General Information - Lobometrics High Power Outdoor/Indoor
Contents
1. The Remote router will be the pptp client admin Remot interface pptp client gt add name pptp user joe connect to 192 168 1 1 password top_s3 mtu 1500 mru 1500 admin Remot interface pptp client gt enable pptp admin Remot interface pptp client gt print Flags X disabled R running 0 R name pptp mtu 1500 mru 1500 connect to 192 168 1 1 user joe password top_s2 profile default add default route no admin Remote interface pptp client gt monitor pptp status connected uptime 39m46s encoding none admin Remote interface pptp client gt See the PPTP Interface Manual for more details on setting up encrypted channels Other trademarks and registred trademarks mentioned herein are properties of their respective owners 2 Configure the EoIP tunnel by adding the eoip tunnel interfaces at both routers Use the ip addresses of the pptp tunnel interfaces when specifying the argument values for the EoIP tunnel admin Our_GW interface eoip gt add name eoip remote tunnel id 0 remote address 10 0 0 2 admin Our_GW interfac oip gt enabl oip remot admin Our_GW interface eoip gt print Flags X disabled R running 0 nam oip remote mtu 1500 arp enabled remote address 10 0 0 2 tunnel id 0 admin Our_GW interface eoip gt admin Remot interfac oip gt add name eoip tunnel id 0 r2. DST ADDRESS G GATEWAY DISTANCE INTERFACE O A S 10 1 12 0 24 r 192 168 0 253 Local 1 ADC 10 5 8 0 24 Public 2 ADC 192 168 0 0 24 Local 3 AS 0 0 0 0 0 E TOSS Biel Public admin Lobo924 ip route gt General Information Other trademarks and registred trademarks mentioned herein are properties of their respective owners Static Equal Cost Multi Path routing Consider the following situation where we have to route packets from the network 192 168 0 0 24 to 2 gateways 10 1 0 1 and 10 1 1 1 Note that the ISP1 gives us 2Mbps and ISP2 4Mbps so we want a traffic ratio 1 2 1 3 of the source destination IP pairs from 192 168 0 0 24 goes through ISP1 and 2 3 through ISP2 IP addresses of the router admin ECMP Router ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 192 168 0 254 24 192 168 0 0 192 168 0 255 Local 1 10 1 0 2 28 10 1 0 0 10 1 0 15 Publicl 2 10 1 1 2 28 WO rected eU LO dd 5 Public2 admin ECMP Router ip address gt Add the default routes one for ISP1 and 2 for ISP2 so we can get the ratio 1 3 admin ECMP Router ip route gt add gateway 10 1 0 1 10 1 1 1 10 1 1 1 admin ECMP Router ip route gt print Flags X disabled A active D dynamic Cc connect S static t rip B bgp ospf DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 ADC 10 1 0 0 28 Publicl 1 ADC 10
3. admin Lobo924 interface pptp client gt monitor test2 uptime 4h35s encoding MPPE 128 bit stateless status Connected admin Lobo924 interface pptp client gt PPTP Server Setup Home menu level interface pptp server server Description The PPTP server creates a dynamic interface for each connected PPTP client The PPTP connection count from clients depends on the license level you have Levell license allows 1 PPTP client Level3 or Level4 licenses up to 200 clients and Level5 or Level6 licenses do not have PPTP client limitations Other trademarks and registred trademarks mentioned herein are properties of their respective owners To create PPTP users you should consult the PPP secret and PPP Profile manuals It is also possible to use the Lobo router as a RADIUS client to register the PPTP users see the manual how to do it Property Description authentication multiple choice pap chap mschapl mschap2 default mschap2 authentication algorithm default profile default profile to use enabled yes no default no defines whether PPTP server is enabled or not keepalive timeout time default 30 defines the time period in seconds after which the router is starting to send keepalive packets every second If no traffic and no keepalive responses has came for that period of time i e 2 keepalive timeout not responding client is proclaimed disconnected mru integer default 1460 Max
4. admin Lobo924 ip arp gt ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 217 24 10 0 0 0 10 0 0 255 eth LAN 1D 10 0 0 217 32 10 0 0 230 0 0 0 0 pppoe in25 2 D 10 0 0 217 32 10 0 0 231 0 0 0 0 pppoe in26 admin Lobo924 ip arp gt ip route print Flags X disabled I invalid D dynamic J rejected iC connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 e10 0 0 1 1 eth LAN 1 DC 10 0 0 0 24 r 0 0 0 0 0 eth LAN 2 DC 10 0 0 230 32 r 0 0 0 0 0 pppoe in25 3 DC 10 0 0 231 32 r 0 0 0 0 0 pppoe in26 admin Lobo924 ip arp gt Unnumbered Interfaces Other trademarks and registred trademarks mentioned herein are properties of their respective owners Description Unnumbered interfaces can be used on serial point to point links e g MOXA or Cyclades interfaces A private address should be put on the interface with the network being the same as the address on the router on the other side of the p2p link there may be no IP on that interface but there is an ip for that router Example admin Lobo924 ip address gt add address 10 0 0 214 32 network 192 168 0 1 interface pppsync admin Lobo924 ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 214 32 192 168 0 1 192 168 0
5. NAME AREA ID STUB DEFAULT COST AUTHENTICATION 0 backbone 0 0 0 0 none 1 local_10 0 0 101 5 no Al none admin WiFi routing ospf area gt Networks Home menu level routing ospf network Description There can be Point to Point networks or Multi Access networks Multi Access network can be a broadcast network a single message can be sent to all routers To start the OSPF protocol you have to define the networks on which it will run and the area ID for each of those networks Property Description area name default backbone the OSPF area to be associated with the specified address range network IP address mask default 20 the network associated with the area The network argument allows defining one or multiple interfaces to be associated with a specific OSPF area Only directly connected networks of the router may be specified Notes You should set the network address exactly the same as the remote point IP address for point to point links The right netmask in this case is 32 Example Other trademarks and registred trademarks mentioned herein are properties of their respective owners To enable the OSPF protocol on the 10 10 1 0 24 network and include it into the backbone area do the following admin Lobo924 routing ospf network gt add area backbone network 10 10 1 0 24 admin Lobo924 routing ospf network gt print Flags X disabled NETWORK AREA 0 10 10 1 0 24 backbone admin Lobo924 routing
6. Other trademarks and registred trademarks mentioned herein are properties of their respective owners auth key 9cf2123b8b5add950e3e67b9eac7 9421d406aa09 nce key ffe7ec65b7a385c3 add lifetime 24m 30m use lifetime 0s 0s lifebytes 0 0 current addtime jul 12 2002 16 13 21 current usetime jul 12 2002 16 13 21 current bytes 71896 IE spi 319317260 direction in src address 10 0 1 2 dst address 10 0 1 1 auth algorithm shal enc algorithm des replay 4 state matur auth key 7575 5624914dd312839694db2622a318030bc3b enc key 633593f809c9d6af add lifetime 24m 30m use lifetime 0s 0s lifebytes 0 0 current addtime jul 12 2002 16 13 21 current usetime jul 12 2002 16 13 21 current bytes 0 admin Lobo924 ip ipsec installed sa gt on CISCO router cisco show interface Serial 0 interface Seriall Crypto map tag mymap local addr 10 0 1 2 local ident addr mask prot port 10 0 2 0 255 255 255 0 0 0 remote ident addr mask prot port 10 0 0 0 255 255 255 0 0 0 current_peer 10 0 1 1 PERMIT flags origin_is_acl ts encaps 1810 pkts encrypt 1810 pkts digest 1810 ts decaps 1861 pkts decrypt 1861 pkts verify 1861 ts compressed 0 pkts decompressed 0 pkts not compressed 0 pkts compr failed 0 pkts decompress failed 0 send errors 0 recv errors 0 local crypto endpt 10 0 1 2 remote crypto endpt 10 0 1 1 path mtu 1500 media mtu 1500 current outbound spi 1308650C inbound esp sas spi 0x9
7. MIR Maximal Information Rate the maximal data rate router will provide e Priority the order of importance in what traffic will be processed You can give priority to some traffic in order it to be handeled before some other traffic e Contention Ratio the ratio to which the defined data rate is shared among users when data rate is allocated to a number of subscribers It is the number of subscribers that have a single speed limitation applied to all of them together For example the contention ratio of 1 4 means that the allocated data rate may be shared between no more than 4 users Before sending data over an interface it is processed with a queuing discipline By default queuing Other trademarks and registred trademarks mentioned herein are properties of their respective owners disciplines are set under queue interface for each physical interface there is no default queuing discipline for virtual interfaces Once we add a queue in queue tree to a physical interface the interface default queue defined in queue interface for that particular interface gets ignored It means when a packet does not match any filter it is sent through the interface with the highest priority Scheduler and Shaper qdiscs We can classify queuing disciplines by their influence to packet flow e schedulers queuing disciplines only reschedule packets regarding their algorithm and drop packets which do not fit in the queue Schedule
8. receive data using 2 4ghz b band Example To enable the nstreme2 protocol on a router 1 Having two Atheros AR5212 based cards which are not used for anything else to group them into a nstreme interface switch both of them into nstreme slave mode admin Lobo924 interface wireless gt print Flags X disabled R running 0 name wlanl mtu 1500 mac address 00 0B 6B 31 02 4F arp enabled disable running check no interface type Atheros AR5212 radio name 000B6B31024F mode station ssid Lobo frequency 5180 band 5GHz scan list default ism supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default noise floor threshold default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge non update stats interval disabled default authentication yes default forwarding yes hide ssid no 802 1x mode none 1 name wlan2 mtu 1500 mac address 00 0B 6B 30 B4 A4 arp enabled disable running check no interface type Atheros AR5212 radio name 000B6B30B4A4 mode station ssid Lobo frequency 5180 band 5GHz scan list default ism supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rate
9. symbols Other trademarks and registred trademarks mentioned herein are properties of their respective owners password text default user password If not specified it is left blank hit Enter when logging in It conforms to standard Unix characteristics of passwords and may contain letters digits and _ symbols Notes There is one predefined user with full access rights admin Lobo924 user gt print Flags X disabled NAME GROUP ADDRESS 0 i777 system default user admin full 0 0 0 0 0 admin Lobo924 user gt There always should be at least one user with fulls access rights If the user with full access rights is the only one it cannot be removed Example To add user joe with password j102e3 belonging to write group enter the following command admin Lobo924 user gt add name joe password j102e3 group write admin Lobo924 user gt print Flags X disabled 0 777 system default user name admin group full address 0 0 0 0 0 1 name joe group write address 0 0 0 0 0 admin Lobo924 user gt Monitoring Active Router Users Command name user active print Description This command shows the currently active users along with respective statisics information Property Description address read only IP address host IP address from which the user is accessing the router e 0 0 0 0 the user is logged in locally from the console name read only name user name via read
10. wds ignor t authentication yes ssid no ant a ssid no security profile default disconnect timeout 3s on fail retry tim admin PPPol interfac wireless gt E Server 100ms preamble mode both Now configure the Ethernet interface add the IP address and set the default route admin PP admin PP Flags ADDRI 0 Pol E Server Pol E Server XxX disabled ESS 10 1 0 3 24 Other trademarks and registred trademarks mentioned herein are properties of their respective owners ip address gt add address 10 1 0 3 24 in ip address gt print I invalid D dynamic NETWORK BROADCAST 10 1 0 0 1041405255 INTERFACE Local terface Local admin PPPoE Server ip address gt ip route admin PPPoE Server ip route gt add gateway 10 1 0 1 admin PPPoE Server ip route gt print Flags X disabled A active D dynamic C connect S static r rip b bgp o ospf DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 ADC 10 1 0 0 24 Local L AS 0 0 0 0 0 E LOs LOL 1 Local admin PPPoE Server ip route gt interfac thernet admin PPPoE Server interfac thernet gt set Local arp proxy arp admin PPPoE Server interfac thernet gt print Hj m ma lags X disabled R running NAME MTU MAC ADDRESS ARP 0 R Local 1500 00 0C 42 03 25 53 proxy arp admin PPPoE Server interfac thernet gt We should add P
11. After that we can see that HTTPS is running on hotspot interface Bypass hotspot for some devices in hotspot network All IP binding entries with type property set to bypassed will not be asked to authorize it means that they will have login free access If all fields has been filled in the ip binding table and type has been set to bypassed then the IP address of this entry will be accessible from public interfaces immediately Other trademarks and registred trademarks mentioned herein are properties of their respective owners HTTP Proxy Document revision 1 1 Wed Jul 06 09 55 38 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Quick Setup Guide Specifications Related Documents Description Setup Property Description Notes Example Access List Description Property Description Notes Direct Access List Description Property Description Notes HTTP Methods Description General Information Summary The Lobo OSB implements the following proxy server features Regular HTTP proxy Transparent proxy Can be transparent and regular at the same time Access list by source destination URL and requested method Direct Access List specifies which resources should be accessed directly and which through another proxy server Logging facility Quick Setup Guide To enable HTTP proxy do the following admin Lobo924 ip proxy gt set enabled yes
12. General Information Dynamic Addressing using DHCP Relay Let us consider that you have several IP networks behind other routers but you want to keep all DHCP servers on a single router To do this you need a DHCP relay on your network which relies DHCP requests from clients to DHCP server This example will show you how to configure a DHCP server and a DHCP relay which serve 2 IP networks 192 168 1 0 24 and 192 168 2 0 24 that are behind a router DHCP Relay IP addresses of DHCP Server admin DHCP Server ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 192 168 0 1 24 192 168 0 0 192 168 0 255 To DHCP Relay 1 10 1 0 2 24 10 1 0 0 10 1 0 255 Public admin DHCP Server ip address gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners IP addresses of DHCP Relay admin DHCP Relay ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST I 0 192 168 0 1 24 192 168 0 0 192 168 0 255 T 1 192 168 1 1 24 192 168 1 0 192 168 1255 L 2 192 168 2 1 24 192 168 2 0 192 168 2 255 L admin DHCP Relay ip address gt To setup 2 DHCP Servers on DHCP Server router add 2 pools 192 168 2 ip pool add name ip pool admin DHCP Server NAME By 0 add name 0 Locall Pool 1 Local2 Pool admin DHCP Server Locall Pool range
13. General Information Summary Lobo OSB offers several features for monitoring and managing the system resources Specifications Packages required system License required levell Home menu level system Standards and Technologies None Hardware usage Not significant Related Documents e Software Package Management NTP Network Time Protocol System Resource Home menu level system resource Notes In monitor command priotout the values for cpu usage and free memory are in percentage and kilobytes respectively Other trademarks and registred trademarks mentioned herein are properties of their respective owners Reboot Command name system reboot Description The system reboot is required when upgrading or installing new software packages The packages are installed during the system shutdown The reboot process sends termination signal to all running processes unmounts the file systems and reboots the router Notes Only users which are members of groups with reboot privileges are permitted to reboot the router Reboot can be called from scripts in which case it does not prompt for confirmation Example admin Lobo924 gt system reboot Reboot yes y N y system will reboot shortly admin Lobo924 gt Shutdown Command name system shutdown Description Before turning the power off for the router the system should be brought to halt The shutdown process sends termination
14. Other trademarks and registred trademarks mentioned herein are properties of their respective owners General Interface Settings Document revision 1 1 Fri Mar 05 08 08 52 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Description Interface Status Property Description Example Traffic Monitoring Description Property Description Notes Example General Information Summary Lobo OSB supports a variety of Network Interface Cards as well as some virtual interfaces like Bonding Bridge VLAN etc Each of them has its own submenu but there is also a list of all interfaces where some common properties can be configured Description The Manual describes general settings of Lobo OSB interfaces Interface Status Home menu level interface Property Description name text the name of the interface type read only arlan bonding bridge cyclades eoip ethernet farsync ipip isdn client isdn server l2tp client 12tp server moxa c101 moxa c502 mtsync pc ppp client ppp server pppoe client pppoe server pptp client pptp server pvc radiolan sbe vlan wavelan wireless xpeed interface type mtu integer maximum transmission unit for the interface in bytes rx rate integer default 0 maximum data rate for receiving data e 0 no limits tx rate integer default 0 maximum data rate for transmitting data Other
15. Ping uses Internet Control Message Protocol ICMP Echo messages to determine if a remote host is active or inactive and to determine the round trip delay when communicating with it Specifications Packages required system License required level Home menu level tool mac server ping Standards and Technologies ICMP Hardware usage Not significant Related Documents Software Package Management Description Ping sends ICMP echo ICMP type 8 message to the host and waits for the ICMP echo reply ICMP type 0 from that host The interval between these events is called round trip If the response that is called pong has not come until the end of the interval we assume it has timed out The second significant parameter reported is ttl Time to Live Is is decremented at each machine in Other trademarks and registred trademarks mentioned herein are properties of their respective owners which the packet is processed The packet will reach its destination only when the ttl is greater than the number of routers between the source and the destination The Ping Command Command name ping Property Description arp interface name ping using ARP requests on this interface instead of ICMP requests UP address MAC address IP or MAC address for destination host count integer default 0 how many times ICMP packets will be sent e 0 Ping continues till Ctrl C is pressed do not fragment if added packets will not
16. Scripting Host Document revision 2 7 Thu Sep 22 13 33 55 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Console Command Syntax Description Notes Example Expression Grouping Description Notes Example Variables Description Notes Example Command Substitution and Return Values Description Example Operators Description Command Description Notes Example Data types Description Command Reference Description Command Description Special Commands Description Notes Example Additional Features Description Script Repository Description Property Description Command Description Notes Example Other trademarks and registred trademarks mentioned herein are properties of their respective owners Task Management Description Property Description Example Script Editor Description Command Description Notes Example General Information Summary This manual provides introduction to OSB built in powerful scripting language Scripting host provides a way to automate some router maintenance tasks by means of executing user defined scripts bounded to some event occurence A script consists of configuration commands and expressions ICE internal console expression The configuration commands are standard OSB commands e g ip firewall filter add chain forward protocol gre action drop that are described in the relevant manuals while expre
17. admin Lobo924 system script gt scheduler admin Lobo924 system scheduler gt add name x up start time 00 00 00 interval 24h on event enable x admin Lobo924 system scheduler gt add name x down start time 12 00 00 interval 24h on event disable x admin Lobo924 system scheduler gt add name x start time 00 00 00 interval l1h on event log x admin Lobo924 system scheduler gt print Flags X disabled NAME ON EVENT START DATE START TIME INTERVAL RUN COUNT 0 x up enable x oct 30 2008 00 00 00 ld 0 1 x down disab oct 30 2008 12 00 00 ld 0 2 x log x oct 30 2008 00 00 00 1h 0 admin Lobo924 system scheduler gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners Traffic Monitor Document revision 1 Thu Jul 07 08 34 34 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Traffic Monitor Description Property Description Example General Information Summary Traffic monitor executes scripts on a specific datarate throough an interface Specifications Packages required advanced tools License required levell Home menu level tool traffic monitor Standards and Technologies none Hardware usage Not significant Related Documents e Software Package Management Scripting Host Traffic Monitor Home menu level
18. contains some examples a E 64kb s 1562 Example To enable the OSPF protocol redisrtibute routes to the connected networks as typel metrics with the cost of 1 you need do the following admin Lobo924 routing ospf gt set redistribute connected as type 1 metric connected 1 admin Lobo924 routing ospf gt print router id 0 0 0 0 distribute default never redistribute connected as type 1 redistribute static no redistribute rip no redistribute bgp no metric default 1 metric connected 1 metric static 20 metric rip 20 metric bgp 20 admin Lobo924 routing ospf gt Areas Home menu level routing ospf area Description OSPF allows collections of routers to be grouped together Such group is called an area Each area runs a separate copy of the basic link state routing algorithm This means that each area has its own link state database and corresponding graph The structure of an area is invisible from the outside of the area This isolation of knowledge enables the protocol to effect a marked reduction in routing traffic as compared to treating the entire Autonomous System as a single link state domain 60 80 routers have to be the maximum in one area Property Description area id IP address default 0 0 0 0 OSPF area identifier Default area id 0 0 0 0 is the backbone area The OSPF backbone always contains all area border routers The backbone is responsible for distributing routing in
19. encoding text encryption and encoding if asymmetric separated with being used in this Other trademarks and registred trademarks mentioned herein are properties of their respective owners connection uptime time connection time displayed in days hours minutes and seconds service name text name of the service the client is connected to ac name text name of the AC the client is connected to ac mac MAC address MAC address of the access concentrator AC the client is connected to Example To monitor the pppoe out1 connection admin Lobo924 interface pppoe client gt monitor pppoe outl status connected uptime 10s encoding none service name testSN ac name 10 0 0 1 ac mac 00 C0O DF 07 5E E6 admin Lobo924 interface pppoe client gt PPPoE Server Setup Access Concentrator Home menu level interface pppoe server server Description The PPPoE server access concentrator supports multiple servers for each interface with differing service names Currently the throughput of the PPPoE server has been tested to 160 Mb s on a Celeron 600 CPU Using higher speed CPUs throughput should increase proportionately The access concentrator name and PPPoE service name are used by clients to identity the access concentrator to register with The access concentrator name is the same as the identity of the router displayed before the command prompt The identity may be set w
20. 10 0 103 1 pong ttl 255 time 3 ms ping interrupted 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 3 3 0 3 ms Test the connection through the PPTP tunnel to the LocalHomeOffice interface admin RemoteOffice gt ping 10 150 2 254 10 150 2 254 pong ttl 255 time 3 ms 10 150 2 254 pong ttl 255 time 3 ms 10 150 2 254 pong ttl 255 time 3 ms ping interrupted 3 packets transmitted 3 packets received 0 packet loss Other trademarks and registred trademarks mentioned herein are properties of their respective owners round trip min avg max 3 3 0 3 ms To bridge a LAN over this secure tunnel please see the example in the EoIP section of the manual To set the maximum speed for traffic over this tunnel please consult the Queues section Connecting a Remote Client via PPTP Tunnel The following example shows how to connect a computer to a remote office network over PPTP encrypted tunnel giving that computer an IP address from the same network as the remote office has without need of bridging over EoIP tunnels Please consult the respective manual on how to set up a PPTP client with the software You are using The router in this example RemoteOffice Interface ToInternet 192 168 81 1 24 Interface Office 10 150 1 254 24 The client computer can access the router through the Internet On the PPTP server a user must be set up for the client admin RemoteOffice ppp secret gt a
21. 9Mbps 27 12Mbps 27 18Mbps 27 24Mbps 27 36Mbps 26 48Mbps 25 54Mbps 24 interface wireless gt The ess stands for Extended Service Set IEEE 802 11 wireless networking Nstreme Settings Home menu level Ainterface wireless nstreme Description You can switch a wireless card to the nstreme mode In that case the card will work only with nstreme clients Property Description enable nstreme yes no default no whether to switch the card into the nstreme mode enable polling yes no default yes whether to use polling for clients framer limit integer default 3200 maximal frame size framer policy none best fit exact size dynamic size default none the method how to combine frames like fast frames setting in interface configuration A number of frames may be combined into a bigger one to reduce the amount of protocol overhead and thus increase speed The card is not waiting for frames but in case a number of packets are queued for transmitting they can be combined There are several methods of framing e none do nothing special do not combine packets best fit put as much packets as possible in one frame until the framer limit limit is met but do not fragment packets e exact size put as much packets as possible in one frame until the framer limit limit is met even if fragmentation will be needed best performance Other trademarks and registred trademarks mentioned herein are p
22. HTTP level Walled Garden Description Property Description Notes Example IP level Walled Garden Description Property Description Example One to one NAT static address bindings Other trademarks and registred trademarks mentioned herein are properties of their respective owners Description Property Description Notes Active Host List Description Property Description Command Description Service Port Description Property Description Example Customizing HotSpot Firewall Section Description Customizing HotSpot HTTP Servlet Pages Description Notes Example Possible Error Messages Description HotSpot How to s Description General Information Summary The Lobo HotSpot Gateway enables providing of public network access for clients using wireless or wired network connections HotSpot Gateway features e authentication of clients using local client database or RADIUS server e accounting using local database or RADIUS server e Walled garden system accessing some web pages without authorization Quick Setup Guide The most noticeable difference in user experience setting up HotSpot system in version 2 9 from the previous OSB versions is that it has become in order of magnitude easier to set up a correctly working HotSpot system Given a router with two interfaces Local where HotSpot clients are connected to and Public which is connected to the Internet To set up HotSpot on the Local interface 1 first a vali
23. IP address IP address specifies the address range an IP packet is originated from Note that console converts entered address netmask value to a valid network address i e 1 1 1 1 24 is converted to 1 1 1 0 24 src address list name matches source address of a packet against user defined address list src address type unicast local broadcast multicast matches source address type of the IP packet one of the e unicast IP addresses used for one point to another point transmission There is only one sender and one receiver in this case e local matches addresses assigned to router s interfaces e broadcast the IP packet is sent from one point to all other points in the IP subnetwork e multicast this type of IP addressing is responsible for transmission from one or more points to a set of other points src mac address MAC address source MAC address src port integer 0 65535 integer 0 65535 source port number or range tcp flags multiple choice ack cwr ece fin psh rst syn urg tcp flags to match e ack acknowledging data e cwr congestion window reduced e ece ECN echo flag explicit congestion notification e fin close connection e psh push function e rst drop connection e syn new connection e urg urgent data tcep mss integer 0 65535 matches TCP MSS value of an IP packet time time time sat fri thu wed tue mon sun allows to create filter
24. Notes RADIUS user database is consulted only if the required username is not found in local user database Example To enable RADIUS AAA admin Lobo924 ppp aaa gt set use radius yes admin Lobo924 ppp aaa gt print use radius yes accounting yes interim update Os admin Lobo924 ppp aaa gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners RADIUS client Document revision 0 4 Mon Aug 01 07 32 30 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Description RADIUS Client Setup Description Property Description Notes Example Suggested RADIUS Servers Description Supported RADIUS Attributes Description Troubleshooting Description General Information Summary This document provides information about OSB built in RADIUS client configuration supported RADIUS attributes and recommendations on RADIUS server selection Specifications Packages required system License required level Home menu level radius Standards and Technologies RADIUS Related Documents HotSpot User AAA e Router User AAA PPP User AAA e Software Package Management IP Addresses and ARP Other trademarks and registred trademarks mentioned herein are properties of their respective owners Description RADIUS short for Remote Authentication Dial In User Service is a remote server
25. Other trademarks and registred trademarks mentioned herein are properties of their respective owners Description IP pools simply group IP addresses for further usage It is a single configuration point for all features that assign IP addresses to clients Notes Whenever possible the same ip address is given out to each client OWNER INFO pair Setup Home menu level ip pool Property Description name name the name of the pool next pool name when address is acquired from pool that has no free addresses and next pool property is set to another pool then next IP address will be acquired from next pool ranges JP address IP address list of non overlapping IP address ranges in form of from1 tol from2 to2 fromN toN For example 10 0 0 1 10 0 0 27 10 0 0 32 10 0 0 47 Example To define a pool named ip pool with the 10 0 0 1 10 0 0 125 address range excluding gateway s address 10 0 0 1 and server s address 10 0 0 100 and the other pool dhcp pool with the 10 0 0 200 10 0 0 250 address range admin Lobo924 ip pool gt add name ip pool ranges 10 0 0 2 10 0 0 99 10 0 0 101 10 0 0 126 admin Lobo924 ip pool gt add name dhcp pool ranges 10 0 0 200 10 0 0 250 admin Lobo924 ip pool gt print NAME RANGES 0 ip pool 10 0 0 2 10 0 0 99 10 0 0 101 10 0 0 126 1 dhcp pool 10 0 0 200 10 0 0 250 admin Lobo924 ip pool gt Used Addresses from Pool Home menu level ip pool used Description Here yo
26. dh group multiple choice modp768 modp1024 modp1536 default esp Diffie Hellman MODP group cipher strength enc algorithm multiple choice des 3des aes 128 aes 192 aes 256 default 3des encryption algorithm Algorithms are named in strength increasing order exchange mode multiple choice main aggressive base default main different ISAKMP phase 1 exchange modes according to RFC 2408 DO not use other modes then main unless you know what you are doing generate policy yes no default no allow this peer to establish SA for non existing policies Such policies are created dynamically for the lifetime of SA This way it is possible for example to create IPsec secured L2TP tunnels or any other setup where remote peer s IP address is not known at configuration time Other trademarks and registred trademarks mentioned herein are properties of their respective owners hash algorithm multiple choice md5 sha default md5 hashing algorithm SHA Secure Hash Algorithm is stronger but slower lifebytes integer default 0 phase 1 lifetime specifies how much bytes can be transferred before SA is discarded e 0 SA expiration will not be due to byte count excess lifetime time default 1d phase 1 lifetime specifies how long the SA will be valid SA will be discarded after this time proposal check multiple choice claim exact obey strict default strict phase 2 lifetime check logic e
27. gt ping 66 102 11 104 The DNS name www google lv changed to IP address 66 102 11 104 Ping using arp requests To ping a host in our local network using ARP requests instead of ICMP ping 10 5 8 130 arp interface local 10 5 8 130 with hw addr 00 30 4F 14 AB 58 ping time 1 ms 10 5 8 130 with hw addr 00 30 4F 14 AB 58 ping time 1 ms 10 5 8 130 with hw addr 00 30 4F 14 AB 58 ping time 1 ms 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 1 1 0 1 ms admin Lobo924 gt MAC Ping Server Home menu level tool mac server ping Property Description enabled yes no default yes whether MAC pings to this router are allowed Example To disable MAC pings admin Lobo924 tool mac server ping gt set enabled no admin Lobo924 tool mac server ping gt print enabled no admin Lobo924 tool mac server ping gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners Torch Realtime Traffic Monitor Document revision 1 8 Fri Nov 05 12 25 04 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Summary Specifications Related Documents Description The Torch Command Property Description Notes Example General Information Summary Realtime traffic monitor may be used to monitor the traffic flow through an interface Specifications Packages required system Lice
28. matches packets received from clients against various Hot Spot All values can be negated Other trademarks and registred trademarks mentioned herein are properties of their respective owners e from client true if a packet comes from HotSpot client e auth true if a packet comes from authenticted client e local dst true if a packet has local destination IP address icmp options integer integer matches ICMP Type Code fields in interface name interface the packet has entered the router through ipv4 options any loose source routing no record route no router alert no source routing no timestamp none record route router alert strict source routing timestamp match ipv4 header options e any match packet with at least one of the ipv4 options e loose source routing match packets with loose source routing option This option is used to route the internet datagram based on information supplied by the source no record route match packets with no record route option This option is used to route the internet datagram based on information supplied by the source no router alert match packets with no router alter option no source routing match packets with no source routing option no timestamp match packets with no timestamp option record route match packets with record route option router alert match packets with router alter option strict source routing match packets with strict sou
29. use only antenna b e rxa txb use antenna a for receiving packets use antenna b for transmitting packets e txa rxb use antenna a for transmitting packets antenna b for receiving packets area text default a string value which is used to describe an access point It is a value by which a station chooses whether to connect to it or not using area prefix parameter from connect list arp disabled enabled proxy arp reply only default enabled Address Resolution Protocol setting band operating band 2 4ghz b IEEE 802 11b 2 4ghz b g IEEE 802 11g supports also IEEE 802 11b 2 4ghz g turbo IEEE 802 11g up to 108 Mbit e 2 4ghz onlyg only IEEE 802 11g e 5ghz IEEE 802 11a up to 54 Mbit e 5ghz turbo IEEE 802 11a up to 1O8Mbit basic rates a g multiple choice 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps default 6Mbps basic rates in 802 11a or 802 11g standard this should be the minimal speed all the wireless network nodes support It is recommended to leave this as default basic rates b multiple choice 1Mbps 2Mbps 5 5Mbps 11Mbps default 1Mbps basic rates in 802 11b mode this should be the minimal speed all the wireless network nodes support It is recommended to leave this as default burst time time default disabled time in microseconds which will be used to send data without stopping Note that other wireless cards in that network will not be able to transm
30. ADDRESS INTERFACE O D 2 25252 00 30 4F 1B B3 D9 ether2 Other trademarks and registred trademarks mentioned herein are properties of their respective owners 1D 10 5 7 242 00 A0 24 9D 52 A4 etherl 2 1041010 10 06 21 00 56 00 12 ether2 admin Lobo924 ip arp gt If static arp entries are used for network security on an interface you should set arp to reply only on that interface Do it under the relevant interface menu admin Lobo924 ip arp gt interfac thernet set ether2 arp reply only admin Lobo924 ip arp gt print Flags X disabled I invalid H DHCP D dynamic ADDRESS MAC ADDRESS INTERFACE 0 D 10 5 7 242 00 A0 24 9D 52 A4 etherl 1 10 10 10 10 06 21 00 56 00 12 ether2 admin Lobo924 ip arp gt Proxy ARP feature Description A router with properly configured proxy ARP feature acts like a transparent ARP proxy between directly connected networks Consider the following network diagram Suppose the host A needs to communicate to host C To do this it needs to know host s C MAC address As shown on the diagram above host A has 24 network mask That makes host A to believe that it is directly connected to the whole 192 168 0 0 24 network When a computer needs to communicate to another one on a directly connected network it sends a broadcast ARP request Therefore host A sends a broadcast ARP request for the host C MAC address Broadcast ARP requests are sent to th
31. All rates should be numbers with optional k 1 000s or M 1 000 000s If tx rate is not specified rx rate is as tx rate too Same goes for tx burst rate and tx burst threshold and tx burst time If both rx burst threshold and tx burst threshold are not specified but burst rate is specified rx rate and tx rate is used as burst thresholds If both rx burst time and tx burst time are not specified 1s is used as default smtp server IP address default 0 0 0 0 default SMTP server to be used to redirect unconditionally all user SMTP requests to split user domain yes no default no whether to split username from domain name when the username is given in user domain or in domain user format ssl certificate name none default none name of the SSL certificate to use for HTTPS Other trademarks and registred trademarks mentioned herein are properties of their respective owners authentication Not used for other authentication methods use radius yes no default no whether to use RADIUS to authenticate HotSpot users Notes If dns name property is not specified hotspot address is used instead If hotspot address is also absent then both are to be detected automatically In order to use RADIUS authentication the radius menu must be set up accordingly Example HotSpot User Profiles Home menu level ip hotspot user profile Description Article moved to HotSpot AAA section HotSpot Users Home menu leve
32. Flags X disabled R running 0O R name to_mt2 mtu 1500 arp enabled remote address 10 5 8 1 tunnel id 1 admin Lobo924 interface eoip gt EolIP Application Example Description Let us assume we want to bridge two networks Office LAN and Remote LAN The networks are connected to an IP network through the routers Our_GW and Remote The IP network can be a private intranet or the Internet Both routers can communicate with each other through the IP network Example Other trademarks and registred trademarks mentioned herein are properties of their respective owners Our goal is to create a secure channel between the routers and bridge both networks through it The network setup diagram is as follows IP Metwark Remote our S 192 168 2 1 192 168 1 1 FPTP Tunnel Remote Office LAN LAN To make a secure Ethernet bridge between two routers you should 1 Create a PPTP tunnel between them Our_GW will be the pptp server admin Our_GW interface pptp server gt ppp secret add name joe service pptp password top_s3 local address 10 0 0 1 remote address 10 0 0 2 admin Our_GW interface pptp server gt add name from_remote user jo admin Our_GW interface pptp server gt server set enable yes admin Our_GW interface pptp server gt print Flags X disabled D dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME ENC 0 from_remote joe admin Our_GW interface pptp server gt
33. Lobo OSB has very powerful firewall implementation with features including e stateful packet filtering e peer to peer protocols filtering e traffic classification by e source MAC address IP addresses network or list and address types broadcast local multicast unicast port or port range e IP protocols e protocol options ICMP type and code fields TCP flags IP options and MSS e interface the packet arrived from or left through e internal flow and connection marks e ToS DSCP byte e packet content e rate at which packets arrive and sequence numbers e packet size Other trademarks and registred trademarks mentioned herein are properties of their respective owners e packet arrival time and much more General Filtering Principles The firewall operates by means of firewall rules A rule is a definitive form expression that tells the router what to do with a particular IP packet Each rule consists of two parts that are the matcher which matches traffic flow against given conditions and the action which defines what to do with the mathched packets Rules are organized in chains for better management The filter facility has three default chains input forward and output that are responsible for traffic coming from throurh and to the router respectively New user defined chains can be added as necessary Since these chains have no default traffic to match rules with action jump and relevant jump target should be add
34. MAC address client s MAC address uptime read only time how long the client is connected to the server Example To see active MAC Telnet sessions admin Lobo924 tool mac server sessions gt print INTERFACE SRC ADDRESS UPTIME 0 wlanl 00 0B 6B 31 08 22 00 03 01 admin Lobo924 tool mac server sessions gt MAC Telnet Client Command name tool mac telnet MAC address Example admin Lobo924 gt tool mac telnet 00 02 6F 06 59 42 Login admin Password Trying 00 02 6F 06 59 42 Connected to 00 02 6F 06 59 42 Terminal linux detected using multiline input mode admin Lobo924 gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners SSH Secure Shell Server and Client Document revision 2 0 Fri Mar 05 09 09 40 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Additional Documents SSH Server Description Property Description Example SSH Client Property Description Example General Information Summary SSH Client authenticates server and encrypts traffic between the client and server You can use SSH just the same way as telnet you run the client tell it where you want to connect to give your username and password and everything is the same after that After that you won t be able to tell that you re using SSH The SSH feature can b
35. Notes Example Running Packet Sniffer Description Example Sniffed Packets Description Property Description Example Packet Sniffer Protocols Description Property Description Example Packet Sniffer Host Description Property Description Example Packet Sniffer Connections Description Property Description Example Sniff MAC Address General Information Summary Packet sniffer is a feature that catches all the data travelling over the network that it is able to get when using switched network a computer may catch only the data addressed to it or is forwarded through it Specifications Other trademarks and registred trademarks mentioned herein are properties of their respective owners Packages required system License required level Home menu level tool sniffer Standards and Technologies none Hardware usage Not significant Related Documents Software Package Management Description It allows you to sniff packets going through the router and any other traffic that gets to the router when there is no switching in the network and view them using specific software Packet Sniffer Configuration Home menu level tool sniffer Property Description interface name all default all the name of the interface that receives the packets only headers yes no default no whether to save in the memory packets headers only not the whole packet memory limit integer default 10 maximum
36. Provides load balancing and fault tolerance e balance tlb Outgoing traffic is distributed according to the current load on each slave Incoming traffic is received by the current slave If receiving slave fails then another slave takes the MAC address of the failed slave Doesn t require any special switch support e balance xor Use XOR policy for transmit Provides only failover in very good quality but not load balancing yet e broadcast Broadcasts the same data on all interfaces at once This provides fault tolerance but slows down traffic throughput on some slow machines name name descriptive name of bonding interface primary name default none Interface is used as primary output media If primary interface fails only then others slaves will be used This value works only with mode active backup slaves name at least two ethernet like interfaces separated by a comma which will be used for bonding up delay time default 00 00 00 if a link has been brought up bonding interface is disabled for up delay time and after this time it is enabled Value should be a multiple of mii interval Notes Link failure detection and failover is working significantly better with expensive network cards for example made by Intel then with more cheap ones For example on Intel cards failover is taking place in less than a second after link loss while on some other cards it may require up to 20 seconds Also the Active load
37. Sa src address 1 0 0 2 sa dst address 1 0 0 1 admin Router2 gt ip ipsec peer add address 1 0 0 1 exchange mode aggressive secret gvejimezyfopmekun Lobo router to CISCO Router Baseband Modem Baseband Modem V 35 V 35 10 0 1 1 10 0 0 18 net sy sync 10 0 1 2 ethart ether 10 0 2 254 10 0 0 0 24 10 0 2 0 24 We will configure IPsec in tunnel mode in order to protect traffic between attached subnets 1 Add peer with phasel configuration parameters DES and SHA1 will be used to protect IKE traffic e for Lobo router admin Lobo924 gt ip ipsec peer add address 10 0 1 2 secret gvejimezyfopmekun enc algorithm des for CISCO router Other trademarks and registred trademarks mentioned herein are properties of their respective owners Configure ISAKMP policy phasel config must match configuration of ip ipsec peer on OSB Note that DES is default encryption algorithm on Cisco SHAl is default authentication algorithm crypto isakmp policy 9 encryption des authentication pre share group 2 hash md5 exit Add preshared key to be used when talking to OSB crypto isakmp key gvejimezyfopmekun address 10 0 1 1 255 255 255 255 2 Set encryption proposal phase2 proposal settings that will be used to encrypt actual data to use DES to encrypt data for Lobo router admin Lobo924 gt ip ipsec proposal set default enc algorithms des e for
38. This situation imposes some tradeoffs exempli gratia the path with the lowest delay may be among the ones with the smallest throughput Therefore the optimal path for a packet to follow through the Internet may depend on the needs of the application and its user As the network itself has no knowledge on how to optimize path choosing for a particular application or user the IP protocol provides a method for upper layer protocols to convey hints to the Internet Layer about how the tradeoffs should be made for the particular packet This method is implemented with the help of a special field in the IP protocol header the Type of Service field The fundamental rule is that if a host makes appropriate use of the TOS facility its network service should be at least as good as it would have been if the host had not used this facility Type of Service ToS is a standard field of IP packet and it is used by many network applications and hardware to specify how the traffic should be treated by the gateway Lobo OSB works with the full ToS byte It does not take account of reserverd bits in this byte because they have been redefined many times and this approach provides more flexibility It means that it is possible to work with DiffServ marks Differentiated Services Codepoint DSCP as defined in RFC2474 and ECN codepoints Explicit Congestion Notification ECN as defined in RFC3168 which are using the same field in the IP protocol header Note
39. When the link comes up again the interface value will not change it will remain as unknown That s why it is not recommended to add IP addresses to dynamic WDS interfaces If you want to use dynamic WDS in a bridge set the wds default bridge value to desired bridge interface name When the link will go down and then it comes up the dynamic WDS interface will be put in the specified bridge automatically As the routers which are in WDS mode have to communicate at equal frequencies it is not recommended to use WDS and DFS simultaneously it is most probable that these routers will not connect to each other WDS significantly faster than EoIP up to 10 20 so it is recommended to use WDS whenever possible Example admin Lobo924 interface wireless wds gt add master interface wlanl wds address 00 0B 6B 30 2B 27 disabled no admin Lobo924 interface wireless wds gt print Flags X disabled R running D dynamic 0O R name wdsi mtu 1500 mac address 00 0B 6B 30 2B 23 arp enabled disable running check no master inteface wlanl wds address 00 0B 6B 30 2B 27 admin Lobo924 interface wireless wds gt Align Home menu level Ainterface wireless align Description This feature is created to position wireless links The align submenu describes properties which are used if interface wireless mode is set to alignment only In this mode the interface listens to those packets which are sent to it from other device
40. characters and match any one character Regular expressions are also accepted here but if the property should be treated as a regular expression it should start with a colon Small hits in using regular expressions e symbol sequence is used to enter character in console e pattern means only in regular expressions single dot in pattern means any symbol e to show that no symbols are allowed before the given pattern we use symbol at the beginning of the pattern e to specify that no symbols are allowed after the given pattern we use symbol at the end of the pattern You can not use path property for HTTPS requests as router can not and should not that is what the HTTPS protocol was made for decrypt the request Example To allow unauthorized requests to the www example com domain s paynow html page admin Lobo924 ip hotspot walled garden gt add path paynow html dst host www example com admin Lobo924 ip hotspot walled garden gt print Flags X disabled D dynamic 0 dst host www example com path paynow html action allow admin Lobo924 ip hotspot walled garden gt IP level Walled Garden Home menu level ip hotspot walled garden ip Description This menu is manages Walled Garden for generic IP requests See the previous section for managing HTTP and HTTPS protocol specific properties like the actual DNS name HTTP method and path used in requests Property
41. do not check this property packet marks name default packet mark to match from ip firewall mangle More packet marks are separated by a comma parent name name of the parent queue in the hierarchy Can be only other simple queue priority integer 1 8 priority of the queue is the highest 8 the lowest queue name name default default default name of the queue from queue type in form of in out target addresses JP address netmask limitation target IP addresses source addresses To use multiple addresses separate they with comma time time time sat fri thu wed tue mon sun default at which time and day of week to allow this queue total burst limit integer burst limit for global total queue total burst threshold integer burst threshold for global total queue total burst time time burst time for global total queue total limit at integer limit at for global total queue limits upload download to total limit at bps total max limit integer max limit for global total queue limits upload download to total max limit bps total queue name queuing discipline to use for global total queue Queue Trees Home menu level queue tree Description The queue trees should be used when you want to use sophisticated data rate allocation based on protocols ports groups of IP addresses etc At first you have to mark packet flows with a mark under ip f
42. frequency 5805 band 5ghz mode bridge disabled no The remote interface should be configured to station as showed below To make the wireless interface as a wireless station working in 802 11a standard and Service Set Identifier p2p interface wireless set wlanl ssid p2p band 5ghz mode station disabled no Specifications Packages required wireless License required level4 station and bridge mode level5 station bridge and AP mode levelfreq more frequencies Home menu level interface wireless Standards and Technologies JEEE802 11la IEEE802 11b TEEE802 11g Hardware usage Not significant Related Documents Software Package Management Device Driver List IP Addresses and ARP Description The Atheros card has been tested for distances up to 20 km providing connection speed up to 17Mbit s With appropriate antennas and cabling the maximum distance should be as far as 50 km These values of ack timeout were approximated from the tests done by us as well as by some of our customers Other trademarks and registred trademarks mentioned herein are properties of their respective owners default Please note that these are not the precise values Depending on hardware used and many other factors they may vary up to 15 microseconds You can also use dynamic ack timeout value the router will determine ack timeout setting automatically by sending periodically packets with a different a
43. measured in kilobytes file name text default name of the file where to save packets in PCAP format If file name is not defined packets are not saved into a file memory limit integer default 1000 how much memory to use in kilobytes for sniffed packets multiple channels yes no default no whether to sniff multiple channels or a single channel e no wireless sniffer sniffs only one channel in frequency that is configured in interface wireless e yes sniff in all channels that are listed in the scan list in interface wireless only headers yes no default no sniff only wireless packet heders receive errors yes no default no whether to receive packets with CRC errors streaming enabled yes no default no whether to send packets to server in TZSP format streaming max rate integer default 0 how many packets per second the router will accept e 0 no packet per second limitation streaming server IP address default 0 0 0 0 streaming server s IP address Sniffer Sniff Home menu level interface wireless sniffer sniff Description Wireless Sniffer Sniffs packets Property Description file over limit packets read only integer how many packets are dropped because of exceeding file limit file saved packets read only integer number of packets saved to file file size read only integer current file size kB memory over limit packets read only integer number of pa
44. name default none the default bridge for WDS interface If you use dynamic WDS then it is very useful in cases when wds connection is reset the newly created dynamic WDS interface will be put in this bridge wds ignore ssid yes no default no if set to yes the AP will create WDS links with any other AP in this frequency If set to no the ssid values must match on both APs wds mode disabled dynamic static WDS mode e disabled WDS interfaces are disabled e dynamic WDS interfaces are created on the fly e static WDS interfaces are created manually Notes It is strongly suggested to leave basic rates at the lowest setting possible Other trademarks and registred trademarks mentioned herein are properties of their respective owners Using compression the AP can serve approximately 50 clients with compression enabled If disable running check value is set to no the router determines whether the network interface is up and running in order to show flag R for AP one or more clients have to be registered to it for station it should be connected to an AP If the interface does not appear as running R its route in the routing table is shown as invalid If set to yes the interface will always be shown as running The tx power default setting is the maximum tx power that the card can use If you want to use larger tx rates you are able to set them but do it at your own risk Usually you can use this par
45. name can have suffix in or out that will install rule only for incoming or outgoing traffic Multiple Filter id can be provided but only last ones for incoming and outgoing is used For PPPs filter rules in ppp chain that will jump to the specified chain if a packet has come to from the client that means that you should first create a ppp chain and make jump rules that would put actual traffic to this chain The same applies for HotSpot but the rules will be created in hotspot chain Other trademarks and registred trademarks mentioned herein are properties of their respective owners e Mark Id firewall mangle chain name HotSpot only The Lobo RADIUS client upon receiving this attribute creates a dynamic firewall mangle rule with action jump chain hotspot and jump target equal to the atribute value Mangle chain name can have suffixes in or out that will install rule only for incoming or outgoing traffic Multiple Mark id attributes can be provided but only last ones for incoming and outgoing is used e Acct Interim Interval interim update for RADIUS client if 0 uses the one specified in RADIUS client e MS MPPE Encryption Policy require encryption property PPPs only e MS MPPE Encryption Types use encryption property non zero value means to use encryption PPPs only e Ascend Data Rate tx rx data rate limitation if multiple attributes are provided first limits tx data rate second rx data rate If used together with As
46. rx rate is as tx rate too Same goes for tx burst rate and tx burst threshold and tx burst time If both rx burst threshold and tx burst threshold are not specified but burst rate is specified rx rate and tx rate is used as burst thresholds If both rx burst time and tx burst time are not specified 1s is used as default e Group Router local user group name defines in user group for local users HotSpot default profile for HotSpot users e Advertise URL URL of the page with advertisements that should be displayed to clients If this attribute is specified advertisements are enabled automatically including transparent proxy even if they were explicitly disabled in the corresponding user profile Multiple attribute instances may be send by RADIUS server to specify additional URLs which are choosen in round robin fashion e Advertise Interval Time interval between two adjacent advertisements Multiple attribute Other trademarks and registred trademarks mentioned herein are properties of their respective owners instances may be send by RADIUS server to specify additional intervals All interval values are threated as a list and are taken one by one for each successful advertisement If end of list is reached the last value is continued to be used Note that the received attributes override the default ones set in the default profile but if an attribute is not received from RADIUS server the default one is to be used Here ar
47. wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both admin Nstreme Client interface wireless gt nstreme admin Nstreme Client interface wireless nstreme gt set wlanl enable nstreme yes admin Nstreme Client interface wireless nstreme gt print 0 name wlanl enable nstreme yes enable polling yes framer policy non framer limit 3200 admin Nstreme Client interface wireless nstreme gt And monitor the link admin Nstreme Client interface wireless gt monitor wlanl status connected to ess band 5ghz frequency 5805MHz tx rate 24Mbps rx rate 18Mbps ssid nstreme bssid 00 0C 42 05 00 22 radio name 000C42050022 signal strength 70dBm tx signal strength 68dBm tx ccq 0 rx ccq 3 wds link no nstreme yes polling yes framing mode none routeros version 2 9rc2 current tx powers 1Mbps 11 2Mbps 11 5 5Mbps 11 11Mbps 11 6Mbps 28 9Mbps 28 12Mbps 28 18Mbps 28 24Mbps 28 36Mbps 25 48Mbps 23 54Mbps 22 Q quit D dump C z pause admin Nstreme Client interface wireless gt Dual Nstreme Other trademarks and registred trademarks mentioned herein are
48. 0 0 0 Usually that is the default route It is substituted as first argument to ip route set command which changes gateway of this route to 10 0 0 217 The script gw_1 is executed once when status of host becomes down It does the following admin Lobo924 gt ip route set ip route find dst 0 0 0 0 gateway 10 0 0 1 It changes the default gateway if 10 0 0 217 address has become unreachable Here is another example that sends e mail notification whenever the 10 0 0 215 host goes down admin Lobo924 system script gt add name e down source tool e mail send from rieks mt lv server 159 148 147 198 body Router down subject Router at second floor is down to rieks latnet lv admin Lobo924 system script gt add name e up source tool e mail send from rieks mt lv server 159 148 147 198 body Router up Ssubject Router at second floor is up to rieks latnet 1lv admin Lobo924 system script gt admin Lobo924 system script gt tool netwatch admin Lobo924 system netwatch gt add host 10 0 0 215 timeout 999ms interval 20s up script e up down script e down admin Lobo924 tool netwatch gt print detail Flags X disabled 0 host 10 0 0 215 timeout 998ms interval 20s since feb 27 2003 14 15 36 status up up script up down script e down fadmin Lobo924 tool netwatch gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners
49. 0 24 right 192 168 0 155 rightsubnet 10 0 0 0 24 authby secret pfs no auto add e ipsec secrets config file 192 168 0 108 192 168 0 155 PSK gvejimezyfopmekun e Lobo Router configuration admin Lobo924 gt ip ipsec peer add address 192 168 0 108 secret gvejimezyfopmekun hash algorithm md5 enc algorithm 3des dh group modp1024 lifetime 28800s admin Lobo924 gt ip ipsec proposal auth algorithms md5 enc algorithms 3des pfs group non admin Lobo924 gt ip ipsec policy add sa src address 192 168 0 155 sa dst address 192 168 0 108 src address 10 0 0 0 24 dst address 192 168 87 0 24 tunnel yes Other trademarks and registred trademarks mentioned herein are properties of their respective owners IPIP Tunnel Interfaces Document revision 1 1 Fri Mar 05 08 25 43 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Summary Quick Setup Guide Specifications Related Documents Additional Documents IPIP Setup Description Property Description Notes Description General Information Summary The IPIP tunneling implementation on the Lobo OSB is RFC 2003 compliant IPIP tunnel is a simple protocol that encapsulates IP packets in IP to make a tunnel between two routers The IPIP tunnel interface appears as an interface under the interface list Many routers including Cisco and Linux based support this protocol
50. 1 0 admin Lobo924 queue simple gt print Flags X disabled I invalid D dynamic 0 name Server target addresses 192 168 0 1 32 dst address 0 0 0 0 0 interface Local parent none priority 8 queue default default limit at 0 0 max limit 0 0 total queue default 1 name Limit Local target addresses 192 168 0 0 24 dst address 0 0 0 0 0 interface Local parent none priority 8 queue default default limit at 0 0 max limit 65536 131072 total queue default admin Lobo924 queue simple gt Queue Tree Example With Masquerading In the previous example we dedicated 128Kib s download and 64Kib s upload traffic for the local network In this example we will guarantee 256Kib s download 128Kib s for the server 64Kib s for the Workstation and also 64Kib s for the Laptop and 128Kib s for upload 64 32 32Kib s respectivelly for local network devices Additionally if there is spare bandwidth share it among users equally For example if we turn off the laptop share its 64Kib s download and 32Kib s upload to the Server and Workstation When using masquerading you have to mark the outgoing connection with new connection mark and take the mark connection action When it is done you can mark all packets which belong to this connection with the new packet mark and use the mark packet action 1 At first mark the Server s download and upload traffic With the first rule we will mark the outgoing connection and with the second one
51. 1 1 0 28 Public2 2 ADC 192 168 0 0 24 Local 3 AS 0 0 0 0 0 10 12 0 1 Publicl r 10 1 1 1 Public2 r 110 1 1 1 Public2 admin ECMP Router ip route gt Standard Policy Based Routing with Failover This example will show how to route packets using an administrator defined policy The policy for this setup is the following route packets from the network 192 168 0 0 24 using gateway 10 0 0 1 and packets from network 192 168 1 0 24 using gateway 10 0 0 2 If GW_1 does not respond to pings use GW_Backup for network 192 168 0 0 24 if GW_2 does not respond to pings use GW_Backup also for network 192 168 1 0 24 instead of GW_2 The setup Configuration of the IP addresses admin PB Router ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 192 168 0 1 24 192 168 0 0 1 92 168 0 255 Locall 1 192 168 1 1 24 192 168 1 0 19237068 14255 Local2 2 10 0 0 7 24 10 0 0 0 10 0 0 255 Public admin PB Router ip address gt To achieve the described result follow these configuration steps 1 Mark packets from network 192 168 0 0 24 with a new routing mark net1 and packets from network 192 168 1 0 24 with a new routing mark net2 admin PB Router ip firewall mangle gt add src address 192 168 0 0 24 action mark routing new routing mark netl chain prerouting admin PB Router ip firewall mangle gt add src address 192 168 1 0 24 action mark routing ne
52. 10 10 2 24 interface test admin Lobo924 ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 201 24 10 0 0 0 10 0 0 255 etherl 1 10 10 10 2 24 10 10 10 0 10 10 10 255 test admin Lobo924 ip address gt If it set up correctly then it is possible to ping Router 2 from Router 1 and vice versa admin Lobo924 ip address gt ping 10 10 10 1 10 10 10 1 64 byte pong tt1l 255 time 3 ms 10 10 10 1 64 byte pong tt1l 255 time 4 ms 10 10 10 1 64 byte pong tt1l 255 time 10 ms 10 10 10 1 64 byte pong ttl 255 time 5 ms 4 packets transmitted 4 packets received 0 packet loss round trip min avg max 3 10 5 10 ms admin Lobo924 ip address gt ping 10 10 10 2 10 10 10 2 64 byte pong tt1l 255 time 10 ms 10 10 10 2 64 byte pong tt1l 255 time 11 ms 10 10 10 2 64 byte pong tt1l 255 time 10 ms 10 10 10 2 64 byte pong tt1l 255 time 13 ms 4 packets transmitted 4 packets received 0 packet loss round trip min avg max 10 11 13 ms admin Lobo924 ip address gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners Graphing Document revision 1 0 09 08 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Summary Specifications Description General Options Property Description Example Health Graphing Description Property Descr
53. 213 174 71 134 139ms 146ms 135ms 213 174 70 245 132ms 131ms 136ms 213 174 70 58 211ms 215ms 215ms 195 158 229 130 225ms 239ms Os 10 216 32 223 114 283ms 269ms 281ms 11 216 32 132 14 267ms 260ms 266ms 12 209 185 9 102 296ms 296ms 290ms 13 216 109 66 1 288ms 297ms 294ms 14 216 109 66 90 297ms 317ms 319ms 15 216 239 47 66 137ms 136ms 134ms 16 216 239 47 46 135ms 134ms 134ms 17 216 239 39 101 134ms 134ms 135ms admin Lobo924 tool gt ODANHDUOBWNHE Other trademarks and registred trademarks mentioned herein are properties of their respective owners Scheduler Document revision 0 9 Wed Nov 24 12 48 55 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Network Watching Tool Specifications Description Property Description Example General Information Summary System Scheduler executes scripts at designated time Specifications Packages required system License required levell Home menu level system scheduler Standards and Technologies None Hardware usage Not significant Related Documents e Package Management Scripting Examples Scripting Examples Network Watching Tool Specifications Packages required advanced tools License required levell Home menu level tool netwatch Standards and Technologies none Hardware usage Not significant Other trademarks and registred trademarks mentioned herein are properties of
54. CHAP by default and may use also PAP if unencrypted passwords are enabled it can not use MSCHAP Access Accept e Framed IP Address IP address given to client PPPs if address belongs to 127 0 0 0 8 or 224 0 0 0 3 networks IP pool is used from the default profile to allocate client IP address HotSpot used only for dhcp pool login method ignored for enabled address method if address is 255 255 255 254 IP pool is used from HotSpot settings if Framed IP Address is specified Framed Pool is ignored e Framed IP Netmask client netmask PPPs if specified a route will be created to the network Framed IP Address belongs to via the Framed IP Address gateway HotSpot ignored by HotSpot e Framed Pool IP pool name on the router from which to get IP address for the client If specified overrides Framed IP Address NOTE if Framed IP Address or Framed Pool is specified it overrides remote address in default configuration e Idle Timeout overrides idle timeout in the default configuration e Session Timeout overrides session timeout in the default configuration e Max Session Time maximum session length uptime the user is allowed to e Class cookie will be included in Accounting Request unchanged e Framed Route routes to add on the server Format is specified in RFC2865 Ch 5 22 can be specified as many times as needed e Filter Id firewall filter chain name It is used to make a dynamic firewall rule Firewall chain
55. Command Description unary minus Inverts given number value binary minus Substracts two numbers two time values two IP addresses or an IP address and a number logical NOT Unary operator which inverts given boolean value division Binary operator Divides one number by another gives number or a time value by a number gives time value concatenation Binary operator concatenates two string or append one list to another or appends an element to a list bitwise XOR The argumens and the result are both IP addresses bit inversion Unary operator which inverts bits in IP address multiplication Binary operator which can multiply two numbers or a time value by a number amp bitwise AND The argumens and the result are both IP addresses amp amp logical AND Binary operator The argumens and the result are both logical values binary plus Adds two numbers two time values or a number and an IP address lt less Binary operator which compares two numbers two time values or two IP addresses Returns boolean value Other trademarks and registred trademarks mentioned herein are properties of their respective owners lt lt left shift Binary operator which shifts IP address by a given amount of bits The first argument is an IP address the second is an integer and the result is an IP address lt less or equal Binary operator which compares two numbers two time values or t
56. Description action allow deny default allow action to undertake if a packet matches the rule e allow allow the access to the page without prior authorization e deny the authorization is required to access this page dst address JP address IP address of the destination web server Other trademarks and registred trademarks mentioned herein are properties of their respective owners dst host text default domain name of the destination web server this is not a regular expression or a wildcard of any kind The DNS name specified is resolved to a list of IP addresses when the rule is added and all those IP addresses are used dst port integer default the TCP or UDP port protocol MUST be specified explicitly in the protocol property a client has send the request to protocol integer ddp egp encap ggp gre hmp icmp idpr cmtp igmp ipencap ipip ipsec ah ipsec esp iso tp4 ospf pup rdp rspf st tcp udp vmtp xns idp xtp IP protocol name server name name of the HotSpot server this rule applied to src address JP address IP address of the user sending the request Example One to one NAT static address bindings Home menu level ip hotspot ip binding Description You can setup NAT translations statically based on either the original IP address or IP network or the original MAC address You can also allow some addresses to bypass HotSpot authenticati
57. HTTP and FTP firewall for example denying access to mp3 files or to redirect requests to external proxy transparently Setup Home menu level ip web proxy Property Description cache administrator text default webmaster administrator s e mail displayed on proxy error page cache drive system name default system specifies the target disk drive to be used for storing cached objects You can use shell expansion to see available drives enabled yes no default no specifies whether the web proxy is enabled hostname text default proxy hostname DNS or IP address of the web proxy max cache size none unlimited integer 0 4294967295 default none specifies the maximal disk cache size measured in kibibytes max object size integer default 4096 objects larger than the size specified will not be saved on disk The value is measured in kibibytes If you wish to get a high bytes hit ratio you should probably increase this one 2 MiB object hit counts for 2048 1KiB hits If you wish to increase speed more than your want to save bandwidth you should leave this low max ram cache size none unlimited integer 0 4294967295 default unlimited specifies the maximal memory cache size measured in kibibytes parent proxy P address port default 0 0 0 0 0 specifies upper level parent proxy port port default 3128 specifies the port s the web proxy will be listening on reserved for cache r
58. Host A admin Lobo924 ip dhcp server option gt Use this option in DHCP server network list admin Lobo924 ip dhcp server network gt add address 10 1 0 0 24 gateway 10 1 0 1 dhcp option Option Hostname dns server 159 148 60 20 admin Lobo924 ip dhcp server network gt print detail 0 address 10 1 0 0 24 gateway 10 1 0 1 dns server 159 148 60 20 dhcp option Option Hostname admin Lobo924 ip dhcp server network gt Now the DHCP server will reply with its Hostname Host A to DHCP client if requested DHCP Relay Home menu level ip dhcp relay Description DHCP Relay is just a proxy that is able to receive a DHCP request and resend it to the real DHCP server Property Description dhcp server text list of DHCP servers IP addresses which should the DHCP requests be forwarded to delay threshold time default none if secs field in DHCP packet is smaller than delay threshold then this packet is ignored interface name interface name the DHCP relay will be working on local address ZP address default 0 0 0 0 the unique IP address of this DHCP relay needed for DHCP server to distinguish relays Other trademarks and registred trademarks mentioned herein are properties of their respective owners e 0 0 0 0 the IP address will be chosen automatically name name descriptive name for relay Notes DHCP relay does not choose the particular DHCP server in the dhcp server list it just
59. In this submenu you can configure Static Equal Cost Multi Path and Policy Based Routing and see the routes Property Description as path text manual value of BGP s as path for outgoing route atomic aggregate yes no BGP attribute An indication to receiver that it cannot deaggregate the prefix check gateway arp ping default ping which protocol to use for gateway reachability Other trademarks and registred trademarks mentioned herein are properties of their respective owners distance integer 0 255 administrative distance of the route When forwarding a packet the router will use the route with the lowest administrative distance and reachable gateway dst address IP address netmask default 0 0 0 0 0 destination address and network mask where netmask is number of bits which indicate network number Used in static routing to specify the destination which can be reached using a gateway 0 0 0 0 0 any network gateway IP address gateway host that can be reached directly through some of the interfaces You can specify multiple gateways separated by a comma for ECMP routes local pref integer local preference value for a route med integer a BGP attribute which provides a mechanism for BGP speakers to convey to an adjacent AS the optimal entry point into the local AS origin incomplete igp egp the origin of the route prefix prefsre JP address source IP address of packets leaving rout
60. License required levell limited to 1 tunnel level3 Home menu level Ainterface eoip Standards and Technologies GRE RFC1701 Hardware usage Not significant Related Documents e Package Management e IP Addresses and ARP e Bridge Interfaces PPTP Interface Description An EolP interface should be configured on two routers that have the possibility for an IP level connection The EoIP tunnel may run over an IPIP tunnel a PPTP 128bit encrypted tunnel a PPPoE connection or any connection that transports IP Specific Properties e Each EolP tunnel interface can connect with one remote router which has a corresponding interface configured with the same Tunnel ID e The EoIP interface appears as an Ethernet interface under the interface list e This interface supports all features of an Ethernet interface IP addresses and other tunnels may be run over the interface e The EolP protocol encapsulates Ethernet frames in GRE IP protocol number 47 packets just like PPTP and sends them to the remote side of the EoIP tunnel e Maximal count of EoIP tunnels is 65536 Notes WDS significantly faster than EoIP up to 10 20 so it is recommended to use WDS whenever possible EolP Setup Home menu level Ainterface eoip Other trademarks and registred trademarks mentioned herein are properties of their respective owners Property Description name name default eoip tunnelN interface name for reference mtu i
61. Point to Point protocol e ISDN phone number dialled MSN e PPPoE service name e PPTP server s IP address e L2TP server s IP address domain text default Microsoft Windows domain of client passed to RADIUS servers that require domain validation realm text explicitly stated realm user domain so the users do not have to provide proper ISP domain name in user name secret text default shared secret used to access the RADIUS server service multiple choice hotspot login ppp telephony wireless dhcp default router services that will use this RADIUS server e hotspot HotSpot authentication service e login router s local user authentication Other trademarks and registred trademarks mentioned herein are properties of their respective owners e ppp Point to Point clients authentication e telephony IP telephony accounting e wireless wireless client authentication client s MAC address is sent as User Name e dhcp DHCP protocol client authentication client s MAC address is sent as User Name timeout time default 100ms timeout after which the request should be resend Notes The order of the items in this list is significant Microsoft Windows clients send their usernames in form domain username When RADIUS server is authenticating user with CHAP MS CHAPv1 MS CHAPv2 it is not using shared secret secret is used only in authentication reply and router is verifying
62. Port Type Ethernet e Calling Station Id client identifier active client id Framed IP Address IP address of the client active address e Called Station Id name of DHCP server e User Name MAC address of the client active mac address nn e Password Access Accept Framed IP Address IP address that will be assigned to client e Framed Pool ip pool from which to assign ip address to client e Rate Limit Datarate limitation for clients DHCP clients Format is rx rate tx rate rx burst rate tx burst rate rx burst threshold tx burst threshold rx burst time tx burst time All rates should be numbers with optional k 1 000s or M 1 000 000s If tx rate is not specified rx rate is as tx rate too Same goes for tx burst rate and tx burst threshold and tx burst time If both rx burst threshold and tx burst threshold are not specified but burst rate is specified rx rate and tx rate is used as burst thresholds If both rx burst time and tx burst time are not specified 1s is used as default e Ascend Data Rate tx rx data rate limitation if multiple attributes are provided first limits tx data rate second rx data rate If used together with Ascend Xmit Rate specifies rx rate 0 if unlimited e Ascend Xmit Rate tx data rate limitation It may be used to specify tx limit only instead of sending two sequental Ascend Data Rate attributes in that case Ascend Data Rate will specify the receive rate 0 if
63. ProhibitIpSec Data Type REG_DWORD Value 1 You must restart the Windows 2000 for the changes to take effect For more information on configuring Windows 2000 see Configuring Cisco IOS and Windows 2000 Clients for L2TP Using Microsoft IAS e Disabling IPSEC Policy Used with L2TP e How to Configure a L2TP IPsec Connection Using Pre shared Key Authentication Other trademarks and registred trademarks mentioned herein are properties of their respective owners PPPoE Document revision 1 4 Fri Apr 30 06 43 11 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Summary Quick Setup Guide Specifications Related Documents Additional Documents PPPoE Client Setup Description Property Description Notes Example Monitoring PPPoE Client Property Description Example PPPoE Server Setup Access Concentrator Description Property Description Notes Example PPPoE Server Users Property Description Example Application Examples PPPoE in a multipoint wireless 802 11 network Troubleshooting Description General Information Summary The PPPoE Point to Point Protocol over Ethernet protocol provides extensive user management network management and accounting benefits to ISPs and network administrators Currently PPPoE is used mainly by ISPs to control client connections for xDSL and cable modems as well as plain Ethernet networks PPPoE is an extension of the s
64. Related Documents Description General Setup Description Property Description Notes Example Areas Description Property Description Example Networks Description Property Description Notes Example Interfaces Description Property Description Example Virtual Links Description Property Description Notes Example Neighbours Description Property Description Notes Example OSPF backup without using a tunnel Routing tables with Revised Link Cost Functioning of the Backup General Information Summary Other trademarks and registred trademarks mentioned herein are properties of their respective owners Lobo OSB implements OSPF Version 2 RFC 2328 The OSPF protocol is the link state protocol that takes care of the routes in the dynamic network structure that can employ different paths to its subnetworks It always chooses shortest path to the subnetwork first Specifications Packages required routing License required level3 Home menu level routing ospf Standards and Technologies OSPF Hardware usage Not significant Related Documents e Package Management IP Addresses and ARP e Routes Equal Cost Multipath Routing Policy Routing Log Management Description Open Shortest Path First protocol is a link state routing protocol It s uses a link state algorithm to build and calculate the shortest path to all known destinations The shortest path is calculated using the Dijkstra algorithm OSPF distributes
65. TXQ LAST TX CORRECT 0O 00 01 24 70 4B FC wirelesa 60 60 0 01 67 0 01 100 admin Lobo924 interface wireless align gt Frequency Monitor Description Aproximately shows how loaded are the wireless channels Property Description freq read only integer shows current channel use read only percentage shows usage in current channel Example Monitor 802 11b network load admin Lobo924 interface wireless gt frequency monitor wlanl FREQ 2412MH 2417MH 2422MH 2427MH 2432MH 2437MH de VN FI o ol co oe 2442 2447 2452 2457 2462 OAIYWNCODONOWG er rr NNNNNNNNNNWN AP oP ANP o o o ONnOoOROW To monitor other bands change the the band setting for the respective wireless interface Manual Transmit Power Table Home menu level Ainterface wireless manual tx power table Description In this submenu you can define signal strength for each rate You should be aware that you can Other trademarks and registred trademarks mentioned herein are properties of their respective owners damage your wireless card if you set higher output power than it is allowed Note that the values in this table are set in dBm NOT in mW Therefore this table is used mainly to reduce the transmit power of the card Property Description manual tx powers text define tx power in dBm for each rate separate by commas Example To set the following transmit powers at each rates
66. URI identifies one or more currently cached entities those entries should be treated as stale Responses to this method are not cacheable TRACE This method invokes a remote application layer loop back of the request message The final recipient of the request should reflect the message received back to the client as the entity body of a 200 OK response The final recipient is either the origin server or the first proxy or gateway to receive a Max Forwards value of 0 in the request A TRACE request must not include an entity Responses to this method MUST NOT be cached Other trademarks and registred trademarks mentioned herein are properties of their respective owners IP Pools Document revision 0 0 Thu Mar 04 20 47 26 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Description Notes Setup Property Description Example Used Addresses from Pool Description Property Description Example General Information Summary IP pools are used to define range of IP addresses that is used for DHCP server and Point to Point servers Specifications Packages required system License required levell Home menu level ip pool Standards and Technologies none Hardware usage Not significant Related Documents e Package Management IP Addresses and ARP e AAA DHCP Client and Server HotSpot Gateway Universal Client Interface
67. WEP_StationX interface wireless gt set wlanl name WEP STAX ssid mt_wep band 5ghz security profile StationX mode station disabled no admin WEP_StationX interface wireless gt print 0 R name WEP STAX mtu 1500 mac address 00 0C 42 05 06 B2 arp enabled disable running check no interface type Atheros AR5413 radio name 000C420506B2 mode station ssid mt_wep area frequency mode superchannel country no_country_set antenna gain 0 frequency 5180 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile StationxX disconnect timeout 3s on fail retry time 100ms preamble mode both admin WEP_StationX interface wireless gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners Troubleshooting Description If I use W
68. accept let the bridging code decide what to do with this packet e drop extract the packet from bridging code making it appear just like it would come from a not bridged interface no further bridge decisions or filters will be applied to this packet except if the packet would be router out to a bridged interface in which case the packet would be processed normally just like any other routed packet e dst nat change destination MAC address of a packet only valid in dstnat chain an let bridging code to decide further actions e jump jump to the chain specified by the value of the jump target argument e log log the packet e mark mark the packet to use the mark later e passthrough ignore this rule and go on to the next one Acts the same way as a disabled rule except for ability to count packets e redirect redirect the packet to the bridge itself only valid in dstnat chain an let bridging code to decide further actions e return return to the previous chain from where the jump took place to dst mac address MAC address destination MAC address to put in Ethernet frames when action dst nat is selected Troubleshooting Description e Router shows that my rule is invalid e in interface in bridge or in bridge port is specified but such an interface does not exist Other trademarks and registred trademarks mentioned herein are properties of their respective owners there is an action mark packet but no
69. admin Lobo924 gt system sup output creating supout rif file might take a while Done admin Lobo924 gt To see the files stored on the router admin Lobo924 gt file print NAME TYPE SIZE CREATION TIME 0 supout rif unknown 108787 dec 24 2003 10 12 38 admin Lobo924 gt Connect to the router using FTP and download the supout rif file using BINARY file transfer mode Send the supout rif file to Lobo Support m dobson lobometrics com with detailed description of the problem Other trademarks and registred trademarks mentioned herein are properties of their respective owners System Resource Management Document revision 2 1 Tue Sep 27 17 38 19 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents System Resource Notes Example IRQ Usage Monitor Description Example IO Port Usage Monitor Description Example USB Port Information Description Property Description Example PCI Information Property Description Example Reboot Description Notes Example Shutdown Description Notes Example Router Identity Description Example Date and Time Property Description Notes Example Configuration Change History Description Command Description Notes Example System Note Other trademarks and registred trademarks mentioned herein are properties of their respective owners Description Property Description Notes
70. amount of memory to use Sniffer will stop after this limit is reached file name text default the name of the file where the sniffed packets will be saved to file limit integer default 10 the limit of the file in KB Sniffer will stop after this limit is reached streaming enabled yes no default no whether to send sniffed packets to a remote server streaming server IP address default 0 0 0 0 Tazmen Sniffer Protocol TZSP stream receiver filter stream yes no default yes whether to ignore sniffed packets that are destined to the stream server filter protocol all frames ip only mac only no ip default ip only specific protocol group to filter e all frames sniff all packets e ip only sniff IP packets only e mac only no ip sniff non IP packets only filter address1 IP address mask port default 0 0 0 0 0 0 65535 criterion of choosing the packets to process filter address2 IP address mask port default 0 0 0 0 0 0 65535 criterion of choosing the packets to process running yes no default no if the sniffer is started then the value is yes otherwise no Notes Other trademarks and registred trademarks mentioned herein are properties of their respective owners filter address1 and filter address2 are used to specify the two participients in communication i e they will match only in the case if one of them matches the source address and the other one matches the destina
71. and totime functions convert a value accordingly to list boolean internal number IP address number string or time The number type is internally represented as 64 bit signed integer so the value a number type variable can take is in range from 9223372036854775808 to 9223372036854775807 It is possible to input number value in hexadecimal form by prefixing it with Ox e g admin Lobo924 gt global MyVar 0x10 admin Lobo924 gt put MyVar 16 admin Lobo924 gt Lists are treated as comma separated sequence of values Putting whitespaces around commas is not recommended because it might confuse console about words boundaries Boolean values can be either true or false Console also accepts yes for true and no for false Internal numbers are preceided sign Time intervals can be entered either using HH MM SS MS notation e g admin Lobo924 gt put 01 12 1 01 0112401010 admin Lobo924 gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners or as sequence of numbers optionally followed by letters specifying the units of time measure d dor days h for hours m for minutes s for seconds and ms for milliseconds e g admin Lobo924 gt put 2d11h12 2011 00 12 admin Lobo924 gt As can bee seen time values with omitted unit specificators are treated as expressed in seconds e d day days one day or 24 hours h hour hours one hour e m mi
72. based and many Layer 2 switches also support it A VLAN is a logical grouping that allows end users to communicate as if they were physically connected to a single isolated LAN independent of the physical configuration of the network VLAN support adds a new dimension of security and cost savings permitting the sharing of a physical network while logically maintaining separation among unrelated users Specifications Packages required system License required levell limited to 1 vlan level3 Home menu level Ainterface vlan Standards and Technologies VLAN IEEE 802 10 Hardware usage Not significant Related Documents e Software Package Management IP Addresses and ARP Other trademarks and registred trademarks mentioned herein are properties of their respective owners Description VLANs are simply a way of grouping a set of switch ports together so that they form a logical network separate from any other such group Within a single switch this is straightforward local configuration When the VLAN extends over more than one switch the inter switch links have to become trunks on which packets are tagged to indicate which VLAN they belong to You can use Lobo OSB as well as Cisco IOS and Linux to mark these packets as well as to accept and route marked ones As VLAN works on OSI Layer 2 it can be used just as any other network interface without any restrictions And VLAN successfully passes through Ethernet bridges fo
