the script once and then terminates
- the command's execution status:
- Resolving www.mikrotik.com... - resolving DNS name
- Failed to resolve www.mikrotik.com, check your dns settings - check whether the DNS client is set up on the router and that it is allowed to resolve a DNS name on the DNS server set
- Failed to connect, probably no IP address - self-explanatory
- Faile
or your server, it will be possible for this user to change the time on your server at his will.

Example
To enable the NTP server to answer unicast requests only:

[admin@MikroTik] system ntp server> set manycast=no enabled=yes
[admin@MikroTik] system ntp server> print
      enabled: yes
    broadcast: no
    multicast: no
     manycast: no
[admin@MikroTik] system ntp server>

Time Zone

Home menu level: /system clock

Notes
NTP changes the local clock to UTC (GMT) time by default.

Example
The time zone is specified as the difference between local time and GMT time. For example, if GMT time is 10:24:40, but the correct local time is 12:24:40, then the time zone has to be set to +2 hours:

[admin@MikroTik] system clock> print
         time: dec/24/2003 10:24:40
    time-zone: +00:00
[admin@MikroTik] system clock> set time-zone=+02:00
[admin@MikroTik] system clock> print
         time: dec/24/2003 12:24:42
    time-zone: +02:00
[admin@MikroTik] system clock>

If local time is before GMT time, the time-zone value will be negative. For example, if GMT is 18:00:00 but the correct local time is 15:00:00, the time zone has to be set to -3 hours:

[admin@MikroTik] system clock> set time-zone=-3
[admin@MikroTik] system clock> print
         time: dec/24/2003 07:29:33
    time-zone: -03:00
[admin@MikroTik] system clock>

RouterBOARD-specific Functions

Document revision 2.4 (18-Feb-2004)
This document applies to MikroTik RouterOS V2.8

Table of
ork interface cards (most ISA and PCI ISDN cards) require the device drivers to be loaded manually using the /driver add command. Users cannot add their own device drivers; only drivers included in the MikroTik RouterOS software packages can be used. If you need support for a device which hasn't a driver yet, you are welcome to suggest it at the suggestion page on our web site.

Home menu level: /driver
Protocols utilized: PCI, ISA, PCMCIA, miniPCI, CardBus
Hardware usage: Not significant

Related Documents
- Software Package Management
- License Management

Device Driver List

Loading Device Drivers

Home menu level: /driver

Description
In order to use a network interface card which has a driver that is not loaded automatically (exempli gratia, an NE2000 compatible ISA card), you need to add the driver manually. This is accomplished by issuing the add command under the /driver submenu level.

To see the system resources occupied by the installed devices, use the /system resource io print and /system resource irq print commands.

Property Description
io (integer) - input/output port base address
irq (integer) - interrupt request number
isdn-protocol (euro | german; default: euro) - line protocol setting for ISDN cards
memory (integer; default: 0) - shared memory base address
name (name) - driver name

Notes
Not all combinations of irq and io base addresses might work on your particular system. It is recommended that you first fin
ost Configuration Protocol) protocol is needed for easy distribution of IP addresses in a network. The MikroTik RouterOS implementation includes both server and client parts and is compliant with RFC 2131.
- IP assignment in LAN, cable modem, and wireless systems
- Obtaining IP settings on cable modem systems
IP addresses can be bound to MAC addresses using the static lease feature.
The DHCP server can be used with the MikroTik RouterOS HotSpot feature to authenticate and account DHCP clients. See the HotSpot Manual for more information.

Specifications
Packages required: dhcp
License required: Any
Home menu level: /ip dhcp-client, /ip dhcp-server, /ip dhcp-relay
Protocols utilized: DHCP

Description
The DHCP protocol gives and allocates IP addresses to IP clients. DHCP is basically insecure and should only be used in trusted networks. The DHCP server always listens on UDP port 67, the DHCP client on UDP port 68. The initial negotiation involves communication between broadcast addresses (on some phases the sender will use a source address of 0.0.0.0 and/or a destination address of 255.255.255.255). You should be aware of this when building a firewall.

Additional Documents

DHCP Client Setup

Home menu level: /ip dhcp-client

Description
The MikroTik RouterOS DHCP client may be enabled on one Ethernet-like interface at a time. The client will accept an address, netmask, default gateway, and two dns server addresses. The received IP address will be added to the
ost property can be used.
Security issue: do not assign an IP address to the interface you will be receiving the PPPoE requests on.

Example
To add a PPPoE server on the ether1 interface providing the ex service and allowing only one connection per host:

[admin@MikroTik] interface pppoe-server server> add interface=ether1 service-name=ex one-session-per-host=yes
[admin@MikroTik] interface pppoe-server server> print
Flags: X - disabled
  0 X service-name="ex" interface=ether1 mtu=1480 mru=1480 authentication=mschap2,mschap,chap,pap keepalive-timeout=10 one-session-per-host=yes default-profile=default
[admin@MikroTik] interface pppoe-server server>

PPPoE Server Users

Home menu level: /interface pppoe-server

Property Description
name (name) - interface name
service-name (name) - name of the service the user is connected to
remote-address (MAC address) - MAC address of the connected client
user (name) - the name of the connected user
encoding (text) - encryption and encoding (if asymmetric, separated with '/') being used in this connection
uptime - shows how long the client has been connected

Example
To view the currently connected users:

[admin@MikroTik] interface pppoe-server> print
Flags: R - running
  #    NAME         SERVICE   REMOTE-ADDRESS      USER   ENCO...   UPTIME
  0 R  <pppoe-ex>   ex        00:C0:CA:16:16:A5   ex               12s
[admin@MikroTik] interf
otes
Software Package Uninstalling
Description
Notes
Example
Software Package List
Description

General Information

Summary
The MikroTik RouterOS is distributed in the form of software packages. The basic functionality of the router and the operating system itself is provided by the system software package. Other packages contain additional software features as well as support for various network interface cards.

License required: Any
Home menu level: /system package
Protocols utilized: FTP
Hardware usage: Not significant

Related Documents
- Basic Setup Guide
- Device Drivers Management
- Licenses Management

Description

Features
The modular software package system of MikroTik RouterOS has the following features:
- Ability to extend RouterOS functions by installing additional software packages
- Optimal usage of the storage space by employing a modular/compressed system
- Unused software packages can be uninstalled
- The RouterOS functions and the system itself can be easily upgraded
- Multiple packages can be installed at once
- The package dependency is checked before installing a software package. The package will not be installed if the required software package is missing
- The version of the feature package should be the same as that of the system package
- The packages can be uploaded to the router using ftp and are installed only when the router is going for shutdown (during the reboot process)
-
ould be enabled according to the instructions given above. The IP addresses assigned to the cyclades interface should be as follows:

[admin@MikroTik] ip address> add address=1.1.1.1/32 interface=cyclades1
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST         INTERFACE
  0   10.0.0.219/24      10.0.0.0        10.0.0.255        ether1
  1   1.1.1.1/32         1.1.1.1         255.255.255.255   cyclades1
  2   192.168.0.254/24   192.168.0.0     192.168.0.255     ether2
[admin@MikroTik] ip address> /ping 1.1.1.2
1.1.1.2 64 byte pong: ttl=255 time=12 ms
1.1.1.2 64 byte pong: ttl=255 time=8 ms
1.1.1.2 64 byte pong: ttl=255 time=7 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 7/9.0/12 ms
[admin@MikroTik] ip address> /tool flood-ping 1.1.1.2 size=1500 count=50
     sent: 50
 received: 50
  min-rtt: 1
  avg-rtt: 1
  max-rtt: 9
[admin@MikroTik] ip address>

Note that for the point-to-point link the network mask is set to 32 bits, the argument network is set to the IP address of the other end, and the broadcast address is set to 255.255.255.255. The default route should be set to the gateway router 1.1.1.2:

[admin@MikroTik] ip route> add gateway=1.1.1.2 interface=cyclades1
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, R - rip, O - ospf, B - bgp
  #   DST-ADDRESS        G GATEWAY
oute for it. It is shown as 0 in the example above.

IP Security

Document revision 2.7 (06-Nov-2003)
This document applies to MikroTik RouterOS V2.8

Table of Contents
Specifications
Related Documents
Description
Policy Settings
Description
Property Description
Notes
Example
Peers
Description
Property Description
Notes
Example
Remote Peer Statistics
Description
Property Description
Example
Installed SAs
Description
Property Description
Example
Flushing Installed SA Table
Description
Property Description
Example
Counters
Property Description
Example
MikroTik Router to MikroTik Router
IPsec Between two Masquerading MikroTik Routers
MikroTik router to CISCO Router

General Information

Specifications
Packages required: security
License required: Any
Home menu level: /ip ipsec
Protocols utilized: IPsec
Hardware usage: consumes a lot of CPU time (Intel Pentium MMX or AMD K6 suggested as a minimal configuration)

Related Documents
- Software Package Management
- IP Addresses and ARP
- Firewall Filters and Network Address Translation (NAT)

Description
IPsec (IP Security) supports secure (encrypted) communications over IP networks.

Encryption
After a packet is src-natted, but before putting it into the interface queue, the IPsec policy database is consulted to find out if the packet should be encrypted. The Security Policy Database (SPD) is a list of rules
p under the interfaces list.
- Obtain the required license for the 2.4/5GHz Wireless Client feature.
The wireless card does not register to the Access Point
- Check the cabling and antenna alignment.

Application Examples

Point-to-Multipoint Wireless LAN
Let us consider the following network setup with a CISCO Aironet Wireless Access Point as a base station and a MikroTik Wireless Router as a client:

[figure: Wireless Access Point (ssid=mt, frequency=2442, address 10.1.1.250/24) on the 2.4GHz 11Mbps Wireless Network 10.1.1.0/24; Wireless Router "mikrotik" with interface aironet1 (ssid=mt, mode=infrastructure, address 10.1.1.12/24) and interface Local (address 192.168.0.254/24) serving the Local Network 192.168.0.0/24 with Workstation 192.168.0.1 and Laptop 192.168.0.2]

The access point is connected to the wired network's HUB and has an IP address from the network 10.1.1.0/24.

The minimum configuration required for the AP is:
1. Setting the Service Set Identifier (up to 32 alphanumeric characters). In our case we use ssid mt.
2. Setting the allowed data rates at 1-11Mbps, and the basic rate at 1Mbps.
3. Choosing the frequency, in our case we use 2442MHz.
4. (For CISCO Aironet Bridges only) Set Configuration/Radio/Extended/Bridge mode=access_point. If you leave it at bridge_only, it won't register clients.
5. Setting the identity parameters Configuration/Ident: Inaddr, Inmask, and Gateway. These
385. p2 default-profile=default
[admin@HomeOffice] interface pptp-server server>

Add a PPTP client to the RemoteOffice router:
[admin@RemoteOffice] interface pptp-client> add connect-to=192.168.80.1 user=ex password=lkjrht disabled=no
[admin@RemoteOffice] interface pptp-client> print
Flags: X - disabled, R - running
  0  R name="pptp-out1" mtu=1460 mru=1460 connect-to=192.168.80.1 user="ex" password="lkjrht" profile=default add-default-route=no
[admin@RemoteOffice] interface pptp-client>

Thus, a PPTP tunnel is created between the routers. This tunnel is like an Ethernet point-to-point connection between the routers with IP addresses 10.0.103.1 and 10.0.103.2 at each router. It enables 'direct' communication between the routers over third party networks.

[Network diagram: Network Setup with PPTP. HomeOffice (192.168.80.1/24, tunnel address 10.0.103.1, interface LocalHomeOffice) and RemoteOffice (192.168.81.1/24, tunnel address 10.0.103.2, interface LocalRemoteOffice) connected through ISP 1 and ISP 2 over the Internet by an encrypted PPTP tunnel; networks 192.168.80.0/24 and 192.168.81.0/24 (netmask 255.255.255.0); local networks 10.150.2.0/24 and 10.150.1.0/24 (netmask 255.255.255.0) with workstations 10.150.2.1/24 and 10.150.1.1/24]

To route the local Intranets over the PPTP tunnel, add these routes:
[admin@HomeOffice] > ip route add dst-address=10.150.1.0/24 gateway=10.0.10
386. packet loss, round-trip min/avg/max = 19/21.0/24 ms
[admin@MikroTik] interface ipip>

Ethernet Interfaces
Document revision 1.1 (08.09.2003). This document applies to MikroTik RouterOS V2.8.

Table of Contents: General Information (Summary, Specifications, Related Documents, Additional Documents); Ethernet Interface Configuration (Property Description, Notes, Example); Monitoring the Interface Status (Property Description, Notes, Example).

General Information
Summary
MikroTik RouterOS supports the following types of Ethernet Network Interface Cards: most NE2000 compatible ISA and PCI cards; 3com 3c509 ISA cards; DEC/Intel Tulip chip based cards; Intel Pro Gigabit PCI cards. The complete list of supported Ethernet NICs can be found in the Device Driver Management Manual.

Specifications
Packages required: system
Home menu level: /interface ethernet
Protocols utilized: IEEE 802.3
Hardware usage: Not significant

Related Documents: Software Package Management; Device Driver Management; IP Addresses and ARP; DHCP (Dynamic Host Configuration Protocol) Client and Server.

Additional Documents
http://infocomp.csuchico.edu/metis/internet/topology/topo3_ethernet.htm
http://www.dcs.gla.ac.uk/liddellj/nct/ethernet_protocol.html - Ethernet Information Site

Ethernet Interface Configuration
Home menu level: /interface ethernet

Property Description
name (n
387. pdate time interval (0s = do not send accounting updates)

Notes
RADIUS user database is consulted only if the required username is not found in the local user database. The value set in interim-update is overridden by the value sent by a RADIUS server, if any.

Example
To enable RADIUS AAA:
[admin@MikroTik] ip hotspot aaa> set use-radius=yes
[admin@MikroTik] ip hotspot aaa> print
    use-radius: yes
    accounting: yes
    interim-update: 0s
[admin@MikroTik] ip hotspot aaa>

HotSpot Server Settings
Home menu level: /ip hotspot server

Description
HotSpot Server configuration is used to modify DHCP leases for logged-in users in order for them to get non-temporary addresses. When a user has successfully authenticated, the HotSpot Server communicates with the DHCP server to change the lease information the user will receive next time he/she requests a DHCP lease (that is why the lease of a temporary address should be as short as possible). The new lease should not be for a long time either, for users to be able to switch fast on one machine, as well as to reuse the IP addresses of this pool (users are logged out just as they click the log-out button, but their addresses stay allocated to the machines they have been using, making it impossible for other users to log in from these machines).

Property Description
name (name) - server profile name
dhcp-server (name) - DHCP server with which to use this profile
lease-time (
388. pe=crystalfontz serial-port=serial1
[admin@MikroTik] system lcd>
As you see, the first try to set the LCD type failed because it wanted to use serial0, which is commonly used for the Serial Console by default.

LCD Information Display Configuration
Home menu level: /system lcd page

Description
The submenu is used for configuring the LCD information display: what pages, and for how long, will be shown.

Property Description
display-time (time; default: 5s) - how long to display the page
description (text) - page description

Notes
You can neither add your own pages (they are created dynamically depending on the configuration) nor change the pages' description.

Example
To enable displaying all the pages:
[admin@MikroTik] system lcd page> print
Flags: X - disabled
  #   DISPLAY-TIME DESCRIPTION
  0 X 5s           System date and time
  1 X 5s           System resources: cpu and memory load
  2 X 5s           System uptime
  3 X 5s           Aggregate traffic in packets/sec
  4 X 5s           Aggregate traffic in bits/sec
  5 X 5s           Software version and build info
  6 X 5s           ether1
  7 X 5s           prism1
[admin@MikroTik] system lcd page> enable [find]
[admin@MikroTik] system lcd page> print
Flags: X - disabled
  #   DISPLAY-TIME DESCRIPTION
  0   5s           System date and time
  1   5s           System resources: cpu and memory load
  2   5s           System uptime
  3   5s           Aggregate traffic in packets/sec
  4   5s           Aggregate traffic in bits/sec
  5   5s           Software version an
389. pecifications, Description; RadioLAN: Specifications, Description; Synchronous: Specifications, Description; Asynchronous: Specifications, Description; ISDN: Specifications, Description; VoIP: Specifications, Description; xDSL: Specifications, Description; HomePNA: Specifications, Description; LCD: Specifications, Description; PCMCIA Adapters: Specifications, Description.

General Information
Summary
The document lists the drivers included in MikroTik RouterOS and the devices that are tested to work with MikroTik RouterOS. If a device is not listed here, it does not mean the device is not supported, it still may work. It just means that the device was not tested.

Ethernet
Specifications
Packages required: system

Description
3Com 509 Series
Chipset type: 3Com 509 Series ISA 10Base
- 3Com EtherLink II
3Com FastEtherLink
Chipset type: 3Com 3c590/3c900 (3Com FastEtherLink and FastEtherLink XL) PCI 10/100Base
- 3c590 Vortex 10Mbps
- 3c592 chip
- 3c595 Vortex 100baseTX
- 3c595 Vortex 100baseT4
- 3c595 Vortex 100base-MII
- 3c597 chip
- 3Com Vortex
- 3c900 Boomerang 10baseT
- 3c900 Boomerang 10Mbps Combo
- 3c900 Cyclone 10Mbps Combo
- 3c900B-FL Cyclone 10base-FL
- 3c905 Boomerang 100baseTX
- 3c905 Boomerang 100baseT4
- 3c905B Cyclone 100baseTX
- 3c905B Cyclone 10/100/BNC
- 3c905B-FX Cyclone 100baseFX
- 3c905C Tornado
- 3c980 Cyclone
- 3cSOHO100-TX Hurricane
- 3c555 Laptop Hurricane
- 3c575 Boomerang CardBus
- 3CCFE575 Cyclone CardBus
- 3CCFE656
390. peedo3
Intel EtherExpressPro PCI 10/100Base
- Intel i82557/i82558/i82559ER/i82801BA-7 EtherExpressPro PCI cards
Intel PRO/1000
Chipset type: Intel i8254x, Intel PRO/1000 PCI 10/100/1000Base
- Intel PRO/1000 Gigabit Server Adapter (i82542), Board IDs: 700262-xxx, 717037-xxx
- Intel PRO/1000 F Server Adapter (i82543), Board IDs: 738640-xxx, A38888-xxx
- Intel PRO/1000 T Server Adapter (i82543), Board IDs: A19845-xxx, A33948-xxx
- Intel PRO/1000 XT Server Adapter (i82544), Board IDs: A51580-xxx
- Intel PRO/1000 XF Server Adapter (i82544), Board IDs: A50484-xxx
- Intel PRO/1000 T Desktop Adapter (i82544), Board IDs: A62947-xxx
- Intel PRO/1000 MT Desktop Adapter (i82540), Board IDs: A78408-xxx, C91016-xxx
- Intel PRO/1000 MT Server Adapter (i82545), Board IDs: A92165-xxx, C31527-xxx
- Intel PRO/1000 MT Dual Port Server Adapter (i82546), Board IDs: A92111-xxx, C29887-xxx
- Intel PRO/1000 MT Quad Port Server Adapter (i82546), Board IDs: C32199-xxx
- Intel PRO/1000 MF Server Adapter (i82545), Board IDs: A91622-xxx, C33915-xxx
- Intel PRO/1000 MF Server Adapter (LX) (i82545), Board IDs: A91624-xxx, C33916-xxx
- Intel PRO/1000 MF Dual Port Server Adapter (i82546), Board IDs: A91620-xxx, C30848-xxx
Marvell Yukon
Chipset type: Marvell Yukon 88E80xx PCI 10/100/1000Base
- 3Com 3C940 Gigabit LOM Ethernet Adapter
- 3Com 3C941 Gigabit LOM Ethernet Adapter
- Allied Telesyn AT-2970LX Gigabit Ethernet Adapter
- Allied Telesyn AT-2970LX/2SC Gigabit Ethernet Adapter
- Allied Teles
391. perating in ad-hoc mode will try to connect to an existing network rather than create a new one
- 0 - do not create own network
beacon-period (integer: 20..976; default: 100) - specifies beaconing period (applicable to ad-hoc mode only)
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol
card-type (read-only: text) - your CISCO/Aironet adapter model and type

Example
Interface informational printouts:
[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
  #    NAME     TYPE    MTU
  0  R ether1   ether   1500
  1  X ether2   ether   1500
  2  X pc1      pc      1500
[admin@MikroTik] interface> set 1 name=aironet
[admin@MikroTik] interface> enable aironet
[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
  #    NAME     TYPE    MTU
  0  R ether1   ether   1500
  1  X ether2   ether   1500
  2  R aironet  pc      1500
[admin@MikroTik] > interface pc
[admin@MikroTik] interface pc> print
Flags: X - disabled, R - running
  0  R name="aironet" mtu=1500 mac-address=00:40:96:29:2F:80 arp=enabled client-name="" ssid1="tsunami" ssid2="" ssid3="" mode=infrastructure data-rate=1Mbit/s frequency=2437MHz modulation=cck tx-power=100 ap1=00:00:00:00:00:00 ap2=00:00:00:00:00:00 ap3=00:00:00:00:00:00 ap4=00:00:00:00:00:00 rx-antenna=right tx-antenna=right beacon-period=100 long-retry-limit=16 short-retry-limit=16 rts-threshold=2312 fragmentation-thres
392. perty Description
action (accept | drop | jump | passthrough | reject | return; default: accept) - action to undertake if the packet matches the rule, one of the:
- accept - accept the packet. No action, i.e., the packet is passed through without undertaking any action, except for mangle, and no more rules are processed in the relevant list/chain
- drop - silently drop the packet (without sending the ICMP reject message)
- jump - jump to the chain specified by the value of the jump-target argument
- passthrough - ignore this rule, except for mangle, go on to the next one. Acts the same way as a disabled rule, except for ability to count and mangle packets
- reject - reject the packet and send an ICMP reject message
- return - return to the previous chain, from where the jump took place
disabled (yes | no; default: no) - specifies whether the rule is disabled or not
in-interface (name; default: all) - interface the packet has entered the router through
- all - may include the local loopback interface for packets originated from the router
out-interface (name; default: name) - interface the packet is leaving the router from
- all - may include the local loopback interface for packets with destination to the router
src-port (integer: 0..65535) - source port number or range (0-65535)
- all ports - 1-65535
comment (text; default: "") - a descriptive comment for the rule
dst-address (IP address/mask:port; default: 0.0.0.0/0
393. plication Example
VLAN example on MikroTik Routers
Let us assume that we have two or more MikroTik RouterOS routers connected with a hub. The interface to the physical network where the VLAN is to be created is ether1 for all of them (it is needed only for example simplification, it is NOT a must). To connect computers through a VLAN they must be connected physically, and unique IP addresses should be assigned to them so that they could ping each other. Then on each of them the VLAN interface should be created:
[admin@MikroTik] interface vlan> add name=test vlan-id=32 interface=ether1
[admin@MikroTik] interface vlan> print
Flags: X - disabled, R - running
  #    NAME   MTU  ARP      VLAN-ID  INTERFACE
  0  R test   1500 enabled  32       ether1
[admin@MikroTik] interface vlan>
If the interfaces were successfully created, both of them will be running. If computers are connected incorrectly (through a network device that does not retransmit or forward VLAN packets), either both or one of the interfaces will not be running.
When the interface is running, IP addresses can be assigned to the VLAN interfaces.
On the Router 1:
[admin@MikroTik] ip address> add address=10.10.10.1/24 interface=test
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS          NETWORK     BROADCAST    INTERFACE
  0   10.0.0.204/24    10.0.0.0    10.0.0.255   ether1
  1   10.20.0.1/24     10.20.0.0   10.20
394. prism1 mtu=1480 mru=1480 authentication=mschap2,mschap,chap,pap keepalive-timeout=10 one-session-per-host=yes default-profile=default
[admin@MT_Prism_AP] interface pppoe-server server>
MSS should be changed for the packets flowing through the PPPoE link:
[admin@MT_Prism_AP] ip firewall mangle> add protocol=tcp tcp-options=syn-only action=passthrough tcp-mss=1440
[admin@MT_Prism_AP] ip firewall mangle> print
Flags: X - disabled, I - invalid
  0   src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:0-65535 protocol=tcp tcp-options=syn-only icmp-options=any:any flow="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=passthrough mark-flow="" tcp-mss=1440
[admin@MT_Prism_AP] ip firewall mangle>
And finally we can set up PPPoE clients:
[admin@MT_Prism_AP] ip pool> add name=pppoe ranges=10.0.0.230-10.0.0.240
[admin@MT_Prism_AP] ip pool> print
  #   NAME    RANGES
  0   pppoe   10.0.0.230-10.0.0.240
[admin@MT_Prism_AP] ip pool> /ppp profile
[admin@MT_Prism_AP] ppp profile> set default use-encryption=yes local-address=10.0.0.217 remote-address=pppoe
[admin@MT_Prism_AP] ppp profile> print
Flags: * - default
  0 * name="default" local-address=10.0.0.217 remote-address=pppoe session-timeout=0s idle-timeout=0s use-compression=no use-vj-compression=no use-encryption=yes require-encryption=no only-one
395. pt editor works only on VT102 compatible terminals (terminal names vt102, linux, xterm, rxvt are recognized as VT102 at the moment). Delete, backspace and cursor keys might not work with all terminal programs; use Ctrl alternatives in such cases.

Example
The following example shows the script editor window with a sample script open. This script is used for writing the message "hello" and 3 messages "kuku" to the system log.

Network Watching Tool
Specifications
Packages required: advanced-tools
License required: Any
Home menu level: /tool netwatch
Hardware usage: Not significant

Description
Netwatch monitors the state of hosts on the network. It does so by sending ICMP pings to the list of specified IP addresses. For each entry in the netwatch table you can specify IP address, ping interval and console scripts. The main advantage of netwatch is its ability to issue arbitrary console commands on host state changes.

Property Description
host (IP address; default: 0.0.0.0) - IP address of the host that should be monitored
interval (time; default: 1s) - the time between pings. Lowering this will make state changes more responsive, but can create unnecessary traffic and consume system resources
timeout (time; default: 1s) - timeout for each ping. If no reply from a host is received during this time, the host is considered unreachable (down)
up-script (name) - a console script that is executed once when the state of a host
396. pter hardware, please see http://www.moxa.com/product/sync/C502.htm (the product on-line documentation) and the C502 Dual Port Sync Board User's Manual (the user's manual in PDF format).

Synchronous Interface Configuration
Home menu level: /interface moxa-c502

Description
The Moxa c502 synchronous interface is shown under the interfaces list with the name moxa-c502-N.

Property Description
name (name; default: moxa-c502-N) - interface name
cisco-hdlc-keepalive-interval (time; default: 10s) - keepalive period in seconds
clock-rate (integer; default: 64000) - speed of internal clock
clock-source (external | internal | tx-from-rx | tx-internal; default: external) - clock source
frame-relay-dce (yes | no; default: no) - operate or not in DCE mode
frame-relay-lmi-type (ansi | ccitt; default: ansi) - Frame-relay Local Management Interface type:
- ansi - set LMI type to ANSI-617d (also known as Annex A)
- ccitt - set LMI type to CCITT Q933a (also known as Annex A)
ignore-dcd (yes | no; default: no) - ignore or not the DCD line
protocol (cisco-hdlc | frame-relay | sync-ppp; default: sync-ppp) - line protocol name
mtu (integer; default: 1500) - Maximum Transmit Unit

Notes
There will be TWO interfaces for each MOXA C502 card since the card has TWO ports.
The MikroTik driver for the MOXA C502 Dual Synchronous adapter allows you to unplug the V.35 cable from one modem and plug it into another modem with a different clock speed, and you do not need to restar
397. ptp-server> add name=from_remote user=joe
[admin@Our_GW] interface pptp-server> server set enable=yes
[admin@Our_GW] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME         USER   MTU   CLIENT-ADDRESS   UPTIME   ENC...
  0    from_remote  joe
[admin@Our_GW] interface pptp-server>
The Remote router will be the pptp client:
[admin@Remote] interface pptp-client> add name=pptp user=joe connect-to=192.168.1.1 password=top_s3 mtu=1500 mru=1500
[admin@Remote] interface pptp-client> enable pptp
[admin@Remote] interface pptp-client> print
Flags: X - disabled, R - running
  0  R name="pptp" mtu=1500 mru=1500 connect-to=192.168.1.1 user="joe" password="top_s2" profile=default add-default-route=no
[admin@Remote] interface pptp-client> monitor pptp
    status: connected
    uptime: 39m46s
    encoding: none
[admin@Remote] interface pptp-client>
See the PPTP Interface Manual for more details on setting up encrypted channels.
2. Configure the EoIP tunnel by adding the eoip tunnel interfaces at both routers. Use the ip addresses of the pptp tunnel interfaces when specifying the argument values for the EoIP tunnel:
[admin@Our_GW] interface eoip> add name=eoip-remote tunnel-id=0 remote-address=10.0.0.2
[admin@Our_GW] interface eoip> enable eoip-remote
[admin@Our_GW] interface eoip> print
Flags: X - disabled, R
398. r (32..64000; default: 1500) - second ICMP packet size
time-between-pings (integer) - the time between the first and the second ICMP echo requests in seconds. A new ICMP packet pair will never be sent before the previous pair is completely sent, and the algorithm itself will never send more than two requests in one second
once - specifies that the ping will be performed only once
interval (time: 20ms..5s) - time interval between two ping repetitions

Example
In the following example we will test the bandwidth to a host with IP address 159.148.60.2. The interval between repetitions will be 1 second:
[admin@MikroTik] tool> ping-speed 159.148.60.2 interval=1s
    current: 2.23Mbps
    average: 2.61Mbps
[admin@MikroTik] tool>

System Resource Management
Document revision 2.0 (24 Dec 2003). This document applies to MikroTik RouterOS V2.8.

Table of Contents: Summary; Specifications; Related Documents; System Resource (Notes, Example); IRQ Usage Monitor (Description, Example); IO Port Usage Monitor (Description, Example); Reboot (Description, Notes, Example); Shutdown (Description, Notes, Example); Configuration Reset (Description, Example); Router Identity (Description, Example); Date and Time (Property Description, Notes, Example); Configuration Change History (Description, Command Description, Notes, Example).

General Information
Summary
MikroTik RouterOS offers several features
399. r1 address 192.168.0.254/24; LAN 192.168.0.0/24; LAN 10.0.0.0/24]
The driver for the MOXA C101 card should be loaded and the interface should be enabled according to the instructions given above. The IP addresses assigned to the synchronous interface should be as follows:
[admin@MikroTik] ip address> add address=1.1.1.1/32 interface=wan network=1.1.1.2 broadcast=255.255.255.255
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS             NETWORK         BROADCAST         INTERFACE
  0   10.0.0.254/24       10.0.0.254      10.0.0.255        ether2
  1   192.168.0.254/24    192.168.0.254   192.168.0.255     ether1
  2   1.1.1.1/32          1.1.1.2         255.255.255.255   wan
[admin@MikroTik] ip address> /ping 1.1.1.2
1.1.1.2 64 byte pong: ttl=255 time=31 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 26/27.6/31 ms
[admin@MikroTik] ip address>
The default route should be set to the gateway router 1.1.1.2:
[admin@MikroTik] ip route> add gateway=1.1.1.2
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, R - rip, O - ospf, B - bgp
  #    DST-ADDRESS        G GATEWAY          DISTANCE  INTERFACE
  0  S 0.0.0.0/0          r 1.1.1.2          1         wan
  1 DC 10.0.0.0/24        r 10.0.0.254       0         ether2
  2 DC 192.168.0.0/24     r 192.168.0.254
400. re as dynamic entries. You can also add static leases to issue the definite client (determined by MAC address) the specified IP address.
Generally, the DHCP lease is allocated as follows:
1. an unused lease is in waiting state
2. if a client asks for an IP address, the server chooses one
3. if the client will receive a statically assigned address, the lease becomes offered, and then bound with the respective lease time
4. if the client will receive a dynamic address (taken from an IP address pool), the router sends a ping packet and waits for an answer for 0.5 seconds. During this time, the lease is marked testing
5. in case the address does not respond, the lease becomes offered, and then bound with the respective lease time
6. in the other case, the lease becomes busy for the lease time (there is a command to retest all busy addresses), and the client's request remains unanswered (the client will try again shortly)
Then a client may free the leased address. Then the dynamic lease is removed, and the allocated address is returned to the address pool. But the static lease becomes busy until the client reacquires the address.
Note that the IP addresses assigned statically are not probed.

Property Description
address (IP address; default: 0.0.0.0) - IP address lent to the client
mac-address (MAC address; default: 00:00:00:00:00:00) - MAC address of the client. It is the base for static lease assignment
lease-time (time
401. reat deal of radio interference
tx-power (1 | 5 | 20 | 50 | 100; default: 100) - transmit power in mW
rx-antenna (both | default | left | right; default: both) - receive antennas
tx-antenna (both | default | left | right; default: both) - transmit antennas
long-retry-limit (integer: 0..128; default: 16) - specifies the number of times an unfragmented packet is retried before it is dropped
short-retry-limit (integer: 0..128; default: 16) - specifies the number of times a fragmented packet is retried before it is dropped
frequency - Channel Frequency in MHz (applicable to ad-hoc mode only)
data-rate - data rate in Mbit/s
ap1 (MAC address) - forces association to the specified access point
ap2 (MAC address) - forces association to the specified access point
ap3 (MAC address) - forces association to the specified access point
ap4 (MAC address) - forces association to the specified access point
ssid1 (text; default: tsunami) - establishes the adapter's service set identifier. This value must match the SSID of the system in order to operate in infrastructure mode
ssid2 (text; default: "") - service set identifier 2
ssid3 (text; default: "") - service set identifier 3
modulation (cck | default | mbok; default: cck) - modulation mode
- cck - Complementary Code Keying
- mbok - M-ary Bi-Orthogonal Keying
client-name (text; default: "") - client name
join-net (time; default: 10) - an amount of time during which the interface o
402. ress for point-to-point links. The right netmask in this case is 32.

Example
To enable the OSPF protocol on the 10.10.1.0/24 network and include it into the backbone area, do the following:
[admin@MikroTik] routing ospf network> add area=backbone network=10.10.1.0/24
[admin@MikroTik] routing ospf network> print
Flags: X - disabled
  #   NETWORK         AREA
  0   10.10.1.0/24    backbone
[admin@MikroTik] routing ospf>

Interfaces
Home menu level: /routing ospf interface

Description
This facility provides tools for additional in-depth configuration of OSPF interface specific parameters. You do not have to configure interfaces in order to run OSPF.

Property Description
interface (name; default: all) - interface on which OSPF will run
- all - is used for the interfaces not having any specific settings
cost (integer: 1..65535; default: 1) - interface cost expressed as link state metric
priority (integer: 0..255; default: 1) - router's priority. It helps to determine the designated router for the network. When two routers attached to a network both attempt to become the designated router, the one with the higher router's priority takes precedence
authentication-key (text; default: "") - authentication key to be used by neighboring routers that are using OSPF's simple password authentication
retransmit-interval (time; default: 5s) - time between retransmitting lost link state advertisements. When a router sends a link state advert
403. ress value is calculated by binary AND operation from the network mask and IP address values. It's also possible to specify the IP address followed by a slash "/" and the amount of bits assigned to the network mask.
In most cases, it is enough to specify the address, the netmask, and the interface arguments. The network prefix and the broadcast address are calculated automatically.
It is possible to add multiple IP addresses to an interface or to leave the interface without any addresses assigned to it. Leaving a physical interface without an IP address is a must when bridging between interfaces is used. In case of bridging, the IP address is assigned to a bridge interface. MikroTik RouterOS has the following types of addresses:

Property Description
address (IP address) - IP address of the host
broadcast (IP address; default: 255.255.255.255) - broadcasting IP address, calculated by default from an IP address and a network mask
disabled (yes | no; default: no) - specifies whether the address is disabled or not
interface (name) - interface name the IP address is assigned to
netmask (IP address; default: 0.0.0.0) - specifies the network address part of an IP address
network (IP address; default: 0.0.0.0) - IP address for the network. For point-to-point links it should be the address of the remote end

Notes
You cannot have two different IP addresses from the same network assigned to the router. Exempli gratia, the combination of IP address 10.0.0.1/24 on the
404. rface have an appropriate IP address (note that each of the two interfaces should have an IP address); the routing table is set correctly (it should have at least a default route); SRC-NAT or masquerading should also be configured before. See the respective manual chapters on how to make this configuration.
We will assume that the interface the 192.168.1.0/24 network is connected to is named local on both VRRP routers.

Configuring Master VRRP router
First of all, we should create a VRRP instance on this router. We will use the priority of 255 for this router as it should be the preferred router:
[admin@MikroTik] ip vrrp> add interface=local priority=255
[admin@MikroTik] ip vrrp> print
Flags: X - disabled, I - invalid, M - master, B - backup
  0  M name="vr1" interface=local vrid=1 priority=255 interval=1 preemption-mode=yes authentication=none password="" on-backup="" on-master=""
[admin@MikroTik] ip vrrp>
Next, the virtual IP address should be added to this VRRP instance:
[admin@MikroTik] ip vrrp> address add address=192.168.1.1/24 group=vr1
[admin@MikroTik] ip vrrp> address print
Flags: X - disabled, A - active
  #   ADDRESS           NETWORK        BROADCAST        GROUP
  0   192.168.1.1/24    192.168.1.0    192.168.1.255    vr1
[admin@MikroTik] ip vrrp>
Now this address should appear in the /ip address list:
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS   NETWORK   BR
405. rial0 address 1.1.1.2/32; V.35 baseband modem; interface wan address 1.1.1.1/32; interface ether2 address 10.0.0.254/24; interface ether1 address 192.168.0.254/24; LAN 192.168.0.0/24; LAN 10.0.0.0/24]
The driver for the MOXA C502 card should be loaded and the interface should be enabled according to the instructions given above. The IP addresses assigned to the synchronous interface should be as follows:
[admin@MikroTik] ip address> add address=1.1.1.1/32 interface=wan network=1.1.1.2 broadcast=255.255.255.255
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS             NETWORK         BROADCAST         INTERFACE
  0   10.0.0.254/24       10.0.0.254      10.0.0.255        ether2
  1   192.168.0.254/24    192.168.0.254   192.168.0.255     ether1
  2   1.1.1.1/32          1.1.1.2         255.255.255.255   wan
[admin@MikroTik] ip address> /ping 1.1.1.2
1.1.1.2 64 byte pong: ttl=255 time=31 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 26/27.6/31 ms
[admin@MikroTik] ip address>
The default route should be set to the gateway router 1.1.1.2:
[admin@MikroTik] ip route> add gateway=1.1.1.2
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, R - rip, O - ospf, B - bgp
  #    DST-ADDRESS        G GA
406. ript source
duration (time; default: 0s) - duration of the test
- 0s - test duration is not limited
interval (time: 20ms..5s; default: 1s) - delay between reports (in seconds)
local-tx-speed (integer; default: 0) - transfer test maximum speed (bits per second)
- 0 - no speed limitations
password (text; default: "") - password for the remote user
protocol (udp | tcp; default: udp) - protocol to use
random-data (yes | no; default: no) - whether to use random data sending method or not (if set to yes, the speeds will be lower)
remote-tx-speed (integer; default: 0) - receive test maximum speed (bits per second)
- 0 - no speed limitations
size - packet size in bytes (only for UDP protocol)
user (name; default: "") - remote user

Example
To run a 15-second long bandwidth test to the 10.0.0.211 host, sending and receiving 1000-byte UDP packets and using username admin to connect:
[admin@MikroTik] tool> bandwidth-test 10.0.0.211 duration=15s direction=both size=1000 protocol=udp user=admin
    status: done testing
    duration: 15s
    tx-current: 3.62Mbps
    tx-10-second-average: 3.87Mbps
    tx-total-average: 3.53Mbps
    rx-current: 3.33Mbps
    rx-10-second-average: 3.68Mbps
    rx-total-average: 3.49Mbps
[admin@MikroTik] tool>

Packet Sniffer
Document revision 1.2 (13.10.2003). This document applies to MikroTik RouterOS V2.8.

Table of Contents: General Informatio
407. rism1 interface, so no dynamic entries are added to the ARP table. The DHCP server will add entries only for clients which have obtained DHCP leases:
/interface prism set prism1 arp=reply-only
4. Add two IP addresses to the prism1 interface:
/ip address add address=192.168.0.1/24 interface=prism1 comment="hotspot temporary network"
/ip address add address=10.5.50.1/24 interface=prism1 comment="hotspot real network"
5. Add 2 IP address pools:
/ip pool add name=hs-pool-temp ranges=192.168.0.2-192.168.0.254
/ip pool add name=hs-pool-real ranges=10.5.50.2-10.5.50.254
6. Add a masquerading rule for the temporary IP pool, which is not routed:
/ip firewall src-nat add src-address=192.168.0.0/24 action=masquerade comment="masquerade hotspot temporary network"
7. Make sure you have routing for the authenticated address space. Try to ping 10.5.50.1 from your Internet gateway (10.5.6.1, for example). See the Basic Setup Guide on how to set up routing.
8. Add a dhcp server for temporary IP addresses:
/ip dhcp-server add name=hs-dhcp-server interface=prism1 lease-time=14s address-pool=hs-pool-temp add-arp=yes disabled=no
/ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.1 dns-server=159.148.60.2,159.148.108.1 domain="example.com"
9. Add the hotspot server setup for real IP addresses:
/ip hotspot server add name=hs-server dhcp-server=hs-dhcp-server
408. rminated, the interface is not enabled, or the other side will not establish a connection
uptime (time) - connection time displayed in days, hours, minutes and seconds
encoding (text) - encryption and encoding (if asymmetric, separated with '/') being used in this connection

Example
Example of an established connection:
[admin@MikroTik] interface l2tp-client> monitor test2
    status: connected
    uptime: 4m27s
    encoding: MPPE128 stateless
[admin@MikroTik] interface l2tp-client>

L2TP Server Setup
Home menu level: /interface l2tp-server server

Description
The L2TP server supports unlimited connections from clients. For each current connection, a dynamic interface is created.

Property Description
enabled (yes | no; default: no) - defines whether the L2TP server is enabled or not
mtu (integer; default: 1460) - Maximum Transmission Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for a 1500-byte Ethernet link, set the MTU to 1460 to avoid fragmentation of packets)
mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MRU of the interface the tunnel is working over decreased by 40 (so, for a 1500-byte Ethernet link, set the MRU to 1460 to avoid fragmentation of packets)
authentication (multiple choice: pap | chap | mschap1 | mschap2; default: mschap2) - authentication algorithm
default-profile (default) - profile to use

Example
To ena
409. roTik] interface ethernet> print
Flags: X - disabled, R - running
  #    NAME      MTU   MAC-ADDRESS        ARP
  0  R ether1    1500  00:50:08:00:00:F5  enabled
[admin@MikroTik] interface ethernet> print detail
Flags: X - disabled, R - running
  0  R name="ether1" mtu=1500 mac-address=00:50:08:00:00:F5 arp=enabled
       disable-running-check=yes
[admin@MikroTik] interface ethernet>
Monitoring the Interface Status
Command name: /interface ethernet monitor
Property Description
status (link-ok | no-link | unknown) - status of the interface, one of the:
  - link-ok - the card has connected to the network
  - no-link - the card has not connected to the network
  - unknown - the connection is not recognized
data-rate (10 Mbps | 100 Mbps | 1000 Mbps) - the actual data rate of the connection
auto-negotiation (done | incomplete) - fast link pulses (FLP) to the adjacent link station to negotiate the SPEED and MODE of the link:
  - done - negotiation done
  - incomplete - negotiation failed
full-duplex (yes | no) - whether transmission of data occurs in two directions simultaneously
Notes
See the IP Addresses and Address Resolution Protocol (ARP) section of the manual for information on how to add IP addresses to the interfaces.
Example
[admin@MikroTik] interface ethernet> monitor ether2
          status: link-ok
auto-negotiation: done
            rate: 100Mbps
     full-duplex: yes
Moxa C502 Synchronous Interface
Document revision 1.1
410. roperties listed below. In turn, properties specific to each type of NAT will be listed in the appropriate sections.
Property Description
dst-address (IP address; default 0.0.0.0/0:0-65535) - destination IP address
src-address (IP address; default 0.0.0.0/0:0-65535) - source IP address
flow - flow mark to match. Only packets marked in the mangle facility would be matched
limit-time (time; default 0) - time interval used in limit-count
protocol (ah | all | ddp | egp | encap | esp | ggp | gre | hmp | icmp | idpr-cmtp | igmp | ipencap | ipip | iso-tp4 | ospf | pup | rdp | rspf | st | tcp | udp | vmtp | xns-idp | xtp; default any) - protocol setting
  - all - cannot be used if you want to match packets by ports
icmp-options - ICMP options
content (text; default "") - the text packets should contain in order to match the rule
comment (text; default "") - a descriptive comment for the rule
connection (text; default "") - connection mark to match. Only packets marked in the mangle facility would be matched
limit-burst (integer; default 0) - allowed burst for the limit-count during the limit-time
limit-count (integer; default 0) - specifies how many times to use the rule during the limit-time period
src-netmask (IP address) - source netmask in decimal form x.x.x.x
src-port (integer: 0..65535) - source port number or range
  - 0 - means all ports from 0 to 65535
dst-netmask (IP address) - destination netmask in decim
411. roperty Description; Example
Bridge Firewall: Description; Property Description; Example
Application Example: Example
Troubleshooting: Description
General Information
Summary
MAC level bridging of Ethernet, Ethernet over IP (EoIP), Prism, Atheros and RadioLAN interfaces is supported. All 802.11b and 802.11a client wireless interfaces (both ad-hoc and infrastructure or station modes) do not support this because of the limitations of 802.11; it is possible to bridge over them using the Ethernet over IP protocol (please see the documentation on EoIP). For preventing loops in a network you can use the Spanning Tree Protocol (STP). This protocol also makes redundant paths possible.
Features include:
  - Spanning Tree Protocol (STP)
  - Multiple bridge interfaces
  - Bridge associations on a per-interface basis
  - Protocol can be selected to be forwarded or discarded
  - MAC address table can be monitored in real time
  - IP address assignment for router access
  - Bridge interfaces can be firewalled
Specifications
Packages required: system
Home menu level: /interface bridge
Protocols utilized: Media Access Control (IEEE802.1D)
Hardware usage: Not significant
Related Documents
  - Software Package Installation and Upgrading
  - IP Addresses and Address Resolution Protocol (ARP)
  - EoIP (Ethernet over IP) Tunnel Interface
  - Firewall Filters
Description
Ethernet-like networks (Ethernet, Ethernet over IP, IEEE802.11 Wireless interfac
412. route. When forwarding a packet, the router will use the route with the lowest administrative distance and a reachable gateway
gateway-state (read-only: r | u) - shows the status of the next hop. Can be r (reachable) or u (unreachable)
  - unknown - the gateway cannot be reached directly or the route has been disabled
Notes
You can specify more than one or two gateways in the route. Moreover, you can repeat some routes in the list several times to do a kind of cost setting for gateways.
Example
To add two static routes to networks 192.168.0.0/16 and 0.0.0.0/0 (the default destination address) on a router with two interfaces and two IP addresses:
[admin@MikroTik] ip route> add dst-address=192.168.0.0/16 gateway=10.10.10.2
[admin@MikroTik] ip route> add gateway=10.10.10.1
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, r - rip, o - ospf, b - bgp
  #    DST-ADDRESS       G GATEWAY        DISTANCE INTERFACE
  0 S  192.168.0.0/16    r 10.10.10.2     1        Local
  1 S  0.0.0.0/0         r 10.10.10.1     1        Public
  2 DC 10.10.10.0/24     r 0.0.0.0        0        Public
[admin@MikroTik] ip route> print detail
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, r - rip, o - ospf, b - bgp
  0 S  dst-address=192.168.0.0/16 preferred-source=0.0.0.0 gateway=10.10.10.2 gateway-state=reachable distance=1 interface=Local
  1 S  dst-address=0.0.0.0/0 preferred-so
413. rs: w6692. For example, for the HFC based PCI card it is enough to use the driver add name=hfc command to get the driver loaded.
Note: ISDN ISA adapters are not supported.
Property Description
name (name) - name of the driver
isdn-protocol (euro | german; default euro) - data channel protocol
ISDN Channels
ISDN channels are added to the system automatically when the ISDN card driver is loaded. Each channel corresponds to one physical 64K ISDN data channel. The list of available ISDN channels can be viewed using the isdn-channels print command. The channels are named channel1, channel2 and so on. E.g., if you have two ISDN channels and one of them is currently used by an ISDN interface but the other is available, the output should look like this:
[admin@MikroTik] isdn-channels> print
Flags: X - disabled, E - exclusive
  #   NAME       CHANNEL DIR TYPE PHONE
  0   channel1   0
  1   channel2   1
[admin@MikroTik] isdn-channels>
ISDN channels are very similar to PPP serial ports. Any number of ISDN interfaces can be configured on a single channel, but only one interface can be enabled for that channel at a time. It means that every ISDN channel is either available or used by an ISDN interface.
MSN and EAZ numbers
In Euro ISDN a subscriber can assign more than one ISDN number to an ISDN line. For example, an ISDN line could have the numbers 1234067 and 1234068. Each of these numbers can be used to dial th
414. rs provide high availability for routers without using clumsy ping-based scripts.
Specifications
Packages required: system
License required: Any
Home menu level: /ip vrrp
Protocols utilized: VRRP, AH (HMAC-MD5-96 within ESP and AH)
Hardware usage: Not significant
Related Documents
  - Software Package Management
  - IP Addresses and ARP
Description
Virtual Router Redundancy Protocol is an election protocol that provides high availability for routers. A number of routers may participate in one or more virtual routers. One or more IP addresses may be assigned to a virtual router.
A node of a virtual router can be in one of the following states:
  - MASTER state, when the node answers all the requests to the instance's IP addresses. There may only be one MASTER node in a virtual router. This node sends VRRP advertisement packets to all the backup routers (using a multicast address) every once in a while (set in the interval property).
  - BACKUP state, when the VRRP router monitors the availability and state of the Master Router. It does not answer any requests to the instance's IP addresses. Should the master become unavailable (if at least three sequential VRRP packets are lost), an election process happens and a new master is proclaimed based on its priority.
For more details on virtual routers, see RFC2338.
VRRP Routers
Home menu level: /ip vrrp
Description
A number of VRRP routers may form a virtual router. The maximal numb
415. rsil Prism II (PC/PCI), Atheros AR5000, AR5001X and AR5001X+ chipset based wireless adapter cards for working as wireless clients (station mode), wireless bridges (bridge mode), wireless access points (ap-bridge mode), and in alignment-only mode (for antenna positioning). For further information about supported wireless adapters see the Device Driver List.
On account of that, MikroTik RouterOS provides complete support for the IEEE 802.11a, 802.11b and 802.11g wireless networking standards.
Specifications
Packages required: wireless
Home menu level: /interface wireless
Protocols utilized: IEEE802.11a, IEEE802.11b, IEEE802.11g
Hardware usage: Not significant
Related Documents
  - Software Package Management
  - Device Driver Management
  - IP Addresses and ARP
  - Log Management
  - Notes on PCMCIA Adapters
Description
The Atheros 5G/ABM Wireless adapter is a new generation solution for wireless applications. This universal Multi-Band (2.4 GHz, 5.2 GHz, 5.8 GHz) PCI adapter operates in any existing IEEE wireless standard. It minimizes any potential confusion or incompatibilities caused by having three separate wireless devices. MikroTik RouterOS supports the Virtual Access Point function, which allows you to make multiple Virtual Access Points from a single physical Access Point. The Multi-Band Wireless PCI adapter operates in both the 2.4 GHz and 5 GHz wireless bands. The Atheros card has been tested for distances up to 20 km, providing connection speed
416. rt 8088. Hotspot clients are connected to the interface named prism1.
3. Set up HotSpot to use one of the router's local IP addresses (10.5.50.1):
/ip hotspot set hotspot-address=10.5.50.1
4. Set up the web proxy to run on the same IP address on port 3128:
/ip web-proxy set enabled=yes address=10.5.50.1:3128 transparent-proxy=yes
5. Configure the hotspot service to use this web proxy as its parent proxy:
/ip hotspot set parent-proxy=10.5.50.1:3128
6. Redirect all requests from the hotspot interface to port 80 (except to 10.5.50.1) to the web proxy:
/ip firewall dst-nat add in-interface=prism1 dst-address=!10.5.50.1/32 dst-port=80 protocol=tcp action=redirect to-dst-port=8088 comment="transparent proxy"
7. Now everything should be working fine. Only the traffic of the redirected requests to the web proxy will not be accounted. That is because this traffic will not pass through the forward chain; to enable accounting for the HotSpot user traffic to/from the transparent web proxy, additional firewall rules should be added:
/ip firewall rule input add in-interface=prism1 dst-port=3128 protocol=tcp action=jump jump-target=hotspot comment="account traffic from hotspot client to local web proxy"
/ip firewall rule output add src-port=3128 protocol=tcp out-interface=prism1 action=jump jump-target=hotspot comment="account traffic from local web proxy to hotspot client"
You may want to allow multiple logins using the same username/password. Set
417. s
Packages required: system
Home menu level: /ip firewall
Protocols utilized: IP
Hardware usage: Increases with filtering rules count
Related Documents
  - Software Package Management
  - IP Addresses and ARP
  - Routes Management
  - Network Address Translation
Description
Network firewalls keep outside threats away from sensitive data available inside the network. Whenever different networks are joined together, there is always a threat that someone from outside of your network will break into your LAN. Such break-ins may result in private data being stolen and distributed, valuable data being altered or destroyed, or entire hard drives being erased. Firewalls are used as a means of preventing or minimizing the security risks inherent in connecting to other networks. MikroTik RouterOS implements wide firewalling features as well as masquerading capabilities, which allow you to hide your network infrastructure from the outside world.
Packet Flow
Description
MikroTik RouterOS simplifies the creation and deployment of sophisticated firewall policies. In fact, you can easily create a simple one to filter your traffic or enable source NAT without needing to know how packets are processed in the router. But in case you want to deploy more complicated policies, it is worth knowing the underlying process details.
IP packet flow through the router is depicted in the following diagram. As we can see, a packet can enter the convey
418. s of item flags (like the disabled in the example below). You can use tab key completions to see what properties any particular get action can return.
Example
In the example below, the monitor action will execute the given script each time it prints stats on the screen, and it will assign all printed values to local variables with the same name:
[admin@MikroTik] interface> monitor-traffic ether2 once do={:environment print}
    received-packets-per-second: 0
       received-bits-per-second: 0bps
        sent-packets-per-second: 0
           sent-bits-per-second: 0bps
Global Variables
i=1
Local Variables
sent-bits-per-second=0
received-packets-per-second=0
received-bits-per-second=0
sent-packets-per-second=0
[admin@MikroTik] interface>
Scripts
Home menu level: /system script
Description
In RouterOS a script may be started in three different ways:
  - according to a specific time or an interval of time
  - on an event (for example, if the netwatch tool sees that an address does not respond to pings)
  - by another script
Property Description
source (text; default "") - the script source code itself
owner (name; default admin) - the name of the user who created the script
run-count (integer; default 0) - script usage counter. This counter is incremented each time the script is executed. The counter will reset after reboot
last-started (time) - date and time when the script has been last invoked. The ar
419. s=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=passthrough mark-flow="" tcp-mss=1440
[admin@MikroTik] ip firewall mangle>
  - My Windows PPPoE client obtains an IP address and default gateway from the MikroTik PPPoE server, but it cannot ping beyond the PPPoE server and use the Internet.
    The PPPoE server is not bridging the clients. Configure masquerading for the PPPoE client addresses, or make sure you have proper routing for the address space used by the clients, or enable Proxy ARP on the Ethernet interface. See the IP Addresses and Address Resolution Protocol (ARP) manual.
  - My Windows XP client cannot connect to the PPPoE server.
    You have to specify the Service Name in the properties of the XP PPPoE client. If the service name is not set, or it does not match the service name of the MikroTik PPPoE server, you get "the line is busy" errors, or the system shows "verifying password - unknown error".
  - I want to have logs for PPPoE connection establishment.
    Configure the logging feature under the /system logging facility and enable the PPP type logs.
Application Examples
PPPoE in a multipoint wireless 802.11 network
In a wireless network, the PPPoE server may be attached to an Access Point as well as to a regular station of the wireless infrastructure. Either our RouterOS client or Windows PPPoE clients may connect to the Access Point for PPPoE authentication. Further, for RouterOS clients the radio interfac
420. s can be removed only if the appropriate interface has been disabled. To remove a device driver, use the driver remove command. Unloading a device driver is useful when you swap or remove a network device; it saves system resources by avoiding loading drivers for removed devices. The device driver needs to be removed and loaded again if some parameters (memory range, I/O base address) have been changed for the network interface card.
Notes on PCMCIA Adapters
Description
Currently only the following PCMCIA-ISA and PCMCIA-PCI adapters are tested to comply with MikroTik RouterOS:
  - RICOH PCMCIA-PCI Bridge with R5C475 II or RC476 II chip (one or two PCMCIA ports)
  - CISCO Aironet PCMCIA adapter (ISA and PCI versions) for CISCO Aironet PCMCIA cards only
Other PCMCIA-ISA and PCMCIA-PCI adapters might not function properly.
Notes
The Ricoh adapter might not work properly with some older motherboards. When recognized properly by the BIOS during the boot-up of the router, it should be reported under the PCI device listing as a PCI-CardBus bridge. Try using another motherboard if the adapter or the PCMCIA card are not recognized properly.
The maximum number of PCMCIA ports for a single system is equal to 8. If you try to install 9 or more ports (no matter whether one-port or two-port adapters), none will be recognized.
General Interface Settings
Document revision 1.1, 06-01-2004
This document applies
421. s consider the following example HotSpot setup:
There are clients at the prism1 interface which are able to use the Internet already. You want all these clients to authenticate before they are able to use the Internet.
For hotspot client accounting, hotspot will add dynamic firewall rules in the firewall hotspot chain. This chain has to be created manually, and all network packets to/from hotspot clients have to pass this chain.
Example
1. Set up the hotspot service to run on port 80 (the www service has to be assigned another port, e.g. 8081):
/ip service set www port=8081
/ip service set hotspot port=80
Note: Changing the www service to a port other than 80 requires that you specify the new port when connecting to the MikroTik router using WinBox, e.g. use 10.5.50.1:8081 in this case.
2. Set up the hotspot profile to mark authenticated users with the flow name hs-auth:
/ip hotspot profile set default mark-flow=hs-auth login-method=enabled-address
3. Add a local hotspot user:
/ip hotspot user add name=Ex password=Ex
4. Redirect all TCP requests from unauthorized clients to the hotspot service:
/ip firewall dst-nat add in-interface=prism1 flow=!hs-auth protocol=tcp dst-port=443 action=redirect to-dst-port=443 comment="redirect unauthorized hotspot clients to hotspot service"
/ip firewall dst-nat add in-interface=prism1 flow=!hs-auth protocol=tcp action=redirect to-dst-port=80 comment="redirect unauthorized clients to hotspot serv
422. s no traffic for the period set in the idle-timeout value
use-peer-dns (yes | no; default no) - whether to set the router's default DNS to the PPP peer DNS (i.e. whether to get DNS settings from the peer)
Notes
If there is a default route, add-default-route will not create a new one.
Example
To add and enable a PPPoE client on the gig interface connecting to the AC that provides the testSN service, using user name john with the password password:
[admin@RemoteOffice] interface pppoe-client> add interface=gig service-name=testSN user=john password=password disabled=no
[admin@RemoteOffice] interface pppoe-client> print
Flags: X - disabled, R - running
  0 R name="pppoe-out1" mtu=1480 mru=1480 interface=gig user="john" password="password" profile=default service-name="testSN" ac-name="" add-default-route=no dial-on-demand=no use-peer-dns=no
Monitoring PPPoE Client
Command name: /interface pppoe-client monitor
Property Description
status (text) - status of the client:
  - Dialing - attempting to make a connection
  - Verifying password... - a connection has been established to the server, password verification in progress
  - Connected - self-explanatory
  - Terminated - interface is not enabled or the other side will not establish a connection
uptime (time) - connection time, displayed in days, hours, minutes and seconds
encoding (text) - encryption and encoding (if asymmetric, separated wit
423. s the other value (or even to zero). License Agreement (some predefined values, general for all users) or the client's MAC address may be used as username and password
  - Registration may occur on a different server (for example, on a server that is able to charge Credit Cards). The client's MAC address may be passed to it, so that this information need not be written in manually. After the registration, the server may change the RADIUS database, enabling the client to log in for some amount of time.
To insert a variable in some place in an HTML file, the variable name surrounded by symbols is used. This construction may be used in any HotSpot HTML file accessed as login, status or logout. For example, to show a link to the login page, the following construction can be used:
<a href="$link-login">login</a>
Variables
All of the Servlet HTML pages use variables to show user-specific values. Variable names appear only in the source; they are automatically replaced with the respective values by the HotSpot Servlet. For each variable there is an example included in brackets.
  - Common variables (available in all pages): redirect.html, rlogin.html, rstatus.html, fstatus.html, flogout.html
  - login.html, flogin.html
  - alogin.html
  - logout.html
  - status.html, error.html
Notes
To insert the symbol as text (not as a part of a variable construction), has to be used if there is only one symbol on a page, or string between
424. s the web server identity. The Certificate contains information about its holder (like DNS name and Country), the issuer (the entity that has signed the Certificate) and also the public key used to negotiate the encryption key. In order for a Certificate to play its role, it should be signed by a third party (a Certificate Authority) which both parties trust. Modern browsers that support the SSL protocol have a list of the Certificate Authorities they trust; the most known and trusted CA is VeriSign.
To use a Certificate (which contains a public key), the server needs a private key. One of the keys is used for encryption and the other for decryption. It is important to understand that both keys can encrypt and decrypt, but what is encrypted by one of them can be decrypted only by the other. The private key must be kept securely, so that nobody else can get it and use this certificate. Usually the private key is encrypted with a passphrase.
Most trusted Certificate Authorities sell the service of signing Certificates. Certificates also have a finite validity term, so you will have to pay regularly. It is also possible to create a self-signed Certificate (all Root Certificate Authorities have self-signed Certificates), but if it is not present in a browser's database, the browser will pop up a security warning saying that the Certificate is not trusted (note also that most browsers support importing custom Certificates into their databases).
Certificates
Home
425. s to use the Proxy ARP feature. Proxy ARP means that the router will be listening to ARP requests on the relevant interface and respond to them with its own MAC address, if the request matches any other IP address of the router. This can be useful, for example, if you want to assign dial-in (ppp, pppoe, pptp) clients IP addresses from the same address space as used on the connected LAN.
Example
Consider the following configuration. The MikroTik Router setup is as follows:
[admin@MikroTik] ip arp> /interface ethernet print
Flags: X - disabled, R - running
  #    NAME      MTU   MAC-ADDRESS        ARP
  0  R eth-LAN   1500  00:50:08:00:00:F5  proxy-arp
[admin@MikroTik] ip arp> /interface print
Flags: X - disabled, D - dynamic, R - running
  #     NAME          TYPE       MTU
  0     eth-LAN       ether      1500
  1     prism1        prism      1500
  2  D  pppoe-in25    pppoe-in
  3  D  pppoe-in26    pppoe-in
[admin@MikroTik] ip arp> /ip address print
Flags: X - disabled, I - invalid, D - dynamic
  #    ADDRESS          NETWORK      BROADCAST    INTERFACE
  0    10.0.0.217/24    10.0.0.0     10.0.0.255   eth-LAN
  1 D  10.0.0.217/32    10.0.0.230   0.0.0.0      pppoe-in25
  2 D  10.0.0.217/32    10.0.0.231   0.0.0.0      pppoe-in26
[admin@MikroTik] ip arp> /ip route print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, R - rip, O - ospf, B - bgp
  #     DST-ADDRESS      G GATEWAY       DISTANCE INTERFACE
  0 S   0.0.0.0/0        r 10.0.0.1      1        eth-LAN
  1 DC  10.0.0.0/24      r 0.0.0.0       0        eth-LAN
  2 DC  10.0.0.230/32    r 0.0
426. see the example in the EoIP section of the manual. To set the maximum speed for traffic over this tunnel, please consult the Queues section.
Connecting a Remote Client via PPTP Tunnel
The following example shows how to connect a computer to a remote office network over a PPTP encrypted tunnel, giving that computer an IP address from the same network as the remote office has (without the need of bridging over EoIP tunnels). Please consult the respective manual on how to set up a PPTP client with the software you are using.
[Figure: encrypted PPTP tunnel over the Internet from a Laptop (192.168.80.111/24) to RemoteOffice; ISP network 192.168.81.0, netmask 255.255.255.0; RemoteOffice interfaces ToInternet 192.168.81.1/24 and Office 10.150.1.254/24; tunnel endpoints ToRemoteOffice 10.150.1.254/32 and FromLaptop 10.150.1.2/32; office network 10.150.1.0, netmask 255.255.255.0; Workstation 10.150.1.1/24]
The router in this example:
  - RemoteOffice
  - Interface ToInternet 192.168.81.1/24
  - Interface Office 10.150.1.254/24
The client computer can access the router through the Internet.
On the PPTP server a user must be set up for the client:
[admin@RemoteOffice] ppp secret> add name=ex service=pptp password=lk3jrht local-address=10.150.1.254 remote-address=10.150.1.2
[admin@RemoteOffice] ppp secret> print detail
Flags: X - disabled
  0   name="ex" service=pptp caller-id="" password="lk3jrht" profile
427. ser menu or at the RADIUS server specified in the /ip ppp settings.
Property Description
port (name; default unknown) - serial port
authentication (multiple choice: mschap2 | mschap1 | chap | pap; default mschap2, mschap1, chap, pap) - authentication protocol
profile (name; default default) - profile name used for the link
mtu (integer; default 1500) - Maximum Transmission Unit. Maximum packet size to be transmitted
mru (integer; default 1500) - Maximum Receive Unit
null-modem (no | yes; default no) - enable/disable null-modem mode (when enabled, no modem initialization strings are sent)
modem-init (text; default "") - modem initialization string. You may use s11=40 to improve dialing speed
ring-count (integer; default 1) - number of rings to wait before answering the phone
name (name; default ppp-inN) - interface name for reference
Example
You can add a PPP server using the add command:
[admin@MikroTik] interface ppp-server> add name=test port=serial1
[admin@MikroTik] interface ppp-server> print
Flags: X - disabled, R - running
  0 X name="test" mtu=1500 mru=1500 port=serial1 authentication=mschap2,chap,pap profile=default modem-init="" ring-count=1 null-modem=no
[admin@MikroTik] interface ppp-server> enable 0
[admin@MikroTik] interface ppp-server> monitor test
    status: waiting for call...
[admin@MikroTik] interface ppp-server>
PPP Client Setup
Ho
428. ser that is configured statically or added dynamically
mtu (integer) - cannot be set here. Client's MTU
client-address (IP address) - shows (cannot be set here) the IP address of the connected client
uptime (time) - shows how long the client is connected
encoding (text) - encryption and encoding (if asymmetric, separated with '/') being used in this connection
Example
To add a static entry for the ex1 user:
[admin@MikroTik] interface pptp-server> add user=ex1
[admin@MikroTik] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
  #     NAME         USER   MTU   CLIENT-ADDRESS   UPTIME   ENC...
  0 DR  <pptp-ex>    ex     1460  10.0.0.202       6m32s    none
  1     pptp-in1     ex1
[admin@MikroTik] interface pptp-server>
In this example an already connected user (ex) is shown besides the one we just added.
PPTP Application Examples
Router-to-Router Secure Tunnel Example
The following is an example of connecting two Intranets using an encrypted PPTP tunnel over the Internet.
[Figure: Network Setup without PPTP enabled. ISP 1 network 192.168.80.0, netmask 255.255.255.0; HomeOffice: ToInternet 192.168.80.14/24, LocalHomeOffice 10.150.2.254/24, network 10.150.2.0, netmask 255.255.255.0. ISP 2 network 192.168.81.0, netmask 255.255.255.0; RemoteOffice: ToInternet 192.168.81.1/24, LocalRemoteOffice 10.150.1.254/24, network 10.150.1.0, netmask 255.255.255
429. serial (read-only: text) - a string of at least 8 characters directly representing the UPS's serial number as set at the factory. Newer SmartUPS models have 12-character serial numbers
manufacture-date (read-only: text) - the UPS's date of manufacture in the format mm/dd/yy (month, day, year)
nominal-battery-voltage (read-only: integer) - the UPS's nominal battery voltage rating (this is not the UPS's actual battery voltage)
Notes
In order to enable the UPS monitor, the serial port should be available.
Example
To enable the UPS monitor for port serial1:
[admin@MikroTik] system ups> set port=serial1 enabled=yes
[admin@MikroTik] system ups> print
                  enabled: yes
                     port: serial1
            off-line-time: 5m
             min-run-time: 5m
            alarm-setting: immediate
        rtc-alarm-setting: immediate
                    model: Back-UPS Pro 420
                  version: 11.4.I
            serial-number: NB9941252992
         manufacture-date: 10/08/99
  nominal-battery-voltage: 12
[admin@MikroTik] system ups>
Runtime Calibration
Command name: /system ups run-time-calibration
Description
The run-time-calibration command causes the UPS to start a run time calibration until less than 25% of full battery capacity is reached. This command calibrates the returned run time value.
Notes
The test begins only if the battery capacity is 100%.
Example
[admin@MikroTik] system ups> run-time-calibration
UPS Monitoring
Command name: /system ups monitor
Property Description
on-line (yes | no)
430. server, as well as to minimize DNS resolution time. This is a simple recursive DNS server with local items.
Specifications
Packages required: system
License required: Any
Home menu level: /ip dns
Protocols utilized: DNS
Hardware usage: Not significant
Related Documents
  - Software Package Management
  - HotSpot Gateway
  - Authentication, Authorization and Accounting
Description
The MikroTik router with the DNS cache feature enabled can be set as a primary DNS server for any DNS-compliant clients. Moreover, the MikroTik router can be specified as a primary DNS server under its dhcp-server settings. When the DNS cache is enabled, the MikroTik router responds to DNS TCP and UDP requests on port 53.
DNS Client Configuration
Home menu level: /ip dns
Description
The DNS client is used to provide domain name resolution for the router itself as well as for the P2P clients connected to the router.
Property Description
allow-remote-requests (yes | no) - the type of domain name resolution:
  - remote-dns - names will be resolved by asking remote DNS servers
  - local-dns-cache - names will be resolved using the local DNS cache
primary-dns (IP address; default 0.0.0.0) - primary DNS server
secondary-dns (IP address; default 0.0.0.0) - secondary DNS server
Notes
resolve-mode automatically changes to local-dns-cache when dns-cache is enabled.
Services, Protocols and Ports
Document revision 1.0.0 (28 Jan 200
431. should distribute traffic fine. Also, this has another good feature: single-connection packets do not get reordered and therefore do not kill TCP performance.
Equal cost multipath routes can be created by routing protocols (RIP or OSPF), or by adding a static route with multiple gateways (in the form gateway=x.x.x.x,y.y.y.y). The routing protocols may create routes with equal cost automatically, if the cost of the interfaces is adjusted properly. For more information on using the routing protocols, please read the corresponding section of the Manual.
Additional Documents
  - RFC 2328
  - RFC 2992
  - RFC1102
Static Routes
Home menu level: /ip route
Property Description
dst-address (IP address/mask; default 0.0.0.0/0) - destination address and network mask, where netmask is the number of bits which indicate the network number
netmask (IP address) - network mask
gateway (IP address) - gateway host that can be reached directly through some of the interfaces. You can specify multiple gateways separated by comma for ECMP routes. See more information on that below
preferred-source (IP address; default 0.0.0.0) - source address of packets leaving the router via this route. Must be a valid address of the router, which is assigned to the router's interface through which the packet leaves
  - 0.0.0.0 - determined at the time of sending the packet out through the interface
distance (integer; default 1) - administrative distance of the
432. signed, so all the requests from not-authorized users are really going through this proxy. Note that the embedded proxy server does not have a caching function yet. Also note that this embedded proxy server is in the hotspot software package and does not require the web-proxy package.
Authentication
In case of the HTTP protocol, the HotSpot servlet generates an MD5 hash challenge to be used together with the user's password for computing the string which will be sent to the HotSpot gateway. The hash result, together with the username, is sent over the network to the HotSpot service, so the password is never sent in plain text over the IP network. On the client side, the MD5 algorithm is implemented in a JavaScript applet, so if a browser does not support JavaScript (like, for example, Internet Explorer 2.0), it will not be able to authenticate users. It is possible to allow unencrypted passwords to be accepted, but it is not recommended to use this feature.
If the HTTPS protocol is used, the HotSpot user just sends his/her password without additional hashing. In either case, the HTTP POST method (if not possible, then the HTTP GET method) is used to send data to the HotSpot gateway.
HotSpot can authenticate users using a local user database or a RADIUS server (the local database is consulted first, then a RADIUS server). If authentication is done locally, the profile corresponding to that user is used; otherwise (in case of RADIUS) the default profile is used to set default values for parameters which are not set in
433. ssible to define areas in such a way that the backbone is no longer contiguous. In this case the system administrator must restore backbone connectivity by configuring virtual links. Virtual links can be configured between any two backbone routers that have an interface to a common non-backbone area. Virtual links belong to the backbone. The protocol treats two routers joined by a virtual link as if they were connected by an unnumbered point-to-point network. Property Description: neighbor-id (IP address; default 0.0.0.0) - specifies the router-id of the neighbour; transit-area (name; default unknown) - a non-backbone area the two routers have in common. Notes: Virtual links can not be established through stub areas. Example: To add a virtual link with the 10.0.0.201 router through the ex area, do the following: [admin@MikroTik] routing ospf virtual-link> add neighbor-id=10.0.0.201 transit-area=ex; [admin@MikroTik] routing ospf virtual-link> print; Flags: X - disabled, I - invalid; # NEIGHBOR-ID TRANSIT-AREA; 0 10.0.0.201 ex; [admin@MikroTik] routing ospf virtual-link>. Neighbours. Home menu level: /routing ospf neighbor. Description: The submenu provides access to the list of OSPF neighbors, id est the routers adjacent to the current router, and supplies brief statistics. Property Description: router-id (read-only: IP address) - the router-id parameter of the neighbour; address (read-only: IP addr
434. st can be accessed by typing after the prefix. Command Description: put - this action takes one argument, which it echoes to the console. The action cannot be used in scripts, since scripts do not have a place to display values on; if - this action takes one argument, a logical condition, id est an expression which must return a boolean value. It has also two parameters, do and else. If the logical condition is evaluated to true, then the part after the do parameter is executed, otherwise the else part takes place. Note that the else part is optional. [admin@MikroTik] > :if yes do={:put yes} else={:put no}; true; [admin@MikroTik] > :if ([/ping 10.0.0.1 count=1] = 0) do={:put "gw unreachable"}; 10.0.0.1 pong timeout; 1 packets transmitted, 0 packets received, 100% packet loss; gw unreachable; [admin@MikroTik] >. while - this action takes one argument, a logical condition, id est an expression which must return a boolean value. It has also one parameter, do. The logical condition is evaluated every time before executing the do statement. [admin@MikroTik] > :global i; :set i 0; :while ($i < 10) do={:put $i; :incr i}; :unset i; 0 1 2 3 4 5 6 7 8 9; [admin@MikroTik] >. do - this action takes one argument, which holds the console commands that must be executed. It is similar to the do statement of other commands. It has also two parameters, while and if. If no parameters are given, do just
435. st.hrSystem.hrSystemUptime; host.hrSystem.hrSystemDate; host.hrStorage.hrMemorySize; host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageIndex; host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageType; host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageDescr; host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageAllocationUnits; host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageSize; host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageUsed. CISCO-AAA-SESSION-MIB. Note that this MIB is supported only when the ppp package is installed. It reports both ppp and hotspot active users: enterprises.cisco.ciscoMgmt.ciscoAAASessionMIB.casnMIBObjects.casnActive.casnActiveTableEntries; enterprises.cisco.ciscoMgmt.ciscoAAASessionMIB.casnMIBObjects.casnActive.casnActiveTable.casnActiv; enterprises.cisco.ciscoMgmt.ciscoAAASessionMIB.casnMIBObjects.casnActive.casnActiveTable.casnActiv; enterprises.cisco.ciscoMgmt.ciscoAAASessionMIB.casnMIBObjects.casnActive.casnActiveTable.casnActiv. RFC2863: ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifInMulticastPkts; ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifInBroadcastPkts; ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifOutMulticastPkts; ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifOutBroadcastPkts; ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCInMulticastPkts; ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCInBroadcastPkts; ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCOutMulticastPkts; ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCOutBroa
436. t. Description: The logging feature sends all of your actions on the router to a log file or to a logging daemon. The router has several global configuration settings that are applied to logging. Logs have different facilities. Logs from each facility can be configured to be discarded, logged locally or remotely. General Settings. Home menu level: /system logging. Property Description: default-remote-address (IP address; default 0.0.0.0) - remote log server IP address. Used when remote logging is enabled but no IP address of the remote server is specified; default-remote-port (integer; default 0) - remote log server UDP port. Used when remote logging is enabled but no UDP port of the remote server is specified; disk-buffer-lines (integer; default 100) - number of lines kept on hard drive; memory-buffer-lines (integer; default 100) - number of lines kept in memory. Example: To use the 10.5.13.11 host listening on port 514 as the default remote system log server: [admin@MikroTik] system logging> set default-remote-address=10.5.13.11 default-remote-port=514; [admin@MikroTik] system logging> print; default-remote-address: 10.5.13.11; default-remote-port: 514; disk-buffer-lines: 100; memory-buffer-lines: 100; [admin@MikroTik] system logging>. Log Classification. Home menu level: /system logging facility. Property Description: facility (name) - name of the log group (message type); local (disk | memory | none; defaul
437. t memory) - how to treat local logs • disk - logs are saved to hard drive • memory - logs are saved to the local buffer. They can be viewed using the /log print command • none - logs from this source are discarded; remote (none | syslog; default none) - how to treat logs that are sent to a remote host • none - do not send logs to a remote host • syslog - send logs to a remote syslog daemon; prefix (text) - local log prefix; remote-address (IP address) - remote log server IP address. Used when logging type is remote. If not set, the default log server IP address is used; remote-port (integer; default 0) - remote log server UDP port. Used when logging type is remote. If not set, the default log server UDP port is used; echo (yes | no; default no) - whether to echo the message of this type to the active logged-in consoles. Notes: You cannot add, delete or rename the facilities; they are added and removed with the packages they are associated with. The System-Echo facility has its default echo property set to yes. Example: To force the router to send Firewall-Log to the 10.5.13.11 server: [admin@MikroTik] system logging facility> set Firewall-Log remote=syslog remote-address=10.5.13.11 remote-port=514; [admin@MikroTik] system logging facility> print; # FACILITY LOCAL REMOTE PREFIX REMOT
438. t L2TP/IPsec VPN Client and in the MikroTik RouterOS. If you do not want to use IPsec, it can be easily switched off on the client side. Note: if you are using Windows 2000, you need to edit the system registry using regedt32.exe or regedit.exe. Add the following registry value to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters: Value Name: ProhibitIpSec; Data Type: REG_DWORD; Value: 1. You must restart Windows 2000 for the changes to take effect. For more information on configuring Windows 2000, see: Configuring Cisco IOS and Windows 2000 Clients for L2TP Using Microsoft IAS; Disabling IPSEC Policy Used with L2TP; How to Configure a L2TP/IPsec Connection Using Pre-shared Key Authentication. CISCO/Aironet 2.4GHz 11Mbps Wireless Interface. Document revision 1.1 (22.09.2003). This document applies to MikroTik RouterOS V2.8. Table of Contents: Summary; Specifications; Related Documents; Additional Documents; Wireless Interface Configuration (Description; Property Description; Example; Example); Troubleshooting (Description); Application Examples (Point-to-Multipoint Wireless LAN; Point-to-Point Wireless LAN). General Information. Summary: The MikroTik RouterOS supports the following CISCO/Aironet 2.4GHz Wireless ISA/PCI/PC Adapter hardware: • Aironet ISA/PCI/PC4800 2.4GHz DS 11Mbps Wireless LAN Adapters (100mW) • Aironet ISA/PCI/PC4500 2.4GHz DS 2
439. t-address (IP address; default 0.0.0.0/0:0-65535) - destination IP address; dst-netmask (IP address; default accept) - destination netmask in decimal form x.x.x.x; dst-port (integer 0..65535; default 0-65535) - destination port number or range • 0 - all ports from 0 to 65535; icmp-options - ICMP options; tcp-options (any | syn-only | non-syn-only; default any) - TCP options; protocol (ah | egp | ggp | icmp | ipencap | ospf | rspf | udp | xtp | all | encap | gre | idpr-cmtp | ipip | pup | st | vmtp | ddp | esp | hmp | igmp | iso-tp4 | rdp | tcp | xns-idp; default all) - protocol setting • all - cannot be used if you want to specify ports; content (text) - the text packets should contain in order to match the rule; flow (text) - flow mark to match. Only packets marked in the MANGLE would be matched; p2p (any | all-p2p | bit-torrent | direct-connect | fasttrack | soulseek | blubster | edonkey | gnutella; default any) - match Peer-to-Peer (P2P) connections • all-p2p - match all known P2P traffic • any - match any packet (i.e. do not check this property); connection (text) - connection mark to match. Only connections (including related) marked in the MANGLE would be matched; limit-burst (integer; default 0) - allowed burst regarding the limit-count/limit-time; limit-time (time; default 0) - time interval used in limit-count • 0 - forever; limit-count (integer; default 0) - how many times to use the rule during the limit-t
440. t the interface or router. Example: [admin@MikroTik] interface> moxa-c502; [admin@MikroTik] interface moxa-c502> print; Flags: X - disabled, R - running; 0 R name=moxa-c502-1 mtu=1500 line-protocol=sync-ppp clock-rate=64000 clock-source=external frame-relay-lmi-type=ansi frame-relay-dce=no cisco-hdlc-keepalive-interval=10s; 1 R name=moxa-c502-2 mtu=1500 line-protocol=sync-ppp clock-rate=64000 clock-source=external frame-relay-lmi-type=ansi frame-relay-dce=no cisco-hdlc-keepalive-interval=10s; [admin@MikroTik] interface moxa-c502>. You can monitor the status of the synchronous interface: [admin@MikroTik] interface moxa-c502> monitor 0; dtr: yes; rts: yes; cts: no; dsr: no; dcd: no; [admin@MikroTik] interface moxa-c502>. Connect a communication device (e.g. a baseband modem) to the V.35 port and turn it on. If the link is working properly, the status of the interface is: [admin@MikroTik] interface moxa-c502> monitor 0; dtr: yes; rts: yes; cts: yes; dsr: yes; dcd: yes; [admin@MikroTik] interface moxa-c502>. Troubleshooting. Description: • The synchronous interface does not show up under the interfaces list - Obtain the required license for the synchronous feature • The synchronous link does not work - Check the V.35 cabling and the line between the modems. Read the modem manual. Synchronous Link Application Examples. MikroTik Router to MikroTik Ro
441. t to get full peer-to-peer network support from behind the NAT. There are two interface types for UPnP: internal (the one local clients are connected to) and external (the one the Internet is connected to). A router may only have one external interface with a public IP address on it, and as many internal IP addresses as needed, all with source-NATted internal IP addresses. The UPnP protocol is used for most DirectX games as well as for various Windows Messenger features (remote assistance, application sharing, file transfer, voice, video) from behind a firewall. Additional Documents. Enabling Universal Plug'n'Play. Home menu level: /ip upnp. Property Description: enabled (yes | no; default no) - whether the UPnP feature is enabled. Example: To enable the UPnP feature: [admin@MikroTik] ip upnp> set enabled=yes; [admin@MikroTik] ip upnp> print; enabled: yes; [admin@MikroTik] ip upnp>. UPnP Interfaces. Home menu level: /ip upnp interfaces. Property Description: interface (name) - interface name UPnP will be run on; type (external | internal | unused) - interface type, one of the: • external - the interface a global IP address is assigned to • internal - router's local interface • unused - the interface is not used by UPnP. Notes: It is highly recommended to upgrade DirectX runtime libraries to version DirectX 9.0a or higher and Windows Messenger to version Windows Messenger 5.0 or higher in order to get UPnP t
442. t users: dhcp-pool and enabled-address. The enabled-address is the preferred one in most cases, but if you want to bind together usernames and IP addresses (i.e. if you want a user to get the same IP address no matter which computer he/she is using), then the dhcp-pool method is the only possibility. The Initial Contact. First a client gets an IP address. It may be set statically or be given out by a DHCP server. If the client tries to access network resources using a web browser, the destination NAT rule redirects that TCP connection request to the HotSpot servlet (TCP port 8088 for HTTP by default; HTTPS may also be used, on its default TCP port 443). This brings up the HotSpot Welcome/Login page, where the user should input his/her username and password (the page may be customized as described later on). It is very important to understand that the login method for a particular user is determined only after the user is authenticated, and no assumptions are made by the router before. Walled Garden. It is possible to specify a number of domains which can be accessed without prior registration. This feature is called Walled Garden. When a not-logged-in user sends a HTTP request to an allowed web page, the HotSpot gateway redirects the request to the original destination (or to a specified parent proxy). When a user is logged in, there is no effect of this table for him/her. To implement the Walled Garden feature, an embedded web proxy server has been de
443. tSpot interface should be set to reply-only; to prevent network access using static IP addresses, the DHCP server should add static ARP entries for each DHCP client. Note also that the Universal Client feature can not be used with the dhcp-pool method. Introduction to HotSpot. HotSpot is a way to authorize users to access some network resources. It does not provide traffic encryption. To log in, users may use almost any web browser (either HTTP or HTTPS protocol), so they are not required to install additional software. The gateway is accounting the uptime and amount of traffic each of its clients have used, and also can send this information to a RADIUS server. The HotSpot system may limit each particular user's bitrate, total amount of traffic, uptime and some other parameters mentioned further in this document. The HotSpot system is targeted to provide authentication within a local network, but may as well be used to authorize access from outer networks to local networks. Configuring firewall rules, it is possible to exclude some IP networks and protocols from authentication and/or accounting. The walled garden feature allows users to access some web pages without the need of prior authentication. The HotSpot system is rather simple by itself, but it must be used in conjunction with other features of RouterOS. Using many RouterOS features together, it is possible to make a Plug-and-Play access system. There are two login methods for HotSpo
444. ted in BIOS (includes reading and writing) • LED3 is on while a sector is read from BIOS • LED4 is on while new sector contents are sent to BIOS. Note that BIOS sector read/write is a repetitive process. Property Description: routerboard (read-only: yes | no) - whether the motherboard has been detected as a RouterBOARD; current-firmware (read-only: text) - the version and build date of the BIOS already flashed; upgrade-firmware (read-only: text) - the version and build date of the BIOS that is available for flashing. Command Description: upgrade - write the uploaded firmware to the BIOS (asks confirmation and then reboots the router). Example: To check the current and available firmware version numbers: [admin@MikroTik] > system routerboard print; routerboard: yes; current-firmware: 1.0.8 (Oct 03 2003 08:50:48); upgrade-firmware: 1.0.8 (Oct 17 2003 19:06:26); [admin@MikroTik] >. To upgrade the BIOS version: [admin@MikroTik] > system routerboard upgrade; Firmware upgrade requires reboot of the router. Continue? [y/n] y; Firmware upgrade can take up to 20s. Do NOT turn off the power. BIOS Configuration. Home menu level: /system routerboard bios. Description: In addition to the BIOS' own setup possibilities, it is possible to configure BIOS parameters in the RouterOS console. Property Description: baud-rate (1200 | 2400 | 4800 | 9600 | 19200 | 38400 | 57600 | 115200; default 9600) - initial bitrate of the on
445. terface pvc1; [admin@hq] interface pvc> ip addr print; Flags: X - disabled, I - invalid, D - dynamic; # ADDRESS NETWORK BROADCAST INTERFACE; 0 10.0.0.112/24 10.0.0.0 10.0.0.255 ether1; 1 192.168.0.1/24 192.168.0.0 192.168.0.255 ether2; 2 2.2.2.1/24 2.2.2.0 2.2.2.255 pvc1; [admin@hq] interface pvc> enable 0; [admin@hq] interface pvc>. And on the office router: [admin@office] interface pvc> ip addr add address=2.2.2.2/24 interface=pvc1; [admin@office] interface pvc> ip addr print; Flags: X - disabled, I - invalid, D - dynamic; # ADDRESS NETWORK BROADCAST INTERFACE; 0 10.0.0.112/24 10.0.0.0 10.0.0.255 ether1; 1 2.2.2.2/24 2.2.2.0 2.2.2.255 pvc1; [admin@office] interface pvc> enable 0; [admin@office] interface pvc>. Now we can monitor the synchronous link status: [admin@hq] interface pvc> ping 2.2.2.2; 2.2.2.2 64 byte ping: ttl=64 time=20 ms; 2.2.2.2 64 byte ping: ttl=64 time=20 ms; 2.2.2.2 64 byte ping: ttl=64 time=21 ms; 2.2.2.2 64 byte ping: ttl=64 time=21 ms; 4 packets transmitted, 4 packets received, 0% packet loss; round-trip min/avg/max = 20/20.5/21 ms; [admin@hq] interface pvc> interface farsync monitor 0; card-type: T2P; state: FarSync T-Series running normally; firmware-id; firmware-version; physical-cable: X.21; clock; input-signals: CTS; output-signals: RTS, DTR; [admin@hq] interface pvc>. Layer 2 Tunnel Protocol (L2TP). Document revision 1.1 (22.09.2003). This docum
446. terface the packet is coming into the bridge • all - any interface; mac-protocol (all | integer; default all) - the MAC protocol of the packet. The most widely used MAC protocols are (many others exist): • all - all MAC protocols • 2048 - IP • 2054 - ARP • 32821 - RARP • 32823 - IPX • 32923 - AppleTalk (EtherTalk) • 33011 - AppleTalk Address Resolution Protocol (AARP) • 33169 - NetBEUI • 34525 - IPv6; src-address (IP address/mask; default 0.0.0.0/0) - source IP address of the packet; dst-address (IP address/mask; default 0.0.0.0/0) - destination IP address of the packet; protocol (all | egp | ggp | icmp | igmp | ip-encap | ip-sec | tcp | udp | integer; default all) - IP protocol name/number • all - match all the IP protocols; action (accept | drop | passthrough; default accept) - action to undertake if the packet matches the rule • accept - accept the packet. No action, i.e. the packet is passed through without undertaking any action, and no more rules are processed • drop - silently drop the packet (without sending the ICMP reject message) • passthrough - ignore this rule. Acts the same way as a disabled rule, except for the ability to count packets. Example: To make a brouter (the router that routes routable (IP in our case) protocols and bridges unroutable protocols), make a rule that drops IP, ARP and RARP traffic (these protocols should be disabled in the bridge firewall, not in forwarded-protocols, as in the other case the router w
447. the matcher set and the action set. For each packet you need to define a rule with an appropriate match and action. Management of the firewall rules can be accessed by selecting the desired chain. If you use the WinBox console, select the desired chain and then press the List button on the toolbar to open the window with the rules. Peer-to-Peer Traffic Filtering. MikroTik RouterOS provides a way to filter traffic from the most popular peer-to-peer programs that use different P2P protocols. Type of Service. Internet paths vary in the quality of service they provide. They can differ in cost, reliability, delay and throughput. This situation imposes some tradeoffs, exempli gratia the path with the lowest delay may be among the slowest. Therefore, the optimal path for a packet to follow through the Internet may depend on the needs of the application and its user. Because the network itself has no knowledge on how to optimize path choosing for a particular application or user, the IP protocol provides a facility for upper layer protocols to convey hints to the Internet Layer about how the tradeoffs should be made for the particular packet. This facility is called the Type of Service facility. The fundamental rule is that if a host makes appropriate use of the TOS facility, its network service should be at least as good as it would have been if the host had not used this facility. The TOS can be one of five types; each of them is an instruction to Pro
448. ther key exchange schemes that work with ISAKMP, but IKE is the most widely used one. Together they provide means for authentication of hosts and automatic management of security associations (SA). Most of the time the IKE daemon is doing nothing. There are two possible situations when it is activated: • There is some traffic caught by a policy rule which needs to become encrypted or authenticated, but the policy doesn't have any SAs. The policy notifies the IKE daemon about that, and the IKE daemon initiates a connection to the remote host • The IKE daemon responds to a remote connection. In both cases, the peers establish a connection and execute 2 phases. There are two lifetime values: soft and hard. When an SA reaches its soft lifetime threshold, the IKE daemon receives a notice and starts another phase 2 exchange to replace this SA with a fresh one. If an SA reaches its hard lifetime, it is discarded. IKE can optionally provide Perfect Forward Secrecy (PFS), which is a property of key exchanges that in turn means for IKE that compromising the long term phase 1 key will not allow to easily gain access to all IPsec data that is protected by SAs established through this phase 1. It means additional keying material is generated for each phase 2. Generation of keying material is computationally very expensive. Exempli gratia, the use of the modp8192 group can take several seconds even on a very fast computer. It usually takes place once per phase 1 exchange, wh
449. tication: open-system; accepted-authentication: open-system; default-authentication: yes; default-forwarding: yes; 802.1x-enable: no; [admin@MikroTik] interface wireless> set 0 ssid=hotspot band=2.4GHz; [admin@MikroTik] interface wireless> enable 0; [admin@MikroTik] interface wireless> monitor 0; status: connected-to-ess; band: 2.4GHz; frequency: 2437; tx-rate: 11Mbps; ssid: hotspot; bssid: 00:03:2F:04:27:73; signal-strength: 16; rx-rate: 11Mbps; [admin@MikroTik] interface wireless>. The ess stands for Extended Service Set (IEEE 802.11 wireless networking). Registration Table. Home menu level: /interface wireless registration-table. Description: The wireless interface operates using the IEEE 802.11 set of standards. It uses radio waves as a physical signal carrier and is capable of wireless data transmission with speeds up to 108 Mbps (in turbo mode). Property Description: interface (read-only: name) - interface that the client is registered to; mac-address (read-only: MAC address) - MAC address of the registered client; type (read-only: name) - type of the client; parent (read-only: MAC address) - parent access point's MAC address, if forwarded from another access point; ap (read-only: no | yes) - whether the connected node is an Access Point or not; packets (read-only: integer, integer) - number of received and sent packets; packing-size (integer) - maximum packet size in bytes; tx-packed (integer)
450. to Cisco Router. General Information. Summary: The MikroTik RouterOS supports MOXA C101 Synchronous 4Mb/s Adapter hardware. The V.35 synchronous interface is the standard for VSAT and other satellite modems. However, you must check with the satellite system supplier for the modem interface type. Specifications: Packages required: synchronous; Home menu level: /interface moxa-c101; Protocols utilized: Cisco-HDLC, X.25 (RFC 1356), Frame Relay (RFC 1490), PPP (RFC 1661), PPP (RFC 1662); Hardware usage: Not significant. Related Documents: • Software Package Management • Device Driver Management • IP Addresses and ARP • Log Management. Description: You can install up to four MOXA C101 synchronous cards in one PC box, if you have so many slots and IRQs available. Assuming you have all necessary packages and licenses installed, in most cases nothing needs to be done at that point (all drivers are loaded automatically). However, if you have a non-Plug-and-Play ISA card, the corresponding driver needs to be loaded. MOXA C101 PCI variant cabling: The MOXA C101 PCI requires a different cable from the MOXA C101 ISA. It can be made using the following table: (table of the 9-pin and 25-pin cable wiring). Additional Documents: For more information about the MOXA C101 synchronous 4Mb/s adapter hardware, please see: • http://www.moxa.com/product/sync/C101.htm - the product on-line documentation • C101 SuperSync Board User's Manual - the user's man
451. to MikroTik RouterOS V2.8. Table of Contents: Summary; Related Documents; Description; Interface Status (Property Description; Example); Traffic Monitoring (Description; Notes; Example). General Information. Summary: MikroTik RouterOS supports a variety of Network Interface Cards as well as some virtual interfaces (like VLAN, Bridge, etc.). Each of them has its own submenu, but there is also a list of all interfaces where some common properties can be configured. Related Documents: Bridge Interfaces; ARLAN 655 Wireless Client Card; Cyclades PC300 PCI Adapters; Ethernet Interfaces; FarSync X.21 Interface; IPIP (IP over IP) Tunnel Interfaces; MOXA C101 Synchronous Interface; RadioLAN 5.8GHz Wireless Interface; VLAN (Virtual LAN) Interface; Wireless Client and Wireless Access Point Manual; CISCO/Aironet 2.4GHz 11Mbps Wireless Interface; EoIP (Ethernet over IP) Tunnel Interface; FrameRelay PVC (Private Virtual Circuit) Interface; ISDN (Integrated Services Digital Network) Interface; L2TP (Layer 2 Tunnel Protocol) Interface; MOXA C502 Dual-port Synchronous Interface; PPP (Point-to-Point Protocol) and Asynchronous Interfaces; PPPoE (Point-to-Point Protocol over Ethernet) Interface; PPTP (Point-to-Point Tunnel Protocol) Interface; Xpeed SDSL (Single-line Digital Subscriber Line) Interface. Description: The Manual describes general settings of MikroTik RouterOS interfaces. Interface Status. Ho
452. to MikroTik RouterOS V2.8. Table of Contents: General Information (Summary; Related Documents; Description); The Traceroute Command (Property Description; Notes; Example). General Information. Summary: Traceroute determines how packets are being routed to a particular host. Specifications: Packages required: system; License required: Any; Home menu level: /tool; Protocols utilized: ICMP (RFC 792), UDP (RFC 768), Traceroute (RFC 2925); Hardware usage: Not significant. Related Documents: Software Package Installation and Upgrading; IP Addresses and Address Resolution Protocol (ARP); Firewall Filters and Network Address Translation (NAT); ICMP Bandwidth Test; Ping. Description: Traceroute is a TCP/IP protocol based utility which allows the user to determine how packets are being routed to a particular host. Traceroute works by increasing the time-to-live value of packets and seeing how far they get, until they reach the given destination; thus a lengthening trail of hosts passed through is built up. Traceroute shows the number of hops to the given host and the address of every passed gateway. The Traceroute utility sends packets three times to each passed gateway, so it shows three timeout values for each gateway (in ms). The Traceroute Command. Command name: /tool traceroute. Property Description: (IP address) - IP address of the host you are tracing the route to; port (integer 0..65535) - UDP port number; protocol (UD
453. to bridged interfaces (ether1 or ether2) has no sense. Thus, when you assign an interface to a bridge, you should move its IP address to the bridge interface at the same time. Hosts on LAN segments 1 and 2 should use IP addresses from the same network 192.168.0.0/24 and have the default gateway set to 192.168.0.254 (MikroTik router). Troubleshooting. Description: • After I configure the bridge, there is no ping response from hosts on bridged networks - It may take up to 20-30s for the bridge to learn addresses and start responding • When I do a Bridge between the Ethernet and Wireless Interface, I lost the network connection to the router via Ethernet - When a network interface is assigned to a bridge, its IP address should be set on the bridge interface as well. Leaving the IP address on a bridged interface has no sense • I have added a bridge interface, but no IP traffic is passed - You should include arp in the forwarded-protocols list, e.g. forward-protocols=ip,arp,other. Moxa C101 Synchronous Interface. Document revision 1.1 (22.09.2003). This document applies to MikroTik RouterOS V2.8. Table of Contents: General Information (Summary; Specifications; Related Documents; Description; Additional Documents); Synchronous Interface Configuration (Description; Property Description; Notes; Example); Troubleshooting (Description); Synchronous Link Application Examples (MikroTik Router to MikroTik Router; MikroTik Router
454. to enable the SNMP agent on MikroTik RouterOS. Property Description: enabled (yes | no) - whether the SNMP service is enabled; contact (text) - contact information for the NMS; location (text) - location information for the NMS. Example: To enable the service specifying some info: [admin@MikroTik] snmp> set contact="admin@riga 2" location="3rd floor" enabled=yes; [admin@MikroTik] snmp> print; enabled: yes; contact: admin@riga 2; location: 3rd floor; [admin@MikroTik] snmp>. SNMP Communities. Home menu level: /snmp community. Description: The community name is a value in the SNMPv1 header. It is like a username for connecting to the SNMP agent. The default community for SNMP is public. Property Description: name (name) - community name; address (IP address/mask; default 0.0.0.0/0) - allow requests only from these addresses • 0.0.0.0/0 - allow access for any address; read-access (yes | no; default yes) - whether read access is enabled for the community. Example: To view existing communities: [admin@MikroTik] snmp community> print; # NAME ADDRESS; 0 public 0.0.0.0/0; [admin@MikroTik] snmp community>. You can disable read access for the community public: [admin@MikroTik] snmp community> set 0 read-access=no; [admin@MikroTik] snmp community> print; # NAME ADDRESS
455. tries: 0; sent: 11; successfully-sent: 11; max-retries: 0; average-retries: 0; min-retries: 0; sent: 21; successfully-sent: 21; max-retries: 0; average-retries: 0; min-retries: 0; sent: 31; successfully-sent: 31; max-retries: 0; average-retries: 0; min-retries: 0; sent: 41; successfully-sent: 41; max-retries: 0; average-retries: 0; min-retries: 0; sent: 50; successfully-sent: 50; max-retries: 0; average-retries: 0; min-retries: 0; [admin@MikroTik] interface radiolan>. Troubleshooting. Description: • The radiolan interface does not show up under the interfaces list - Obtain the required license for the RadioLAN 5.8GHz wireless feature • The wireless card does not obtain the MAC address of the default destination - Check the cabling and antenna alignment. Wireless Network Applications. Point-to-Point Setup with Routing. Let us consider the following network setup: (network diagram: Router 1 with radiolan1 10.1.0.2/30 and ether1 10.1.1.12/24; Router 2 with radiolan1 10.1.0.1/30 and ether1 192.168.0.254/24 on LAN 192.168.0.0; link distance 6km; sid ba72). The minimum configuration required for the RadioLAN interfaces of both routers is: 1. Setting the Service Set Identifier (up to alphanumeric characters). In our case we use SSID ba72. 2. Setting the distance parameter; in our case we have a 6km link. The IP addresses assigned to the wireless interface of Router 1 should be from the network 10.1.0.0/30, e.g.: [admin@MikroT
456. ttings (Property Description; Example); LCD Information Display Configuration (Description; Property Description; Notes; Example); LCD Troubleshooting (Description). General Information. Summary: LCDs are used to display system information. The MikroTik RouterOS supports the following LCD hardware: • Crystalfontz (http://www.crystalfontz.com) Intelligent Serial LCD Module 632 (16x2 characters) and 634 (20x4 characters) • Powertip (http://www.powertip.com.tw) PC2404 (25x4 characters). Specifications: Packages required: lcd; License required: Any; Home menu level: /system lcd; Protocols utilized: None; Hardware usage: Not significant. Related Documents: Software Package Management. Description: How to Connect a PowerTip LCD to a Parallel Port. Data signals are connected this way: (pin wiring table). Powering: As there are only 16 pins for the PC1602 modules, you need not connect power to the 17th pin. GND and 5V can be taken from the computer's internal power supply (use the black wire for GND and the red wire for 5V). WARNING! Be very careful connecting the power supply. We do not recommend using external power supplies. In no event shall MikroTik be liable for any hardware damages. Note that there are some PowerTip PC2404A modules that have a different pin-out. Compare: From www.powertip.com.tw (probably the newer one); From www.actron.de (probably the older one). Some LCDs may be connected without resistors
457. tunnels or any other setup where the remote peer's IP address is not known at configuration time

exchange-mode (multiple choice: main | aggressive | base; default: main) - different ISAKMP phase 1 exchange modes according to RFC 2408. Do not use other modes than main unless you know what you are doing
send-initial-contact (yes | no; default: yes) - specifies whether to send initial IKE information or wait for the remote side
proposal-check (multiple choice: claim | exact | obey | strict; default: strict) - phase 2 lifetime check logic:
 - claim - take the shortest of the proposed and configured lifetimes and notify the initiator about it
 - exact - require the lifetimes to be the same
 - obey - accept whatever is sent by the initiator
 - strict - if the proposed lifetime is longer than the configured one, reject the proposal; otherwise accept the proposed lifetime
hash-algorithm (multiple choice: md5 | sha; default: md5) - hashing algorithm. SHA (Secure Hash Algorithm) is stronger but slower
enc-algorithm (multiple choice: des | 3des | aes-128 | aes-192 | aes-256; default: 3des) - encryption algorithm. Algorithms are named in strength increasing order
dh-group (multiple choice: modp768 | modp1024 | modp1536; default: esp) - Diffie-Hellman MODP group (cipher strength)
lifetime (time; default: 1d) - phase 1 lifetime: specifies how long the SA will be valid; the SA will be discarded after this time
lifebytes (integer; default: 0) - phase 1 lifetime: specifies how many bytes can be transferred

Of the choices listed, md5, des/3des and modp768 are the weakest; prefer sha, aes-256 and modp1536 when the remote peer supports them. Because proposal-check=obey lets the initiator dictate how long keys stay in use, keep strict (the default) or claim.
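The four proposal-check modes above differ only in how the responder treats the phase 2 lifetime the initiator proposes. The following Python is an added example (it is not RouterOS code and not taken from the manual) that models exactly the documented rule for each mode, given a proposed and a configured lifetime in seconds. One detail the manual leaves open is when "claim" notifies the initiator; the model assumes it does so whenever the chosen value differs from the proposal.

```python
"""Model of the documented `proposal-check` modes of the IPsec peer.

Added example, not RouterOS code. The responder receives a phase 2
lifetime proposed by the initiator and decides, against its own
configured lifetime, whether to accept and which lifetime the SA gets.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Decision:
    accepted: bool
    lifetime: Optional[int]    # seconds the SA will live; None if rejected
    notify_initiator: bool     # claim mode tells the initiator the value chosen


def proposal_check(mode: str, proposed: int, configured: int) -> Decision:
    """Apply one proposal-check mode to a proposed phase 2 lifetime (seconds)."""
    if proposed <= 0 or configured <= 0:
        raise ValueError("lifetimes must be positive")
    if mode == "obey":
        # Whatever the initiator sends is used: the remote side fully
        # controls how long keys stay in use, the least safe choice.
        return Decision(True, proposed, False)
    if mode == "strict":
        # Longer than our configured lifetime -> reject;
        # shorter or equal -> accept as proposed.
        if proposed > configured:
            return Decision(False, None, False)
        return Decision(True, proposed, False)
    if mode == "claim":
        # Take the shorter of the two. Assumption: the initiator is told
        # only when the chosen value differs from what it proposed.
        chosen = min(proposed, configured)
        return Decision(True, chosen, chosen != proposed)
    if mode == "exact":
        if proposed != configured:
            return Decision(False, None, False)
        return Decision(True, proposed, False)
    raise ValueError(f"unknown proposal-check mode: {mode}")


def demo():
    """Run every mode against a too-long, an equal and a shorter proposal.

    The configured lifetime (30 minutes) is a constructed value."""
    configured = 30 * 60
    rows = []
    for mode in ("claim", "exact", "obey", "strict"):
        for proposed in (3600, 1800, 600):
            d = proposal_check(mode, proposed, configured)
            rows.append((mode, proposed, d.accepted, d.lifetime))
    return rows


if __name__ == "__main__":
    for mode, proposed, ok, life in demo():
        verdict = "accept" if ok else "reject"
        print(f"{mode:6} proposed={proposed:5}s -> {verdict} lifetime={life}")
```

Running it shows the practical difference: strict and exact refuse a 3600 s proposal against a 1800 s configuration, claim silently shortens it to 1800 s, and obey lets the SA live for whatever the peer asked.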
458. ual in PDF format

Synchronous Interface Configuration

Home menu level: /interface moxa-c101

Description

The Moxa C101 synchronous interface is shown under the interfaces list with the name moxa-c101-N.

Property Description

name (name; default: moxa-c101-N) - interface name
cisco-hdlc-keepalive-interval (time; default: 10s) - keepalive period in seconds
clock-rate (integer; default: 64000) - speed of the internal clock
clock-source (external | internal | tx-from-rx | tx-internal; default: external) - clock source
frame-relay-dce (yes | no; default: no) - whether or not to operate in DCE mode
frame-relay-lmi-type (ansi | ccitt; default: ansi) - Frame Relay Local Management Interface type:
 - ansi - set LMI type to ANSI-617d (also known as Annex D)
 - ccitt - set LMI type to CCITT Q933a (also known as Annex A)
ignore-dcd (yes | no; default: no) - whether or not to ignore the DCD line
protocol (cisco-hdlc | frame-relay | sync-ppp; default: sync-ppp) - line protocol name
mtu (integer; default: 1500) - Maximum Transmit Unit

Notes

If you purchased the MOXA C101 Synchronous card from MikroTik, you have received a V.35 cable with it. This cable should work for all standard modems which have V.35 connections. For synchronous modems which have a DB-25 connection, you should use a standard DB-25 cable.

The MikroTik driver for the MOXA C101 Synchronous adapter allows you to unplug the V.35 cable from one modem and plug it into another modem with a different c
459. ult: accept) - specifies what action to undertake with a packet that matches the policy:
 - accept - pass the packet
 - drop - drop the packet
 - encrypt - apply the transformations specified in this policy and its SA
level (acquire | require | use; default: require) - specifies what to do if some of the SAs for this policy cannot be found:
 - use - skip this transform, do not drop the packet and do not acquire an SA from the IKE daemon
 - acquire - skip this transform, but acquire an SA for it from the IKE daemon
 - require - drop the packet, but acquire an SA
ipsec-protocols (multiple choice: ah | esp; default: esp) - specifies what combination of Authentication Header and Encapsulating Security Payload protocols you want to apply to matched traffic. AH is applied after ESP, and in case of tunnel mode ESP will be applied in tunnel mode and AH in transport mode
tunnel (yes | no; default: no) - specifies whether to use tunnel mode
sa-src-address (IP address; default: 0.0.0.0) - SA source IP address
sa-dst-address (IP address; default: 0.0.0.0) - SA destination IP address
proposal (name; default: default) - name of the proposal information that will be sent by the IKE daemon to establish SAs for this policy
manual-sa (name; default: none) - name of the manual-sa template that will be used to create SAs for this policy
 - none - no manual keys are set
dont-fragment (clear | inherit | set; default: clear) - the state of the don't fragment IP header field:
 - clear - clear (unset) the fiel

Note that level=use and level=acquire are fail-open: while no SA exists, matched traffic is forwarded without protection. For traffic that must never leave in the clear, keep require (the default), which drops packets until the SA is in place.
460. ult route with type 1 metric only if it has been installed (a static default route or a route added by DHCP, PPP, etc.)
 - if-installed-as-type-2 - send the default route with type 2 metric only if it has been installed (a static default route or a route added by DHCP, PPP, etc.)
 - always-as-type-1 - always send the default route with type 1 metric
 - always-as-type-2 - always send the default route with type 2 metric
redistribute-connected (as-type-1 | as-type-2 | no; default: no) - if set, the router will redistribute the information about all connected routes, i.e. routes to directly reachable networks
redistribute-static (as-type-1 | as-type-2 | no; default: no) - if set, the router will redistribute the information about all static routes added to its routing database, i.e. routes that have been created using the /ip route add command
redistribute-rip (as-type-1 | as-type-2 | no; default: no) - with this setting enabled, the router will redistribute the information about all routes learned by the RIP protocol
redistribute-bgp (as-type-1 | as-type-2 | no; default: no) - with this setting enabled, the router will redistribute the information about all routes learned by the BGP protocol
metric-default (integer; default: 1) - specifies the cost of the default route
metric-connected (integer; default: 20) - specifies the cost of the routes to directly connected networks
metric-static (integer; default: 20) - specifies the cost of the static rout
461. unicast mode only with an unknown IP address of the NTP server. To discover an NTP server, the client sends a multicast message (IP 239.192.1.1). If an NTP server is configured to listen for these multicast messages (manycast mode is enabled), it replies. After the client receives a reply, it enters unicast mode and synchronizes to that NTP server. But in parallel the client continues to look for more NTP servers by sending multicast messages periodically.

Note that in this mode the client synchronizes to whichever server answers on 239.192.1.1, so any host on the segment can become its time source. Where timestamps matter (logs, certificate validity), use unicast mode with fixed server addresses.

Client

Home menu level: /system ntp client

Property Description

enabled (yes | no; default: no) - whether the NTP client is enabled or not
mode (unicast | broadcast | multicast | manycast; default: unicast) - NTP client mode
primary-ntp (IP address; default: 0.0.0.0) - specifies the IP address of the primary NTP server
secondary-ntp (IP address; default: 0.0.0.0) - specifies the IP address of the secondary NTP server
status (read-only: text) - status of the NTP client:
 - stopped - NTP is not running (NTP is disabled)
 - error - there was some internal error starting the NTP service; please try to restart (disable and enable) the NTP service
 - started - the NTP client service is started, but an NTP server is not found yet
 - failed - the NTP server sent an invalid response to our NTP client (the NTP server is not synchronized to some other time source)
 - reached - NTP server contacted; comparing the local clock to the NTP server's clock (the duration of this phase is approximately 30s)
 - timeset - local time changed to the NTP server's time (duration
462. unt of memory to use. The sniffer will stop after this limit is reached
file-name (text; default: "") - the name of the file where the sniffed packets will be saved
file-limit (integer; default: 10) - the limit of the file in KB. The sniffer will stop after this limit is reached
streaming-enabled (yes | no; default: no) - whether to send sniffed packets to a remote server
streaming-server (IP address; default: 0.0.0.0) - Tazmen Sniffer Protocol (TZSP) stream receiver
filter-stream (yes | no; default: yes) - whether to ignore sniffed packets that are destined to the stream server
filter-protocol (all-frames | ip-only | mac-only-no-ip; default: ip-only) - specific protocol group to filter:
 - all-frames - sniff all packets
 - ip-only - sniff IP packets only
 - mac-only-no-ip - sniff non-IP packets only
filter-address1 (IP address/mask:port; default: 0.0.0.0/0:0-65535) - criterion for choosing the packets to process
filter-address2 (IP address/mask:port; default: 0.0.0.0/0:0-65535) - criterion for choosing the packets to process
running (read-only: yes | no; default: no) - yes if the sniffer is started, otherwise no

Notes

filter-address1 and filter-address2 are used to specify the two participants in a communication, i.e. they will match only if one of them matches the source address and the other one matches the destination address of a packet. These properties are taken into account only if filter-protocol is

Keep filter-stream=yes when streaming: otherwise the sniffer captures its own TZSP stream and feeds it back into the stream. TZSP carries the sniffed packets unencrypted to the receiver, so treat the stream as sensitive traffic.
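The Notes above define how the two filter-address criteria combine: the pair matches a packet in either direction, as long as one criterion fits the source and the other the destination. The following Python is an added example (not RouterOS code, not from the manual) that parses criteria in the documented ip/mask:port-port form and applies that bidirectional rule to a few constructed packets, so you can check what a given pair would actually capture before starting the sniffer.

```python
"""Bidirectional matching of the documented filter-address1/filter-address2
criteria of the packet sniffer. Added example, not RouterOS code.

Each criterion has the documented form  ip/mask:port-port ; the default
0.0.0.0/0:0-65535 matches anything. A packet matches only if one criterion
matches its source and the other its destination, in either orientation.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass(frozen=True)
class Criterion:
    network: ipaddress.IPv4Network
    port_lo: int
    port_hi: int

    @classmethod
    def parse(cls, text: str) -> "Criterion":
        """Parse 'a.b.c.d/len:lo-hi'; '/len' and ':lo-hi' are optional."""
        addr, _, ports = text.partition(":")
        if "/" not in addr:
            addr += "/32"
        net = ipaddress.IPv4Network(addr, strict=False)
        if ports:
            lo, _, hi = ports.partition("-")
            lo_i, hi_i = int(lo), int(hi or lo)
        else:
            lo_i, hi_i = 0, 65535
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range in {text!r}")
        return cls(net, lo_i, hi_i)

    def matches(self, ep: Endpoint) -> bool:
        return (ipaddress.IPv4Address(ep.ip) in self.network
                and self.port_lo <= ep.port <= self.port_hi)


def sniffer_matches(addr1: str, addr2: str, src: Endpoint, dst: Endpoint) -> bool:
    """True if (addr1, addr2) match (src, dst) in either orientation."""
    c1, c2 = Criterion.parse(addr1), Criterion.parse(addr2)
    return ((c1.matches(src) and c2.matches(dst))
            or (c1.matches(dst) and c2.matches(src)))


# Constructed sample traffic: one HTTP request/reply pair between a client
# and a server, plus an unrelated SSH packet on the same network.
SAMPLE = [
    (Endpoint("10.0.0.5", 40001), Endpoint("192.168.0.17", 80)),   # request
    (Endpoint("192.168.0.17", 80), Endpoint("10.0.0.5", 40001)),   # reply
    (Endpoint("10.0.0.9", 51000), Endpoint("192.168.0.17", 22)),   # other flow
]


def select(addr1: str, addr2: str):
    """Indices of SAMPLE packets the criterion pair would capture."""
    return [i for i, (s, d) in enumerate(SAMPLE)
            if sniffer_matches(addr1, addr2, s, d)]


if __name__ == "__main__":
    print(select("10.0.0.0/24", "192.168.0.17/32:80"))       # [0, 1]
    print(select("0.0.0.0/0:0-65535", "0.0.0.0/0:0-65535"))  # [0, 1, 2]
```

The first call captures both halves of the HTTP conversation but not the SSH packet, even though the port 80 criterion is given second; swapping the two arguments gives the same result, which is exactly the symmetry the Notes describe.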
463. urce 0.0.0.0 gateway 10.10.10.1 gateway-state reachable distance 1 interface Public
 2 DC dst-address 10.10.10.0/24 preferred-source 10.10.10.1 gateway 0.0.0.0 gateway-state reachable distance 0 interface Public
[admin@MikroTik] ip route>

To set that the 192.168.0.0/16 network is reachable via both the 10.10.10.2 and 10.10.10.254 gateways:

[admin@MikroTik] ip route> set 0 gateway 10.10.10.2,10.10.10.254
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, r - rip, o - ospf, b - bgp
 #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
 0  S 192.168.0.0/16     r 10.10.10.2      1        Local
                         r 10.10.10.254             Local
 1  S 0.0.0.0/0          r 10.10.10.1      1        Public
 2 DC 10.10.10.0/24      r 0.0.0.0         0        Public
[admin@MikroTik] ip route>

Routing Tables

Home menu level: /ip policy-routing

Description

Policy routing allows to select routes in order to vary the use of network resources for certain classes of users; in other words, you can set different routes to the same networks depending on some classifiers. This is implemented using multiple routing tables and a list of rules specifying how these tables should be used.

Policy routing in MikroTik RouterOS is based on the source and destination addresses of a packet, the interface the packet arrives on, and the firewall mark that may be associated with some packets. When find
464. ure WinBox connections
2.4GHz/5GHz Wireless Client
IP telephony support (telephony): H.323
PP: forces the PCI to CardBus Bridge to use IRQ 11 (as in ThinRouters)
APC Smart Mode UPS support
HTTP Web proxy
Provides support for Cisco Aironet cards (wireless), Prism II and Atheros wireless stations and APs
thinrouter-pcipc
2.4GHz/5GHz Wireless Client
2.4GHz/5GHz Wireless Server
optional support for Frame Relay and Moxa C101, Moxa C502 synchronous, Farsync, Cyclades Synchronous PC300, LMC SBE and XPeed synchronous cards

Specifications Sheet

Document revision 2.4 (18-Feb-2004)
This document applies to MikroTik RouterOS V2.8

Table of Contents

 Description
 General Information
  Description
  Major features
  Hardware requirements
  Hardware needed for installation time only
  Configuration possibilities
   Clean and consistent user interface
   Runtime configuration and monitoring
   Multiple connections
   User policies
   Action history: undo/redo actions, safe mode operation
   Scripts can be scheduled for executing at certain times, periodically or on events. All command line commands are supported in scripts

Device Driver List

Document revision 2.1 (10-Feb-2004)
This document applies to MikroTik RouterOS V2.8

Table of Contents

 Summary
 Ethernet
  Specifications
  Description
  Notes
 Wireless
  Specifications
  Description
  Aironet Arlan S
465. username
domain (read-only: text) - domain name (if split from the username)
mac-address (read-only: MAC address) - the user's MAC address
expires-in (read-only: time) - how long the cookie is valid

Example

To get the list of valid cookies:

[admin@MikroTik] ip hotspot cookie> print
 # USER   DOMAIN MAC-ADDRESS        EXPIRES-IN
 0 Ex            01:23:45:67:89:AB  23h54m16s
[admin@MikroTik] ip hotspot cookie>

Walled Garden

Home menu level: /ip hotspot walled-garden

Description

A walled garden is a system which allows unauthorized use of some resources, but requires authorization to access other resources. This is useful, for example, to give access to some general information about the HotSpot service provider or billing options.

Property Description

dst-host (text; default: "") - domain name of the destination web server (this is a regular expression)
dst-port (integer; default: "") - the TCP port a client has sent the request to
path (text; default: "") - the path of the request (this is a regular expression)
action (allow | deny; default: allow) - action to undertake if a packet matches the rule:
 - allow - allow access to the page without prior authorization
 - deny - authorization is required to access this page

Because dst-host and path are regular expressions, escape literal dots and anchor the pattern, as the example below does with \. and $. An unescaped or unanchored pattern also matches hosts and paths you did not intend to open to unauthorized clients.

Example

To allow unauthorized requests to the www.example.com domain's paynow.html page:

[admin@MikroTik] ip hotspot walled-garden> add path=paynow\.html$ dst-host=www\.example\.com
[admin
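The walled-garden rule above relies on dst-host and path being regular expressions. The following Python is an added example (not RouterOS code and not from the manual) that evaluates a rule list against constructed HotSpot requests the way the documented properties describe, and compares three spellings of the same intent: the manual's rule as printed, a careless version with unescaped dots and no anchors, and a fully anchored version. Two details are assumptions, because the manual does not state them: the first matching rule decides, and the path includes the leading slash.

```python
"""Walled-garden rule evaluation as documented: dst-host and path are
regular expressions and the action is allow or deny.

Added example, not RouterOS code. Assumptions: the first matching rule
decides, and the request path starts with '/'. Requests are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    dst_host: str = ""            # regex; "" matches any host
    path: str = ""                # regex; "" matches any path
    dst_port: Optional[int] = None
    action: str = "allow"


def rule_matches(rule: Rule, host: str, port: int, path: str) -> bool:
    if rule.dst_port is not None and rule.dst_port != port:
        return False
    if rule.dst_host and not re.search(rule.dst_host, host):
        return False
    if rule.path and not re.search(rule.path, path):
        return False
    return True


def walled_garden_decision(rules: List[Rule], host: str, port: int, path: str) -> str:
    """'allow' = reachable without login, 'deny' = login required.
    A request matching no rule is outside the garden, i.e. deny."""
    for rule in rules:
        if rule_matches(rule, host, port, path):
            return rule.action
    return "deny"


# The manual's rule exactly as printed: dots escaped, path anchored at the
# end, host not anchored.
MANUAL = [Rule(dst_host=r"www\.example\.com", path=r"paynow\.html$")]
# The same intent typed carelessly: dots unescaped, nothing anchored.
LOOSE = [Rule(dst_host=r"www.example.com", path=r"paynow.html")]
# Fully anchored on both fields.
STRICT = [Rule(dst_host=r"^www\.example\.com$", path=r"^/paynow\.html$")]

# Constructed requests from an unauthenticated HotSpot client.
REQUESTS = [
    ("www.example.com", 80, "/paynow.html"),                     # intended
    ("wwwXexampleXcom", 80, "/paynow.html"),                     # '.' as wildcard
    ("www.example.com.attacker.example", 80, "/paynow.html"),    # host suffix
    ("www.example.com", 80, "/paynow.html.php"),                 # path suffix
]


def evaluate(rules: List[Rule]) -> List[str]:
    return [walled_garden_decision(rules, h, p, u) for h, p, u in REQUESTS]


if __name__ == "__main__":
    for label, rules in (("manual", MANUAL), ("loose", LOOSE), ("strict", STRICT)):
        print(f"{label:7}", evaluate(rules))
```

The loose rule opens all four requests. The manual's rule closes the wildcard-dot and path-suffix cases but, because dst-host is not anchored, still admits a host such as www.example.com.attacker.example; anchoring both fields leaves only the intended page open.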
466. using outer networks (e.g. the Internet), i.e. there is NO TRAFFIC coming from that client and going through the router. keepalive-timeout is used to detect that the client's computer is still alive and reachable; if the check fails during this period, the client will be logged out. session-timeout is an unconditional uptime limit.

Example

To use the enabled-address method that uses the logged-in mark and logs a client off if he disappears for more than a minute:

[admin@MikroTik] ip hotspot profile> set default login-method=enabled-address mark-flow=logged-in keepalive-timeout=1m
[admin@MikroTik] ip hotspot profile> print
Flags: * - default
 0 * name="default" session-timeout=0s idle-timeout=0s only-one=yes tx-bit-rate=0 rx-bit-rate=0 incoming-filter="" outgoing-filter="" mark-flow="logged-in" login-method=enabled-address keepalive-timeout=1m
[admin@MikroTik] ip hotspot profile>

To define an additional profile that will also limit the download speed to 64 kilobit/s and the upload data rate to 32 kilobit/s, and call it limited:

[admin@MikroTik] ip hotspot profile> add copy-from=default tx-bit-rate=65536 rx-bit-rate=32768 name=limited
[admin@MikroTik] ip hotspot profile> print
Flags: * - default
 0 * name="default" session-timeout=0s idle-timeout=0s only-one=yes tx-bit-rate=0 rx-bit-rate=0 incoming-filter="" outgoing-filter="" mark-flow="logged-in" login-method=enabled-address keepalive-timeout=1m
467. ut1) - name of the PPPoE interface
interface (name) - interface the PPPoE server can be connected through
mtu (integer; default: 1480) - Maximum Transmission Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 20 (so, for a 1500-byte ethernet link, set the MTU to 1480 to avoid fragmentation of packets)
mru (integer; default: 1480) - Maximum Receive Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 20 (so, for a 1500-byte ethernet link, set the MRU to 1480 to avoid fragmentation of packets)
user (text; default: "") - a user name that is present on the PPPoE server
password (text; default: "") - the user password used to connect to the PPPoE server
profile (name; default: default) - profile for the connection
allow (multiple choice: mschap2 | mschap1 | chap | pap; default: mschap2, mschap1, chap, pap) - the protocols the client is allowed to use for authentication
service-name (text; default: "") - the service name set on the access concentrator. Many ISPs give the user name and address in the form user_name@service_name
ac-name (text; default: "") - this may be left blank and the client will connect to any access concentrator that offers the selected service name
add-default-route (yes | no; default: no) - whether to add a default route automatically
dial-on-demand (yes | no; default: no) - connects to the AC only when outbound traffic is generated and disconnects when there i

Two notes on the values above. The PPPoE and PPP headers together take 8 bytes, so 1492 is the largest MTU that avoids fragmentation on a 1500-byte link; the recommended 1480 simply leaves extra margin. The default allow list includes pap, which sends the password unencrypted over the link; restrict allow to mschap2 where the access concentrator supports it.
468. uter

Let us consider the following network setup with two MikroTik Routers connected to a leased line with baseband modems:

[Network diagram; labels recovered from the figure: Internet; interface Public, address 10.1.1.12/24; interface moxa, address 1.1.1.2/32; V.35; Baseband Modem - Baseband Modem; MikroTik V3, interface wan, address 1.1.1.1/32; interface ether, address 10.0.0.254/24; interface ether1, address 192.168.0.254/24; LAN 192.168.0.0/24; LAN 10.0.0.0/24]

The driver for the MOXA C502 card should be loaded and the interface should be enabled according to the instructions given above. The IP addresses assigned to the synchronous interface should be as follows:

[admin@MikroTik] ip address> add address 1.1.1.1/32 interface wan network 1.1.1.2 broadcast 255.255.255.255
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK          BROADCAST        INTERFACE
 0   10.0.0.254/24      10.0.0.254       10.0.0.255       ether2
 1   192.168.0.254/24   192.168.0.254    192.168.0.255    ether1
 2   1.1.1.1/32         1.1.1.2          255.255.255.255  wan
[admin@MikroTik] ip address> ping 1.1.1.2
1.1.1.2 64 byte pong: ttl=255 time=31 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 26/27.6/31 ms
[admin@MikroTik] ip address>

The default route should be set to the gateway router 1.1.1.2:

[admin@MikroTik] ip rout
469. vrrp>

Virtual IP addresses

Home menu level: /ip vrrp address

Property Description

address (IP address) - IP address that belongs to the virtual router
network (IP address) - IP address of the network
broadcast (IP address) - broadcast IP address
group (name) - name of the VRRP router the address belongs to

Notes

The virtual IP addresses should be the same for each node of a virtual router.

Example

To add the virtual address 192.168.1.1/24 to the vr1 VRRP router:

[admin@MikroTik] ip vrrp> address add address=192.168.1.1/24 group=vr1
[admin@MikroTik] ip vrrp> address print
Flags: X - disabled, A - active
 #   ADDRESS          NETWORK       BROADCAST       GROUP
 0   192.168.1.1/24   192.168.1.0   192.168.1.255   vr1
[admin@MikroTik] ip vrrp>

A simple example of VRRP fail-over

Description

The VRRP protocol may be used to make a redundant Internet connection with seamless fail-over. Let us assume that we have the 192.168.1.0/24 network and we need to provide a highly available Internet connection for it. This network should be NATted (to make fail-over with public IPs, use dynamic routing protocols such as BGP or OSPF together with VRRP). We have connections to two different Internet Service Providers (ISPs), and one of them is preferred (for example, it is cheaper or faster).

This example shows how to configure VRRP on the two routers shown on the diagram. The routers must have an initial configuration: interfaces are enabled, each inte
470. w operation has failed and the lease time is over, so the DHCP client is trying to request an IP address once again
address (read-only: IP address/mask) - the address received
dhcp-server (read-only: IP address) - IP address of the DHCP server that has given out the current lease
expires (read-only: text) - expiration time of the lease
gateway (read-only: IP address) - the gateway address received
primary-dns (read-only: IP address) - the address of the primary DNS server received
secondary-dns (read-only: IP address) - the address of the secondary DNS server received

Example

To check the obtained lease:

[admin@MikroTik] ip dhcp-client lease> print
           status: bounded
          address: 80.232.241.15/21
      dhcp-server: 10.1.0.172
          expires: oct/20/2002 09:43:50
          gateway: 80.232.240.1
      primary-dns: 195.13.160.52
    secondary-dns: 195.122.1.59
[admin@MikroTik] ip dhcp-client lease>

DHCP Server Setup

Home menu level: /ip dhcp-server

Description

The router supports an individual server for each Ethernet-like interface. The MikroTik RouterOS DHCP server supports the basic functions of giving each requesting client an IP address/netmask lease, default gateway, domain name, DNS server(s) and WINS server(s) (for Windows clients) information (set up in the DHCP networks submenu).

In order for the DHCP server to work, you must also set up IP pools (do not include the DHCP server's IP address in the pool range) and DHCP networks.

Property Description

name (n
471. well as to accept and route marked ones. As VLAN works on OSI Layer 2, it can be used just as any other network interface without any restrictions. And VLAN successfully passes through Ethernet bridges (for MikroTik RouterOS bridges you should set forward-protocols to ip, arp and other; for other bridges there should be analogous settings).

Currently Supported Interfaces

This is a list of network interfaces on which VLAN was tested and worked:

- Realtek 8139
- Intel PRO/100
- Intel PRO/1000 server adapter

This is a list of network interfaces on which VLAN was tested and worked, but WITHOUT LARGE PACKET (>1496 bytes) SUPPORT:

- 3Com 3c59x PCI
- DEC 21140 (tulip)

Additional Documents

- http://www.csd.uwo.ca/courses/CS45 Za/reports/handin/jpbojtos/A 2/trunking.htm
- nr ices boeing ble TATE biie ng
- http://www.cisco.com/warp/public/538/7.html
- http://www.nwfusion.com/news/tech/2001/0305tech.html

VLAN Setup

Home menu level: /interface vlan

Property Description

name (name) - interface name for reference
mtu (integer; default: 1500) - Maximum Transmission Unit
interface (name) - physical interface to the network where the VLANs are
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol setting:
 - disabled - the interface will not use the ARP protocol
 - enabled - the interface will use the ARP protocol
 - proxy-arp - the interface will be an ARP proxy
 - reply
472. wn in-interface=Public

[admin@MikroTik] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
 0   src-address=192.168.0.17/32:20-21 in-interface=Local protocol=tcp action=accept mark-flow=Server_Up
 1   in-interface=Local action=accept mark-flow=Local_Up
 2   in-interface=Public dst-address=192.168.0.17/32:20-21 protocol=tcp action=accept mark-flow=Server_Down
 3   in-interface=Public action=accept mark-flow=Local_Down
[admin@MikroTik] ip firewall mangle> /queue tree
[admin@MikroTik] queue tree> add name=Server_Down parent=Down limit-at=32000 flow=Server_Down max-limit=128000 priority=7
[admin@MikroTik] queue tree> add name=Local_Down parent=Down limit-at=0 flow=Local_Down
[admin@MikroTik] queue tree> print
Flags: X - disabled, I - invalid, D - dynamic
 0   name="Up" parent=Public flow="" limit-at=0 queue=default priority=8 max-limit=65536 burst-limit=0 burst-threshold=0 burst-time=0
 1   name="Server_Up" parent=Up flow="Server_Up" limit-at=32768 queue=default priority=7 max-limit=65536 burst-limit=0 burst-threshold=0 burst-time=0
 2   name="Local_Up" parent=Up flow="Local_Up" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0
 3   name="Down" parent=Local flow="" limit-at=0 queue=default priority=8 max-limit=131072 burst-limit=0 burst-threshold=0 burst-time=0
 4   name="Server_Down" parent=Down flow="Server_Down" limit-at=32768 queue=def
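A queue tree like the one printed above only delivers the guarantees it promises if the children fit inside their parent: the limit-at values of the children must not add up to more than the parent's max-limit, and a child's own max-limit cannot usefully exceed the parent's. The following Python is an added example (not RouterOS code and not from the manual) that parses print output in the format shown, reconstructed here from the lines above and the Server_Down add command, and reports those two inconsistencies. Treating max-limit=0 as "no limit, inherit the parent's ceiling" is an assumption.

```python
"""Consistency check over a /queue tree in the printed `print` format.

Added example, not RouterOS code. It parses name, parent, limit-at and
max-limit from each line and flags what a shaper cannot honour:
children whose summed limit-at exceeds the parent's max-limit, a child
max-limit above the parent's, and a limit-at above the queue's own
max-limit. Assumption: max-limit=0 means "no limit" and inherits the
parent's ceiling. Values are in bits per second, as RouterOS prints them.
"""
import re
from typing import Dict, List

FIELD = re.compile(r'(\S+?)=("[^"]*"|\S+)')

# Constructed from the print output above plus the Server_Down/Local_Down
# add commands (the add command gave Server_Down limit-at=32000).
PRINT_OUTPUT = """\
0 name="Up" parent=Public flow="" limit-at=0 queue=default priority=8 max-limit=65536
1 name="Server_Up" parent=Up flow="Server_Up" limit-at=32768 queue=default priority=7 max-limit=65536
2 name="Local_Up" parent=Up flow="Local_Up" limit-at=0 queue=default priority=8 max-limit=0
3 name="Down" parent=Local flow="" limit-at=0 queue=default priority=8 max-limit=131072
4 name="Server_Down" parent=Down flow="Server_Down" limit-at=32000 queue=default priority=7 max-limit=128000
5 name="Local_Down" parent=Down flow="Local_Down" limit-at=0 queue=default priority=8 max-limit=0
"""


def parse_queue_tree(text: str) -> Dict[str, dict]:
    """Map queue name -> {parent, limit_at, max_limit} from print output."""
    queues: Dict[str, dict] = {}
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if "name" not in fields:
            continue
        queues[fields["name"]] = {
            "parent": fields["parent"],
            "limit_at": int(fields.get("limit-at", 0)),
            "max_limit": int(fields.get("max-limit", 0)),
        }
    return queues


def check_queue_tree(queues: Dict[str, dict]) -> List[str]:
    """Return human-readable problems; an empty list means consistent."""
    problems: List[str] = []
    for name, q in queues.items():
        children = [(c, cq) for c, cq in queues.items() if cq["parent"] == name]
        if not children:
            continue
        ceiling = q["max_limit"]          # 0 = unlimited, nothing to exceed
        guaranteed = sum(cq["limit_at"] for _, cq in children)
        if ceiling and guaranteed > ceiling:
            problems.append(f"{name}: children guarantee {guaranteed} > max-limit {ceiling}")
        for c, cq in children:
            if ceiling and cq["max_limit"] > ceiling:
                problems.append(f"{c}: max-limit {cq['max_limit']} exceeds parent {name} ({ceiling})")
            if cq["max_limit"] and cq["limit_at"] > cq["max_limit"]:
                problems.append(f"{c}: limit-at {cq['limit_at']} > own max-limit {cq['max_limit']}")
    return problems


if __name__ == "__main__":
    tree = parse_queue_tree(PRINT_OUTPUT)
    for line in check_queue_tree(tree) or ["queue tree is consistent"]:
        print(line)
```

On the tree above the check passes: Server_Up's 32768 bit/s guarantee fits under Up's 65536 ceiling, and Server_Down's 32000 guarantee and 128000 max-limit both fit under Down's 131072. Raising Server_Down's limit-at above 131072, or giving it a max-limit above the parent, produces a report instead of a silently unmet guarantee.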
473. yn AT-2970SX Gigabit Ethernet Adapter
- Allied Telesyn AT-2970SX/2SC Gigabit Ethernet Adapter
- Allied Telesyn AT-2970TX Gigabit Ethernet Adapter
- Allied Telesyn AT-2970TX/2TX Gigabit Ethernet Adapter
- Allied Telesyn AT-2971SX Gigabit Ethernet Adapter
- Allied Telesyn AT-2971T Gigabit Ethernet Adapter
- DGE-530T Gigabit Ethernet Adapter
- EG1032 v2 Instant Gigabit Network Adapter
- EG1064 v2 Instant Gigabit Network Adapter
- Marvell 88E8001 Gigabit LOM Ethernet Adapter
- Marvell RDK-80xx Adapter
- Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter
- N-Way PCI Bus Giga-Card 1000/100/10Mbps(L)
- SK-9521 10/100/1000Base-T Adapter
- SK-98xx Gigabit Ethernet Server Adapter
- SMC EZ Card 1000
- Marvell Yukon 88E8010 based
- Marvell Yukon 88E8003 based
- Marvell Yukon 88E8001 based

National Semiconductor DP83810
Chipset type: National Semiconductor DP83810 PCI 10/100BaseT
- RouterBoard 200 built-in Ethernet
- RouterBoard 24 4-port Ethernet
- NS DP8381x based cards

National Semiconductor DP83820
Chipset type: National Semiconductor DP83820 PCI 10/100/1000BaseT
- Planet ENW-9601T
- NS DP8382x based cards

NE2000 ISA
Chipset type: NE2000 ISA 10Base
- various ISA cards

NE2000 PCI
Chipset type: NE2000 PCI 10Base
- RealTek RTL-8029
- Winbond 89C940 and 89C940F
- Compex RL2000
- KTI ET32P2
- NetVin NV5000SC
- Via 86C926
- SureCom NE34
- Holtek HT80232
- Holtek HT80229
- IMC EtherNic PCI FO

NS8390
Chipset type: NS