73. based on the packets arrival time and date or for locally generated packets departure time and date tos max reliability max throughput min cost min delay normal specifies a match for the value of Type of Service ToS field of an IP header e max reliability maximize reliability ToS 4 e max throughput maximize throughput ToS 8 e min cost minimize monetary cost ToS 2 e min delay minimize delay ToS 16 e normal normal service ToS 0 General Information Description The following section discusses some examples of using the mangle facility Peer to Peer Traffic Marking Other trademarks and registred trademarks mentioned herein are properties of their respective owners To ensure the quality of service for network connection interactive traffic types such as VoIP and HTTP should be prioritized over non interactive such as peer to peer network traffic OSB QOS implementation uses mangle to mark different types of traffic first and then place them into queues with different limits The following example enforces the P2P traffic will get no more than 1Mbps of the total link capacity when the link is heavily used by other traffic otherwice expanding to the full link capacity admin Lobo924 gt ip firewall mangle add chain forward Na p2p all p2p action mark connection new connection mark p2p_conn admin Lobo924 gt ip firewall mangle add chain forward connection mark p2p_conn action mark p
74. be added to the interface with the respective netmask The default gateway will be added to the routing table as a dynamic entry Should the DHCP client be disabled or not renew an address the dynamic default route will be removed If there is already a default route installed prior the DHCP client obtains one the route obtained by the DHCP client would be shown as invalid Property Description address JP address netmask IP address and netmask which is assigned to DHCP Client from the Server add default route yes no default yes whether to add the default route to the gateway specified by the DHCP server client id text corresponds to the settings suggested by the network administrator or ISP Commonly it is set to the client s MAC address but it may as well be any test string Other trademarks and registred trademarks mentioned herein are properties of their respective owners dhcp server IP address IP address of the DHCP Server enabled yes no default no whether the DHCP client is enabled expires after time time which is assigned by the DHCP Server after which the lease expires gateway P address IP address of the gateway which is assigned by DHCP Server host name text the host name of the client as sent to a DHCP server interface name any Ethernet like interface this includes wireless and EoIP tunnels on which the DHCP Client searches the DHCP Server primary dns P address IP addres
75. chains The actions imposed by various router facilities are sequentially applied to a packet in each of the default chains The exact order they are applied is pictured in the bottom of the flow diagram Exempli gratia for a packet passing postrouting chain the mangle rules are applied first two types of queuing come in second place and finally source NAT is performed on packets that need to be natted Note that a given packet can come through only one of the input forward or output chains Bridged Traffic Other trademarks and registred trademarks mentioned herein are properties of their respective owners In case the incoming traffic needs to be bridged do not confuse it with the traffic coming from the bridge interface which should be routed it is first determined whether it is an IP traffic or not After that the IP traffic goes through the prerouting forward and postrouting chains while non IP traffic goes directly to the interface queue Both types of traffic however undergo the bridge firewall check first Additional arrows from IPsec boxes shows the processing of encrypted packets they need to be encrypted decrypted first and then processed as usual id est from the point an ordinal packet enters the router If the packet is bridged one the Routing Decision changes to Bridge Forwarding Decision In case the bridge is forwarding non IP packets all things regarding IP protocol are not applicable Universal Cl
76. claim take shortest of proposed and configured lifetimes and notify initiator about it e exact require lifetimes to be the same e obey accept whatever is sent by an initiator e strict If proposed lifetime IS longer than default then reject proposal otherwise accept proposed lifetime secret text default secret string If it starts with Ox it is parsed as a hexadecimal value send initial contact yes no default yes specifies whether to send initial IKE information or wait for remote side Notes AES Advanced Encryption Standard encryption algorithms are much faster than DES so it is recommended to use this algorithm class whenever possible But AES s speed is also its drawback as it potentially can be cracked faster so use AES 256 when you need security or AES 128 when speed is also important Both peers MUST have the same encryption and authentication algorithms DH group and exchange mode Some legacy hardware may support only DES and MDS You should set generate policy flag to yes only for trusted peers because there is no verification done for the established policy To protect yourself against possible unwanted events add policies with action accept for all networks you don t want to be encrypted at the top of policy list Since dynamic policies are added at the bottom of the list they will not be able to override your configuration Example To define new peer configuration for 10 0 0 147 peer wit
77. common setup opening any HTTP page will bring up the HotSpot servlet login page which can be customized extensively as will be described later on As normal user behavior is to open web pages by their DNS names a valid DNS configuration should be set up on the HotSpot gateway itself it is possible to reconfigure the gateway so that it will not require local DNS configuration but such a configuration is impractical and thus not recommended Walled Garden Other trademarks and registred trademarks mentioned herein are properties of their respective owners You may wish not to require authorization for some services for example to let clients access the web server of your company without registration or even to require authorization only to a number of services for example for users to be allowed to access an internal file server or another restricted area This can be done by setting up Walled Garden system When a not logged in user requests a service allowed in the Walled Garden configuration the HotSpot gateway does not intercept it or in case of HTTP simply redirects the request to the original destination or to a specified parent proxy When a user is logged in there is no effect of this table on him her To implement the Walled Garden feature for HTTP requests an embedded web proxy server has been designed so all the requests from not authorized users are really going through this proxy Note that the embedded proxy server
78. delay minimize delay ToS 16 e normal normal service ToS 0 new ttl decrement increment set integer specify the new TTL field value used in conjunction with action change ttl e decrement the value of the TTL field will be decremented for value e increment the value of the TTL field will be incremented for value e set the value of the TTL field will be set to value nth integer integer 0 15 integer match a particular Nth packet received by the rule One of 16 available counters can be used to count packets e Every match every Nth packet e Counter specifies which counter to use e Packet match on the given packet number The value by obvious reasons must be between 0 and Every 1 If this option is used for a given counter then there must be at least Every rules with this option covering all values between 0 and Every 1 inclusively out interface name match the interface name a packet left the router through p2p all p2p bit torrent direct connect edonkey fasttrack gnutella soulseek warez winmx match packets belonging to connections of the above P2P protocols packet mark name match the packets marked in mangle with specific packet mark packet size integer 0 65535 integer 0 65535 matches packet of the specified size or size range in bytes e Min specifies lower boundary of the size range or a standalone value e Max specifies upper boundary of the size range phys
79. disabled R running 0 R name nstremel mtu 1500 mac address disable running check no tx radio wla remote mac 00 00 00 00 00 00 tx band limit 0 default client tx limit 0 disconnect timeout 3s e both e dual dual gt add rx radio wlan1 uency 5805 disabled no dual gt print 00 0C 42 05 04 36 arp enabled n2 rx radio wlan1 5ghz tx frequency 5805 rx band 5ghz rx frequency 5180 rates b 1Mbps 2Mbps 5 5Mbps 11Mbps rates a g 6Mbps 9Mbps 12Mbps 18Mbps 2 framer policy none framer limit 4000 admin DualNS 1 interface wireless nstreme 4Mbps 36Mbps 48Mbps 54Mbps dual gt Note the MAC address of the interface nstremel You will need it to configure the remote DualNS 2 router As we have not configured the DualNS 2 router we cannot define the remote mac parameter on DualNS 1 We will do it after configuring DualNS 2 The configuration of DualNS 2 f admin DualNS 2 interface wireless gt set 0 admin DualNS 2 interface wireless gt print Flags X disabled R running 0 name wlanl mtu 1500 mac address 00 1 mode nstreme dual slav 0C 42 05 00 22 arp enabled disable running check no interfac type Atheros AR5413 Other trademarks and registred trademarks mentioned herein are properties of their respective owners radio name 000C42050022 mode nstreme dual slave ssid Lobo area frequency mode superchannel country no_country_set antenna gain 0 frequen
80. dstnat used for redirecting some pakets to another destinations e broute makes bridge a brouter router that performs routing on some of the packets and bridging on others Has one predefined chain brouting which is traversed right after a packet enters an enslaved interface before Bridging Decision Note the bridge destination NAT is executed before bridging desision You can put packet marks in bridge firewall filter broute and NAT which are the same as the packet marks in IP firewall put by mangle So packet marks put by bridge firewall can be used in IP firewall and vice versa General bridge firewall properties are described in this section Some parameters that differ between nat broute and filter rules are described in further sections Property Description 802 3 sap integer DSAP Destination Service Access Point and SSAP Source Service Access Point are 2 one byte fields which identify the network protocol entities which use the link layer service These bytes are always equal Two hexadecimal digits may be specified here to match an SAP byte 802 3 type integer Ethernet protocol type placed after the IEEE 802 2 frame header Works only if 802 3 sap is OxAA SNAP Sub Network Attachment Point header For example AppleTalk can be indicated by SAP code of OxAA followed by a SNAP type code of 0x809B arp dst address P address default 0 0 0 0 0 ARP destination address arp dst mac address MAC addres
81. e unnamed parameter these are required by some actions and should be entered in fixed order after the action name like in 10 0 0 1 in admin Lobo924 ip firewall mangle gt ping 10 0 0 1 e name value a sequence of parameter names followed by respective values if required like ssid myssid in interface wireless set wlanl ssid myssid Notes Variable substitution command substitution and expressions are allowed only for path_args and unnamed parameter values prefix path action and name value pairs can be given only directly as a word Therefore put 1 2 is valid and pu t 3 is not Example The parts of internal console commands are futher explained in the following examples ping 10 0 0 1 count 5 to ing ip firewall rule input for i from 1 to 10 do put i Other trademarks and registred trademarks mentioned herein are properties of their respective owners a pname value from 1 to 10 do put i interface monitor traffic etherl ether2 ipipl eae Expression Grouping Description This feature provides an easy way to execute commands from within one command level by enclosing them in braces Notes Subsequent script commands are executed from the same menu level as the entire script Consider the following example admin Lobo924 ip route gt user ip route Pase Se nite F lags X disabled NAME GROUP ADDRESS 0 777 system defaul
82. each of the rules Any packet that traverse the router from unauthorized client will be sent to the hs unauth chain The hs unauth implements the IP based Walled Garden filter Other trademarks and registred trademarks mentioned herein are properties of their respective owners Everything that comes to clients through the router gets redirected to another chain called hs unauth to This chain should reject unauthorized requests to the clients Everything that comes from clients to the router itself gets to another chain called hs input Allow client access to the local authentication and proxy services as described earlier All other traffic from unauthorized clients to the router itself will be treated the same way as the traffic traversing the routers Unlike NAT table where only TCP protocol related Walled Garden entries were added in the packet filter hs unauth chain is added everything you have set in the ip hotspot walled garden ip menu That is why although you have seen only one entry in the NAT table there are two rules here Everything else that has not been while listed by the Walled Garden will be rejected Note usage of TCP Reset for rejecting TCP connections Reject all packets to the clients with ICMP reject message Customizing HotSpot HTTP Serviet Pages Description You can create a completely different set of servlet pages for each HotSpot server you have specifying the directory it will be stored in html dir
83. etherl dst port 80 protocol tcp action redirect to ports 8080 chain dstnat admin Lobo924 gt ip firewall nat print Flags X disabled I invalid D dynamic 0 chain dstnat protocol tcp in interface etherl dst port 80 action redirect to ports 8080 admin Lobo924 gt Be aware that you will not be able to access the router s web page after addition of the rule above unless you will change the port for the www service under ip service submenu to a different value or explicitly exclude router s IP address from those to be matched like It is assumed that the router s address is 1 1 1 1 32 HTTP Methods Description OPTIONS This method is a request of information about the communication options available on the chain between the client and the server identified by the Request URI The method allows the client to determine the options and or the requirements associated with a resource without initiating any resource retrieval GET Other trademarks and registred trademarks mentioned herein are properties of their respective owners This method retrieves whatever information identified by the Request URI If the Request URI refers to a data processing process than the response to the GET method should contain data produced by the process not the source code of the process procedure s unless the source is the result of the process The GET method can become a conditional GET if the request message i
84. feature of the Lobo router The masquerading will change the source IP address and port of the packets originated from the network 192 168 0 0 24 to the address 10 5 8 109 of the router when the packet is routed through it To use masquerading a source NAT rule with action masquerade should be added to the firewall configuration ip firewall nat add chain srcnat action masquerade out interface Public All outgoing connections from the network 192 168 0 0 24 will have source address 10 5 8 109 of the router and source port above 1024 No access from the Internet will be possible to the Local addresses If you want to allow connections to the server on the local network you should use destination Network Address Translation NAT Example of Destination NAT If you want to link Public IP 10 5 8 200 address to Local one 192 168 0 109 you should use Other trademarks and registred trademarks mentioned herein are properties of their respective owners destination address translation feature of the Lobo router Also if you want allow Local server to talk with outside with given Public IP you should use source address translation too Add Public IP to Public interface ip address add address 10 5 8 200 32 interface Public Add rule allowing access to the internal server from external networks ip firewall nat add chain dstnat dst address 10 5 8 200 action dst nat to addresses 192 168 0 109 Add rule allowing the internal server to
85. gt find searches for substring inside a string or for an element with particular value inside an array depending on argument types and returns position at which the value is found The elements in list and characters in string are numbered from 0 upwards text the string or value list the search will be performed in text value to be searched for integer position after which the search is started admin Lobo924 interfac pppoe server gt put find 13sdflsdfsslsfsdf324333 0 admin Lobo924 interface pppoe server gt put find 13sdflsdfsslsfsdf 324333 3 admin Lobo924 interface pppoe server gt put find 13sdflsdfssisfsdf324333 3 3 ET admin Lobo924 interface pppoe server gt put find 12515 15237 37 45 p69 178 97 Op ly 273 3 4 admin Lobo924 interface pppoe server gt put find lied o2y 3 37 4 0 Op 1985 97071 2h n 3 3 4 admin Lobo924 interface pppoe server gt put whan Mit lee So Shy Sy Or pe lO y gy ego 3 4 5 admin Lobo924 interface pppoe server gt put find 15 17 14 2737 37 45 DOr 17 85 940715243 3 5 15 admin Lobo924 for executes supplied commands over a given number of iterations which is explicity set through from and to parameters name the name of the loop counter variable integer start value of the loop counter variable integer end value of the loop counter variable integer default 1 increment value De
86. gt add interface etherl disabled no admin Lobo924 tool mac server gt print Flags X disabled INTERFACE 0 etherl admin Lobo924 tool mac server gt MAC WinBox Server Home menu level tool mac server mac winbox Property Description interface name all default all interface name to which it is alowed to connect with Winbox using MAC based protocol e all all interfaces Notes There is an interface list in this submenu level If you add some interfaces to this list you allow MAC Winbox to that interface Disabled disabled yes item means that interface is not allowed to accept MAC Winbox sessions on that interface Example To enable MAC Winbox server on ether1 interface only admin Lobo924 tool mac server mac winbox gt print Other trademarks and registred trademarks mentioned herein are properties of their respective owners Flags X disabled INTERFACE 0 all admin Lobo924 tool mac server mac winbox gt remove 0 admin Lobo924 tool mac server mac winbox gt add interface etherl disabled no admin Lobo924 tool mac server mac winbox gt print Flags X disabled INTERFACE 0 etherl admin Lobo924 tool mac server mac winbox gt Monitoring Active Session List Home menu level ool mac server sessions Property Description interface read only name interface to which the client is connected to src address read only
87. gt print name default mode none wpa unicast cip pre shared key static algo 0O none sta static key l static algo 2 none stati static key 3 static transmit key key static sta private key _radius mac aut tic key 0 static a hers _wpa group ciphers lgo 1 none c key 2 static algo 3 none 0 static sta privat hentication no group algo non key update 5m name Stationl mode static keys required wpa unicast ciphers wpa group ciphers pre shared key _s static algo l none static key 1 stati static algo 3 none static key 3 stati static sta private algo 104bit wep static sta private key 6543210987654321 radius mac authentication no group key u tatic algo O none sta c algo 2 none static c transmit key key 0 0987654321 pdate 5m tic key 0 key 2 name StationX mode static keys required wpa unicast ciphers wpa group ciphers pre shared key _s static algo 1 40bit wep static key 1 12 static key 2 static algo 3 none stati tatic algo O none sta 34567890 static algo c key 3 static transmit key key 1 static sta pri static sta private key _radius mac aut vate algo non hentication no group admin WEP_AP interface wireless security admin Lobo924 interface wireless gt set 0 n profiles gt tic key 0 2 none ke
88. i e 2 keepalive timeout not responding client is proclaimed disconnected one session per host yes no default no allow only one session per host determined by MAC address If a host will try to establish a new session the old one will be closed default profile name default default default profile to use Notes The default keepalive timeout value of 10 is OK in most cases If you set it to 0 the router will not disconnect clients until they log out or router is restarted To resolve this problem the one session per host property can be used Security issue do not assign an IP address to the interface you will be receiving the PPPoE requests on Example To add PPPoE server on ether1 interface providing ex service and allowing only one connection per host admin Lobo924 interface pppoe server server gt add interface etherl service name ex one session per host yes admin Lobo924 interface pppoe server server gt print Flags X disabled 0 X service name ex interface etherl mtu 1480 mru 1480 authentication mschap2 mschap chap pap keepalive timeout 10 one session per host yes default profile default admin Lobo924 interface pppoe server server gt PPPoE Server Users Home menu level interface pppoe server Property Description name name interface name service name name name of the service the user is connected to remote address read only MAC address MAC addr
89. icmp icmp options 11 0 action accept comment allow time exceed add chain icmp protocol icmp icmp options 12 0 action accept comment allow parameter bad add chain icmp action drop comment deny all other types i An ae io ae Other trademarks and registred trademarks mentioned herein are properties of their respective owners Address Lists Document revision 2 7 Mon May 02 10 18 10 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Address Lists Description Property Description Example General Information Summary Firewall address lists allow to create a list of IP addresses to be used for packet matching Specifications Packages required system License required levell Home menu level ip firewall address list Standards and Technologies JP Hardware usage Not significant Related Documents Software Package Management NAT e Filter e Packet Flow e Packet Flow Address Lists Description Firewall address lists allow user to create lists of IP addresses grouped together Firewall filter mangle and NAT facilities can use address lists to match packets against them Other trademarks and registred trademarks mentioned herein are properties of their respective owners The address list records could be updated dynamically via the action add src to address list or action add dst to add
90. in its IP address list Example To enable the proxy on port 8080 admin Lobo924 admin Lobo924 ip web proxy gt set ip web proxy gt print nabled yes port 8080 enabled yes src address 0 0 0 0 port 8080 hostname proxy transparent proxy no parent proxy 0 0 0 0 0 cache administrator webmaster max object size 4096 KiB cache drive system max cache size non max ram cache size unlimited status running reserved for cache 0 KiB reserved for ram cache 2048 KiB admin Lobo924 Access List ip web proxy gt Home menu level ip web proxy access Other trademarks and registred trademarks mentioned herein are properties of their respective owners Description Access list is implemented in the same way as Lobo OSB firewall rules Rules are processed from the top to the bottom First matching rule specifies decision of what to do with this connection There is a total of 6 classifiers that specify matching constraints If none of these classifiers is specified the particular rule will match every connection If connection is matched by a rule action property of this rule specifies whether connection will be allowed or not If the particular connection does not match any rule it will be allowed By default there exists one rule which prevents connect requests to ports other then 443 and 563 Property Description action allow deny default allow specifies whether to pass or den
91. interface wireless gt ip add admin AccessPoint ip address gt add address 10 1 0 1 24 interface AP admin AccessPoint ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 1 0 1 24 10 1 0 0 10 1 0 255 AP admin AccessPoint ip address gt Configure the station and add an IP address 10 1 0 2 to it admin Station interface wireless gt set wlanl name To AP mode station ssid test band 5ghz disabled no admin Station interface wireless gt print Flags X disabled R running 0O R name To AP mtu 1500 mac address 00 0B 6B 34 5A 91 arp enabled disable running check no interface type Atheros AR5213 radio name 000B6B345A91 mode station ssid test area frequency mode superchannel country no_country_set antenna gain 0 frequency 5180 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forw
92. level interface I2tp server interface 12tp client Standards and Technologies L2TP RFC 2661 Hardware usage Not significant Related Documents e Package Management JP Addresses and ARP AAA e EoIP Tunnel Interface e IP Security Description L2TP is a secure tunnel protocol for transporting IP traffic using PPP L2TP encapsulates PPP in virtual lines that run over IP Frame Relay and other protocols that are not currently supported by Lobo OSB L2TP incorporates PPP and MPPE Microsoft Point to Point Encryption to make encrypted links The purpose of this protocol is to allow the Layer 2 and PPP endpoints to Other trademarks and registred trademarks mentioned herein are properties of their respective owners reside on different devices interconnected by a packet switched network With L2TP a user has a Layer 2 connection to an access concentrator LAC e g modem bank ADSL DSLAM etc and the concentrator then tunnels individual PPP frames to the Network Access Server NAS This allows the actual processing of PPP packets to be divorced from the termination of the Layer 2 circuit From the user s perspective there is no functional difference between having the L2 circuit terminate in a NAS directly or using L2TP It may also be useful to use L2TP just as any other tunneling protocol with or without encryption The L2TP standard says that the most secure way to encrypt data is using L2TP over IPsec Note that it
93. limit 65536 131072 total queue default admin Lobo924 queue simple gt The max limit parameter cuts down the maximum available bandwidth From the clients point of view the value 65536 131072 means that they will get maximum of 131072bps for download and 65536bps for upload The target addresses parameter defines the target network or networks separated by a comma to which the queue rule will be applied Now see the traffic load admin Lobo924 interface gt monitor traffic Local received packets per second 7 received bits per second 68kbps sent packets per second 13 sent bits per second 135kbps admin Lobo924 interface gt Probably you want to exclude the server from being limited if so add a queoe for it without any limitation max limit 0 0 which means no limitation and move it to the beginning of the list admin Lobo924 queue simple gt add name Server target addresses 192 168 0 1 32 interface Local admin Lobo924 queue simple gt print Flags X disabled I invalid D dynamic 0 name Limit Local target addresses 192 168 0 0 24 dst address 0 0 0 0 0 interface Local parent none priority 8 queue default default limit at 0 0 max limit 65536 131072 total queue default 1 name Server target addresses 192 168 0 1 32 dst address 0 0 0 0 0 interface Local parent none priority 8 queue default default limit at 0 0 max limit 0 0 total queue default admin Lobo924 queue simple gt mo
94. list has default action equal to deny It takes place when no rules are specified or a particular request did not match any rule HTTP Methods Description OPTIONS This method is a request of information about the communication options available on the chain between the client and the server identified by the Request URI The method allows the client to determine the options and or the requirements associated with a resource without initiating any resource retrieval GET This method retrieves whatever information identified by the Request URI If the Request URI refers to a data processing process than the response to the GET method should contain data produced by the process not the source code of the process procedure s unless the source is the result of the process The GET method can become a conditional GET if the request message includes an If Modified Since If Unmodified Since If Match If None Match or If Range header field The conditional GET method is used to reduce the network traffic specifying that the transfer of the entity should occur only under circumstances described by conditional header field s The GET method can become a partial GET if the request message includes a Range header field The partial GET method intends to reduce unnecessary network usage by requesting only parts of entities without transferring data already held by client The response to a GET request is cacheable if and only if it meets the
95. lost The snapshot image will be made when the connection from wget is initiated Web browsers or wget should connect to URL http routerIP accounting ip cgi Property Description accessible via web yes no default no wheather the snapshot is available via web address JP address netmask default 0 0 0 0 IP address range that is allowed to access the snapshot Example To enable web access from 10 0 0 1 server only admin Lobo924 ip accounting web access gt set accessible via web yes address 10 0 0 1 32 admin Lobo924 ip accounting web access gt print accessible via web yes address 10 0 0 1 32 admin Lobo924 ip accounting web access gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners PPP User AAA Document revision 2 3 Fri Jul 08 11 57 26 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Description Local PPP User Profiles Description Property Description Notes Example Local PPP User Database Description Property Description Example Monitoring Active PPP Users Property Description Example PPP User Remote AAA Property Description Notes Example General Information Summary This documents provides summary configuration reference and examples on PPP user management This includes asynchronous PPP PPTP PPPoE and ISDN users Specifica
96. lt SAFE gt system history print Flags U undoable R redoable F floating undo ACTION BY POLICY F route added admin write Now if telnet connection is cut then after a while TCP timeout is 9 minutes all changes that were made while in safe mode will be undone Exiting session by Ctrl D emphasis gt also undoes all safe mode changes while quit does not If another user tries to enter safe mode he s given following message admin Lobo924 gt Hijacking Safe Mode from someone unroll release don t take it u r d e u undoes all safe mode changes and puts the current session in safe mode e d leaves everything as is e r keeps all current safe mode changes and puts current session in a safe mode Previous Other trademarks and registred trademarks mentioned herein are properties of their respective owners owner of safe mode is notified about this admin Lobo924 ip firewall rule input Safe mode released by another user If too many changes are made while in safe mode and there s no room in history to hold them all currently history keeps up to 100 most recent actions then session is automatically put out of the safe mode no changes are automatically undone Thus it is best to change configuration in small steps while in safe mode Pressing Ctrl X twice is an easy way to empty safe mode action list Other trademarks and registred trademarks mentioned herein are properties of their re
97. maximize reliability ToS 4 e max throughput maximize throughput ToS 8 e min cost minimize monetary cost ToS 2 min delay minimize delay ToS 16 normal normal service ToS 0 Notes Because the NAT rules are applied first it is important to hold this in mind when setting up firewall rules since the original packets might be already modified by the NAT Filter Applications Protect your OSB router To protect your router you should not only change admin s password but also set up packet filtering All packets with destination to the router are processed against the ip firewall input chain Note that the input chain does not affect packets which are being transferred through the router ip firewall filter add chain input connection state invalid action drop comment Drop Invalid connections add chain input connection state established action accept comment Allow Established connections add chain input protocol udp action accept comment Allow UDP add chain input protocol icmp action accept comment Allow ICMP add chain input src address 192 168 0 0 24 action accept comment Allow access to router from known network add chain input action drop comment Drop anything else Protecting the Customer s Network To protect the customer s network we should check all traffic which goes through router and block unwanted For icmp tcp udp traffic we will create chains where will be droped all
98. new name to a copy add command returns internal number of item it has added places a new item before an existing item with specified position Thus you do not need to use the move command after adding an item to the list controls disabled enabled state of the newly added item s holds the description of a newly created item remove removes item s from a list contains number s or name s of item s to remove move changes the order of items in list where one is relevant Item numbers after move command are left in a consistent but hardly intuitive order so it s better to resync them by using print after each move command first argument Specifies the item s being moved second argument Other trademarks and registred trademarks mentioned herein are properties of their respective owners Specifies the item before which to place all items being moved they are placed at the end of the list if the second argument is omitted find The find command has the same arguments as set and an additional from argument which works like the from argument with the print command Plus find command has flag arguments like disabled invalid that take values yes or no depending on the value of respective flag To see all flags and their names look at the top of print command s output The find command returns internal numbers of all items that have the same values of arguments as specified edit this command is in every place that
99. new packet mark there is an action mark connection but no new connection mark there is an action mark routing but no new routing mark Other trademarks and registred trademarks mentioned herein are properties of their respective owners Ethernet Interfaces Document revision 1 2 Fri Apr 16 12 35 37 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Summary Specifications Related Documents Additional Documents Ethernet Interface Configuration Property Description Notes Example Monitoring the Interface Status Property Description Notes Example Troubleshooting Description General Information Summary Lobo OSB supports various types of Ethernet Interfaces The complete list of supported Ethernet NICs can be found in the Device Driver List Specifications Packages required system License required levell Home menu level Ainterface ethernet Standards and Technologies IEEE 802 3 Hardware usage Not significant Related Documents e Package Management Device Driver List IP Addresses and ARP DHCP Client and Server Other trademarks and registred trademarks mentioned herein are properties of their respective owners Additional Documents http www ethermanage com ethernet ethernet html http www dcs gla ac uk liddelljmct ethernet_protocol html Ethernet Interface Configuration Home menu level interface ethernet Property De
100. no redistribute bgp no metric default 1 metric connected metric static metric rip metric bgp 0 0 0 0 Add the same area as in main router admin OSPF_peer_1 routing ospf area gt print Flags X disabled I invalid NAME AREA ID STUB DEFAULT COST AUTHENTICATION 0 backbone 0 0 0 0 none 1 local_10 0 0 0 1 no 1 none Add connected networks with area local_10 admin OSPF_peer_1 routing ospf network gt print Flags X disabled I invalid NETWORK AREA 0 10 3 0 0 24 local_10 1 10 1 0 0 24 local_10 Finally set up the OSPF_peer_2 router Enable the following interfaces admin OSPF_peer_2 interface gt print Flags X disabled D dynamic R running NAME TYPE RX RATE TX RATE MTU 0 R to_main ether 0 0 1500 1 R to_peer_1 ether 0 0 1500 Add the needed IP addresses admin OSPF_peer_2 ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 2 0 1 24 LO 2 0 0 10 240 255 to_main 1 10 3 0 2 24 10 3 0 0 10 3 0 255 to_peer_1 Add the same area as in previous routers admin OSPF_peer_2 routing ospf area gt print Flags X disabled I invalid NAME AREA ID STUB DEFAULT COST AUTHENTICATION 0 backbone 0 0 0 0 none 1 local_10 Or 0304 L no 1 none Add connected networks with the same area admin OSPF_peer_2 Flags X disabled routing ospf network gt print I
101. not specified OSPF uses the largest IP address configured on the interfaces as its router ID Notes Within one area only the router that is connected to another area i e Area border router or to another AS i e Autonomous System boundary router should have the propagation of the default route enabled OSPF protocol will try to use the shortest path path with the smallest total cost if available OSPF protocol supports two types of metrics e typel external metrics are expressed in the same units as OSPF interface cost In other words the router expects the cost of a link to a network which is external to AS to be the same order of magnitude as the cost of the internal links e type2 external metrics are an order of magnitude larger any type2 metric is considered greater than the cost of any path internal to the AS Use of type2 external metric assumes that routing between AS is the major cost of routing a packet and climinates the need conversion of external costs to internal link state metrics Both Type 1 and Type 2 external metrics can be used in the AS at the same time In that event Type 1 external metrics always take precedence In ip route you can see routes with Io status Because router receives routers from itself The metric cost can be calculated from line speed by using the formula 10e 8 line speed The table Other trademarks and registred trademarks mentioned herein are properties of their respective owners
102. one MASTER node in a virtual router This node sends VRRP advertisement packets to all the backup routers using multicast address every once in a while set in interval property e BACKUP state when the VRRP router monitors the availability and state of the Master Router It does not answer any requests to the instance s IP addresses Should master become unavailable if at least three sequential VRRP packets are lost election process happens and new master is proclaimed based on its priority For more details on virtual routers see RFC2338 VRRP Routers Home menu level ip vrrp Description A number of VRRP routers may form a virtual router The maximal number of clusters on one network is 255 each having a unique VRID Virtual Router ID Each router participating in a VRRP cluster must have it priority set to a valid value Property Description name name assigned name of the VRRP instance interface name interface name the instance is running on vrid integer 0 255 default 1 Virtual Router Identifier must be unique on one interface priority integer 1 255 default 100 priority of the current node higher values mean higher priority e 255 RFC requires that the router that owns the IP addresses assigned to this instance had the priority of 255 interval integer 1 255 default 1 VRRP update interval in seconds Defines how frequently the master of the given cluster sends VRRP advertisement packets
103. only console telnet ssh winbox user s access method e console user is logged in locally e telnet user is logged in remotely via telnet e ssh user is logged in remotely via secure shell protocol e winbox user is logged in remotely via WinBox tool Other trademarks and registred trademarks mentioned herein are properties of their respective owners when read only date log in date and time Example To print currently active users enter the following command admin rb13 user gt active print Flags R radius WHEN NAME ADDRESS VIA 0 feb 27 2004 00 41 41 admin 11 1200 ssh 1 feb 27 2004 01 22 34 admin Lelet 200 winbox admin rb13 user gt Router User Remote AAA Home menu level user aaa Description Router user remote AAA enables router user authentication and accounting via RADIUS server Property Description accounting yes no default yes specifies whether to use RADIUS accounting default group name default read user group used by default for users authenticated via RADIUS server interim update time default 0s RADIUS Interim Update interval use radius yes no default no specifies whether a user database on a RADIUS server should be consulted Notes The RADIUS user database is consulted only if the required username is not found in the local user database Example To enable RADIUS AAA enter the following command admin Lobo924 user aaa gt s
104. ospf gt Interfaces Home menu level routing ospf interface Description This facility provides tools for additional in depth configuration of OSPF interface specific parameters You do not have to configure interfaces in order to run OSPF Property Description authentication key text default authentication key have to be used by neighboring routers that are using OSPF s simple password authentication cost integer 1 65535 default 1 interface cost expressed as link state metric dead interval time default 40s specifies the interval after which a neighbor is declared as dead The interval is advertised in the router s hello packets This value must be the same for all routers and access servers on a specific network hello interval time default 10s the interval between hello packets that the router sends on the interface The smaller the hello interval the faster topological changes will be detected but more routing traffic will ensue This value must be the same on each end of the adjancency otherwise the adjacency will not form interface name default all interface on which OSPF will run e all is used for the interfaces not having any specific settings priority integer 0 255 default 1 router s priority It helps to determine the designated router for the network When two routers attached to a network both attempt to become the designated router the one with the higher router s prio
105. out read only integer how many bytes did the router send to the client domain read only text domain of the user if split from username idle time read only time the amount of time has the user been idle idle timeout read only time the exact value of idle timeout that applies to this user This property shows how long should the user stay idle for it to be logged off automatically keepalive timeout read only time the exact value of keepalive timeout that applies to this user This property shows how long should the user s computer stay out of reach for it to be logged off automatically limit bytes in read only integer maximal amount of bytes the user is allowed to send to the router limit bytes out read only integer maximal amount of bytes the router is allowed to send to the client mac address read only MAC address actual MAC address of the user packets in read only integer how many packets did the router receive from the client packets out read only integer how many packets did the router send to the client radius read only yes no whether the user was authenticated via RADIUS server read only name the particular server the used is logged on at Other trademarks and registred trademarks mentioned herein are properties of their respective owners session timeout read only time the exact value of session timeout that applies to this user This property shows how long should
106. place once per phase 1 exchange which happens only once between any host pair and then is kept for long time PFS adds this expensive operation also to each phase 2 exchange Diffie Hellman MODP Groups Diffie Hellman DH key exchange protocol allows two parties without any initial shared secret to create one securely The following Modular Exponential MODP Diffie Hellman also known as Oakley Groups are supported Other trademarks and registred trademarks mentioned herein are properties of their respective owners IKE Traffic To avoid problems with IKE packets hit some SPD rule and require to encrypt it with not yet established SA that this packet perhaps is trying to establish locally originated packets with UDP source port 500 are not processed with SPD The same way packets with UDP destination port 500 that are to be delivered locally are not processed in incoming policy check Setup Procedure To get IPsec to work with automatic keying using IKE ISAKMP you will have to configure policy peer and proposal optional entries For manual keying you will have to configure policy and manual sa entries Policy Settings Home menu level ip ipsec policy Description Policy table is needed to determine whether encryption should be applied to a packet Property Description action accept drop encrypt default accept specifies what action to undertake with a packet that matches the policy e accept pass the packe
107. port default a classifier by which PCQ will group its subqueues Can be used several classifiers at once e g src address src port will group all packets with different source address and source ports into separate subqueues peq limit integer default 50 number of packets that can hold a single PCQ sub queue pceq rate integer default 0 maximal data rate allowed for each PCQ sub queue Value 0 means that there is no limitation set pceq total limit integer default 2000 number of packets that can hold the whole PCQ queue pfifo limit integer maximum number of packets that the PFIFO queue can hold red avg packet integer default 1000 used by RED for average queue size calculations red burst integer value in bytes which is used for determining how fast the average queue size will be influenced by the real queue size Larger values will slow down the calculation by RED longer bursts will be allowed red limit integer value in bytes If the real queue size not average exceeds this value then all packets above this value are dropped red max threshold integer value in bytes It is the average queue size at which packet marking probability is the highest red min threshold integer average queue size in bytes When average RED queue size reaches this value packet marking becomes possible sfq allot integer default 1514 amount of bytes that a subqueue is allowed to send before the next subqueu
108. preemption mode yes no default yes whether preemption mode is enabled e no a backup node will not be elected to be a master until the current master fail even if the backup node has higher priority than the current master e yes the master node always has the priority authentication none simple ah default none authentication method to use for VRRP Other trademarks and registred trademarks mentioned herein are properties of their respective owners advertisement packets e none no authentication e simple plain text authentication e ah Authentication Header using HMAC MD5 96 algorithm password text default password required for authentication depending on method used can be ignored if no authentication used 8 character long text string for plain text authentication or 16 character long text string 128 bit key required for AH authentication on backup name default script to execute when the node switch to backup state on master name default script to execute when the node switch to master state Notes All the nodes of one cluster must have the same vrid interval preemption mode authentication and password As said before priority of 255 is reserved for the real owner of the virtual router s IP addresses Theoretically the owner should have the IP address added statically to its IP address list and also to the VRRP virtual address list but you should never do this An
109. property use peer dns under ip dhcp client is set to yes then primary dns under ip dns will change to a DNS address given by DHCP Server Example To set 159 148 60 2 as the primary DNS server and allow the router to be used as a DNS server do the following admin Lobo924 ip dns gt set primary dns 159 148 60 2 allow remote requests yes admin Lobo924 ip dns gt print primary dns 159 148 60 2 Other trademarks and registred trademarks mentioned herein are properties of their respective owners secondary dns 0 0 0 0 allow remote requests yes cache size 2048KiB cache max ttl lw cache used 17KiB admin Lobo924 ip dns gt Cache Monitoring Home menu level ip dns cache Property Description address read only IP address IP address of the host name read only name DNS name of the host ttl read only time remaining time to live for the record Static DNS Entries Home menu level ip dns static Description The Lobo OSB has an embedded DNS server feature in DNS cache It allows you to link the particular domain names with the respective IP addresses and advertize these links to the DNS clients using the router as their DNS server Property Description address IP address IP address to resolve domain name with name text DNS name to be resolved to a given IP address ttl time time to live of the DNS record Example To add a static DNS entry for www example com to be resolved
110. protocol any ip port any PRO SRC PORT DST PORT TX RX tcp 3430 22 ssh 1 06kbps 608bps udp 2812 1813 radius acct 512bps 2 11kbps tcp 1059 139 netbios ssn 248bps 360bps admin Lobo924 tool gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners Traceroute Document revision 1 8 Fri Nov 26 13 00 20 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Summary Specifications Related Documents Description The Traceroute Command Property Description Notes Example General Information Summary Traceroute determines how packets are being routed to a particular host Specifications Packages required system License required levell Home menu level tool Standards and Technologies ICMP UDP Traceroute Hardware usage Not significant Related Documents e Software Package Management IP Addresses and ARP Firewall Filters e Ping Description Traceroute is a TCP IP protocol based utility which allows user to determine how packets are being routed to a particular host Traceroute works by increasing the time to live value of packets and seeing how far they get until they reach the given destination thus a lengthening trail of hosts passed through is built up Traceroute shows the number of hops to the given host address of every passed gateway Traceroute Other trademarks and registred tr
111. put bridge routing put yes false put true aye put yes amp amp yes yes amp amp no sput no no amp amp no yes bitwise AND bitwise OR bitwise XOR admin Lobo924 0 0 0 134 admin Lobo924 shift operators admin Lobo924 2552592959 28 admin Lobo924 Concatenation interface gt interface gt interface gt interface gt sput sput 10 16 0 134 amp 255 255 255 0 OOO lt lt YE L Other trademarks and registred trademarks mentioned herein are properties of their respective owners admin Lobo924 interface gt put 1 3 admin Lobo924 interface gt put 1 2 3 127 3 admin Lobo924 interface gt put 1 3 4 13 4 admin Lobo924 interface gt put 1 2 3 4 17 23 4 admin Lobo924 interface gt put 1 3 1 14 admin Lobo924 interface gt Data types Description The OSB console differentiates between several data types which are string boolean number time interval IP address internal number and list The console tries to convert any value to the most specific type first backing if it fails The order in which the console attempts to convert an entered value is presented below list internal number number IP address time e boolean e string Internal scripting language supplies special functions to explicitly control type conversion The toarray tobool toid toip tonum tostr
112. running check yes no whether the interface should always be treated as running even if there is no connection to a remote peer framer limit integer default 4000 maximal frame size framer policy none best fit exact size default none the method how to combine frames like Other trademarks and registred trademarks mentioned herein are properties of their respective owners fast frames setting in interface configuration A number of frames may be combined into one bigger one to reduce the amout of protocol overhead and thus increase speed The card are not waiting for frames but in case a number packets are queued for transmitting they can be combined There are several methods of framing e none do nothing special do not combine packets best fit put as much packets as possible in one frame until the framer limit limit is met but do not fragment packets e exact size put as much packets as possible in one frame until the framer limit limit is met even if fragmentation will be needed best performance mac address read only MAC address MAC address of the receiving wireless card in the set mtu integer 0 1600 default 1500 Maximum Transmission Unit name name reference name of the interface rates a g multiple choice 6Mbps 9Mbps 12Mbps 1SMbps 24Mbps 36Mbps 48Mbps 54Mbps rates to be supported in 802 1 1a or 802 11g standard rates b multiple choice 1Mbps 2Mbps 5 5Mbps 11Mbps
113. same tasks as using the regular console Overview of Common Functions You can use the menu bar to navigate through the router s configuration menus open configuration windows By double clicking on some list items in the windows you can open configuration windows for the specific items and so on There are some hints for using the Winbox Console e To open the required window simply click on the corresponding menu item e Add a new entry e Remove an existing entry e Enable an item e Disable an item e Make or edit a comment e Refresh a window e Undo an action e Redo an action e Logout from the Winbox Console Troubleshooting Other trademarks and registred trademarks mentioned herein are properties of their respective owners Description e Can I run WinBox on Linux Yes you can run WinBox and connect to OSB using Wine e I cannot open the Winbox Console Check the port and address for www service in ip service print list Make sure the address you are connecting from matches the network you ve specified in address field and that you ve specified the correct port in the Winbox loader The command ip service set www port 80 address 0 0 0 0 0 will change these values to the default ones so you will be able to connect specifying just the correct address of the router in the address field of Winbox loader e The Winbox Console uses TCP port 8291 Make sure you have access to it through the firewall O
114. search key text third search key Display console commands that have hotspot add and user parts in the command s name and path admin Lobo924 gt List user hotspot add y List of console commands under matching user and hotspot and add ip hotspot profile add name hotspot address dns name Na html directory rate limit http proxy smtp server Navas login by http cookie lifetime ssl certificate split user domain x Neate use radius radius accounting radius interim updat copy from ip hotspot user add server name password address mac address Neas profile routes limit uptime limit bytes in limit bytes out Asis copy from comment disabled ip hotspot user profile add name address pool session timeout Nias idle timeout keepalive timeout status autorefresh ewes shared users rate limit incoming filter outgoing filter incoming mark outgoing mark open status pag on login on logout copy from admin Lobo924 gt local declares local variable name name of the variable text value which should be assigned to the variable admin Lobo924 gt local MyString This is a string admin Lobo924 gt local IPAddr 10 0 0 1 admin Lobo924 gt local time 0 10 admin Lobo924 gt environment print Global Variables Local Variables TPAddr 10 0 0 1 time 00 10 00 yString This is a string admin Lobo924 gt log adds a mess
115. secret gt add name ex service pptp password l1kjrht local address 10 0 103 1 remote address 10 0 103 2 admin HomeOffice ppp secret gt print detail Flags X disabled 0 name ex service pptp caller id password l1kjrht profile default local address 10 0 103 1 remote address 10 0 103 2 routes admin HomeOffice ppp secret gt Then the user should be added in the PPTP server list admin HomeOffice interface pptp server gt add user ex admin HomeOffice interface pptp server gt print Flags X disabled D dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME ENC Other trademarks and registred trademarks mentioned herein are properties of their respective owners 0 pptp inl admin HomeOf fice ex And finally the server admin HomeOffice interfac interface pptp server gt must be enabled admin HomeOf fice interfac pptp server server gt set pptp server server gt print enabled yes mtu 1460 mru 1460 authentication mschap2 default profil default admin HomeOf fice interfac pptp server server gt nabled yes Add a PPTP client to the RemoteOffice router admin RemoteOffice interface pptp client gt add connect to 192 168 80 1 user ex password lkjrht disabled no admin RemoteOffice interface pptp client gt print Flags X disabled R running 0 R name pptp out1 mtu 1460 mru 1460 connect
116. servers as soon as they appear in your network DHCP Alert tool can be used It will monitor ethernet for all DHCP replies and check whether this reply comes from a valid DHCP server If reply from unknown DHCP server is detected alert gets triggered admin Lobo924 ip dhcp server alert gt log print 00 34 23 dhcp critical error warning info debug dhcp alert on Public discovered unknown dhcp server mac 00 02 29 60 36 E7 ip 10 5 8 236 admin Lobo924 ip dhcp server alert gt When the system alerts about a rogue DHCP server it can execute a custom script As DHCP replies can be unicast rogue dhcp detector may not receive any offer to other dhcp clients at all To deal with this rogue dhcp server acts as a dhcp client as well it sends out dhcp discover requests once a minute Property Description alert timeout none time default none time after which alert will be forgotten If after that time the same server will be detected new alert will be generated e none infinite time interface name interface on which to run rogue DHCP server finder invalid server read only text list of MAC addresses of detected unknown DHCP servers Server is removed from this list after alert timeout on alert text script to run when an unknown DHCP server is detected valid server text list of MAC addresses of valid DHCP servers Notes All alerts on an interface can be cleared at any time using command ip dhep server
117. set to 2 hour admin Lobo924 system clock gt print time dec 24 2003 10 24 40 time zone 00 00 admin Lobo924 system clock gt set time zone 02 00 admin Lobo924 system clock gt print time dec 24 2003 12 24 42 time zone 02 00 admin Lobo924 system clock gt If local time is before GMT time time zone value will be negative For example if GMT is 18 00 00 but correct local time is 15 00 00 time zone has to be set to 3 hours admin Lobo924 system clock gt set time zon 3 admin Lobo924 system clock gt print time sep 24 2004 08 13 28 time zone admin Lobo924 Other trademarks and registred trademarks mentioned herein are properties of their respective owners 03 00 system clock gt Support Output File Document revision 2 1 0 Wed Mar 03 16 11 16 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Generating Support Output File Example General Information Summary The support file is used for debugging Lobo OSB and to solve the support questions faster All Lobo Router information is saved in a binary file which is stored on the router and can be downloaded from the router using ftp Specifications Packages required system License required levell Home menu level system Hardware usage Not significant Generating Support Output File Command name system sup output Example To make a Support Output File
118. signal to all running processes unmounts the file systems and halts the router For most systems it is necessary to wait approximately 30 seconds for a safe power down Notes Only users which are members of groups with reboot privileges are permitted to shutdown the router Shutdown can be called from scripts in which case it does not prompt for confirmation Other trademarks and registred trademarks mentioned herein are properties of their respective owners Example admin Lobo924 gt system shutdown Shutdown yes y N y system will shutdown promptly admin Lobo924 gt Router Identity Home menu level system identity Description The router identity is displayed before the command prompt It is also used for DHCP client as host name parameter when reporting it to the DHCP server Example To view the router identity admin Lobo924 gt system identity print name Lobo admin Lobo924 gt To set the router identity admin Lobo924 gt system identity set name Gateway admin Gateway gt Date and Time Home menu level system clock Property Description date text date in format mm DD YYY time time time in format HH MM SS time zone text UTC timezone in format HH MM or HH MM Notes It is recommended that you reboot the router after time change to obviate the possible errors in time measurments and logging Date and time settings become permanent and effect BI
119. snews dst port 443 563 method connect action deny 1 url mp 3g action deny 2 src address 10 0 0 1 32 action allow 3 url ftp action deny admin Lobo924 ip web proxy access gt Direct Access List Home menu level Ap web proxy direct Description If parent proxy property is specified it is possible to tell proxy server whether to try to pass the request to the parent proxy or to resolve it connecting to the requested server directly Direct Access List is managed just like Proxy Access List described in the previous chapter except the action argument Property Description action allow deny default allow specifies the action to perform on matched packets e allow always resolve matched requests directly bypassing the parent router e deny resolve matched requests through the parent proxy If no one is specified this has the same effect as allow dst address ZP address netmask destination address of the IP packet dst port port a list or range of ports the packet is destined to local port port specifies the port of the web proxy via which the packet was received This value should match one of the ports web proxy is listening on method any connect delete get head options post put trace HTTP method used in the request see HTTP Methods section in the end of this document Other trademarks and registred trademarks mentioned herein are properties of their respective owne
120. sre port integer 0 65535 source port number or range only for TCP or UDP protocols stp flags topology change topology change ack The BPDU Bridge Protocol Data Unit flags Bridge exchange configuration messages named BPDU peridiocally for preventing from loop e topology change topology change flag is set when a bridge detects port state change to force all other bridges to drop their host tables and recalculate network topology e topology change ack topology change acknowledgement flag is sen in replies to the Other trademarks and registred trademarks mentioned herein are properties of their respective owners notification packets stp forward delay time 0 65535 forward delay timer stp hello time time 0 65535 stp hello packets time stp max age time 0 65535 maximal STP message age stp msg age time 0 65535 STP message age stp port integer 0 65535 stp port identifier stp root address MAC address root bridge MAC address stp root cost integer 0 65535 root bridge cost stp root priority time 0 65535 root bridge priority stp sender address MAC address stp message sender MAC address stp sender priority integer 0 65535 sender priority stp type config tcn the BPDU type e config configuration BPDU e ten topology change notification vlan encap 802 2 arp ip ipv6 ipx rarp vlan the MAC protocol type encapsulated in the VLAN frame vlan id integer 0 409
121. static lease e testing testing whether this address is used or not only for dynamic leases by pinging it with timeout of 0 5s Other trademarks and registred trademarks mentioned herein are properties of their respective owners e authorizing waiting for response from radius server e busy this address is assigned statically to a client or already exists in the network so it can not be leased e offered server has offered this lease to a client but did not receive confirmation from the client e bound server has received client s confirmation that it accepts offered address it is using it now and will free the address not later than the lease time will be over tx rate integer default 0 maximal transmit bitrate to the client for users it is download bitrate e 0 no limitation Command Description check status Check status of a given busy dynamic lease and free it in case of no response make static convert a dynamic lease to static one Notes If rate limit is specified a simple queue is added with corresponding parameters when lease enters bound state Arp entry is added right after adding of queue is done only if add arp is enabled for dhcp server To be sure that client cannot use his ip address without getting dhcp lease and thus avoiding rate limit reply only mode must be used on that ethernet interface Even though client address may be changed with adding a new item in lease print list it will
122. talk to the outer networks having its source address translated to 10 5 8 200 ip firewall nat add chain srcnat src address 192 168 0 109 action sre nat to addresses 10 5 8 200 Example of 1 1 mapping If you want to link Public IP subnet 11 11 11 0 24 to local one 2 2 2 0 24 you should use destination address translation and source address translation features with action netmap ip firewall nat add chain dstnat dst address 11 11 11 1 11 11 11 254 action netmap to addresses 2 2 2 1 2 2 2 254 ip firewall nat add chain srcnat src address 2 2 2 1 2 2 2 254 action netmap to addresses 11 11 11 1 11 11 11 254 Other trademarks and registred trademarks mentioned herein are properties of their respective owners Packet Flow Document revision 2 6 Tue Jun 14 17 24 04 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Summary Specifications Related Documents Packet Flow Description General Firewall Information Description General Information Summary This manual describes the order in which an IP packet traverses various internal facilities of the router and some general information regarding packet handling common IP protocols and protocol options Specifications Packages required system License required level3 Home menu level ip firewall Standards and Technologies JP Hardware usage Increases with NAT mangle and filter rules count Related
123. template is sent to the receiving host only for NetFlow version 9 v9 template timeout after how long to send the template if it has not been sent version 5 9 which version format of NetFlow to use General Information Traffic Flow Example Other trademarks and registred trademarks mentioned herein are properties of their respective owners This example shows how to configure Traffic Flow on a router 1 Enable Traffic Flow on the router admin Lobo924 ip traffic flow gt set enabled yes admin Lobo924 ip traffic flow gt print enabled yes interfaces all cache entries 1k active flow timeout 30m inactive flow timeout 15s admin Lobo924 ip traffic flow gt 2 Specify IP address and port of the host which will receive Traffic Flow packets admin Lobo924 ip traffic flow target gt add address 192 168 0 2 2055 version 9 admin Lobo924 ip traffic flow target gt print Flags X disabled ADDRESS VERSION 0 t927 168403232055 9 admin Lobo924 ip traffic flow target gt Now the router starts to send packets with Traffic Flow information Some screenshots from NTop program which has gathered Traffic Flow information from our router and displays it in nice graphs and statistics For example where what kind of traffic has flown Top three hosts by upload and download each minute Overall network load each minute Traffic usage by each protocol Other trademarks and registred trademarks m
124. than 1Mbps and less than 2Mbps so its parent ClassB has to borrow from ClassA and becomes yellow Leaf3 still has no packets to send This scenario shows that Leafl has reached its max limit and cannot even borrow from its parent ClassA Leaf2 has hierarchical reached Level2 and borrows from ClassB which recursively must borrow from ClassA because it has not enough rate available As Leaf3 has no packets to send the only one class who sends them is Leaf2 Assume that Leaf2 is borrowing from ClassB ClassB from ClassA but ClassA reaches its max limit 2Mbps In this situation Leaf2 is in yellow state but it cannot borrow as Class B cannot borrow from Class A Finally let s see what happens if Leaf1 Leaf2 Leaf3 and ClassB are in the yellow state and ClassA is green Leafl borrows from ClassA Leaf2 and Leaf3 from ClassB and ClassB also borrows from ClassA Now all the priorities have moved to Level2 So Leaf2 is on the highest priority and is served at first As Leafl and Leaf3 are at the same priority 8 on the same level 2 they are served using the round robin algorithm Bursts Other trademarks and registred trademarks mentioned herein are properties of their respective owners Bursts are used to allow higher data rates for a short period of time Every second the router calculates the average data rate of each class over the last burst time seconds If this average data rate is less than burst threshold burst is e
125. than one gateway for one destination network Note This approach does not provide failover With ECMP a router potentially has several available next hops towards a given destination A new gateway is chosen for each new source destination IP pair It means that for example one FTP connection will use only one link but new connection to a different server will use another link ECMP routing has another good feature single connection packets do not get reordered and therefore do not kill TCP performance The ECMP routes can be created by routing protocols RIP or OSPF or by adding a static route with multiple gateways separated by a comma eg ip route add gateway 192 168 0 1 192 168 1 1 The routing protocols may create routes dynamic with equal cost automatically if the cost of the interfaces is adjusted propery For more information on using routing protocols please read the corresponding Manual Policy Based Routing It is a routing approach where the next hop gateway for a packet is chosen based on a policy which is configured by the network administrator In OSB the procedure the follwing mark the desired packets with a routing mark e choose a gateway for the marked packets Note In routing process the router decides which route it will use to send out the packet Afterwards when the packet is masqueraded its source address is taken from the prefsrce field Routes Home menu level ip route Description
126. their respective owners Description Netwatch monitors state of hosts on the network It does so by sending ICMP pings to the list of specified IP addresses For each entry in netwatch table you can specify IP address ping interval and console scripts The main advantage of netwatch is it s ability to issue arbitrary console commands on host state changes Property Description down script name a console script that is executed once when state of a host changes from unknown or up to down host IP address default 0 0 0 0 IP address of host that should be monitored interval time default 1s the time between pings Lowering this will make state changes more responsive but can create unnecessary traffic and consume system resources since read only time indicates when state of the host changed last time status read only up down unknown shows the current status of the host e up the host is up e down the host is down e unknown after any properties of this list entry were changed or the item is enabled or disabled timeout time default 1s timeout for each ping If no reply from a host is received during this time the host is considered unreachable down up script name a console script that is executed once when state of a host changes from unknown or down to up Example This example will run the scripts gw_1 or gw_2 which change the default gateway depending on the status of one of the
127. this services Property Description name name reference name subject read only text holder subject of the certificate issuer read only text issuer of the certificate serial number read only text serial number of the certificate invalid before read only date date the certificate is valid from invalid after read only date date the certificate is valid until ca yes no default yes whether the certificate is used for building or verifying certificate chains as Certificate Authority Command Description import install new certificates e file name import only this file all files are searched for certificates by default e passphrase passphrase for the found encrypted private key e certificates imported how many new certificates were successfully imported e private keys imported how many private keys for existing certificates were successfully imported e files imported how many files contained at least one item that was successfully imported decryption failures how many files could not be decrypted keys with no certificate how many public keys were successfully decrypted but did not have matching certificate already installed reset certificate cache delete all cached decrypted public keys and rebuild the certificate cache Other trademarks and registred trademarks mentioned herein are properties of their respective owners decrypt decrypt and cache public keys e pas
128. time stopped fadmin Lobo924 tool sniffer gt start admin Lobo924 tool sniffer gt stop Below the sniffed packets will be saved in the file named test fadmin Lobo924 tool sniffer gt save file name test admin Lobo924 tool sniffer gt file print NAME TYPE SIZE CREATION TIME 0 test unknown 1350 apr 07 2003 16 01 52 admin Lobo924 tool sniffer gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners Sniffed Packets Home menu level tool sniffer packet Description The submenu allows to see the list of sniffed packets Property Description data read only text specified data inclusion in packets dst address read only IP address IP destination address fragment offset read only integer IP fragment offset identification read only integer IP identification ip header size read only integer the size of IP header ip packet size read only integer the size of IP packet ip protocol ip icmp igmp ggp ipencap st tcp egp pup udp hmp xns idp rdp iso tp4 xtp ddp idrp cmtp gre esp ah rspf vmtp ospf ipip encap the name number of IP protocol e ip Internet Protocol e icmp Internet Control Message Protocol e igmp Internet Group Management Protocol e ggp Gateway Gateway Protocol e ipencap IP Encapsulated in IP e st st datagram mode e tcp Transmission Control Proto
129. to 192 168 80 1 user ex password 1kjrht profile default add default route no admin RemoteOffice interface pptp client gt Thus a PPTP tunnel is created between the routers This tunnel is like an Ethernet point to point connection between the routers with IP addresses 10 0 103 1 and 10 0 103 2 at each router It enables direct communication between the routers over third party networks To route the local Intranets over the PPTP tunnel you need to add these routes admin HomeOffice gt ip route add dst address 10 150 1 0 24 gateway 10 0 103 2 admin RemoteOffice gt ip route add dst address 10 150 2 0 24 gateway 10 0 103 1 On the PPTP server it can alternatively be done using routes parameter of the user configuration admin HomeOffice ppp secret gt print detail Flags X disabled 0 name ex service pptp caller id password l1kjrht profile default local address 10 0 103 1 remote address 10 0 103 2 routes admin HomeOffice ppp secret gt set 0 routes 10 150 1 0 24 10 0 103 2 1 admin HomeOffice ppp secret gt print detail Flags X disabled 0 name ex service pptp caller id password l1kjrht profile default local address 10 0 103 1 remote address 10 0 103 2 routes 10 150 1 0 24 10 0 103 2 1 admin HomeOffice ppp secret gt Test the PPTP tunnel connection admin RemoteOffice gt ping 10 0 103 1 10 0 103 1 pong ttl 255 time 3 ms 10 0 103 1 pong ttl 255 time 3 ms
130. to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Description Client Property Description Example Server Property Description Notes Example Time Zone Notes Example General Information Summary NTP protocol allows synchronizing time among computers in network It is good if there is an internet connection available and local NTP server is synchronized to correct time source List of publec NTP servers is available at http www eecis udel edu mills ntp servers html Specifications Packages required ntp License required levell Home menu level system ntp Standards and Technologies NTP version 3 RFC 1305 Hardware usage Not significant Related Documents e Package Management IP Addresses and ARP Description Network Time Protocol NTP is used to synchronize time with some NTP servers in a network Other trademarks and registred trademarks mentioned herein are properties of their respective owners Lobo OSB provides both NTP client and NTP server NTP server listens on UDP port 123 NTP client synchronizes local clock with some other time source NTP server There are 4 modes in which NTP client can operate at unicast Client Server mode NTP client connects to specified NTP server IP address of NTP server must be set in ntp server and or second ntp server parameters At first client synchronizes to NTP server Afterwards client periodic
131. to detect TCP and UDP scans It is advised to assign lower weight to ports with high numbers to reduce the frequency of false positives such as from passive mode FTP transfers e WeightThreshold total weight of the latest TCP UDP packets with different destination ports coming from the same host to be treated as port scan sequence e DelayThreshold delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence e LowPortWeight weight of the packets with privileged lt 1024 destination port e HighPortWeight weight of the packet with non priviliged destination port random integer 1 99 matches packets randomly with given propability reject with icmp admin prohibited icmp echo reply l icmp host prohibited icmp host unreachable icmp net prohibited icmp network unreachable icmp port unreachable icmp protocol unreachable tcp reset integer alters the reply packet of reject action routing mark name matches packets marked by mangle facility with particular routing mark src address ZP address netmask IP address IP address specifies the address range an IP packet is originated from Note that console converts entered address netmask value to a valid network address 1 e 1 1 1 1 24 is converted to 1 1 1 0 24 src address list name matches source address of a packet against user defined address list src address type unicast local broa
132. to tell proxy server whether to try to pass the request to the parent proxy or to resolve it connecting to the requested server directly Direct Access List is managed just like Proxy Access List described in the previous chapter except the action argument Property Description action allow deny default allow specifies the action to perform on matched packets e allow always resolve matched requests directly bypassing the parent router e deny resolve matched requests through the parent proxy If no one is specified this has the same effect as allow dst address JP address netmask destination address of the IP packet dst host text IP address or DNS name used to make connection the target server this is the string user wrote in his her browser before specifying port and path to a particular web page dst port port a list or range of ports the packet is destined to method any connect delete get head options post put trace HTTP method used in the Other trademarks and registred trademarks mentioned herein are properties of their respective owners request see HTTP Methods section in the end of this document path wildcard name of the requested page within the target server i e the name of a particular wed page or document without the name of the server it resides on src address JP address netmask source address of the IP packet Notes Unlike the access list the direct proxy access
133. to the network e unknown the connection is not recognized rate 10 Mbps 100 Mbps 1 Gbps the actual data rate of the connection auto negotiation done incomplete fast link pulses FLP to the adjacent link station to negotiate the SPEED and MODE of the link e done negotiation done e incomplete negotiation failed full duplex yes no whether transmission of data occurs in two directions simultaneously Notes See the IP Addresses and ARP section of the manual for information how to add IP addresses to the interfaces Example admin Lobo924 interfac thernet gt monitor etherl ether2 status link ok link ok auto negotiation done done rate 100Mbps 100Mbps full duplex yes yes Troubleshooting Description e Interface monitor shows wrong information In some very rare cases it is possible that the device driver does not show correct information Other trademarks and registred trademarks mentioned herein are properties of their respective owners but it does not affect the NIC s performance of course if your card is not broken Other trademarks and registred trademarks mentioned herein are properties of their respective owners M3P Document revision 0 3 0 Wed Mar 03 16 07 55 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Description Setup Description Property Description Notes Example General Informatio
134. to turn the router s external interface off without any authentication procedure is required by the standard but as it is sometimes not expected or unwanted in UPnP deployments which the standard was not designed for it was designed mostly for home users to establish their local networks you can disable this behavior enabled yes no default no whether UPnP feature is enabled show dummy rule yes no default yes this is to enable a workaround for some broken implementations which are handling the absense of UPnP rules inincorrectly for example popping up error messages This option will instruct the server to install a dummy meaningless UPnP rule that can be observed by the clients which refuse to work correctly otherwise Example To enable UPnP feature admin Lobo924 ip upnp gt set enable yes admin Lobo924 ip upnp gt print enabled yes allow disabl xternal interface yes show dummy rule yes admin Lobo924 ip upnp gt UPnP Interfaces Home menu level Ap upnp interfaces Property Description interface name interface name UPnP will be run on type external internal interface type one of the e external the interface global IP address is assigned to internal router s local interface Other trademarks and registred trademarks mentioned herein are properties of their respective owners Notes It is highly recommended to upgrade DirectX runtime libraries to version DirectX 9 0
135. use peer dns yes no default no whether to set the router s default DNS to the PPP peer DNS i e whether to get DNS settings from the peer Notes If there is a default route add default route will create a new default route but will not set it active In order to make the default route created by add default route active all other default routes have to be disabled Example To add and enable PPPoE client on the gig interface connecting to the AC that provides testSN service using user name john with the password password admin RemoteOffice interface pppoe client gt add interface gig service name testSN user john password password disabled no admin RemoteOffice interface pppoe client gt print Flags X disabled R running 0 R name pppoe out1 mtu 1480 mru 1480 interface gig user john password password profile default service name testSN ac name add default route no dial on demand no use peer dns no Monitoring PPPoE Client Command name interface pppoe client monitor Property Description status text status of the client e Dialing attempting to make a connection e Verifying password connection has been established to the server password verification in progress e Connected self explanatory e Terminated interface is not enabled or the other side will not establish a connection uptime time connection time displayed in days hours minutes and seconds
136. used instead Note that to ports is meaningful for redirect rules this is the port of the service on the router that will handle these requests e g web proxy When packet is dst natted no matter action nat or action redirect dst address is changed Information about translation of addresses including original dst address is kept in router s internal tables Transparent web proxy working on router when web requests get redirected to proxy port on router can access this information from internal tables and get address of web server from them If you are dst natting to some different proxy server it has no way to find web server s address from IP header because dst address of IP packet that previously was address of web server has changed to address of proxy server Starting from HTTP 1 1 there is special header in HTTP request which tells web server address so proxy server can use it instead of dst address of IP packet If there is no such header older HTTP version on client proxy server can not determine web server address and therefore can not work Other trademarks and registred trademarks mentioned herein are properties of their respective owners It means that it is impossible to correctly transparently redirect HTTP traffic from router to some other transparent proxy box Only correct way is to add transparent proxy on the router itself and configure it so that your real proxy is parent proxy In this situation your real
137. value If no SA is found the packet is dropped If SA is found packet is decrypted Then decrypted packet s fields are compared to policy rule that SA is linked to If the packet does not match the policy rule it is dropped If the packet is decrypted fine or authenticated fine it is received once more it goes through dst nat and routing which finds out what to do either forward or deliver locally again Note that before forward and input firewall chains a packet that was not decrypted on local host is compared with SPD reversing its matching rules If SPD requires encryption there is valid SA associated with matching SPD rule the packet is dropped This is called incoming policy check Other trademarks and registred trademarks mentioned herein are properties of their respective owners Internet Key Exchange The Internet Key Exchange IKE is a protocol that provides authenticated keying material for Internet Security Association and Key Management Protocol ISAKMP framework There are other key exchange schemes that work with ISAKMP but IKE is the most widely used one Together they provide means for authentication of hosts and automatic management of security associations SA Most of the time IKE daemon is doing nothing There are two possible situations when it is activated e There is some traffic caught by a policy rule which needs to become encrypted or authenticated but the policy doesn t have any SAs The policy not
138. vrrp gt address print Flags X disabled A activ ADDRESS NETWORK BROADCAST VIRUAL ROUTER 0 192 168 1 1 24 192 168 1 0 192 168 1 255 vrl admin Lobo924 ip vrrp gt A simple example of VRRP fail over Description 192 168 1 1 192 168 1 0 24 VRRP protocol may be used to make a redundant Internet connection with seamless fail over Let us assume that we have 192 168 1 0 24 network and we need to provide highly available Internet connection for it This network should be NATted to make fail over with public IPs use such dynamic routing protocols as BGP or OSPF together with VRRP We have connections to two different Internet Service Providers ISPs and one of them is preferred for example it is cheaper or faster Other trademarks and registred trademarks mentioned herein are properties of their respective owners This example shows how to configure VRRP on the two routers shown on the diagram The routers must have initial configuration interfaces are enabled each interface have appropriate IP address note that each of the two interfaces should have an IP address routing table is set correctly it should have at least a default route SRC NAT or masquerading should also be configured before See the respective manual chapters on how to make this configuration We will assume that the interface the 192 168 1 0 24 network is connected to is named local on both VRRP routers Configuring Master VRRP rout
139. where the jump took place e tarpit captures and holds incoming TCP connections replies with SYN ACK to the inbound TCP SYN packet address list name specifies the name of the address list to collect IP addresses from rules having action add dst to address list or action add src to address list actions These address lists could be later used for packet matching address list timeout time default 00 00 00 time interval after which the address will be removed from the address list specified by address list parameter Used in conjunction with add dst to address list or add src to address list actions e 00 00 00 leave the address in the address list forever chain forward input output name specifies the chain to put a particular rule into As the different traffic is passed through different chains always be careful in choosing the right chain for a new rule If the input does not match the name of an already defined chain a new chain will be created comment text a descriptive comment for the rule A comment can be used to identify rules form scripts connection mark name matches packets marked via mangle facility with particular connection mark connection bytes integer integer matches packets only if a given amount of bytes has been transfered through the particular connection e 0 means infinity exempli gratia connection bytes 2000000 0 means that the rule matches if more than 2MB has been transfered thro
140. 0 5260 5280 5300 5320 5745 5765 5785 5805 for 5GHz turbo 5210 5250 5290 5760 5800 security profile text default default which security profile to use Define security profiles under interface wireless security profiles where you can setup WPA or WEP wireless security for further details see the Security Profiles section of this manual ssid text default Lobo Service Set Identifier Used to separate wireless networks supported rates a g multiple choice 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps rates to be supported in 802 1 1a or 802 11g standard supported rates b multiple choice 1Mbps 2Mbps 5 5Mbps 11Mbps rates to be supported in 802 11b standard tx power integer 30 30 default 17 manually sets the transmit power of the card in dBm if tx power mode is set to manual or all rates fixed see tx power mode description below e default default value of the card tx power mode all rates fixed card rates default manual table default default choose the transmit power mode for the card e all rates fixed use one transmit power value for all rates as configured in tx power e card rates use card default rates e default use the default tx power e manual table use the transmit powers as defined in interface wireless manual tx power table update stats interval time how often to update statistics in interface wireless registration table wds default bridge
141. 0 0 0 8000 proxy no O 0 0 0 20 webmaster 4096 KiB cache drive max cache size unlimited status reserved for cache reserved for ram cache max ram cache siz system 1048576 KiB rebuilding cache 9216 KiB 2048 KiB admin Lobo924 ip web proxy gt Remember to secure your proxy by preventing unauthorized access to it Specifications Packages required web proxy License required level3 Home menu level Ap web proxy Standards and Technologies HTTP 1 0 HTTP 1 1 FTP Hardware usage uses memory and disk space if available see description below Related Documents Software Package Management e IP Addresses and ARP Description Web proxy performs Internet object cache function by storing requested Internet objects i e data available via HTTP and FTP protocols on a system positioned closer to the recipient than the site the data is originated from Here closer means increased path reliability speed or both Web browsers can then use the local proxy cache to speed up access and reduce bandwidth consumption When setting up Web proxy make sure it serves only your clients and is not misused as relay Please read the security notice in the Access List Section Other trademarks and registred trademarks mentioned herein are properties of their respective owners Note that it may be useful to have Web proxy running even with no cache when you want to use it as something like
142. 0 0 5005 0 5010 0 5015 0 5020 0 5025 0 5030 0 5035 5040 0 5045 0 5050 0 5055 0 5060 0 5065 0 5070 0 5075 5080 0 5085 0 5090 0 5095 0 5100 0 5105 0 5110 0 5115 oo0oo0oo0oooo oO O yy SSN YYW 5ghz turbo channels 4920 0 4925 0 4930 0 4935 0 4940 0 4945 0 4950 0 4955 4960 0 4965 0 4970 0 4975 0 4980 0 4985 0 4990 0 4995 5000 0 5005 0 5010 0 5015 0 5020 0 5025 0 5030 0 5035 5040 0 5045 0 5050 0 5055 0 5060 0 5065 0 5070 0 5075 5080 0 5085 0 5090 0 5095 0 5100 0 5105 0 5110 0 5115 eet eteteteexe yy NNN YY Other trademarks and registred trademarks mentioned herein are properties of their respective owners ol en od oO lo ol o A ol O U oO ol io oO ol o gt ol uo ie ol fon o gt io o ol oO fon ol ie ol Oo I io i ol Oo NJ ol OGOGOOGGOOOOGOGGOGOOOGOOOGOOGOGOOO ee ee ee ee ee nn 2ghz g channels 2312 0 2317 0 2322 0 2327 0 2332 0 2337 0 2342 0 2347 2352 0 2357 0 2362 0 2367 0 2372 0 2377 0 2382 0 2387 2392 0 2397 0 2402 0 2407 0 2412 0 2417 0 2422 0 2427 2432 0 2437 0 2442 0 2447 0 2452 0 2457 0 2462 0 2467 2472 0 2477 0 2482 0 2487 0 2492 0 2497 0 2314 0 2319 2324 0 2329 0 2334 0 2339 0 2344 0 2349 0 2354 0 2359 2364 0 2369 0 2374 0 2379 0 2384 0 2389 0 2394 0 2399 2404 0 2409 0 2414 0 2419 0 2424 0 2429 0 2434 0 2439 2444 0 2449 0 2454 0 2459 0 2464 0 2469 0 2474 0 2479 2484 0 2489 0 2494 0 2499 0 2ghz g tu
143. 0 24 e transport mode example using ESP with automatic keying e for Router1 admin Routerl gt ip ipsec action encrypt admin Routerl gt ip ipsec secret gvejimezyfopm for Router2 admin Router2 gt ip ipsec action encrypt admin Router2 gt ip ipsec secret gvejimezyfopm policy add sa src address 1 0 0 1 sa dst address 1 0 0 2 peer add address 1 0 0 2 kun policy add sa src address 1 0 0 2 sa dst address 1 0 0 1 peer add address 1 0 0 1 kun e transport mode example using ESP with automatic keying and automatic policy generating on Router 1 and static policy on Router 2 e for Router1 admin Routerl gt ip ipsec peer add address 1 0 0 0 24 secret gvejimezyfopm for Router2 admin Router2 gt ip ipsec action encrypt admin Router2 gt ip ipsec kun generate policy yes policy add sa src address 1 0 0 2 sa dst address 1 0 0 1 peer add address 1 0 0 1 Other trademarks and registred trademarks mentioned herein are properties of their respective owners secret gvejimezyfopmekun tunnel mode example using AH with manual keying e for Router1 admin Routerl gt ip ipsec manual sa add name ah sal ah spi 0x101 0x100 ah key abcfed admin Routerl gt ip ipsec policy add src address 10 1 0 0 24 dst address 10 2 0 0 24 action encrypt ipsec protocols ah tunnel yes sa src 1 0 0 1 sa dst 1 0 0 2
144. 000 queue tree add parent Upload queue pcq upload packet mark users Note If your ISP cannot guarantee you a fixed amount of traffic you can use just one queue for upload and one for download attached directly to the interface queue tree add parent Local queue pcq download packet mark users queue tree add parent Public queue pcq upload packet mark users Other trademarks and registred trademarks mentioned herein are properties of their respective owners Filter Document revision 2 6 Tue Mar 08 11 13 55 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Quick Setup Guide Specifications Related Documents Firewall Filter Description Property Description Notes Filter Applications Protect your OSB router Protecting the Customer s Network General Information Summary The firewall implements packet filtering and thereby provides security functions that are used to manage data flow to from and through the router Along with the Network Address Translation it serve as a tool for preventing unauthorized access to directly attached networks and the router itself as well as a filter for outgoing traffic Quick Setup Guide e To add a firewall rule which drops all TCP packets that are destined to port 135 and going through the router use the following command ip firewall filter add chain forward dst port 135 protocol tcp action drop e To deny acces to the router via Tel
145. 0012A 9437482 transform esp des esp sha hmac in use settings Tunnel slot 0 conn id 2000 flow_id 1 crypto map mymap sa timing remaining key lifetime k sec 4607891 1034 IV size 8 bytes replay detection support Y inbound ah sas inbound pcp sas outbound esp sas spi 0x1308650C 319317260 transform esp des esp sha hmac in use settings Tunnel slot 0 conn id 2001 flow_id 2 crypto map mymap sa timing remaining key lifetime k sec 4607893 1034 IV size 8 bytes replay detection support Y outbound ah sas outbound pcp sas ge n aa we Lobo Router and Linux FreeS WAN In the test scenario we have 2 private networks 10 0 0 0 24 connected to the MT and 192 168 87 0 24 connected to Linux MT and Linux are connected together over the public network 192 168 0 0 24 Other trademarks and registred trademarks mentioned herein are properties of their respective owners interface ether1 address 192 168 0 155 interface ethO address 192 168 0 108 interface ethi address 192 168 87 5 network 192 168 87 0 24 interface ether2 address 10 0 0 254 network 10 0 0 0 24 e FreeS WAN configuration config setup interfaces ipsec0O eth0 klipsdebug none plutodebug all plutoload search plutostart search uniqueids yes conn default keyingtries 0 disablearrivalcheck no authby rsasig conn mt left 192 168 0 108 leftsubnet 192 168 87
146. 020 6025 6030 6035 6040 6045 6050 6055 6060 6065 6070 6075 6080 6085 6090 6095 6100 the list of 5GHz channels frequencies are given in MHz 5ghz turbo channels multiple choice read only 4920 4925 4930 4935 4940 4945 4950 4955 4960 4965 4970 4975 4980 4985 4990 4995 5000 5005 5010 5015 5020 5025 5030 5035 5040 5045 5050 5055 5060 5065 5070 5075 5080 5085 5090 5095 5100 5105 5110 5115 5120 5125 5130 5135 5140 5145 5150 5155 5160 5165 5170 5175 5180 5185 5190 5195 5200 5205 5210 5215 5220 5225 5230 5235 5240 5245 5250 5255 5260 5265 5270 5275 5280 5285 5290 5295 5300 5305 5310 5315 5320 5325 5330 5335 5340 5345 5350 5355 5360 5365 5370 5375 5380 5385 5390 5395 5400 5405 5410 5415 5420 5425 5430 5435 5440 5445 5450 5455 5460 5465 5470 5475 5480 5485 5490 5495 5500 5505 5510 5515 5520 5525 5530 5535 5540 5545 5550 5555 5560 5565 5570 5575 5580 5585 5590 5595 5600 5605 5610 5615 5620 5625 5630 5635 5640 5645 5650 5655 5660 5665 5670 5675 5680 5685 5690 5695 5700 5705 5710 5715 5720 5725 5730 5735 5740 5745 5750 5755 5760 5765 5770 5775 5780 5785 5790 5795 5800 5805 5810 5815 5820 5825 5830 5835 5840 5845 5850 5855 5860 5865 5870 5875 5880 5885 5890 5895 5900 5905 5910 5915 5920 5925 5930 5935 5940 5945 5950 5955 5960 5965 5970 5975 59
147. 0s e refresh timeout secs status page refresh timeout in seconds 90s e session timeout session time left for the user 5h or if none wer e session timeout secs session time left for the user in seconds 3475 or if there is such timeout e uptime current session uptime 10h2m33s e uptime secs current session uptime in seconds 125 User status information bytes in number of bytes received from the user 15423 bytes in nice user friendly form of number of bytes received from the user 15423 e bytes out number of bytes sent to the user 11352 e bytes out nice user friendly form of number of bytes sent to the user 11352 e packets in number of packets received from the user 251 e packets out number of packets sent to the user 211 e remain bytes in remaining bytes until limit bytes in will be reached 337465 or if there is no limit e remain bytes out remaining bytes until limit bytes out will be reached 124455 or if there is no limit Traffic counters which are available only in status page e session id value of session id parameter in the last request e var value of var parameter in the last request e error error message if something failed invalid username or password e error orig original error message without translations retrieved from errors txt if something failed invalid username or password e chap i
148. 1 Io 10 3 0 0 24 110 2 DC 10 3 0 0 24 60404020 0 to_peer_1l 3 Io 10 2 0 0 24 110 4 DC 10 2 0 0 24 E 10 0 0 0 0 to_main 5 Do 10 1 0 0 24 r 10 2 0 2 110 to_main Functioning of the Backup If the link between routers OSPF_MAIN and OSPF_peer_1 goes down we have the following situation a ae Tit to_ peer 10 2 0 2 cost 1 to main 10 2 0 1 a The OSPF routing changes as follows Routes on OSPF_MAIN router admin OSPF_MAIN ip route gt print Flags X disabled I invalid D dynamic J rejected Cc connect S static r rip o ospf b bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE Other trademarks and registred trademarks mentioned herein are properties of their respective owners On OSPF_peer_1 admin OSPF_peer_1 O Io 192 168 0 0 24 1 DC 192 168 0 0 24 2 Do 10 3 0 0 24 3 Io 10 2 0 0 24 4 DC 10 2 0 0 24 5 Io 10 1 0 0 24 6 DC 10 1 0 0 24 Flags X disabled I invalid D dynamic connect S static i rip ospi DST ADDRESS G GATEWAY 0 Do 192 168 0 0 24 r 10 3 0 2 1 Io 192 168 0 0 24 2 DC 10 3 0 0 24 r 0 0 0 0 3 Do 10 2 0 0 24 10534022 4 Io 10 1 0 0 24 5 DC 10 1 0 0 24 02 0 0 0 On OSPF_peer_2 admin OSPF_peer_2 Flags X disabled C connect S stat DST ADDRESS 0 Do 192 168 0 0 24 1 Io 10 3 0 0 24 2 DC 10 3 0 0 24 3 Io 10 2 0 0 24 4 DC 10 2 0 0 24 5 Do 10 1 0 0 24 The change of the routing take
149. 1 pppsync admin Lobo924 ip address gt admin Lobo924 ip address gt route print detail Flags X disabled I invalid D dynamic J rejected Cc connect S static R rip O ospf B bgp 0 S dst address 0 0 0 0 0 preferred source 0 0 0 0 gateway 192 168 0 1 gateway state reachable distance 1 interface pppsync 1 DC dst address 192 168 0 1 32 preferred source 10 0 0 214 gateway 0 0 0 0 gateway state reachable distance 0 interface pppsync admin Lobo924 ip address gt As you can see a dynamic connected route has been automatically added to the routes list If you want the default gateway be the other router of the p2p link just add a static route for it It is shown as 0 in the example above Troubleshooting Description e Router shows that the IP address is invalid Check whether the interface exists to which the IP address is assigned Or maybe it is disabled It is also possible that the system has crashed reboot the router e Router shows that the ARP entry is invalid Check whether the interface exists to which the ARP entry is assigned Or maybe it is disabled Check also for an IP address for the particular interface Other trademarks and registred trademarks mentioned herein are properties of their respective owners OSPF Document revision 1 3 Mon Sep 06 04 56 42 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications
150. 13 ppp profile gt Use Van Jacobson compression only if you have to because it may slow down the communications on bad or congested channels incoming filter and outgoing filter arguments add dynamic jump rules to chain ppp where the jump target argument will be equal to incoming filter or outgoing filter argument in ppp profile Therefore chain ppp should be manually added before changing these arguments only one parameter is ignored if RADIUS authentication is used Example To add the profile ex that assigns the router itself the 10 0 0 1 address and the addresses from the ex pool to the clients filtering traffic coming from clients through mypppclients chain admin rb13 ppp profile gt add name ex local address 10 0 0 1 remote address ex incoming filter mypppclients admin rb13 ppp profile gt print Flags default 0 name default use compression no use vj compression no us ncryption no only one no change tcp mss yes 1 name ex local address 10 0 0 1 remote address ex use compression default use vj compression default use encryption default only one default change tcp mss default incoming filter mypppclients 2 name default encryption use compression default use vj compression default use encryption yes only one default change tcp mss default admin rb13 ppp profile gt Local PPP User Database Home menu level ppp secret Description PPP User Database stores PPP user acc
151. 2 Notes For bidirectional connections two entries will be created Each IP pair uses approximately 100 bytes When the threshold limit is reached no new IP pairs will be added to the accounting table Each packet that is not accounted in the accounting table will then be added to the uncounted counter Example Enable IP accounting admin Lobo924 ip accounting gt set enabled yes admin Lobo924 ip accounting gt print enabled yes threshold 256 admin Lobo924 ip accounting gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners Example See the uncounted packets admin Lobo924 ip accounting uncounted gt print packets 0 bytes 0 admin Lobo924 ip accounting uncounted gt Local IP Traffic Accounting Table Home menu level ip accounting snapshot Description When a snapshot is made for data collection the accounting table is cleared and new IP pairs and traffic data are added The more frequently traffic data is collected the less likelihood that the IP pairs thereshold limit will be reached Property Description bytes read only integer total number of bytes matched by this entry dst address read only IP address destination IP address dst user read only text recipient s name if aplicable packets read only integer total number of packets matched by this entry src address read only IP address source IP address src user rea
152. 2 6F 01 C designated port 28417 designated cost 0 Q quit D dump C z pause 31 2 31 Bridge Host Monitoring Command name interface bridge host Property Description age read only time the time since the last packet was received from the host bridge read only name the bridge the entry belongs to local read only flag whether the host entry is of the bridge itself that way all local interfaces are shown mac address read only MAC address host s MAC address on interface read only name which of the bridged interfaces the host is connected to Example To get the active host table admin Lobo924 interface bridge host gt print Flags L local BRIDGE MAC ADDRESS ON INTERFACE AGE bridgel 00 00 B4 5B A6 58 etherl 4m48s bridgel 00 30 4F 18 58 17 etherl 4m50s L bridgel 00 50 08 00 00 F5 etherl Os L bridgel 00 50 08 00 00 F6 ether2 Os bridgel 00 60 52 0B B4 81 etherl 4m50s bridgel 00 CO DF 07 5E E6 etherl 4m46s bridgel 00 E0 C5 6E 23 25 prisml 4m48s bridgel 00 E0 F7 7F 0A B8 etherl 1s admin Lobo924 interface bridge host gt Bridge Firewall General Description Home menu level Ainterface bridge filter interface bridge nat interface bridge broute Description The bridge firewall implements packet filtering and thereby provides security functions that are Other trademarks and registred trademarks mentioned herein are propert
153. 24 The network is served through the Local interface of customer s router The basic network setup is in the following diagram To solve this situation we will use simple queues IP addresses on Lobo router admin Lobo924 ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 192 168 0 254 24 192 168 0 0 192 168 0 255 Local l 10 5 8 104 24 10 5 8 0 10 5 8 255 Public admin Lobo924 ip address gt And routes admin Lobo924 ip route gt print Flags X disabled A active D dynamic connect S static r rip b bgp ospf DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 ADC 10 5 8 0 24 Public 1 ADC 192 168 0 0 24 Local 2A S 0 0 0 0 0 E 10 5 8 1 Public admin Lobo924 ip route gt Add a simple queue rule which will limit the download traffic to 128Kib s and upload to 64Kib s for clients on the network 192 168 0 0 24 served by the interface Local admin Lobo924 queue simple gt add name Limit Local interface Local target address 192 168 0 0 24 max limit 65536 131072 admin Lobo924 queue simple gt print Other trademarks and registred trademarks mentioned herein are properties of their respective owners Flags X disabled I invalid D dynamic 0 name Limit Local target addresses 192 168 0 0 24 dst address 0 0 0 0 0 interface Local parent none priority 8 queue default default limit at 0 0 max
154. 300 accounting backup no realm admin DHCP Server radius gt Setup DHCP Server 1 Create an address pool ip pool add name Radius Clients ranges 192 168 0 11 192 168 0 100 2 Adda DHCP server ip dhcp server add address pool Radius Clients use radius yes interface Local disabled no 3 Configure DHCP networks ip dhcp server network add address 192 168 0 0 24 gateway 192 168 0 1 dns server 159 148 147 194 159 148 60 20 Now the client with MAC address 00 0B 6B 31 02 4B will always receive IP address 192 168 0 55 Other trademarks and registred trademarks mentioned herein are properties of their respective owners DNS Client and Cache Document revision 1 2 Fri Apr 15 17 37 43 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Description Additional Documents Client Configuration and Cache Setup Description Property Description Notes Example Cache Monitoring Property Description Static DNS Entries Description Property Description Example Flushing DNS cache Command Description Example General Information Summary DNS cache is used to minimize DNS requests to an external DNS server as well as to minimize DNS resolution time This is a simple recursive DNS server with local items Specifications Packages required system License required level Home menu level ip dns Standards and Technologie
155. 445 action drop comment deny cifs add chain tcp protocol tcp dst port 2049 action drop comment deny NFS add chain tcp protocol tcp dst port 12345 12346 action drop comment deny NetBus add chain tcp protocol tcp dst port 20034 action drop comment deny NetBus add chain tcp protocol tcp dst port 3133 action drop comment deny BackOriffice add chain tcp protocol tcp dst port 67 68 action drop comment deny DHCP Deny udp ports in udp chain add chain udp protocol udp dst port 69 action drop comment deny TFTP add chain udp protocol udp dst port 111 action drop comment deny PRC portmapper add chain udp protocol udp dst port 135 action drop comment deny PRC portmapper add chain udp protocol udp dst port 137 139 action drop comment deny NBT add chain udp protocol udp dst port 2049 action drop comment deny NFS add chain udp protocol udp dst port 3133 action drop comment deny BackOriffice Allow only needed icmp codes in icmp chain add chain icmp protocol icmp icmp options 0 0 action accept comment drop invalid connections add chain icmp protocol icmp icmp options 3 0 action accept comment allow established connections add chain icmp protocol icmp icmp options 3 1 action accept comment allow already established connections add chain icmp protocol icmp icmp options 4 0 action accept comment allow source quench add chain icmp protocol icmp icmp options 8 0 action accept comment allow echo request add chain icmp protocol
156. 5 VLAN identifier field vlan priority integer 0 7 the user priority field Notes stpmatchers are only valid if destination MAC address is 01 80 C2 00 00 00 FF FF FF FF FF FF Bridge Group address also stp should be enabled ARP matchers are only valid if mac protocol is arp or rarp VLAN matchers are only valid for vlan ethernet protocol IP related matchers are only valid if mac protocol is set as ipv4 802 3 matchers are only consulted if the actual frame is compliant with IEEE 802 2 and IEEE 802 3 standards note it is not the industry standard Ethernet frame format used in most networks worldwide These matchers are ignored for other packets Bridge Packet Filter Home menu level Ainterface bridge filter Description This section describes bridge packet filter specific filtering options which were omitted in the general firewall description Property Description action accept drop jump log mark passthrough return default accept action to undertake Other trademarks and registred trademarks mentioned herein are properties of their respective owners if the packet matches the rule one of the e accept accept the packet No action i e the packet is passed through without undertaking any action and no more rules are processed in the relevant list chain e drop silently drop the packet without sending the ICMP reject message e jump jump to the chain specified by the value of the jump targe
157. 500 gt interface set 0 1 2 mtu 1460 gt interface print X disabled D dynamic R running TYPE MTU ether 1460 ether 1460 ether 1460 ether 1500 gt General Commands Other trademarks and registred trademarks mentioned herein are properties of their respective owners Description There are some commands that are common to nearly all menu levels namely print set remove add find get export enable disable comment move These commands have similar behavior throughout different menu levels Command Description print shows all information that s accessible from particular command level Thus system clock print shows system date and time ip route print shows all routes etc If there s a list of items in current level and they are not read only i e you can change remove them example of read only item list is system history which shows history of executed actions then print command also assigns numbers that are used by all commands that operate with items in this list applicable only to lists of items The action is performed with all items in this list in the same order in which they are given forces the print command to use tabular output form forces the print command to use property value output form shows the number of items prints the contents of the specific submenu into a file This file will be available in the router s ftp shows the output from the print command for every interval se
158. 54321 mac address 00 0C 42 05 00 22 admin WEP_AP interface wireless access li Flags X disabled mac address 00 0C 42 05 00 22 interface WEP AP authenticati 0 e both ist st gt add private algo interface WEP AP for st gt print forwarding yes ap tx limit 0 client tx private key 6543210987654321098765432 admin WEP_AP interface wireless access li Configure WEP_StationX 104bit wep warding yes on yes limit 0 private algo 17 st gt 104bit wep admin WEP_Stationl interface wireless security profiles gt add name Stationl mode static keys required static sta private algo 104bit wep Static sta private key 65432109876543210987654321 admin WEP_Stationl interface wireless security profiles gt print 0 name default mode none wpa unicast ciphers wpa group ciphers pre shared key static algo O none static key 0 static algo 1l none static key l static algo 2 none static key 2 static algo 3 none static key 3 _static transmit key key 0 static sta private algo none static sta private key radius mac authentication no group key update 5m Other trademarks and registred trademarks mentioned herein are properties of their respective owners 1 name Stationl mode static keys required wpa unicast ciphers wpa group ciphers pre shared key static algo
159. 7 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Quick Setup Guide Specifications Related Documents Description Setup Property Description Notes Example Access List Description Property Description Notes Example Direct Access List Description Property Description Notes Cache Management Description Property Description Complementary Tools Description Command Description Transparent Mode Description Notes Example HTTP Methods Description General Information Summary The Lobo OSB implements the following proxy server features e Regular HTTP proxy e Transparent proxy Can be transparent and regular at the same time Other trademarks and registred trademarks mentioned herein are properties of their respective owners e Access list by source destination URL and requested method e Cache access list specifies which objects to cache and which not e Direct Access List specifies which resources should be accessed directly and which through another proxy server e Logging facility Quick Setup Guide To set up a 1 GiB large web cache which will listen on port 8000 do the following admin Lobo924 admin Lobo924 ip web proxy gt set ip web proxy gt print enabled src address port hostname transparent proxy parent proxy cache administrator max object size nabled yes port 8000 max cache size 1048576 yes 0
160. 80 5985 5990 5995 6000 6005 6010 6015 6020 6025 6030 6035 6040 6045 6050 6055 6060 6065 6070 6075 6080 6085 6090 6095 6100 the list of 5GHz turbo channels frequencies are given in MHz ack timeout control read only yes no provides information whether this device supports transmission acceptance timeout control alignment mode read only yes no is the alignment only mode supported by this interface burst support yes no whether the interface supports data bursts burst time chip info read only text information from EEPROM default periodic calibration read only yes no whether the card supports periodic calibration firmware read only text current firmware of the interface used only for Prism chipset based cards interface type read only text shows the hardware interface type noise floor control read only yes no does this interface support noise floor thershold detection nstreme support read only yes no whether the card supports n streme protocol scan support yes no whether the interface supports scan function interface wireless scan supported bands multiple choice read only 2ghz b 5ghz 5ghz turbo 2ghz g the list of supported bands tx power control read only yes no provides information whether this device supports Other trademarks and registred trademarks mentioned herein are properties of their respective owners transmissio
161. A S 2 2 2 0 24 E eles 0 isp2 2 ADC 3 3 3 0 24 bondingl 3 ADC 10 1 0 0 24 ispl 4 AS 0 0 0 0 0 a coum 0 ee ere area 0 ispl admin Lobo924 ip route gt Notice that the prompt changes in order to reflect where you are located in the menu hierarchy at the moment To move to the top level again type admin Lobo924 gt ip route admin Lobo924 ip route gt admin Lobo924 gt To move up one command level type admin Lobo924 ip route gt admin Lobo924 ip gt You can also use and to execute commands from other menu levels without changing the current level Other trademarks and registred trademarks mentioned herein are properties of their respective owners admin Lobo924 ip route gt ping 10 0 0 1 10 0 0 1 ping timeout 2 packets transmitted 0 packets received 100 packet loss admin Lobo924 ip firewall nat gt service port print Flags X disabled I invalid NAME PORTS 0 ftp 21 I tftp 69 2 irc 6667 3 X h323 4 quake3 5 mms 6 gre 7 pptp admin Lobo924 ip firewall nat gt Lists and Item Names Description Lists Many of the command levels operate with arrays of items interfaces routes users etc Such arrays are displayed in similarly looking lists All items in the list have an item number followed by its parameter values To change parameters of an item you have to specify it s number to the set command Item Names Some lists have items that have specific names as
162. AN and in the Remote LAN Troubleshooting Description e The routers can ping each other but EoIP tunnel does not seem to work Other trademarks and registred trademarks mentioned herein are properties of their respective owners Check the MAC addresses of the EoIP interfaces they should not be the same Other trademarks and registred trademarks mentioned herein are properties of their respective owners IP Security Document revision 3 3 Fri May 06 09 14 43 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Specifications Related Documents Description Policy Settings Description Property Description Notes Example Peers Description Property Description Notes Example Remote Peer Statistics Description Property Description Example Installed SAs Description Property Description Example Flushing Installed SA Table Description Property Description Example Counters Property Description Example Lobo Router to Lobo Router IPsec Between two Masquerading Lobo Routers Lobo router to CISCO Router Lobo Router and Linux FreeS WAN General Information Specifications Packages required security License required levell Home menu level ip ipsec Other trademarks and registred trademarks mentioned herein are properties of their respective owners Standards and Technologies IPsec Hardware usage consumes a lot of CPU time Intel Pentium MMX or AMD K6 suggested as a minim
163. C ADDRESS DST ADDRESS IP SIZE 0 0 12 etherl 10 0 0 241 1839 10 0 0 181 23 telnet tcp 46 10 12 etherl 10 0 0 24121839 10 0 0 181 23 telnet tcp 40 2 0 12 etherl 10 0 0 181 23 telnet 10 0 0 24171839 tcp 78 3 0 292 etherl 10 0 0 181 10 0 0 4 gre 88 4 0 32 ether1 100r 024141839 10 0 0 181 23 telnet tcp 40 5 0 744 ether1 10 0 0 144 2265 10 0 0 181 22 ssh tcp 76 6 0 744 etherl 10 0 0 144 2265 10 0 0 181 22 ssh tcp 76 7 0 744 etherl 10 0 0 181 22 ssh 10 0 0 144 2265 tcp 40 8 0 744 etherl 10 0 0 181 22 ssh 10 0 0 144 2265 tcp 76 more Packet Sniffer Protocols Home menu level tool sniffer protocol Description In this submenu you can see all kind of protocols that have been sniffed Property Description bytes integer total number of data bytes protocol read only ip arp rarp ipx ipv6 the name number of ethernet protocol e ip Internet Protocol e arp Address Resolution Protocol e rarp Reverse Address Resolution Protocol e ipx Internet Packet exchange protocol Other trademarks and registred trademarks mentioned herein are properties of their respective owners e ipv6 Internet Protocol next generation ip protocol ip icmp igmp ggp ipencap st tcp egp pup udp hmp xns idp rdp iso tp4 xtp ddp idrp cmtp gre esp ah rspf vmtp ospf ipip encap the name number of IP protocol e ip Internet Protocol e icmp Internet Control Message Protocol e ig
164. CISCO router Create IPsec transform set transformations that should be applied to traffic ESP encryption with DES and ESP authentication with SHA1 This must match ip ipsec proposal crypto ipsec transform set myset esp des esp sha hmac 3 mode tunnel exit Add policy rule that matches traffic between subnets and requires encryption with ESP in tunnel mode for Lobo router admin Lobo924 gt ip ipsec policy add src address 10 0 0 0 24 dst address 10 0 2 0 24 action encrypt tunnel yes sa src 10 0 1 1 sa dst 10 0 1 2 for CISCO router Create access list that matches traffic that should be encrypted access list 101 permit ip 10 0 2 0 0 0 0 255 10 0 0 0 0 0 0 255 Create crypto map that will use transform set myset use peer 10 0 1 1 to establish SAs and encapsulate traffic and use access list 101 to match traffic that should be encrypted crypto map mymap 10 ipsec isakmp set peer 10 0 1 1 set transform set myset set pfs group2 match address 101 exit And finally apply crypto map to serial interface interface Serial 0 crypto map mymap exit 4 Testing the IPsec tunnel on Lobo router we can see installed SAs admin Lobo924 ip ipsec installed sa gt print Flags A AH B ESP P pfs M manual OE spi 9437482 direction out src address 10 0 1 1 dst address 10 0 1 2 auth algorithm shal enc algorithm des replay 4 state matur
165. Console When connecting to the Lobo router via http TCP port 80 by default the router s Welcome Page is displayed in the web browser By clicking on the Winbox link you can start the winbox exe download Choose Open to start the Winbox loader program you can also save this program to your local disk and run it from there The winbox exe program opens the Winbox login window Other trademarks and registred trademarks mentioned herein are properties of their respective owners where e discovers and shows MNDP Lobo Neighbor Discovery Protocol or CDP Cisco Discovery Protocol devices e logs on to the router by specified IP address and the port number if you have changed it from the default value of 80 or MAC Address if the router is in the same subnet user name and password e saves the current sessions to the list to run them just double click on an item e removes selected item from the list e removes all items from the list clears cache on the local disk imports addresses from wbx file or exports them to wbx file e Secure Mode provides privacy and data integrity between WinBox and OSB by means of TLS Transport Layer Security protocol e Keep Password Saves password as a plain text on a local hard drive The Winbox Console of the router The Winbox Console uses TCP port 8291 After logging onto the router you can work with the Lobo router s configuration through the Winbox console and perform the
166. DS and DFS the routers do not connect to each other As the WDS routers must operate at the same frequency it is very probable that DFS will not select the frequency that is used by the peer router Lobo OSB does not send any traffic through Cisco Wireless Access Point or Wireless Bridge If you use CISCO Aironet Wireless Ethernet Bridge or Access Point you should set the Configuration Radio I80211 Extended Allow proprietary extensions to off and the Configuration Radio I80211 Extended Encapsulation Default encapsulation method to RFC1042 If left to the default on and 802 1H respectively you won t be able to pass traffic through the bridge Prism wireless clients don t connect to AP after upgrade to 2 9 Prism wireless card s primary firmware version has to be at least 1 0 7 in order to boot wireless card s secondary firmware which allows Prism card correctly operate under OSB Check the log file to see whether the wireless card s secondary firmware was booted Other trademarks and registred trademarks mentioned herein are properties of their respective owners EolP Tunnel Interface Document revision 1 3 Tue Mar 09 08 15 37 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Summary Quick Setup Guide Related Documents Description Notes EoIP Setup Property Description Notes Example EoIP Application Example Description Example Troubleshooting Description Genera
167. DS interface dynamic is created on the fly and appers under wds menu as a dynamic interface e static is created manually Property Description arp disabled enabled proxy arp reply only default enabled Address Resolution Protocol e disabled the interface will not use ARP e enabled the interface will use ARP e proxy arp the interface will use the ARP proxy feature e reply only the interface will only reply to the requests originated to its own IP addresses Neighbour MAC addresses will be resolved using ip arp statically set table only disable running check yes no default no disable running check For broken wireless cards it is a good idea to set this value to yes mac address read only MAC address default 00 00 00 00 00 00 MAC address of the master interface Specifying master interface this value will be set automatically Other trademarks and registred trademarks mentioned herein are properties of their respective owners master interface name wireless interface which will be used by WDS mtu integer 0 65336 default 1500 Maximum Transmission Unit name name default wdsN WDS interface name wds address MAC address MAC address of the remote WDS host Notes When the link between WDS devices using wds mode dynamic goes down the dynamic WDS interfaces disappear and if there are any IP addresses set on this interface their interface setting will change to unknown
168. Documents Software Package Management NAT e Mangle Filter Packet Flow Description Lobo OSB is designed to be easy to operate in various aspects including IP firewall Other trademarks and registred trademarks mentioned herein are properties of their respective owners Therefore regular firewall policies can be created and deployed without the knowledge about how the packets are processed in the router For example if all that required is just natting internal clients to a public address the following command can be issued assuming the interface to the Internet in named Public ip firewall nat add action masquerade out interface Public chain srcnat Regular packet filtering bandwith management or packet marking can be configured with ease in a similar manner However a more complicated configuration could be deployed only with a good understanding of the underlying processes in the router The packet flow through the router is depicted in the following diagram As can be seen on the diagram there are five chains in the processing pipeline These are prerouting input forward output and postrouting The actions performed on a packet in each chain are discussed later in this chapter A paket can enter processing conveyer of the router in two ways First a packet can come from one of the interfaces present in the roter then the interface is referred as input interface Second it can be originated from a local p
169. IMbps 10dBm 2Mbps 10dBm 5 5Mbps 9dBm 11Mbps 7dBm do the following admin Lobo924 interface wireless manual tx power table gt print 0 name wlanl manual tx powers 1Mbps 17 2Mbps 17 5 5Mbps 17 11Mbps 17 6Mbps 17 L 9Mbps 17 12Mbps 17 18Mbps 17 24Mbps 17 36Mbps 17 48Mbps 17 54Mbps 17 admin Lobo924 interface wireless manual tx power table gt set 0 manual tx powers 1Mbps 10 2Mbps 10 5 5Mbps 9 11Mbps 7 admin Lobo924 interface wireless manual tx power table gt print 0 name wlanl manual tx powers 1Mbps 10 2Mbps 10 5 5Mbps 9 11Mbps 7 admin Lobo924 interface wireless manual tx power table gt Network Scan Command name interface wireless scan interface_name Description This is a feature that allows you to scan all avaliable wireless networks While scanning the card unregisters itself from the access point in station mode or unregisters all clients in bridge or ap bridge mode Thus network connections are lost while scanning Property Description address read only MAC address MAC address of the AP band read only text in which standard does the AP operate bss read only yes no basic service set freeze time interval time default 1s time in seconds to refresh the displayed data freq read only integer the frequency of AP interface_name name the name of interface which will be used for scanning APs privacy read only yes no whether all data is encrypted or not
170. LDonkey NeoModus Direct Connect BCDC CZDC eDonkey eDonkey2000 eMule xMule linux Shareaza MLDonkey mlMac Overnet Soulseek Soulseek MLDonkey BitTorrent BitTorrent BitTorrent Shareaza MLDonkey ABC Azureus BitAnarch SimpleBT BitTorrent Net mlMac Blubster Blubster Piolet WPNP WinMX Warez Warez Ares starting from 2 8 18 this protocol can only be dropped speed limiting is impossible Other trademarks and registred trademarks mentioned herein are properties of their respective owners DHCP Client and Server Document revision 2 7 Mon Apr 18 22 24 18 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Quick Setup Guide Specifications Description Additional Documents DHCP Client Setup Description Property Description Command Description Notes Example DHCP Server Setup Description Property Description Notes Example Store Leases on Disk Description Property Description DHCP Networks Property Description Notes DHCP Server Leases Description Property Description Command Description Notes Example DHCP Alert Description Property Description Notes DHCP Option Description Property Description Notes Example DHCP Relay Description Property Description Other trademarks and registred trademarks mentioned herein are properties of their respective owners Notes Example Question amp Answer Based Setup Command Descri
171. Management Description Dynamic DNS Update is a tool that should be manually run to update dynamic DNS server Note that you have to have a DNS server that supports DNS updates properly configured Other trademarks and registred trademarks mentioned herein are properties of their respective owners Additional Documents DNS related RFCs Dynamic DNS Update Command name tool dns update Property Description address IP address defines IP address associated with the domain name dns server IP address DNS server to send update to key text default authorization key password of a kind to access the server key name text default authorization key name username of a kind to access the server name text name to attach with the IP address ttl integer default 0 time to live for the item in seconds zone text DNS zone where to update the domain name in Notes Example To tell 23 34 45 56 DNS server to re associate mydomain name in the myzone com zone with 68 42 14 4 IP address specifying that the name of the key is dns update key and the actual key is update admin Lobo924 tool gt dns update dns server 23 34 45 56 name mydomain zone myzone com address 68 42 14 4 key name dns update key key updat Other trademarks and registred trademarks mentioned herein are properties of their respective owners MNDP Document revision 1 4 Fri Mar 05 08 36 57 GMT 2004 This documen
172. Mbps 40m43s760ms 61dBm 18Mbps 40m43s330ms 60dBm 24Mbps 40m43s 61dBm 36Mbps 33m10s230ms 62dBm 48Mbps 33m9s760ms 66dBm 54Mbps 10ms tx signal strength 65dBm tx ccq 24 rx ccq 20 ack timeout 28 distance 28 nstreme no framing mode none routeros version 2 9rc5 last ip 192 168 63 8 admin Lobo924 interface wireless gt Connect List Home menu level interface wireless connect list Description The Connect List is a list of rules order is important that determine to which AP the station should connect to At first the station is searching for APs all frequencies from scan list in the respective band and makes a list of Access Points If the ssid is set under interface wireless the router removes all Access Points from its AP list which do not have such ssid If a rule is matched and the parameter connect is set to yes the station will connect to this AP If the parameter says connect no or the rule is not matched we jump to the next rule Other trademarks and registred trademarks mentioned herein are properties of their respective owners If we have gone through all rules and haven t connected to any AP yet The router chooses an AP with the best signal and ssid that is set under interface wireless In case when the station has not connected to any AP this process repeats from beginning Property Description area prefix text a string that indicates the beginning from the area string of t
173. NAT Example of 1 1 mapping General Information Summary Network Address Translation NAT is a router facility that replaces source and or destination IP addresses of the IP packet as it pass through thhe router It is most commonly used to enable multiple host on a private network to access the Internet using a single public IP address Specifications Packages required system License required levell number of rules limited to 1 level3 Home menu level ip firewall nat Standards and Technologies IP RFC1631 RFC2663 Hardware usage Increases with the count of rules Related Documents e Software Package Management Filter e Mangle Packet Flow NAT Other trademarks and registred trademarks mentioned herein are properties of their respective owners Description Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications A LAN that uses NAT is referred as natted network For NAT to function there should be a NAT gateway in each natted network The NAT gateway NAT router performs IP address rewriting on the way a packet travel from to LAN There are two types of NAT e source NAT or srcnat This type of NAT is performed on packets that are originated from a natted network A NAT router replaces the private source address of an IP packet with a new public IP addr
174. Notes For point to point links you should specify the remote endpoint IP address as the network IP address For this case the correct netmask will be 32 Other trademarks and registred trademarks mentioned herein are properties of their respective owners Example To enable RIP protocol on 10 10 1 0 24 network admin Lobo924 routing rip network gt add address 10 10 1 0 24 admin Lobo924 routing rip network gt print ADDRESS O 10 10 1 0 24 admin Lobo924 routing rip gt Neighbors Description This submenu is used to define a neighboring routers to exchange routing information with Normally there is no need to add the neighbors if multicasting is working properly within the network If there are problems with exchanging routing information neighbor routers can be added to the list It will force the router to exchange the routing information with the neighbor using regular unicast packets Property Description address ZP address default 0 0 0 0 IP address of neighboring router Example To force RIP protocol to exchange routing information with the 10 0 0 1 router admin Lobo924 routing rip gt neighbor add address 10 0 0 1 admin Lobo924 routing rip gt neighbor print Flags I inactive ADDRESS 0 10 0 0 1 admin Lobo924 routing rip gt Routes Home menu level routing rip route Property Description dst address read only IP address mask network address and netmask of destination g
175. O none static key 0 static algo l none static key 1l _static algo 2 none static key 2 static algo 3 none static key 3 static transmit key key 0 static sta private algo 104bit wep static sta private key 65432109876543210987654321 radius mac authentication no group key update 5m admin WEP_Stationl interface wireless security profiles gt admin WEP_Stationl interface wireless gt set wlanl mode station ssid mt_wep band 5ghz security profile Stationl name WEP STA1 disabled no admin WEP_Stationl interface wireless gt print Flags X disabled R running 0 R name WEP STA1 mtu 1500 mac address 00 0C 42 05 00 22 arp enabled disable running check no interface type Atheros AR5413 radio name 000C42050022 mode station ssid mt_wep area frequency mode superchannel country no_country_set antenna gain 0 frequency 5180 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client
176. OS settings Example To view the current date and time settings admin Local system clock gt print time 08 26 37 Other trademarks and registred trademarks mentioned herein are properties of their respective owners date nov 18 2004 time zone 00 00 admin Local system clock gt To set the system date and time admin Local system clock gt set date nov 22 2022 time 11 10 21 time zone 0 admin Local system clock gt print time 11 10 25 date nov 22 2022 time zone 00 00 admin Local system clock gt Configuration Change History Home menu level Command name system history undo redo Description The history of system configuration changes is held until the next router shutdown The invoked commands can be undone in reverse order they have been invoked The undone commands may be redone in reverse order they have been undone Command Description redo undoes previous undo command system history print print a list of last configuration changes specifying whether the action can be undone or redone undo undoes previous configuration changing command except another undo command Notes Floating undo actions are created within the current SAFE mode session They are automatically converted to undoable and redoable when SAFE mode terminated successfully and are all undone irreverively when SAFE mode terminated insuccessfully Undo command cannot undo commands past start
177. Other trademarks and registred trademarks mentioned herein are properties of their respective owners admin Lobo924 ip proxy gt print enabled yes port 8080 parent proxy 0 0 0 0 0 maximal client connecions 1000 maximal server connectons 1000 admin Lobo924 ip proxy gt Remember to secure your proxy by preventing unauthorized access to it Also you need to setup destination NAT in order to utilize transparent proxying facility admin Lobo924 ip firewall nat gt add chain dstnat protocol tcp dst port 80 action redirect to ports 8080 admin Lobo924 ip firewall nat gt print Flags X disabled I invalid D dynamic 0 chain dstnat protocol tcp dst port 80 action redirect to ports 8080 admin Lobo924 ip firewall nat gt Specifications Packages required system License required level3 Home menu level ip proxy Standards and Technologies HTTP 1 0 HTTP 1 1 FTP Related Documents Software Package Management IP Addresses and ARP Description This service performs proxying of HTTP and HTTP proxy for FTP HTTP and HTTPS protocols requests It does not support caching transactions yet When setting up proxy service make sure it serves only your clients and is not misused as relay Please read the security notice in the Access List Section Note that the proxy may be used as something like HTTP and FTP firewall for example denying access to mp3 files or to redirect requests to ex
178. P Hardware usage Not significant Description Lobo HotSpot Gateway should have at least two network interfaces 1 HotSpot interface which is used to connect HotSpot clients 2 LAN WAN interface which is used to access network resources For example DNS and RADIUS server s should be accessible The diagram below shows a sample HotSpot setup The HotSpot interface should have an IP address assigned to it Physical network connection has to be established between the HotSpot user s computer and the gateway It can be wireless the wireless card should be registered to AP or wired the NIC card should be connected to a hub or a switch Note that the most noticeable difference in user experience setting up HotSpot system in version 2 9 from the previous OSB versions is that it has become in order of magnitude easier to set up a correctly working HotSpot system Introduction to HotSpot HotSpot is a way to authorize users to access some network resources It does not provide traffic encryption To log in users may use almost any web browser either HTTP or HTTPS protocol so they are not required to install additional software The gateway is accounting the uptime and amount of traffic each of its clients have used and also can send this information to a RADIUS server The HotSpot system may limit each particular user s bitrate total amount of traffic uptime Other trademarks and registred trademarks mentioned herein are properti
179. P to support WDS connections e Set wds default bridge to bridge1l On WDS station e Configure it as a WDS Station using mode station wds Configure the WDS Access Point Configure the wireless interface and put it into a bridge and define that the dynamic WDS links should be automatically put into the same bridge admin WDS_AP gt interface bridge admin WDS_AP interface bridge gt add admin WDS_AP interface bridge gt print Flags X disabled R running 0 R name bridgel mtu 1500 arp enabled mac address B0 62 0D 08 FF FF stp no priority 32768 ageing time 5m forward delay 15s garbage collection interval 4s hello time 2s max message age 20s admin WDS_AP interface bridge gt port admin WDS_AP interface bridge port gt print INTERFACE BRIDGE PRIORITY PATH COST 0 Public none 128 10 1 wlanl none 128 10 admin WDS_AP interface bridge port gt set 0 bridge bridgel admin WDS_AP interface bridge port gt in wireless admin WDS_AP interface wireless gt set wlanl mode ap bridge ssid wds sta test wds mode dynamic wds default bridge bridgel disabled no band 2 4ghz b g frequency 2437 admin WDS_AP interface wireless gt print Flags X disabled R running 0 name wlan1l mtu 1500 mac address 00 0C 42 05 00 22 arp enabled disable running check no interface type Atheros AR5413 radio name 000C42050022 mode ap bridge ssid wds sta test area frequency mode superchannel country no_country_set antenna gain 0 frequency 2437 b
180. PPPoE client If the service name is not set or it does not match the service name of the Lobo PPPoE server you get the line is busy errors or the system shows verifying password unknown error I want to have logs for PPPoE connection establishment Configure the logging feature under the system logging facility and enable the PPP type logs Other trademarks and registred trademarks mentioned herein are properties of their respective owners PPTP Document revision 1 4 Tue Aug 09 12 01 21 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Summary Quick Setup Guide Related Documents Description Additional Documents PPTP Client Setup Property Description Example Monitoring PPTP Client Property Description Example PPTP Server Setup Description Property Description Example PPTP Server Users Description Property Description Example PPTP Application Examples Router to Router Secure Tunnel Example Connecting a Remote Client via PPTP Tunnel PPTP Setup for Windows Sample instructions for PPTP VPN installation and client setup Windows 98SE Troubleshooting Description General Information Summary PPTP Point to Point Tunnel Protocol supports encrypted tunnels over IP The Lobo OSB implementation includes support for PPTP client and server General applications of PPTP tunnels e For secure router to router tunnels over the Internet e To link bridge l
181. PPoE server to the wireless interface admin PPPoE Server interface pppoe server server gt add interface wlanl service name mt one session per host yes disabled no admin PPPoE Server interface pppoe server server gt print Flags X disabled 0 service name mt interface wlanl max mtu 1480 max mru 1480 authentication pap chap mschapl mschap2 keepalive timeout 10 one session per host yes max sessions 0 default profile default admin PPPoE Server interface pppoe server server gt Finally we can set up PPPoE clients admin PPPoE Server ip pool gt add name pppoe ranges 10 1 0 100 10 1 0 200 admin PPPoE Server ip pool gt print NAME RANGES 0 pppoe 10 1 0 100 10 1 0 200 admin PPPoE Server ip pool gt ppp profile admin PPPoE Server ppp profile gt set default use encryption yes local address 10 1 0 3 remote address pppo admin PPPoE Server ppp profile gt print Flags default 0 name default local address 10 1 0 3 remote address pppo use compression no use vj compression no us neryption yes only one no change tcp mss yes 1 name default encryption use compression default use vj compression default use encryption yes only one default change tcp mss default admin PPPoE Server ppp profile gt secret admin PPPoE Server ppp secret gt add name w password wkst service pppo admin PPPoE Server ppp secret gt add name l password ltp se
182. PTP RFC 2637 Hardware usage Not significant Related Documents Software Package Management JP Addresses and ARP PPP User AAA EoIP Description PPTP is a secure tunnel for transporting IP traffic using PPP PPTP encapsulates PPP in virtual lines that run over IP PPTP incorporates PPP and MPPE Microsoft Point to Point Encryption to make encrypted links The purpose of this protocol is to make well managed secure connections between Other trademarks and registred trademarks mentioned herein are properties of their respective owners routers as well as between routers and PPTP clients clients are available for and or included in almost all OSs including Windows PPTP includes PPP authentication and accounting for each PPTP connection Full authentication and accounting of each connection may be done through a RADIUS client or locally MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported PPTP traffic uses TCP port 1723 and IP protocol GRE Generic Routing Encapsulation IP protocol ID 47 as assigned by the Internet Assigned Numbers Authority IANA PPTP can be used with most firewalls and routers by enabling traffic destined for TCP port 1723 and protocol 47 traffic to be routed through the firewall or router PPTP connections may be limited or impossible to setup though a masqueraded NAT IP connection Please see the Microsoft and RFC links at the end of this section for more information Additional Documen
183. Packet Packer may be enabled on a per interface basis The MNDP protocol will then keep information about what routers have enabled the unpack feature and the Packet Packer will be used for traffic between these routers Specific features e works on interfaces that support IP protocol and have at least one IP address and on all ethernet like interfaces even without IP addresses is enabled by default for all new Ethernet like interfaces Ethernet wireless EoIP IPIP tunnels PPTP static server e when older versions on the OSB are upgraded from a version without discovery to a version with discovery current Ethernet like interfaces will not be automatically enabled for MNDP e uses UDP protocol port 5678 e a UDP packet with router info is broadcasted over the interface every 60 seconds e every 30 seconds the router checks if some of the neighbor entries are not stale e if no info is received from a neighbor for more than 180 seconds the neighbor information is discarded Setup Home menu level ip neighbor discovery Property Description name read only name interface name for reference discover yes no default yes specifies whether the neighbour discovery is enabled or not Example To disable MNDP protocol on Public interface admin Lobo924 ip neighbor discovery gt set Public discover no admin Lobo924 ip neighbor discovery gt print NAME DISCOVER 0 Public no 1 Local yes Neighbour Lis
184. STANCE INTERFACE 0 Do 192 168 0 0 24 e 110 2 0 2 110 to_main 1 Io 10 3 0 0 24 110 2 DC 10 3 0 0 24 r 0 0 0 0 0 to_peer_1l 3 Io 10 2 0 0 24 110 4 DC 10 2 0 0 24 r 0 0 0 0 0 to_main 5 Do 10 1 0 0 24 E aa E OE E O 110 to_peer_1 r 10 2 0 2 to_main Routing tables with Revised Link Cost This example shows how to set up link cost Let us assume that the link between the routers OSPF_peer_1 and OSPF_peer_2 has a higher cost might be slower we have to pay more for the traffic through it etc Other trademarks and registred trademarks mentioned herein are properties of their respective owners rn to_peerl 10 1 0 2 i a cost 1 __to_main 10 2 0 1 cost 1 OSPF _peer_2 cost 30 topeerl 10 3 0 2 p a backup 10 3 0 1 to_main 100 1 0 1 We should change cost value in both routers OSPF_peer_1 and OSPF_peer_2 to 50 To do this we need to add a following interface admin OSPF_peer_1 routing ospf interface gt add interface backup cost 50 admin OSPF_peer_1 routing ospf interface gt print 0 interface backup cost 50 priority 1 authentication key retransmit interval 5s transmit delay 1s hello interval 10s dead interval 40s admin OSPF_peer_2 routing ospf interface gt add interface to_peer_1l cost 50 admin OSPF_peer_2 routing ospf interface gt print 0 interface to_peer_1l cost 50 priority 1 authentication key retransmit interval 5s transmit delay ls hello interval 10s dead interva
185. Specifications Description Certificates Description Property Description Command Description Notes Example General Information Summary SSL Secure Socket Layer is a security technology to ensure encrypted transactions over a public network To protect the data an encryption key should be negotiated SSL protocol is using Certificates to negotiate a key for data encryption Specifications Packages required system License required level Home menu level certificate Standards and Technologies SSLv2 SSLv3 TLS Hardware usage high CPU usage Description SSL technology was first introduced by Netscape to ensure secure transactions between browsers and web servers When a browser requests a secure web page usually on TCP port 443 a web server first sends a Certificate which contains a public key for the encryption key negotiation to take place After the encryption key is negotiated the web server will send the requested page encrypted using this key to the browser and also the browser will be able to submit its data securely to the server SSL Certificate confirms the web server identity The Certificate contains information about its holder like DNS name and Country issuer the entity has signed the Certificate and also the public key used to negotiate the encryption key In order a Certificate to play its role it should be signed by a third party Certificate Authority which both parties trust Modern browse
186. Specifications Sheet Document revision 2 6 Mon Mar 14 12 38 07 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Description General Information Description Major features Firewall and NAT stateful packet filtering Peer to Peer protocol filtering source and destination NAT classification by source MAC IP addresses networks or a list of networks and address types port range IP protocols protocol options ICMP type TCP flags and MSS interfaces internal packet and connection marks ToS DSCP byte content matching sequence frequency packet size time and more Routing Static routing Equal cost multi path routing Policy based routing classification done in firewall RIP v1 v2 OSPF v2 BGP v4 Data Rate Management Hierarchical HTB QoS system with bursts per IP protocol subnet port firewall mark PCQ RED SFQ FIFO queue CIR MIR contention ratios dynamic client rate equalizing PCQ bursts Peer to Peer protocol limitation HotSpot HotSpot Gateway with RADIUS authentication and accounting true Plug and Play access for network users data rate limitation differentiated firewall traffic quota real time status information walled garden customized HTML login pages iPass support SSL secure authentication advertisement support Point to Point tunneling protocols PPTP PPPoE and L2TP Access Concentrators and clients PAP CHAP MSCHAPv1 and MSCHAPv2 authen
187. TU LOCAL ADDRESS REMOTE ADDRESS O X ipipl 1480 22 63 11 6 10 0 0 1 admin Lobo924 interface ipip gt enable 0 admin Lobo924 interface ipip gt ip address add address 1 1 1 2 24 interface ipipl Now both routers can ping each other admin Lobo924 interface ipip gt ping 1 1 1 2 1 1 1 2 64 byte ping ttl 64 time 24 ms 1 1 1 2 64 byte ping ttl 64 time 19 ms 1 1 1 2 64 byte ping ttl 64 time 20 ms 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 19 21 0 24 ms admin Lobo924 interface ipip gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners L2TP Interface Document revision 1 1 Fri Mar 05 08 26 01 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Summary Quick Setup Guide Related Documents Description L2TP Client Setup Property Description Example Monitoring L2TP Client Property Description Example L2TP Server Setup Description Property Description Example L2TP Server Users Description Property Description Example L2TP Application Examples Router to Router Secure Tunnel Example Connecting a Remote Client via L2TP Tunnel L2TP Setup for Windows Troubleshooting Description General Information Summary L2TP Layer 2 Tunnel Protocol supports encrypted tunnels over IP The Lobo OSB implementation includes support for both L2TP client a
188. There might be situations when both hosts want to use maximum bandwidth 10 Mibps then they will receive 5 Mibps each the same goes for upload This setup is also valid for more than 2 users At first mark all traffic coming from local network 192 168 0 0 24 with a mark users ip firewall mangle add chain forward src address 192 168 0 0 24 action mark connection new connection mark users con ip firewall mangle add connection mark users con action mark packet new packet mark users chain forward Now we will add 2 new PCQ types The first called peq download will group all traffic by destination address As we will attach this queue type to the Local interface it will create a dynamic queue for each destination address user which is downloading to the network 192 168 0 0 24 The second type called peq upload will group the traffic by source address We will attach this queue to the Public interface so it will make one dynamic queue for each user who is uploading to Internet from the local network 192 168 0 0 24 queue type add name pcq download kind pcq pcq classifier dst address queue type add name pcq upload kind pcq pcq classifier src address Finally make a queue tree for download traffic queue tree add name Download parent Local max limit 10240000 queue tree add parent Download queue pcq download packet mark users And for upload traffic queue tree add name Upload parent Public max limit 2048
189. This protocol makes multiple network schemes possible IP tunneling protocol adds the following possibilities to a network setups to tunnel Intranets over the Internet e touse it instead of source routing Quick Setup Guide To make an IPIP tunnel between 2 Lobo routers with IP addresses 10 5 8 104 and 10 1 0 172 using IPIP tunnel addresses 10 0 0 1 and 10 0 0 2 follow the next steps e Configuration on router with IP address 10 5 8 104 1 Add an IPIP interface by default its name will be ipip1 admin 10 5 8 104 interface ipip gt add local address 10 5 8 104 remote address 10 1 0 172 disabled no 2 Add an IP address to created ipip1 interface admin 10 5 8 104 ip address gt add address 10 0 0 1 24 interface ipipl e Configuration on router with IP address 10 1 0 172 Other trademarks and registred trademarks mentioned herein are properties of their respective owners 1 Add an IPIP interface by default its name will be ipip1 admin 10 1 0 172 interface ipip gt add local address 10 1 0 172 remote address 10 5 8 104 disabled no 2 Add an IP address to created ipip1 interface admin 10 1 0 172 ip address gt add address 10 0 0 2 24 interface ipipl Specifications Packages required system License required levell limited to 1 tunnel level3 200 tunnels level5 unlimited Home menu level interface ipip Standards and Technologies PIP RFC 2003 Hardware usage Not significant Relat
190. U client address shows the IP of the connected client uptime shows how long the client is connected encoding text encryption and encoding if asymmetric separated with being used in this connection Example To add a static entry for ex1 user Other trademarks and registred trademarks mentioned herein are properties of their respective owners admin Lobo924 interface 12tp server gt add user exl admin Lobo924 interface 12tp server gt print Flags X disabled D dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME ENC 0 DR lt l2tp ex gt ex 1460 10 0 0 202 6m32s none 1 l2tp inl ex1 admin Lobo924 interface l2tp server gt In this example an already connected user ex is shown besides the one we just added L2TP Application Examples Router to Router Secure Tunnel Example Network Setup without L2TP enabled Internet ISP 1 network 192 168 80 0 netmask 255 255 255 0 ISP 2 network 192 168 81 0 netmask 255 255 255 0 To Intemet 192 168 81 41 24 LocaiRemoteOffice 10750 74 254 24 To Internet HomeOffice RemoteOffice 192 168 80 14 24 LocaitlomeOffice 10 450 2 254 24 network 10 150 2 0 network 10 150 1 0 netmask 255 255 255 0 netmask 255 255 255 0 p Laptop Work station 10 950 2 14 24 10 150 14 1 24 There are two routers in this example HomeOffice Interface LocalHomeOffice 10 150 2 254 24 Interfa
191. a network specify this network in allow address parameter for the respective item General Options Home menu level tool graphing Property Description store every Smin hour 24hours default Smin how often to store information on system drive Example To store information on system drive every hour tool graphing set stor very hour admin Lobo924 tool graphing gt print store every hour admin Lobo924 tool graphing gt Health Graphing Home menu level tool graphing health Description This submenu provides information about systems s health voltage and temperature Property Description Other trademarks and registred trademarks mentioned herein are properties of their respective owners allow address JP address netmask default 0 0 0 0 0 network which is allowed to view graphs of router health store on disk yes no default yes whether to store information about traffic on system drive or not If not the information will be stored in RAM and will be lost after a reboot Interface Graphing Home menu level tool graphing interface Description Shows how much traffic is passed through an interface over a period of time Property Description allow address IP address netmask default 0 0 0 0 0 IP address range which is allowed to view information about the interface If a client PC not belonging to this IP address range tries to open http Router_IP_address graphs it wi
192. a or higher and Windows Messenger to versionWindows Messenger 5 0 or higher in order to get UPnP to work properly Example Internet ether 10 0 0 17172 24 ether2 192 168 0124 LAN 192 168 0 0 24 We have masquerading already enabled on our router admin Lobo924 ip upnp interfaces gt ip firewall src nat print Flags X disabled I invalid D dynamic 0 src address 0 0 0 0 0 0 65535 dst address 0 0 0 0 0 0 65535 out interface etherl protocol all icmp options any any flow connection _content _limit count 0 limit burst 0 limit time 0s action masquerade to src address 0 0 0 0 to src port 0 65535 admin Lobo924 ip upnp interfaces gt Now all we have to do is to add interfaces and enable UPnP admin Lobo924 ip upnp interfaces gt add interface etherl type external admin Lobo924 ip upnp interfaces gt add interface ether2 type internal admin Lobo924 ip upnp interfaces gt print Flags X disabled Other trademarks and registred trademarks mentioned herein are properties of their respective owners INTERFACE TYPE 0 X etherl xternal 1 X ether2 internal admin Lobo924 ip upnp interfaces gt enable 0 1 admin Lobo924 ip upnp interfaces gt set enabled yes admin Lobo924 ip upnp interfaces gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners Web Proxy Document revision 1 1 Wed Jul 06 10 01 4
193. abled INTERFACE PACKING UNPACKING AGGREGATED SIZE 0 etherl compress all compress all 1500 admin Lobo924 ip packing gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners Wireless Client and Wireless Access Point Manual Document revision 2 Mon Aug 08 07 47 54 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Summary Quick Setup Guide Related Documents Description Wireless Interface Configuration Description Property Description Notes Example Nstreme Settings Description Property Description Notes Example Nstreme2 Group Settings Description Property Description Notes Example Registration Table Description Property Description Example Connect List Description Property Description Access List Description Property Description Notes Example Info Description Property Description Notes Example Virtual Access Point Interface Description Other trademarks and registred trademarks mentioned herein are properties of their respective owners Property Description WDS Interface Configuration Description Property Description Notes Example Align Description Property Description Notes Example Align Monitor Description Property Description Example Frequency Monitor Description Property Description Example Manual Transmit Power Table Description Property Descr
194. ace http chap use CHAP challenge response method with MD5 hashing algorithm for hashing passwords This way it is possible to avoid sending clear text passwords over an insecure network This is the default authentication method e http pap use plain text authentication over the network Please note that in case this method will be used your user passwords will be exposed on the local networks so it will be possible to intercept them e https use encrypted SSL tunnel to transfer user communications with the HotSpot server Note that in order this to work a valid certificate must be imported into the router see a separate manual on certificate management e mac try to use client s MAC address first as its username If the matching MAC address exists in the local user database or on the RADIUS server the client will be authenticated without asking to fill the login form radius accounting yes no default yes whether to send RADIUS server accounting information on each user once in a while the while is defined in the radius interim update property radius interim update time received default received how often to sent cumulative accounting reports e Os same as received e received use whatever value received from the RADIUS server rate limit text default Rate limitation in form of rx rate tx rate rx burst rate tx burst rate rx burst threshold tx burst threshold rx burst time tx burst time
195. ace bridge port Description The submenu is used to enslave interfaces in a particular bridge interface Property Description bridge name default none the bridge interface the respective interface is grouped in e none the interface is not grouped in any bridge interface read only name interface name which is to be included in a bridge path cost integer 0 65535 default 10 path cost to the interface used by STP to determine the best path priority integer 0 255 default 128 interface priority compared to other interfaces which are destined to the same network Example To group ether1 and ether2 in the already created bridgel bridge admin Lobo924 interface bridge port gt set etherl ether2 bridge bridgel admin Lobo924 interface bridge port gt print Other trademarks and registred trademarks mentioned herein are properties of their respective owners INTERFACE BRIDGE PRIORITY PATH COST 0 etherl bridgel 128 10 1 ether2 bridgel 128 10 2 wlan1 none 128 10 admin Lobo924 interface bridge port gt Bridge Monitoring Command name interface bridge monitor Description Used to monitor the current status of a bridge Property Description bridge id text the bridge ID which is in form of bridge priority bridge MAC address designated root text ID of the root bridge path cost integer the total cost of the path to the root bridge root port name port t
196. acket new packet mark p2p admineLioho 24 gt ip firewall mangle add chain forward connection mark p2p_conn action mark packet new packet mark other admin Lobo924 gt ip firewall mangle print Flags X disabled I invalid D dynamic 0 chain forward p2p all p2p action mark connection new connection mark p2p_conn 1 chain forward connection mark p2p_conn action mark packet new packet mark p2p 2 chain forward packet mark p2p_conn action mark packet new packet mark other admin Lobo924 gt admin Lobo924 gt queue tree add parent Public packet mark p2p limit at 1000000 max limit 100000000 priority 8 admin Lobo924 gt queue tree add parent Local packet mark p2p limit at 1000000 max limit 100000000 priority 8 admin Lobo924 gt queue tree add parent Public packet mark other limit at 1000000 max limit 100000000 priority 1 admin Lobo9241 gt queue tree add parent Local packet mark other limit at 1000000 Ne max limit 100000000 priority 1 Mark by MAC address To mark traffic from a known MAC address which goes to the router or through it do the following E E gt ip firewall mangle add chain prerouting XS src mac address 00 01 29 60 36 E7 action mark connection new connection mark known_mac_conn Na sage ae is gt ip firewall mangle add chain prerouting connection mark known_mac_conn action mark packet n
197. address name IP address or IP address pool name for PPP clients session timeout time maximum time the connection can stay up By default no time limit is set e Os no connection timeout use compression yes no default default default specifies whether to use data compression or not e yes enable data compression e no disable data compression e default accept this setting from the peer use encryption yes no default default default specifies whether to use data encryption or not e yes enable data encryption e no disable data encryption e default accept this setting from the peer use vj compression yes no default default default specifies whether to use Van Jacobson header compression algorithm e yes enable Van Jacobson header compression e no disable Van Jacobson header compression e default accept this setting from the peer wins server IP address IP address of the WINS server to supply to Windows clients Other trademarks and registred trademarks mentioned herein are properties of their respective owners Notes There are two default profiles that cannot be removed admin rb13 ppp profile gt print Flags default 0 name default use compression no use vj compression no us ncryption no only one no change tcp mss yes 1 name default encryption use compression default use vj compression default use encryption yes only one default change tcp mss default admin rb
198. address through that interface some wireless bridges may change client s MAC address If authoritative property is set to yes the DHCP server is sending rejects for the leases it cannot bind or renew It also may although not always help to prevent the users of the network to run illicitly their own DHCP servers disturbing the proper way this network should be functioning If relay property of a DHCP server is not set to 0 0 0 0 the DHCP server will not respond to the direct requests from clients Example To add a DHCP server to interface ether1 lending IP addresses from dhep clients IP pool for 2 hours ip dhcp server add name dhcp office disabled no address pool dhcp clients interface etherl lease time 2h admin Lobo924 ip dhcp server gt print Flags X disabled I invalid NAME INTERFACE RELAY ADDRESS POOL LEASE TIME ADD ARP 0 dhcp office etherl dhcp clients 02 00 00 admin Lobo924 ip dhcp server gt Store Leases on Disk Home menu level ip dhcp server config Description Leases are always stored on disk on graceful shutdown and reboot If on every lease change it is stored on disk a lot of disk writes happen There are no problems if it happens on a hard drive but is very bad on Compact Flash especially if lease times are very short To minimize writes on disk all changes are flushed together every store leases disk seconds If this time will be very short i
199. ademarks mentioned herein are properties of their respective owners utility sends packets three times to each passed gateway so it shows three timeout values for each gateway in ms The Traceroute Command Command name tool traceroute Property Description IP address IP address of the host you are tracing route to port integer 0 65535 UDP port number protocol UDP ICMP type of protocol to use If one fails for example it is blocked by a firewall try the other size integer 28 1500 default 64 packet size in bytes timeout time 1s 8s default 1s response waiting timeout i e delay between messages tos integer 0 255 default 0 Type Of Service parameter of IP packet use dns yes no default no specifies whether to use DNS server which can be set in ip dns menu src address JP address change the source address of the packet max hops integer utmost hops through which packet can be reached Notes Traceroute session may be stopped by pressing Ctrl C Example To trace the route to 216 239 39 101 host using ICMP protocol with packet size of 64 bytes setting ToS field to 8 and extending the timeout to 4 seconds admin Lobo924 tool gt traceroute 216 239 39 101 protocol icmp size 64 tos 8 timeout 4s ADDRESS STATUS 159 148 60 227 3ms 3ms 3ms 195 13 173 221 80ms 169ms 14ms 195 13 173 28 6ms 4ms 4ms 195 158 240 21 111ms 110ms 110ms 213 174 71 49 124ms 120ms 129ms
200. age age 20s admin WDS_Station interface bridge gt port admin WDS_Station interface bridge port gt print Negus 8 admin Flags O R admin admin WDS_Station inter admin WDS_Station inter admin WDS_Station interface wireless gt set wlanl mode station wds disabled no INTERFACE BRIDGE PRIORITY PATH COST 0 Local none 128 10 1 wlanl none 128 10 ace bridge port gt set 0 1 bridge bridgel ace bridge port gt interface wireless h fh sid wds sta test band 2 4ghz b g WDS_Station interface wireless gt print X disabled R running name wlan1 mtu 1500 mac address 00 0B 6B 34 5A 91 arp enabled disable running check no interface type Atheros AR5213 radio name 000B6B345A91 mode station wds ssid wds sta test area frequency mode superchannel country no_country_set antenna gain 0 frequency 2412 band 2 4ghz b g scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default clien
201. age specified by message parameter to the system logs name name of the logging facility to send message to text the text of the message to be logged Send message to info log admin Lobo924 gt log info Very Good thing happened We have received our first packet admin Lobo924 gt log print follow 19 57 46 script info Very Good thing happened We have received our first packet pick returns a range of elements or a substring depending on the type of input value text the string or value list from which a substring or a subrange should be returned integer start position of substring or subrange integer end position for substring or subrange admin Lobo924 gt set a Lye 2p sree op Tes admin Lobo924 gt put len Sa 8 Other trademarks and registred trademarks mentioned herein are properties of their respective owners admin Lobo924 gt put pick a 1 admin Lobo924 gt put pick Sa 0 4 1 2 3 4 admin Lobo924 gt put pick Sa 2 4 3 4 admin Lobo924 gt put pick a 2 3 admin Lobo924 gt ipt pick a 5 1000000 6 7 8 admin Lobo924 gt set a abcdefghij admin Lobo924 gt put len Sa 10 admin Lobo924 gt put pick Sa a admin Lobo924 gt put pick Sa 0 4 abcd admin Lobo924 gt put pick Sa 2 4 cd admin Lobo924 a put pick Sa 2 e admin Lobo924 gt put pick a 5 1000000 fghij put echoes supplied argument to the console tex the
202. ain sweden switzerland Other trademarks and registred trademarks mentioned herein are properties of their respective owners syria taiwan thailand trinidad amp tobago tunisia turkey ukraine united arab emirates united kingdom united states uruguay uzbekistan venezuela viet nam yemen zimbabwe default no_country_set limits wireless settings frequency and transmit power to those which are allowed in the respective country e no_country_set no regulatory domain limitations default ap tx limit integer default 0 limits data rate for each wireless client in bps e 0 no limits default authentication yes no default yes specifies the default action on the clients side for APs that are not in connect list or on the APs side for clients that are not in access list e yes enables AP to register a client even if it is not in access list In turn for client it allows to associate with AP not listed in client s connect list default client tx limit integer default 0 limits each client s transmit data rate in bps Works only if the client is also a Lobo Router e 0 no limits default forwarding yes no default yes to use data forwarding by default or not If set to no the registered clients will not be able to communicate with each other dfs mode none radar detect no radar detect default none used for APs to dynamically select frequency at which this AP will operate e
203. ain the adjacency and the routing information state changes read only integer number of connection state changes Notes The neighbour s list also displays the router itself with 2 Way state Example The following text can be observed just after adding an OSPF network admin Lobo924 routing ospf gt neighbor print router id 10 0 0 204 address 10 0 0 204 priority 1 state 2 Way state changes 0 ls retransmits 0 ls requests 0 db summaries 0 dr id 0 0 0 0 backup dr id 0 0 0 0 admin Lobo924 routing ospf gt General Information Other trademarks and registred trademarks mentioned herein are properties of their respective owners OSPF backup without using a tunnel Let us assume that the link between the routers OSPF Main and OSPF peer 1 is the main one If it goes down we want the traffic switch over to the link going through the router OSPF peer 2 This example shows how to use OSPF for backup purposes if you are controlling all the involved routers and you can run OSPF on them to_peer1 10 1 0 2 i a cost 1 to main 10 2 0 1 to_ main 10 1 0 1 cost 1__ to peer1 10 3 0 2 a i backup 10 3 0 1 For this 1 We introduce an OSPF area with area D 0 0 0 1 which includes all three routers shown on the diagram 2 Only the OSPF Main router will have the default route configured Its interfaces peerl and peer2 will be configured for the OSPF protocol The interface main_gw will not be used for distri
204. al configuration Related Documents e Software Package Management Description IPsec IP Security supports secure encrypted communications over IP networks Encryption After packet is src natted but before putting it into interface queue IPsec policy database is consulted to find out if packet should be encrypted Security Policy Database SPD is a list of rules that have two parts Packet matching packet source destination protocol and ports for TCP and UDP are compared to values in policy rules one after another e Action if rule matches action specified in rule is performed e e accept continue with packet as if there was no IPsec e drop drop packet e encrypt encrypt packet Each SPD rule can be associated with several Security Associations SA that determine packet encryption parameters key algorithm SPI Note that packet can only be encrypted if there is usable SA for policy rule By setting SPD rule security level user can control what happens when there is no valid SA for policy rule e use if there is no valid SA send packet unencrypted like accept rule e acquire send packet unencrypted but ask IKE daemon to establish new SA e require drop packet and ask IKE daemon to establish new SA Decryption When encrypted packet is received for local host after dst nat and input filter the appropriate SA is looked up to decrypt it using packet source destination security protocol and SPI
205. alert reset alert lt interface gt Note that e mail can be sent using system logging action add target email DHCP Option Home menu level ip dhcp server option Description With help of DHCP Option it is possible to define additional custom options for DHCP Server Property Description code integer 1 254 dhcp option code All codes are available at http www iana org assignments bootp dhcp parameters name name descriptive name of the option value text parameter s value in form of a string If the string begins with Ox it is assumed as a Other trademarks and registred trademarks mentioned herein are properties of their respective owners hexadecimal value Notes The defined options you can use in ip dhcp server network submenu According to the DHCP protocol a parameter is returned to the DHCP client only if it requests this parameter specifying the respective code in DHCP request Parameter List code 55 attribute If the code is not included in Parameter List attribute DHCP server will not send it to the DHCP client Example This example shows how to set DHCP server to reply on DHCP client s Hostname request code 12 with value Host A Add an option named Option Hostname with code 12 Hostname and value Host A admin Lobo924 ip dhcp server option gt add name Hostname code 12 value Host A admin Lobo924 ip dhcp server option gt print NAME CODE VALUE 0 Option Hostname 12
206. alf a second so you might have to press Tab several times before the name is actually resolved It is possible to complete not only beginning but also any distinctive substring of a name if there is no exact match console starts looking for words that have string being completed as first letters of a multiple word name or that simply contain letters of this string in the same order If single such word is found it is completed at cursor position For example admin Lobo924 admin Lobo924 admin Lobo924 admin Lobo924 gt interface x TAB _ gt interface export _ gt interface mt TAB _ gt interface monitor traffic _ Additional Information Description Built in Help The console has a built in help which can be accessed by typing General rule is that help shows what you can type in position where the was pressed similarly to pressing Tab key twice but in verbose form and with explanations Internal Item Numbers You can specify multiple items as targets to some commands Almost everywhere where you can write the number of item you can also write a list of numbers admin Lobo924 Flags NAME 0 R etherl 1 R ether2 2 R ether3 3 R ether4 admin Lobo924 admin Lobo924 Flags NAME 0 R etherl 1 R ether2 2 R ether3 3 R ether4 admin Lobo924 gt interface print X disabled D dynamic R running TYPE MTU ether 1500 ether 1500 ether 1500 ether 1
207. alive and reachable If check will fail during this period user will be dropped of the host list and the address used buy the user will be freed e none do not timeout unreachable users profile name default default default HotSpot profile for the interface Command Description reset html name overwrite the existing HotSpot servlet with the original HTML files It is used if you have changed the servlet and it is not working after that Notes addresses per mac property works only if address pool is defined Also note that in case you are authenticating users connected through a router than all the IP addresses will seem to have come from one MAC address Example To add HotSpot system to the local interface allowing the system to do one to one NAT for each client addresses from the HS real address pool will be used for the NAT admin Lobo924 ip hotspot gt add interface local address pool HS real admin Lobo924 ip hotspot gt print Flags X disabled I invalid S HTTPS NAME INTERFACE ADDRESS POOL PROFILE IDLE TIMEOUT 0 hs local local HS real default 00 05 00 admin Lobo924 ip hotspot gt HotSpot Server Profiles Home menu level ip hotspot profile Property Description dns name text DNS name of the HotSpot server This is the DNS name used as the name of the HotSpot server i e it appears as the location of the login page This name will automatically be adde
208. all packets which belong to this connection Other trademarks and registred trademarks mentioned herein are properties of their respective owners 2 3 admin Lobo924 ip firewall mangle gt add src address 192 168 0 1 32 Wakes action mark connection new connection mark server con chain prerouting admin Lobo924 ip firewall mangle gt add connection mark server con Nois action mark packet new packet mark server chain prerouting admin Lobo924 ip firewall mangle gt print Flags X disabled I invalid D dynamic 0 1 chain prerouting src address 192 168 0 1 action mark connection new connection mark server con chain prerouting connection mark server con action mark packet new packet mark server admin Lobo924 ip firewall mangle gt The same for Laptop and Workstation admin Lobo924 ip firewall mangle gt add src address 192 168 0 2 sot action mark connection new connection mark lap_works con chain prerouting admin Lobo924 ip firewall mangle gt add src address 192 168 0 3 Naam action mark connection new connection mark lap_works con chain prerouting admin Lobo924 ip firewall mangle gt add connection mark lap_works con Nef ts action mark packet new packet mark lap_work chain prerouting admin Lobo924 ip firewall mangle gt print Flags X disabled I invalid D dynamic 0 4 admi As y
209. ally 64 1024s sends time requests to NTP server Unicast mode is the only one which uses ntp server and second ntp server parameters broadcast mode NTP client listens for broadcast messages sent by NTP server After receiving first broadcast message client synchronizes local clock using unicast mode and afterwards does not send any packets to that NTP server It uses received broadcast messages to adjust local clock multicast mode acts the same as broadcast mode only instead of broadcast messages IP address 255 255 255 255 multicast messages are received IP address 224 0 1 1 manycast mode actually is unicast mode only with unknown IP address of NTP server To discover NTP server client sends multicast message IP 239 192 1 1 If NTP server is configured to listen for these multicast messages manycast mode is enabled it replies After client receives reply it enters unicast mode and synchronizes to that NTP server But in parallel client continues to look for more NTP servers by sending multicast messages periodically Client Home menu level system ntp client Property Description enabled yes no default no whether the NTP client is enabled or not mode unicast broadcast multicast manycast default unicast NTP client mode primary ntp P address default 0 0 0 0 specifies IP address of the primary NTP server secondary ntp ZP address default 0 0 0 0 specifies IP address of the secondar
210. alm Recy Limit Service Type Session Timeout User Name User Password Wireless Enc Algo Wireless Enc Key Wireless Forward Wireless Skip Dot1x Xmit Limit Troubleshooting SS RFC2865 RFC2865 RFC2865 RFC2865 Other trademarks and registred trademarks mentioned herein are properties of their respective owners Description e My radius server accepts authentication request from the client with Auth Login OK but the user cannot log on The bad replies counter is incrementing under radius monitor This situation can occur if the radius client and server have high delay link between them Try to increase the radius client s timeout to 600ms or more instead of the default 300ms Also double check if the secrets match on client and server Other trademarks and registred trademarks mentioned herein are properties of their respective owners Router User AAA Document revision 2 3 Fri Jul 08 11 58 32 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Description Router User Groups Description Property Description Notes Example Router Users Description Property Description Notes Example Monitoring Active Router Users Description Property Description Example Router User Remote AAA Description Property Description Notes Example General Information Summary This documents provides summary configuration reference and e
211. alue as username in login html change lt type text value S username gt to this line lt input type hidden name user value hsuser gt where hsuser is the username you are providing e To provide predefined value as password in login html change lt input type password gt to this line lt input type hidden name password value hspass gt where hspass is the password you are providing e To send client s MAC address to a registration server in form of https www server serv register html mac XX XX XX XX XX XX change the Login button link in login html to https www server serv register html mac mac you should correct the link to point to your server e To show a banner after user login in alogin html after if popup true add the following line open http your web server your banner page html my banner name you should correct the link to point to the page you want to show e To choose different page shown after login in login html change lt input type hidden name dst value S link orig gt to this line lt input type hidden name dst value http your web server gt you should correct the link to point to your server Other trademarks and registred trademarks mentioned herein are properties of their respective owners e To erase the cookie on logoff in the page containing link to the logout for example in status html
212. ameter is set to 0 and the only one parameter in PPP profile settings is set to yes then the clients might be able to connect only once To resolve this problem one session per host parameter in PPPoE server configuration should be set to yes I can get through the PPPoE link only small packets eg pings You need to change mss of all the packets passing through the PPPoE link to the value of PPPoE link s MTU 40 at least on one of the peers So for PPPoE link with MTU of 1480 admin MT interface pppoe server server gt set 0 max mtu 1440 max mru 1440 admin MT interface pppoe server server gt print Flags X disabled service name mt interface wlanl max mtu 1440 max mru 1440 authentication pap chap mschapl mschap2 keepalive timeout 10 one session per host yes max sessions 0 default profile default admin MT interface pppoe server server gt My windows PPPoE client obtains IP address and default gateway from the Lobo PPPoE server but it cannot ping beyond the PPPoE server and use the Internet PPPoE server is not bridging the clients Configure masquerading for the PPPoE client addresses or make sure you have proper routing for the address space used by the clients or you enable Proxy ARP on the Ethernet interface See the IP Addresses and Address Resolution Protocol ARP Manual My Windows XP client cannot connect to the PPPoE server You have to specify the Service Name in the properties of the XP
213. ameter to reduce the tx power You should set tx power property to an appropriate value as many cards do not have their default setting set to the maximal power it can work on For the cards Lobo is selling SG ABM 20dBm 100mW is the maximal power in 5GHz bands and 18dBm 65mW is the maximal power in 2 4GHz bands For different versions of Atheros chipset there are different value range of ack timeout property 40 NANA 2 aw If the wireless interfaces are put in nstreme dual slave mode all configuration will take place in interface wireless nstreme dual submenu described further on in this manual In that case configuration made in this submenu will be partially ignored WDS cannot be used together with the Nstreme dual Example This example shows how configure a wireless client To see current interface settings admin Lobo924 interface wireless gt print Flags X disabled R running 0 name wlanl mtu 1500 mac address 00 0B 6B 34 54 FB arp enabled disable running check no interface type Atheros AR5213 radio name 000B6B3454FB mode station ssid Lobo frequency mode superchannel country no_country_set antenna gain 0 frequency 2412 band 2 4ghz b scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx pow
214. an contain is determined initially by the amount of physical memory present in the router Thus for example a router with 64 MB of RAM can hold the information about up to 65536 connections but a router with 128 MB RAM increases this value to more than 130000 Please ensure that your router is equipped with sufficient amount of physical memory to properly handle all connections ICMP TYPE CODE values In order to protect your router and attached private networks you need to configure firewall to drop or reject most of ICMP traffic However some ICMP packets are vital to maintain network Other trademarks and registred trademarks mentioned herein are properties of their respective owners reliability or provide troubleshooting services The following is a list of ICMP TYPE CODE values found in good packets It is generally suggested to allow these types of ICMP traffic e 8 0 echo request e 0 0 echo reply Ping e e 11 0 TTL exceeded e 3 3 Port unreachable Trace e 3 4 Fragmentation DF Set Path MTU discovery General suggestion to apply ICMP filtering e Allow ping ICMP Echo Request outbound and Echo Reply messages inbound e Allow traceroute TTL Exceeded and Port Unreachable messages inbound e Allow path MTU ICMP Fragmentation DF Set messages inbound e Block everything else Type of Service Internet paths vary in quality of service they provide They can differ in cost reliability delay and throughput
215. and interface wireless align monitor then it will automatically change the wireless interface s mode from station bridge or ap bridge to alignment only Example admin Lobo924 interface wireless align gt print frame size 300 active mode yes receive all yes audio monitor 00 00 00 00 00 00 filter mac 00 00 00 00 00 00 ssid all no frames per second 25 audio min 100 audio max 20 admin Lobo924 interface wireless align gt Align Monitor Command name interface wireless align monitor Description This command is used to monitor current signal parameters to from a remote host Property Description address read only MAC address MAC address of the remote host avg rxq read only integer average signal strength of received packets since last display update on screen correct read only percentage how many undamaged packets were received Other trademarks and registred trademarks mentioned herein are properties of their respective owners last rx read only time time in seconds before the last packet was received last tx read only time time in seconds when the last TXQ info was received rxq read only integer signal strength of last received packet ssid read only text service set identifier txq read only integer the last received signal strength from our host to the remote one Example admin Lobo924 interface wireless align gt monitor wlan2 ADDRESS SSID RXQ AVG RXQ LAST RX
216. and 2 4ghz b g scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode dynamic wds default bridge bridgel wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both admin WDS_AP interface wireless gt Now configure the WDS station and put the wireless wlan1 and ethernet Local interfaces into a Other trademarks and registred trademarks mentioned herein are properties of their respective owners bridge admin WDS_Station gt interface bridge admin WDS_Station interface bridge gt add admin WDS_Station interface bridge gt print Flags O R Xx disabled R running name bridge1 mtu 1500 arp enabled mac address 11 05 00 00 02 00 stp no priority 32768 ageing time 5m forward delay 15s garbage collection interval 4s hello time 2s max mess
217. anism though it is better than no encryption at all The configuration of WEP is quite simple using Lobo OSB security profiles Property Description group key update time default 5m how often to update group key This parameter is used only if the wireless card is configured as an Access Point mode none static keys optional static keys required wpa psk default none security mode e none do not encrypt packets and do not accept encrypted packets static keys optional if there is a static sta private key set use it Otherwise if the interface is set in an AP mode do not use encryption if the the interface is in station mode use encryption if the static transmit key is set e static keys required encrypt all packets and accept only encrypted packets e wpa psk use WPA Pre Shared Key mode name name descriptive name for the security profile pre shared key text default string which is used as the WPA Pre Shared Key It must be the same on AP and station to communicate radius mac authentication no yes default no whether to use Radius server for MAC Other trademarks and registred trademarks mentioned herein are properties of their respective owners authentication static algo 0 none 40bit wep 104bit wep aes ccm tkip default none which encryption algorithm to use e none do not use encryption and do not accept encrypted packets e 40bit wep use the 40bit encryption al
218. arding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both admin Station interface wireless gt ip address admin Station ip address gt add address 10 1 0 2 24 interface To AP admin Station ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 172 16 0 2 24 L721 6 0 0 LIZ 16 0259 To AP 1 192 168 2 3 24 192 168 2 0 192 168 2 255 To AP 2 10 1 0 2 24 10 1 0 0 10 1 0 255 To AP admin Station ip address gt Check whether you can ping the Access Point from Station admin Station gt ping 10 1 0 1 10 1 0 1 64 byte ping ttl 64 time 3 ms Other trademarks and registred trademarks mentioned herein are properties of their respective owners 10 1 0 1 64 byte ping tt1l 64 time 3 ms 10 1 0 1 64 byte ping tt1l 64 time 3 ms 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 3 3 0 3 ms admin Station gt WDS Station Using 802 11 set of standards you cannot simply bridge wireless stations To solve this problem the wds station mode was created it works just like a station but connects only to APs that support WDS This example shows you how to make a transparent network using the Station WDS feature On WDS Access Point e Configure A
219. are set as primary and secondary servers respectively In case one DNS server was received it is put as primary server and the secondary server is left intact Example To add a DHCP client on ether interface ip dhcp client add interface etherl disabled no admin Lobo924 ip dhcp client gt print detail Flags X disabled I invalid 0 interface etherl add default route no use peer dns no status bound address 192 168 25 100 24 dhcp server 10 10 10 1 expires after 2d21 25 12 admin Lobo924 ip dhcp client gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners DHCP Server Setup Home menu level ip dhcp server Description The router supports an individual server for each Ethernet like interface The Lobo OSB DHCP server supports the basic functions of giving each requesting client an IP address netmask lease default gateway domain name DNS server s and WINS server s for Windows clients information set up in the DHCP networks submenu In order DHCP server to work you must set up also IP pools do not include the DHCP server s IP address into the pool range and DHCP networks It is also possible to hand out leases for DHCP clients using the RADIUS server here are listed the parameters for used in RADIUS server Access Request e NAS Identifier router identity e NAS IP Address IP address of the router itself e NAS Port unique session ID NAS
220. arp admin RemoteOffice interfac thernet gt L2TP Setup for Windows Microsoft provides L2TP client support for Windows XP 2000 NT4 ME and 98 Windows 2000 and XP include support in the Windows setup or automatically install L2TP For 98 NT and ME installation requires a download from Microsoft L2TP IPsec VPN Client For more information see Microsoft L2TP IPsec VPN Client Microsoft L2TP IPsec VPN Client On Windows 2000 L2TP setup without IPsec requires editing registry Disabling IPsec for the Windows 2000 Client Disabling IPSEC Policy Used with L2TP Troubleshooting Description Other trademarks and registred trademarks mentioned herein are properties of their respective owners e use firewall and I cannot establish L2TP connection Make sure UDP connections can pass through both directions between your sites e My Windows L2TP IPsec VPN Client fails to connect to L2TP server with Error 789 or Error 781 The error messages 789 and 781 occur when IPsec is not configured properly on both ends See the respective documentation on how to configure IPsec in the Microsoft L2TP IPsec VPN Client and in the Lobo OSB If you do not want to use IPsec it can be easily switched off on the client side Note if you are using Windows 2000 you need to edit system registry using regedt32 exe or regedit exe Add the following registry value to HKEY_LOCAL_MACHINE System CurrentControlSet Services Rasman Parameters Value Name
221. ased by 40 so for 1500 byte Ethernet link set the MTU to 1460 to avoid fragmentation of packets mru integer default 1460 Maximum Receive Unit The optimal value is the MRU of the interface the tunnel is working over decreased by 40 so for 1500 byte Ethernet link set the MRU to 1460 to avoid fragmentation of packets authentication multiple choice pap chap mschapl mschap2 default mschap2 authentication algorithm default profile default profile to use Example To enable L2TP server admin Lobo924 interface 12tp server server gt set enabled yes admin Lobo924 interface 12tp server server gt print enabled yes mtu 1460 mru 1460 authentication mschap2 default profile default admin Lobo924 interface 12tp server server gt L2TP Server Users Home menu level interface I2tp server Description There are two types of items in L2TP server configuration static users and dynamic connections A dynamic connection can be established if the user database or the default profile has its local address and remote address set correctly When static users are added the default profile may be left with its default values and only PPP user in ppp secret should be configured Note that in both cases PPP users must be configured properly Property Description name name interface name user text the name of the user that is configured statically or added dynamically mtu shows client s MT
222. ask port default 0 0 0 0 32 any source IP address tunnel yes no default no specifies whether to use tunnel mode Notes All packets are IPIP encapsulated in tunnel mode and their new IP header sre address and dst address are set to sa src address and sa dst address values of this policy If you do not use tunnel mode id est you use transport mode then only packets whose source and destination addresses are the same as sa sre address and sa dst address can be processed by this policy Transport mode can only work with packets that originate at and are destined for IPsec peers hosts that established security associations To encrypt traffic between networks or a network and a host you have to use tunnel mode It is good to have dont fragment cleared because encrypted packets are always bigger than original and thus they may need fragmentation If you are using IKE to establish SAs automatically then policies on both routers must exactly match each other id est src address 1 2 3 0 27 on one router and dst address 1 2 3 0 28 on another would not work Source address values on one router MUST be equal to destination address Other trademarks and registred trademarks mentioned herein are properties of their respective owners values on the other one and vice versa Example To add a policy to encrypt all the traffic between two hosts 10 0 0 147 and 10 0 0 148 we need do the following admin WiFi ip ipsec policy gt add
223. assword web 3 name test policy ssh read policy local telnet ftp reboot write test winbox password web fadmin rb13 gt Exclamation sign just before policy item name means NOT Example To add reboot group that is allowed to reboot the router locally or using telnet as well as read the router s configuration enter the following command admin rb13 user group gt add name reboot policy telnet reboot read local admin rb13 user group gt print 0 name read policy local telnet ssh reboot read test winbox password web ftp write policy 1 name write policy local telnet ssh reboot read write test winbox password web ftp policy 2 name full policy local telnet ssh ftp reboot read write policy test winbox password web 3 name reboot policy local telnet reboot read ssh ftp write policy test winbox password web admin rb13 user group gt Router Users Home menu level user Description Router user database stores the information such as username password allowed access addresses and group about router management personnel Property Description address IP address netmask default 0 0 0 0 0 host or network address from which the user is allowed to log in group name name of the group the user belongs to name name user name Although it must start with an alphanumeric character it may contain MRI ae ee and
224. ate 30secs admin office2 ip address gt add address 3 3 3 2 24 interface bondingl admin office2 ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 22 etic Vf 24 2 22240 Zi Lit 20 isp2 T 10 1 0 112 24 10 1 0 0 10 1 0 255 ispl 2 3 3 3 2 24 S E FOS LO 3 313820 9 bondingl a n office2 ip address gt ping 3 3 3 1 admi 3 3 3 1 64 byte ping ttl 64 time 2 ms Other trademarks and registred trademarks mentioned herein are properties of their respective owners 3 3 3 1 64 byte ping ttl 64 time 2 ms 2 packets transmitted 2 packets received 0 packet loss round trip min avg max 2 2 0 2 ms Other trademarks and registred trademarks mentioned herein are properties of their respective owners Bridge Document revision 2 1 Fri May 13 12 36 08 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Summary Quick Setup Guide Related Documents Description Additional Documents Bridge Interface Setup Description Property Description Example Port Settings Description Property Description Example Bridge Monitoring Description Property Description Example Bridge Port Monitoring Description Property Description Example Bridge Host Monitoring Property Description Example Bridge Firewall General Description Description Property Description Notes Bridge Packet Filter Description P
225. ateway read only IP address last gateway on the route to destination metric read only integer distance vector length to the destination network from IP address specifies the IP address of the router from which the route was received Notes This list shows routes learned by all dynamic routing protocols RIP OSPF and BGP Other trademarks and registred trademarks mentioned herein are properties of their respective owners Example To view the list of the routes admin Lobo924 routing rip route gt print Flags S static R rip O ospf connect B bgp 0 O dst address 0 0 0 0 32 gateway 10 7 1 254 metric 1 from 0 0 0 0 33 R dst address 159 148 10 104 29 gateway 10 6 1 1 metric 2 from 10 6 1 1 34 R dst address 159 148 10 112 28 gateway 10 6 1 1 metric 2 from 10 6 1 1 admin Lobo924 routing rip route gt General Information Example Let us consider an example of routing information exchange between Lobo router a Cisco router and the ISP also Lobo routers Serial 1 192 168 1 2 32 ISP 192 168 1 1 30 Cisco Internet Leased Ethernet0 Line 10 0 0 26 24 Local 10 0 0 0 24 ether1 10 0 0 1 74 24 Remote 192 168 0 0 24 92 168 0 1 24 e Lobo Router Configuration admin Lobo924 gt interface print Flags X disabled D dynamic R running NAME TYPE MTU Other trademarks and registred trademarks mentioned herein are properties of their respec
226. ation unit name e common name CN the server s common name For SSL web servers this must be the fully qualified domain name FQDN of the server that will use this certificate like www example com This is checked by web browsers e email address Email e mail address of the person responsible for the certificate e challenge password the challenge password It s use depends on your CA It may be used to revoke this certificate e unstructured address unstructured address like street address Enter only if your CA accepts or requires it Notes Server certificates may have ca property set to no but Certificate Authority certificates must have it set to yes Certificates and encrypted private keys are imported from and exported to the router s FTP server Public keys are not stored on a router in unencrypted form Cached decrypted private keys are stored in encrypted form using key that is derived from the router ID Passphrases are not stored on router Configuration backup does not include cached decrypted private keys After restoring backup all certificates with private keys must be decrypted again using decrypt command with the correct passphrase No other certificate operations are possible while generating a key When making a certificate request you may leave some of the fields empty CA may reject your certificate request if some of these values are incorrect or missing so please check what are the Other tradema
227. balancing mode balance alb does not work on some cheap cards Other trademarks and registred trademarks mentioned herein are properties of their respective owners General Information Bonding two Eoip tunnels Assume you need to configure the Lobo router for the following network setup where you have two offices with 2 ISP for each You want combine links for getting double speed and provide failover We are assuming that connections to Internet through two ISP are configured for both routers e Configuration on routers e on Officel admin officel gt interface print Flags X disabled D dynamic R running NAME TYPE RX RATE TX RATE MTU 0O R ispl ether 0 O 1500 R isp2 ether 0 0 1500 admin officel gt ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 1 1 1 1 24 Ls e Dedede Zio isp2 10 1 0 111 24 LO 160730 10 1 50 255 ispl on Office2 admin office2 interface gt print Flags X disabled D dynamic R running NAME TYPE RX RATE TX RATE MTU 0 R isp2 ether 0 0 1500 R ispl ether 0 0 1500 admin office2 interface gt ip add print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 2 2 2 1 24 2e2e2e0 2 202 299 isp2 10 1 0 112 24 10 1 0 0 10 1 0 255 ispl e Eoip tunnel confguration e for Officel through ISP1 admin offic
228. be fragmented interval time 10ms 5s default 1s delay between messages size integer 28 65535 default 64 size of the IP packet in bytes including the IP and ICMP headers ttl integer 1 255 default 255 time To Live TTL value of the ICMP packet src address ZP address Source address for ping Notes If DNS service is configured it is possible to ping by DNS address To do it from Winbox you should resolve DNS address first pressing right mouse button over its address and choosing Lookup Address You cannot ping with packets larger that the MTU of that interface so the packet size should always be equal or less than MTU If pinging by MAC address minimal packet size iz 50 bytes Only neighbour Lobo OSB routers with MAC ping feature enabled can be pinged by MAC address Example of ping command An example of Ping command pi 159 148 95 16 count 5 interval 500ms 159 148 95 16 64 byte ping ttl 59 time 21 ms 159 148 95 16 ping timeout 159 148 95 16 ping timeout 159 148 95 16 ping timeout 159 148 95 16 64 byte ping ttl 59 time 16 ms 5 packets transmitted 2 packets received 60 packet loss round trip min avg max 16 18 5 21 ms admin Lobo924 gt Resolve IP address To resolve IP address from a DNS name type the command ping www google lv Other trademarks and registred trademarks mentioned herein are properties of their respective owners and press the Tab key admin Lobo924
229. binding IP addresses to hosts on hotspot interfaces ip hotspot service port address translation helpers for the one to one NAT ip hotspot walled garden Walled Garden rules at HTTP level DNS names HTTP request substrings ip hotspot walled garden ip Walled Garden rules at IP level IP addresses IP protocols e ip hotspot user local HotSpot system users ip hotspot user profile local HotSpot system users profiles user groups ip hotspot active dynamic list of all authenticated HotSpot users ip hotspot cookie dynamic list of all valid HTTP cookies Question amp Answer Based Setup Command name ip hotspot setup Command Description address pool of network name IP address pool for the HotSpot network dns name text DNS domain name of the HotSpot gateway will be statically configured on the local DNS proxy dns servers IP address IP address DNS servers for HotSpot clients hotspot interface name interface to run HotSpot on ip address of smtp server IP address default 0 0 0 0 IP address of the SMTP server to redirect SMTP requests TCP port 25 to e 0 0 0 0 no redirect local address of network IP address default 10 5 50 1 24 HotSpot gateway address for the interface masquerade network yes no default yes whether to masquerade the HotSpot network name of local hotspot user text default admin username of one automatically created user Other trademarks a
230. ble to a particular user Example To add the user ex with password Ikjrht and profile ex available for PPTP service only enter the following command admin rb13 ppp secret gt add name ex password lkjrht service pptp profile ex admin rb13 ppp secret gt print Flags X disabled NAME SERVICE CALLER ID PASSWORD PROFILE REMOTE ADDRESS 0 ex pptp lkjrht ex 0 0 0 0 admin rb13 ppp secret gt Monitoring Active PPP Users Command name ppp active print Property Description address read only IP address IP address the client got from the server bytes read only integer integer amount of bytes transfered through tis connection First figure represents amount of transmitted traffic from the router s point of view while the second one shows amount of received traffic caller id read only text for PPTP and L2TP it is the IP address the client connected from For PPPoE it is the MAC address the client connected from For ISDN it is the caller s number the client dialed in from _ no restrictions on where clients may connect from encoding read only text shows encryption and encoding separated with if asymmetric being used in this connection limit bytes in read only integer maximal amount of bytes the user is allowed to send to the router limit bytes out read only integer maximal amount of bytes the router is allowed to send to the client Other trademarks a
231. bo OSB routers connected with a hub Interfaces to the physical network where VLAN is to be created is ether1 for all of them it is needed only for example simplification it is NOT a must To connect computers through VLAN they must be connected physically and unique IP addresses should be assigned them so that they could ping each other Then on each of them the VLAN interface should be created admin Lobo924 interface vlan gt add name test vlan id 32 interface etherl admin Lobo924 interface vlan gt print Flags X disabled R running NAME MTU ARP VLAN ID INTERFACE 0 R test 1500 enabled 32 ether1 admin Lobo924 interface vlan gt If the interfaces were successfully created both of them will be running If computers are connected incorrectly through network device that does not retransmit or forward VLAN packets either both or one of the interfaces will not be running When the interface is running IP addresses can be assigned to the VLAN interfaces On the Router 1 admin Lobo924 ip address gt add address 10 10 10 1 24 interface test admin Lobo924 ip address gt print Flags X disabled I invalid D dynamic 4 ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 204 24 10 0 0 0 10 0 0 255 etherl 1 10 20 0 1 24 10 20 0 0 10 20 0 255 pel 2 10 10 10 1 24 104 2010 0 10410 107255 test admin Lobo924 ip address gt On the Router 2 admin Lobo924 ip address gt add address 10
232. bo reference dictionary which incorporates all the needed RADIUS attributes This dictionary is the minimal dictionary which is enough to support all features of Lobo OSB It is designed for FreeRADIUS but may also be used with many other UNIX RADIUS servers eg XTRadius Note that it may conflict with the default configuration files of RADIUS server which have references to the Attributes absent in this dictionary Please correct the configuration files not the dictionary as no other Attributes are supported by Lobo OSB Definitions e PPPs PPP PPTP PPPoE and ISDN e default configuration settings in default profile for PPPs or HotSpot server settings for HotSpot Access Request e Service Type always is Framed only for PPPs e Framed Protocol always is PPP only for PPPs e NAS Identifier router identity NAS IP Address IP address of the router itself e NAS Port unique session ID e NAS Port Type async PPP Async PPTP and L2TP Virtual PPPoE Ethernet ISDN ISDN Sync HotSpot Ethernet Cable Wireless 802 11 according to the value of nas port type parameter in ip hotspot profile e Calling Station Id PPPoE client MAC address with capital letters PPTP and L2TP client public IP address HotSpot MAC address of the client if it is known or IP address of the client if MAC address is unknown ISDN client MSN e Called Station Id PPPoE service name PPTP and L2TP serve
233. both HTTP and HTTP proxy requests are processed by the same code HTTPS proxy is listening on the 64875 port Redirect for SMTP protocol may also be defined in the HotSpot configuration In case it is a redirect rule will be put in the hs smtp chain This is done so that users with unknown SMTP configuration would be able to send their mail through the service provider s your SMTP server instead of going to possibly unavailable outside their network of origin the SMTP server users have configured in their computers Providing HTTP proxy service for authorized users Authenticated user requests may need to be subject to the transparent proxying the Universal Proxy technique and for the advertisement feature This http mark is put automatically on the HTTP proxy requests to the servers detected by the HotSpot HTTP proxy the one that is listening on the 64874 port to be HTTP proxy requests to unknown proxy servers This is done so that users that have some proxy settings would use the HotSpot gateway instead of the possibly unavailable outside their network of origin proxy server users have configured in their computers The mark is as well put on any HTTP requests done form the users whoose profile is configured to transparently proxy their requests Providing SMTP proxy for authorized users the same as in rule 12 Packet filter rules From ip firewall filter print dynamic command you can get something like this comments follow after
234. bps on ether1 admin Lobo924 system script gt add name eth up source interfac nabl ther2 admin Lobo924 system script gt add name eth down source interface disable ether2 admin Lobo924 system script gt tool traffic monitor admin Lobo924 tool traffic monitor gt add name turn_on interface etherl on event eth up threshold 15000 trigger above traffic received admin Lobo924 tool traffic monitor gt add name turn_off interface etherl on event eth down threshold 12000 trigger below traffic received admin Lobo924 tool traffic monitor gt print Flags X disabled I invalid NAME INTERFACE TRAFFIC TRIGGER THRESHOLD ON EVENT 0 turn_on etherl received above 15000 eth up 1 turn_off etherl received below 12000 eth down admin Lobo924 tool traffic monitor gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners System Watchdog Document revision 1 2 Tue Mar 09 08 45 49 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Hardware Watchdog Management Description Property Description Example General Information Summary System watchdog feature is needed to reboot the system in case of software failures Specifications Packages required system License required levell Home menu level system watchdog Hardware usage Not significa
235. buting the OSPF routing information 3 The routers OSPF peer 1 and OSPF peer 2 will distribute their connected route information and receive the default route using the OSPF protocol Now let s setup the OSPF_MAIN router The router should have 3 NICs admin OSPF_MAIN interface gt print Flags X disabled D dynamic R running NAME TYPE RX RATE TX RATE MTU 0 R main_gw ether 0 0 1500 1 R to_peer_1 ether 0 0 1500 Other trademarks and registred trademarks mentioned herein are properties of their respective owners 2 R to_peer_2 ether 0 0 1500 Add all needed ip addresses to interfaces as it is shown here admin OSPF_MAIN ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 192 168 0 11 24 T92 1680 40 192 168 0 255 main_gw T 10 1 0 2 24 10 1 0 0 TOs 1 0255 to_peer_1 2 10 2 0 2 24 10 2 0 0 10 2 0 255 to_peer_2 You should set distribute default as if installed as type 2 redistribute connected as as type 1 and redistribute static as as type 2 Metric connected metric static metric rip metric bgp should be zero admin OSPF_MAIN routing ospf gt print router id 0 0 0 0 distribute default if installed as type 2 redistribute connected as type 1l redistribute static as type 2 redistribute rip no redistribute bgp no metric default metric connected metric static metric rip metric bgp OOOOF Define
236. c address 00 0B 6B 30 B4 A4 arp enabled disable running check no tx radio wlanl rx radio wlan2 Other trademarks and registred trademarks mentioned herein are properties of their respective owners remote mac 00 0C 42 05 0B 12 tx band 5GHz tx frequency 5180 rates b 1Mbps 2Mbps 5 5Mbps 11Mbps rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps rx band 5GHz rx frequency 5320 framer policy exact siz framer limit 4000 Registration Table Home menu level Ainterface wireless registration table Description In the registration table you can see various information about currently connected clients It is used only for Access Points Property Description ap read only no yes whether the connected device is an Access Point or not bytes read only integer integer number of sent and received packet bytes frames read only integer integer number of sent and received 802 11 data frames excluding retransmitted data frames frame bytes read only integer integer number of sent and received data bytes excluding header information framing current size read only integer current size of combined frames framing limit read only integer maximal size of combined frames framing mode read only none best fit exact size default none the method how to combine frames hw frames read only integer integer number of sent and received 802 11 data frames including retran
237. cation server IP address RX read only integer bytes received src address read only IP address source application client IP address TX read only integer bytes sent Example To see current TCP connections admin Lobo924 ip socks connections gt print SRC ADDRESS DST ADDRESS TX RX 0 192 168 0 2 3242 159 148 147 196 80 4847 2880 1 192 168 0 2 3243 159 148 147 196 80 3408 2127 2 192 168 0 2 3246 159 148 95 16 80 10172 25207 3 192 168 0 2 3248 194 8 18 26 80 474 1629 4 192 168 0 2 3249 159 148 95 16 80 6477 18695 5 192 168 0 2 3250 159 148 95 16 80 4137 27568 6 192 168 0 2 3251 159 148 95 16 80 1712 14296 7 192 168 0 2 3258 80 91 34 241 80 314 208 8 192 168 0 2 3259 80 91 34 241 80 934 524 9 192 168 0 2 3260 80 91 34 241 80 930 524 10 192 168 0 2 3261 80 91 34 241 80 312 158 11 192 168 0 2 3262 80 91 34 241 80 312 158 admin Lobo924 ip socks connections gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners General Information FTP service through SOCKS server Let us consider that we have a network 192 168 0 0 24 which is masqueraded using a router with a public IP 10 1 0 104 24 and a private IP 192 168 0 1 24 Somewhere in the network is an FTP server with IP address 10 5 8 8 We want to allow access to this FTP server for a client in our local network with IP address 192 168 0 2 24 We have already masqueraded our local network admin L
238. ce QoS means that the router should prioritize and shape network traffic QoS is not so much about limiting it is more about providing quality Below are listed the some features of Lobo OSB Bandwidth Control mechanism limit data rate for certain IP adresses subnets protocols ports and other parameters e limit peer to peer traffic e prioritize some packet flows over others e use queue bursts for faster WEB browsing e apply queues on fixed time intervals e share available traffic among users equally or depending on the load of the channel The queuing is applied on packets leaving the router through a real interface i e the queues are applied on the outgoing interface regarding the traffic flow or any of the 3 additional virtual interfaces global in global out global total The QoS is performed by means of dropping packets In case of TCP protocol the dropped packets will be resent so there is no need to worry that with shaping we lose some TCP information The main terms used to describe the level of QoS for network applications are e queuing discipline qdisc an algorithm that holds and maintains a queue of packets It specifies the order of the outgoing packets it means that queuing discipline can reorder packets and which packets to drop if there is no space for them e CIR Committed Information Rate the guaranteed data rate It means that traffic rate not exceeding this value should always be delivered
239. ce ToInternet 192 168 80 1 24 RemoteOffice Interface ToInternet 192 168 81 1 24 Interface LocalRemoteOffice 10 150 1 254 24 Each router is connected to a different ISP One router can access another router through the Internet Other trademarks and registred trademarks mentioned herein are properties of their respective owners On the L2TP server a user must be set up for the client admin HomeOffice ppp secret gt add name ex service l12tp password lkjrht local address 10 0 103 1 remote address 10 0 103 2 admin HomeOffice ppp secret gt print detail Flags X disabled 0 name ex service l12tp caller local address 10 0 103 1 remot id password l1kjrht profile default admin HomeOffice ppp secret gt address 10 0 103 2 routes Then the user should be added in the L2TP server list admin HomeOffice interface 12tp s rver gt add user ex admin HomeOffice interface 12tp s Flags X disabled D dynamic R NAME USER 0 12tp inl ex rver gt print running MTU CLIENT ADDRESS UPTIME ENC admin HomeOffice interface 12tp s And finally the server must be enabled rver gt admin HomeOffice interface 12tp s rver server gt set enabled yes admin HomeOffice interface 12tp s enabled yes mtu 1460 mru 1460 authentication mschap2 default profile default admin HomeOffice interface 12tp s rver server gt print rv
240. cend Xmit Rate specifies rx rate 0 if unlimited e Ascend Xmit Rate tx data rate limitation It may be used to specify tx limit only instead of sending two sequental Ascend Data Rate attributes in that case Ascend Data Rate will specify the receive rate 0 if unlimited e MS CHAP2 Success auth response if MS CHAPv2 was used for PPPs only e MS MPPE Send Key MS MPPE Recv Key encryption keys for encrypted PPPs provided by RADIUS server only is MS CHAPv 2 was used as authentication for PPPs only e Ascend Client Gateway client gateway for DHCP pool HotSpot login method HotSpot only e Recv Limit total receive limit in bytes for the client e Xmit Limit total transmit limit in bytes for the client e Wireless Forward not forward the client s frames back to the wireless infrastructure if this attribute is set to 0 Wireless only e Wireless Skip Dot1x disable 802 1x authentication for the particulat wireless client if set to non zero value Wireless only e Wireless Enc Algo WEP encryption algorithm 0 no encryption 1 40 bit WEP 2 104 bit WEP Wireless only e Wireless Enc Key WEP encruption key for the client Wireless only e Rate Limit Datarate limitation for clients Format is rx rate tx rate rx burst rate tx burst rate rx burst threshold tx burst threshold rx burst time tx burst time All rates should be numbers with optional k 1 000s or M 1 000 000s If tx rate is not specified
241. cepting changes e Ctrl x exits editor discarding changes Other trademarks and registred trademarks mentioned herein are properties of their respective owners edit name opens the script specified by the name argument in full screen editor All characters that are deleted by backspace delete or Ctrl k keys are accumulated in the buffer Pressing any other key finishes adding to this buffer Ctrl y can paste it s contents and the next delete operation will replace it s contents Undo doesn t change contents of cut buffer Script editor works only on VT102 compatible terminals terminal names vt102 linux xterm rxvt are recognized as VT102 at the moment Delete backspace and cursor keys might not work with all terminal programs use Ctrl alternatives in such cases The following example shows the script editor window with a sample script open quit c q savwecqguit undo cut line paste This script is used for writing message hello and 3 messages kuku to the system log Other trademarks and registred trademarks mentioned herein are properties of their respective owners Scheduler Document revision 0 9 Wed Nov 24 12 48 55 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Scheduler Configuration Description Property Description Notes Example General Information Summary System Scheduler executes scripts at d
242. change open S link logout hotspot_logout to this open S link logout erase cookie on hotspot_logout or alternatively add this line lt input type hidden name erase cookie value on gt before this one lt input type submit value log off gt An another example is making HotSpot to authenticate on a remote server which may for example perform creditcard charging Allow direct access to the external server in walled garden either HTTP based or IP based e Modify login page of the HotSpot servlet to redirect to the external authentication server The external server should modify RADIUS database as needed Here is an example of such a login page to put on the HotSpot router it is redirecting to https auth example com login php replace with the actual address of an external authentication server lt html gt lt title gt lt title gt lt body gt lt form name redirect action https auth example com login php method post gt lt input type hidden name mac value mac gt lt input type hidden name ip value ip gt lt input type hidden name user value username gt lt input type hidden name Link login value link login gt lt input type hidden name link orig value S link orig gt lt input type hidden name error value error gt lt form gt lt script language JavaScript gt lt document redirect subm
243. ck timeout Ack timeout values by which ACK frame was received are saved and used later to determine the real ack timeout The Nstreme protocol may be operated in three modes Point to Point mode controlled point to point mode with one radio on each side Dual radio Point to Point mode Nstreme2 the protocol will use two radios on both sides simultaneously one for transmitting data and one for receiving allowing superfast point to point connection e Point to Multipoint controlled point to multipoint mode with client polling like AP controlled TokenRing Wireless Interface Configuration Home menu level interface wireless Description In this section we will discuss the most important part of the configuration Property Description ack timeout integer dynamic indoors acknowledgement code timeout transmission acceptance timeout in microseconds for acknowledgement messages Can be one of these e dynamic ack timeout is chosen automatically e indoors standard constant for indoor usage Other trademarks and registred trademarks mentioned herein are properties of their respective owners antenna gain integer default 0 antenna gain in dBi This parameter will be used to calculate whether your system meets regulatory domain s requirements in your country antenna mode ant a ant b rxa txb txa rxb default ant a which antenna to use for transmit receive data e ant a use only antenna a e ant b
244. ckets that are dropped because of exceeding memory limit memory saved packets read only integer how many packets are stored in mermory memory size read only integer how much memory is currently used for sniffed packets kB processed packets read only integer number of sniffed packets real file limit read only integer the real file size limit It is calculated from the beginning of sniffing to reserve at least IMB free space on the disk real memory limit read only integer the real memory size limit It is calculated from the beginning of sniffing to reserve at least 1MB of free space in the memory stream dropped packets read only integer number of packets that are dropped because of exceeding streaming max rate stream sent packets read only integer number of packets that are sent to the streaming server Other trademarks and registred trademarks mentioned herein are properties of their respective owners Command Description save saves sniffed packets from the memory to file name in PCAP format Sniffer Packets Description Wireless Sniffer sniffed packets If packets Cyclic Redundancy Check CRC field detects error it will be displayed by crc error flag Property Description dst read only MAC address the receiver s MAC address freq read only integer frequency interface read only text wireless interface that captures packets signal rate read only text at which signal st
245. col e egp Exterior Gateway Protocol e pup Parc Universal packet Protocol e udp User Datagram Protocol e hmp Host Monitoring Protocol e xns idp Xerox ns idp e rdp Reliable Datagram Protocol e iso tp4 ISO Transport Protocol class 4 e xtp Xpress Transfer Protocol e ddp Datagram Delivery Protocol e idpr cmtp idpr Control Message Transport e gre General Routing Encapsulation e esp IPsec ESP protocol e ah IPsec AH protocol e rspf Radio Shortest Path First e vmtp Versatile Message Transport Protocol Other trademarks and registred trademarks mentioned herein are properties of their respective owners ospf Open Shortest Path First e ipip IP encapsulation protocol 4 e encap IP encapsulation protocol 98 protocol read only ip arp rarp ipx ipv6 the name number of ethernet protocol e ip Internet Protocol e arp Address Resolution Protocol e rarp Reverse Address Resolution Protocol e ipx Internet Packet exchange protocol ipv6 Internet Protocol next generation size read only integer size of packet src address JP address source address time read only time time when packet arrived tos read only integer IP Type Of Service ttl read only integer IP Time To Live Example In the example below it s seen how to get the list of sniffed packets admin Lobo924 tool sniffer packet gt pr TIME INTERFACE SR
246. conds prints the oid value which is useful for SNMP prints the output without paging to see printed output which does not fit in the screen use Shift PgUp key combination It is possible to sort print output Like this admin Lobo924 interface gt print type ether Flags X disabled D dynamic R running NAME TYPE RX RATE TX RATE MTU 0 R ispil ether 0 0 1500 1 R isp2 ether 0 0 1500 admin Lobo924 interface gt set allows you to change values of general parameters or item parameters The set command has arguments with names corresponding to values you can change Use or double Tab to see list of all arguments If there is a list of items in this command level then set has one action argument that accepts the number of item or list of numbers you wish to set up This command does not return anything add this command usually has all the same arguments as set except the action number argument It adds a new item with values you have specified usually to the end of list in places where order is relevant There are some values that you have to supply like the interface for a new route other values are set to defaults unless you explicitly specify them Copies an existing item It takes default values of new item s properties from another item If you do not want to make exact copy you can specify new values for some properties When copying items that have names you will usually have to give a
247. cription UPnP enables data communication between any two devices under the command of any control device on the network Universal Plug and Play is completely independent of any particular physical medium It supports networking with automatic discovery without any initial configuration whereby a device can dynamically join a network DHCP and DNS servers are optional and will be used if available on the network UPnP implements simple yet powerfull NAT traversal solution that enables the client to get full peer to peer network support from behind the NAT There are two interface types for UPnP internal the one local clients are connected to and external the one the Internet is connected to A router may only have one external interface with a public Other trademarks and registred trademarks mentioned herein are properties of their respective owners IP address on it and as many internal IP addresses as needed all with source NATted internal IP addresses The UPnP protocol is used for most of DirectX games as well as for various Windows Messenger features remote asisstance application sharing file transfer voice video from behind a firewall Additional Documents Enabling Universal Plug n Play Home menu level Ap upnp Property Description allow disable external interface yes no default yes whether or not should the users be allowed to disable router s external interface This functionality for users to be able
248. ction e initiator phase negotiation was started by this router e responder phase 1 negotiation was started by peer state read only text state of phase 1 negotiation with the peer e estabilished normal working state Example To see currently estabilished SAs admin WiFi ip ipsec gt remote peers print 0 local address 10 0 0 148 remote address 10 0 0 147 state established side initiator established jan 25 2003 03 34 45 ph2 active 0 ph2 total 1 admin WiFi ip ipsec gt Installed SAs Home menu level ip ipsec installed sa Description This facility provides information about installed security associations including the keys Property Description add lifetime read only time soft hard expiration time counted from installation of SA auth algorithm multiple choice read only none md5 sha authentication algorithm used in SA auth key read only text authentication key presented in form of hex string current addtime read only text time when this SA was installed Other trademarks and registred trademarks mentioned herein are properties of their respective owners current bytes read only integer amount of data processed by this SA s crypto algorithms current usetime read only text time when this SA was first used direction multiple choice read only in out SA direction dst address read only IP address destination address of SA taken from respective policy e
249. cy 5180 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both 1 name wlan2 mtu 1500 mac address 00 0C 42 05 06 B2 arp enabled disable running check no interface type Atheros AR5413 radio name 000C420506B2 mode nstreme dual slave ssid Lobo area frequency mode superchannel country no_country_set antenna gain 0 frequency 5180 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast
250. d dst port integer 0 65535 integer 0 65535 destination port number or range packet mark text matches packets marked via mangle facility with particular packet mark hotspot multiple choice from client auth local dst http matches packets received from clients against various Hot Spot All values can be negated e from client true if a packet comes from HotSpot client e auth true if a packet comes from authenticted client e local dst true if a packet has local destination IP address e hotspot true if it is a TCP packet from client and either the transparent proxy on port 80 is enabled or the client has a proxy address configured and this address is equal to the address port pair of the IP packet icmp options integer integer matches ICMP Type Code fields in interface name interface the packet has entered the router through ipv4 options any loose source routing no record route no router alert no source routing no timestamp none record route router alert strict source routing timestamp match ipv4 header options e any match packet with at least one of the ipv4 options e loose source routing match packets with loose source routing option This option is used to Other trademarks and registred trademarks mentioned herein are properties of their respective owners route the internet datagram based on information supplied by the source e no record route match packets with n
251. d value of chap ID 371 e chap challenge value of chap challenge 357 015 330 013 02 1 234 145 245 303 253 142 246 133 175 375 3 16 e popup whether to pop up checkbox true or false Other trademarks and registred trademarks mentioned herein are properties of their respective owners e advert pending whether an advertisement is pending to be displayed yes or no Miscellaneous variables Working with variables if lt var_name gt statements can be used in theses pages Following content will be included if value of lt var_name gt will not be an empty string It is an equivalent to if lt var_name gt It is possible to compare on equivalence as well if lt var_name gt lt value gt These statements have effect until elif lt var_name gt else OF endif In general case it looks like this Only one of those expressions will be shown Which one depends on values of those variables for each client Customizing Error Messages All error messages are stored in the errors txt file within the respective HotSpot servlet directory You can change and translate all these messages to your native language To do so edit the errors txt file You can also use variables in the messages All instructions are given in that file Multiple Versions of HotSpot Pages Multiple hotspot page sets for the same hotspot server are supported They can be chosen by user to select language or automa
252. d read only integer shows how many incoming packets were successfully decrypted in drop read only integer shows how many incoming packets were matched by drop policy or encrypt policy with level require that does not have all necessary SAs in drop encrypted expected read only integer shows how many incoming packets were matched by encrypt policy and dropped because they were not encrypted out accept read only integer shows how many outgoing packets were matched by accept policy including the default accept all case out accept isakmp read only integer shows how many locally originated UDP packets on source port 500 which is how ISAKMP packets look were let through without policy matching out drop read only integer shows how many outgoing packets were matched by drop policy or encrypt policy with level require that does not have all necessary SAs out encrypt read only integer shows how many outgoing packets were encrypted successfully Example To view current statistics admin WiFi ip ipsec gt counters print out accept 6 out accept isakmp 0 out drop 0 out encrypt 7 in accept 12 in accept isakmp 0 in drop 0 in decrypted 7 in drop encrypted expected 0 admin WiFi ip ipsec gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners General Information Lobo Router to Lobo Router 10 1 0 0 24 1 0 0 0 24 10 2 0
253. d Documents e Package Management System Resource Management Telnet Server Home menu level Ap service Description Telnet protocol is intended to provide a fairly general bi directional eight bit byte oriented communications facility The main goal is to allow a standard method of interfacing terminal devices to each other Other trademarks and registred trademarks mentioned herein are properties of their respective owners Lobo OSB implements industry standard Telnet server It uses port 23 which must not be disabled on the router in order to use the feature You can enable disable this service or allow the use of the service to certain IP addresses Example admin Lobo924 ip service gt print detail Flags X disabled I invalid 0 name telnet port 23 address 0 0 0 0 0 1 name ftp port 21 address 0 0 0 0 0 2 name www port 80 address 0 0 0 0 0 3 name hotspot port 8088 address 0 0 0 0 0 4 name ssh port 65 address 0 0 0 0 0 5 X name hotspot ssl port 443 address 0 0 0 0 0 certificate none admin Lobo924 ip service gt Telnet Client Command name system telnet IP address port Description Lobo OSB telnet client is used to connect to other hosts in the network via Telnet protocol Example An example of Telnet connection admin Lobo924 gt system telnet 172 16 0 1 Trying 172lbs 0s Tres Connected to 172 16 0 1 Escape character is Lobo v2 9 Login admin Password Ter
254. d IP config is required on both interfaces This can be done with setup command In this example we will assume the configuration with DHCP server on the Local interface 2 valid DNS configuration must be set up in the ip dns submenu To put HotSpot on the Local interface using the same IP address pool as DHCP server uses Other trademarks and registred trademarks mentioned herein are properties of their respective owners for that interface ip hotspot add interface local address pool dhcp pool 1 4 and finally add at least one HotSpot user ip hotspot user add name admin These simple steps should be sufficient to enable HotSpot system Please find many HotSpot How to s which will answer most of your questions about configuring a HotSpot gateway at the end of this manual It is still recommended that you read and understand all the Description section below before deploying a HotSpot system If this does not work e check that ip dns contains valid DNS servers try to ping www lobometrics com to see that DNS resolving works make sure that connection tracking is enabled ip firewall connection tracking set enabled yes Specifications Packages required hotspot dhcp optional License required levell Limited to 1 active user level3 Limited to I active user level4 Limited to 200 active users level5 Limited to 500 active users level6 Home menu level ip hotspot Standards and Technologies ICMP DHC
255. d as a static DNS entry in the DNS cache hotspot address JP address default 0 0 0 0 IP address for HotSpot service html directory text default name of the directory accessible with FTP which stores the Other trademarks and registred trademarks mentioned herein are properties of their respective owners HTML servlet pages when changed the default pages are automatically copied into specified directory if it does not exist already http cookie lifetime time default 3d validity time of HTTP cookies http proxy IP address default 0 0 0 0 the address of the proxy server the HotSpot service will use as a proxy server for all those requests intercepted by Universal Proxy system and not defined in the ip proxy direct list If not specified the address defined in parent proxy parameter of ip proxy If that is absent too the request will be resolved by the local proxy login by multiple choice cookie http chap http pap https mac default cookie http chap which authentication methods to use e cookie use HTTP cookies to authenticate without asking user credentials Other method will be used in case the client does not have cookie or the stored username and password pair are not valid anymore since the last authentication May only be used together with other HTTP authentication methods HTTP PAP HTTP CHAP or HTTPS as in the other case there would be no way for the cookies to be generated in the first pl
256. d only text sender s name if aplicable Notes Usernames are shown only if the users are connected to the router via a PPP tunnel or are authenticated by HotSpot Before the first snapshot is taken the table is empty Example To take a new snapshot admin Lobo924 ip accounting snapshot gt take admin Lobo924 ip accounting snapshot gt print SRC ADDRESS DST ADDRESS PACKETS BYTES SRC USER DST USER 0 192 168 0 2 159 148 172 197 474 19130 1 192 168 0 2 10 0 0 4 3 120 2 192 168 0 2 192 150 200 254 32 3142 3 192 150 20 254 192 168 0 2 26 2857 4 10 0 0 4 192 168 0 2 2 117 5 159 148 147 196 192 168 0 2 2 136 6 192 168 0 2 159 148 147 196 1 40 7 159 148 172 197 192 168 0 2 835 1192962 admin Lobo924 ip accounting snapshot gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners Web Access to the Local IP Traffic Accounting Table Home menu level ip accounting web access Description The web page report make it possible to use the standard Unix Linux tool wget to collect the traffic data and save it to a file or to use Lobo shareware Traffic Counter to display the table If the web report is enabled and the web page is viewed the snapshot will be made when connection is initiated to the web page The snapshot will be displayed on the web page TCP protocol used by http connections with the wget tool guarantees that none of the traffic data will be
257. dards and Technologies FTP RFC 959 Hardware usage Not significant Related Documents Software Package Management Configuration Management File Transfer Protocol Server Home menu level file Description Lobo OSB has an industry standard FTP server feature It uses ports 20 and 21 for communication with other hosts on the network Uploaded files as well as exported configuration or backup files can be accessed under file menu There you can delete unnecessary files from your router Other trademarks and registred trademarks mentioned herein are properties of their respective owners Authorization for FTP service uses router s system user account names and passwords Property Description creation time read only time item creation date and time name read only name item name size read only integer package size in bytes type read only file directory unknown script package backup item type Command Description print shows a list of files stored shows contents of files less that 4kb long offers to edit file s contents with editor sets the file s contents to content Other trademarks and registred trademarks mentioned herein are properties of their respective owners MAC Level Access Telnet and Winbox Document revision 2 2 Wed Oct 05 16 26 50 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Doc
258. dcast multicast matches source address type of the IP packet one of the e unicast IP addresses used for one point to another point transmission There is only one sender and one receiver in this case e local matches addresses assigned to router s interfaces e broadcast the IP packet is sent from one point to all other points in the IP subnetwork e multicast this type of IP addressing is responsible for transmission from one or more points to a set of other points src mac address MAC address source MAC address src port integer 0 65535 integer 0 65535 source port number or range tcp flags ack cwr ece fin psh rst syn urg tep flags to match e ack acknowledging data e cwr congestion window reduced e ece ECN echo flag explicit congestion notification e fin close connection e psh push function e rst drop connection e syn new connection e urg urgent data tep mss integer 0 65535 matches TCP MSS value of an IP packet time time time sat fri thu wed tue mon sun allows to create filter based on the packets arrival time and date or for locally generated packets departure time and date tos max reliability max throughput min cost min delay normal specifies a match for the Other trademarks and registred trademarks mentioned herein are properties of their respective owners value of Type of Service ToS field of an IP header e max reliability
259. dd name ex service pptp password lkjrht local address 10 150 1 254 remote address 10 150 1 2 admin RemoteOffice ppp secret gt print detail Flags X disabled 0 name ex service pptp caller id password 1kjrht profile default local address 10 150 1 254 remote address 10 150 1 2 routes admin RemoteOffice ppp secret gt Then the user should be added in the PPTP server list admin RemoteOffic interface pptp server gt add name FromLaptop user ex admin RemoteOffic interface pptp server gt print Flags X disabled D dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME ENC 0 FromLaptop ex admin RemoteOffic interface pptp server gt And the server must be enabled admin RemoteOffice interface pptp server server gt set enabled yes admin RemoteOffice interface pptp server server gt print enabled yes mtu 1460 mru 1460 authentication mschap2 default profile default admin RemoteOffice interface pptp server server gt Finally the proxy APR must be enabled on the Office interface admin RemoteOffice interfac thernet gt set Office arp proxy arp admin RemoteOffice interfac thernet gt print Flags X disabled R running NAME MTU MAC ADDRESS ARP 0 R ToInternet 1500 00 30 4F 0B 7B C1 enabled 1 R Office 1500 00 30 4F 06 62 12 proxy arp admin RemoteOffice interfac thernet gt Other trademarks and regi
260. ddress 00 0C 42 05 04 36 arp enabled disable running check no tx radio wlan2 rx radio wlan1 remote mac 00 0C 42 05 00 22 tx band 5ghz tx frequency 5805 rx band 5ghz rx frequency 5180 rates b 1Mbps 2Mbps 5 5Mbps 11Mbps rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps framer policy none framer limit 4000 admin DualNS 1 interface wireless nstreme dual gt WEP Security This example shows how to configure WEP Wired Equivalent Privacy on Access Point and Clients In example we will configure an Access Point which will use 104bit wep for one station and 40bit wep for other clients The configuration of stations is also present The key used for connection between WEP_AP and WEP _ Stationi will be 65432109876543210987654321 key for WEP_AP and WEP_StationX will be 1234567890 Other trademarks and registred trademarks mentioned herein are properties of their respective owners Configure the Access Point admin WEP_AP interface wireless security name Stationl mode static keys requir static sta private key 654321098765432 profiles gt add d static sta privat 10987654321 algo 104bit wep admin WEP_AP interface wireless security profiles gt add name StationX mode static keys required static algo 1 40bit wep static key 1 1234567890 static transmit key key 1 admin WEP_AP interface wireless security 0 profiles
261. ddress FE FD 00 00 00 01 arp enabled remote address 1 1 1 1 tunnel id 1 1 R name eoip tunnel2 mtu 1500 mac address FE FD 00 00 00 02 arp enabled remote address 10 1 0 111 tunnel id 2 Bonding confguration e for Officel admin officel interface bonding gt add slaves eoip tunnell eoip tunnel2 admin officel interface bonding gt print Flags X disabled R running 0 R name bondingl mtu 1500 mac address 00 0C 42 03 20 E7 arp enabled slaves eoip tunnell eoip tunnel2 mode balance rr primary none link monitoring none arp interval 00 00 00 100 arp ip targets mii interval 00 00 00 100 down delay 00 00 00 up delay 00 00 00 lacp rate 30secs admin officel ip address gt add address 3 3 3 1 24 interface bondingl admin officel ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 1 1 1 1 24 tetela tetel 235 isp2 1 10 1 0 111 24 10 1 0 0 10 1 0 255 ispl 2 3 3 3 1 24 SPT KAO 3 34 3 299 bondingl e for Office2 admin office2 interface bonding gt add slaves eoip tunnell eoip tunnel2 admin office2 interface bonding gt print Flags X disabled R running 0 R name bondingl mtu 1500 mac address 00 0C 42 03 20 E7 arp enabled slaves eoip tunnell eoip tunnel2 mode balance rr primary none link monitoring none arp interval 00 00 00 100 arp ip targets mii interval 00 00 00 100 down delay 00 00 00 up delay 00 00 00 lacp r
262. default no specifies whether to redistribute static routes to neighbour routers or not redistribute connected yes no default no specifies whether to redistribute connected routes to neighbour routers or not redistribute ospf yes no default no specifies whether to redistribute routes learned via OSPF protocol to neighbour routers or not redistribute bgp yes no default no specifies whether to redistribute routes learned via bgp protocol to neighbour routers or not metric static integer default 1 specifies metric the number of hops for the static routes metric connected integer default 1 specifies metric the number of hops for the connected Other trademarks and registred trademarks mentioned herein are properties of their respective owners routes metric ospf integer default 1 specifies metric the number of hops for the routes learned via OSPF protocol metric bgp integer default 1 specifies metric the number of hops for the routes learned via BGP protocol update timer time default 30s specifies frequency of RIP updates timeout timer time default 3m specifies time interval after which the route is considered invalid garbage timer time default 2m specifies time interval after which the invalid route will be dropped from neighbor router table Notes The maximum metric of RIP route is 15 Metric higher than 15 is considered infinity and routes with such m
263. direct all HTTPS login requests to the HTTPS login servlet The 64875 is HotSpot HTTPS servlet port All other packets except DNS and login requests from unauthorized clients should pass through the hs unauth chain And packets from the authorized clients through the hs auth chain First in the hs unauth chain is put everything that affects TCP protocol in the ip hotspot walled garden ip submenu i e everything where either protocol is not set or set to TCP Here we are excluding www lobometrics com from being redirected to the login page All other HTTP requests are redirected to the Walled Garden proxy server which listens the 64874 port If there is an allow entry in the ip hotspot walled garden menu for an HTTP request it is being forwarded to the destination Otherwise the request will be automatically redirected to the HotSpot login servlet port 64873 HotSpot by default assumes that only these ports may be used for HTTP proxy requests These two entries are used to catch client requests to unknown proxies I e to make it possible for the clients with unknown proxy settings to work with the HotSpot system This feature is called Universal Proxy If it is detected that a client is using some proxy server the system will automatically mark that packets with the http hotspot mark to work around the unknown proxy problem as we will see later on Note that the port used 64874 is the same as for HTTP requests in the rule 8 so
264. disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both name V AP mtu 1500 mac address 00 0C 42 12 34 56 arp enabled disable running check no interface type virtual AP master interface wlanl ssid virtual test area max station count 2007 wds mode disabled wds default bridge non wds ignore ssid no default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default admin VAP interface wireless gt When scanning from another router for an AP you will see that you have 2 Access Points instead of one admin Lobo924 interface wireless gt scan Station Flags A active B bss P privacy R routeros network N nstreme AB R AB R ADDRESS SSID BAND FREQ SIG RADIO NAME 00 0C 42 12 34 56 virtual test 2 4ghz g 2437 72 000042050022 00 0C 42 05 00 22 test 2 4ghz g 2437 72 000042050022 Q quit D dump C z pause admin Lobo924 interface wireless gt Note that the master interface must be configured as an Access Point ap bridge or bridge mode Nstreme This example shows you how to configure a point to
265. does not have caching function yet Also note that this embedded proxy server is in the system software package and does not require web proxy package It is configurable under ip proxy Authentication HTTP PAP simplest method which shows the HotSpot login page and expect to get the authentication info i e username and password in plain text Note that passwords are not being encrypted when transferred over the network An another use of this method is the possibility of hard coded authentication information in the servlet s login page simply creating the appropriate link HTTP CHAP standard method which includes CHAP challenge in the login page The CHAP MDS hash challenge is to be used together with the user s password for computing the string which will be sent to the HotSpot gateway The hash result as a password together with username is sent over network to HotSpot service so password is never sent in plain text over IP network On the client side MD5 algorithm is implemented in JavaScript applet so if a browser does not support JavaScript like for example Internet Explorer 2 0 or some PDA browsers it will not be able to authenticate users It is possible to allow unencrypted passwords to be accepted by turning on HTTP PAP authentication method but it is not recommended because of security considerations to use that feature HTTPS the same as HTTP PAP but using SSL protocol for encrypting transmissions HotSpot us
266. dress 192 168 0 0 24 limit at 64000 admin Lobo924 queue simple gt print Flags X disabled I invalid 0 name Cust0 target address 0 0 0 0 0 dst address 192 168 0 0 24 interface etherl limit at 64000 queue default priority 8 bounded yes admin Lobo924 queue simple gt system script admin Lobo924 system script gt add name start_limit source queue simple set CustO limit at 64000 Other trademarks and registred trademarks mentioned herein are properties of their respective owners admin Lobo924 system script gt add name stop_limit source queue simple set Cust0O limit at 128000 admin Lobo924 system script gt print 0 name Start_limit source queue simple set Cust0O limit at 64000 owner admin run count 0 1 name stop_limit source queue simple set Cust0O limit at 128000 owner admin run count 0 admin Lobo924 system script gt scheduler admin Lobo924 system scheduler gt add interval 24h name set 64k start time 9 00 00 on event start_limit admin Lobo924 system scheduler gt add interval 24h name set 128k start time 17 00 00 on event stop_limit admin Lobo924 system scheduler gt print Flags X disabled NAME ON EVENT START DATE START TIME INTERVAL RUN COUNT 0 set 64k start oct 30 2008 09 00 00 ld 0 1 set 128k stop_ oct 30 2008 17 00 00 1d 0 admin Lobo924 system scheduler gt The following example sche
267. dules a script that sends each week a backup of router configuration by e mail admin Lobo924 system script gt add name e backup source system backup Save name email tool mail send to root host com subject system identity get name Backup file email backup admin Lobo924 system script gt print 0 name e backup source system backup save name ema owner admin run count 0 admin Lobo924 system script gt scheduler admin Lobo924 system scheduler gt add interval 7d name email backup on event e backup admin Lobo924 system scheduler gt print Flags X disabled NAME ON EVENT START DATE START TIME INTERVAL RUN COUNT 0 email e backup oct 30 2008 15 19 28 7d 1 admin Lobo924 system scheduler gt Do not forget to set the e mail settings i e the SMTP server and From address under tool e mail For example admin Lobo924 tool e mail gt set server 159 148 147 198 from SysAdmin host com admin Lobo924 tool e mail gt print server 159 148 147 198 from SysAdmin host com fadmin Lobo924 tool e mail gt Example below will put x in logs each hour from midnight till noon admin Lobo924 system script gt add name enable x source system scheduler enable x admin Lobo924 system script gt add name disable x source system scheduler disable x admin Lobo924 system script gt add name log x source log message x
268. e To allow authentication and forwarding for the client 00 01 24 70 3A BB from the wlan interface using WEP 40bit algorithm with the key 1234567890 admin Lobo924 interface wireless access list gt add mac address 00 01 24 70 3A BB interface wlanl private algo 40bit wep private key 1234567890 admin Lobo924 interface wireless access list gt print Flags X disabled 0 mac address 00 01 24 70 3A BB interface wlanl authentication yes forwarding yes ap tx limit 0 client tx limit 0 private algo 40bit wep private key 1234567890 admin Lobo924 interface wireless access list gt Info Home menu level interface wireless info Description This facility provides you with general wireless interface information Property Description 2ghz b channels multiple choice read only 2312 2317 2322 2327 2332 2337 2342 2347 2352 2357 2362 2367 2372 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472 2484 2512 2532 2552 2572 2592 2612 2632 2652 2672 2692 2712 2732 the list of 2GHz IEEE 802 11b channels frequencies are given in MHz 2ghz g channels multiple choice read only 2312 2317 2322 2327 2332 2337 2342 2347 2352 2357 2362 2367 2372 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472 2512 2532 2552 2572 2592 2612 2632 2652 2672 2692 2712 2732 2454 the list of 2GHz IEEE 802 11g channels frequencies are g
269. e 3 ms 10 150 2 254 pong ttl 255 time 3 ms ping interrupted 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 3 3 0 3 ms To bridge a LAN over this secure tunnel please see the example in the EoIP section of the manual To set the maximum speed for traffic over this tunnel please consult the Queues section Connecting a Remote Client via L2TP Tunnel The following example shows how to connect a computer to a remote office network over L2TP encrypted tunnel giving that computer an IP address from the same network as the remote office has without need of bridging over EoIP tunnels Please consult the respective manual on how to set up a L2TP client with the software you are using Internet Encrypted se ISP 1 7 L2TP Tunnel SP 2 network 192 168 8041 network 192 168 81 0 netmask 255 255 25 net hask 259 2552900 5 f ToRemoteOffice RemoteCrice 70 750 7 2 32 FromLaptop 4 To intemet 10 150 7 254 32 Weg 192 168 81 1 24 Wore Laptop 192 168 80 111 24 q0 150 1 254 24 network 10 150 1 0 netmask 255 255 255 0 J Work station 10 150 1 1 24 The router in this example RemoteOffice Interface ToInternet 192 168 81 1 24 Interface Office 10 150 1 254 24 The client computer can access the router through the Internet Other trademarks and registred trademarks mentioned herein are properties of their respective owners On the L2TP serv
270. e Connected self explanatory Terminated interface is not enabled or the other side will not establish a connection uptime time connection time displayed in days hours minutes and seconds encoding text encryption and encoding if asymmetric separated with being used in this connection Example Example of an established connection admin Lobo924 interface 12tp client gt monitor test2 status connected uptime 4m27s encoding MPPE128 stateless admin Lobo924 interface 12tp client gt L2TP Server Setup Home menu level interface I2tp server server Description The L2TP server creates a dynamic interface for each connected L2TP client The L2TP connection count from clients depends on the license level you have Levell license allows 1 L2TP client Level3 or Level4 licenses up to 200 clients and Level5 or Level6 licenses do not have L2TP client limitations To create L2TP users you should consult the PPP secret and PPP Profile manuals It is also possible to use the Lobo router as a RADIUS client to register the L2TP users see the manual how to do it Property Description Other trademarks and registred trademarks mentioned herein are properties of their respective owners enabled yes no default no defines whether L2TP server is enabled or not mtu integer default 1460 Maximum Transmission Unit The optimal value is the MTU of the interface the tunnel is working over decre
271. e MTU of the interface the tunnel is working over decreased by 20 so for 1500 byte ethernet link set the MTU to 1480 to avoid fragmentation of packets mru integer default 1480 Maximum Receive Unit The optimal value is the MTU of the interface the tunnel is working over decreased by 20 so for 1500 byte ethernet link set the MTU to 1480 to avoid fragmentation of packets Other trademarks and registred trademarks mentioned herein are properties of their respective owners user text default a user name that is present on the PPPoE server password text default a user password used to connect the PPPoE server profile name default profile for the connection allow multiple choice mschap2 mschap1 chap pap default mschap2 mschap1 chap pap the protocol to allow the client to use for authentication service name text default specifies the service name set on the access concentrator Leave it blank unless you have many services and need to specify the one you need to connect to ac name text default this may be left blank and the client will connect to any access concentrator that offers the service name selected add default route yes no default no whether to add a default route automatically dial on demand yes no default no connects to AC only when outbound traffic is generated and disconnects when there is no traffic for the period set in the idle timeout value
272. e added by DHCP PPP etc e always as type 1 always send the default route with type 1 metric e always as type 2 always send the default route with type 2 metric metric bgp integer default 20 specifies the cost of the routes learned from BGP protocol metric connected integer default 20 specifies the cost of the routes to directly connected networks metric default integer default 1 specifies the cost of the default route metric rip integer default 20 specifies the cost of the routes learned from RIP protocol metric static integer default 20 specifies the cost of the static routes redistribute bgp as type as type 2 no default no with this setting enabled the router will redistribute the information about all routes learned by the BGP protocol redistribute connected as type as type 2 no default no if set the router will redistribute the information about all connected routes i e routes to directly reachable networks redistribute rip as type 1 as type 2 no default no with this setting enabled the router will redistribute the information about all routes learned by the RIP protocol redistribute static as type as type 2 no default no if set the router will redistribute the information about all static routes added to its routing database i e routes that have been created using the ip route add command router id IP address default 0 0 0 0 OSPF Router ID If
273. e broadcast MAC address FF FF FF FF FF FF Since the ARP request is a broadcast it will reach all hosts in the network A including the router R1 but it will not reach host C because routers do not forward broadcasts by default A router with enabled proxy ARP knows that the host C is on another subnet and will reply with its own MAC adress The router with enabled proxy ARP always answer with its own MAC address if it has a route to the destination This behaviour can be usefull for example if you want to assign dial in ppp pppoe pptp clients IP addresses from the same address space as used on the connected LAN Example Consider the following configuration Other trademarks and registred trademarks mentioned herein are properties of their respective owners Internet Internet Gatewa Server 10 0 0 10 002 interface eth LAN Ethernet LAM address 10 0 0 217 10 0 0 0 24 dynamic interfaces Be es oad pppoe inxX Reseed for dial in cents a addresses 10 0 0 217 32 F Si aC P m Laptop Workstation 10 0 0 231 10 0 0 230 The Lobo Router setup is as follows admin Lobo924 ip arp gt interfac thernet print Flags X disabled R running NAME MTU MAC ADDRESS ARP 0 R eth LA 1500 00 50 08 00 00 F5 proxy arp admin Lobo924 ip arp gt interface print Flags X disabled D dynamic R running NAME TYPE MTU 0 eth LaA ether 1500 1 prisml prism 1500 2 D pppoe in25 pppoe in 3 D pppoe in26 pppoe in
274. e gets a turn amount of bytes which can be sent from a subqueue in a single round robin turn sfq perturb integer default 5 time in seconds Specifies how often to change SFQ s hashing algorithm Other trademarks and registred trademarks mentioned herein are properties of their respective owners Interface Default Queues Home menu level queue interface Description In order to send packets over an interface they have to be enqueued in a queue even if you do not want to limit traffic at all Here you can specify the queue type which will be used for transmitting data Note that if other queues are applied for a particular packet then these settings are not used Property Description interface read only name default name of the interface name of the interface queue name default default queue type which will be used for the interface Example Set the wireless interface to use wireless default queue admin Lobo924 queue interface gt set 0 queue wireless default admin Lobo924 queue interface gt print INTERFACE QUEUE 0 wlanl wireless default admin Lobo924 queue interface gt Simple Queues Description The simpliest way to limit data rate for specific IP addresses and or subnets is to use simple queues You can also use simple queues to build advanced QoS applications They have useful integrated features e Peer to peer traffic queuing e Applying queue r
275. e of the requested page within the target server i e the name of a particular wed page or document without the name of the server it resides on src address JP address netmask source address of the IP packet Notes Wildcard properties dst host and dst path match a complete string 1 e they will not match example com if they are set to example Available wildcards are match any number of any characters and match any one character Regular expressions are also accepted here but if the property should be treated as a regular expression it should start with a colon Small hits in using regular expressions e symbol sequence is used to enter character in console e pattern means only in regular expressions single dot in pattern means any symbol e to show that no symbols are allowed before the given pattern we use symbol at the beginning of the pattern e to specify that no symbols are allowed after the given pattern we use symbol at the end of the pattern e to enter or symbols you should escape them with backslash It is strongly recommended to deny all IP addresses except those behind the router as the proxy still may be used to access your internal use only intranet web servers Also consult examples in Firewall Manual on how to protect your router Direct Access List Home menu level Ap proxy direct Description If parent proxy property is specified it is possible
276. e simple target address simple queue name default all name of simple queue which will be monitored store on disk yes no default yes whether to store information about traffic on hard drive or not If not the information will be stored in RAM and will be lost after a reboot Example Add a simple queue to Grapher list with simple queue name queuel allow limited clients to access Grapher from web store information about traffic on disk admin Lobo924 tool graphing queue gt add simple queue queuel allow address yes store on disk yes Daily graphic for queuel Resource Graphing Home menu level tool graphing resource Description Provides with router resource usage information over a period of time e CPU usage e Memory usage e Disk usage Property Description allow address IP address netmask default 0 0 0 0 0 IP address range which is allowed to view information about the resource usage If a client PC not belonging to this IP address range tries to open http Router_IP_address graphs it will not see this entry store on disk yes no default yes whether to store information about traffic on hard drive or not If not the information will be stored in RAM and will be lost after a reboot Example Add IP range 192 168 0 0 24 from which users are allowed to monitor Grapher s resource usage admin Lobo924 tool graphing resource gt add allow address 192 168 0 0 24 store on disk
277. e some Rate Limit examples 128k rx rate 128000 tx rate 128000 no bursts 64k 128M rx rate 64000 tx rate 128000000 64k 256k rx tx rate 64000 rx tx burst rate 256000 rx tx burst threshold 64000 rx tx burst time 1s 64k 64k 256k 256k 128k 128k 10 10 rx tx rate 64000 rx tx burst rate 256000 rx tx burst threshold 128000 rx tx burst time 10s Accounting Request Acct Status Type Start Stop or Interim Update Acct Session Id accounting session ID Service Type same as in request PPPs only Framed Protocol same as in request PPPs only NAS Identifier same as in request NAS IP Address same as in request User Name same as in request MS CHAP Domain same as in request only for PPPs NAS Port Type same as in request NAS Port same as in request NAS Port Id same as in request Calling Station Id same as in request Called Station Id same as in request Acct Authentic either authenticated by the RADIUS or Local authority PPPs only Framed IP Address IP address given to the user Framed IP Netmask same as in RADIUS reply Class RADIUS server cookie PPPs only Acct Delay Time how long does the router try to send this Accounting Request packet Stop and Interim Update Accounting Request Acct Session Time connection uptime in seconds Acct Input Octets bytes received from the client Acct Input Gigawords 4G 2 32 bytes received from the client bits 32 63 when bits 0 31 are d
278. e used with various SSH Telnet clients to securely connect to and administrate the router The Lobo OSB supports e SSH 1 3 1 5 and 2 0 protocol standards e server functions for secure administration of the router e telnet session termination with 40 bit RSA SSH encryption is supported e secure ftp is supported e preshared key authentication is not supported The Lobo OSB has been tested with the following SSH telnet terminals e PuTTY e Secure CRT e OpenSSH GNU Linux client Specifications Packages required security Other trademarks and registred trademarks mentioned herein are properties of their respective owners License required levell Home menu level system ssh Standards and Technologies SSH Hardware usage Not significant Related Documents e Package Management Additional Documents http www freessh org SSH Server Home menu level ip service Description SSH Server is already up and running after Lobo router installation The default port of the service is 22 You can set a different port number Property Description name name service name port integer 1 65535 port the service listens to address IP address netmask default 0 0 0 0 0 IP address from which the service is accessible Example Let s change the default SSH port 22 to 65 on which the SSH server listens for requests admin Lobo924 ip service gt set ssh port 65 admin Lobo924 ip service
279. ead only integer default 0 specifies allocated memory cache size measured in kibibytes reserved for ram cache read only integer default 2048 specifies allocated memory cache size measured in kibibytes src address JP address default 0 0 0 0 the web proxy will use this address connecting to the parent proxy or web site e 0 0 0 0 appropriate src address will be automatically taken from the routing table status read only text default stopped display status information of the proxy server e stopped proxy is disabled and is not running e rebuilding cache proxy is enabled and running existing cache is being verified e running proxy is enabled and running e stopping proxy is shutting down max 10s e clearing cache proxy is stopped cache files are being removed e creating cache proxy is stopped cache directory structure is being created e dns missing proxy is enabled but not running because of unknown DNS server you should specify it under ip dns e invalid address proxy is enabled but not running because of invalid address you should Other trademarks and registred trademarks mentioned herein are properties of their respective owners change address or port invalid cache administrator proxy is enabled but not running because of invalid cache administrator s e mail address invalid hostname proxy is enabled but not running because of invalid hostname you should set a valid hostna
280. econds freeze frame interval time time in seconds for which the screen output is paused Notes If there will be specific port given then only tep and udp protocols will be filtered 1 e the name of the protocol can be any any ip tcp udp Except TX and RX there will be only the field you ve specified in command line in the command s output e g you will get PROTOCOL column only in case if protocol property is explicitly specified Example The following example monitors the traffic that goes through the ether1 interface generated by telnet protocol admin Lobo924 tool gt torch etherl port telnet SRC PORT DST PORT TX RX 1439 23 telnet 1 7kbps 368bps admin Lobo924 tool gt To see what IP protocols are going through the ether1 interface admin Lobo924 tool gt torch etherl protocol any ip PRO TX RX tcp 1 06kbps 608bps udp 896bps 3 7kbps icmp 480bps 480bps ospf Obps 192bps admin Lobo924 tool gt To see what IP protocols are interacting with 10 0 0 144 32 host connected to the ether1 interface admin Lobo924 tool gt torch etherl src address 10 0 0 144 32 protocol any PRO SRC ADDRESS TX RX tcp 10 0 0 144 1 01kbps 608bps icmp 10 0 0 144 480bps 480bps admin Lobo924 tool gt To see what tcp udp protocols are going through the ether1 interface Other trademarks and registred trademarks mentioned herein are properties of their respective owners admin Lobo924 tool gt torch etherl
281. ectory property of a HotSpot server profile ip hotspot profile The default servlet pages are copied in the directory of your choice right after you create the profile This directory can be accessed by connecting to the router with an FTP client You can modify the pages as you like using the information from this section of the manual Available Servlet Pages e redirect html redirects user to another url for example to login page e login html login page shown to a user to ask for username and password e md5 js javascript for md5 password encryption Used together with http chap login method alogin html page shown after client has logged in It pops up status page and redirects browser to originally requested page before he she was redirected to the HotSpot login page e status html status page shows statistics for the client e logout html logout page shown after user is logged out Shows final statistics about the finished session e error html error page shown on fatal errors only Main HTML servlet pages which are shown to user e rlogin html page which redirects client from some other URL to the login page if authorization of the client is required to access that URL e rstatus html similarly to rlogin html only in case if the client is already logged in and the original URL is not known flogin html shown instead of login html if some error has happened invalid username or Other trademarks and r
282. ed Documents e Package Management e Device Driver List IP Addresses and ARP e Log Management Additional Documents http www ietf org rfc rfc1853 txt number 1853 http www ietf org rfc rfc2003 txt number 2003 http www ietf org rfc rfc1241 txt number 1241 IPIP Setup Home menu level Ainterface ipip Description An IPIP interface should be configured on two routers that have the possibility for an IP level connection and are RFC 2003 compliant The IPIP tunnel may run over any connection that transports IP Each IPIP tunnel interface can connect with one remote router that has a corresponding interface configured An unlimited number of IPIP tunnels may be added to the router For more details on IPIP tunnels see RFC 2003 Property Description name name default ipipN interface name for reference mtu integer default 1480 Maximum Transmission Unit Should be set to 1480 bytes to avoid fragmentation of packets May be set to 1500 bytes if mtu path discovery is not working properly Other trademarks and registred trademarks mentioned herein are properties of their respective owners on links local address JP address local address on router which sends IPIP traffic to the remote host remote address JP address the IP address of the remote host of the IPIP tunnel may be any RFC 2003 compliant router Notes Use ip address add command to assign an IP address to the IPIP interface There i
283. ed in username was not supplied no error message appeared login html is showed e if login procedure has failed error message is supplied flogin html is displayed if flogin html is not found login html is used in case of fatal errors error html is showed 4 request for status page e jf user is logged in status html is displayed e if user is not logged in fstatus html is displayed if fstatus html is not found redirect html is used to redirect to the login page 5 request for logout page e if user is logged in logout html is displayed e if user is not logged in flogout html is displayed if flogout html is not found redirect html is used to redirect to the login page Note that if it is not possible to meet a request using the pages stored on the router s FTP server Other trademarks and registred trademarks mentioned herein are properties of their respective owners Error 404 is displayed There are many possibilities to customize what the HotSpot authentication pages look like e The pages are easily modifiable They are stored on the router s FTP server in the directory you choose for the respective HotSpot server profile e By changing the variables which client sends to the HotSpot servlet it is possible to reduce keyword count to one username or password for example the client s MAC address may be used as the other value or even to zero License Agreement some predefined values general for all users
284. ed to one or more of the three default chains Filter Chains As mentioned before the firewall filtering rules are grouped together in chains It allows a packet to be matched against one common criterion in one chain and then passed over for processing against some other common criteria to another chain For example a packet should be matched against the IP address port pair Of course it could be achieved by adding as many rules with IP address port match as required to the forward chain but a better way could be to add one rule that matches traffic from a particular IP address e g ip firewall filter add src address 1 1 1 2 32 jump target mychain and in case of successfull match passes control over the IP packet to some other chain id est mychain in this example Then rules that perform matching against separate ports can be added to mychain chain without specifying the IP addresses e input used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router s addresses Packets passing through the router are not processed against the rules of the input chain e forward used to process packets passing through the router e output used to process packets originated from the router and leaving it through one of the interfaces Packets passing through the router are not processed against the rules of the output chain There are three predefined chains which cannot be de
285. egistred trademarks mentioned herein are properties of their respective owners password for example e fstatus html shown instead of redirect if status page is requested but client is not logged in e flogout html shown instead of redirect if logout page is requested but client is not logged in Some other pages are available as well if more control is needed Serving Serviet Pages The HotSpot servlet recognizes 5 different request types 1 request for a remote host e jf user is logged in the requested page is served e if user is not logged in but the destination host is allowed by walled garden then the request is also served e if user is not logged in and the destination host is disallowed by walled garden rlogin html is displayed if rlogin html is not found redirect html is used to redirect to the login page 2 request for on the HotSpot host e if user is logged in rstatus html is displayed if rstatus html is not found redirect html is used to redirect to the status page e if user is not logged in rlogin html is displayed if rlogin html is not found redirect html is used to redirect to the login page 3 request for login page e if user has successfully logged in or is already logged in alogin html is displayed if alogin html is not found redirect html is used to redirect to the originally requested page or the status page in case original destination page was not given e if user is not logg
286. el gt interface eoip add remote address 10 1 0 112 tunnel id 2 mac address FE FD 00 00 00 04 admin officel gt interface eoip print Flags X disabled R running 0O R name eoip tunnel2 mtu 1500 mac address FE FD 00 00 00 04 arp enabled remote address 10 1 0 112 tunnel id 2 e for Office2 through ISP1 admin office2 gt interface eoip add remote address 10 1 0 111 tunnel id 2 mac address FE FD 00 00 00 02 admin office2 gt interface eoip print Flags X disabled R running 0 R name eoip tunnel2 mtu 1500 mac address FE FD 00 00 00 02 arp enabled remote address 10 1 0 111 tunnel id 2 Other trademarks and registred trademarks mentioned herein are properties of their respective owners e for Office1through ISP2 admin officel gt interface eoip add remote address 2 2 2 1 tunnel id 1 mac address FE FD 00 00 00 03 admin officel interfac oip gt print Flags X disabled R running 0 R name eoip tunnell mtu 1500 mac address FE FD 00 00 00 03 arp enabled remote address 2 2 2 1 tunnel id 1 1 R name eoip tunnel2 mtu 1500 mac address FE FD 00 00 00 04 arp enabled remote address 10 1 0 112 tunnel id 2 e for Office2through ISP2 admin office2 gt interface eoip add remote address 1 1 1 1 tunnel id 1 mac address FE FD 00 00 00 01 admin office2 interfac oip gt print Flags X disabled R running 0 R name eoip tunnell mtu 1500 mac a
287. el ip arp Description Even though IP packets are addressed using IP addresses hardware addresses must be used to actually transport data from one host to another Address Resolution Protocol is used to map OSI level 3 IP addreses to OSI level 2 MAC addreses A router has a table of currently used ARP entries Normally the table is built dynamically but to increase network security it can be built statically by means of adding static entries Property Description address ZP address IP address to be mapped interface name interface name the IP address is assigned to mac address MAC address default 00 00 00 00 00 00 MAC address to be mapped to Notes Maximal number of ARP entries is 8192 If arp feature is turned off on the interface i e arp disabled is used ARP requests from clients are not answered by the router Therefore static arp entry should be added to the clients as well For example the router s IP and MAC addresses should be added to the Windows workstations using the arp command C gt arp s 10 5 8 254 00 aa 00 62 c6 09 If arp property is set to reply only on the interface then router only replies to ARP requests Neighbour MAC addresses will be resolved using ip arp statically Example admin Lobo924 ip arp gt add address 10 10 10 10 interface ether2 mac address 06 221 00 56 00 12 admin Lobo924 ip arp gt print Flags X disabled I invalid H DHCP D dynamic ADDRESS MAC
288. elay when the server will lend the directly connected network Example To configure DHCP server on ether1 interface to lend addresses from 10 0 0 2 to 10 0 0 254 which Other trademarks and registred trademarks mentioned herein are properties of their respective owners belong to the 10 0 0 0 24 network with 10 0 0 1 gateway and 159 148 60 2 DNS server for the time of 3 days admin Lobo924 ip dhcp server gt setup Select interface to run DHCP server on dhcp server interface etherl Select network for DHCP addresses dhcp address space 10 0 0 0 24 Select gateway for given network gateway for dhcp network 10 0 0 1 Select pool of ip addresses given out by DHCP server addresses to give out 10 0 0 2 10 0 0 254 Select DNS servers dns servers 159 148 60 20 Select lease tim lease time 3d admin Lobo924 ip dhcp server gt The wizard has made the following configuration based on the answers above admin Lobo924 ip dhcp server gt print Flags X disabled I invalid AME INTERFACE RELAY ADDRESS POOL LEASE TIME ADD ARP 0 dhcp1 ether1 0 0 0 0 dhcp_pooll 3d no admin Lobo924 ip dhcp server gt network print ADDRESS GATEWAY DNS SERVER WINS SERVER DOMAIN O 10 0 0 0 24 10 0 0 1 159 148 60 20 admin Lobo924 ip dhcp server gt ip pool print NAME RANGES 0 dhcp_pooll 10 0 0 2 10 0 0 254 admin Lobo924 ip dhcp server gt
289. elivered in Acct Input Octets HotSpot only Acct Input Packets nubmer of packets received from the client Other trademarks and registred trademarks mentioned herein are properties of their respective owners Acct Output Octets bytes sent to the client Acct Output Gigawords 4G 2432 bytes sent to the client bits 32 63 when bits 0 31 are delivered in Acct Output Octets HotSpot only Acct Output Packets number of packets sent to the client Stop Accounting Request These packets can additionally have e Acct Terminate Cause session termination cause see RFC2866 ch 5 10 Attribute Numeric Values E s66 ee O O e866 O a O ow O i o E e Ooo o E e Acct Output Gigaword S Acct Output Octets Lo Acct Output Packets Ld Acct Session Id Le Acct Session Time 4 Acct Status Type ee Acct Terminate Cause fo Ascend Client Gatewa Ascend Data Rate Ascend Xmit Rate Called Station Id Lo Calling Station Id as CHAP Challenge sid CHAP Password _ Framed IP Address os o Other trademarks and registred trademarks mentioned herein are properties of their respective owners Framed IP Netmask Framed Pool Framed Protocol Framed Route Group Idle Timeout MS CHAP Challenge MS CHAP Domain MS CHAP Response lt 2 Q gt mw N MS CHAP2 Success ra lae H gri 5 77 MS MPPE Recv Key MS MPPE Send Key NAS Identifier NAS Port NAS Port Id NAS Port Type Rate Limit Re
290. emote address 10 0 0 1 admin Remot interfac oip gt enabl oip main admin Remot interfac oip gt print Flags X disabled R running 0 name eoip mtu 1500 arp enabled remote address 10 0 0 1 tunnel id 0 Remote interfac oip gt 3 Enable bridging between the EoIP and Ethernet interfaces on both routers On the Our_GW admin Our_GW interface bridge gt add forward protocols ip arp other disabled no admin Our_GW interface bridge gt print Flags X disabled R running 0 R name bridgel mtu 1500 arp enabled mac address 00 00 00 00 00 00 forward protocols ip arp other priority 1 admin Our_GW interface bridge gt port print Flags X disabled INTERFACE BRIDGE 0 eoip remote none 1 office eth none 2 isp none admin Our_GW interface bridge gt port set 0 1 bridge bridgel And the same for the Remote admin Remote interface bridge gt add forward protocols ip arp other disabled no admin Remote interface bridge gt print Flags X disabled R running 0 R name bridgel mtu 1500 arp enabled mac address 00 00 00 00 00 00 forward protocols ip arp other priority 1 admin Remote interface bridge gt port print Flags X disabled INTERFACE BRIDGE 0 ether none 1 adsl none 2 eoip main none admin Remote interface bridge gt port set 0 2 bridge bridgel 4 Addresses from the same network can be used both in the Office L
291. en number characters static key 2 text hexadecimal key which will be used to encrypt packets with the 40bit wep or 104bit wep algorithm algo 0 If AES CCM is used the key must consist of even number of characters and must be at least 32 characters long For TKIP the key must be at least 64 characters long and also must consist of even number characters static key 3 text hexadecimal key which will be used to encrypt packets with the 40bit wep or 104bit wep algorithm algo 0 If AES CCM is used the key must consist of even number of characters and must be at least 32 characters long For TKIP the key must be at least 64 characters long and also must consist of even number characters static sta private algo none 40bit wep 104bit wep aes ccm tkip algorithm to use if the static sta private key is set Used to commumicate between 2 devices static sta private key text if this key is set in station mode use this key for encryption In AP mode you have to specify static private keys in the access list or use the Radius server using radius mac authentication Used to commumicate between 2 devices static transmit key static key 0 static key I static key 2 static key 3 default static key 0 which key to use for broadcast packets Used in AP mode wpa group ciphers aes ccm tkip default which algorithms to use for WPA group communications for multicast and broadcast packets If the interface is an Access Poin
292. ent will use this as the DNS domain setting for the network adapter gateway IP address default 0 0 0 0 the default gateway to be used by DHCP clients netmask integer 0 32 default 0 the actual network mask to be used by DHCP client e 0 netmask from network address is to be used next server ZP address IP address of next server to use in bootstrap wins server text the Windows DHCP client will use these as the default WINS servers Two comma separated WINS servers can be specified to be used by DHCP client as primary and secondary WINS servers Notes The address field uses netmask to specify the range of addresses the given entry is valid for The actual netmask clients will be using is specified in netmask property DHCP Server Leases Home menu level ip dhcp server lease Description DHCP server lease submenu is used to monitor and manage server s leases The issued leases are showed here as dynamic entries You can also add static leases to issue the definite client determined by MAC address the specified IP address Generally the DHCP lease it allocated as follows 1 an unused lease is in waiting state 2 ifa client asks for an IP address the server chooses one if the client will receive statically assigned address the lease becomes offered and then bound with the respective lease time 4 if the client will receive a dynamic address taken from an IP address pool the router sends a ping packe
293. entication yes default forwarding yes default ap tx hide ssid no security profile default on fail retry time 100ms preamble mod name wlan2 mtu 1500 mac address 00 limit 0 default client tx limit 0 disconnect timeout 3s e both 0C 42 05 00 28 arp enabled disable running check no interface ty pe Atheros AR5413 radio name 000C42050028 mode nstrem area frequency mode superchannel c antenna gain 0 frequency 5180 band 5g rate set default supported rates b 1M supported rates a g 6Mbps 9Mbps 12Mbp 54Mbps basic rates b 1Mbps basic rates a g 6 ack timeout dynamic tx power default noise floor threshold default periodi dual slave ssid Lobo ountry no_country_set hz scan list default bps 2Mbps 5 5Mbps 11Mbps s 18Mbps 24Mbps 36Mbps 48Mbps bps max station count 2007 tx power mode default c calibration default burst time disabled fast frames no df wds mode disabled wds default bridg s mode none antenna mode ant a none wds ignore ssid no update stats interval disabled defaul t authentication yes default forwarding yes default ap tx hide ssid no security profile default on fail retry time 100ms preamble mod admin DualNS 1 interface wireless gt nstrem admin DualNS 1 interface wireless nstreme tx radio wlan2 rx frequency 5180 tx freq admin DualNS 1 interface wireless nstreme Flags X
294. entioned herein are properties of their respective owners Bandwidth Control Document revision 1 3 Wed Jul 20 01 32 02 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Description Additional Documents Queue Types Description Property Description Interface Default Queues Description Property Description Example Simple Queues Description Property Description Queue Trees Description Property Description Example of emulating a 128Kibps 64Kibps Line Queue Tree Example With Masquerading Equal bandwidth sharing among users General Information Summary Bandwidth Control is a set of mechanisms that control data rate allocation delay variability timely delivery and delivery reliability The Lobo OSB supports the following queuing disciplines e PFIFO Packets First In First Out e BFIFO Bytes First In First Out e SFQ Stochastic Fairness Queuing e RED Random Early Detect e PCQ Per Connection Queue e HTB Hierarchical Token Bucket Specifications Other trademarks and registred trademarks mentioned herein are properties of their respective owners Packages required system License required levell limited to 1 queue level3 Home menu level queue Standards and Technologies None Hardware usage significant Related Documents e Software Package Management e IP Addresses and ARP e Mangle Description Quality of Servi
295. er First of all we should create a VRRP instance on this router We will use the priority of 255 for this router as it should be preferred router admin Lobo924 ip vrrp gt add interface local priority 255 admin Lobo924 ip vrrp gt print Flags X disabled I invalid M master B backup 0 M name vrl interface local vrid 1 priority 255 interval 1 preemption mode yes authentication none password on backup on master admin Lobo924 ip vrrp gt Next the virtual IP address should be added to this VRRP instance admin Lobo924 ip vrrp gt address add address 192 168 1 1 24 Virtual router vrl admin Lobo924 ip vrrp gt address print Flags X disabled A activ ADDRESS NETWORK BROADCAST VIRTUAL ROUTER 0 192 168 1 1 24 192 168 1 0 192 168 1 255 vrl admin Lobo924 ip vrrp gt Now this address should appear in ip address list admin Lobo924 ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 1 24 10 0 0 0 10 0 0 255 public iL 192 168 1 2 24 192 168 1 0 192 168 1 255 local 2 D 192 168 1 1 24 192 168140 192 168 1 2595 local admin Lobo924 ip address gt Configuring Backup VRRP router Now we will create VRRP instance with lower priority we can use the default value of 100 so this router will back up the preferred one admin Lobo924 ip vrrp gt add interface local admin Lobo924 i
296. er mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 00 00 03 on fail retry time 00 00 00 100 preamble mode both admin Lobo924 interface wireless gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners Set the ssid to mmt band to 2 4 b g and enable the interface Use the monitor command to see the connection status admin Lobo924 interfac wireless gt set 0 ssid mmt disabled no band 2 4ghz b g admin Lobo924 interface wireless gt monitor wlanl status band frequency tx rate rx rate ssid bssid radio name signal strength connected to ess 2 4ghz g 2432MHz 36Mbps 36Mbps mmt 00 0B 6B 34 5A 91 000B6B345A91 77qdBm tx signal strength tx ccq gt rx ccq current ack timeout current distance wds link nstreme framing mode routeros version last ip current tx powers admin Lobo924 76dBm 21 21 56 56 no no none 2 9betal6 2525022002 1Mbps 28 2Mbps 28 5 5Mbps 28 11Mbps 28 6Mbps 27
297. er packet e compress headers further increase network performance by compressing IP packet header consumes more CPU resources e compress all increase network performance even more by using header and data compression extensive CPU usage Other trademarks and registred trademarks mentioned herein are properties of their respective owners unpacking none simple compress all compress headers default simple specifies the unpacking mode e none accept only usual packets e simple accept usual packets and aggregated packets without compression e compress headers accept all packets except those with payload compression e compress all accept all packets Notes Level of packet compression increases like this none gt simple gt compress headers gt compress all When router has to send a packet it choses minimum level of packet compression from what its own packing type is set and what other router s unpacking type is set Same is with aggregated size setting minimum value of both ends is actual maximum size of aggregated packet used aggregated size can be bigger than interface MTU if network device allows it to be 1 e it supports sending and receiving frames bigger than 1514 bytes Example To enable maximal compression on the ether1 interface admin Lobo924 ip packing gt add interface etherl packing compress all unpacking compress all admin Lobo924 ip packing gt print Flags X dis
298. er a user must be set up for the client admin RemoteOffice ppp secret gt add name ex service 12tp password lkjrht local address 10 150 1 254 remote address 10 150 1 2 admin RemoteOffice ppp secret gt print detail Flags X disabled 0 name ex service l2tp caller id password 1kjrht profile default local address 10 150 1 254 remote address 10 150 1 2 routes admin RemoteOffice ppp secret gt Then the user should be added in the L2TP server list admin RemoteOffice interface 12tp server gt add name FromLaptop user ex admin RemoteOffice interface l12tp server gt print Flags X disabled D dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME ENC 0 FromLaptop ex admin RemoteOffice interface 12tp server gt And the server must be enabled admin RemoteOffice interface 12tp server server gt set enabled yes admin RemoteOffice interface 12tp server server gt print enabled yes mtu 1460 mru 1460 authentication mschap2 default profile default admin RemoteOffice interface 12tp server server gt Finally the proxy APR must be enabled on the Office interface admin RemoteOffice interfac thernet gt set Office arp proxy arp admin RemoteOffice interfac thernet gt print Flags X disabled R running NAME MTU MAC ADDRESS ARP 0 R ToInternet 1500 00 30 4F 0B 7B C1 enabled 1 R Office 1500 00 30 4F 06 62 12 proxy
299. er alternative connections that would otherwise form loops are put to standby so that should the main connection fail another connection could take its place This algorithm exchange configuration messages BPDU Bridge Protocol Data Unit periodically so that all bridges would be updated with the newest information about changes in network topology STP selects root bridge which is responosible for network reconfiguration such as blocking and opening ports of the other bridges The root bridge is the bridge with lowest bridge ID Additional Documents http ebtables sourceforge net Bridge Interface Setup Home menu level interface bridge Description To combine a number of networks into one bridge a bridge interface should be created later all the desired interfaces should be set up as its ports One MAC address will be assigned to all the bridged interfaces the smallest MAC address will be chosen automatically Property Description ageing time time default 5m how long a host information will be kept in the bridge database arp disabled enabled proxy arp reply only default enabled Address Resolution Protocol setting forward delay time default 15s time which is spent during the initialization phase of the bridge interface i e after router startup or enabling the interface in listening learning state before the bridge will start functioning normally garbage collection interval time default 4s
300. er just send his her password without additional hashing note that there is no need to worry about plain text password exposure over the network as the transmission itself is encrypted In either case HTTP POST method if not possible then HTTP GET method is used to send data to the HotSpot gateway HTTP cookie after each successful login a cookie is sent to web browser and the same cookie is added to active HTTP cookie list Next time the same user will try to log in web browser will send http cookie This cookie will be compared with the one stored on the HotSpot gateway and only if source MAC address and randomly generated ID match the ones stored on the gateway user will be automatically logged in using the login information username and password pair was used when the cookie was first generated Otherwise the user will be prompted to log in and in the case authentication is successful old cookie will be removed from the local HotSpot active cookie list and the new one with different random ID and expiration time will be added to the list and sent to the web browser It is also possible to erase cookie on user manual logoff not in the default server pages This method may only be used together with HTTP PAP HTTP CHAP or HTTPS methods as there would be nothing to generate cookies in the first place otherwise Other trademarks and registred trademarks mentioned herein are properties of their respective owners e MAC address try
301. er second Obps Global Variables i 1 Local Variables sent bits per second 0 received packets per second 0 received bits per second 0 sent packets per second 0 admin Lobo924 interface gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners Additional Features Description To include comment in the console script prefix it with In a line of script that starts with all characters until the newline character are ignored To put multiple commands on a single line separate them with Console treats as the end of line in scripts Any of the characters should be escaped in a reqular string with character Console takes any character following literally without assigning any special meaning to it except for such cases a bell alarm character code 7 b backspace character code 8 form feed character code 12 n newline character code 10 xr carriage return character code 13 t tabulation character code 9 v vertical tabulation character code 11 _ space character code 32 Note that followed by any amount of whitespace characters spaces newlines carriage returns tabulations followed by newline is treated as a single whitespace except inside quotes where it is treated as nothing This is used by console to break up long lines in scripts generated by export commands Script Repo
302. er server gt Add a L2TP client to the RemoteOffice router admin RemoteOffice interface 12tp password lkjrht disabled no client gt add connect to 192 168 80 1 user ex admin RemoteOffice interface 12tp Flags X disabled R running client gt print 0 R name 12tp out1 mtu 1460 mru 1460 connect to 192 168 80 1 user ex password 1kjrht profile default add default route no admin RemoteOffice interface 12tp client gt Thus a L2TP tunnel is created between the routers This tunnel is like an Ethernet point to point connection between the routers with IP addresses 10 0 103 1 and 10 0 103 2 at each router It enables direct communication between the routers over third party networks Other trademarks and registred trademarks mentioned herein are properties of their respective owners Hetwork Setup with L2TP Internet jn al oy gt Sh Encrypted SE od ISP 1 r L2TP Tunnel Shy ISP 2 network 192 168 8041 network 192 168 81 0 netmask 255 255 2 netmask 255 255 255 0 HomeOff Fi 4 RemoteOffice nomeenes FromRemoteOffice To Intemet To Internet r anes 492 168 80 1 24 gay 1 9 1032 024 ee are haley 192 168 81 1 24 LocalHomeOffi LocaiRemoteOffice 1 0150 2 254 24 10 150 1 25424 network 10 150 2 0 network 10 150 1 0 netmask 255 255 255 0 netmask 255 255 255 0 l i J Laptop Workstation 10 150 2 41 24 10 450 4 4 24 To route the local Intranet
303. er via this route e 0 0 0 0 prefsrc is determined automatically prepend integer 0 16 number which indicates how many times to prepend AS_NAME to AS_PATH routing mark name a mark for packets defined under ip firewall mangle Only those packets which have the according routing mark will be routed using this gateway With this parameter we provide policy based routing scope integer 0 255 a value which is used to recursively lookup the nexthop addresses Nexthop is looked up only through routes that have scope lt target scope of the nexthop target scope integer 0 255 a value which is used to recursively lookup the next hop addresses Each nexthop address selects smallest value of target scope from all routes that use this nexthop address Nexthop is looked up only through routes that have scope lt target scope of the nexthop Notes You can specify more than one or two gateways in the route Moreover you can repeat some routes in the list several times to do a kind of cost setting for gateways Example To add two static routes to networks 10 1 12 0 24 and 0 0 0 0 0 the default destination address on a router with two interfaces and two IP addresses admin Lobo924 ip route gt add dst address 10 1 12 0 24 gateway 192 168 0 253 admin Lobo924 ip route gt add gateway 10 5 8 1 admin Lobo924 ip route gt print Flags X disabled A active D dynamic ic connect S static r rip b bgp o ospf
304. erated it can be sent by email send email from text default e mail address to send the support output file from If not set the value set in tool e mail is used send email to text default e mail address to send the support output file to send smtp server text default SMTP server address to send the support output file through If not set the value set in tool e mail is used Example To make system generate a support output file and sent it automatically to support example com throught the 192 0 2 1lin case of a software crash admin Lobo924 system watchdog gt set auto send supout yes send to email support example com send smtp server 192 0 2 1 admin Lobo924 system watchdog gt print reboot on failure yes watch address none watchdog timer yes no ping delay 5m automatic supout yes auto send supout yes send smtp server 192 0 2 1 send email to support example com admin Lobo924 system watchdog gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners VRRP Document revision 1 4 Fri Mar 05 08 42 58 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Summary Specifications Related Documents Description VRRP Routers Description Property Description Notes Virtual IP addresses Property Description Notes A simple example of VRRP fail over Descri
305. ery 64s enabled yes no default no whether the NTP server is enabled manycast yes no default yes whether NTP server listens for multicast messages sent to 239 192 1 1 and responds to them multicast yes no default no whether NTP multicast message is sent to 224 0 1 1 every 64s Notes NTP server activities only when local NTP client is in synchronized or using local clock mode If NTP server is disabled all NTP requests are ignored If NTP server is enabled all individual time requests are answered CAUTION Using broadcast multicast and manycast modes is dangerous Intruder or simple user can set up his own NTP server If this new server will be chosen as time source for your server it will be possible for this user to change time on your server at his will Example To enable NTP server to answer unicast requests only admin Lobo924 system ntp server gt set manycast no enabled yes admin Lobo924 system ntp server gt print enabled yes broadcast no multicast no manycast no admin Lobo924 system ntp server gt Time Zone Other trademarks and registred trademarks mentioned herein are properties of their respective owners Home menu level system clock Notes NTP changes local clock to UTC GMT time by default Example Time zone is specified as a difference between local time and GMT time For example if GMT time is 10 24 40 but correct local time is 12 24 40 then time zone has to be
306. es of their respective owners and some other parameters mentioned further in this document The HotSpot system is targeted to provide authentication within a local network to access the Internet but may as well be used to authorize access from outer networks to access local resources Configuring Walled Garden feature it is possible to allow users to access some web pages without the need of prior authentication Getting Address First of all a client must get an IP address It may be set on the client statically or leased from a DHCP server The DHCP server may provide ways of binding lent IP addresses to clients MAC addresses if required The HotSpot system does not care how did a client get an address before he she gets to the HotSpot login page Moreover HotSpot server may automatically and transparently change any IP address yes meaning really any IP address of a client to a valid unused address from the selected IP pool This feature gives a possibility to provide a network access for example Internet access to mobile clients that are not willing or are disallowed not qualified enough or otherwise unable to change their networking settings The users will not notice the translation i e there will not be any changes in the users config but the router itself will see completely different from what is actually set on each client source IP addresses on packets sent from the clients even firewall mangle table will see t
307. esignated time Specifications Packages required system License required levell Home menu level system scheduler Standards and Technologies None Hardware usage Not significant Related Documents e Package Management Scripting Examples Scripting Examples Scheduler Configuration Description The scheduler can trigger script execution at a particular time moment after a specified time interval or both Property Description Other trademarks and registred trademarks mentioned herein are properties of their respective owners interval time default Os interval between two script executions if time interval is set to zero the script is only executed at its start time otherwise it is executed repeatedly at the time interval is specified name name name of the task on event name name of the script to execute It must be presented at system script run count read only integer to monitor script usage this counter is incremented each time the script is executed start date date date of the first script execution start time time time of the first script execution e startup execute the script 3 seconds after the system startup Notes Rebooting the router will reset run count counter If more than one script has to be executed simultaneously they are executed in the order they appear in the scheduler configuration This can be important if one scheduled script is used to disable anot
308. ess broadcast IP address default 255 255 255 255 broadcasting IP address calculated by default from an IP address and a network mask disabled yes no default no specifies whether the address is disabled or not interface name interface name the IP address is assigned to netmask P address default 0 0 0 0 specifies network address part of an IP address network IP address default 0 0 0 0 IP address for the network For point to point links it should be the address of the remote end Notes You cannot have two different IP addresses from the same network assigned to the router Exempli gratia the combination of IP address 10 0 0 1 24 on the etherl interface and IP address 10 0 0 132 24 on the ether2 interface is invalid because both addresses belong to the same network 10 0 0 0 24 Use addresses from different networks on different interfaces or enable proxy arp on Other trademarks and registred trademarks mentioned herein are properties of their respective owners ether1 or ether2 Example admin Lobo924 ip address gt add address 10 10 10 1 24 interface ether2 admin Lobo924 ip address gt print Flags X disabled I invalid D dynamic 4 ADDRESS NETWORK BROADCAST INTERFACE 0 228 25 24 2 2 2 0 2 2 2 255 ether2 1 10 5 7 244 24 10 5 7 0 10655 7 295 etherl 2 10 10 10 1 24 10 10 10 0 10 10 10 255 ether2 admin Lobo924 ip address gt Address Resolution Protocol Home menu lev
309. ess JP address name IP address or IP address pool name for PPP server name name PPP profile name only one yes no default default default defines whether a user is allowed to have more then one connection at a time e yes a user is not allowed to have more than one connection at a time e no the user is allowed to have more than one connection at a time e default accept this setting from the peer outgoing filter name firewall chain name for outgoing packets Specified chain gets control for each packet going to the client The ppp chain should be manually added and rules with action jump jump target ppp should be added to other relevant chains in order for this feature to work For more information look at the Examples section rate limit text default rate limitation in form of rx rate tx rate rx burst rate tx burst rate rx burst threshold tx burst threshold rx burst time tx burst time All rates are measured in bits per second unless followed by optional k suffix kilobits per second or M suffix megabits per second If tx rate is not specified rx rate serves as tx rate too The same applies for tx burst rate tx burst threshold and tx burst time If both rx burst threshold and tx burst threshold are not specified but burst rate is specified rx rate and tx rate are used as burst thresholds If both rx burst time and tx burst time are not specified 1s is used as default remote address JP
310. ess as it travels through the router A reverse operation is applied to the reply packets travelling in the other direction e destination NAT or dstnat This type of NAT is performed on packets that are destined to the natted network It is most comonly used to make hosts on a private network to be acceesible from the Internet A NAT router performing dstnat replaces the destination IP address of an IP packet as it travel through the router towards a private network NAT Drawbacks Hosts behind a NAT enabled router do not have true end to end connectivity Therefore some Internet protocols might not work in scenarios with NAT Services that require the initiation of TCP connection from outside the private network or stateless protocols such as UDP can be disrupted Moreover some protocols are inherently incompatible with NAT a bold example is AH protocol from the IPsec suite OSB includes a number of so called NAT helpers that enable NAT traversal for various protocols Redirect and Masquerade Redirect and masquerade are special forms of destination NAT and source NAT respectively Redirect is similar to the regular destination NAT in the same way as masquerade is similar to the source NAT masquerade is a special form of source NAT without need to specify to addresses outgoing interface address is used automatically The same is for redirect it is a form of destination NAT where to addresses is not used incoming interface address is
311. ess of the connected client user name the name of the connected user encoding read only text encryption and encoding if asymmetric separated with being used in this connection uptime time shows how long the client is connected Example Other trademarks and registred trademarks mentioned herein are properties of their respective owners To view the currently connected users admin Lobo924 interface pppoe server gt print Flags R running NAME SERVICE REMOTE ADDRESS USER 0 R lt pppoe ex gt ex 00 C0O CA 16 16 A5 ex admin Lobo924 interface pppoe server gt To disconnect the user ex admin Lobo924 interface pppoe server gt remov admin Lobo924 interface pppoe server gt print admin Lobo924 interface pppoe server gt Application Examples ENCO UPTIME 12s find user ex PPPoE in a multipoint wireless 802 11g network In a wireless network the PPPoE server may be attached to an Access Point as well as to a regular station of wireless infrastructure Either our OSB client or Windows PPPoE clients may connect to the Access Point for PPPoE authentication Further for OSB clients the radio interface may be set to MTU 1600 so that the PPPoE interface may be set to MTU 1500 This optimizes the transmission of 1500 byte packets and avoids any problems associated with MTUs lower than 1500 It has not been determined how to change the MTU of
312. ess records with PPP user profile assigned to each user Property Description caller id text default for PPTP and L2TP it is the IP address a client must connect from For PPPoE it is the MAC address written in CAPITAL letters a client must connect from For ISDN it is the caller s number that may or may not be provided by the operator the client may dial in from _ no restrictions on where clients may connect from Other trademarks and registred trademarks mentioned herein are properties of their respective owners limit bytes in integer default 0 maximal amount a client can upload in bytes for a session limit bytes out integer default 0 maximal amount a client can download in bytes for a session local address JP address name IP address or IP address pool name for PPP server name name user s name used for authentication password text default user s password used for authentication profile name default default profile name to use together with this access record for user authentication remote address JP address name IP address or IP address pool name for PPP clients routes text routes that appear on the server when the client is connected The route format is dst address gateway metric for example 10 1 0 0 24 10 0 0 1 1 Several routes may be specified separated with commas service any async isdn I2tp pppoe pptp default any specifies the services availa
313. et use radius yes admin Lobo924 user aaa gt print use radius yes accounting yes interim update 0s default group read fadmin Lobo924 user aaa gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners Traffic Flow Document revision 1 0 30 jun 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Specifications Related Documents Description Additional Documents General Configuration Description Property Description Traffic Flow Target Description Property Description Traffic Flow Example General Information Specifications Packages required system License required levell Home menu level ip traffic flow Hardware usage Not significant Related Documents Cisco NetFlow NTop e Integrating ntop with NetFlow Description Lobo Traffic Flow is a system that provides statistic information about packets which pass through the router Besides network monitoring and accounting system administrators can identify various problems that may occur in the network With help of Traffic Flow it is possible to analyze and optimize the overall network performance As Traffic Flow is compatible with Cisco NetFlow it can be used with various utilities which are designed for Cisco s NetFlow Traffic Flow supports the following NetFlow formats e version 1 the first version of NetFlow data format do not use it unless y
314. etric are considered unreachable Thus RIP cannot be used on networks with more than 15 hops between any two routers and using redistribute metrics larger that 1 further reduces this maximum hop count Example To enable RIP protocol to redistribute the routes to the connected networks admin Lobo924 admin Lobo924 routing rip gt set redistribut routing rip gt print connected yes redistribute static no redistribut connected redistribute ospf redistribute bgp yes no no metric static 1 metric connected 1 metric ospf 1 metric bgp 1 update timer timeout timer 3m garbage timer 2m admin Lobo924 routing rip gt Interfaces Home menu level routing rip interface Description In general you do not have to configure interfaces in order to run RIP This command level is provided only for additional configuration of specific RIP interface parameters Property Description interface name default all interface on which RIP runs e all sets defaults for interfaces not having any specific settings send v v7 2 v2 default v2 specifies RIP protocol update versions to distribute Other trademarks and registred trademarks mentioned herein are properties of their respective owners receive v v 2 v2 default v2 specifies RIP protocol update versions the router will be able to receive authentication none simple md5 default none specifies authenticatio
315. ew packet mark known_mac Change MSS It is a well known fact that VPN links have smaller packet size due to incapsulation overhead A large packet with MSS that exceeds the MSS of the VPN link should be fragmented prior to sending it via that kind of connection However if the packet has DF flag set it cannot be fragmented and should be discarded On links that have broken path MTU discovery PMTUD it may lead to a number of problems including problems with FTP and HTTP data transfer and e mail services In case of link with broken PMTUD a decrease of the MSS of the packets coming through the VPN link solves the problem The following example demonstrates how to decrease the MSS value via mangle admin Lobo924 gt ip firewall mangle add out interface pppoe out action change mss new mss 1300 chain forward admin Lobo924 gt ip firewall mangle print Flags X disabled I invalid D dynamic 0 chain forward out interface pppoe out action change mss new mss 1300 admin Lobo924 gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners NAT Document revision 2 6 Tue Apr 19 11 39 09 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents NAT Description Property Description NAT Applications Description Example of Source NAT Masquerading Example of Destination
316. ext one Acts the same way as a disabled rule except for ability to count packets e redirect redirect the packet to the bridge itself only valid in dstnat chain e return return to the previous chain from where the jump took place e src nat change source MAC address of a packet only valid in srcnat chain out bridge name outgoing bridge interface out interface name interface via packet is leaving the bridge to arp reply mac address MAC address source MAC address to put in Ethernet frame and ARP payload when action arp reply is selected Other trademarks and registred trademarks mentioned herein are properties of their respective owners to dst mac address MAC address destination MAC address to put in Ethernet frames when action dst nat is selected to src mac address MAC address source MAC address to put in Ethernet frames when action src nat is selected Bridge Brouting Facility Home menu level Ainterface bridge broute Description This section describes broute facility specific options which were omitted in the general firewall description The Brouting table is applied to every packet entering a forwarding enslaved interface i e it does not work on regular interfaces which are not included in a bridge Property Description action accept drop dst nat jump log mark passthrough redirect return default accept action to undertake if the packet matches the rule one of the e
317. ey once has no effect However pressing it for the second time shows all possible completions in compact form admin Lobo924 gt interface set e Tab admin Lobo924 interface set ether Tab admin Lobo924 gt interface set ether Tab etherl ether5 admin Lobo924 gt interface set ether_ 5 1 v The Tab key can be used almost in any context where the console might have a clue about possible values command names argument names arguments that have only several possible values like names of items in some lists or name of protocol in firewall and NAT rules You cannot complete numbers IP addresses and similar values Another way to press fewer keys while typing is to abbreviate command and argument names You can type only beginning of command name and if it is not ambiguous console will accept it as a full name So typing admin Lobo924 gt pi 10 1 c 3 si 100 equals to admin Lobo924 gt ping 10 0 0 1 count 3 size 100 Other trademarks and registred trademarks mentioned herein are properties of their respective owners Notes Pressing Tab key while entering IP address will do a DNS lookup instead of completion If what is typed before cursor is a valid IP address it will be resolved to a DNS name reverse resolve otherwise it will be resolved directly i e to an IP address To use this feature DNS server must be configured and working To avoid input lockups any such lookup will timeout after h
318. f a given logical condition evaluates to true then the do block of commands is executed Otherwice an optional else block is executed yes no logical condition which is evaluated once before the execution of enclosed statements text this block of commands is executed if the logical condition evaluates to true text this block of commands is executed if the logical condition evaluates to false Check if the firewall has any rules added admin Lobo924 gt if len ip firewall filter find gt 0 do put true else put false true admin Lobo924 gt Check whether the gateway is reachable In this example the IP address of the gateway is 10 0 0 254 admin Lobo924 gt if ping 10 0 0 254 count 1 0 do put gateway unreachable 10 0 0 254 ping timeout 1 packets transmitted 0 packets received 100 packet loss gateway unreachable admin Lobo924 gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners len returns the number of characters in string or the number of elements in list depending on the type of the argument name string or list the length of which should be returned admin Lobo924 gt sput len gvejimezyfopmekun le fadmin Lobo924 gt put len gve jim ezy fop mek un 6 admin Lobo924 gt list displays a list of all available console commands that match given search key s text first search key text second
319. f explanatory Other trademarks and registred trademarks mentioned herein are properties of their respective owners user username has reached traffic limit either limit bytes in or limit bytes out limit is reached e no more sessions are allowed for user username the shared users limit for the user s profile is reached Solution wait until someone with this username logs out use different login name or extend the shared users limit RADIUS client non fatal errors e invalid username or password RADIUS server has rejected the username and password sent to it without specifying a reason Cause either wrong username and or password or other error Solution should be clarified in RADIUS server s log files e lt error_message_sent_by_radius_server gt this may be any message any text string sent back by RADIUS server Consult with your RADIUS server s documentation for further information RADIUS client fatal errors e RADIUS server is not responding user is being authenticated by RADIUS server but no response is received from it Solution check whether the RADIUS server is running and is reachable from the HotSpot router HotSpot How to s Description This section will focus on some simple examples of how to use your HotSpot system as well as give some useful ideas Setting up https authorization At first certificate must be present with decrypted private key Then we can use that certificate for hotspot
320. ff automatically mac address read only MAC address the actual MAC address of the user packets in read only integer how many packets did the router receive from the client packets out read only integer how many packets did the router send to the client server read only name name of the server which the host is connected to static read only flag whether this translation has been taken from the static IP binding list to address read only IP address what address is the original IP address of the host translated to uptime read only time current session time of the user i e how long has the user been in the active host list Command Description make binding copy a dynamic entry from this list to the static IP bindings list name item number text custom comment to the static entry to be created regular bypassed blocked the type of the static entry Other trademarks and registred trademarks mentioned herein are properties of their respective owners Service Port Home menu level ip hotspot service port Description Just like for classic NAT the HotSpot embedded one to one NAT breaks some protocols that are incompatible with address translation To leave these protocols consistent helper modules must be used For the one to one NAT the only such a module is for FTP protocol Property Description name read only name protocol name ports read only integer list of the port
321. formation between non backbone areas The backbone must be contiguous However areas do not need to be physical connected to backbone It can be done with virtual link The name and area id for this area can not be changed authetication none simple md5 default none specifies authentication method for OSPF protocol messages Other trademarks and registred trademarks mentioned herein are properties of their respective owners e none do not use authentication e simple plain text authentication e md5 keyed Message Digest 5 authentication default cost integer default 1 specifies the default cost used for stub areas Applicable only to area boundary routers name name default OSPF area s name stub yes no default no a stub area is an area which is out from part with no routers or areas beyond it A stub area is configured to avoid AS External Link Advertisements being flooded into the Stub area One of the reason to configure a Stub area is that the size of the link state database is reduced along with the routing table and less CPU cycles are used to process Any router which is trying access to a network outside the area sends the packets to the default route Example To define additional OSPF area named local_10 with area id 0 0 10 5 do the following admin WiFi routing ospf area gt add area id 0 0 10 5 name local_10 admin WiFi routing ospf area gt print Flags X disabled I invalid
322. frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both admin DualNS 2 interface wireless gt nstreme dual admin DualNS 2 interface wireless nstreme dual gt add rx radio wlanl tx radio wlan2 rx frequency 5805 tx frequency 5180 disabled no remote mac 00 0C 42 05 04 36 admin DualNS 2 interface wireless nstreme dual gt print Flags X disabled R running 0 R name nstremel mtu 1500 mac address 00 0C 42 05 00 22 arp enabled disable running check no tx radio wlan2 rx radio wlan1 remote mac 00 0C 42 05 04 36 tx band 5ghz tx frequency 5180 rx band 5ghz rx frequency 5805 rates b 1Mbps 2Mbps 5 5Mbps 11Mbps rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps framer policy none framer limit 4000 admin DualNS 2 interface wireless nstreme dual gt Now complete the configuration for DualNS 1 admin DualNS 1 interface wireless nstreme dual gt set 0 remote mac 00 0C 42 05 00 22 admin DualNS 1 interface wireless nstreme dual gt print Flags X disabled R running 0 R name nstremel mtu 1500 mac a
323. g duration 15s tx current 3 62Mbps tx 10 second averag 3 87Mbps tx total averag 3 53Mbps rx current 3 33Mbps 3 3 rx 10 second averag 68Mbps rx total averag 49Mbps admin Lobo924 tool gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners ICMP Bandwidth Test Document revision 1 2 Fri Mar 05 09 36 41 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents ICMP Bandwidth Test Description Property Description Example General Information Summary The ICMP Bandwidth Tester Ping Speed can be used to approximately evaluate the throughput to any remote computer and thereby help to discover network bottlenecks Specifications Packages required advanced tools License required levell Home menu level tool Standards and Technologies ICMP RF C792 Hardware usage Not significant Related Documents e Software Package Management JP Addresses and ARP Log Management ICMP Bandwidth Test Description The ICMP test uses two standard echo requests per second The time between these pings can be changed Ping packet size variation makes it possible to approximately evaluate connection parameters and speed with different packet sizes Statistics for throughput is calculated using the size of the ICMP packet the interval between ICMP echo request and echo reply a
324. gateways admin Lobo924 system script gt add name gw_l source ip route set ip route find dst 0 0 0 0 gateway 10 0 0 1 admin Lobo924 system script gt add name gw_2 source ip route set ip route find dst 0 0 0 0 gateway 10 0 0 217 admin Lobo924 system script gt tool netwatch admin Lobo924 tool netwatch gt add host 10 0 0 217 interval 10s timeout 998ms up script gw_2 down script gw_l admin Lobo924 tool netwatch gt print Flags X disabled HOST TIMEOUT INTERVAL STATUS 0 10 0 0 217 997ms 10s up admin Lobo924 tool netwatch gt print detail Flags X disabled 0 host 10 0 0 217 timeout 997ms interval 10s since feb 27 2003 14 01 03 status up up script gw_2 down script gw_1 admin Lobo924 tool netwatch gt Without scripts netwatch can be used just as an information tool to see which links are up or which specific hosts are running at the moment Let s look at the example above it changes default route if gateway becomes unreachable How it s Other trademarks and registred trademarks mentioned herein are properties of their respective owners done There are two scripts The script gw_2 is executed once when status of host changes to up In our case it s equivalent to entering this console command admin Lobo924 gt ip route set ip route find dst 0 0 0 0 gateway 10 0 0 217 The ip route find dst 0 0 0 0 command returns list of all routes whose dst address value is 0
325. ge in case of mac login as well outgoing filter name name of the firewall chain applied to outgoing packets to the users of this profile outgoing packet mark name packet mark put on all the packets to every user of this profile automatically rate limit text default Rate limitation in form of rx rate tx rate rx burst rate tx burst rate rx burst threshold tx burst threshold rx burst time tx burst time All rates should be numbers with optional k 1 000s or M 1 000 000s If tx rate is not specified rx rate is as tx rate too Same goes for tx burst rate and tx burst threshold and tx burst time If both rx burst threshold and tx burst threshold are not specified but burst rate is specified rx rate and tx rate is used as burst thresholds If both rx burst time and tx burst time are not specified 1s is used as default session timeout time default Os session timeout maximal allowed session time for client After this time the user will be logged out unconditionally e 0 no timeout shared users integer default 1 maximal number of simultaneously logged in users with the same username status autorefresh time none default none HotSpot servlet status page autorefresh interval transparent proxy yes no default yes whether to use transparent HTTP proxy for the authorized users of this profile Notes When idle timeout or keepalive is reached session time for that user is reduced by
326. gh the command structure is similar to the Unix shell you can get additional information about the command structure in the Scripting Host and Complementary Tools manual Since there is a lot of available commands they are split into groups organized in a way of hierarchical menu levels The name of a menu level reflects the configuration information accessible in the relevant section exempli gratia fip hotspot In general all menu levels hold the same commands The difference is expressed mainly in command parameters Example For example you can issue the ip route print command admin Lobo924 gt ip route print Flags A active X disabled I invalid D dynamic G connect S static r rip b bgp o ospf d dynamic DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 ADC 1 1 1 0 24 isp2 1 A S 2 2 2 0 24 r 11 1 2 0 isp2 2 ADC 3 3 3 0 24 bondingl 3 ADC 10 1 0 0 24 ispl 4 AS 0 0 0 0 0 yr 10 1 0 1 0 ispl admin Lobo924 gt Instead of typing ip route path before each command the path can be typed only once to move into this particular branch of menu hierarchy Thus the example above could also be executed like this admin Lobo924 gt ip route admin Lobo924 ip route gt print Flags A active X disabled I invalid D dynamic C connect S static r rip b bgp o ospf d dynamic DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 ADC 1 1 1 0 24 isp2 1
327. gies SOCKS version 4 Hardware usage Not significant Related Documents Web Proxy e NAT Other trademarks and registred trademarks mentioned herein are properties of their respective owners Description SOCKS is a proxy server that allows TCP based application data to relay across the firewall even if the firewall would block the packets The SOCKS protocol is independent from application protocols so it can be used for many services e g WWW FTP TELNET and others At first an application client connects to the SOCKS proxy server then the proxy server looks in its access list to see whether the client is permited to access the remote application server or not if it is permitted the proxy server relies the packet to the application server and creates a connection between the application server and client Notes Remember to configure your application client to use SOCKS version 4 You should secure the SOCKS proxy using its access list and or firewall to disallow access from outisde Failing to secure the proxy server may introduce security issues to your network and may provide a way for spammers to send junk mail through the router Additional Documents Information about SOCKS SOCKS Configuration Description In this section you will learn how to enable the SOCKS proxy server and do its configuration Property Description connection idle timeout time default 2m time after which idle connections are
328. gt print Flags X disabled I invalid NAME PORT ADDRESS CERTIFICATE 0 telnet 23 0 0 0 0 0 i ftp 21 0 0 0 0 0 2 www 80 0 0 0 0 0 3 ssh 65 0 0 0 0 0 4 X www ssl 443 0 0 0 0 0 admin Lobo924 ip service gt SSH Client Command name system ssh Property Description port integer default 22 which TCP port to use for SSH connection to a remote host user text default admin username for the SSH login Other trademarks and registred trademarks mentioned herein are properties of their respective owners Example admin Lobo924 gt system ssh 192 168 0 1 user pakalns port 22 admin 192 168 0 1 s password Terminal unknown detected using single line input mode admin Lobo924 gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners Telnet Server and Client Document revision 2 1 Mon Jul 19 07 31 04 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Telnet Server Description Example Telnet Client Description Example General Information Summary Lobo OSB has a build in Telnet server and client features These two are used to communicate with other systems over a network Specifications Packages required system License required levell Home menu level system ip service Standards and Technologies Telnet RFC 854 Hardware usage Not significant Relate
329. h secret gwejimezyfopmekun admin WiFi ip ipsec peer gt add address 10 0 0 147 32 secret gwejimezyfopmekun admin WiFi ip ipsec peer gt print Flags X disabled 0 address 10 0 0 147 32 500 secret gwejimezyfopmekun generate policy no exchange mode main send initial contact yes proposal check obey hash algorithm md5 enc algorithm 3des dh group modp1024 lifetime ld lifebytes 0 admin WiFi ip ipsec peer gt Remote Peer Statistics Other trademarks and registred trademarks mentioned herein are properties of their respective owners Home menu level ip ipsec remote peers Description This submenu provides you with various statistics about remote peers that currently have established phase connections with this router Note that if peer doesn t show up here it doesn t mean that no IPsec traffic is being exchanged with it For example manually configured SAs will not show up here Property Description estabilished read only text shows date and time when phase was established with the peer local address read only IP address local ISAKMP SA address ph2 active read only integer how many phase 2 negotiations with this peer are currently taking place ph2 total read only integer how many phase 2 negotiations with this peer took place remote address read only IP address peer s IP address side multiple choice read only initiator responder shows which side initiated the conne
330. has set command it can be used to edit values of properties exempli gratia admin Lobo924 ip route gt print Flags A active X disabled I invalid D dynamic C connect S static r rip b bgp O ospf d dynamic DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 ADC 1 1 1 0 24 isp2 1 A S 2 2 2 0 24 r 1 1 1 2 0 isp2 2 ADC 3 3 3 0 24 bondingl 3 ADC 10 1 0 0 24 ispl 4 A S 0 0 0 0 0 r 10 1 0 1 0 ispl admin Lobo924 ip route gt edit 1 gateway Safe Mode Description It is possible to change router configuration in a way that will make it not accessible except from local console Usually this is done by accident but there is no way to undo last change when connection to router is already cut Safe mode can be used to minimize such risk Safe mode is entered by pressing Ctrl X To quit safe mode press Ctrl X again admin Lobo924 ip route gt Ctr1 X Safe Mode taken admin Lobo924 ip route lt SAFE gt Message Safe Mode taken is displayed and prompt changes to reflect that session is now in safe mode All configuration changes that are made also from other login sessions while router is in safe mode are automatically undone if safe mode session terminates abnormally You can see all such changes that will be automatically undone tagged with an F flag in system history admin Lobo924 ip route gt Safe Mode taken admin Lobo924 ip route lt SAFE gt add admin Lobo924 ip route
331. hat matches the rule e mark packet place a mark specified by the new packet mark parameter on a packet that matches the rule e mark routing place a mark specified by the new routing mark parameter on a packet This kind of marks is used for policy routing purposes only e passthrough ignore this rule go on to the next one e return pass control back to the chain from where the jump took place e strip ipv4 options strip IPv4 option fields from the IP packet address list name specify the name of the address list to collect IP addresses from rules having action add dst to address list or action add src to address list actions These address lists could be later used for packet matching address list timeout time default 00 00 00 time interval after which the address will be removed from the address list specified by address list parameter Used in conjunction with add dst to address list or add sre to address list actions e 00 00 00 leave the address in the address list forever Other trademarks and registred trademarks mentioned herein are properties of their respective owners chain forward input output postrouting prerouting specify the chain to put a particular rule into As the different traffic is passed through different chains always be careful in choosing the right chain for a new rule If the input does not match the name of an already defined chain a new chain will be created comment text free fo
332. he connect button is selected To install the Virtual Private Networking support for Windows 98SE go to the Setting menu from the main Start menu Select Control Panel select Add Remove Program select the Windows setup tab select the Communications software for installation and Details Go to the bottom of the list of software and select Virtual Private Networking to be installed Troubleshooting Description e use firewall and I cannot establish PPTP connection Make sure the TCP connections to port 1723 can pass through both directions between your sites Also IP protocol 47 should be passed through Other trademarks and registred trademarks mentioned herein are properties of their respective owners VLAN Document revision 1 2 Mon Sep 19 13 46 34 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Summary Specifications Related Documents Description Additional Documents VLAN Setup Property Description Notes Example Application Example VLAN example on Lobo Routers General Information Summary VLAN is an implementation of the 802 1Q VLAN protocol for Lobo OSB It allows you to have multiple Virtual LANs on a single ethernet or wireless interface giving the ability to segregate LANs efficiently It supports up to 4095 vlan interfaces each with a unique VLAN ID per ethernet device Many routers including Cisco and Linux
333. he AP If the AP s area begins with area prefix then this parameter returns true connect yes no whether to connect to AP that matches this rule interface name name of the wireless interface mac address MAC address MAC address of the AP If set to 00 00 00 00 00 00 all APs are accepted min signal strength integer signal strength in dBm Rule is matched if the signal from AP is stronger than this security profile name default none name of the security profile used to connect to the AP If none then those security profile is used which is configured for the respective interface ssid text the ssid of the AP If none set all ssid s are accepted Different ssids will be meaningful if the ssid for the respective interface is set to Access List Home menu level Ainterface wireless access list Description The access list is used by the Access Point to restrict associations of clients This list contains MAC addresses of clients and determines what action to take when client attempts to connect Also the forwarding of frames sent by the client is controlled The association procedure is as follows when a new client wants to associate to the AP that is configured on interface wlanN an entry with client s MAC address and interface wlanN is looked up in the access list If such entry is found action specified in the access list is performed else default authentication and default forwarding arguments of i
334. he default profile but if some parameters are not received they are taken from the respective default profile Local PPP User Profiles Home menu level ppp profile Description PPP profiles are used to define default values for user access records stored under ppp secret submenu Settings in ppp secret User Database override corresponding ppp profile settings except that single IP addresses always take precedence over IP pools when specified as local address or remote address parameters Property Description change tcp mss yes no default default default modifies connection MSS settings e yes adjust connection MSS value e no do not atjust connection MSS value e default accept this setting from the peer dns server P address IP address of the DNS server to supply to clients idle timeout time specifies the amount of time after which the link will be terminated if there was no activity present There is no timeout set by default Other trademarks and registred trademarks mentioned herein are properties of their respective owners e Os no link timeout is set incoming filter name firewall chain name for incoming packets Specified chain gets control for each packet coming from the client The ppp chain should be manually added and rules with action jump jump target ppp should be added to other relevant chains in order for this feature to work For more information look at the Examples section local addr
335. he md5 js which must be already loaded before the Submit action of the login form Otherwise CHAP login will fail The resulting password to be sent to the HotSpot gateway in case of HTTP CHAP method is formed MD5 hashing the concatenation of the following chap id the password of the user and chap challenge in the given order Other trademarks and registred trademarks mentioned herein are properties of their respective owners In case if variables are to be used in link directly then they must be escaped accordingly For example in login page lt a href https login example com login mac mac amp user username gt link lt a gt will not work as intended if username will be 123 amp 456 1 2 In this case instead of user its escaped version must be used user esc lt a href https login server serv login mac mac esc amp user user esc gt link lt a gt Now the same username will be converted to 123 26456 3D1 2 which is the valid representation of 123 amp 456 1 2 in URL This trick may be used with any variables not only with username There is a boolean parameter erase cookie to the logout page which may be either on or true to delete user cookie on logout so that the user would not be automatically logged on when he she opens a browser next time Example With basic HTML language knowledge and the examples below it should be easy to implement the ideas described above e To provide predefined v
336. he translated addresses This technique is called one to one NAT but is also known as Universal Client as that is how it was called in the OSB version 2 8 One to one NAT accepts any incoming address from a connected network interface and performs a network address translation so that data may be routed through standard IP networks Clients may use any preconfigured addresses If the one to one NAT feature is set to translate a client s address to a public IP address then the client may even run a server or any other service that requires a public IP address This NAT is changing source address of each packet just after it is received by the router it is like source NAT that is performed earlier so that even firewall mangle table which normally sees received packets unaltered can only see the translated address Note also that arp mode must be enabled on the interface you use one to one NAT on Before the authentication When enabling HotSpot on an interface the system automatically sets up everything needed to show login page for all clients that are not logged in This is done by adding dynamic destination NAT rules which you can observe on a working HotSpot system These rules are needed to redirect all HTTP and HTTPS requests from unauthorized users to the HotSpot servlet 1 e the authentication procedure e g the login page Other rules that are also inserted we will describe later in a special section of this manual In most
337. he user will be freed and the session time accounted will be decreased by this value e none do not timeout idle users incoming filter name name of the firewall chain applied to incoming packets from the users of this profile incoming packet mark name packet mark put on all the packets from every user of this profile automatically keepalive timeout time none default 00 02 00 keepalive timeout for authorized clients Used to detect that the computer of the client is alive and reachable If check will fail during this period user will be logged out dropped of the host list the address used by the user will be freed and the session time accounted will be decreased by this value e none do not timeout unreachable users Other trademarks and registred trademarks mentioned herein are properties of their respective owners as name name profile reference name on login text default script name to launch after a user has logged in on logout text default script name to launch after a user has logged out open status page always http login default always whether to show status page also for users authenticated using mac login method Useful if you want to put some information for example banners or popup windows in the alogin html page so that all users would see it e http login open status page only in case of http login including cookie and https login methods e always open http status pa
338. heir respective owners Description There are two kinds of errors fatal non fatal Fatal errors are shown on a separate HTML page called error html Non fatal errors are basically indicating incorrect user actions and are shown on the login form General non fatal errors e You are not logged in trying to access the status page or log off while not logged in Solution log in e already authorizing retry later authorization in progress Client already has issued an authorization request which is not yet complete Solution wait for the current request to be completed and then try again chap missing web browser did not send challenge response try again enable JavaScript trying to log in with HTTP CHAP method using MDS hash but HotSpot server does not know the challenge used for the hash This may happen if you use BACK buttons in browser if JavaScript is not enabled in web browser if login html page is not valid or if challenge value has expired on server more than 1h of inactivity Solution instructing browser to reload refresh the login page usually helps if JavaScript is enabled and login html page is valid invalid username username this MAC address is not yours trying to log in using a MAC address username different from the actual user s MAC address Solution no users with usernames that look like a MAC address eg 12 34 56 78 9a bc may only log in from the MAC address specified as their user name sess
339. her one The order of scripts can be changed with the move command If a more complex execution pattern is needed it can usually be done by scheduling several scripts and making them enable and disable each other if scheduler item has start time set to startup it behaves as if start time and start date were set to time 3 seconds after console starts up It means that all scripts having start time startup and interval 0 will be executed once each time router boots Example We will add a task that executes the script log test every hour admin Lobo924 system script gt add name log test source log message test admin Lobo924 system script gt print 0 name log test source log messgae test owner admin run count 0 admin Lobo924 system script gt scheduler admin Lobo924 system scheduler gt add name run 1h interval 1h on event log test admin Lobo924 system scheduler gt print Flags X disabled NAME ON EVENT START DATE START TIME INTERVAL RUN COUNT 0 run 1h log test mar 30 2004 06 11 35 1h 0 admin Lobo924 system scheduler gt In another example there will be two scripts added that will change the bandwidth setting of a queue rule Cust0 Every day at 9AM the queue will be set to 64Kb s and at SPM the queue will be set to 128Kb s The queue rule the scripts and the scheduler tasks are below admin Lobo924 queue simple gt add name Cust0O interface etherl dst ad
340. his time and will request a new address after time limit expires name name reference name ntp server text the DHCP client will use these as the default NTP servers Two comma separated NTP servers can be specified to be used by DHCP client as primary and secondary NTP servers relay JP address default 0 0 0 0 the IP address of the relay this DHCP server should process requests from 0 0 0 0 the DHCP server will be used only for direct requests from clients no DHCP really allowed e 255 255 255 255 the DHCP server should be used for any incomming request from a DHCP relay except for those which are processed by another DHCP server that exists in the ip dhcp server submenu src address JP address default 0 0 0 0 the address which the DHCP client must send requests to in order to renew an IP address lease If there is only one static address on the DHCP server interface and the source address is left as 0 0 0 0 then the static address will be used If there are multiple addresses on the interface an address in the same subnet as the range of given addresses should be used use radius yes no default no whether to use RADIUS server for dynamic leases Notes If using both Universal Client and DHCP Server on the same interface client will only receive a Other trademarks and registred trademarks mentioned herein are properties of their respective owners DHCP lease in case it is directly reachable by its MAC
341. how often to drop old expired host entries in the Other trademarks and registred trademarks mentioned herein are properties of their respective owners bridge database The garbage collection process expurges the entries older than defined by the ageing time property hello time time default 2s how often send hello packets to other bridges mac address read only MAC address MAC address for the interface max message age time default 20s how long to remember Hello messages received from other bridges mtu integer default 1500 Maximum Transmission Unit name name default bridgeN a descriptive name of the bridge interface priority integer 0 65535 default 32768 bridge interface priority The priority argument is used by Spanning Tree Protocol to determine which port remains enabled if at least two ports form a loop stp no yes default no whether to enable the Spanning Tree Protocol Bridging loops will only be prevented if this property is turned on Example To add and enable a bridge interface that will forward all the protocols admin Lobo924 interface bridge gt add print Flags X disabled R running 0 R name bridgel mtu 1500 arp enabled mac address 61 64 64 72 65 73 stp no priority 32768 ageing time 5m forward delay 15s garbage collection interval 4s hello time 2s max message age 20s admin Lobo924 interface bridge gt enable 0 Port Settings Home menu level Ainterf
342. idge bridge nstreme dual slave sniffer station station wds wds slave default station operating mode e alignment only this mode is used for positioning antennas to get the best direction e ap bridge the interface is operating as an Access Point e bridge the interface is operating as a bridge This mode acts like ap bridge with the only difference being it allows only one client nstreme dual slave the interface is used for nstreme dual mode e sniffer promiscuous mode of operation of the wireless card The card captures wireless frames from all existing transmissions and saves them to a file Additional configuration resides in the interface wireless sniffer menu e station the interface is operating as a client e station wds the interface is working as a station but can communicate with a WDS peer e wds slave the interface is working as it would work in ap bridge mode but it adapts to its WDS peer s frequency if it is changed mtu integer 68 1600 default 1500 Maximum Transmission Unit name name default wlanN assigned interface name noise floor threshold integer default 128 127 default default value in dBm below which we Say that it is rather noise than a normal signal on fail retry time time default 100ms time after which we repeat to communicate with a wireless device if a data transmission has failed periodic calibration default disabled enabled default default t
343. ient Conntrack Mangle et cetera General Firewall Information Description Connection Tracking Connection tracking refers to the ability to maintain the state information about connections such as source and destination IP address and ports pairs connection states protocol types and timeouts Firewalls that do connection tracking are known as stateful and are inherently more secure that those who do only simple stateless packet processing The state of a particular connection could be estabilished meaning that the packet is part of already known connection new meaning that the packet starts a new connection or belongs to a connection that has not seen packets in both directions yet related meaning that the packet starts a new connection but is associated with an existing connection such as FTP data transfer or ICMP error message and finally invalid meaning that the packet does not belong to any known connection Connection tracking is done either in the prerouting chain or the output chain for locally generated packets Another function of connection tracking which cannot be overestimated is that it is needed for NAT You should be aware that no NAT can be performed unless you have connection tracking enabled the same applies for p2p protocols recognition Connection tracking also assembles IP packets from fragments before further processing The maximum number of connections the ip firewall connection state table c
344. ies of their respective owners used to manage data flow to from and through bridge Note that packets between bridged interfaces just like any other IP traffic are also passed through the generic ip firewall rules but bridging filters are always applied before IP filters NAT of the built in chain of the same name except for the output which is executed after IP Firewall Output These rules can be used with real physical receiving transmitting interfaces as well as with bridge interface that simply groups the bridged interfaces There are three bridge filter tables e filter bridge firewall with three predefined chains e input filters packets which destination is the bridge including those packets that will be routed as they are anyway destined to the bridge MAC address e output filters packets which come from the bridge including those packets that has been routed normally e forward filters packets which are to be bridged note this chain is not applied to the packets that should be routed through the router just to those that are traversing between the ports of the same bridge e nat bridge network address translation provides ways for changing source destination MAC addresses of the packets traversing a bridge Has two built in chains e scnat used for hiding a host or a network behind a different MAC address This chain is applied to the packets leaving the router through a bridged interface e
345. ifies IKE daemon about that and IKE daemon initiates connection to remote host e IKE daemon responds to remote connection In both cases peers establish connection and execute 2 phases e Phase 1 The peers agree upon algorithms they will use in the following IKE messages and authenticate The keying material used to derive keys for all SAs and to protect following ISAKMP exchanges between hosts is generated also e Phase 2 The peers establish one or more SAs that will be used by IPsec to encrypt data All SAs established by IKE daemon will have lifetime values either limiting time after which SA will become invalid or amount of data that can be encrypted by this SA or both There are two lifetime values soft and hard When SA reaches it s soft lifetime treshold the IKE daemon receives a notice and starts another phase 2 exchange to replace this SA with fresh one If SA reaches hard lifetime it is discarded IKE can optionally provide a Perfect Forward Secrecy PFS whish is a property of key exchanges that in turn means for IKE that compromising the long term phase 1 key will not allow to easily gain access to all IPsec data that is protected by SAs established through this phase 1 It means an additional keying material is generated for each phase 2 Generation of keying material is computationally very expensive Exempli gratia the use of modp8192 group can take several seconds even on very fast computer It usually takes
346. imum Receive Unit The optimal value is the MRU of the interface the tunnel is working over decreased by 40 so for 1500 byte ethernet link set the MRU to 1460 to avoid fragmentation of packets mtu integer default 1460 Maximum Transmission Unit The optimal value is the MTU of the interface the tunnel is working over decreased by 40 so for 1500 byte ethernet link set the MTU to 1460 to avoid fragmentation of packets Example To enable PPTP server admin Lobo924 interface pptp server server gt set enabled yes admin Lobo924 interface pptp server server gt print enabled yes mtu 1460 mru 1460 authentication mschap2 mschapl keepalive timeout 30 default profile default admin Lobo924 interface pptp server server gt PPTP Server Users Home menu level interface pptp server Description There are two types of items in PPTP server configuration static users and dynamic connections A dynamic connection can be established if the user database or the default profile has its local address and remote address set correctly When static users are added the default profile may be left with its default values and only PPP user in ppp secret should be configured Note that in both cases PPP users must be configured properly Property Description client address JP address shows cannot be set here the IP address of the connected client encoding text encryption and encoding if asymmetric separated
347. in interface name matches the bridge port physical input device added to a bridge device It is only useful if the packet has arrived through the bridge protocol ddp egp encap ggp gre hmp icmp idrp cmtp igmp ipencap ipip ipsec ah ipsec esp iso tp4 ospf pup rdp rspf st tcp udp vmtp xns idp xtp integer matches particular IP protocol specified by protocol name or number You should specify this setting if you want to specify ports psd integer time integer integer attempts to detect TCP and UDP scans It is advised to assign lower weight to ports with high numbers to reduce the frequency of false positives such as from passive mode FTP transfers e WeightThreshold total weight of the latest TCP UDP packets with different destination ports coming from the same host to be treated as port scan sequence e DelayThreshold delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence e LowPortWeight weight of the packets with privileged lt 1024 destination port e HighPortWeight weight of the packet with non priviliged destination port random integer 1 99 matches packets randomly with given propability routing mark name matches packets marked with the specified routing mark Other trademarks and registred trademarks mentioned herein are properties of their respective owners src address JP address netmask
348. ings Profiles are like user groups they are grouping users with the same limits Property Description address pool name none default none the IP poll name which the users will be given IP addresses from This works like dhcp pool method in earlier versions of Lobo OSB except that it does not use DHCP but rather the embedded one to one NAT e none do not reassign IP addresses to the users of this profile advertise yes no default no whether to enable forced advertisement popups for this profile advertise interval multiple choice time default 30m 10m set of intervals between showing advertisement popups After the list is done the last value is used for all further advertisements advertise timeout time immediately never default Im how long to wait for advertisement to be shown before blocking network access with walled garden advertise url multiple choice text default http www lobometrics com http www wikipedia org list of URLs to show advertisement popups The list is cyclic so when the last item reached next time the first is shown idle timeout time none default none idle timeout maximal period of inactivity for authorized clients It is used to detect that client is not using outer networks e g Internet i e there is NO TRAFFIC coming from that client and going through the router Reaching the timeout user will be logged out dropped of the host list the address used by t
349. int command before using an item number in a command admin Lobo924 interface gt print Flags X disabled D dynamic R running NAME TYPE RX RATE TX RATE MTU 0 R Public ether 0 0 1500 1 R Local ether 0 0 1500 2 R wlanl wlan 0 0 1500 admin Lobo924 interface gt set 0 disabled mtu nam rx rat tx rat admin Lobo924 interface gt set 0 mtu 1200 admin Lobo924 interface gt set wlanl mtu 1300 admin Lobo924 interface gt print Flags X disabled D dynamic R running NAME TYPE RX RATE TX RATE MTU 0 R Public ether 0 0 1200 1 R Local ether 0 0 1500 2 R wlanl wlan 0 0 1300 admin Lobo924 interface gt Quick Typing Description There are two features in the console that help entering commands much quicker and easier the Tab key completions and abbreviations of command names Completions work similarly to the bash shell in UNIX If you press the Tab key after a part of a word console tries to find the command within the current context that begins with this word If there is only one match it is automatically appended followed by a space inte Tab _ becomes interface _ If there is more than one match but they all have a common beginning which is longer than that what you have typed then the word is completed to this common part and no space is appended interface set e Tab __ becomes interface set ether If you ve typed just the common part pressing the tab k
350. invalid Other trademarks and registred trademarks mentioned herein are properties of their respective owners NETWORK AREA 0 10 2 0 0 24 local_10 i 10 3 0 0 24 local_10 After all routers have been set up as described above and the links between them are operational the routing tables of the three routers look as follows admin OSPF_MAIN ip route gt print Flags X disabled I invalid D dynamic J rejected Cc connect S static r rip ospf b bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Io 192 168 0 0 24 110 1 DC 192 168 0 0 24 r 0 0 0 0 0 main_gw 2 Do 10 3 0 0 24 1022 30 551 110 to_peer_2 Yr o10 1 0 2 to_peer_1 3 Io 10 2 0 0 24 110 4 DC 10 2 0 0 24 204 O O LO 0 to_peer_2 5 Io 10 1 0 0 24 110 6 DC 10 1 0 0 24 r 0 0 0 0 0 to_peer_1 admin OSPF_peer_1 ip route gt print Flags X disabled I invalid D dynamic J rejected C connect S static r rip ospf b bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Do 192 168 0 0 24 e 10 51 20 52 110 to_main 1 Io 10 3 0 0 24 110 2 DC 10 3 0 0 24 r 0 0 0 0 0 backup 3 Do 10 2 0 0 24 1041 0 2 110 to_main r 10 3 lt 0 2 backup 4 Io 10 1 0 0 24 TIO 5 DC 10 1 0 0 24 r 0 0 0 0 0 to_main admin OSPF_peer_2 ip route gt print Flags X disabled I invalid D dynamic J rejected connect S Static t rip o Jospf b bgp DST ADDRESS G GATEWAY DI
351. ion limit reached error orig depending on licence number of active hotspot clients is limited to some number The error is displayed when this limit is reached Solution try to log in later when there will be less concurrent user sessions or buy an another license that allows more simultaneous sessions e hotspot service is shutting down OSB is currently being restarted or shut down Solution wait until the service will be available again General fatal errors e internal error error orig this should never happen If it will error page will be shown displaying this error message error orig will describe what has happened Solution correct the error reported e configuration error error orig the HotSpot server is not configured properly error orig will describe what has happened Solution correct the error reported e cannot assign ip address no more free addresses from pool unable to get an IP address from an IP pool as there is no more free IP addresses in that pool Solution make sure there is a sufficient amount of free IP addresses in IP pool Local HotSpot user database non fatal errors e invalid username or password self explanatory user username is not allowed to log in from this MAC address trying to log in from a MAC address different from specified in user database Solution log in from the correct MAC address or take out the limitation user username has reached uptime limit sel
352. iption Interface Graphing Description Property Description Example Simple Queue Graphing Description Property Description Example Resource Graphing Description Property Description Example General Information Summary Graphing is a tool which is used for monitoring various OSB parameters over a period of time Specifications Packages required system License required levell Home menu level tool graphing Hardware usage Not significant Description The Graphing tool can display graphics for Other trademarks and registred trademarks mentioned herein are properties of their respective owners e Voltage and temperature e Resource usage CPU Memory and Disk usage e Traffic which is passed through interfaces e Traffic which is passed through simple queues Graphing consists of two parts first part collects information and other part displays data in a Web page To access the graphics type http Router_IP_address graphs and choose a graphic to display in your Web browser Data from the router is gathered every 5 minutes but saved on the system drive every store every time After rebooting the router graphing will display information that was last time saved on the disk before the reboot OSB generates four graphics for each item e Daily Graph 5 Minute Average e Weekly Graph 30 Minute Average e Monthly Graph 2 Hour Average e Yearly Graph 1 Day Average To access each graphic from
353. iption Example Network Scan Description Property Description Example Security Profiles Description Property Description Notes Sniffer Description Property Description Sniffer Sniff Description Property Description Command Description Sniffer Packets Description Property Description Example Snooper Description Property Description Command Description Example Station and AccessPoint WDS Station Other trademarks and registred trademarks mentioned herein are properties of their respective owners Virtual Access Point Nstreme Dual Nstreme WEP Security Troubleshooting Description General Information Summary The wireless interface operates using IEEE 802 11 set of standards It uses radio waves as a physical signal carrier and is capable of wireless data transmission with speeds up to 108 Mbps in 5GHz turbo mode Lobo OSB supports the Intersil Prism II PC PCI Atheros AR5000 AR5001X ARS5001X AR5002X AR5004X and AR5006 chipset based wireless adapter cards for working as wireless clients station mode wireless bridges bridge mode wireless access points ap bridge mode and for antenna positioning alignment only mode For furher information about supported wireless adapters see Device Driver List Lobo OSB provides a complete support for IEEE 802 11a 802 11b and 802 11g wireless networking standards There are several features implemented for the wireless data communication in OSB WPA Wi Fi Pr
354. irewall mangle and then use this mark as an identifier for packet flows in queue trees Other trademarks and registred trademarks mentioned herein are properties of their respective owners Property Description burst limit integer maximum data rate which can be reached while the burst is active burst threshold integer used to calculate whether to allow burst If the average data rate over the last burst time seconds is less than burst threshold the actual data rate may reach burst limit burst time time used to calculate average data rate flow text packet flow which is marked in ip firewall mangle Current queue parameters apply only to packets which are marked with this flow mark limit at integer guaranteed data rate to this queue max limit integer data rate which can be reached if there is enough bandwidth available name text descriptive name for the queue parent text name of the parent queue The top level parents are the available interfaces actually main HTB Lower level parents can be other queues priority integer 1 8 priority of the queue is the highest 8 the lowest queue text name of the queue type Types are defined under queue type This parameter applies only to the leaf queues in the tree hierarchy General Information Example of emulating a 128Kibps 64Kibps Line Assume we want to emulate a 128Kibps download and 64Kibps upload line connecting IP network 192 168 0 0
355. is default mode for Microsoft L2TP client as all L2TP control and data packets for a particular tunnel appear as homogeneous UDP IP data packets to the IPsec system L2TP includes PPP authentication and accounting for each L2TP connection Full authentication and accounting of each connection may be done through a RADIUS client or locally MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported L2TP traffic uses UDP protocol for both control and data packets UDP port 1701 is used only for link establishment further traffic is using any available UDP port which may or may not be 1701 This means that L2TP can be used with most firewalls and routers even with NAT by enabling UDP traffic to be routed through the firewall or router L2TP Client Setup Home menu level interface 12tp client Property Description name name default 12tp outN interface name for reference mtu integer default 1460 Maximum Transmission Unit The optimal value is the MTU of the interface the tunnel is working over decreased by 40 so for 1500 byte Ethernet link set the MTU to 1460 to avoid fragmentation of packets mru integer default 1460 Maximum Receive Unit The optimal value is the MRU of the interface the tunnel is working over decreased by 40 so for 1500 byte Ethernet link set the MRU to 1460 to avoid fragmentation of packets connect to IP address The IP address of the L2TP server to connect to user text user name to
356. it gt lt script gt lt body gt lt html gt e The external server can log in a HotSpot client by redirecting it back to the original HotSpot servlet login page specifying the correct username and password Here is an example of such a page it is redirecting to https hotspot example com login replace with the actual address of a HotSpot router also it is displaying www lobometrics com after successful login replace with what needed lt html gt lt title gt Hotspot login page lt title gt lt body gt lt form name login action https hotspot example com login method post gt lt input type text name username value demo gt lt input type password name password value none gt lt input type hidden name domain value gt lt input type hidden name dst value http www lobometrics com gt lt input type submit name login value log in gt lt form gt lt body gt lt html gt e Hotspot will ask RADIUS server whether to allow the login or not If not allowed alogin html page will be displayed it can be modified to do anything If not allowed flogin html or login html page will be displayed which will redirect client back to the external authentication server e Note as shown in these examples HTTPS protocol and POST method can be used to secure communications Possible Error Messages Other trademarks and registred trademarks mentioned herein are properties of t
357. it So if you have wrong shared secret RADIUS server will accept request but router won t accept reply You can see that with radius monitor command bad replies number should increase whenever somebody tries to connect Example To set a RADIUS server for HotSpot and PPP services that has 10 0 0 3 IP address and ex shared secret you need to do the following admin Lobo924 radius gt add service hotspot ppp address 10 0 0 3 secret ex admin Lobo924 radius gt print Flags X disabled SERVICE CALLED ID DOMAIN ADDRESS SECRET 0 ppp hotspot 10 0 0 3 ex admin Lobo924 radius gt AAA for the respective services should be enabled too admin Lobo924 radius gt ppp aaa set use radius yes admin Lobo924 radius gt ip hotspot profile set default use radius yes To view some statistics for a client admin Lobo924 radius gt monitor 0 pending 0 requests 10 accepts 4 rejects 1 resends 15 timeouts 5 bad replies 0 last request rtt Os admin Lobo924 radius gt Suggested RADIUS Servers Description Lobo OSB RADIUS Client should work well with all RFC compliant servers It has been tested with e FreeRADIUS e XTRadius does not currently support MS CHAP e Steel Belted Radius Other trademarks and registred trademarks mentioned herein are properties of their respective owners Supported RADIUS Attributes Description Lobo RADIUS Dictionaries Here you can download Lo
358. it data for burst time microseconds This setting is available only for AR5000 ARS5001X and AR5001X chipset based cards compression yes no default no if enabled on AP in ap bridge or bridge mode it advertizes that it is capable to use hardware data compression If a client connected to this AP also supports and is configured to use the hardware data compression it requests the AP to use compression This property does not affect clients which do not support compression country albania algeria argentina armenia australia austria azerbaijan bahrain belarus belgium belize bolvia brazil brunei darussalam bulgaria canada chile china colombia costa rica croatia cyprus czech republic denmark dominican republic ecuador egypt el salvador estonia finland france france_res georgia germany greece guatemala honduras hong kong hungary iceland india indonesia iran ireland israel italy japan japan Japan2 japan3 japan4 japanS jordan kazakhstan korea republic korea republic2 kuwait latvia lebanon liechtenstein lithuania luxemburg macau macedonia malaysia mexico monaco morocco netherlands new zealand no_country_set north korea norway oman pakistan panama peru philippines poland portugal puerto rico qatar romania russia saudi arabia singapore slovak republic slovenia south africa sp
359. ither a built in one or a user defined dst address ZP address default 0 0 0 0 0 destination IP address only if MAC protocol is set to IPv4 dst mac address MAC address default 00 00 00 00 00 00 destination MAC address dst port integer 0 65535 destination port number or range only for TCP or UDP protocols flow text individual packet mark to match in bridge name bridge interface through which the packet is coming in in interface name physical interface i e bridge port through which the packet is coming in ip protocol ipsec ah ipsec esp ddp egp ggp gre hmp idpr cmtp icmp igmp ipencap encap ipip iso tp4 ospf pup rspf rdp st tcp udp vmtp xns idp xtp IP protocol only if MAC protocol is set to IPv4 e ipsec ah IPsec AH protocol e ipsec esp IPsec ESP protocol e ddp datagram delivery protocol e egp exterior gateway protocol e ggp gateway gateway protocol e gre general routing encapsulation e hmp host monitoring protocol e idpr cmtp idpr control message transport e icmp internet control message protocol e igmp internet group management protocol Other trademarks and registred trademarks mentioned herein are properties of their respective owners e ipencap ip encapsulated in ip e encap ip encapsulation e ipip ip encapsulation e iso tp4 iso transport protocol class 4 e ospf open shortest path first e pup parc universa
360. ithin the system identity submenu PPPoE users are created in ppp secret menu see the AAA manual for further information Note that if no service name is specified in WindowsXP it will use only service with no name So if you want to serve WindowsXP clients leave your service name empty Property Description service name text the PPPoE service name max mtu integer default 1480 Maximum Transmission Unit The optimal value is the MTU of the interface the tunnel is working over decreased by 20 so for 1500 byte Ethernet link set the MTU to 1480 to avoid fragmentation of packets max mru integer default 1480 Maximum Receive Unit The optimal value is the MTU of the interface the tunnel is working over decreased by 20 so for 1500 byte Ethernet link set the MTU to 1480 to avoid fragmentation of packets max sessions integer default 0 maximum number of clients that the AC can serve e 0 unlimited Other trademarks and registred trademarks mentioned herein are properties of their respective owners interface name interface to which the clients will connect to authentication multiple choice mschap2 mschap1 chap pap default mschap2 mschap1 chap pap authentication algorithm keepalive timeout time default 10 defines the time period in seconds after which the router is starting to send keepalive packets every second If no traffic and no keepalive responses has came for that period of time
361. iven in MHz 5ghz channels multiple choice read only 4920 4925 4930 4935 4940 4945 4950 4955 4960 4965 4970 4975 4980 4985 4990 4995 5000 5005 5010 5015 5020 5025 5030 5035 5040 5045 5050 5055 5060 5065 5070 5075 5080 5085 5090 5095 5100 5105 5110 5115 5120 5125 5130 5135 5140 5145 5150 5155 5160 5165 5170 5175 5180 5185 5190 5195 5200 Other trademarks and registred trademarks mentioned herein are properties of their respective owners 5205 5210 5215 5220 5225 5230 5235 5240 5245 5250 5255 5260 5265 5270 5275 5280 5285 5290 5295 5300 5305 5310 5315 5320 5325 5330 5335 5340 5345 5350 5355 5360 5365 5370 5375 5380 5385 5390 5395 5400 5405 5410 5415 5420 5425 5430 5435 5440 5445 5450 5455 5460 5465 5470 5475 5480 5485 5490 5495 5500 5505 5510 5515 5520 5525 5530 5535 5540 5545 5550 5555 5560 5565 5570 5575 5580 5585 5590 5595 5600 5605 5610 5615 5620 5625 5630 5635 5640 5645 5650 5655 5660 5665 5670 5675 5680 5685 5690 5695 5700 5705 5710 5715 5720 5725 5730 5735 5740 5745 5750 5755 5760 5765 5770 5775 5780 5785 5790 5795 5800 5805 5810 5815 5820 5825 5830 5835 5840 5845 5850 5855 5860 5865 5870 5875 5880 5885 5890 5895 5900 5905 5910 5915 5920 5925 5930 5935 5940 5945 5950 5955 5960 5965 5970 5975 5980 5985 5990 5995 6000 6005 6010 6015 6
362. ke use of these marks e g queue trees and NAT They identify a packet based on its mark and process it accordingly The mangle marks exist only within the router they are not transmitted across the network Property Description action accept add dst to address list add src to address list change mss change tos change ttl jump log mark connection mark packet mark routing passthrough return strip ipv4 options default accept action to undertake if the packet matches the rule e accept accept the packet No action i e the packet is passed through and no more rules are applied to it add dst to address list add destination address of an IP packet to the address list specified by address list parameter e add src to address list add source address of an IP packet to the address list specified by address list parameter e change mss change Maximum Segment Size field value of the packet to a value specified by the new mss parameter e change tos change Type of Service field value of the packet to a value specified by the new tos parameter e change ttl change Time to Live field value of the packet to a value specified by the new ttl parameter e jump jump to the chain specified by the value of the jump target parameter e log each match with this action will add a message to the system log e mark connection place a mark specified by the new connection mark parameter on the entire connection t
363. ks and registred trademarks mentioned herein are properties of their respective owners Property Description name read only name the name of the script to be referenced when invoking it owner text the name of the user who created the script source read only text the script source code itself Example admin Lobo924 system script gt job print SCRIPT OWNER STARTED 0 DelayeD admin dec 27 2003 11 17 33 admin Lobo924 system script gt You can cancel execution of a script by removing it from the job list admin Lobo924 system script gt job remove 0 admin Lobo924 system script gt job print admin Lobo924 system script gt Script Editor Command name system script edit Description OSB console has a simple full screen editor for scripts with support for multiline script writing Keyboard Shortcuts e Delete deletes character at cursor position e Ctrl h backspase deletes character before cursor Unindents line e Tab indents line e Ctrl b LeftArrow moves cursor left e Ctrl f RightArrow moves cursor right e Ctrl p UpArrow moves cursor up Ctrl n DownArrow moves cursor down e Ctrl a Home moves cursor to the beginning of line or script e Ctrl e End moves cursor to the end of line or script e Ctrl y inserts contents of buffer at cursor position e Ctrl k deletes characters from cursor position to the end of line e Ctrl u undoes last action e Ctrl o exits editor ac
364. ks mentioned herein are properties of their respective owners e Min specifies lower boundary of the size range or a standalone value e Max specifies upper boundary of the size range phys in interface name matches the bridge port physical input device added to a bridge device It is only useful if the packet has arrived through the bridge phys out interface name matches the bridge port physical output device added to a bridge device It is only useful if the packet will leave the router through the bridge protocol ddp egp encap ggp gre hmp icmp idrp cmtp igmp ipencap ipip ipsec ah ipsec esp iso tp4 ospf pup rdp rspf st tcp udp vmtp xns idp xtp integer matches particular IP protocol specified by protocol name or number You should specify this setting if you want to specify ports psd integer time integer integer attempts to detect TCP and UDP scans It is advised to assign lower weight to ports with high numbers to reduce the frequency of false positives such as from passive mode FTP transfers e WeightThreshold total weight of the latest TCP UDP packets with different destination ports coming from the same host to be treated as port scan sequence e DelayThreshold delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence e LowPortWeight weight of the packets with privileged lt 1024 destination
365. l ip address 192 168 1 1 255 255 255 252 ip directed broadcast router rip version 2 redistribute connected redistribute static network 10 0 0 0 network 192 168 1 0 1 ip classless The routing table of the Cisco router is Cisco show ip route Codes C connected S static I I D EIGRP EX EIGRP external 1 OSPF NSSA external type 1 GRP R RIP M mobile O OSPF IA OSPF inter N2 OSPF NSSA external type 2 B BGP area El OSPF external type 1 E2 OSPF external type 2 E EGP Te A SS Sy il IS IS level 1 L2 U per user static route o ODR Gateway of last resort is 192 168 1 2 to network 0 0 0 0 10 0 0 0 24 is subnetted 1 subnet S C 10 0 0 0 is directly connected R 192 168 0 0 24 120 1 via 10 0 0 Ethernet0 174 00 00 19 192 168 1 0 30 is subnetted 1 subnets C 192 168 1 0 is directly connect R 192 168 3 0 24 120 1 via 192 168 R 0 0 0 0 0 120 1 via 192 168 1 2 Cisco ed Seriall ht 0 03 00 05 Ethernet0O Seriall 00 00 05 Seriall IS IS level 2 candidate default As we can see the Cisco router has learned RIP routes both from the Lobo router 192 168 0 0 24 and from the ISP router 0 0 0 0 0 and 192 168 3 0 24 Other trademarks and registred trademarks mentioned herein are properties of their respective owners Routes Equal Cost Multipath Routing Policy Routing Docume
366. l ip hotspot user Description Article moved to HotSpot AAA section HotSpot Active Users Home menu level ip hotspot active Description Article moved to HotSpot AAA section HotSpot Cookies Home menu level ip hotspot cookie Description Cookies can be used for authentication in the Hotspot service Property Description domain read only text domain name if split from username expires in read only time how long the cookie is valid Other trademarks and registred trademarks mentioned herein are properties of their respective owners mac address read only MAC address user s MAC address user read only name username Notes There can be multiple cookies with the same MAC address For example there will be a separate cookie for each web browser on the same computer Cookies can expire that s the way how it is supposed to be Default validity time for cookies is 3 days 72 hours but it can be changed for each individual HotSpot server profile for example ip hotspot profile set default http cookie lifetime 1d Example To get the list of valid cookies admin USE 0 ex 01 23 45 67 89 AB 23h54m16s admin Lobo924 ip hotspot cookie gt Lobo924 ip hotspot cookie gt print R DOMAIN MAC ADDRESS EXPIRES IN EC D HTTP level Walled Garden Home menu level ip hotspot walled garden Description Walled garden is a system which allows unauthorized use of so
367. l 40s After changing the cost settings we have only one equal cost multipath route left to the network 10 3 0 0 24 from OSPF_MAIN router Routes on OSPF_MAIN router admin OSPF_MAIN ip route gt print Flags X disabled I invalid D dynamic J rejected Cc connect S static r rip o ospf b bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE O Io 192 168 0 0 24 110 1 DC 192 168 0 0 24 E O00 0 main_gw 2 Do 10 3 0 0 24 ce AOL 260151 110 to_peer_2 lOs isO to_peer_1 3 Io 10 2 0 0 24 110 4 DC 10 2 0 0 24 r 0 0 0 0 0 to_peer_2 5 Io 10 1 0 0 24 110 6 DC 10 1 0 0 24 r 0 0 0 0 0 to_peer_1l On OSPF_peer_1 admin OSPF_peer_1 gt ip route pr Flags X disabled I invalid D dynamic J rejected Other trademarks and registred trademarks mentioned herein are properties of their respective owners C connect S static r rip o ospf b bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Do 192 168 0 0 24 E LOr Tag 110 to_main 1 Io 10 3 0 0 24 110 2 DC 10 3 0 0 24 r 0 0 0 0 0 backup 3 Do 10 2 0 0 24 10 1 0 2 110 to_main 4 Io 10 1 0 0 24 110 5 De 10 1 0 0 24 r 0 0 0 0 0 to_main On OSPF _peer 2 admin OSPF_peer_2 gt ip route print Flags X disabled I invalid D dynamic J rejected C connect S static r rip ospf b bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Do 192 168 0 0 24 r 10 2 0 2 110 to_main
368. l Information Summary Ethernet over IP EoIP Tunneling is a Lobo OSB protocol that creates an Ethernet tunnel between two routers on top of an IP connection The EoIP interface appears as an Ethernet interface When the bridging function of the router is enabled all Ethernet traffic all Ethernet protocols will be bridged just as if there where a physical Ethernet interface and cable between the two routers with bridging enabled This protocol makes multiple network schemes possible Network setups with EoIP interfaces e Possibility to bridge LANs over the Internet e Possibility to bridge LANs over encrypted tunnels e Possibility to bridge LANs over 802 11b ad hoc wireless networks Quick Setup Guide To make an EoIP tunnel between 2 routers which have IP addresses 10 5 8 1 and 10 1 0 1 1 On router with IP address 10 5 8 1 add an EolIP interface and set its MAC address interface eoip add remote address 10 1 0 1 tunnel id 1 mac address 00 00 5E 80 00 01 disabled no Other trademarks and registred trademarks mentioned herein are properties of their respective owners 2 On router with IP address 10 1 0 1 add an EolIP interface and set its MAC address interface eoip add remote address 10 5 8 1 tunnel id 1 mac address 00 00 5E 80 00 02 disabled no Now you can add IP addresses to the created EoIP interfaces from the same subnet Specifications Packages required system
369. l packet protocol e rspf radio shortest path first e rdp reliable datagram protocol e st st datagram mode e tcp transmission control protocol e udp user datagram protocol e vmtp versatile message transport e xns idp xerox ns idp e xtp xpress transfer protocol jump target name if action jump specified then specifies the user defined firewall chain to process the packet limit integer time integer restricts packet match rate to a given limit Usefull to reduce the amount of log messages e Count maximum average packet rate measured in packets per second pps unless followed by Time option e Time specifies the time interval over which the packet rate is measured e Burst number of packets to match in a burst log prefix text defines the prefix to be printed before the logging information mac protocol integer 802 2 arp ip ipv6 ipx rarp vlan Ethernet payload type MAC level protocol mark flow name marks existing flow packet type broadcast host multicast other host MAC frame type e broadcast broadcast MAC packet e host packet is destined to the bridge itself e multicast multicast MAC packet e other host packet is destined to some other unicast address not to the bridge itself src address JP address default 0 0 0 0 0 source IP address only if MAC protocol is set to IPv4 src mac address MAC address default 00 00 00 00 00 00 source MAC address
370. less the response includes appropriate Cache Control or Expires header fields PUT This method requests that the enclosed entity be stored under the supplied Request URI If another entity exists under specified Request URI the enclosed entity should be considered as updated newer version of that residing on the origin server If the Request URI is not pointing to an existing resource the origin server should create a resource with that URI If the request passes through a cache and the Request URI identifies one or more currently cached entities those entries should be treated as stale Responses to this method are not cacheable TRACE This method invokes a remote application layer loop back of the request message The final recipient of the request should reflect the message received back to the client as the entity body of a Other trademarks and registred trademarks mentioned herein are properties of their respective owners 200 OK response The final recipient is either the origin server or the first proxy or gateway to receive a Max Forwards value of 0 in the request A TRACE request must not include an entity Responses to this method MUST NOT be cached Other trademarks and registred trademarks mentioned herein are properties of their respective owners Certificate Management Document revision 2 3 Fri Mar 05 13 58 17 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary
371. leted When processing a chain rules are taken from the chain in the order they are listed there from top to bottom If a packet matches the criteria of the rule then the specified action is performed on it and no more rules are processed in that chain the exception is the passthrough action If a packet has not matched any rule within the chain then it is accepted Property Description action accept add dst to address list add src to address list drop jump log passthrough reject return tarpit default accept action to undertake if the packet matches the rule e accept accept the packet No action is taken i e the packet is passed through and no more rules are applied to it e add dst to address list adds destination address of an IP packet to the address list specified Other trademarks and registred trademarks mentioned herein are properties of their respective owners by address list parameter e add src to address list adds source address of an IP packet to the address list specified by address list parameter e drop silently drop the packet without sending the ICMP reject message e jump jump to the chain specified by the value of the jump target parameter e log each match with this action will add a message to the system log e passthrough ignores this rule and goes on to the next one e reject reject the packet and send an ICMP reject message e return passes control back to the chain from
372. limited default 2 number of IP addresses allowed to be bind with any particular MAC address it is a small chance to reduce denial of service attack based on taking over all free IP addresses unlimited number of IP addresses per one MAC address is not limited address pool name none default none IP address pool name for performing one to one NAT You can choose not to use the one to one NAT e none do not perform one to one NAT for the clients of this HotSpot interface HTTPS read only flag whether the HTTPS service is actually running on the interface i e it is Other trademarks and registred trademarks mentioned herein are properties of their respective owners set up in the server profile and a valid certificate is imported in the router idle timeout time none default 00 05 00 idle timeout maximal period of inactivity for unauthorized clients It is used to detect that client is not using outer networks e g Internet i e there is NO TRAFFIC coming from that client and going through the router Reaching the timeout user will be dropped of the host list and the address used buy the user will be freed e none do not timeout idle users ip of dns name read only IP address IP address of the HotSpot gateway s DNS name set in the HotSpot interface profile keepalive timeout time none default none keepalive timeout for unauthorized clients Used to detect that the computer of the client is
373. list name matches destination address of a packet against user defined address list dst address type unicast local broadcast multicast matches destination address type of the IP packet one of the e unicast IP addresses used for one point to another point transmission There is only one sender and one receiver in this case e local matches addresses assigned to router s interfaces e broadcast the IP packet is sent from one point to all other points in the IP subnetwork e multicast this type of IP addressing is responsible for transmission from one or more points to a set of other points dst limit integer time integer dst address dst port src address time limits the packet per second pps rate on a per destination IP or per destination port base As opposed to the limit match every destination IP address destination port has it s own limit The options are as follows in order of appearance e Count maximum average packet rate measured in packets per second pps unless followed by Time option e Time specifies the time interval over which the packet rate is measured e Burst number of packets to match in a burst e Mode the classifier s for packet rate limiting e Expire specifies interval after which recorded IP addresses ports will be deleted dst port integer 0 65535 integer 0 65535 destination port number or range hotspot multiple choice from client auth local dst
374. lize rate among subqueues classified by the peq classifier set the peq rate to 0 PCQ can be used to dynamically equalize or shape traffic for multiple users using little administration RED Random Early Detection is a queuing mechanism which tries to avoid network congestion by Other trademarks and registred trademarks mentioned herein are properties of their respective owners controlling the average queue size When the average queue size reaches red min threshold RED randomly chooses which arriving packet to drop The probability how many packets will be dropped increases when the average queue size becomes larger If the average queue size reaches red max threshold the packets are dropped However there may be cases when the real queue size not average is much greater than red max threshold then all packets which exceed red limitare dropped Mainly RED is used on congested links with high data rates Works great with TCP protocol but not so great with UDP Property Description bfifo limit integer default 15000 maximum number of bytes that the BFIFO queue can hold kind bfifo pcq pfifo red sfq which queuing discipline to use bfifo Bytes First In First Out e pcq Per Connection Queue pfifo Packets First In First Out e red Random Early Detection sfq Stohastic Fairness Queuing name name associative name of the queue type peq classifier dst address dst port src address src
375. ll not see this entry interface name default all name of the interface which will be monitored store on disk yes no default yes whether to store information about traffic on system drive or not If not the information will be stored in RAM and will be lost after a reboot Example To monitor traffic which is passed through interface etherl only from local network 192 168 0 0 24 and write information on disk admin Lobo924 tool graphing interface gt add interface etherl allow address 192 168 0 0 24 store on disk yes admin Lobo924 tool graphing interface gt print Flags X disabled INTERFACE ALLOW ADDRESS STORE ON DISK 0 etherl 192 168 0 0 24 yes admin Lobo924 tool graphing interface gt Graph for interface ether1 Simple Queue Graphing Home menu level tool graphing queue Description In this submenu you can specify a queue from the queue simple list to make a graphic for it Property Description allow address IP address netmask default 0 0 0 0 0 IP address range which is allowed to view information about the queue If a client PC not belonging to this IP address range tries to open http Router_IP_address graphs it will not see this entry allow target yes no default yes whether to allow access to web graphing from IP range that is Other trademarks and registred trademarks mentioned herein are properties of their respective owners specified in queu
376. ly these packets e tkip use the TKIP Temporal Key Integrity Protocol and accept only these packets static algo 3 none 40bit wep 104bit wep aes ccm tkip default none which encryption algorithm to use e none do not use encryption and do not accept encrypted packets e 40bit wep use the 40bit encryption also known as 64bit wep and accept only these packets e 104bit wep use the 104bit encryption also known as 128bit wep and accept only these packets e aes ccm use the AES CCM Advanced Encryption Standard in Counter with CBC MAC encryption algorithm and accept only these packets e tkip use the TKIP Temporal Key Integrity Protocol and accept only these packets static key 0 text hexadecimal key which will be used to encrypt packets with the 40bit wep or 104bit wep algorithm algo 0 If AES CCM is used the key must consist of even number of characters and must be at least 32 characters long For TKIP the key must be at least 64 characters long and also must consist of even number characters static key 1 text hexadecimal key which will be used to encrypt packets with the 40bit wep or Other trademarks and registred trademarks mentioned herein are properties of their respective owners 104bit wep algorithm algo 0 If AES CCM is used the key must consist of even number of characters and must be at least 32 characters long For TKIP the key must be at least 64 characters long and also must consist of ev
377. m to exchange routing information It always uses the best path the path with the fewest number of hops i e routers available Specifications Other trademarks and registred trademarks mentioned herein are properties of their respective owners Packages required routing License required level3 Home menu level routing rip Standards and Technologies RIPv1 RIPv2 Hardware usage Not significant Related Documents e Package Management IP Addresses and ARP Routes Equal Cost Multipath Routing Policy Routing Description Routing Information Protocol RIP is one protocol in a series of routing protocols based on Bellman Ford or distance vector algorithm This Interior Gateway Protocol IGP lets routers exchange routing information across a single autonomous system in the way of periodic RIP updates Routers transmit their own RIP updates to neighboring networks and listen to the RIP updates from the routers on those neighboring networks to ensure their routing table reflects the current state of the network and all the best paths are available Best path considered to be a path with the fewest hop count id est that include fewer routers The routes learned by RIP protocol are installed in the route list ip route print with the distance of 120 Additional Documents e RIPy1 Protocol e RIPy2 Protocol e Cisco Systems RIP protocol overview General Setup Property Description redistribute static yes no
378. mac address 00 0C 42 03 02 C7 interface bridgel src address 10 1 0 172 3987 winbox tls dst address 10 5 8 104 1125 protocol ip ip protocol tcp size 253 ip packet size 253 ip header size 20 tos 0 identification 41744 fragment offset 0 ttl 64 2 time 0 071 src mac address 00 0C 42 03 02 C7 dst mac address 00 30 4F 08 3A E7 interface bridgel src address 10 5 8 104 1125 dst address 10 1 0 172 3987 winbox tls protocol ip ip protocol tcp size 40 ip packet size 40 ip header size 20 tos 0 identification 5089 fragment offset 0 tt1 126 3 time 0 071 src mac address 00 30 4F 08 3A E7 dst mac address 00 0C 42 03 02 C7 interface bridgel src address 10 1 0 172 3987 winbox tls dst address 10 5 8 104 1125 protocol ip ip protocol tcp size 213 ip packet size 213 ip header size 20 tos 0 identification 41745 fragment offset 0 ttl 64 Q quit D dump down Other trademarks and registred trademarks mentioned herein are properties of their respective owners Ping Document revision 1 Mon Jul 19 09 36 24 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Summary Specifications Related Documents Description The Ping Command Property Description Notes Example of ping command Resolve IP address Ping using arp requests MAC Ping Server Property Description Example General Information Summary
379. manual sa ah sal e for Router2 admin Router2 gt ip ipsec manual sa add name ah sal ah spi 0x100 0x101 ah key abcfed admin Router2 gt ip ipsec policy add src address 10 2 0 0 24 dst address 10 1 0 0 24 action encrypt ipsec protocols ah tunnel yes sa src 1 0 0 2 sa dst 1 0 0 1 manual sa ah sal IPsec Between two Masquerading Lobo Routers 1 0 0 0 24 10 2 0 0 24 10 1 0 0 24 1 Add accept and masquerading rules in SRC NAT e for Router1 admin Routerl gt ip firewall nat add src address 10 1 0 0 24 dst address 10 2 0 0 24 Neee admin Routerl gt ip firewall nat add out interface public action masquerade for Router2 Other trademarks and registred trademarks mentioned herein are properties of their respective owners admin Router2 gt ip firewall nat add src address 10 2 0 0 24 dst address 10 1 0 0 24 admin Router2 gt ip firewall nat add out interface public action masquerade 2 configure IPsec e for Router1 admin Routerl gt ip ipsec policy add src address 10 1 0 0 24 dst address 10 2 0 0 24 action encrypt tunnel yes Sa src address 1 0 0 1 sa dst address 1 0 0 2 admin Routerl gt ip ipsec peer add address 1 0 0 2 exchange mode aggressive secret gvejimezyfopmekun for Router2 admin Router2 gt ip ipsec policy add src address 10 2 0 0 24 dst address 10 1 0 0 24 action encrypt tunnel yes
380. me resources but requires authorization to access other resources This is useful for example to give access to some general information about HotSpot service provider or billing options This menu only manages Walled Garden for HTTP and HTTPS protocols Other protocols can also be included in Walled Garden but that is configured elsewhere in ip hotspot walled garden ip see the next section of this manual for details Property Description action allow deny default allow action to undertake if a packet matches the rule e allow allow the access to the page without prior authorization e deny the authorization is required to access this page dst address JP address IP address of the destination web server dst host wildcard default domain name of the destination web server this is a wildcard dst port integer default the TCP port a client has send the request to method text HTTP method of the request path text default the path of the request this is a wildcard server name name of the HotSpot server this rule applied to Other trademarks and registred trademarks mentioned herein are properties of their respective owners src address JP address IP address of the user sending the request Notes Wildcard properties dst host and dst path match a complete string i e they will not match example com if they are set to example Available wildcards are match any number of any
381. me value error logged proxy is not running because of unknown error This error is logged as System Error Please send us this error and some description how it happened reserved for cache integer maximal cache size that is accessible to web proxy transparent proxy yes no default no specifies whether the proxy uses transparent mode or not Notes By default the proxy cache can use as much disk space as there is allocated for it When the system allocates the space for the proxy cache 1 7th of the total partition disk size is reserved for the system but not less than SOMB The rest is left for the proxy cache The system RAM size is considered as well when allocating the cache size The cache size is limited so that there are at least 15MB of RAM per 1GB of cache plus 55MB of RAM is reserved for the system max cache size is also taken in account so the cache will not occupy more than it is specified in this property The effective limit is calculated as a minimum of all three limits Note also that OSB supports up to 950MB of memory Considering the previous note you should be aware that you will not be able to enable web proxy if you have less than 60MB of RAM on your router Expire time of cache entries can be different for each HTML page specified in headers But if there is no such header the entry will be considered fresh for not more than 72 hours The web proxy listens to all IP addresses that the router has
382. ment If status page is unable to display an advertisement for configured timeout starting from moment when it is scheduled to be shown client access is blocked within walled garden as unauthorized clients are Client is unblocked when the scheduled page is finally shown Note that if popup windows are blocked in the browser the link on the status page may be used to open the advertisement manually Other trademarks and registred trademarks mentioned herein are properties of their respective owners While client is blocked FTP and other services will not be allowed Thus requiring client to open an advertisement for any Internet activity not especially allowed by the Walled Garden Accounting The HotSpot system implement accounting internally you are not required to do anything special for it to work The accounting information for each user may be sent toa RADIUS server Configuration menus ip hotspot HotSpot servers on particular interfaces one server per interface HotSpot server must be added in this menu in order for HotSpot system to work on an interface e ip hotspot profile HotSpot server profiles Settings which affect login procedure for HotSpot clients are configured here More than one HotSpot servers may use the same profile e ip hotspot host dynamic list of active network hosts on all HotSpot interfaces Here you can also find IP address bindings of the one to one NAT ip hotspot ip binding rules for
383. mic DNS update tool TCP IP protocol suite e Wireless IEEE802 11a b g wireless client and Access Point Nsetreme and Nstreme2 proprietary protocols Wireless Distribution System WDS support virtual AP 40 and 104 bit WEP WPA pre shared key authentication access control list authentication on RADIUS server roaming for wireless client Access Point bridging e Bridge spanning tree protocol multiple bridge interfaces bridge firewalling MAC NATting e VLAN JEEE802 1q Virtual LAN support on Ethernet and wireless links multiple VLANs VLAN bridging Layer 2 connectivity Other trademarks and registred trademarks mentioned herein are properties of their respective owners Configuration possibilities OSB provides powerful command line configuration interface You can also manage the router through WinBox the easy to use remote configuration GUI for Windows which provides all the benefits of the command line interface without the actual command line which may scare novice users Web based configuration is provided for some most popular functionality Major features e Clean and consistent user interface e Runtime configuration and monitoring e Multiple connections e User policies e Action history undo redo actions e safe mode operation e Scripts can be scheduled for executing at certain times periodically or on events All command line commands are supported in scripts Local teminal console AT PS 2
384. minal unknown detected using single line input mode admin Lobo924 gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners Terminal Console Document revision 1 0 Mon Nov 8 13 15 54 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Common Console Functions Description Example Lists and Item Names Description Notes Example Quick Typing Description Notes Additional Information Description General Commands Description Command Description Safe Mode Description General Information Summary The Terminal Console is used for accessing the Lobo Router s configuration and management features using text terminals id est remote terminal clients or locally attached monitor and keyboard The Terminal Console is also used for writing scripts This manual describes the general console operation principles Please consult the Scripting Manual on some advanced console commands and on how to write scripts Specifications Packages required system License required levell Hardware usage Not significant Related Documents Scripting Host and Complementary Tools Other trademarks and registred trademarks mentioned herein are properties of their respective owners Common Console Functions Description The console allows configuration of the router s settings using text commands Althou
385. mmediately then no changes will be lost even in case of hard reboots and power losts But on CF there may be too many writes in case of short lease times as in case of hotspot If this time will be very long never then there will be no writes on disk but information about active leases may be lost in case of power loss In these cases dhcp server may give out the same ip address to another client if first one will not respond to ping requests Property Description store leases disk time interval immediately never default 5min how frequently lease changes should be stored on disk DHCP Networks Home menu level ip dhcp server network Property Description address IP address netmask the network DHCP server s will lend addresses from boot file name text Boot file name Other trademarks and registred trademarks mentioned herein are properties of their respective owners dhcp option text add additional DHCP options from ip dhcp server option list You cannot redefine parameters which are already defined in this submenu e Subnet Mask code 1 netmask e Router code 3 gateway e Domain Server code 6 dns server Domain Name code 15 domain e NETBIOS Name Server wins server dns server text the DHCP client will use these as the default DNS servers Two comma separated DNS servers can be specified to be used by DHCP client as primary and secondary DNS servers domain text the DHCP cli
386. mp Internet Group Management Protocol e ggp Gateway Gateway Protocol e ipencap IP Encapsulated in IP e st st datagram mode e tcp Transmission Control Protocol e egp Exterior Gateway Protocol e pup Parc Universal packet Protocol e udp User Datagram Protocol e hmp Host Monitoring Protocol e xns idp Xerox ns idp e rdp Reliable Datagram Protocol e iso tp4 ISO Transport Protocol class 4 e xtp Xpress Transfer Protocol e ddp Datagram Delivery Protocol e idpr cmtp idpr Control Message Transport e gre General Routing Encapsulation e esp IPsec ESP protocol e ah IPsec AH protocol e rspf Radio Shortest Path First e vmtp Versatile Message Transport Protocol e ospf Open Shortest Path First e ipip IP encapsulation e encap IP encapsulation packets integer the number of packets port name the port of TCP UDP protocol share integer specific type of traffic compared to all traffic in bytes Example admin Lobo924 tool sniffer protocol gt print PROTOCOL IP PR PORT PACKETS BYTES SHARE 0 ip 77 4592 100 1 ip tcp 74 4328 94 25 2 ip gre 3 264 5 74 3 ip tcp 22 ssh 49 3220 70 12 4 ip tcp 23 telnet 25 1108 24 12 admin Lobo924 tool sniffer protocol gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners Packet Sniffer Host Home menu level tool sniffer host Description The submenu shows the list of hosts that were
387. n Summary The Lobo Packet Packer Protocol M3P optimizes the data rate usage of links using protocols that have a high overhead per packet transmitted The basic purpose of this protocol is to better enable wireless networks to transport VoIP traffic and other traffic that uses small packet sizes of around 100 bytes M3P features e enabled by a per interface setting e other routers with Lobo Discovery Protocol enabled will broadcast M3P settings e significantly increases bandwidth availability over some wireless links by approximately four times e offer configuration settings to customize this feature Specifications Packages required system License required level Home menu level ip packing Standards and Technologies M3P Hardware usage Not significant Related Documents e Package Management e MNDP Other trademarks and registred trademarks mentioned herein are properties of their respective owners Description The wireless protocol IEEE 802 11 and to a lesser extent Ethernet protocol have a high overhead per packet as for each packet it is necessary to access the media check for errors resend in case of errors occured and send network maintenance messages network maintenance is applicable only for wireless The Lobo Packet Packer Protocol improves network performance by aggregating many small packets into a big packet thereby minimizing the network per packet overhead cost The M3P is very effective when
388. n one minute e s one second e ms one millisecond id est 0 001 second Possible aliases for time units The console also accepts time values with decimal point admin Lobo924 gt put O ldayl 2s 02 24 01 200 admin Lobo924 gt Command Reference Description OSB has a number of built in console commands and expressions ICE that do not depend on the current menu level These commands do not change configuration directly but they are useful for automating various maintenance tasks The full ICE list can be accessed by typing after the prefix therefore it can be safely assumed that all ICE have prefix for example admin Lobo924 gt beep environment for LE List pick set tobool tonum typeof delay execute foreach led local put time toid tostr unset do find global len log resolve toarray toip totime while admin Lobo924 gt Command Description beep forces the built in PC beeper to produce a signal for length seconds at frequency Hz integer default 1000 signal frequency measured in Hz time default 100ms signal length admin Lobo924 gt beep length 2s frequency 10000 admin Lobo924 gt delay does nothing for a given amount of time time amount of time to wait e omitted delay forever do executes commands repeatedly until given conditions are met If no parameters are given do just executes its payload once which does not make much use If a logical condition is s
389. n HTB If packets are sent from the router they are applied in global out and interface queue Additional Documents http linux ip net articles Traffic Control HOWTO overview html http Nuxik cdi cz devik qos htb http www docum org docum org docs Queue Types Home menu level queue type Description In this submenu you can create your custom queue types Afterwards you will be able to use them in queue tree queue simple or queue interface Other trademarks and registred trademarks mentioned herein are properties of their respective owners PFIFO and BFIFO These queuing disciplines are based on the FIFO algorithm First In First Out The difference between PFIFO and BFIFO is that one is measured in packets and the other one in bytes There is only one parameter called pfifo limit bfifo limit which defines how much data a FIFO queue can hold Every packet that cannot be enqueued if the queue is full is dropped Large queue sizes can increase latency Use FIFO queuing disciplines if you haven t a congested link SFQ Stochastic Fairness Queuing SFQ cannot limit traffic at all Its main idea is to equalize traffic flows TCP sessions or UDP streams when your link is completely full The fairness of SFQ is ensured by hashing and round robin algorithms Hashing algorithm divides the session traffic over a limited number of subqueues After sfq perturb seconds the hashing algorithm changes and divides the se
390. n Lobo924 interface gt put 10 0 0 15 0 0 10 0 cannot add ip address to ip address admin Lobo924 interface gt put 10 0 0 15 10 10 05 0225 admin Lobo924 interface gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners subtraction admin Lobo924 interface gt 5 admin Lobo924 interface gt 1D admin Lobo924 interface gt TO 003 admin Lobo924 interface gt 143 59 58 admin Lobo924 interface gt multiplication admin Lobo924 interface gt 00 00 48 admin Lobo924 interface gt 10 admin Lobo924 interface gt division admin Lobo924 interface gt 00 00 03 333 admin Lobo924 interface gt 2 admin Lobo924 interface gt admin Lobo924 gt put 0 0 00 00 02 admin Lobo924 gt comparison admin Lobo924 interface gt false admin Lobo924 interface gt true admin Lobo924 interface gt true admin Lobo924 interface gt false admin Lobo924 interface gt false admin Lobo924 interface gt false admin Lobo924 interface gt logical AND logical OR admin Lobo924 interface gt true admin Lobo924 interface gt false admin Lobo924 interface gt sput 15 10 sput 10 0 0 5 10 0043 sput 10 0 0 175 12 sput 15h 2s sput 12s 4 put 25 G2 puto 10s 3 sput 5 2 10 3 put 10 0 2 3 lt 2 0 3 10 put 100000s gt 27h put 60s 1d 1m 3600s
391. n are properties of their respective owners License required levell limited to 1 interface level3 limited to 200 interfaces level4 limited to 200 interfaces level5 limited to 500 interfaces level6 unlimited Home menu level Ainterface pppoe server interface pppoe client Standards and Technologies PPPoE RFC 2516 Hardware usage PPPoE server may require additional RAM uses approx 9KiB plus extra 10KiB if data rate limitation is used for each connection and CPU power Supports maximum of 65535 connections Related Documents Package Management IP Addresses and ARP Log Management Additional Documents Links for PPPoE documentation e http www fags org rfcs rfc2516 html PPPoE Clients e RASPPPoE for Windows 95 98 98SE ME NT4 2000 XP NET http www raspppoe com PPPoE Client Setup Home menu level jinterface pppoe client Description The PPPoE client supports high speed connections It is fully compatible with the Lobo PPPoE server access concentrator Note for Windows Some connection instructions may use the form where the phone number us Lobo_AC mt1 to indicate that Lobo_AC is the access concentrator name and mt1 is the service name Property Description name name default pppoe out1 name of the PPPoE interface interface name interface the PPPoE server can be connected through mtu integer default 1480 Maximum Transmission Unit The optimal value is th
392. n method to use for RIP messages e none no authentication performed e simple plain text authentication e md5 Keyed Message Digest 5 authentication authentication key text default specifies authentication key for RIP messages prefix list in name default name of the filtering prefix list for received routes prefix list out name default name of the filtering prefix list for advertised routes Notes It is recommended not to use RIP version wherever it is possible due to security issues Example To add an entry that specifies that when advertising routes through the ether1 interface prefix list plout should be applied admin Lobo924 routing rip gt interface add interface etherl prefix list out plout admin Lobo924 routing rip gt interface print Flags I inactive 0 interface etherl receive v2 send v2 authentication none authentication key prefix list in plout prefix list out non admin Lobo924 routing rip gt Networks Home menu level routing rip network Description To start the RIP protocol you have to define the networks on which RIP will run Property Description address IP address mask default 0 0 0 0 0 specifies the network on which RIP will run Only directly connected networks of the router may be specified netmask IP address default 0 0 0 0 specifies the network part of the address if it is not specified in the address argument
393. n power control virtual aps read only yes no whether this interface supports Virtual Access Points interface wireless add Notes There is a special argument for the print command print count only It forces the print command to print only the count of information topics interface wireless info print command shows only channels supported by a particular card Example admin Lobo924 interface wireless info gt print 0O interface type Atheros AR5413 chip info mac 0xa 0x5 phy 0x61 a5 0x63 a2 0x0 eeprom 0x5002 tx power control yes ack timeout control yes alignment mode yes virtual aps yes noise floor control yes scan support yes burst support yes nstreme support yes default periodic calibration enabled supported bands 2ghz b 5ghz 5ghz turbo 2ghz g 2ghz g turbo 2ghz b channels 2312 0 2317 0 2322 0 2327 0 2332 0 2337 0 2342 0 2347 2352 0 2357 0 2362 0 2367 0 2372 0 2377 0 2382 0 2387 2392 0 2397 0 2402 0 2407 0 2412 0 2417 0 2422 0 2427 2432 0 2437 0 2442 0 2447 0 2452 0 2457 0 2462 0 2467 0 0 0 2472 0 2477 0 2482 0 2487 0 2492 0 2497 0 2314 0 2319 2324 0 2329 0 2334 0 2339 0 2344 0 2349 0 2354 0 2359 2364 0 2369 rere ere ad 2394 0 2399 2404 0 2409 0 2414 0 2419 0 2424 0 2429 2444 0 2449 0 2454 0 2459 0 2464 0 2469 2484 0 2489 0 2494 0 2499 0 5ghz channels 4920 0 4925 0 4930 0 4935 0 4940 0 4945 0 4950 0 4955 4960 0 4965 0 4970 0 4975 0 4980 0 4985 0 4990 0 4995 500
394. n values from commands Return values are not displayed on the screen To get the return value from a command it should be enclosed in square brackets Upon execution the return value of the the command will become the value of these brackets This is called command substitution Other trademarks and registred trademarks mentioned herein are properties of their respective owners The commands that produce return values are but not limited to find which returns a reference to a particular item ping which returns the number of sucessful pings time which returns the measured time value iner and decr which return the new value of a variable and add which returns the internal number of newly created item Example Consider the usage of find command admin Lobo924 gt interface admin Lobo924 interface gt find type ether admin Lobo924 interface gt admin Lobo924 interface gt put find type ether EISZ admin Lobo924 interface gt This way you can see internal console numbers of items Naturally you can use them as arguments in other commands admin Lobo924 interface gt enable find type ether admin Lobo924 interface gt Operators Description OSB console can do simple calculations with numbers time values IP addresses strings and lists To get result from an expression with operators enclose it in parentheses and The expression result serves as a return value for the parentheses
395. nabled and the actual data rate reaches burst limit bps otherwise the actual data rate falls to max limit or limit at Let us consider that we have a setup where max limit 256000 burst time 8 burst threshold 192000 and burst limit 5 12000 When a user is starting to download a file via HTTP we can observe such a situation At the beginning the average data rate over the last 8 seconds is Obps because before applying the queue rule no traffic was passed using this rule Since this average data rate is less than burst threshold 192kbps burst is allowed After the first second the average data rate is 0 0 0 0 0 0 0 512 8 64kbps which is under burst threshold After the second second average data rate is 0 0 0 0 0 0 5124512 8 128kbps After the third second comes the breakpoint when the average data rate becomes larger than burst threshold At this moment burst is disabled and the current data rate falls down to max limit 256kbps HTB s in OSB There are 4 HTB trees maintained by OSB e global in e globa total e global out e interface queue When adding a simple queue it creates 3 HTB classes in global in global total and global out but it does not add any classes in interface queue Queue tree is more flexible you can add it to any of these HTB s When packet travels through the router it passes 3 HTB trees global total global out and interface queue If it is directed to the router it passes only global i
396. nated router s router id for this neighbor db summaries read only integer number of records in link state database advertised by the neighbour dr id read only IP address designated router s router id for this neighbor Is requests read only integer number of link state requests Is retransmits read only integer number of link state retransmits priority read only integer the priority of the neigbour which is used in designated router elections via Hello protocol on this network router id read only IP address the router id parameter of the neighbour state read only Down Attempt Init 2 Way ExStart Exchange Loading Full the state of the connection e Down the connection is down e Attempt the router is sending Hello protocol packets e Init Hello packets are exchanged between routers to create a Neighbour Relationship e 2 Way the routers add each other to their Neighbour database and they become neighbours e ExStart the DR Designated Router and BDR Backup Designated Router create an adjancency with each other and they begin creating their link state databases using Database Description Packets e Exchange is the process of discovering routes by exchanging Database Description Packets e Loading receiving information from the neighbour e Full the link state databases are completely synchronized The routers are routing traffic and continue sending each other hello packets to maint
397. nc algorithm multiple choice read only none des 3des aes encryption algorithm used in SA enc key read only text encryption key presented in form of hex string not applicable to AH SAs lifebytes read only integer soft hard expiration threshold for amount of processed data replay read only integer size of replay window presented in bytes This window protects the receiver against replay attacks by rejecting old or duplicate packets spi read only integer SPI value of SA represented in hexadecimal form src address read only IP address source address of SA taken from respective policy state multiple choice read only larval mature dying dead SA living phase use lifetime read only time soft hard expiration time counted from the first use of SA Example Sample printout looks as follows admin WiFi ip ipsec gt installed sa print Flags A AH E ESP P pfs M manual 0E spi E727605 direction in src address 10 0 0 148 dst address 10 0 0 147 auth algorithm shal enc algorithm 3des replay 4 state matur auth key ecc5f4aee1b297739ec88e324d7cfb8594aabc35 enc key d6943b8ea582582e44 9bde085c9471ab0b209783c9eb4bbd add lifetime 24m 30m use lifetime 0s 0s lifebytes 0 0 current addtime jan 28 2003 20 55 12 current usetime jan 28 2003 20 55 23 current bytes 128 1 E Spi E15CEE06 direction out src address 10 0 0 147 dst address 10 0 0 148 auth algorithm shal enc algorithm 3des repla
398. ncludes an If Modified Since If Unmodified Since If Match If None Match or If Range header field The conditional GET method is used to reduce the network traffic specifying that the transfer of the entity should occur only under circumstances described by conditional header field s The GET method can become a partial GET if the request message includes a Range header field The partial GET method intends to reduce unnecessary network usage by requesting only parts of entities without transferring data already held by client The response to a GET request is cacheable if and only if it meets the requirements for HTTP caching HEAD This method shares all features of GET method except that the server must not return a message body in the response This retrieves the metainformation of the entity implied by the request which leads to a wide usage of it for testing hypertext links for validity accessibility and recent modification The response to a HEAD request may be cacheable in the way that the information contained in the response may be used to update previously cached entity identified by that Request URI POST This method requests that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request URI The actual action performed by the POST method is determined by the origin server and usually is Request URI dependent Responses to POST method are not cacheable un
399. nd registred trademarks mentioned herein are properties of their respective owners name read only name user name supplied at authentication stage packets read only integer integer amount of packets transfered through tis connection First figure represents amount of transmitted traffic from the router s point of view while the second one shows amount of received traffic service read only async isdn 12tp pppoe pptp the type of service the user is using session id read only text shows unique client identifier uptime read only time user s uptime Example admin rb13 gt ppp active print Flags R radius NAME SERVICE CALLER ID ADDRESS UPTIME ENCODING 0 ex pptp 10 0 11 12 10 0 0 254 1m16s PPE128 admin rb13 gt ppp active print detail Flags R radius 0 name ex service pptp caller id 10 0 11 12 address 10 0 0 254 uptime 1m22s encoding MPPE128 stateless session id 0x8180002B limit bytes in 200000000 limit bytes out 0 admin rb13 gt ppp active print stats Flags R radius NAMI BYTES PACKETS 0 ex 10510 159690614 187 210257 admin rb13 gt PPP User Remote AAA Home menu level ppp aaa fl Property Description accounting yes no default yes enable RADIUS accounting interim update time default Os Interim Update time interval use radius yes no default no enable user authentication via RADIUS
400. nd registred trademarks mentioned herein are properties of their respective owners passphrase text the passphrase of the certificate you are importing password for the user text password for the automatically created user select certificate name none import other certificate choose SSL certificate from the list of the imported certificates e none do not use SSL e import other certificate setup the certificates not imported yet and ask this question again Notes Depending on current settings and answers to the previous questions default values of following questions may be different Some questions may disappear if they become redundant Example To configure HotSpot on etherl interface which is already configured with address of 192 0 2 1 25 and adding user admin with password rubbish admin Lobo924 gt ip hotspot setup hotspot interface etherl local address of network 192 0 2 1 24 masquerade network yes address pool of network 192 0 2 2 192 0 2 126 select certificate none ip address of smtp server 0 0 0 0 dns servers 192 0 2 254 dns name hs example net name of local hotspot user admin password for the user rubbish admin Lobo924 gt HotSpot Interface Setup Home menu level Ap hotspot Description HotSpot system is put on individual interfaces You can run completely different HotSpot configurations on different interfaces Property Description addresses per mac integer un
401. nd server General applications of L2TP tunnels include e secure router to router tunnels over the Internet linking bridging local Intranets or LANs in cooperation with EoIP e extending PPP user connections to a remote location for example to separate authentication and Internet access points for ISP Other trademarks and registred trademarks mentioned herein are properties of their respective owners e accessing an Intranet LAN of a company for remote mobile clients employees Each L2TP connection is composed of a server and a client The Lobo OSB may function as a server or client or for various configurations it may be the server for some connections and client for other connections Quick Setup Guide To make a L2TP tunnel between 2 Lobo routers with IP addresses 10 5 8 104 L2TP server and 10 1 0 172 L2TP client follow the next steps e Configuration on L2TP server router 1 Adda L2TP user admin L2TP Server ppp secret gt add name james password pass local address 10 0 0 1 remote address 10 0 0 2 2 Enable the L2TP server admin L2TP Server interface 12tp server server gt set enabled yes e Configuration on L2TP client router 1 Adda L2TP client admin L2TP Client interface 12tp client gt add user james password pass connect to 10 5 8 104 Specifications Packages required ppp License required levell limited to 1 tunnel level3 limited to 200 tunnels levelS Home menu
402. nd the differences between parameters of the first and the second packet Other trademarks and registred trademarks mentioned herein are properties of their respective owners Property Description do name assigned name of the script to start first ping size integer 32 64000 default 32 first ICMP packet size second ping size integer 32 64000 default 1500 second ICMP packet size time between pings integer the time between the first and the second ICMP echo requests in seconds A new ICMP packet pair will never be sent before the previous pair is completely sent and the algorithm itself will never send more than two requests in one second once specifies that the ping will be performed only once interval time 20ms 5s time interval between two ping repetitions Example In the following example we will test the bandwidth to a host with IP address 159 148 60 2 The interval between repetitions will be 1 second admin Lobo924 tool gt ping speed 159 148 60 2 interval 1s current 2 23Mbps average 2 61Mbps admin Lobo924 tool gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners Packet Sniffer Document revision 1 5 Thu May 20 14 56 46 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Summary Specifications Related Documents Description Packet Sniffer Configuration Property Description
403. ner self slots present on each inner class inner feed slot similar to self slot Each inner feed consists of inner slots which represent a priority Each class has a parent and may have one or more children Classes that do not have children are put at level 0 where queues are maintained and are called leaf classes Each class in the hierarchy can prioritize and shape traffic There are 2 main parameters in OSB which refer to shaping and one to prioritizing e limit at data rate that is guaranteed to a class CIR e max limit maximal data rate that is allowed for a class to reach MIR e priority order in which classes are served at the same level 8 is the lowest priority 1 is the highest Each HTB class can be in one of 3 states depending on data rate that it consumes e green a class the actual rate of which is equal or less than limit at At this state the class is attached to self slot at the corresponding priority at its level and is allowed to satisfy its limit at limitation regardless of what limitations its parents have For example if we have a leaf class with limit at 5 12000 and its parent has max limit limit at 128000 the class will get its 512kbps e yellow a class the actual rate of which is greater than limit at and equal or less than max limit At this state the class is attached to the inner slot of the corresponding priority of its parent s inner feed which in turn may be attached to either i
404. net protocol TCP port 23 type the following command ip firewall filter add chain input protocol tcp dst port 23 action drop e To only allow not more than 5 simultaneous connections from each of the clients do the following ip firewall filter add chain forward protocol tcp tcp flags syn connection limit 6 32 action drop Specifications Packages required system License required levell P2P filters limited to 1 level3 Other trademarks and registred trademarks mentioned herein are properties of their respective owners Home menu level ip firewall filter Standards and Technologies IP RF C2113 Hardware usage Increases with filtering rules count Related Documents e Software Package Management IP Addresses and ARP gt NAT Mangle Packet Flow Firewall Filter Home menu level ip firewall filter Description Network firewalls keep outside threats away from sensitive data available inside the network Whenever different networks are joined together there is always a threat that someone from outside of your network will break into your LAN Such break ins may result in private data being stolen and distributed valuable data being altered or destroyed or entire hard drives being erased Firewalls are used as a means of preventing or minimizing the security risks inherent in connecting to other networks Properly configured firewall plays a key role in efficient and secure network infrastrure deployment
405. new OSPF area named local_10 with area id 0 0 0 1 admin OSPF_MAIN routing ospf area gt print Flags X disabled I invalid NAME AREA ID STUB DEFAULT COST AUTHENTICATION 0 backbone 0 0 0 0 none i local_10 0 0 0 1 no 1 none Add connected networks with area local_10 in ospf network admin OSPF_MAIN routing ospf network gt print Flags X disabled I invalid NETWORK AREA 0 10 1 0 0 24 local_10 i 10 2 0 0 24 local_10 For main router the configuration is done Next you should configure OSPF_peer_1 router Enable followong interfaces on OSPF_peer_1 admin OSPF_peer_1 interface gt print Flags X disabled D dynamic R running NAME TYPE RX RATE TX RATE MTU 0 R backup ether 0 0 1500 1 R to_main ether 0 0 1500 Assign IP addresses to these interfaces admin OSPF_peer_1 ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 1 0 1 24 10 1 0 0 10 1 0 255 to_main 1 10 3 0 1 24 1 0 3 05 0 10 3 0 255 backup Other trademarks and registred trademarks mentioned herein are properties of their respective owners Set redistribute connected as as type 1 Metric connected metric static metric rip metric bgp should be zero admin OSPF_peer_1 routing ospf gt print router id 0 0 0 0 distribute default never redistribute connected as type 1 redistribute static no redistribute rip
406. nks Virtual link can be configured between two routers through common area called transit area one of them should have to be connected with backbone Virtual links belong to the backbone The protocol treats two routers joined by a virtual link as if they were connected by an unnumbered point to point network Property Description neighbor id JP address default 0 0 0 0 specifies router id of the neighbour transit area name default unknown a non backbone area the two routers have in common Notes Virtual links can not be estabilished through stub areas Example To add a virtual link with the 10 0 0 201 router through the ex area do the following admin Lobo924 routing ospf virtual link gt add neighbor id 10 0 0 201 transit area ex admin Lobo924 routing ospf virtual link gt print Flags X disabled I invalid NEIGHBOR ID TRANSIT AREA 0 10 0 0 201 ex admin Lobo924 routing ospf virtual link gt Virtual link should be configured on both routers Neighbours Home menu level routing ospf neigbor Description The submenu provides an access to the list of OSPF neighbors id est the routers adjacent to the current router and supplies brief statistics Other trademarks and registred trademarks mentioned herein are properties of their respective owners Property Description address read only IP address appropriate IP address of the neighbour backup dr id read only IP address backup desig
407. nly one sender and one receiver in this case e local match addresses assigned to router s interfaces e broadcast the IP packet is sent from one point to all other points in the IP subnetwork e multicast this type of IP addressing is responsible for transmission from one or more points to a set of other points dst limit integer time integer dst address dst port src address time limit the packet per second pps rate on a per destination IP or per destination port base As opposed to the limit match every destination IP address destination port has it s own limit The options are as follows in order of appearance e Count maximum average packet rate measured in packets per second pps unless followed by Time option e Time specifies the time interval over which the packet rate is measured e Burst number of packets to match in a burst e Mode the classifier s for packet rate limiting e Expire specifies interval after which recorded IP addresses ports will be deleted dst port integer 0 65535 integer 0 65535 destination port number or range hotspot multiple choice from client auth local dst http match packets received from clients against various Hot Spot All values can be negated e from client true if a packet comes from HotSpot client Other trademarks and registred trademarks mentioned herein are properties of their respective owners e auth true if a packet comes fr
408. no On client station e mode station e band 5ghz Other trademarks and registred trademarks mentioned herein are properties of their respective owners ssid test disabled no Configure the Access Point and add an IP address 10 1 0 1 to it admin AccessPoint interface wireless gt set 0 mode ap bridge frequency 5805 band 5ghz disabled no ssid test name AP admin AccessPoint interface wireless gt print Flags X disabled R running 0 name AP mtu 1500 mac address 00 0C 42 05 00 22 arp enabled disable running check no interface type Atheros AR5413 radio name 000C42050022 mode ap bridge ssid test area frequency mode superchannel country no_country_set antenna gain 0 frequency 5805 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both admin AccessPoint
409. none do not use DFS e no radar detect AP scans channel list from scan list and chooses the frequency which is with the lowest amount of other networks detected e radar detect AP scans channel list from scan list and chooses the frequency which is with the lowest amount of other networks detected if no radar is detected in this channel for 60 seconds the AP starts to operate at this channel if radar is detected the AP continues searching for the next available channel which is with the lowest amount of other networks detected disable running check yes no default no disable running check If value is set to no the router determines whether the card is up and running for AP one or more clients have to be registered to it for station it should be connected to an AP This setting affects the records in the routing table in a way that there will be no route for the card that is not running the same applies to dynamic routing protocols If set to yes the interface will always be shown as running disconnect timeout time default 3s only above this value the client device is considered as disconnected fast frames yes no default no whether to pack smaller packets into a larger one which makes larger data rates possible frequency integer operating frequency of the card frequency mode regulatory domain manual tx power superchannel default superchannel defines which frequency channels to allow e
410. not change for the client It is true for any changes in the DHCP server configuration because of the nature of the DHCP protocol Client tries to renew assigned IP address only when half a lease time is past it tries to renew several times Only when full lease time is past and IP address was not renewed new lease is asked rebind operation the deault mac address value will never work You should specify a correct MAC address there Example To assign 10 5 2 100 static IP address for the existing DHCP client shown in the lease table as item 0 admin Lobo924 ip dhcp server lease gt print Flags X disabled H hotspot D dynamic ADDRESS MAC ADDRESS EXPIRES AFTER SERVER STATUS 0D 10 5 2 90 00 04 EA C6 0E 40 1h48m59s switch bound i D I0 52 91 00 04 EA 99 63 C0 1h42m51s switch bound admin Lobo924 ip dhcp server lease gt add copy from 0 address 10 5 2 100 admin Lobo924 ip dhcp server lease gt print Flags X disabled H hotspot D dynamic ADDRESS MAC ADDRESS EXPIRES AFTER SERVER STATUS 1D 10 5 2 91 00 04 EA 99 63 CO 1h42m18s switch bound 2 10 5 2 100 00 04 EA C6 0E 40 1h48m26s switch bound admin Lobo924 ip dhcp server lease gt DHCP Alert Home menu level Ap dhcp server alert Other trademarks and registred trademarks mentioned herein are properties of their respective owners Description To find any rogue DHCP
411. nse required level Home menu level tool Standards and Technologies none Hardware usage Not significant Related Documents e Software Package Management Description Realtime Traffic Monitor called also torch is used for monitoring traffic that is going through an interface You can monitor traffic classified by protocol name source address destination address port Torch shows the protocols you have chosen and mean transmitted and received data rate for each of them The Torch Command Command name tool torch Property Description Other trademarks and registred trademarks mentioned herein are properties of their respective owners interface name the name of the interface to monitor protocol any any ip ddp egp encap ggp gre hmp icmp idpr cmtp igmp ipencap ipip ipsec ah ipsec esp iso tp4 ospf pup rdp rspf st tcp udp vmtp xns idp xtp the name or number of the protocol e any any ethernet or IP protocol e any ip any IP protocol port name integer the name or number of the port src address ZP address mask source address and network mask to filter the traffic only with such an address any source address 0 0 0 0 0 dst address JP address mask destination address and network mask to filter the traffic only with such an address any destination address 0 0 0 0 0 average seconds integer 1 10 the average speed will be shown in the last average s
412. nt Hardware Watchdog Management Home menu level system watchdog Description This menu allows to configure system to reboot on kernel panic when an IP address does not respond or in case the system has locked up Software watchdog timer is used to provide the last option so in very rare cases caused by hardware malfunction it can lock up by itself There is a hardware watchdog device available which can reboot the system in any case Property Description reboot on failure yes no default no whether to reboot on kernel panic watch address JP address default none if set the system will reboot in case 6 sequental pings to the given IP address sent once per 10 seconds will fail e none disable this option watchdog timer yes no default no whether to reboot if system is unresponsive for a minute Other trademarks and registred trademarks mentioned herein are properties of their respective owners no ping delay time default 5m specifies how long after reboot not to test and ping watch address The default setting means that if watch address is set and is not reachable the router will reboot about every 6 minutes automatic supout yes no default yes when software failure happens a file named autosupout rif is generated automatically The previous autosupout rif file is renamed to autosupout old rif auto send supout yes no default no after the support output file is automatically gen
413. nt revision 2 2 Thu Jun 30 10 44 50 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Description Routes Description Property Description Notes Example Static Equal Cost Multi Path routing Standard Policy Based Routing with Failover General Information Summary The following manual surveys the IP routes management equal cost multi path ECMP routing technique and policy based routing Specifications Packages required system License required levell Home menu level Ap route Standards and Technologies IP RFC 791 Hardware usage Not significant Related Documents IP Addresses and ARP e Filter e NAT Description Lobo OSB has following types of routes Other trademarks and registred trademarks mentioned herein are properties of their respective owners e dynamic routes automatically created routes for networks which are directly accessed through an interface They appear automatically when adding a new IP address Dynamic routes are also added by routing protocols e static routes user defined routes that specify the router which can forward traffic to the specified destination network They are useful for specifying the default gateway ECMP Equal Cost Multi Path Routing This routing mechanism enables packet routing along multiple paths with equal cost and ensures load balancing With ECMP routing you can use more
414. nteger default 1 Virtual LAN identifier or tag that is used to distinguish VLANs Must be equal for all computers in one VLAN Notes MTU should be set to 1500 bytes as on Ethernet interfaces But this may not work with some Ethernet cards that do not support receiving transmitting of full size Ethernet packets with VLAN header added 1500 bytes data 4 bytes VLAN header 14 bytes Ethernet header In this situation MTU 1496 can be used but note that this will cause packet fragmentation if larger packets have to be sent over interface At the same time remember that MTU 1496 may cause problems if path MTU discovery is not working properly between source and destination Example To add and enable a VLAN interface named test with vlan id 1 on interface ether1 admin Lobo924 interface vlan gt add name test vlan id 1 interface etherl admin Lobo924 interface vlan gt print Flags X disabled R running NAME MTU ARP VLAN ID INTERFACE 0 X test 1500 enabled 1 ether1 admin Lobo924 interface vlan gt enable 0 admin Lobo924 interface vlan gt print Flags X disabled R running NAME MTU ARP VLAN ID INTERFACE 0 R test 1500 enabled 1 ether1 admin Lobo924 interface vlan gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners Application Example VLAN example on Lobo Routers Let us assume that we have two or more Lo
415. nteger default 1500 Maximum Transmission Unit The default value provides maximal compatibility arp disabled enabled proxy arp reply only default enabled Address Resolution Protocol tunnel id integer a unique tunnel identifier remote address the IP address of the other side of the EoIP tunnel must be a Lobo router mac address MAC address MAC address of the EoIP interface You can freely use MAC addresses that are in the range from 00 00 5E 80 00 00 to 00 00 5E FF FF FF Notes tunnel id is method of identifying tunnel There should not be tunnels with the same tunnel id on the same router tunnel id on both participant routers must be equal mtu should be set to 1500 to eliminate packet refragmentation inside the tunnel that allows transparent bridging of Ethernet like networks so that it would be possible to transport full sized Ethernet frame over the tunnel For EoIP interfaces you can use MAC addresses that are in the range from 00 00 5E 80 00 00 to 00 00 5E FF FF FF Example To add and enable an EoIP tunnel named to_mtz2 to the 10 5 8 1 router specifying tunnel id of 1 admin Lobo924 interface eoip gt add name to_mt2 remote address 10 5 8 1 tunnel id 1 admin Lobo924 interface eoip gt print Flags X disabled R running 0 X name to_mt2 mtu 1500 arp enabled remote address 10 5 8 1 tunnel id 1 admin Lobo924 interface eoip gt enable 0 admin Lobo924 interface eoip gt print
416. nterface wlanN are taken Property Description ap tx limit integer default 0 limits data rate for this wireless client in bps e 0 no limits authentication yes no default yes whether to accept or to reject this client when it tries to connect client tx limit integer default 0 limits this client s transmit data rate in bps Works only if the client is also a Lobo Router e 0 no limits forwarding yes no default yes whether to forward the client s frames to other wireless clients interface name name of the respective interface Other trademarks and registred trademarks mentioned herein are properties of their respective owners mac address MAC address MAC address of the client private algo 104bit wep 40bit wep none which encryption algorithm to use private key text default private key of the client Used for private algo skip 802 1x yes no not implemented yet Notes If you have default authentication action for the interface set to yes you can disallow this node to register at the AP s interface wlanN by setting authentication no for it Thus all nodes except this one will be able to register to the interface wlanN If you have default authentication action for the interface set to no you can allow this node to register at the AP s interface wlanN by setting authentication yes for it Thus only the specified nodes will be able to register to the interface wlanN Exampl
417. o e plain passwd a yes no representation of whether HTTP PAP login method is allowed no e server address HotSpot server address 10 5 50 1 80 e ssl login a yes no representation of whether HTTPS method was used to access that servlet page no e link login link to login page including original URL requested http 10 5 50 1 login dst http www example com e link login plain link to login page not including original URL requested http 10 5 50 1 login e link logout link to logout page http 10 5 50 1 logout e link status link to status page http 10 5 50 1 status e link orig original URL requested http www example com Links Other trademarks and registred trademarks mentioned herein are properties of their respective owners domain domain name of the user mt lv e ip IP address of the client 10 5 50 2 e logged in yes if the user is logged in otherwise no yes e mac MAC address of the user 01 23 45 67 89 AB e username the name of the user John General client information e idle timeout idle timeout 20m or if none wer e idle timeout secs idle timeout in seconds 88 or if there is such timeout e limit bytes in byte limit for send 1000000 or if there is no limit e limit bytes out byte limit for receive 1000000 or if there is no limit e refresh timeout status page refresh timeout 1m3
418. o Note that console converts entered address netmask value to a valid network address i e 1 1 1 1 24 is converted to 1 1 1 0 24 dst address list name matches destination address of a packet against user defined address list dst address type unicast local broadcast multicast matches destination address type of the IP packet one of the e unicast IP addresses used for one point to another point transmission There is only one sender and one receiver in this case e local matches addresses assigned to router s interfaces e broadcast the IP packet is sent from one point to all other points in the IP subnetwork e multicast this type of IP addressing is responsible for transmission from one or more points to a set of other points dst limit integer time integer dst address dst port src address time limits the packet per second pps rate on a per destination IP or per destination port base As opposed to the limit match every destination IP address destination port has it s own limit The options are as follows in order of appearance e Count maximum average packet rate measured in packets per second pps unless followed by Time option e Time specifies the time interval over which the packet rate is measured e Burst number of packets to match in a burst e Mode the classifier s for packet rate limiting e Expire specifies interval after which recorded IP addresses ports will be delete
419. o ensure performance of chipset over temperature and environmental changes the software performs periodic calibration preamble mode both long short default both sets the synchronization field in a wireless packet e long has a long synchronization field in a wireless packet 128 bits Is compatible with 802 11 standard e short has a short synchronization field in a wireless packet 56 bits Is not compatible with 802 11 standard With short preamble mode it is possible to get slightly higher data rates e both supports both short and long preamble Other trademarks and registred trademarks mentioned herein are properties of their respective owners prism cardtype 30mW 100mW 200mW specify the output of the Prism chipset based card radio name name descriptive name of the card Only for Lobo devices rate set default configured which rate set to use e default basic and supported rates settings are not used instead default values are used e configured basic and supported rates settings are used as configured scan list multiple choice integer default default default the list of channels to scan e default represents all frequencies allowed by the regulatory domain in the respective country If no country is set these frequencies are used for 2 4GHz mode 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472 for 2 4GHz g turbo mode 2437 for 5GHz mode 5180 5200 5220 524
420. o log in remotely via secure shell protocol e ftp policy that grants remote rights to log in remotely via FTP and to transfer files from and to the router e reboot policy that allows rebooting the router e read policy that grants read access to the router s configuration All console commands that do not alter router s configuration are allowed e write policy that grants write access to the router s configuration except for user management This policy does not allow to read the configuration so make sure to enable read policy as well e policy policy that grants user management rights Should be used together with write policy e test policy that grants rights to run ping traceroute bandwidth test and wireless scan sniffer and snooper commands e web policy that grants rights to log in remotely via WebBox e winbox policy that grants rights to log in remotely via WinBox Other trademarks and registred trademarks mentioned herein are properties of their respective owners e password policy that grants rights to change the password Notes There are three system groups which cannot be deleted admin rb13 gt user group print 0 name read policy local telnet ssh reboot read test winbox password web ftp write policy 1 name write policy local telnet ssh reboot read write test winbox password web ftp policy 2 name full policy local telnet ssh ftp reboot read write policy test winbox p
421. o record route option This option is used to route the internet datagram based on information supplied by the source e no router alert match packets with no router alter option e no source routing match packets with no source routing option no timestamp match packets with no timestamp option e record route match packets with record route option e router alert match packets with router alter option e strict source routing match packets with strict source routing option e timestamp match packets with timestamp jump target forward input output name name of the target chain to jump to if the action jump is used limit integer time integer restricts packet match rate to a given limit Usefull to reduce the amount of log messages e Count maximum average packet rate measured in packets per second pps unless followed by Time option e Time specifies the time interval over which the packet rate is measured e Burst number of packets to match in a burst log prefix text all messages written to logs will contain the prefix specified herein Used in conjunction with action log nth integer integer 0 15 integer match a particular Nth packet received by the rule One of 16 available counters can be used to count packets e Every match every Nth packet e Counter specifies which counter to use e Packet match on the given packet number The value by obvious reasons must be between 0 and Ever
422. o which the root bridge is connected to Example To monitor a bridge admin Lobo924 interface bridge gt monitor bridgel bridge id 32768 00 02 6F 01 CE 31 designated root 32768 00 02 6F 01 CE 31 root port ether2 path cost 180 admin Lobo924 interface bridge gt Bridge Port Monitoring Command name interface bridge port monitor Description Statistics of an interface that belongs to a bridge Property Description designated port text port of designated root bridge designated root text ID of bridge which is nearest to the root bridge port id integer port ID which represents from port priority and port number and is unique status disabled blocking listening learning forwarding the status of the bridge port e disabled the interface is disabled No frames are forwarded no Bridge Protocol Data Units BPDUs are heard blocking the port does not forward any frames but listens for BPDUs Other trademarks and registred trademarks mentioned herein are properties of their respective owners e listening the port does not forward any frames but listens to them learning the port does not forward any frames but learns the MAC addresses e forwarding the port forwards frames and learns MAC addresses Example To monitor a bridge port admin Lobo924 interface bridge port gt mo 0 status forwarding port id 28417 designated root 32768 00 02 6F 01 C designated bridge 32768 00 0
423. obo924 ip firewall nat gt print Flags X disabled I invalid D dynamic 0 chain srcnat src address 192 168 0 0 24 action masquerade admin Lobo924 ip firewall nat gt And the access to public FTP servers is denied in firewall admin Lobo924 ip firewall filter gt print Flags X disabled I invalid D dynamic 0 chain forward src address 192 168 0 0 24 dst address 21 action drop admin Lobo924 ip firewall filter gt We need to enable the SOCKS server admin Lobo924 ip socks gt set enabled yes admin Lobo924 ip socks gt print enabled yes port 1080 connection idle timeout 2m max connections 200 admin Lobo924 ip socks gt Add access to a client with an IP address 192 168 0 2 32 to SOCKS access list allow data transfer from FTP server to client allow destionation ports from 1024 to 65535 for any IP address and drop everything else admin Lobo924 ip socks access gt add src address 192 168 0 2 32 dst address 21 action allow admin Lobo924 ip socks access gt add dst address 1024 65535 action allow admin Lobo924 ip socks access gt add action deny admin Lobo924 ip socks access gt print Flags X disabled 0 src address 192 168 0 2 32 dst address 21 action allow 1 dst address 1024 65535 action allow 2 action deny admin Lobo924 ip socks access gt That s all the SOCKS server is configured To see active connections and data transmitted and received admin Lobo924 ip socks c
424. ocal Intranets or LANs when EoIP is also used Other trademarks and registred trademarks mentioned herein are properties of their respective owners e For mobile or remote clients to remotely access an Intranet LAN of a company see PPTP setup for Windows for more information Each PPTP connection is composed of a server and a client The Lobo OSB may function as a server or client or for various configurations it may be the server for some connections and client for other connections For example the client created below could connect to a Windows 2000 server another Lobo Router or another router which supports a PPTP server Quick Setup Guide To make a PPTP tunnel between 2 Lobo routers with IP addresses 10 5 8 104 PPTP server and 10 1 0 172 PPTP client follow the next steps e Setup on PPTP server 1 Add a user admin PPTP Server ppp secret gt add name jack password pass local address 10 0 0 1 remote address 10 0 0 2 2 Enable the PPTP server admin PPTP Server interface pptp server server gt set enabled yes e Setup on PPTP client 1 Add the PPTP client admin PPTP Client interface pptp client gt add user jack password pass connect to 10 5 8 104 disabled no Specifications Packages required ppp License required levell limited to 1 tunnel level3 limited to 200 tunnels levelS Home menu level Ainterface pptp server interface pptp client Standards and Technologies P
425. of the SAFE mode Example To show the list of configuration changes admin Lobo924 system history gt print Flags U undoable R redoable F floating undo ACTION BY POLICY U system time zone changed admin write U system time zone changed admin write U system time zone changed admin write U system identity changed admin write admin Lobo924 system clock gt What the undo command does admin Lobo924 system history gt print Flags U undoable R redoable F floating undo ACTION BY POLICY R system time zone changed admin write Other trademarks and registred trademarks mentioned herein are properties of their respective owners U system time zone changed admin write U system time zone changed admin write U system identity changed admin write admin Lobo924 system clock gt System Note Home menu level system note Description System note feature allows you to assign arbitrary text notes or messages that will be displayed on each login right after banner For example you may distribute warnings between system administrators this way or describe what does that particular router actually do To configure system note you may upload a plain text file named sys note txt on the router s FTP server or additionally edit the settings in this menu Property Description note text default the note show at login yes no default yes whether to show system note on each login Note
426. om authenticted client e local dst true if a packet has local destination IP address e hotspot true if it is a TCP packet from client and either the transparent proxy on port 80 is enabled or the client has a proxy address configured and this address is equal to the address port pair of the IP packet icmp options integer integer match ICMP Type Code fields in interface name interface the packet has entered the router through ipv4 options any loose source routing no record route no router alert no source routing no timestamp none record route router alert strict source routing timestamp match ipv4 header options e any match packet with at least one of the ipv4 options e loose source routing match packets with loose source routing option This option is used to route the internet datagram based on information supplied by the source no record route match packets with no record route option This option is used to route the internet datagram based on information supplied by the source no router alert match packets with no router alter option no source routing match packets with no source routing option no timestamp match packets with no timestamp option record route match packets with record route option router alert match packets with router alter option strict source routing match packets with strict source routing option e timestamp match packets with timestamp jump targe
427. on i e they will be able work without having to log in to the network first and completely block some addresses Property Description address JP address netmask default the original IP address or network of the client mac address MAC address default the source MAC address of the client server name all default all the name of the server the client is connecting to to address JP address default IP address to translate the original client address to If address property is given as network this is the starting address for the translation i e the first address is translated to to address address 1 to to address 1 and so on type regular bypassed blocked type of the static binding entry e regular perform a one to one NAT translation according to the values set in this entry e bypassed perform the translation but exclude the client from having to log in to the HotSpot system e blocked the translation will not be preformed and all packets from the host will be dropped Notes This is an ordered list so you can put more specific entries on the top of the list for them to override the more common that appear lower Active Host List Other trademarks and registred trademarks mentioned herein are properties of their respective owners Home menu level ip hotspot host Description This menu shows all active network hosts that are connected to the HotSpot gateway This li
428. onnections gt print SRC ADDRESS DST ADDRESS TX RX 0 192 168 0 2 1238 10 5 8 8 21 1163 4625 1 192 168 0 2 1258 10 5 8 8 3423 0 3231744 admin Lobo924 ip socks connections gt Note In order to use SOCKS proxy server you have to specify its IP address and port in your FTP Other trademarks and registred trademarks mentioned herein are properties of their respective owners client In this case IP address would be 192 168 0 1 router s SOCKS server s local IP and port 1080 Other trademarks and registred trademarks mentioned herein are properties of their respective owners UPnP Document revision 2 2 Tue Mar 08 19 21 08 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Description Additional Documents Enabling Universal Plug n Play Property Description Example UPnP Interfaces Property Description Notes Example General Information Summary The Lobo OSB supports Universal Plug and Play architecture for transparent peer to peer network connectivity of personal computers and network enabled intelligent devices or appliances UPnP builds enables these devices to automatically connect with one another and work together to make networking possible for more people Specifications Packages required system License required levell Home menu level Ap upnp Standards and Technologies TCP IP HTTP XML IGD Hardware usage Not significant Des
429. or USB keyboard and VGA compatible video controller card with monitor e Telnet telnet server is running on 23 TCP port by default e SSH SSH secure shell server is running on 22 TCP port by default available only if security package is installed e MAC Telnet Lobo MAC Telnet potocol server is by default enabled on all Ethernet like interfaces e Winbox Winbox is a OSB remote administration GUI for Windows that use 8290 TCP port or 8291 if security package is installed It may also connect routers by their MAC addresses Router may be managed through the following interfaces note that until a valid IP configuration is enteres telnet and SSH connections are not possible Other trademarks and registred trademarks mentioned herein are properties of their respective owners FTP File Transfer Protocol Server Document revision 2 3 Fri Jul 08 15 52 48 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents File Transfer Protocol Server Description Property Description Command Description General Information Summary Lobo OSB implements File Transfer Protocol FTP server feature It is intended to be used for software packages uploading configuration script exporting and importing procedures as well as for storing HotSpot servlet pages Specifications Packages required system License required levell Home menu level file Stan
430. or client s MAC address may be used as username and password e Registration may occur on a different server for example on a server that is able to charge Credit Cards Client s MAC address may be passed to it so that this information need not be written in manually After the registration the server may change RADIUS database enabling client to log in for some amount of time To insert variable in some place in HTML file the var_name syntax is used where the var_name is the name of the variable without quotes This construction may be used in any HotSpot HTML file accessed as login status or logout as well as any text or HTML file stored on the HotSpot server For example to show a link to the login page following construction can be used Variables All of the Servlet HTML pages use variables to show user specific values Variable names appear only in the HTML source of the servlet pages they are automatically replaced with the respective values by the HotSpot Servlet For each variable there is an example of its possible value included in brackets All the described variables are valid in all servlet pages but some of them just might be empty at the time they are accesses for example there is no uptime before a user has logged in e Common server variables e hostname DNS name or IP address if DNS name is not given of the HotSpot Servlet hotspot example net e identity OSB identity name Lob
431. or the client so that a particular user would always receive the same IP address regardless of what PC is he she working at The system will automatically detect and redirect requests to a proxy server a client is using if any it may be set in his her settings to use an unknown to us proxy server to the proxy server embedded in the router Authorization may be delegated to a RADIUS server which delivers similar configuration options as the local database For any user requiring authorization a RADIUS server gets queried first and if no reply received the local database is examined RADIUS server may send a Change of Authorization request according to standards to alter the previously accepted parameters Advertisement The same proxy used for unauthorized clients to provide Walled Garden facility may also be used for authorized users to show them advertisement popups Transparent proxy for authorized users allows to monitor http requests of the clients and to take some action if required It enables the possibility to open status page even if client is logged in by mac address as well as to show advertisements time after time When time has come to show an advertisement the server redirects client s web browser to the status page Only requests which provide html content are redirected images and other content will not be affected The status page displays the advertisement and next advertise interval is used to schedule next advertise
432. ot drop packet and do not acquire SA from IKE daemon e acquire skip this transform but acquire SA for it from IKE daemon e require drop packet but acquire SA manual sa name default none name of manual sa template that will be used to create SAs for this policy e none no manual keys are set not decrypted integer how many incoming packets the policy attempted to decrypt but discarded for any reason not encrypted integer how many outgoing packets the policy attempted to encrypt but discarded for any reason out accepted integer how many outgoing packets were passed through by the policy without an attempt to encrypt out dropped integer how many outgoing packets were dropped by the policy without an attempt to encrypt ph2 state read only expired no phase2 established indication of the progress of key establishing e expired there are some leftovers from previous phase2 In general it is similar to no phase2 e no phase2 no keys are estabilished at the moment e estabilished Appropriate SAs are in place and everything should be working fine proposal name default default name of proposal information that will be sent by IKE daemon to establish SAs for this policy protocol name integer default all protocol name or number sa dst address IP address default 0 0 0 0 SA destination IP address sa src address IP address default 0 0 0 0 SA source IP address src address JP address netm
433. otected Access WEP Wired Equivalent Privacy WDS Wireless Distribution System DFS Dynamic Frequency Selection Alignment mode for positioning antennas and monitoring wireless signal disable packet forwarding among clients and others The nstreme protocol is Lobo proprietary i e incompatible with other vendors wireless protocol created to improve point to point and point to multipoint wireless links Nstreme2 works with double radio systems one for transmitting data and one for receiving Benefits of nstreme protocol e Client polling e Very low protocol overhead per frame allowing super high data rates e No protocol limits on link distance e No protocol speed degradation for long link distances e Dynamic protocol adjustment depending on traffic type and resource usage Quick Setup Guide Let s consider that you have a wireless interface called wlan1 e To set it as an Access Point working in 802 11g standard using frequency 2442 MHz and Service Set Identifier test do the following configuration interface wireless set wlanl ssid test frequency 2442 band 2 4ghz b g mode ap bridge disabled no Now your router is ready to accept wireless clients Other trademarks and registred trademarks mentioned herein are properties of their respective owners e To make a point to point connection using 802 1la standard frequency 5805 MHz and Service Set Identifier p2p write interface wireless set wlanl ssid p2p
434. ou can see we marked connections that belong for Laptop and Workstation with the same chain prerouting src address 192 168 0 1 action mark connection new connection mark server con chain prerouting connection mark server con action mark packet new packet mark server chain prerouting src address 192 168 0 2 action mark connection new connection mark lap_works con chain prerouting src address 192 168 0 3 action mark connection new connection mark lap_works con chain prerouting connection mark lap_works con action mark packet new packet mark lap_work n Lobo924 ip firewall mangle gt flow admi NG admi Waide admi Flags 0 admi A admi admi admi Flags 0 In queue tree add rules that will limit Server s download and upload n Lobo924 queue tree gt add name Server Download parent Local limit at 131072 packet mark server max limit 262144 n Lobo924 queue tree gt add name Server Upload parent Public limit at 65536 packet mark server max limit 131072 n Lobo924 queue tree gt print X disabled I invalid name Server Download parent Local packet mark server limit at 131072 queue default priority 8 max limit 262144 burst limit 0 burst threshold 0 burst time 0s name Server Upload parent Public packet mark server limit at 65536 queue default priority 8 max limit 131072 burst limit 0 burst threshold 0 burst time 0
435. ou have to e version 5 in addition to version 1 version 5 has the BGP AS and flow sequence number Other trademarks and registred trademarks mentioned herein are properties of their respective owners information included e version 9 a new format which can be extended with new fields and record types thank s to its template style design Additional Documents e Software Package Management General Configuration Description This section describes the basic configuration of Traffic Flow Property Description enabled yes no whether to enable traffic flow service or not interfaces name names of those interfaces which will be used to gather statistics for traffic flow To specify more than one interface separate them with a comma cache entries Jk 2k 4k 8k 16k 32k 64k 128k 256k 512k default 1k number of flows which can be in router s memory simultaneously active flow timeout time default 30m maximum life time of a flow inactive flow timeout time default 15s how long to keep the flow active if it is idle Traffic Flow Target Description With Traffic Flow targets we specify those hosts which will gather the Traffic Flow information from router Property Description address IP address port IP address and port UDP of the host which receives Traffic Flow statistic packets from the router v9 template refresh integer default 20 number of packets after which the
436. p vrrp gt print Flags X disabled I invalid M master B backup 0 B name vril interface local vrid 1 priority 100 interval 1 preemption mode yes authentication none password _on backup on master admin Lobo924 ip vrrp gt Now we should add the same virtual address as was added to the master node Other trademarks and registred trademarks mentioned herein are properties of their respective owners admin Lobo924 ip vrrp gt address add address 192 168 1 1 24 Vvirtual router vrl admin Lobo924 ip vrrp gt address print Flags X disabled A activ ADDRESS NETWORK BROADCAST VIRTUAL ROUTER 0 192 768 1 1 24 192 168 1 0 192 168 1 255 vel admin Lobo924 ip vrrp gt Note that this address will not appear in ip address list admin Lobo924 ip address gt print Flags X disabled I invalid D dynamic 4 ADDRESS NETWORK BROADCAST INTERFACE 0 10 1 0 1 24 10 0 0 0 10 20 0255 public 1 192 168 1 3 24 192 168 1 0 192 168 1 255 local admin Lobo924 ip address gt Testing fail over Now when we will disconnect the master router the backup one will switch to the master state admin Lobo924 ip vrrp gt print Flags X disabled I invalid M master B backup 0 M name vrl interface local vrid 1 priority 100 interval 1 preemption mode yes authentication none password on backup on master admin Lobo924 ip vrrp gt ip addres
437. participating in data excange you ve sniffed Property Description address read only IP address IP address of the host peek rate read only integer integer the maximum data rate received transmitted rate read only integer integer current data rate received transmitted total read only integer integer total packets received transmitted Example In the following example we ll see the list of hosts admin Lobo924 tool sniffer host gt print ADDRESS RATE PEEK RATE TOTAL 0 10 0 0 4 Obps Obps 704bps O0bps 264 0 1 10 0 0 144 Obps Obps 6 24kbps 12 2kbps 1092 2128 2 10 0 0 181 Obps Obps 12 2kbps 6 24kbps 2994 1598 3 10 0 0 241 0bps 0bps 1 31kbps 4 85kbps 242 866 admin Lobo924 tool sniffer host gt Packet Sniffer Connections Home menu level tool sniffer connection Description Here you can get a list of the connections that have been watched during the sniffing time Property Description active read only yes no if yes the find active connections bytes read only integer bytes in the current connection dst address read only IP address destination address mss read only integer Maximum Segment Size resends read only integer the number of packets resends in the current connection src address read only IP address source address Example The example shows how to get the list of connections Other trademarks and registred trademarks mentioned herein are
438. peared in the address list Hosts with these IP addresses tried to initialize a telnet session to the router Other trademarks and registred trademarks mentioned herein are properties of their respective owners Mangle Document revision 2 8 Tue Jul 12 09 15 22 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Mangle Description Property Description Description Peer to Peer Traffic Marking Mark by MAC address Change MSS General Information Summary The mangle facility allows to mark IP packets with special marks These marks are used by various other router facilities to identify the packets Additionaly the mangle facility is used to modify some fields in the IP header like TOS DSCP and TTL fields Specifications Packages required system License required level Home menu level ip firewall mangle Standards and Technologies JP Hardware usage Increases with count of mangle rules Related Documents e Software Package Management IP Addresses and ARP Routes Equal Cost Multipath Routing Policy Routing e NAT e Filter e Packet Flow Mangle Other trademarks and registred trademarks mentioned herein are properties of their respective owners Home menu level ip firewall mangle Description Mangle is a kind of marker that marks packets for future processing with special marks Many other facilities in OSB ma
439. pecified must match DHCP client identifier option of the request expires after read only time time until lease expires host name read only text shows host name option from last received DHCP request lease time time default Os time that the client may use an address e Os lease will never expire mac address MAC address default 00 00 00 00 00 00 if specified must match MAC address of the client radius read only yes no shows whether this dynamic lease is authenticated by RADIUS or not rate limit read only text default sets rate limit for active lease Format is rx rate tx rate rx burst rate tx burst rate rx burst threshold tx burst threshold rx burst time tx burst time All rates should be numbers with optional k 1 000s or M 1 000 000s If tx rate is not specified rx rate is as tx rate too Same goes for tx burst rate and tx burst threshold and tx burst time If both rx burst threshold and tx burst threshold are not specified but burst rate is specified rx rate and tx rate is used as burst thresholds If both rx burst time and tx burst time are not specified 1s is used as default rx rate integer default 0 maximal receive bitrate to the client for users it is upload bitrate e 0 no limitation server read only name server name which serves this client status read only waiting testing authorizing busy offered bound lease status e waiting not used
440. pecified for the while parameter it will be evaluated after executing commands and in case it is true do statement is executed again and again until false The if parameter if present is evaluated only once before doing anything else and if it is false then no action is taken text actions to execute Other trademarks and registred trademarks mentioned herein are properties of their respective owners repeatedly yes no condition which is evaluated each time after the execution of enclosed statements yes no condition which is evaluated once before the execution of enclosed statements admin Lobo924 gt global ae 10 do put Si set i Si 1 Nano while i lt 11 amp amp Si gt 0 sunset i 10 9 8 a 6 5 4 3 2 1 admin Lobo924 gt environment print prints information about variables that are currently initialised All global variables in the system are listed under the heading Global Variables All variables that are introduced in the current script variables introduced by local or created by for or foreach statements are listed under the heading Local Variables Creating variables and displaying a list of them admin Lobo924 gt Local A This is a local variable fadmin Lobo924 gt global B This is a global one fadmin Lobo924 gt environment print Global Variables B This is a global one Local Variables A This ass a local variable admin Lobo924
441. pending on the loop counter variable start and end values step parameter can be treated also as decrement text contains the command to be executed repeatedly admin Lobo924 gt for i from 1 to 100 step 37 do put Si 1000 i Other trademarks and registred trademarks mentioned herein are properties of their respective owners 1 1000 38 26 75 aS admin Lobo924 gt foreach executes supplied commands for each element in list name the name of the loop counter variable list of values over which to iterate text contains the command to be executed repeatedly Printing a list of available interfaces with their respective IP addresses foreach i in interface find type ether Neas do put MRE interface get i name Natas foreach J in ip address find interface i Mitte do put ea ip address get j address etherl 1 1 1 3 24 192 168 50 1 24 10 0 0 2 24 ether2 10 10 0 2 24 admin Lobo924 gt global declares global variable name name of the variable text value which should be assigned to the variable admin Lobo924 gt global MyString This is a string fadmin Lobo924 gt global IPAddr LO Ore O T admin Lobo924 gt global time 0 10 f admin Lobo924 gt environment print Global Variables IPAddr 10 0 0 1 time 00 10 00 MyString This is a string Local Variables admin Lobo924 gt if conditional statement I
442. placed in this chain is applied after routing The rules that replace destination addresses of IP packets should be placed there e srcnat a rule placed in this chain is applied before routing The rules that replace the source addresses of IP packets should be placed there comment text a descriptive comment for the rule A comment can be used to identify rules form scripts connection bytes integer integer matches packets only if a given amount of bytes has been transfered through the particular connection e 0 means infinity exempli gratia connection bytes 2000000 0 means that the rule matches if more than 2MB has been transfered through the relevant connection connection limit integer netmask restrict connection limit per address or address block connection mark name matches packets marked via mangle facility with particular connection mark connection type ftp gre h323 irc mms pptp quake3 tftp matches packets from related connections based on information from their connection tracking helpers A relevant connection helper must be enabled under ip firewall service port content text the text packets should contain in order to match the rule dst address ZP address netmask IP address IP address specifies the address range an IP packet is destined to Note that console converts entered address netmask value to a valid network address i e 1 1 1 1 24 is converted to 1 1 1 0 24 dst address
443. point Nstreme link The setup of Nstreme is similar to usual wireless configuration except that you have to do some changes under interface wireless nstreme e Set the Nstreme AP to bridge mode and enable Nstreme on it admin Nstreme AP interface wireless gt set 0 mode bridge ssid nstreme Nia band 5ghz frequency 5805 disabled no admin Nstreme AP interface wireless gt print Flags X disabled R running 0 name wlanl mtu 1500 mac address 00 0C 42 05 00 22 arp enabled disable running check no interface type Atheros AR5413 radio name 000C42050022 mode bridge ssid nstreme area frequency mode superchannel country no_country_set antenna gain 0 frequency 5805 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a Other trademarks and registred trademarks mentioned herein are properties of their respective owners wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client
444. port e HighPortWeight weight of the packet with non priviliged destination port random integer match packets randomly with given propability routing mark name matches packets marked by mangle facility with particular routing mark same not by dst yes no specifies whether to account or not to account for destination IP address when selecting a new source IP address for packets matched by rules with action same src address JP address netmask IP address IP address specifies the address range an IP packet is originated from Note that console converts entered address netmask value to a valid network address 1 e 1 1 1 1 24 is converted to 1 1 1 0 24 src address list name matches source address of a packet against user defined address list src address type unicast local broadcast multicast matches source address type of the IP packet one of the e unicast IP addresses used for one point to another point transmission There is only one sender and one receiver in this case e local matches addresses assigned to router s interfaces e broadcast the IP packet is sent from one point to all other points in the IP subnetwork e multicast this type of IP addressing is responsible for transmission from one or more points to a set of other points src mac address MAC address source MAC address src port integer 0 65535 integer 0 65535 source port number or range tcp mss integer 0 65535 matche
445. properties of their respective owners admin Lobo924 tool sniffer connection gt print Flags A active SRC ADDRESS DST ADDRESS BYTES RESENDS MSS 0 A 10 0 0 241 1839 10 0 0 181 23 telnet 6 42 60 0 0 0 1 A 10 0 0 144 2265 10 0 0 181 22 ssh 504 252 504 0 0 0 admin Lobo924 tool sniffer connection gt Sniff MAC Address You can also see the source and destination MAC Addresses To do so at first stop the sniffer if it is running and select a specific interface admin Lobo924 tool sniffer gt stop admin Lobo924 tool sniffer gt set interface bridgel admin Lobo924 tool sniffer gt start admin Lobo924 tool sniffer gt print interface bridgel only headers no memory limit 10 file name file limit 10 streaming enabled no streaming server 0 0 0 0 filter stream yes filter protocol ip only filter addressl 0 0 0 0 0 0 65535 filter address2 0 0 0 0 0 0 65535 running yes admin Lobo924 tool sniffer gt Now you have the source and destination MAC Addresses admin Lobo924 tool sniffer packet gt print detail 0 time 0 src mac address 00 0C 42 03 02 C7 dst mac address 00 30 4F 08 3A E7 interface bridgel src address 10 5 8 104 1125 dst address 10 1 0 172 3987 winbox tls protocol ip ip protocol tcp size 146 ip packet size 146 ip header size 20 tos 0 identification 5088 fragment offset 0 tt1l 126 1 time 0 src mac address 00 30 4F 08 3A E7 dst
446. properties of their respective owners The purpose of Nstreme2 Dual Nstreme is to m ake superfast point to point links using 2 wireless cards on each router one for receiving and the other one for transmitting data you can use different bands for receiving and transmitting point to point link using Dual Nstreme Configure DualNS 1 admin DualNS 1 interface wireless gt set 0 admin DualNS 1 interface wireless gt print Flags X disabled R running 0 wlanl mtu 1500 mac address 00 This example will show you how to make a 1 mode nstreme dual slav 0C 42 05 04 36 arp enabled name ty pe Atheros AR5413 disable running check no interfac radio name 000C42050436 mode nstrem area frequency mode superchannel c antenna gain 0 frequency 5180 band 5g rate set default supported rates b 1M supported rates a g 6Mbps 9Mbps 12Mbp 54Mbps basic rates b 1Mbps basic rates a g 6 ack timeout dynamic tx power default noise floor threshold default periodi dual slave ssid Lobo ountry no_country_set hz scan list default bps 2Mbps 5 5Mbps 11Mbps s 18Mbps 24Mbps 36Mbps 48Mbps bps max station count 2007 tx power mode default c calibration default burst time disabled fast frames no df s mode none antenna mode ant a wds mode disabled wds default bridg none wds ignore ssid no update stats interval disabled defaul t auth
447. proxy does not have to be transparent any more as proxy on router will be transparent and will forward proxy style requests according to standard these requests include all necessary information about web server to real proxy Property Description action accept add dst to address list add src to address list dst nat jump log masquerade netmap passthrough redirect return same src nat default accept action to undertake if the packet matches the rule accept accepts the packet No action is taken i e the packet is passed through and no more rules are applied to it add dst to address list adds destination address of an IP packet to the address list specified by address list parameter add src to address list adds source address of an IP packet to the address list specified by address list parameter dst nat replaces destination address of an IP packet to values specified by to addresses and to ports parameters e jump jump to the chain specified by the value of the jump target parameter log each match with this action will add a message to the system log masquerade replaces source address of an IP packet to an automatically determined by the routing facility IP address netmap creates a static 1 1 mapping of one set of IP addresses to another one Often used to distribute public IP addresses to hosts on private networks passthrough ignores this rule goes on to the next one redirect
448. pt the request You can use radius monitor command to see bad replies parameter This value should increase whenever a client tries to connect Supported connections e Lobo OSB PPPoE client to any PPPoE server access concentrator e Lobo OSB server access concentrator to multiple PPPoE clients clients are avaliable for almost all operating systems and some routers Quick Setup Guide e To configure Lobo OSB to be a PPPoE client 1 Just add a pppoe client interface pppoe client add name pppoe user mike user mike password 123 interface wlanl service name internet disabled no To configure Lobo OSB to be an Access Concentrator PPPoE Server 1 Add an address pool for the clients from 10 1 1 62 to 10 1 1 72 called pppoe pool ip pool add name pppoe pool ranges 10 1 1 62 10 1 1 72 2 Add PPP profile called pppoe profile where local address will be the router s address and clients will have an address from pppoe pool ppp profile add name pppoe profile local address 10 1 1 1 remote address pppoe pool 3 Add a user with username mike and password 123 ppp secret add name mike password 123 service pppoe profile pppoe profil 4 Now add a pppoe server interface pppoe server server add service name internet interface wlanl default profile pppoe profil Specifications Packages required ppp Other trademarks and registred trademarks mentioned herei
449. ption Configuring Master VRRP router Configuring Backup VRRP router Testing fail over General Information Summary Virtual Router Redundancy Protocol VRRP implementation in the Lobo OSB is RFC2338 compliant VRRP protocol is used to ensure constant access to some resources Two or more routers referred as VRRP Routers in this context create a highly available cluster also referred as Virtual routers with dynamic fail over Each router can participate in not more than 255 virtual routers per interface Many modern routers support this protocol Network setups with VRRP clusters provide high availability for routers without using clumsy ping based scripts Specifications Packages required system License required levell Home menu level ip vrrp Standards and Technologies VRRP AH HMAC MD5 96 within ESP and AH Hardware usage Not significant Related Documents Other trademarks and registred trademarks mentioned herein are properties of their respective owners e Package Management JP Addresses and ARP Description Virtual Router Redundancy Protocol is an election protocol that provides high availability for routers A number of routers may participate in one or more virtual routers One or more IP addresses may be assigned to a virtual router A node of a virtual router can be in one of the following states e MASTER state when the node answers all the requests to the instance s IP addresses There may only be
450. ption Notes Example Dynamic Addressing using DHCP Relay IP Address assignment using FreeRADIUS Server General Information Summary The DHCP Dynamic Host Configuration Protocol is needed for easy distribution of IP addresses in a network The Lobo OSB implementation includes both server and client parts and is compliant with RFC2131 General usage of DHCP IP assignment in LAN cable modem and wireless systems e Obtaining IP settings on cable modem systems IP addresses can be bound to MAC addresses using static lease feature DHCP server can be used with Lobo OSB HotSpot feature to authenticate and account DHCP clients See the HotSpot Manual for more information Quick Setup Guide This example will show you how to setup DHCP Server and DHCP Client on Lobo OSB e Setup of a DHCP Server 1 Create an IP address pool ip pool add name dhcp pool ranges 172 16 0 10 172 16 0 20 2 Add a DHCP network which will concern to the network 172 16 0 0 12 and will distribute a gateway with IP address 172 16 0 1 to DHCP clients ip dhcp server network add address 172 16 0 0 12 gateway 172 16 0 1 3 Finally add a DHCP server ip dhcp server add interface wlanl address pool dhcp pool e Setup of the DHCP Client which will get a lease from the DHCP server configured above 1 Add the DHCP client ip dhcp client add interface wlanl use peer dns yes add default route yes disabled no 2 Check whe
451. quit D dump C z pause Other trademarks and registred trademarks mentioned herein are properties of their respective owners Interface Bonding Document revision 1 1 oct 26 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Quick Setup Guide Specifications Related Documents Description Property Description Notes Bonding two Eoip tunnels General Information Summary Bonding is a technology that allows to aggregate multiple ethernet like interfaces into a single virtual link thus getting higher data rates and providing failover Quick Setup Guide Let us assume that we have 2 NICs in each router Routerl and Router2 and want to get maximum data rate between 2 routers To make this possible follow these steps 1 2 admin Routerl1 admin Router2 3 admin Routerl1 admin Router2 4 admin Routerl1 172 172 T72 172 172 Make sure that you do not have IP addresses on interfaces which will be enslaved for bonding interface Add bonding interface on Router1 And on Router 2 interface bonding gt add slav interface bonding gt add slav Add addresses to bonding interfaces ip address gt add address 172 ip address gt add address 172 Test the link from Router1 16 0 2 ping timeout 16 0 2 ping timeout 16 0 2 ping timeout 16 0 2 64 byte ping 16 0 2 64 byte ping ttl 64 time 2 ms ttl 64 time 2 ms s etherl e
452. r IP address ISDN interface MSN HotSpot MAC of the hotspot interface if known else IP of hotspot interface specified in hotspot menu if set else attribute not present e NAS Port Id async PPP serial port name PPPoE ethernet interface name on which server is running HotSpot name of the hotspot interface if known otherwise not present not present for ISDN PPTP and L2TP e Framed IP Address IP address of HotSpot client after Universal Client translation e Host IP IP address of HotSpot client before Universal Client translation the original IP Other trademarks and registred trademarks mentioned herein are properties of their respective owners address of the client e User Name client login name e MS CHAP Domain User domain if present e Realm If it is set in radius menu it is included in every RADIUS request as Lobo Realm attribute If it is not set the same value is sent as in MS CHAP Domain attribute if MS CHAP Domain is missing Realm is not included neither e User Password encrypted password used with PAP authentication e CHAP Password CHAP Challenge encrypted password and challenge used with CHAP authentication e MS CHAP Response MS CHAP Challenge encrypted password and challenge used with MS CHAPy1 authentication e MS CHAP2 Response MS CHAP Challenge encrypted password and challenge used with MS CHAPv 2 authentication Depending on authentication methods NOTE HotSpot uses
453. r Lobo OSB bridges you should set forward protocols to ip arp and other for other bridges there should be analogical settings You can also transport VLANs over wireless links and put multiple VLAN interfaces on a single wireless interface Note that as VLAN is not a full tunnel protocol i e it does not have additional fields to transport MAC addresses of sender and recipient the same limitation applies to bridging over VLAN as to bridging plain wireless interfaces In other words while wireless clients may participate in VLANs put on wireless interfaces it is not possible to have VLAN put on a wireless interface in station mode bridged with any other interface Other trademarks and registred trademarks mentioned herein are properties of their respective owners VLAN Setup Home menu level Ainterface vlan Property Description arp disabled enabled proxy arp reply only default enabled Address Resolution Protocol setting e disabled the interface will not use ARP protocol e enabled the interface will use ARP protocol e proxy arp the interface will be an ARP proxy e reply only the interface will only reply to the requests originated to its own IP addresses but neighbor MAC addresses will be gathered from ip arp statically set table only interface name physical interface to the network where are VLANs mtu integer default 1500 Maximum Transmission Unit name name interface name for reference vlan id i
454. r queuing disciplines are PFIFO BFIFO SFQ PCQ RED e shapers queuing disciplines that also perform the limitation Shapers are PCQ and HTB Virtual Interfaces There are 3 virtual interfaces in OSB in addition to real interfaces e global in represents all the input interfaces in general INGRESS queue Please note that queues attached to global in apply to traffic that is received by the router before the packet filtering global in queueing is executed just after mangle and dst nat e global out represents all the output interfaces in general Queues attached to it apply before the ones attached to a specific interface e global total represents a virtual interface through which all the data going through the router is passing When attaching a qdisc to global total the limitation is done in both directions For example if we set a total max limit to 256000 we will get upload download 256kbps maximum Introduction to HTB HTB Hierarchical Token Bucket is a classful queuing discipline that is useful for applying different handling for different kinds of traffic Generally we can set only one queue for an interface but in OSB queues are attached to the main Hierarchical Token Bucket HTB and thus have some properties derived from that parent queue For example we can set a maximum data rate for a workgroup and then distribute that amount of traffic between the members of that workgroup HTB qdisc in detail HTB te
455. rates to be supported in 802 11b standard remote mac MAC address default 00 00 00 00 00 00 which MAC address to connect to this would be the remote receiver card s MAC address rx band operating band of the receiving radio e 2 4ghz b IEEE 802 11b e 2 4ghz g IEEE 802 11g e 2 4ghz g turbo IEEE 802 11g in Atheros proprietary turbo mode up to 108Mbit e 5ghz IEEE 802 11a up to 54 Mbit e 5ghz turbo IEEE 802 1 1a in Atheros proprietary turbo mode up to 108Mbit rx frequency integer default 5320 Frequency to use for receiving frames rx radio name which radio should be used for receiving frames tx band operating band of the transmitting radio e 2 4ghz b IEEE 802 11b e 2 4ghz g IEEE 802 11 e 2 4ghz g turbo IEEE 802 11g in Atheros proprietary turbo mode up to 108Mbit e 5ghz IEEE 802 11a up to 54 Mbit e 5ghz turbo IEEE 802 11a in Atheros proprietary turbo mode up to 108Mbit tx frequency integer default 5180 Frequency to use for transmitting frames tx radio name which radio should be used for transmitting frames Notes WDS cannot be used on Nstreme dual links The difference between tx freq and rx freq should be about 200MHz more is recommended because of the interference that may occur You can use different bands for rx and tx links For example transmit in 2 4ghz g turbo and Other trademarks and registred trademarks mentioned herein are properties of their respective owners
456. rbo channels 2312 0 2317 0 2322 0 2327 0 2332 0 2337 0 2342 2347202352 0 235720 2362 0 2367 0 2372 0 2377 2382 0 2387 0 2392 0 2397 0 2402 0 2407 0 2412 2417 0 2422 0 2427 0 2432 0 2437 0 2442 0 2447 2452 0 2457 0 2462 0 2467 0 2472 0 2477 0 2482 2487 0 2492 0 2497 0 2314 0 2319 0 2324 0 2329 2334 0 2339 0 2344 0 2349 0 2354 0 2359 0 2364 2369 0 2374 0 2379 0 2384 0 2389 0 2394 0 2399 2404 0 2409 0 2414 0 2419 0 2424 0 2429 0 2434 2439 0 2444 0 2449 0 2454 0 2459 0 2464 0 2469 2474 0 2479 0 2484 0 2489 0 2494 0 2499 0 admin Lobo924 interface wireless gt DODDVCOCCCO ee nn COODVOGCCCO0C00 yyy NNN YTS Virtual Access Point Interface Home menu level Ainterface wireless Description Virtual Access Point VAP interface is used to have an additional AP You can create a new AP with different ssid and mac address It can be compared with a VLAN where the ssid from VAP is the VLAN tag and the hardware interface is the VLAN switch You can add up to 7 VAP interfaces for each hardware interface OSB supports VAP feature for Atheros AR5212 and newer Property Description arp disabled enabled proxy arp reply only ARP mode default authentication yes no default yes whether to accept or reject a client that wants to associate but is not in the access list Other trademarks and registred trademarks mentioned herein are properties of their respective owners default forwarding yes no defa
457. rce routing option e timestamp match packets with timestamp jump target dstnat srcnat name name of the target chain to jump to if the action jump is used limit integer time integer restricts packet match rate to a given limit Usefull to reduce the amount of log messages e Count maximum average packet rate measured in packets per second pps unless followed by Time option e Time specifies the time interval over which the packet rate is measured e Burst number of packets to match in a burst log prefix text all messages written to logs will contain the prefix specified herein Used in conjunction with action log nth integer integer 0 15 integer match a particular Nth packet received by the rule One of 16 available counters can be used to count packets e Every match every Nth packet e Counter specifies which counter to use e Packet match on the given packet number The value by obvious reasons must be between 0 and Every 1 If this option is used for a given counter then there must be at least Every rules with this option covering all values between 0 and Every 1 inclusively out interface name interface the packet is leaving the router through packet mark text matches packets marked via mangle facility with particular packet mark packet size integer 0 65535 integer 0 65535 matches packet of the specified size or size range in bytes Other trademarks and registred trademar
458. rds and Technologies RADIUS Hardware usage Local traffic accounting requires additional memory Related Documents Package Management IP Addresses and ARP Other trademarks and registred trademarks mentioned herein are properties of their respective owners HotSpot Gateway PPP and Asynchronous Interfaces e PPPoE e PPTP e L2TP e ISDN Local IP Traffic Accounting Home menu level ip accounting Description As each packet passes through the router the packet source and destination addresses are matched against an IP pair in the accounting table and the traffic for that pair is increased The traffic of PPP PPTP PPPoE ISDN and HotSpot clients can be accounted on per user basis too Both the number of packets and the number of bytes are accounted If no matching IP or user pair exists a new entry will be added to the table Only the packets that enter and leave the router are accounted Packets that are dropped in the router are not counted as well as ones that are sent from the router itself Packets that are NATted on the router will be accounted for with the actual IP addresses on each side Packets that are going through bridged interfaces i e inside the bridge interface are also accounted correctly Property Description enabled yes no default no whether local IP traffic accounting is enabled threshold integer default 256 maximum number of IP pairs in the accounting table maximal value is 819
459. regulatory domain channels in configured country only are allowed and transmit power is limited to what is allowed in that channel in configured country minus configured antenna gain Also note that in this mode card will never be configured to higher power than allowed by the respective regulatory domain e manual tx power channels in configured country only are allowed but transmit power is taken from tx power setting e superchannel only possible with superchannel license In this mode all hardware supported Other trademarks and registred trademarks mentioned herein are properties of their respective owners channels are allowed hide ssid yes no default no whether to hide ssid or not in the beacon frames e yes ssid is not included in the beacon frames AP replies only to probe requests with the given ssid e no ssid is included in beacon frames AP replies to probe requests with the given ssid ant to broadcast ssid empty ssid interface type read only text adapter type and model mac address MAC address Media Access Control MAC address of the interface master interface name physical wireless interface name that will be used by Virtual Access Point VAP interface max station count integer 1 2007 default 2007 maximal number of clients allowed to connect to AP Real life experiments from our customers show that 100 clients can work with one AP using traffic shaping mode alignment only ap br
460. rein are properties of their respective owners to yes multiple channels yes no default no whether to snoop multiple channels or a single channel e no wireless snooper snoops only one channel in frequency that is configured in interface wireless e yes snoop in all channels that are listed in the scan list in interface wireless receive errors yes no default no whether to receive packets with CRC errors Command Description snoop starts monitoring wireless channels e wireless interface name interface that monitoring is performed on e BAND operating band Example Snoop 802 11b network admin Lobo924 interface wireless snooper gt snoop wlanl BAND FREQ USE BW NET COUNT STA COUNT 2 4ghz b 2412MHz 1 5 11 8kbps 2 2 2 4ghz b 2417MHz 1 3 6 83kbps 0 1 2 4ghz b 2422MHz 0 6 4 38kbps 1 1 2 4ghz b 2427MHz 0 6 4 43kbps 0 0 2 4ghz b 2432MHz 0 3 2 22kbps 0 0 2 4ghz b 2437MHz 0 Obps 0 0 2 4ghz b 2442MHz 1 8 1kbps 0 0 2 4ghz b 2447MHz 1 8 22kbps 1 1 2 4ghz b 2452MHz 1 8 3kbps 0 0 2 4ghz b 2457MHz 0 Obps 0 0 2 4ghz b 2462MHz 0 Obps 0 0 admin Lobo924 interface wireless snooper gt General Information Station and AccessPoint This example shows how to configure 2 Lobo routers one as Access Point and the other one as a Station on SGHz 802 1 1a standard e On Access Point e mode ap bridge e frequency 5805 e band 5ghz e ssid test e disabled
461. rength and rate was the packet received src read only MAC address the sender s MAC address time read only time time when the packet was received starting from the beginning of sniffing type read only assoc req assoc resp reassoc req reassoc resp probe req probe resp beacon atim disassoc auth deauth ps poll rts cts ack cf end cf endack data d cfack d cfpoll d cfackpoll data null nd cfack nd cfpoll nd cfackpoll type of the sniffed packet Example Sniffed packets admin Lobo924 interface wireless sniffer packet gt pr Flags E crc error FREQ SIGNAL RATE SRC DST TYPE 0 2412 73dBm 1Mbps 00 0B 6B 31 00 53 FF FF FF FF FF FF beacon 1 2412 91dBm 1Mbps 00 02 6F 01 CE 2E FF FF FF FF FF FF beacon 2 2412 45dBm 1Mbps 00 02 6F 05 68 D3 FF FF FF FF FF FF beacon 3 2412 72dBm 1Mbps 00 60 B3 8C 98 3F FF FF FF FF FF FF beacon 4 2412 65dBm 1lMbps 00 01 24 70 3D 4E FF FF FF FF FF FF probe req 5 2412 60dBm 1Mbps 00 01 24 70 3D 4E FF FF FF FF FF FF probe reg 6 2412 61dBm 1lMbps 00 01 24 70 3D 4E FF FF FF FF FF FF probe req Snooper Home menu level Ainterface wireless snooper Description With wireless snooper you can monitor the traffic load on each channel Property Description channel time time default 200ms how long to snoop each channel if multiple channels is set Other trademarks and registred trademarks mentioned he
462. replaces destination address of an IP packet to one of the router s local addresses return passes control back to the chain from where the jump took place same gives a particular client the same source destination IP address from supplied range for each connection This is most frequently used for services that expect the same client address for multiple connections from the same client src nat replaces source address of an IP packet to values specified by to addresses and to ports parameters address list name specifies the name of the address list to collect IP addresses from rules having action add dst to address list or action add src to address list actions These address lists could be later used for packet matching address list timeout time default 00 00 00 time interval after which the address will be removed from the address list specified by address list parameter Used in conjunction with add dst to address list or add src to address list actions e 00 00 00 leave the address in the address list forever chain dstnat srcnat name specifies the chain to put a particular rule into As the different traffic is passed through different chains always be careful in choosing the right chain for a new rule If the input does not match the name of an already defined chain a new chain will be created Other trademarks and registred trademarks mentioned herein are properties of their respective owners e dstnat a rule
463. requirements for HTTP caching HEAD This method shares all features of GET method except that the server must not return a message body in the response This retrieves the metainformation of the entity implied by the request which leads to a wide usage of it for testing hypertext links for validity accessibility and recent modification The response to a HEAD request may be cacheable in the way that the information contained in the Other trademarks and registred trademarks mentioned herein are properties of their respective owners response may be used to update previously cached entity identified by that Request URI POST This method requests that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request URI The actual action performed by the POST method is determined by the origin server and usually is Request URI dependent Responses to POST method are not cacheable unless the response includes appropriate Cache Control or Expires header fields PUT This method requests that the enclosed entity be stored under the supplied Request URI If another entity exists under specified Request URI the enclosed entity should be considered as updated newer version of that residing on the origin server If the Request URI is not pointing to an existing resource the origin server should create a resource with that URI If the request passes through a cache and the Request
464. ress list items found in NAT mangle and filter facilities Property Description list name specify the name of the address list to add IP address to address JP address netmask IP address IP address specify the IP address or range to be added to the address list Note that console converts entered address netmask value to a valid network address i e 1 1 1 1 24 is converted to 1 1 1 0 24 Example The following example creates an address list of people thet are connecting to port 23 telnet on the router and drops all further traffic from them Additionaly the address list will contain one static entry of address 192 0 34 166 32 www example com admin Lobo924 gt ip firewall address list add list drop_traffic address 192 0 34 166 32 admin Lobo924 gt ip firewall address list print Flags X disabled D dynamic LIST ADDRESS 0 drop_traffic 192 0 34 166 admin Lobo924 gt ip firewall mangle add chain prerouting protocol tcp dst port 23 action add srce to address list address list drop_traffic admin Lobo924 gt ip firewall filter add action drop chain input src address list drop_traffic admin Lobo924 gt ip firewall address list print Flags X disabled D dynamic LIST ADDRESS 0 drop_traffic 192 0 34 166 1 D drop_traffic 1 1 1 1 2 D drop_traffic 10 5 11 8 admin Lobo924 gt As seen in the output of the last print command two new dynamic entries ap
465. ridge Specifications Packages required system License required level3 Home menu level Ainterface bridge Standards and Technologies JEEE801 1D Hardware usage Not significant Related Documents Software Package Management Other trademarks and registred trademarks mentioned herein are properties of their respective owners gt Filter Description Ethernet like networks Ethernet Ethernet over IP IEEE802 11 in ap bridge or bridge mode WDS VLAN can be connected together using MAC bridges The bridge feature allows the interconnection of hosts connected to separate LANs using EoIP geographically distributed networks can be bridged as well if any kind of IP network interconnection exists between them as if they were attached to a single LAN As bridges are transparent they do not appear in traceroute list and no utility can make a distinction between a host working in one LAN and a host working in another LAN if these LANs are bridged depending on the way the LANs are interconnected latency and data rate between hosts may vary Network loops may emerge intentionally or not in complex topologies Without any special treatment loops would prevent network from functioning normally as they would lead to avalanche like packet multiplication Each bridge runs an algorithm which calculates how the loop can be prevented STP allows bridges to communicate with each other so they can negotiate a loop free topology All oth
466. rity takes precedence retransmit interval time default 5s time between retransmitting lost link state advertisements When a router sends a link state advertisement LSA to its neighbor it keeps the LSA until it receives back the acknowledgment If it receives no acknowledgment in time it will retransmit the LSA The following settings are recommended for Broadcast network are 5 seconds and for Point to Point network are 10 seconds transmit delay time default 1s link state transmit delay is the estimated time it takes to transmit a link state update packet on the interface Example To add an entry that specifies that ether2 interface should send Hello packets every 5 seconds do the following Other trademarks and registred trademarks mentioned herein are properties of their respective owners admin Lobo924 routing ospf gt interface add interface ether2 hello interval 5s admin Lobo924 routing ospf gt interface print 0 interface ether2 cost 1 priority 1 authentication key retransmit interval 5s transmit delay 1s hello interval 5s dead interval 40s admin Lobo924 routing ospf gt Virtual Links Home menu level routing ospf virtual link Description As stated in OSPF RFC the backbone area must be contiguous However it is possible to define areas in such a way that the backbone is no longer contiguous In this case the system administrator must restore backbone connectivity by configuring virtual li
467. rks and registred trademarks mentioned herein are properties of their respective owners requirements of your CA Example To import a certificate and the respective private key already uploaded on the router admin Lobo924 certificate gt import passphrase xXxxx certificates imported private keys imported files imported decryption failures keys with no certificate admin Lobo924 certificate gt print Flags K decrypted private key Q private key R rsa D dsa 0 QR name cert1 subject C LV ST 0 CN cert test mt lv issuer C LV ST 0 CN third serial number 01 invalid before sep 17 2003 11 56 19 invalid after sep 16 2004 11 56 19 ca yes FONEFE admin Lobo924 certificate gt decrypt passphrase xXxXxx keys decrypted 1 admin Lobo924 certificate gt print Flags K decrypted private key Q private key R rsa D dsa 0 KR name cert1 subject C LV ST 0 CN cert test mt lv issuer C LV ST 0 CN third serial number 01 invalid before sep 17 2003 11 56 19 invalid after sep 16 2004 11 56 19 ca yes admin Lobo924 certificate gt Now the certificate may be used by HotSpot servlet admin Lobo924 ip service gt print Flags X disabled I invalid NAME PORT ADDRESS CERTIFICATE 0 telnet 23 0 0 0 0 0 1 ftp i 0 0 0 0 0 2 WWW 8081 0 0 0 0 0 3 hotspot 80 0 0 0 0 0 4 ssh 22 0 0 0 0 0 5 hotspot ssl 443 0 0 0 0 0 none admin Lobo924 ip service gt set ho
468. rm textual comment for the rule A comment can be used to refer the particular rule from scripts connection bytes integer integer match packets only if a given amount of bytes has been transfered through the particular connection e 0 means infinity exempli gratia connection bytes 2000000 0 means that the rule matches if more than 2MB has been transfered through the relevant connection connection limit integer netmask restrict connection limit per address or address block connection mark name match packets marked via mangle facility with particular connection mark connection type ftp gre h323 irc mms pptp quake3 tftp match packets from related connections based on information from their connection tracking helpers A relevant connection helper must be enabled under ip firewall service port content text the text packets should contain in order to match the rule dst address JP address netmask IP address IP address specify the address range an IP packet is destined to Note that console converts entered address netmask value to a valid network address i e 1 1 1 1 24 is converted to 1 1 1 0 24 dst address list name match destination address of a packet against user defined address list dst address type unicast local broadcast multicast match destination address type of the IP packet one of the e unicast IP addresses used for one point to another point transmission There is o
469. rms e queuing discipline qdisc an algorithm that holds and maintains a queue of packets It specifies the order of the outgoing packets it means that queuing discipline can reorder packets Qdisc also decides which packets to drop if there is no space for them e filter a procedure that classifies packets The filter is responsible for classifying packets so that they are put in the corresponding qdiscs e level position of a class in the hierarchy e inner class a class that has one or more child classes attached to it Inner classes do not store Other trademarks and registred trademarks mentioned herein are properties of their respective owners any packets but they do traffic shaping The class also does not have its own priority leaf class a class that has a parent but does not have any child classes Leaf classes are always located at level 0 of the hierarchy Each leaf class has a qdisc attached to it self feed an object that represents the exit for the packets from all the classes active at its level of the hierarchy It consists of 8 self slots self slot an element of a self feed that corresponds to each particular priority All classes active at the same level of one priority are attached to one self slot that they are using to send packets out through active class at a particular level a class that is attached to a self slot at the given level inner feed similar to self feed object which consists of in
470. rocess like web proxy VPN or others Alike there are two ways for a packet to leave the processing pipeline A packet can leave through the one of the router s interfaces in this case the interface is referred as output interface or it can end up in the local process In general traffic can be destined to one of the router s IP addresses it can originate from the router or simply should be passed through To further complicate things the traffic can be bridged or routed one which is determined during the Bridge Decision stage Routed traffic The traffic which is being routed can be one of three types e the traffic which is destined to the router itself The IP packets has destination address equal to one of the router s IP addresses A packet enters the router through the input interface sequentially traverses prerouting and input chains and ends up in the local process Consequently a packet can be filtered in the input chain filter and mangled in two places the input and the prerouting chain filters e the traffic originated by the router In this case the IP packets have their source addresses identical to one of the router s IP addresses Such packets travel through the output chain then they are passed to the routing facility where an appropriate routing path for each packet is determined and leave through the postrouting chain e one which passes through the router These packets go through the prerouting forward and postrouting
471. roper addressing the router also needs the network mask value id est which bits of the complete IP address refer to the address of the host and which to the address of the network The network address value is calculated by binary AND operation from network mask and IP address values It s also possible to specify IP address followed by slash and amount of bits assigned to a network mask In most cases it is enough to specify the address the netmask and the interface arguments The network prefix and the broadcast address are calculated automatically It is possible to add multiple IP addresses to an interface or to leave the interface without any addresses assigned to it Leaving a physical interface without an IP address is not a must when the bridging between interfaces is used In case of bridging the IP address can be assigned to any interface in the bridge but actually the address will belong to the bridge interface You can use ip address print detail to see to which interface the address belongs to Lobo OSB has following types of addresses e Static manually assigned to the interface by a user e Dynamic automatically assigned to the interface by estabilished ppp ppptp or pppoe connections Property Description actual interface read only name only applicable to logical interfaces like bridges or tunnels Holds the name of the actual hardware interface the logical one is bound to address IP address IP addr
472. roperties of their respective owners e dynamic size choose the best frame size dynamically name name reference name of the interface Notes Such settings as enable polling framer policy and framer limit are relevant only on Access Point they are ignored for client devices The client automatically adapts to AP settings WDS for Nstreme protocol requires using station wds mode on one of the peers Configurations with WDS between AP modes bridge and ap bridge will not work Example To enable the nstreme protocol on the wlan radio with exact size framing admin Lobo924 interface wireless nstreme gt print 0 name wlanl enable nstreme no enable polling yes framer policy non framer limit 3200 admin Lobo924 interface wireless nstreme gt set wlanl enable nstreme yes framer policy exact siz Nstreme2 Group Settings Home menu level interface wireless nstreme dual Description Two radios in nstreme dual slave mode can be grouped together to make nstreme2 Point to Point connection To put wireless interfaces into a nstreme2 group you should set their mode to nstreme dual slave Many parameters from interface wireless menu are ignored using the nstreme2 except e frequency mode e country e antenna gain e tx power e tx power mode e antenna mode Property Description arp disabled enabled proxy arp reply only default enabled Address Resolution Protocol setting disable
473. roperty Description Bridge NAT Description Property Description Bridge Brouting Facility Description Property Description Troubleshooting Other trademarks and registred trademarks mentioned herein are properties of their respective owners Description General Information Summary MAC level bridging of Ethernet Ethernet over IP EoIP Prism Atheros and RadioLAN interfaces are supported All 802 11a 802 11b and 802 11g client wireless interfaces ad hoc infrastructure or station mode do not support this because of the limitations of 802 11 However it is possible to bridge over the Prism and Atheros based links using the WDS feature for Atheros and Prism chipset based cards or Ethernet over IP protocol For preventing loops in a network you can use the Spanning Tree Protocol STP This protocol is also used for configurations with backup links Main features e Spanning Tree Protocol STP e Multiple bridge interfaces e Bridge associations on a per interface basis e MAC address table can be monitored in real time e IP address assignment for router access e Bridge interfaces can be filtered and NATed e Support for brouting based on bridge packet filter Quick Setup Guide To put interface ether1 and ether2 in a bridge 1 Add a bridge interface called MyBridge interface bridge add name MyBridge disabled no 2 Add ether1 and ether2 to MyBridge interface interface bridge port set etherl ether2 bridge MyB
474. ross reboots e local defined by local keyword local variables are not shared with any other script other instance of the same script or other console logins The value of local variable value is lost when script finishes loop index variables defined within for and foreach statements these variables are used only in do block of commands and are removed after command completes e monitor variables some monitor commands that have do part can also introduce variables You can obtain a list of available variables by placing environment print statement inside the do block of commands You can assign a new value to variable using set action It takes two unnamed parameters the name of the variable and the new value of the variable If a variable is no longer needed it s name can be freed by unset command If you free local variable it s value is lost If you free global variable it s value is still kept in router it just becomes inaccessible from current script Notes Loop variables shadows already introduced variables with the same name Example admin Lobo924 ip route gt admin Lobo924 gt global gl this is global variable admin Lobo924 gt put S gl this is global variable admin Lobo924 gt Command Substitution and Return Values Description Some console commands are most useful if their output can be feed to other commands as an argument value In OSB console this is done by using the retur
475. routing information between the routers belonging to a single autonomous system AS An AS is a group of routers exchanging routing information via a common routing protocol In order to deploy the OSPF all routers it will be running on should be configured in a coordinated manner note that it also means that the routers should have the same MTU for all the networks advertized by OSPF protocol The OSPF protocol is started after you will add a record to the OSPF network list The routes learned by the OSPF protocol are installed in the routes table list with the distance of 110 General Setup Home menu level routing ospf Description In this section you will learn how to configure basic OSPF settings Property Description distribute default never if installed as type 1 if installed as type 2 always as type 1 always as type 2 default never specifies how to distribute default route Should be used for ABR Area Border router or ASBR Autonomous System boundary router settings e never do not send own default route to other routers Other trademarks and registred trademarks mentioned herein are properties of their respective owners e if installed as type 1 send the default route with type 1 metric only if it has been installed a static default route or route added by DHCP PPP etc e if installed as type 2 send the default route with type 2 metric only if it has been installed a static default route or rout
476. rs src address JP address netmask source address of the IP packet url wildcard the URL of the HTTP request Notes Unlike the access list the direct proxy access list has default action equal to deny It takes place when no rules are specified or a particular request did not match any rule Cache Management Home menu level ip web proxy cache Description Cache access list specifies which requests domains servers pages have to be cached locally by web proxy and which not This list is implemented exactly the same way as web proxy access list Default action is to cache object if no matching rule is found Property Description action allow deny default allow specifies the action to perform on matched packets e allow cache objects from matched request e deny do not cache objects from matched request dst address JP address netmask destination address of the IP packet dst port port a list or range of ports the packet is destined to local port port specifies the port of the web proxy via which the packet was received This value should match one of the ports web proxy is listening on method any connect delete get head options post put trace HTTP method used in the request see HTTP Methods section in the end of this document src address JP address netmask source address of the IP packet url wildcard the URL of the HTTP request Complementary Tools Descrip
477. rs that support SSL protocol have a list of the Certificate Authorities they trust the most known and trusted CA is VeriSign but that is not the only one Other trademarks and registred trademarks mentioned herein are properties of their respective owners To use a Certificate which contain a public key server needs a private key One of the keys is used for encryption and the other for decryption It is important to understand that both keys can encrypt and decrypt but what is encrypted by one of them can be decrypted only by the another Private key must be kept securely so that nobody else can get it and use this certificate Usually private key is encrypted with a passphrase Most trusted Certificate Authorities sell the service of signing Certificates Certificates also have a finite validity term so you will have to pay regularly It is also possible to create a self signed Certificate you can create one on most UNIX Linux boxes using openssl toolkit all Root Certificate Authorities have self signed Certificates but if it is not present in a browser s database the browser will pop up a security warning saying that the Certificate is not trusted note also that most browsers support importing custom Certificates to their databases Certificates Home menu level certificate Description Lobo OSB can import Certificates for the SSL services it provides only HotSpot for now This submenu is used to manage Certificates for
478. rvice pppo admin PPPoE Server ppp secret gt print Flags X disabled NAME SERVICE CALLER ID PASSWORD PROFILE REMOTE ADDRESS 0 w pppoe wkst default 0 0 0 0 1 al pppoe ltp default 0 0 0 0 admin PPPoE Server ppp secret gt Thus we have completed the configuration and added two users w and l who are able to connect to Internet using PPPoE client software Note that Windows XP built in client supports encryption but RASPPPOE does not So if it is planned not to support Windows clients older than Windows XP it is recommended to switch require encryption to yes value in the default profile configuration In other case the server will accept clients that do not encrypt data Troubleshooting Description Other trademarks and registred trademarks mentioned herein are properties of their respective owners I can connect to my PPPoE server The ping goes even through it but I still cannot open web pages Make sure that you have specified a valid DNS server in the router in ip dns or in ppp profile the dns server parameter The PPPoE server shows more than one active user entry for one client when the clients disconnect they are still shown and active Set the keepalive timeout parameter in the PPPoE server configuration to 10 if You want clients to be considered logged off if they do not respond for 10 seconds Note that if the keepalive timeout par
479. s If you want to enter or edit multiline system note you may need to use embedded text editor system note edit note Other trademarks and registred trademarks mentioned herein are properties of their respective owners Bandwidth Test Document revision 1 9 Fri Nov 26 11 00 29 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Summary Specifications Related Documents Description Server Configuration Property Description Notes Example Client Configuration Property Description Example General Information Summary The Bandwidth Tester can be used to monitor the throughput only to a remote Lobo router either wired or wireless and thereby help to discover network bottlenecks Specifications Packages required system License required levell Home menu level tool Standards and Technologies TCP RFC 793 UDP RFC768 Hardware usage significant Related Documents Software Package Management Description Protocol Description The TCP test uses the standard TCP protocol with acknowledgments and follows the TCP algorithm on how many packets to send according to latency dropped packets and other features in the TCP algorithm Please review the TCP protocol for details on its internal speed settings and how Other trademarks and registred trademarks mentioned herein are properties of their respective owners to analyze its behavior Statistics for thro
480. s Neighbour MAC addresses will be resolved using ip arp statically set table only arp interval time default 00 00 00 100 time in milliseconds which defines how often to monitor ARP requests arp ip targets IP address default IP target address which will be monitored if link monitoring is set to arp You can specify multiple IP addresses separated by comma down delay time default 00 00 00 if a link failure has been detected bonding interface is disabled for down delay time Value should be a multiple of mii interval lacp rate sec 30secs default 30secs Link Aggregation Control Protocol rate specifies how often to exchange with LACPDUs between bonding peer Used to determine whether link is up or other changes have occured in the network LACP tries to adapt to these changes providing failover link monitoring arp mii typel mii type2 none default none method to use for monitoring the link whether it is up or down e arp uses Address Resolution Protocol to determine whether the remote interface is reachable e mii typel uses Media Independent Interface typel to determine link status Link status Other trademarks and registred trademarks mentioned herein are properties of their respective owners determenation relies on the device driver If bonding shows that the link status is up when it should not be then it means that this card don t support this possibility e mii type2 uses MII type2 to de
481. s a g 6Mbps max station count 2007 ack timeout dynamic tx power default noise floor threshold default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge non update stats interval disabled default authentication yes default forwarding yes hide ssid no 802 1x mode none admin Lobo924 interface wireless gt set 0 1 mode nstreme dual slav 2 Then add nstreme2 interface with exact size framing admin Lobo924 interface wireless nstreme dual gt add framer policy exact siz 3 Configure which card will be receiving and which transmitting and specify remote receiver card s MAC address admin Lobo924 interface wireless nstreme dual gt print Flags X disabled R running 0 X name n stremel mtu 1500 mac address 00 00 00 00 00 00 arp enabled disable running check no tx radio unknown rx radio unknown remote mac 00 00 00 00 00 00 tx band 5GHz tx frequency 5180 rates b 1Mbps 2Mbps 5 5Mbps 11Mbps rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps rx band 5GHz rx frequency 5320 framer policy exact siz framer limit 4000 admin Lobo924 interface wireless nstreme dual gt set 0 disabled no tx radio wlanl rx radio wlan2 remote mac 00 0C 42 05 0B 12 admin Lobo924 interface wireless nstreme dual gt print Flags X disabled R running 0 X name n stremel mtu 1500 ma
482. s n Lobo924 queue tree gt nd similar config for Laptop and Workstation n Lobo924 queue tree gt add name Laptop Wkst Down parent Local packet mark lap_work limit at 65535 max limit 262144 n Lobo924 queue tree gt add name Laptop Wkst Up parent Public packet mark lap_work limit at 32768 max limit 131072 n Lobo924 queue tree gt print X disabled I invalid name Server Download parent Local packet mark server limit at 131072 queue default priority 8 max limit 262144 burst limit 0 burst threshold 0 burst time 0s name Server Upload parent Public packet mark server limit at 65536 queue default priority 8 max limit 131072 burst limit 0 Other trademarks and registred trademarks mentioned herein are properties of their respective owners burst threshold 0 burst time 0s 2 name Laptop Wkst Down parent Local packet mark lap_work limit at 65535 queue default priority 8 max limit 262144 burst limit 0 burst threshold 0 burst time 0s 3 name Laptop Wkst Up parent Public packet mark lap_work limit at 32768 queue default priority 8 max limit 131072 burst limit 0 burst threshold 0 burst time 0s admin Lobo924 queue tree gt Equal bandwidth sharing among users This example shows how to equally share 10Mibps download and 2Mibps upload among active users in the network 192 168 0 0 24 If Host A is downloading 2 Mibps Host B gets 8 Mibps and vice versa
483. s DNS Hardware usage Not significant Related Documents Software Package Management HotSpot Gateway Other trademarks and registred trademarks mentioned herein are properties of their respective owners Description The Lobo router with DNS cache feature enabled can be set as a primary DNS server for any DNS compliant clients Moreover Lobo router can be specified as a primary DNS server under its dhcp server settings When the DNS cache is enabled the Lobo router responds to DNS TCP and UDP requests on port 53 Additional Documents http www freesoft org CIE Course Section2 3 htm http www networksorcery com enp protocol dns htm e RFC1035 Client Configuration and Cache Setup Home menu level ip dns Description DNS client is used to provide domain name resolution for router itself as well as for the P2P clients connected to the router Property Description allow remote requests yes no specifies whether to allow network requests cache max ttl time default 1w specifies maximum time to live for cahce records In other words cache records will expire after cache max ttl time cache size integer 512 10240 default 2048KiB specifies the size of DNS cache in KiB cache used read only integer displays the currently used cache size in KiB primary dns P address default 0 0 0 0 primary DNS server secondary dns P address default 0 0 0 0 secondary DNS server Notes If the
484. s default 00 00 00 00 00 00 ARP destination MAC address Other trademarks and registred trademarks mentioned herein are properties of their respective owners arp hardware type integer default 1 ARP hardware type This normally Ethernet Type 1 arp opcode arp nak drarp error drarp reply drarp request inarp request reply reply reverse request request reverse ARP opcode packet type e arp nak negative ARP reply rarely used mostly in ATM networks e drarp error Dynamic RARP error code saying that an IP address for the given MAC address can not be allocated e drarp reply Dynamic RARP reply with a temporaty IP address assignment for a host e drarp request Dynamic RARP request to assign a temporary IP address for the given MAC address e inarp request e reply standard ARP reply with a MAC address e reply reverse reverse ARP RARP reply with an IP address assigned e request standard ARP request to a known IP address to find out unknown MAC address e request reverse reverse ARP RARP request to a known MAC address to find out unknown IP address intended to be used by hosts to find out their own IP address similarly to DHCP service arp packet type integer arp srce address IP address default 0 0 0 0 0 ARP source IP address arp src mac address MAC address default 00 00 00 00 00 00 ARP source MAC address chain text bridge firewall chain which the filter is functioning in e
485. s 192 168 1 11 192 168 Locall Pool ranges 192 168 2 11 192 168 ip pool gt print RANGES 192 16841 192 168 2 ip pool gt Create DHCP Servers ip dhcp server add interfac address pool ip dhcp server add interfac LO address pool admin D Flags X 0 DHC 1 DHC admin D NAME LO HCP Server disable t P 1 P 2 HCP Server NTERFACE o DHCP Server ocall ocal2 For networks 192 168 1 0 24 and 1100 2 100 11 192 168 1 100 11 192 168 2 100 To DHCP Relay relay 192 168 1 1 call Pool name DHCP 1 disabled no To DHCP Relay relay 192 168 2 1 cal2 Pool name DHCP 2 disabled no ip dhcp server gt print d I invalid INTERFACE RELAY ADDRESS POOL LEASE TIME ADD ARP To DHCP Relay 192 168 1 1 Locall Pool 3d00 00 00 To DHCP Relay 192 168 2 1 Local2 Pool 3d00 00 00 ip dhcp server gt Configure respective networks ip dhcp server network add address 192 168 1 0 24 gateway 192 168 1 1 dns server 159 148 60 20 ip dhcp server network add address 192 168 2 0 24 gateway 192 168 2 1 dns server 159 148 60 20 admin DHCP Server ESS ADDR 0 192 1 1 1921 admin DHCP Server 68 1 0 24 68 2 0 24 ip dhcp server network gt print GATEWAY DNS SERVER WINS SERVER DOMAIN 192 168 1 1 159 148 60 20 192 168 2 1 159 148 60 20 ip dhcp server network gt Configura
486. s HTB hierarchy 1 Imagine a situation when there have packets arrived at Leaf1 and Leaf2 Because of this Leaf1 attaches itself to this level s Level 0 self slot with priority 8 and Leaf2 attaches to self slot with priority 7 Leaf3 has nothing to send so it does nothing This is a simple situation there are active classes Leafl and Leaf2 at Level 0 and as they both are in green state they are processed in order of their priorities at first we serve Leaf2 then Leaf1 Now assume that Leaf2 has to send more than 256kbps for this reason it attaches itself to its parent s ClassB inner feed which recursively attaches itself to Levell self slot at priority 7 Leafl continues to be at green state it has to send packets but not faster than 1Mbps Leaf3 still has nothing to send This is a very interesting situation because Leafl gets a higher priority than Leaf2 when it is in the green state although we have configured it for a lower priority 8 than Leaf2 It is because Leaf2 has disconnected itself from self feed at Level 0 and now is borrowing from its parent ClassB which has attached to self feed at Level 1 And because of this the priority of Leaf2 has traveled to Levell Remember that at first we serve those classes which are at the lowest level with the highest priority then continuing with the next level and so on Consider that Leaf1 has reached its max limit and changed its state to red and Leaf2 now uses more
487. s TCP MSS value of an IP packet time time time sat fri thu wed tue mon sun allows to create filter based on the packets arrival time and date or for locally generated packets departure time and date to addresses JP address IP address default 0 0 0 0 address or address range to replace original address of an IP packet with Other trademarks and registred trademarks mentioned herein are properties of their respective owners to ports integer 0 65535 integer 0 65535 port or port range to replace original port of an IP packet with tos max reliability max throughput min cost min delay normal specifies a match to the value of Type of Service ToS field of IP header e max reliability maximize reliability ToS 4 e max throughput maximize throughput ToS 8 e min cost minimize monetary cost ToS 2 e min delay minimize delay ToS 16 e normal normal service ToS 0 NAT Applications Description In this section some NAT applications and examples of them are discussed Basic NAT configuration Assume we want to create router that e hides the private LAN behind one address e provides Public IP to the Local server e creates 1 1 mapping of network addresses Example of Source NAT Masquerading If you want to hide the private LAN 192 168 0 0 24 behind one address 10 5 8 109 given to you by the ISP you should use the source network address translation masquerading
488. s approximately 40 seconds the hello interval setting If required 0 0 0 0 10 2 0 1 Ko r 0 0 0 0 r 0 0 0 0 ip route gt print ip route gt print I invalid D dynamic icy BS fEEp Wo OSP G GATEWAY O62 50 4 2 r 0 0 0 0 06 0 20 0 ee LOZ 02 110 0 110 110 0 110 0 b bgp main_gw to_peer_2 to_peer_2 to_peer_1l b bgp J rejected DISTANCE INTERFACE 110 backup 110 0 backup 110 backup 110 0 to_main J rejected DISTANCE INTERFACE 110 to_main 110 0 to_peer_1l 110 0 to_main KEQ to_main this setting can be adjusted but it should be done on all routers within the OSPF area Other trademarks and registred trademarks mentioned herein are properties of their respective owners RIP Document revision Wed Mar 24 12 32 12 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Summary Specifications Related Documents Description Additional Documents General Setup Property Description Notes Example Interfaces Description Property Description Notes Example Networks Description Property Description Notes Example Neighbors Description Property Description Example Routes Property Description Notes Example Example General Information Summary Lobo OSB implements RIP Version 1 RFC1058 and Version 2 RFC 2453 RIP enables routers in an autonomous syste
489. s no authentication or state for this interface The bandwidth usage of the interface may be monitored with the monitor feature from the interface menu Lobo OSB IPIP implementation has been tested with Cisco 1005 The sample of the Cisco 1005 configuration is given below interface Tunnel0O ip address 10 3 0 1 255 255 255 0 tunnel source 10 0 0 171 tunnel destination 10 0 0 204 tunnel mode ipip General Information Description Suppose we want to add an IPIP tunnel between routers R1 and R2 _ _ IFIP tunnel a R1 R2 IF address 10 0 0 1 IF address 22 63 11 6 At first we need to configure IPIP interfaces and then add IP addresses to them The configuration for router R1 is as follows admin Lobo924 interface ipip gt add local address 10 0 0 1 remote address 22 63 11 6 Other trademarks and registred trademarks mentioned herein are properties of their respective owners admin Lobo924 interface ipip gt print Flags X disabled R running NAME MTU LOCAL ADDRESS REMOTE ADDRESS 0 X ipipl 1480 10 0 0 1 22 3 63 6 115 6 admin Lobo924 interface ipip gt en 0 admin Lobo924 interface ipip gt ip address add address 1 1 1 1 24 interface ipipl The configuration of the R2 is shown below admin Lobo924 interface ipip gt add local address 22 63 11 6 remote address 10 0 0 1 admin Lobo924 interface ipip gt print Flags X disabled R running NAME M
490. s of the primary DNS server assigned by the DHCP Server secondary dns P address IP address of the secondary DNS server assigned by DHCP Server primary ntp IP address of the primary NTP server assigned by the DHCP Server secondary ntp IP address of the secondary NTP server assigned by the DHCP Server status bound error rebinding renewing requesting searching stopped shows the status of DHCP Client use peer dns yes no default yes whether to accept the DNS settings advertized by DHCP server they will be ovverriden in ip dns submenu use peer ntp yes no default yes whether to accept the NTP settings advertized by DHCP server they will override the settings put in the system ntp client submenu Command Description release release current binding and restart DHCP client renew renew current leases If the renew operation was not successful client tries to reinitialize lease i e it starts lease request procedure rebind as if it had not received an IP address yet Notes If host name property is not specified client s system identity will be sent in the respective field of DHCP request If client id property is not specified client s MAC address will be sent in the respective field of DHCP request If use peer dns property is enabled the DHCP client will unconditionally rewrite the settings in ip dns submenu In case two or more DNS servers were received first two of them
491. s on which the protocol is working Example To set the FTP protocol uses both 20 and 21 TCP port admin Lobo924 ip hotspot service port gt print Flags X disabled AME PORTS 0 ftp 21 admin Lobo924 ip hotspot service port gt set ftp ports 20 21 admin Lobo924 ip hotspot service port gt print Flags X disabled NAME PORTS 0 ftp 20 21 admin Lobo924 ip hotspot service port gt Customizing HotSpot Firewall Section Description Apart from the obvious dynamic entries in the ip hotspot submenu itself like hosts and active users some additional rules are added in the firewall tables when activating a HotSpot service Unlike OSB version 2 8 there are relatively few firewall rules added in the firewall as the main job is made by the one to one NAT algorithm NAT rules From ip firewall nat print dynamic command you can get something like this comments follow after each of the rules Putting all HotSpot related tasks for packets from all HotSpot clients into a separate chain Redirect all DNS requests to the HotSpot service The 64872 port provides DNS service for all HotSpot users If you want HotSpot server to listen also to another port add rules here the same way changing dst port property Other trademarks and registred trademarks mentioned herein are properties of their respective owners Redirect all HTTP login requests to the HTTP login servlet The 64873 is HotSpot HTTP servlet port Re
492. s over the L2TP tunnel you need to add these routes admin HomeOffice gt ip route add dst address 10 150 1 0 24 gateway 10 0 103 2 admin RemoteOffice gt ip route add dst address 10 150 2 0 24 gateway 10 0 103 1 On the L2TP server it can alternatively be done using routes parameter of the user configuration admin HomeOffice ppp secret gt print detail Flags X disabled 0 name ex service l2tp caller id password 1kjrht profile default local address 10 0 103 1 remote address 10 0 103 2 routes admin HomeOffice ppp secret gt set 0 routes 10 150 1 0 24 10 0 103 2 1 admin HomeOffice ppp secret gt print detail Flags X disabled 0 name ex service l2tp caller id password l1kjrht profile default local address 10 0 103 1 remote address 10 0 103 2 routes 10 150 1 0 24 10 0 103 2 1 admin HomeOffice ppp secret gt Test the L2TP tunnel connection admin RemoteOffice gt ping 10 0 103 1 10 0 103 1 pong ttl 255 time 3 ms 10 0 103 1 pong tt1l 255 time 3 ms 10 0 103 1 pong ttl 255 time 3 ms ping interrupted 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 3 3 0 3 ms Test the connection through the L2TP tunnel to the LocalHomeOffice interface Other trademarks and registred trademarks mentioned herein are properties of their respective owners admin RemoteOffice gt ping 10 150 2 254 10 150 2 254 pong ttl 255 time 3 ms 10 150 2 254 pong ttl 255 tim
493. s print Flags X disabled I invalid D dynamic 4 ADDRESS NETWORK BROADCAST INTERFACE 0 10 1 0 1 24 10 0 0 0 10 0 0 255 public 1 192 168 1 3 24 192 168 1 0 192 168 1 4 255 local 2 D 192 168 1 1 24 192 168 1 0 192 5168 1 255 local admin Lobo924 ip vrrp gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners
494. s working on the same channel The interface also can send special packets which contains information about its parameters Property Description active mode yes no default yes whether the interface will receive and transmit alignment packets or it will only receive them audio max integer default 20 signal strength at which audio beeper frequency will be the Other trademarks and registred trademarks mentioned herein are properties of their respective owners highest audio min integer default 100 signal strength at which audio beeper frequency will be the lowest audio monitor MAC address default 00 00 00 00 00 00 MAC address of the remote host which will be listened filter mac MAC address default 00 00 00 00 00 00 in case if you want to receive packets from only one remote host you should specify here its MAC address frame size integer 200 1500 default 300 size of alignment packets that will be transmitted frames per second integer 1 100 default 25 number of frames that will be sent per second in active mode receive all yes no default no whether the interface gathers packets about other 802 11 standard packets or it will gather only alignment packets ssid all yes no default no whether you want to accept packets from hosts with other ssid than yours test audio integer test the beeper for 10 seconds Notes If you are using the comm
495. sa src address 10 0 0 147 sa dst address 10 0 0 148 action encrypt admin WiFi ip ipsec policy gt print Flags X disabled D dynamic I invalid 0 src address 10 0 0 147 32 any dst address 10 0 0 148 32 any protocol all action encrypt level require ipsec protocols esp tunnel no sa src address 10 0 0 147 sa dst address 10 0 0 148 proposal default manual sa none dont fragment clear admin WiFi ip ipsec policy gt to view the policy statistics do the following admin WiFi ip ipsec policy gt print stats Flags X disabled D dynamic I invalid 0 src address 10 0 0 147 32 any dst address 10 0 0 148 32 any protocol all ph2 state no phase2 in accepted 0 in dropped 0 out accepted 0 out dropped 0 encrypted 0 not encrypted 0 decrypted 0 not decrypted 0 admin WiFi ip ipsec policy gt Peers Home menu level ip ipsec peer Description Peer configuration settings are used to establish connections between IKE daemons phase 1 configuration This connection then will be used to negotiate keys and algorithms for SAs Property Description address ZP address netmask port default 0 0 0 0 32 500 address prefix If remote peer s address matches this prefix then this peer configuration is used while authenticating and establishing phase 1 If several peer s addresses matches several configuration entries the most specific one 1 e the one with largest netmask will be used
496. scription name name default etherN assigned interface name whrere N is the number of the ethernet interface arp disabled enabled proxy arp reply only default enabled Address Resolution Protocol cable setting default short standard default default changes the cable length setting only applicable to NS DP83815 6 cards e default suport long cables e short support short cables e standard same as default mtu integer default 1500 Maximum Transmission Unit disable running check yes no default yes disable running check If this value is set to no the router automatically detects whether the NIC is connected with a device in the network or not mac address MAC address set the Media Access Control number of the card auto negotiation yes no default yes when enabled the interface advertises its maximum capabilities to achieve the best connection possible full duplex yes no default yes defines whether the transmission of data appears in two directions simultaneously speed 70 Mbps 100 Mbps 1 Gbps sets the data transmission speed of the interface By default this value is the maximal data rate supported by the interface Notes For some Ethernet NICs it is possible to blink the LEDs for 10s Type interface ethernet blink ether1 and watch the NICs to see the one which has blinking LEDs When disable running check is set to no the router automatically detec
497. sent to all the listed servers Example To add a DHCP relay named relay on etherl interface resending all received requests to the 10 0 0 1 DHCP server admin Lobo924 ip dhcp relay gt add name relay interface etherl dhep server 10 0 0 1 disabled no admin Lobo924 ip dhcp relay gt print Flags X disabled I invalid NAME INTERFACE DHCP SERVER LOCAL ADDRESS 0 relay etherl 10 0 0 1 0 0 0 0 admin Lobo924 ip dhcp relay gt Question amp Answer Based Setup Command name ip dhcp server setup Command Description addresses to give out text the pool of IP addresses DHCP server should lease to the clients dhcp address space IP address netmask default 192 168 0 0 24 network the DHCP server will lease to the clients dhcp relay IP address default 0 0 0 0 the IP address of the DHCP relay between the DHCP server and the DHCP clients dhcp server interface name interface to run DHCP server on dns servers IP address IP address of the appropriate DNS server to be propagated to the DHCP clients gateway IP address default 0 0 0 0 the default gateway of the leased network lease time time default 3d the time the lease will be valid Notes Depending on current settings and answers to the previous questions default values of following questions may be different Some questions may disappear if they become redundant for example there is no use of asking for r
498. signal strength read only integer signal strength in dBm ssid read only text service set identifier of the AP Example Scan the 5GHz band Other trademarks and registred trademarks mentioned herein are properties of their respective owners fadmin Lobo924 interface wireless gt scan wlanl Flags A active B bss P privacy R routeros network N nstreme ADDRESS SSID BAND FREQ SIG RADIO NAME AB R 00 0C 42 05 00 28 test 5ghz 5180 77 000C42050028 AB R 00 02 6F 20 34 82 aapl 5ghz 5180 73 00026F203482 AB 00 0B 6B 30 80 0F www 5ghz 5180 84 AB R 00 0B 6B 31 B6 D7 www 5ghz 5180 81 000B6B31B6D7 AB R 00 0B 6B 33 1A D5 R52_test_new 5ghz 5180 79 OOOB6B331AD5 AB R 00 0B 6B 33 0D EA short5 5ghz 5180 70 000B6B330DEA AB R 00 0B 6B 31 52 69 Lobo 5ghz 5220 69 000B6B315269 AB R 00 0B 6B 33 12 BF long2 5ghz 5260 55 000B6B3312BF Q quit D dump C z pause admin Lobo924 interface wireless gt Security Profiles Home menu level Ainterface wireless security profiles Description This section provides WEP Wired Equivalent Privacy and WPA Wi Fi Protected Access functions to wireless interfaces WPA The Wi Fi Protected Access is a combination of 802 1X EAP MIC TKIP and AES This is a easy to configure and secure wireless mechanism WEP The Wired Equivalent Privacy encrypts data only between 802 11 devices using static keys It is not considered as a very secure wireless data encryption mech
499. signed to each Examples are interface or user levels There you can use item names instead of item numbers You do not have to use the print command before accessing items by name As opposed to numbers names are not assigned by the console internally but are one of the items properties Thus they would not change on their own However there are all kinds of obscure situations possible when several users are changing router s configuration at the same time Generally item names are more stable than the numbers and also more informative so you should prefer them to numbers when writing console scripts Notes Item numbers are assigned by print command and are not constant it is possible that two successive print commands will order items differently But the results of last print commands are memorized and thus once assigned item numbers can be used even after add remove and move operations after move operation item numbers are moved with the items Item numbers are assigned on per session basis they will remain the same until you quit the console or until the next print command is executed Also numbers are assigned separately for every item list so ip address print would not change numbers for interface list Example Other trademarks and registred trademarks mentioned herein are properties of their respective owners admin Lobo924 interface gt set 0 mtu 1200 ERROR item number must be assigned by a print command use pr
500. sitory Home menu level system script Description All scripts are stored in the system script menu along with some service information such as script name script owner number of times the script was executed and permissions for particular script In OSB a script may be automatically started in three different ways e via the scheduler e on event occurence for example the netwatch tool generates an event if a network host it is configured to monitor becomes unaccessible e by another script It is also possible to start a script manually via system script run command Property Description last started time date and time when the script has been last invoked The argument is shown only if the run count 0 owner name default admin the name of the user who created the script Other trademarks and registred trademarks mentioned herein are properties of their respective owners policy multiple choice ftp local policy read reboot ssh telnet test web write default reboot read write policy test the list of the policies applicable ftp user can log on remotely via ftp and send and retrieve files from the router e local user can log on locally via console policy manage user policies add and remove user e read user can retrieve the configuration e reboot user can reboot the router e ssh user can log on remotely via secure shell e telnet user can log on remotely via telne
501. smitted data frames hw frame bytes read only integer integer number of sent and received data bytes including header information interface read only name interface that client is registered to last activity read only time last interface data tx rx activity last ip read only IP address IP address found in the last IP packet received from the registered client mac address read only MAC address MAC address of the registered client packets read only integer integer number of sent and received network layer packets packing size read only integer maximum packet size in bytes parent read only MAC address parent access point s MAC address if forwarded from another access point routeros version read only name OSB version of the registered client rx ccq read only integer 0 100 Client Connection Quality a value in percent that shows how effective the receive bandwidth is used regarding the theoretically maximum available bandwidth rx packed read only integer number of received packets in form of received packets number of Other trademarks and registred trademarks mentioned herein are properties of their respective owners packets which were packed into a larger ones using fast frames rx rate read only integer receive data rate signal strength read only integer average signal level tx ccq read only integer 0 100 Client Connection Quality a value in percent that sho
502. so known as 64bit wep and accept only these packets e 104bit wep use the 104bit encryption also known as 128bit wep and accept only these packets e aes ccm use the AES CCM Advanced Encryption Standard in Counter with CBC MAC encryption algorithm and accept only these packets e tkip use the TKIP Temporal Key Integrity Protocol and accept only these packets static algo 1 none 40bit wep 104bit wep aes ccm tkip default none which encryption algorithm to use e none do not use encryption and do not accept encrypted packets e 40bit wep use the 40bit encryption also known as 64bit wep and accept only these packets e 104bit wep use the 104bit encryption also known as 128bit wep and accept only these packets e aes ccm use the AES CCM Advanced Encryption Standard in Counter with CBC MAC encryption algorithm and accept only these packets e tkip use the TKIP Temporal Key Integrity Protocol and accept only these packets static algo 2 none 40bit wep 104bit wep aes ccm tkip default none which encryption algorithm to use e none do not use encryption and do not accept encrypted packets e 40bit wep use the 40bit encryption also known as 64bit wep and accept only these packets e 104bit wep use the 104bit encryption also known as 128bit wep and accept only these packets e aes ccm use the AES CCM Advanced Encryption Standard in Counter with CBC MAC encryption algorithm and accept on
503. spective owners Winbox Document revision 1 0 Fri Mar 05 07 59 49 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Summary Description Troubleshooting Description General Information Summary The Lobo OSB can be configured remotely using Telnet SSH WinBox Console or Webbox In this manual we will discuss how to use the interactive WinBox console Description The Winbox console is used for accessing the Lobo Router configuration and management features using graphical user interface GUI All Winbox interface functions are as close as possible to Console functions all Winbox functions are exactly in the same hierarchy in Terminal Console and vice versa except functions that are not implemented in Winbox That is why there are no Winbox sections in the manual The Winbox Console plugin loader the winbox exe program can be retrieved from the Lobo router the URL is http router_address winbox winbox exe Use any web browser on Windows 95 98 ME NT4 0 2000 XP or Linux to retrieve the winbox exe executable file from Router If your router is not specifically configured you can also type in the web browser just http router_address The Winbox plugins are cached on the local disk for each Lobo OSB version The plugins are not downloaded if they are in the cache and the router has not been upgraded since the last time it has been accessed Starting the Winbox
504. sphrase passphrase for the found encrypted private key e keys decrypted how many keys were successfully decrypted and cached create certificate request creates an RSA certificate request to be signed by a Certificate Authority After this download both private key and certificate request files from the router When you receive your signed certificate from the CA upload it and the private key that is made by this command to a router and use certificate import command to install it e certificate request file name name for the certificate request file if it already exists it will be overwritten This is the original certificate that will be signed by the Certificate Authority e file name name of private key file If such file does not exist it will be created during the next step Private key is used to encrypt the certificate e passphrase the passphrase that will be used to encrypt generated private key file You must enter it twice to be sure you have not made any typing errors e rsa key bits number of bits for RSA encryption key Longer keys take more time to generate 4096 bit key takes about 30 seconds on Celeron 800 system to generate e country name C ISO two character country code e g LV for Latvia state or province name ST full name of state or province e locality name L locality e g city name e organization name O name of the organization or company e organization unit name OU organiz
505. ssion traffic to other subqueues The round robin algorithm dequeues peq allot bytes from each subqueue in a turn The whole SFQ queue can contain 128 packets and there are 1024 subqueues available for these packets Use SFQ for congested links to ensure that some connections do not starve PCQ To solve some SFQ imperfectness Per Connection Queuing PCQ was created It is the only classless queuing type that can do limitation It is an improved version of SFQ without its stohastic nature PCQ also creates subqueues regarding the peq classifier parameter Each subqueue has a data rate limit of peq rate and size of peq limit packets The total size of a PCQ queue cannot be greater than peq total limit packets The following example demonstrates the usage of PCQ with packets classified by their source address If you classify the packets by srce address then all packets with different source IP addresses will be grouped into different subqueues Now you can do the limitation or equalization for each subqueue with the peq rate parameter Perhaps the most significant part is to decide to which interface should we attach this queue If we will attach it to the Local interface all traffic from the Public interface will be grouped by src address probably it s not what we want but if we attach it to the Public interface all traffic from our clients will be grouped by src address so we can easily limit or equalize upload for clients To equa
506. ssions are prefixed with and are accessible from all submenus The events used to trigger script execution include but are not limited to the System Scheduler the Traffic Monitoring Tool and the Netwatch Tool generated events Specifications Packages required system License required levell Home menu level system script Standards and Technologies None Hardware usage Not significant Related Documents e Software Package Management System Scheduler Network Monitor Traffic Monitor Console Command Syntax Description Other trademarks and registred trademarks mentioned herein are properties of their respective owners Console commands are made of the following parts listed in the order you type them in console prefix indicates whether the command is an ICE like in put or that the command path starts from the root menu level like in admin Lobo924 ip firewall mangle gt ping 10 0 0 1 e path a relative path to the desired menu level like filter in admin Lobo924 ip firewall mangle gt filter print e path_args this part is required to select some menu levels where the actual path can vary across different user inputs like mylist in admin Lobo924 ip firewall mangle gt routeing prefix list list mylist e action one of the actions available at the specified menu level like add in admin Lobo924 ip firewall mangle gt ip firewall filter add chain forward action drop
507. st includes all one to one NAT translations Property Description address read only IP address the original IP address of the client authorized read only flag whether the client is successfully authenticated by the HotSpot system blocked read only flag true if access is blocked within walled garden because of expired advertisement timeout bridge port read only name the actual physical interface which the host is connected to This is used when HotSpot service is put on a bridge interface to determine the host s actual port within the bridge bypass hotspot read only flag whether the client does not need to be authorized by the HotSpot system bytes in read only integer how many bytes did the router receive from the client bytes out read only integer how many bytes did the router send to the client host dead time read only time how long has the router not received any packets including ARP replies keepalive replies and user traffic from this host idle time read only time the amount of time has the user been idle idle timeout read only time the exact value of idle timeout that applies to this user This property shows how long should the user stay idle for it to be logged off automatically keepalive timeout read only time the exact value of keepalive timeout that applies to this user This property shows how long should the user s computer stay out of reach for it to be logged o
508. st time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both VAP interface wireless gt add master interface wlan1 ssid virtual test Other trademarks and registred trademarks mentioned herein are properties of their respective owners Nessa mac address 00 0C 42 12 34 56 disabled no name V AP admin VAP interface wireless gt print Flags X disabled R running 0 name wlan1 mtu 1500 mac address 00 0C 42 05 00 22 arp enabled disable running check no interface type Atheros AR5413 radio name 000C42050022 mode ap bridge ssid test area frequency mode superchannel country no_country_set antenna gain 0 frequency 2437 band 2 4ghz b g scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode
509. stred trademarks mentioned herein are properties of their respective owners PPTP Setup for Windows Microsoft provides PPTP client support for Windows NT 2000 ME 98SE and 98 Windows 98SE 2000 and ME include support in the Windows setup or automatically install PPTP For 95 NT and 98 installation requires a download from Microsoft Many ISPs have made help pages to assist clients with Windows PPTP installation http www real time com Customer_Support PPTP_Config pptp config html http www microsoft com windows95 downloads contents WUAdminTools S_WUNetworkingTools V Sample instructions for PPTP VPN installation and client setup Windows 98SE If the VPN PPTP support is installed select Dial up Networking and Create a new connection The option to create a VPN should be selected If there is no VPN options then follow the installation instructions below When asked for the Host name or IP address of the VPN server type the IP address of the router Double click on the new icon and type the correct user name and password must also be in the user database on the router or RADIUS server used for authentication The setup of the connections takes nine seconds after selection the connect button It is suggested that the connection properties be edited so that NetBEUI IPX SPX compatible and Log on to network are unselected The setup time for the connection will then be two seconds after t
510. t Home menu level ip neigbor Other trademarks and registred trademarks mentioned herein are properties of their respective owners Description This submenu allows you to see the list of neighbours discovered Property Description interface read only name local interface name the neighbour is connected to address read only IP address IP address of the neighbour router mac address read only MAC address MAC address of the neighbour router identity read only text identity of the neighbour router version read only text operating system or firmware version of the neighbour router unpack read only none simple compress headers compress all identifies if the interface of the neighbour router is unpacking packets packed with M3P platform read only text hardware software platworm type of neighbour router age read only time specifies the record s age in seconds time from last update Example To view the table of discovered neighbours admin Lobo924 ip neighbor gt pri INTERFACE ADDRESS MAC ADDRESS IDENTITY VERSION 0 ether2 WO il gO eS 00 0C 42 00 02 06 ID 2 9betad 1 ether2 ss ee Wee 00 0C 42 03 02 ED Lobo 2 9betad5d admin Lobo924 ip neighbor gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners NTP Network Time Protocol Document revision NaN Mon Jul 19 07 25 46 GMT 2004 This document applies
511. t e drop drop the packet e encrypt apply transformations specified in this policy and it s SA decrypted integer how many incoming packets were decrypted by the policy dont fragment clear inherit set default clear The state of the don t fragment IP header field e clear clear unset the fields so that packets previously marked as don t fragment got fragmented e inherit do not change the field e set set the field so that each packet matching the rule will not be fragmented dst address JP address netmask port default 0 0 0 0 32 any destination IP address encrypted integer how many outgoing packets were encrypted by the policy in accepted integer how many incoming packets were passed through by the policy without an attempt to decrypt in dropped integer how many incoming packets were dropped by the policy without an attempt to decrypt ipsec protocols multiple choice ah esp default esp specifies what combination of Authentication Header and Encapsulating Security Payload protocols you want to apply to matched traffic AH is applied after ESP and in case of tunnel mode ESP will be applied in tunnel mode and AH in transport mode Other trademarks and registred trademarks mentioned herein are properties of their respective owners level acquire require use default require specifies what to do if some of the SAs for this policy cannot be found e use skip this transform do n
512. t user password profile name default default user profile routes text routes that are to be registered on the HotSpot gateway when the client is connected The route format is dst address gateway metric for example 10 1 0 0 24 10 0 0 1 1 Several routes may be specified separated with commas server name all default all which server is this user allowed to log in to uptime read only time total time user has been logged in Notes In case of mac authentication method clients MAC addresses can be used as usernames without password The byte limits are total limits for each user not for each session as at ip hotspot active So if a user has already downloaded something then session limit will show the total limit minus already downloaded For example if download limit for a user is 100MB and the user has already downloaded 30MB then session download limit after login at ip hotspot active will be 100MB 30MB 70MB Should a user reach his her limits bytes in gt limit bytes in or bytes out gt limit bytes out he she will not be able to log in anymore The statistics is updated if a user is authenticated via local user database each time he she logs out It means that if a user is currently logged in then the statistics will not show current total values Use ip hotspot active submenu to view the statistics on the current user sessions If the user has IP address specified only one sim
513. t e test user can run ping traceroute bandwidth test e web user can log on remotely via http e write user can retrieve and change the configuration run count integer default 0 script usage counter This counter is incremented each time the script is executed The counter will reset after reboot source text default the script source code itself Command Description run name executes a given script name the name of the script to execute Notes You cannot do more in scripts than you are allowed to do by your current user rights that is you cannot use disabled policies For example if there is a policy group in user group which allows you ssh local telnet read write policy test web and this group is assigned to your user name then you cannot make a script that reboots the router Example The following example is a script for writing message Hello World to the info log admin Lobo924 system script gt add name log test source log info Hello World admin Lobo924 system script gt run log test admin Lobo924 system script gt print 0 name log test owner admin policy ftp reboot read write policy test winbox password last started mar 20 2001 22 51 41 run count 1 source log info Hello World admin Lobo924 system script gt Task Management Home menu level system script job Description This facility is used to manage the active or scheduled tasks Other trademar
514. t forward input output postrouting prerouting name name of the target chain to jump to if the action jump is used limit integer time integer restrict packet match rate to a given limit Usefull to reduce the amount of log messages e Count maximum average packet rate measured in packets per second pps unless followed by Time option e Time specify the time interval over which the packet rate is measured e Burst number of packets to match in a burst log prefix text all messages written to logs will contain the prefix specified herein Used in conjunction with action log new connection mark name specify the new value of the connection mark to be used in conjunction with action mark connection new mss integer specify MSS value to be used in conjunction with action change mss new packet mark name specify the new value of the packet mark to be used in conjunction with action mark packet new routing mark name specify the new value of the routing mark used in conjunction with action mark routing new tos max reliability max throughput min cost min delay normal integer specify TOS value to be used in conjunction with action change tos e max reliability maximize reliability ToS 4 Other trademarks and registred trademarks mentioned herein are properties of their respective owners e max throughput maximize throughput ToS 8 e min cost minimize monetary cost ToS 2 e min
515. t it will use the strongest algorithm from AES and TKIP AES is stronger If the interface acts as a station it will connect to Access Points which support at least one of selected algorithms wpa unicast ciphers aes ccm tkip default which algorithms are allowed to use for unicast communications If the interface is an Access Point then it sends these algorithms as supported If it is a Station then it will connect only to APs which support any of these algorithms Notes The keys used for encryption are in hexadecimal form If you use 40bit wep the key has to be 10 characters long if you use 104bit wep the key has to be 26 characters long Prism card doesn t report that the use of WEP is required for all data type frames which means that some clients will not see that access point uses encryption and will not be able to connect to such AP This is a Prism hardware problem and can not be fixed Use Atheros based cards instead of Prism on APs if you want to provide WEP in your wireless network Sniffer Home menu level Ainterface wireless sniffer Description With wireless sniffer you can sniff packets from wireless networks Property Description channel time time default 200ms how long to sniff each channel if multiple channels is set to Other trademarks and registred trademarks mentioned herein are properties of their respective owners yes file limit integer default 10 limits file name s file size
516. t and waits for answer for 0 5 seconds During this time the lease is marked testing 5 in case the address does not respond the lease becomes offered and then bound with the respective lease time Other trademarks and registred trademarks mentioned herein are properties of their respective owners 6 in other case the lease becomes busy for the lease time there is a command to retest all busy addresses and the client s request remains unanswered the client will try again shortly A client may free the leased address When the dynamic lease is removed and the allocated address is returned to the address pool But the static lease becomes busy until the client will reacquire the address Note that the IP addresses assigned statically are not probed Property Description active address read only IP address actual IP address for this lease active client id read only text actual client id of the client active mac address read only MAC address actual MAC address of the client active server read only actual dhcp server which serves this client address P address specify ip address or ip pool for static lease e 0 0 0 0 use pool from server agent circuit id read only text circuit ID of DHCP relay agent agent remote id read only text Remote ID set by DHCP relay agent block access yes no default no block access for this client drop packets from this client client id text default if s
517. t applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Description Setup Property Description Example Neighbour List Description Property Description Example General Information Summary The Lobo Neighbor Discovery Protocol MNDP eases network configuration and management by enabling each Lobo router to discover other connected Lobo routers and learn information about the system along with features which are enabled The Lobo routers can automatically use learned information to set up some features with minimal or no configuration MNDF features works on IP level connections e works on all non dynamic interfaces distributes basic information on the software version e distributes information on configured features that should interoperate with other Lobo routers Lobo OSB is able to discover both MNDP and CDP Cisco Discovery Protocol devices Specifications Packages required system License required level Home menu level ip neighbor Standards and Technologies MNDP Hardware usage Not significant Related Documents Other trademarks and registred trademarks mentioned herein are properties of their respective owners e Package Management e M3P Description MNDP basic function is to assist with automatic configuration of features that are only available between Lobo routers Currently this is used for the Packet Packer feature The
518. t argument e log log the packet e mark mark the packet to use the mark later e passthrough ignore this rule and go on to the next one Acts the same way as a disabled rule except for ability to count packets e return return to the previous chain from where the jump took place out bridge name outgoing bridge interface out interface name interface via packet is leaving the bridge Bridge NAT Home menu level interface bridge nat Description This section describes bridge NAT options which were omitted in the general firewall description Property Description action accept arp reply drop dst nat jump log mark passthrough redirect return src nat default accept action to undertake if the packet matches the rule one of the e accept accept the packet No action i e the packet is passed through without undertaking any action and no more rules are processed in the relevant list chain e arp reply send a reply to an ARP request any other packets will be ignored by this rule with the specified MAC address only valid in dstnat chain e drop silently drop the packet without sending the ICMP reject message e dst nat change destination MAC address of a packet only valid in dstnat chain e jump jump to the chain specified by the value of the jump target argument e log log the packet e mark mark the packet to use the mark later e passthrough ignore this rule and go on to the n
519. t tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both WDS_Station interface wireless gt Virtual Access Point Virtual Access Point VAP enables you to create multiple Access Points with different Service Set Identifier WDS settings and even different MAC address using the same hardware interface You can create up to 7 VAP interfaces from a single physical interface To create a Virtual Access Point simply add a new interface specifying a master interface which is the physical interface that will do the hardware function to VAP This example will show you how to create a VAP admin Flags 0 admin VAP interface wireless gt print x disabled R running name wlan1 mtu 1500 mac address 00 0C 42 05 00 22 arp enabled disable running check no interface type Atheros AR5413 radio name 000C42050022 mode ap bridge ssid test area frequency mode superchannel country no_country_set antenna gain 0 frequency 2437 band 2 4ghz b g scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default bur
520. t user admin full 0 0 0 0 0 1 uuu full 0 0 0 0 0 admin Lobo924 ip route gt Although the current command level is changed to ip route it has no effect on next commands entered from prompt therefore print command is still considered to be user print Example The example below demonstrates how to add two users to the user menu admin Lobo924 ip route gt user add name x password y group write add name y password z group read F print lags X disabled NAME GROUP ADDRESS 0 777 System default user admin full 0 0 0 0 0 ai x write 0 0 0 0 0 2 y read 0 0 0 0 0 admin Lobo924 ip route gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners Variables Description OSB scripting language suports two types of variables which are global system wide and local accessible only within the current script respectively A variable can be referenced by dollar sign followed by the name of the variable with the exception of set and unset commands that take variable name without preceding dollar sign Variable names should be composed of contain letters digits and character A variable must be declared prior to using it in scripts There are four types of declaration available e global defined by global keyword global variables can be accessed by all scripts and console logins on the same router However global variables are not kept ac
521. tandard Point to Point Protocol PPP The difference between them is expressed in transport method PPPoE employs Ethernet instead of modem connection Generally speaking PPPoE is used to hand out IP addresses to clients based on the user and workstation if desired authentication as opposed to workstation only authentication when static IP Other trademarks and registred trademarks mentioned herein are properties of their respective owners addresses or DHCP are used It is adviced not to use static IP addresses or DHCP on the same interfaces as PPPoE for security reasons Lobo OSB can act as a RADIUS client you can use a RADIUS server to authenticate PPPoE clients and use accounting for them A PPPoE connection is composed of a client and an access concentrator server The client may be a Windows computer that has the PPPoE client protocol installed The Lobo OSB supports both client and access concentrator implementations of PPPoE The PPPoE client and server work over any Ethernet level interface on the router wireless 802 11 Aironet Cisco WaveLan Prism Atheros 10 100 1000 Mbit s Ethernet RadioLan and EoIP Ethernet over IP tunnel No encryption MPPE 40bit RSA and MPPE 128bit RSA encryption is supported Note that when RADIUS server is authenticating a user with CHAP MS CHAPv1 MS CHAPv2 it does not use shared secret it is used only in authentication reply So if you have a wrong shared secret RADIUS server will acce
522. te that there is no need to run RIP on the ether2 as no propagation of RIP information is required into the Remote network in this example The routes obtained by RIP can be viewed in the routing rip route menu admin Lobo924 routing rip gt route print Flags S static R rip ospf C connect B bgp 0 R dst address 0 0 0 0 0 gateway 10 0 0 26 metric 2 from 10 0 0 26 1 C dst address 10 0 0 0 24 gateway 0 0 0 0 metric 1 from 0 0 0 0 2 C dst address 192 168 0 0 24 gateway 0 0 0 0 metric 1 from 0 0 0 0 3 R dst address 192 168 1 0 24 gateway 10 0 0 26 metric 1 from 10 0 0 26 4 R dst address 192 168 3 0 24 gateway 10 0 0 26 metric 1 from 10 0 0 26 admin Lobo924 routing rip gt The regular routing table is Lobo routing rip gt ip route print Flags X disabled I invalid D dynamic J rejected Cc connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 R 0 0 0 0 0 r 10 0 0 26 120 etherl 1 R 192 168 3 0 24 E 10 0 0 26 120 etherl 2 R 192 168 1 0 24 r 10 0 0 26 120 etherl 3 DC 192 168 0 0 24 r 0 0 0 0 0 ether2 4 DC 10 0 0 0 24 r 0 0 0 0 0 etherl Other trademarks and registred trademarks mentioned herein are properties of their respective owners admin Lobo924 routing rip gt e Cisco Router Configuration Cisco show running config interface Ethernet0O ip address 10 0 0 26 255 255 255 0 no ip directed broadcast interface Serial
523. terminated enabled yes no default no whether to enable or no the SOCKS proxy max connections integer 1 500 default 200 maxumum number of simultaneous connections port integer 1 65535 default 1080 TCP port on which the SOCKS server listens for connections Example To enable SOCKS admin Lobo924 ip socks gt set enabled yes admin Lobo924 ip socks gt print enabled yes port 1080 connection idle timeout 2m max connections 200 admin Lobo924 ip socks gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners Access List Home menu level ip socks access Description In the SOCKS access list you can add rules which will control access to SOCKS server This list is similar to firewall lists Property Description action allow deny default allow action to be performed for this rule e allow allow packets matching this rule to be forwarded for further processing e deny deny access for packets matching this rule dst address JP address netmask port destination server s address src address JP address netmask port source client s address for a packet Active Connections Home menu level Ap socks connections Description The Active Connection list shows all established TCP connections which are maintained through the SOCKS proxy server Property Description dst address read only IP address destination appli
524. termine link status used if mii typel is not supported by the NIC e none no method for link monitoring is used If a link fails it is not considered as down but no traffic passes through it thus mac address read only MAC address MAC address of the bonding interface mii interval time default 00 00 00 100 how often to monitor the link for failures parameter used only if link monitoring is mii typel or mii type2 mtu integer 68 1500 default 1500 Maximum Transmit Unit in bytes mode 802 3ad active backup balance alb balance rr balance tlb balance xor broadcast default balance rr interface bonding mode Can be one of e 802 3ad IEEE 802 3ad dynamic link aggregation In this mode the interfaces are aggregated in a group where each slave shares the same speed If you use a switch between 2 bonding routers be sure that this switch supports IEEE 802 3ad standard Provides fault tolerance and load balancing e active backup provides link backup Only one slave can be active at a time Another slave becomes active only if first one fails e balance alb adaptive load balancing It includes balance tlb and received traffic is also balanced Device driver should support for setting the mac address then it is active Otherwise balance alb doesn t work No special switch is required e balance rr round robin load balancing Slaves in bonding interface will transmit and receive data in sequential order
525. ternal proxy possibly to a proxy with caching functions transparently Setup Home menu level Ap proxy Property Description enabled yes no default no whether the proxy server is enabled maximal client connecions integer default 1000 maximal number of connections accepted from clients any further connections will be rejected maximal server connectons integer default 1000 maximal number of connections made to Other trademarks and registred trademarks mentioned herein are properties of their respective owners servers any further connections from clients will be put on hold until some server connections will terminate parent proxy P address port default 0 0 0 0 0 IP address and port of another HTTP proxy to redirect all requests to exceptions may be defined in the direct access list e 0 0 0 0 0 no parent proxy is used port port default 8080 TCP port the proxy server will be listening on This is to be specified on all clients that want to use the server as HTTP proxy Transparent with zero configuration for clients proxy setup can be made by redirecting HTTP requests to this port in IP firewall using destination NAT feature Notes The web proxy listens to all IP addresses that the router has in its IP address list Example To enable the proxy on port 8000 admin Lobo924 ip proxy gt set enabled yes port 8000 admin Lobo924 ip proxy gt print enabled yes port 8000 parent pro
526. text to be echoed to the console Display the MTU of ether1 interface admin Lobo924 gt sput interface get etherl mtu 1500 admin Lobo924 gt resolve returns IP address of the host resolved from the DNS name The DNS settings should be configured on the router ip dns submenu prior to using this command text domain name to be resolved into an IP address DNS configuration and resolve command example admin Lobo924 ip route gt ip dns set primary dns 159 148 60 2 admin Lobo924 ip route gt put resolve www example com 192 0 34 166 set assigns new value to a variable name the name of the variable text the new value of the variable Measuring time needed to resolve www example com fadmin Lobo924 gt put time resolve www example com El 00 00 00 006 admin Lobo924 gt time measures the amount of time needed to execute given console commands text the console commands to measure execution time of Measuring time needed to resolve www example com fadmin Lobo924 gt put time resolve www example com 00 00 00 006 admin Lobo924 gt while executes given console commands repeatedly while the logical conditions is true yes no condition which is evaluated each time before the execution of enclosed statements text console commands that should be executed repeatedly admin Lobo924 gt set i 0 while i lt 10 do put Si set i i 1 0 1 2 Other
527. that it does not mean that OSB supports DiffServ or ECN it is just possible to access and change the marks used by these protocols Other trademarks and registred trademarks mentioned herein are properties of their respective owners RFC1349 defines these standard values e normal normal service ToS 0 e low cost minimize monetary cost ToS 2 e max reliability maximize reliability ToS 4 e max throughput maximize throughput ToS 8 e low delay minimize delay ToS 16 Peer to Peer protocol filtering Peer to peer protocols also known as p2p provide means for direct distributed data transfer between individual network hosts While this technology powers many brilliant applications like Skype it is widely abused for unlicensed software and media destribution Even when it is used for legal purposes p2p may heavily disturb other network traffic such as http and e mail OSB is able to recognize connections of the most popular P2P protocols and filter or enforce QOS on them The protocols which can be detected are Fasttrack Kazaa KazaaLite Diet Kazaa Grokster iMesh giFT Poisoned mlMac Gnutella Shareaza XoLoX Gnucleus BearShare LimeWire java Morpheus Phex Swapper Gtk Gnutella linux Mutella linux Qtella linux MLDonkey Acquisition Mac OS Poisoned Swapper Shareaza XoloX mlMac Gnutella2 Shareaza MLDonkey Gnucleus Morpheus Adagio mlMac DirectConnect DirectConnect AKA DC M
528. that provides authentication and accounting facilities to various network apliances RADIUS authentication and accounting gives the ISP or network administrator ability to manage PPP user access and accounting from one server throughout a large network The Lobo OSB has a RADIUS client which can authenticate for HotSpot PPP PPPoE PPTP L2TP and ISDN connections The attributes received from RADIUS server override the ones set in the default profile but if some parameters are not received they are taken from the respective default profile The RADIUS server database is consulted only if no matching user acces record is found in router s local database Traffic is accounted locally with Lobo Traffic Flow and Cisco IP pairs and snapshot image can be gathered using Syslog utilities If RADIUS accounting is enabled accounting information is also sent to the RADIUS server default for that service RADIUS Client Setup Home menu level radius Description This facility allows you to set RADIUS servers the router will use to authenticate users Property Description accounting backup yes no default no this entry is a backup RADIUS accounting server accounting port integer default 1813 RADIUS server port used for accounting address ZP address default 0 0 0 0 IP address of the RADIUS server authentication port integer default 1812 RADIUS server port used for authentication called id text default value depends on
529. the Windows wireless interface at this moment Let us consider the following setup where the Lobo Wireless AP offers wireless clients transparent access to the local network with authentication First of all the wireless interface should be configured admin PPPol frequency 2442 band 2 admin PPPol Flags 0 radio name 000124705304 E Server interfac interfac wireless gt set 0 mode ap bridge wireless gt E Server Xx disabled R name running print 4ghz b g ssid mt disabled no wlanl mtu 1500 mac address 00 01 24 70 53 04 arp enabled disable running check no interfac type Atheros AR5211 mode station ssid mt area frequency mode superchannel country no_country_set antenna gain 0 frequency 2412 band 2 4ghz b scan lis supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps t default rate set default supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6 ack timeout dynamic tx power default noi S floor threshold default periodic calibration default bps max station count 2007 tx power mode default burst time disabled fast frames no dfs mod non antenna mod wds mode disabled wds default bridge non stats interval disabled defaul default forwarding yes default ap tx limit 0 default client tx limit 0 updat hid
530. the actual period of inactivity in order to prevent the user from being overcharged Example HotSpot Users Home menu level ip hotspot user Property Description address ZP address default 0 0 0 0 static IP address If not 0 0 0 0 client will always get the same IP address It implies that only one simultaneous login for that user is allowed Any existing address will be replaced with this one using the embedded one to one NAT Other trademarks and registred trademarks mentioned herein are properties of their respective owners bytes in read only integer total amount of bytes received from user bytes out read only integer total amount of bytes sent to user limit bytes in integer default 0 maximum amount of bytes user can transmit i e bytes received from the user e 0 no limit limit bytes out integer default 0 maximum amount of bytes user can receive i e bytes sent to the user e 0 no limit limit uptime time default Os total uptime limit for user pre paid time e Os no limit mac address MAC address default 00 00 00 00 00 00 static MAC address If not 00 00 00 00 00 00 client is allowed to login only from that MAC address name name user name packets in read only integer total amount of packets received from user i e packets received from the user packets out read only integer total amount of packets sent to user i e packets sent to the user password tex
531. the average packet size is 50 300 bytes the common size of VoIP packets Features e may work on any Ethernet like media e is disabled by default for all interfaces e when older version on the OSB are upgraded from a version without M3P to a version with discovery current wireless interfaces will not be automatically enabled for M3P e small packets going to the same MAC level destination regardless of IP destination are collected according to the set configuration and aggregated into a large packet according to the set size e the packet is sent as soon as the maximum aggregated packet packet size is reached or a maximum time of 15ms 5ms Setup Home menu level ip packing Description M3P is working only between Lobo routers which are discovered with Lobo Neighbor Discovery Protocol MNDP When M3P is enabled router needs to know which of its neighbouring hosts have enabled M3P MNDP is used to negotiate unpacking settings of neighbours therefore it has to be enabled on interfaces you wish to enable M3P Consult MNDP manual on how to do it Property Description aggregated size integer default 1500 the maximum aggregated packet s size interface name interface to enable M3P on packing none simple compress all compress headers default simple specifies the packing mode e none no packing is applied to packets e simple aggregate many small packets into one large packet minimizing network overhead p
532. the user stay logged in see uptime for it to be logged off automatically uptime read only time current session time of the user i e how long has the user been logged in user read only name name of the user Example To get the list of active users admin Lobo924 ip hotspot active gt print Flags R radius B blocked USER ADDRESS UPTIMI SESSION TIMEOUT IDLE TIMEOUT 0 ex 10 0 0 144 4m17s 55m43s admin Lobo924 ip hotspot active gt a Other trademarks and registred trademarks mentioned herein are properties of their respective owners IP accounting Document revision 2 1 Fri Dec 17 18 28 01 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Local IP Traffic Accounting Description Property Description Notes Example Example Local IP Traffic Accounting Table Description Property Description Notes Example Web Access to the Local IP Traffic Accounting Table Description Property Description Example General Information Summary Authentication Authorization and Accounting feature provides a possibility of local and or remote on RADIUS server Point to Point and HotSpot user management and traffic accounting all IP traffic passing the router is accounted Specifications Packages required system License required levell Home menu level user ppp ip accounting radius Standa
533. ther trademarks and registred trademarks mentioned herein are properties of their respective owners IP Addresses and ARP Document revision 1 3 Tue Sep 20 19 02 32 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents IP Addressing Description Property Description Notes Example Address Resolution Protocol Description Property Description Notes Example Proxy ARP feature Description Example Unnumbered Interfaces Description Example Troubleshooting Description General Information Summary The following Manual discusses IP address management and the Address Resolution Protocol settings IP addresses serve as identification when communicating with other network devices using the TCP IP protocol In turn communication between devices in one physical network proceeds with the help of Address Resolution Protocol and ARP addresses Specifications Packages required system License required level Home menu level ip address ip arp Standards and Technologies LP ARP Hardware usage Not significant Related Documents Other trademarks and registred trademarks mentioned herein are properties of their respective owners e Software Package Management IP Addressing Home menu level Ap address Description IP addresses serve for a general host identification purposes in IP networks Typical IPv4 address consists of four octets For p
534. ther you have obtained a lease admin Server ip dhcp client gt print detail Other trademarks and registred trademarks mentioned herein are properties of their respective owners Flags X disabled I invalid 0 interface wlanl add default route yes use peer dns yes status bound address 172 16 0 20 12 gateway 172 16 0 1 dhcp server 192 168 0 1 primary dns 159 148 147 194 expires after 2d23 58 52 admin Server ip dhcp client gt Specifications Packages required dhcp License required level Home menu level ip dhcp client ip dhcp server ip dhcp relay Standards and Technologies DHCP Description The DHCP protocol gives and allocates IP addresses to IP clients DHCP is basically insecure and should only be used in trusted networks DHCP server always listens on UDP 67 port DHCP client on UDP 68 port The initial negotiation involves communication between broadcast addresses on some phases sender will use source address of 0 0 0 0 and or destination address of 255 255 255 255 You should be aware of this when building firewall Additional Documents ISC Dynamic Host Configuration Protocol DHCP e DHCP mini HOWTO e ISC DHCP FAQ DHCP Client Setup Home menu level ip dhcp client Description The Lobo OSB DHCP client may be enabled on any Ethernet like interface at a time The client will accept an address netmask default gateway and two dns server addresses The received IP address will
535. ther2 s etherl ether2 16 0 1 24 interface bondingl 16 0 2 24 interface bonding gt pi 172 16 0 2 interface bondingl Note that bonding interface needs a couple of seconds to get connectivity with its peer Other trademarks and registred trademarks mentioned herein are properties of their respective owners Specifications Packages required system License required level Home menu level Ainterface bonding Standards and Technologies None Hardware usage Not significant Related Documents e Linux Ethernet Bonding Driver mini howto Description To provide a proper failover you should specify link monitoring parameter It can be e MII Media Independent Interface typel or type2 Media Independent Interface is an abstract layer between the operating system and the NIC which detects whether the link is running it performs also other functions but in our case this is the most important e ARP Address Resolution Protocol periodically for arp interval time checks the link status link monitoring is used to check whether the link is up or not Property Description arp disabled enabled proxy arp reply only default enabled Address Resolution Protocol for the interface e disabled the interface will not use ARP e enabled the interface will use ARP e proxy arp the interface will use the ARP proxy feature e reply only the interface will only reply to the requests originated to its own IP addresse
536. tically by JavaScript to select PDA regular version of HTML pages To utilize this feature create subdirectories in HotSpot HTML directory and place those HTML files which are different in that subdirectory For example to translate everything in Latvian subdirectory Iv can be created with login html logout html status html alogin html radvert html and errors txt files which are translated into Latvian If the requested HTML page can not be found in the requested subdirectory the corresponding HTML file from the main directory will be used Then main login html file would contain link to lv login dst link orig esc which then displays Latvian version of login page lt a href 1v login dst link orig esc gt Latviski lt a gt And Latvian version would contain link to English version lt a href login dst link orig esc gt English lt a gt Another way of referencing directories is to specify target variable After preferred directory has been selected for example Iv all links to local HotSpot pages will contain that path for example link status http hotspot mt lv lv status So if all hotspot pages reference links using link xxx variables then no more changes are to be made each client will stay within the selected directory all the time Notes If you want to use HTTP CHAP authentication method it is supposed that you include the doLogin function which references to t
537. tication protocols RADIUS authentication and accounting MPPE encryption compression for PPPoE data rate limitation differentiated firewall PPPoE dial on demand Simple tunnels IPIP tunnels EoIP Ethernet over IP IPsec IP security AH and ESP protocols MODP Diffie Hellman groups 1 2 5 MD5 and SHA1 hashing algorithms DES 3DES AES 128 AES 192 AES 256 encryption algorithms Perfect Forwarding Secrecy PFS MODP groups 1 2 5 Proxy FTP and HTTP caching proxy server HTTPS proxy transparent DNS and HTTP proxying SOCKS protocol support DNS static entries support for caching on a separate drive access control lists caching lists parent proxy support DHCP DHCP server per interface DHCP relay DHCP client multiple DHCP networks static and dynamic DHCP leases RADIUS support VRRP VRRP protocol for high availability UPnP Universal Plug and Play support Other trademarks and registred trademarks mentioned herein are properties of their respective owners e NTP Network Time Protocol server and client synchronization with GPS system Monitoring Accounting IP traffic accounting firewall actions logging statistics graphs accessible via HTTP e SNMP read only access M3P Lobo Packet Packer Protocol for Wireless links and Ethernet e MNDP Lobo Neighbor Discovery Protocol also supports Cisco Discovery Protocol CDP e Tools ping traceroute bandwidth test ping flood telnet SSH packet sniffer Dyna
538. tion Web proxy has additional commands to handle non system drive used for caching purposes and to recover the proxy from severe file system errors Command Description check drive checks non system cache drive for errors clear cache deletes existing cache and creates new cache directories format drive formats non system cache drive and prepairs it for holding the cache Other trademarks and registred trademarks mentioned herein are properties of their respective owners Transparent Mode Description Transparent proxy feature performs request caching invisibly to the end user This way the user does not notice that his connection is being processed by the proxy and therefore does not need to perform any additional configuration of the software he is using Transparent proxy combined with bridge greatly simplifies deployment of web proxy in the existing infrastructure To enable the transparent mode place a firewall rule in destination NAT specifying which connections id est traffic coming to which ports should be redirected to the proxy Notes Only HTTP traffic is supported in transparent mode of the web proxy HTTPS and FTP protocols are not going to work this way Example To configure the router to transparently redirect all connections coming from ether1 interface to port 80 to the web proxy listening on port 8080 then add the following destination NAT rule admin Lobo924 gt ip firewall nat add in interface
539. tion address of a packet These properties are taken in account only if filter protocol is ip only Not only Ethernal hitp www ethereal com and Packetyzer http www packetyzer com can receive the sniffer s stream but also Lobo s program trafr that runs on any IA32 Linux computer and saves receivedpacketslibpcapfileformat Example In the following example streaming server will be added streaming will be enabled file name will be set to test and packet sniffer will be started and stopped after some time admin Lobo924 tool sniffer gt set streaming server 10 0 0 241 streaming enabled yes file name test admin Lobo924 tool sniffer gt prin interface all only headers no memory limit 10 file name test file limit 10 streaming enabled yes streaming server 10 0 0 241 filter stream yes filter protocol ip only filter addressl filter address2 0 0 0 0 0 0 65535 0 0 0 0 0 0 65535 running no fadmin Lobo924 tool sniffer gt start admin Lobo924 tool sniffer gt stop Running Packet Sniffer Command name tool sniffer start tool sniffer stop tool sniffer save Description The commands are used to control runtime operation of the packet sniffer The start command is used to start reset sniffering stop stops sniffering To save currently sniffed packets in a specific file save command is used Example In the following example the packet sniffer will be started and after some
540. tion of DHCP Server is done Now let s configure DHCP Relay ip dhcp dhcp server 192 ip dhcp dhcp server 192 admin D Flags X 0 1 admin D NAME Locall Relay Local2 Relay relay add relay add HCP Relay disable a HCP Relay name Locall Relay interface Locall 168 0 name Local2 Relay interface Local2 ip dhcp relay gt print 1 local address 192 168 1 1 disabled no 168 0 1 local address 192 168 2 1 disabled no d I invalid INTERFACE DHCP SERVER LOCAL ADDRESS Locall 192 168 0 1 192 168 1 1 Local2 192 168 0 1 192 168 2 1 ip dhcp relay gt IP Address assignment using FreeRADIUS Server Let us consider that we want to assign IP addresses for clients using the RADIUS server Other trademarks and registred trademarks mentioned herein are properties of their respective owners We assume that you already have installed FreeRADIUS Just add these lines to specified files users file 00 0B 6B 31 02 4B Auth Type Local Password Framed IP Address 192 168 0 55 clients conf file client 172 16 0 1 secret MySecret shortname Server Configure Radius Client on OSB radius add service dhcp address 172 16 0 2 secret MySecret admin DHCP Server radius gt print detail Flags X disabled 0 service dhcp called id domain address 172 16 0 2 secret MySecret authentication port 1812 accounting port 1813 timeout 00 00 00
541. tions Packages required system License required levell Home menu level ppp Related Documents Router User AAA Software Package Management Other trademarks and registred trademarks mentioned herein are properties of their respective owners IP Addresses and ARP PPP and Asynchronous Interfaces e PPPoE e PPTP L27TP e ISDN Description The Lobo OSB provides scalable Authentication Athorization and Accounting AAA functionality Local authentication is performed using the User Database and the Profile Database The actual configuration for the given user is composed using respective user record from the User Database associated item from the Profile Database and the item in the Profile database which is set as default for a given service the user is authenticating to Default profile settings from the Profile database have lowest priority while the user access record settings from the User Database have highest priority with the only exception being particular IP addresses take precedence over IP pools in the local address and remote address settings which described later on Support for RADIUS authentication gives the ISP or network administrator the ability to manage PPP user access and accounting from one server throughout a large network The Lobo OSB has a RADIUS client which can authenticate for PPP PPPoE PPTP L2TP and ISDN connections The attributes received from RADIUS server override the ones set in t
542. tive owners 0 R etherl ether 1500 1 R ether2 ether 1500 admin Lobo924 gt ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 174 24 10 0 0 174 10 0 0 255 etherl 1 192 168 0 1 24 192 168 0 0 192 168 0 255 ether2 admin Lobo924 gt ip route print Flags X disabled I invalid D dynamic J rejected CG connect S static R rip O0 4ospt Bo bop DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 DC 192 168 0 0 24 r 0 0 0 0 0 ether2 1 DC 10 0 0 0 24 E 02000 0 etherl admin Lobo924 gt Note that no default route has been configured The route will be obtained using the RIP The necessary configuration of the RIP general settings is as follows admin Lobo924 routing rip gt set redistribute connected yes admin Lobo924 routing rip gt print redistribute static no redistribute connected yes redistribute ospf no redistribute bgp no metric static 1 metric connected 1 metric ospf 1 metric bgp 1 update timer 30s timeout timer 3m garbage timer 2m admin Lobo924 routing rip gt The minimum required configuration of RIP interface is just enabling the network associated with the ether interface admin Lobo924 routing rip network gt add address 10 0 0 0 2 admin Lobo924 routing rip network gt print ADDRESS O 10 0 0 0 24 admin Lobo924 routing rip network gt No
543. to 10 0 0 1 IP address admin Lobo924 ip dns static gt add name www example com address 10 0 0 1 admin Lobo924 ip dns static gt print NAME ADDRESS TTL 0 aaa aaa a 123 123 123 123 1d 1 www example com 10 0 0 1 1d admin Lobo924 ip dns static gt Flushing DNS cache Command name ip dns cache flush Command Description flush clears internal DNS cache Other trademarks and registred trademarks mentioned herein are properties of their respective owners Example admin Lobo924 ip dns gt cache flush admin Lobo924 ip dns gt print primary dns 159 148 60 2 secondary dns 0 0 0 0 allow remote requests yes cache size 2048 KiB cache max ttl lw cache used 10 KiB admin Lobo924 ip dns gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners HotSpot Gateway Document revision 4 Tue Oct 04 17 03 23 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents General Information Summary Quick Setup Guide Specifications Description Question amp Answer Based Setup Command Description Notes Example HotSpot Interface Setup Description Property Description Command Description Notes Example HotSpot Server Profiles Property Description Notes Example HotSpot User Profiles Description HotSpot Users Description HotSpot Active Users Description HotSpot Cookies Description Property Description Notes Example
544. to authenticate clients as soon as they appear in the hosts list i e as soon as they have sent any packet to the HotSpot server using client s MAC address as username There are currently 5 different authentication methods You can use one or more of them simultaneously HotSpot can authenticate users consulting the local user database or a RADIUS server local database is consulted first then a RADIUS server In case of HTTP cookie authentication via RADIUS server the router will send the same information to the server as was used when the cookie was first generated If authentication is done locally profile corresponding to that user is used otherwise in case RADIUS reply did not contain the group for that user the default profile is used to set default values for parameters which are not set in RADIUS access accept message For more information on how the interaction with a RADIUS server works see the respective manual section The HTTP PAP method also makes it possible to authenticate by requesting the page login username username amp password password In case you want to log in using telnet connection the exact HTTP request would look like that GET Aogin username username amp password password HTTP 1 0 note that the request is case sensitive Authorization After authentication user gets access to the Internet and receives some limitations which are user profile specific HotSpot may also perform a one to one NAT f
545. tool traffic monitor Description The traffic monitor tool is used to execute console scripts when interface traffic crosses a given threshold Each item in traffic monitor list consists of its name which is useful if you want to disable or change properties of this item from another script some parameters specifying traffic condition and the pointer to a script or scheduled event to execute when this condition is met Property Description Other trademarks and registred trademarks mentioned herein are properties of their respective owners interface name interface to monitor name name name of the traffic monitor item on event name script source Must be present under system script threshold integer default 0 traffic threshold traffic transmitted received default transmitted type of traffic to monitor e transmitted transmitted traffic e received received traffic trigger above always below default above condition on which to execute the script e above the script will be run each time the traffic exceeds the threshold e always triggers scripts on both above and below condition e below triggers script in the opposite condition when traffic reaches a value that is lower than the threshold Example In this example the traffic monitor enables the interface ether2 if the received treffic exceeds 15kbps on etherl and disables the interface ether2 if the received traffic falls below 12k
546. trademarks and registred trademarks mentioned herein are properties of their respective owners TmMOWMWTHAU ABW admin Lobo924 gt Special Commands Description Monitor It is possible to access values that are shown by most monitor actions from scripts A monitor command that has a do parameter can be supplied either script name see system scripts or console commands to execute Get Most print commands produce values that are accessible from scripts Such print commands have a corresponding get command on the same menu level The get command accepts one parameter when working with regular values or two parameters when working with lists Notes Monitor command with do argument can also be called directly from scripts It will not print anything then just execute the given script The names of the properties that can be accessed by get are the same as shown by print command plus names of item flags like the disabled in the example below You can use T ab key completions to see what properties any particular get action can return Example In the example below monitor action will execute given script each time it prints stats on the screen and it will assign all printed values to local variables with the same name admin Lobo924 interface gt monitor traffic ether2 once do environment print received packets per second 0 received bits per second Obps sent packets per second 0 sent bits p
547. trademarks and registred trademarks mentioned herein are properties of their respective owners e 0 no limits Example To see the list of all available interfaces admin Lobo924 interface gt print Flags X disabled D dynamic R running NAME TYPE RX RATE TX RATE MTU 0 R etherl ether 0 0 1500 1 R bridgel bridge 0 0 1500 2 R ether2 ether 0 0 1500 3 R wlanl wlan 0 0 1500 admin Lobo924 interface gt Traffic Monitoring Command name interface monitor traffic Description The traffic passing through any interface can be monitored Property Description received packets per second read only integer number of packets that interface has received in one second received bits per second read only integer number of bits that interface has received in one second sent packets per second read only integer number of packets that interface has sent in one second sent bits per second read only integer number of bits that interface has sent in one second Notes One or more interfaces can be monitored at the same time To see overall traffic passing through all interfaces at time use aggregate instead of interface name Example Multiple interface monitoring interface monitor traffic etherl aggregate received packets per second 9 11 received bits per second 4 39kbps 6 19kbps sent packets per second 16 L7 per s sent bits cond 101kbps 101kbps Q
548. ts http msdn microsoft com library backgrnd html understandin tp htm http support microsoft com support kb articles q162 8 47 asp http www ietf org rfc rfc2637 1xt number 2637 http www ietf org rfc rfc3078 txt 2number 3078 http www ietf org rfc rfc3079 txt 2number 3079 PPTP Client Setup Home menu level interface pptp client Property Description add default route yes no default no whether to use the server which this client is connected to as its default router gateway allow multiple choice mschap2 mschap1 chap pap default mschap2 mschap1 chap pap the protocol to allow the client to use for authentication connect to JP address The IP address of the PPTP server to connect to mru integer default 1460 Maximum Receive Unit The optimal value is the MRU of the interface the tunnel is working over decreased by 40 so for 1500 byte ethernet link set the MRU to 1460 to avoid fragmentation of packets mtu integer default 1460 Maximum Transmission Unit The optimal value is the MTU of the interface the tunnel is working over decreased by 40 so for 1500 byte ethernet link set the MTU to 1460 to avoid fragmentation of packets name name default pptp outN interface name for reference password text default user password to use when logging to the remote server profile name default default profile to use when connecting to the remote server
549. ts parent s inner slot of the same priority in case the parent is also yellow or to its own level self slot of the same priority in case the parent is green Upon the transition to this state the class disconnects from self feed of its level and connects to its parent s inner feed e red a class the actual rate of which exceeds max limit This class cannot borrow rate from its parent class Priorities When a leaf class wants to send some traffic as they are the only classes that hold packets HTB checks its priority It will begin with the highest priority and the lowest level and proceed until the lowest priority at highest level is reached As you can see from the picture leaf classes which are at the green state will always have a higher priority than those which are borrowing because their priority is at a lower level level0 In this Other trademarks and registred trademarks mentioned herein are properties of their respective owners picture Leaf1 will be served only after Leaf2 although it has a higher priority 7 than Leaf1 8 In case of equal priorities and equal states HTB serves these classes using round robin algorithm HTB Examples Here are some examples on how the HTB works Imagine the following scenario we have 3 different kinds of traffic marked in ip firewall mangle packet_mark1 packet_mark2 and packet_mark3 and now have bulit a HTB hierarchy Now let us describe some scenarios using thi
550. ts whether the NIC is connected to a device in the network or not When the remote device is not connected the leds are not blinking the route which is set on the specific interface becomes invalid Example admin Lobo924 gt interface print Flags X disabled D dynamic R running NAME TYPE RX RATE TX RATE MTU O X etherl ether 0 0 1500 admin Lobo924 gt interface enabl therl admin Lobo924 gt interface print Other trademarks and registred trademarks mentioned herein are properties of their respective owners Flags X disabled D dynamic R running NAME TYPE RX RATE TX RATE MTU 0 R etherl ether 0 0 1500 admin Lobo924 gt interfac thernet admin Lobo924 interfac thernet gt print Flags X disabled R running NAME MTU MAC ADDRESS ARP 0 R etherl 1500 00 0C 42 03 00 F2 enabled admin Lobo924 interfac thernet gt print detail Flags X disabled R running 0 R name ether1 mtu 1500 mac address 00 0C 42 03 00 F2 arp enabled disable running check yes auto negotiation yes full duplex yes cable settings default speed 100Mbps fadmin Lobo924 interfac thernet gt Monitoring the Interface Status Command name interface ethernet monitor Property Description status link ok no link unknown status of the interface one of the link ok the card has connected to the network no link the card has not connected
551. tspot ssl certificate certl none admin Lobo924 ip service gt set hotspot ssl certificate certl admin Lobo924 ip service gt print Flags X disabled I invalid NAME PORT ADDRESS CERTIFICATE 0 telnet 23 0 0 0 0 0 1 ftp 21 0 0 0 0 0 2 WWW 8081 0 0 0 0 0 3 hotspot 80 0 0 0 0 0 4 ssh 22 0 0 0 0 0 5 hotspot ssl 443 0 0 0 0 0 certl admin Lobo924 ip service gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners DDNS Update Tool Document revision 1 2 Fri Mar 05 09 33 48 GMT 2004 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Description Additional Documents Dynamic DNS Update Property Description Notes Example General Information Summary Dynamic DNS Update Tool gives a way to keep domain name pointing to dynamic IP address It works by sending domain name system update request to name server which has a zone to be updated Secure DNS updates are also supported The DNS update tool supports only one algorithm hmac md5 It s the only proposed algorithm for signing DNS messages Specifications Packages required advanced tools License required levell Command name tool dns update Standards and Technologies Dynamic Updates in the DNS RFC 2136 Secure DNS Dynamic Update RFC 3007 Hardware usage Not significant Related Documents e Package
552. tx limit 0 hide ssid no security profile Stationl disconnect timeout 3s on fail retry time 100ms preamble mode both admin WEP_Stationl interface wireless gt Config of StationX admin WEP_StationX interface wireless security profiles gt add name StationX mode static keys required static algo 1 40bit wep static key 1 1234567890 static transmit key key 1 admin WEP_StationX interface wireless security profiles gt print 0 name default mode none wpa unicast ciphers wpa group ciphers pre shared key static algo O none static key 0 static algo l none static key 1l static algo 2 none static key 2 static algo 3 none static key 3 static transmit key key 0 static sta private algo non static sta private key radius mac authentication no group key update 5m 1 name StationX mode static keys required wpa unicast ciphers wpa group ciphers _pre shared key static algo O none static key 0 static algo 1 40bit wep static key 1 1234567890 static algo 2 none static key 2 static algo 3 none static key 3 static transmit key key l1 static sta private algo non static sta private key radius mac authentication no group key update 5m admin WEP_StationX interface wireless security profiles gt admin
553. tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both admin Nstreme AP interface wireless gt nstreme admin Nstreme AP interface wireless nstreme gt set wlanl enable nstreme yes admin Nstreme AP interface wireless nstreme gt print 0 name wlanl enable nstreme yes enable polling yes framer policy non framer limit 3200 admin Nstreme AP interface wireless nstreme gt e Configure Nstreme Client wireless settings and enable Nstreme on it admin Nstreme Client interface wireless gt set wlanl mode station ssid nstreme band 5ghz frequency 5805 disabled no admin Nstreme Client interface wireless gt print Flags X disabled R running 0 name wlan1l mtu 1500 mac address 00 0B 6B 34 5A 91 arp enabled disable running check no interface type Atheros AR5213 radio name 000B6B345A91 mode station ssid nstreme area frequency mode superchannel country no_country_set antenna gain 0 frequency 5805 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a
554. u can see all used IP addresses from IP pools Property Description pool read only name name of the IP pool address read only IP address IP address that is assigned to client form the pool Other trademarks and registred trademarks mentioned herein are properties of their respective owners owner read only MAC address MAC address of the client info read only name name of the interface to which the client is connected to Example See used addresses from pool admin Lobo924 ip pool used gt print POOL ADDRESS OWNER INFO local 192 168 0 100 00 0C 42 03 1F 60 test local 192 168 0 99 00 0C 42 03 21 0F test Other trademarks and registred trademarks mentioned herein are properties of their respective owners SOCKS Proxy Server Document revision 1 3 Fri Apr 15 17 51 27 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Description Notes Additional Documents SOCKS Configuration Description Property Description Example Access List Description Property Description Active Connections Description Property Description Example FTP service through SOCKS server General Information Summary This manual discusses the SOCKS proxy server which is implemented in OSB Lobo OSB supports SOCKS version 4 Specifications Packages required system License required levell Home menu level Ap socks Standards and Technolo
555. ugh the relevant connection connection limit integer netmask restrict connection limit per address or address block connection state estabilished invalid new related interprets the connection tracking analysis data for a particular packet e estabilished a packet which belongs to an existing connection exempli gratia a reply packet or a packet which belongs to already replied connection e invalid a packet which could not be identified for some reason This includes out of memory condition and ICMP errors which do not correspond to any known connection It is generally advised to drop these packets e new a packet which begins a new TCP connection e related a packet which is related to but not part of an existing connection such as ICMP errors or a packet which begins FTP data connection the later requires enabled FTP connection tracking helper under ip firewall service port connection type ftp gre h323 irc mms pptp quake3 tftp matches packets from related Other trademarks and registred trademarks mentioned herein are properties of their respective owners connections based on information from their connection tracking helpers A relevant connection helper must be enabled under ip firewall service port content text the text packets should contain in order to match the rule dst address ZP address netmask IP address IP address specifies the address range an IP packet is destined t
556. ughput are calculated using the entire size of the TCP packet As acknowledgments are an internal working of TCP their size and usage of the link are not included in the throughput statistics Therefore this statistic is not as reliable as the UDP statistic when estimating throughput The UDP tester sends 110 or more packets than currently reported as received on the other side of the link To see the maximum throughput of a link the packet size should be set for the maximum MTU allowed by the links which is usually 1500 bytes There is no acknowledgment required by UDP this implementation means that the closest approximation of the throughput can be seen Usage Notes Caution Bandwidth Test uses all available bandwidth by default and may impact network usability Bandwidth Test uses much resources If you want to test real throughput of a router you should run bandwidth test through it not from or to it To do this you need at least 3 routers connected in chain the Bandwidth Server the given router and the Bandwidth Client ne bs w Bandwidth The Router Bandwidth Serer you are Client testing Note that if you use UDP protocol then Bandwidth Test counts IP header tUDP header UDP data In case if you use TCP then Bandwidth Test counts only TCP data TCP header and IP header are not included Server Configuration Home menu level tool bandwidth server Property Description allocate udp ports from allocate UDP ports from a
557. ular expressions are also accepted here but if the property should be treated as a regular expression it should start with a colon Small hits in using regular expressions e symbol sequence is used to enter character in console e pattern means only in regular expressions single dot in pattern means any symbol e to show that no symbols are allowed before the given pattern we use symbol at the beginning of the pattern e to specify that no symbols are allowed after the given pattern we use symbol at the end of Other trademarks and registred trademarks mentioned herein are properties of their respective owners the pattern e to enter or symbols you should escape them with backslash Example The default rule admin Lobo924 ip web proxy access gt print Flags X disabled I invalid 0 77 allow CONNECT only to SSL ports 443 https and 563 snews dst port 443 563 method connect action deny admin Lobo924 ip web proxy access gt To disallow download of MP3 and MPG files and FTP connections other than from the 10 0 0 1 server admin Lobo924 ip web proxy access gt add url mp 3g action deny admin Lobo924 ip web proxy access gt add src address 10 0 0 1 32 action allow admin Lobo924 ip web proxy access gt add url ftp action deny admin Lobo924 ip web proxy access gt print Flags X disabled I invalid 0 77 allow CONNECT only to SSL ports 443 https and 563
558. ules on chosen time intervals e Prioritizing of traffic e Using multiple flow marks from ip firewall mangle e Shaping of bidirectional traffic one limit for the total of upload download Property Description burst limit integer integer maximum data rate which can be reached while the burst is active in form of in out burst threshold integer integer used to calculate whether to allow burst If the average data Other trademarks and registred trademarks mentioned herein are properties of their respective owners rate over the last burst time seconds is less than burst threshold the actual data rate may reach burst limit burst time integer integer used to calculate average data rate dst address JP address netmask destination address to match dst netmask netmask netmask for dst address flows text packet flows which are marked in ip firewall mangle Current queue parameters apply only to packets which are marked with one of these flow marks interface text interface to which this queue applies limit at integer guaranteed data rate to this queue max limit integer data rate which can be reached if there is enough bandwidth available name text descriptive name of the queue p2p any all p2p bit torrent blubster direct connect edonkey fasttrack gnutella soulseek winmx which type of P2P traffic to match e all p2p match all P2P traffic e any match any packet 1 e
559. ult yes whether to forward frames to other AP clients or not disabled yes no default yes whether to disable the interface or not disable running check yes no default no disable running check For broken cards it is a good idea to set this value to yes hide ssid yes no default no whether to hide ssid or not in the beacon frames e yes ssid is not included in the beacon frames AP replies only to probe requests with the given ssid e no ssid is included in beacon frames AP replies to probe requests with the given ssid and to broadcast ssid mac address MAC address default 02 00 00 AA 00 00 MAC address of VAP You can define your own value for mac address master interface name hardware interface to use for VAP max station count integer default 2007 number of clients that can connect to this AP simultaneously mtu integer 68 1600 default 1500 Maximum Transmission Unit name name default wlanN interface name ssid text default Lobo the service set identifier WDS Interface Configuration Home menu level interface wireless wds Description WDS Wireless Distribution System allows packets to pass from one wireless AP Access Point to another just as if the APs were ports on a wired Ethernet switch APs must use the same standard 802 1 1a 802 11b or 802 11g and work on the same frequencies in order to connect to each other There are two possibilities to create a W
560. ultaneous login is allowed If the same credentials are used again when the user is still active the active one will be automatically logged off Example Other trademarks and registred trademarks mentioned herein are properties of their respective owners To add user ex with password ex that is allowed to log in only with 01 23 45 67 89 AB MAC address and is limited to 1 hour of work admin Lobo924 ip hotspot user gt add name ex password ex mac address 01 23 45 67 89 AB limit uptime 1h admin Lobo924 ip hotspot user gt print Flags X disabled SERVER NAME ADDRESS PROFILE UPTIME 0 ex default 00 00 00 admin Lobo924 ip hotspot user gt print detail Flags X disabled 0 name ex password ex mac address 01 23 45 67 89 AB profile default limit uptime 01 00 00 uptime 00 00 00 bytes in 0 bytes out 0 packets in 0 packets out 0 admin Lobo924 ip hotspot user gt HotSpot Active Users Home menu level ip hotspot active Description The active user list shows the list of currently logged in users Nothing can be changed here except user can be logged out with the remove command Property Description address read only IP address IP address of the user blocked read only flag whether the user is blocked by advertisement i e usual due advertisement is pending bytes in read only integer how many bytes did the router receive from the client bytes
561. uments MAC Telnet Server Property Description Notes Example MAC WinBox Server Property Description Notes Example Monitoring Active Session List Property Description Example MAC Telnet Client Example General Information Summary MAC telnet is used to provide access to a router that has no IP address set It works just like IP telnet MAC telnet is possible between two Lobo OSB routers only Specifications Packages required system License required levell Home menu level tool tool mac server Standards and Technologies MAC Telnet Hardware usage Not significant Related Documents e Software Package Management WinBox Ping e MNDP Other trademarks and registred trademarks mentioned herein are properties of their respective owners MAC Telnet Server Home menu level tool mac server Property Description interface name all default all interface name to which the mac server clients will connect e all all interfaces Notes There is an interface list in this submenu level If you add some interfaces to this list you allow MAC telnet to that interface Disabled disabled yes item means that interface is not allowed to accept MAC telnet sessions on that interface Example To enable MAC telnet server on ether1 interface only admin Lobo924 tool mac server gt print Flags X disabled INTERFACE 0 all admin Lobo924 tool mac server gt remove 0 admin Lobo924 tool mac server
562. unlimited e Session Timeout max lease time lease time Other trademarks and registred trademarks mentioned herein are properties of their respective owners Property Description add arp yes no default no whether to add dynamic ARP entry e no either ARP mode should be enabled on that interface or static ARP entries should be administratively defined in ip arp submenu address pool name static only default static only IP pool from which to take IP addresses for clients e static only allow only the clients that have a static lease i e no dynamic addresses will be given to clients only the ones added in lease submenu always broadcast yes no default no always send replies as broadcasts authoritative yes no default no whether the DHCP server is the only one DHCP server for that network bootp support none static dynamic default static support for BOOTP clients e none do not respond to BOOTP requests e static offer only static leases to BOOTP clients e dynamic offer static and dynamic leases for BOOTP clients delay threshold time default none if secs field in DHCP packet is smaller than delay threshold then this packet is ignored e none there is no threshold all DHCP packets are processed interface name Ethernet like interface name lease time time default 72h the time that a client may use an address The client will try to renew this address after a half of t
563. unwanted packets ip firewall filter add chain forward protocol tcp connection state invalid action drop comment drop invalid connections add chain forward connection state established action accept comment allow already established connections add chain forward connection state related action accept comment allow related connections Block IP addreses called bogons add chain forward src address 0 0 0 0 8 action drop add chain forward dst address 0 0 0 0 8 action drop add chain forward src address 127 0 0 0 8 action drop Other trademarks and registred trademarks mentioned herein are properties of their respective owners add chain forward dst address 127 0 0 0 8 action drop add chain forward src address 224 0 0 0 3 action drop add chain forward dst address 224 0 0 0 3 action drop Make jumps to new chains add chain forward protocol tcp action jump jump target tcp add chain forward protocol udp action jump jump target udp add chain forward protocol icmp action jump jump target icmp Create tcp chain and deny some tcp ports in it add chain tcp protocol tcp dst port 69 action drop comment deny TFTP add chain tcp protocol tcp dst port 111 action drop comment deny RPC portmapper add chain tcp protocol tcp dst port 135 action drop comment deny RPC portmapper add chain tcp protocol tcp dst port 137 139 action drop comment deny NBT add chain tcp protocol tcp dst port
564. use when logging on to the remote server password text default user password to use when logging to the remote server profile name default default profile to use when connecting to the remote server allow multiple choice mschap2 mschap1 chap pap default mschap2 mschap1 chap pap the protocol to allow the client to use for authentication add default route yes no default no whether to use the server which this client is connected to as its default router gateway Example To set up L2TP client named test2 using username john with password john to connect to the 10 1 1 12 L2TP server and use it as the default gateway Other trademarks and registred trademarks mentioned herein are properties of their respective owners admin Lobo924 interface 12tp client gt add name test2 connect to 10 1 1 12 user john add default route yes password john admin Lobo924 interface 12tp client gt print Flags X disabled R running 0 X name test2 mtu 1460 mru 1460 connect to 10 1 1 12 user john password john profile default add default route yes admin Lobo924 interface 12tp client gt enable 0 Monitoring L2TP Client Command name interface I2tp client monitor Property Description status text status of the client e Dialing attempting to make a connection e Verifying password connection has been established to the server password verification in progress
565. user text user name to use when logging on to the remote server Other trademarks and registred trademarks mentioned herein are properties of their respective owners Example To set up PPTP client named test2 using unsername john with password john to connect to the 10 1 1 12 PPTP server and use it as the default gateway admin Lobo924 interface pptp client gt add name test2 connect to 10 1 1 12 user john add default route yes password john admin Lobo924 interface pptp client gt print Flags X disabled R running 0 X name test2 mtu 1460 mru 1460 connect to 10 1 1 12 user john password john profile default add default route yes admin Lobo924 interface pptp client gt enable 0 Monitoring PPTP Client Command name interface pptp client monitor Property Description encoding text encryption and encoding if asymmetric seperated with being used in this connection status text status of the client e Dialing attempting to make a connection e Verifying password connection has been established to the server password verification in progress e Connected self explanatory Terminated interface is not enabled or the other side will not establish a connection uptime time connection time displayed in days hours minutes and seconds uptime time connection time displayed in days hours minutes and seconds Example Example of an established connection
566. uthenticate yes no default yes communicate only with authenticated by valid username and password clients enable yes no default no enable client connections for bandwidth test max sessions maximal number of bandwidth test clients Notes The list of current connections can be obtained in session submenu Example Bandwidth Server Other trademarks and registred trademarks mentioned herein are properties of their respective owners admin Lobo924 tool bandwidth server gt print enabled no authenticate yes allocate udp ports from 2000 max sessions 10 admin Lobo924 tool gt Active sessions admin Lobo924 tool gt bandwidth server session print CLIENT PROTOCOL DIRECTION USER 0 35 35 39 1 udp send admin 125 25 25 44 udp send admin 2 36 36 36 1 udp send admin admin Lobo924 tool gt To enable bandwidth test server without client authentication admin Lobo924 tool bandwidth server gt set enabled yes authenticate no admin Lobo924 tool bandwidth server gt print enabled yes authenticate no allocate udp ports from 2000 max sessions 10 admin Lobo924 tool gt Client Configuration Command name tool bandwidth test Property Description address JP address IP address of destination host assume lost time time default Os assume that connection is lost if Bandwidth Server is not responding for that time direction receive transmit both default recei
567. ve the direction of the test do name string default script source duration time default Os duration of the test e Os test duration is not limited interval time 20ms 5s default 1s delay between reports in seconds local tx speed integer default 0 transfer test maximum speed bits per second e 0 no speed limitations local tx size integer 40 64000 local transmit packet size in bytes password text default password for the remote user protocol udp tcp default udp protocol to use random data yes no default no if random data is set to yes the payload of the bandwidth test packets will have incompressible random data so that links that use data compression will not distort the results this is CPU intensive and random data should be set to no for low speed CPUs remote tx speed integer default 0 receive test maximum speed bits per second e 0 no speed limitations remote tx size integer 40 64000 remote transmit packet size in bytes Other trademarks and registred trademarks mentioned herein are properties of their respective owners user name default remote user Example To run 15 second long bandwidth test to the 10 0 0 211 host sending and receiving 1000 byte UDP packets and using username admin to connect admin Lobo924 tool gt bandwidth test 10 0 0 211 duration 15s direction both size 1000 protocol udp user admin status done testin
568. w routing mark net2 chain prerouting admin PB Router ip firewall mangle gt print Other trademarks and registred trademarks mentioned herein are properties of their respective owners 2 Flags X disabled I invalid D dynamic 0 chain prerouting src address 192 168 0 0 24 action mark routing new routing mark net1l 1 chain prerouting src address 192 168 1 0 24 action mark routing new routing mark net2 admin PB Router ip firewall mangle gt Route packets from network 192 168 0 0 24 to gateway GW_1 10 0 0 2 packets from network 192 168 1 0 24 to gateway GW_2 10 0 0 3 using the according packet marks If GW_1 or GW_2 fails does not reply to pings route the respective packets to GW_Main 10 0 0 1 admin PB Router ip route gt add gateway 10 0 0 2 routing mark net1 check gateway ping admin PB Router ip route gt add gateway 10 0 0 3 routing mark net2 check gateway ping admin PB Router ip route gt add gateway 10 0 0 1 admin PB Router ip route gt print Flags X disabled A active D dynamic C connect S static r rip b bgp o ospf DST ADDRESS PREF SRC G GATEWAY DISTANCE INTERFACE 0 ADC 10 0 0 0 24 10 20 20 07 Public 1 ADC 192 168 0 0 24 192 168 0 1 Locall 2 ADC 192 168 1 0 24 192 1685 1 Local2 3 AS 0 0 0 0 0 E gt 10 30 05 2 Public 4 AS 0 0 0 0 0 r 10 0 0 3 Public 5 AS 0 0 0 0 0 E LOOOL Public admin PB Router ip route gt
569. with being used in this Other trademarks and registred trademarks mentioned herein are properties of their respective owners connection mtu integer cannot be set here client s MTU name name interface name uptime time shows how long the client is connected user name the name of the user that is configured statically or added dynamically Example To add a static entry for ex1 user admin Lobo924 interface pptp server gt add user exl admin Lobo924 interface pptp server gt print Flags X disabled D dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME ENG xcs 0 DR lt pptp ex gt ex 1460 10 0 0 202 6m32s none T pptp in1 ex1 admin Lobo924 interface pptp server gt In this example an already connected user ex is shown besides the one we just added PPTP Application Examples Router to Router Secure Tunnel Example The following is an example of connecting two Intranets using an encrypted PPTP tunnel over the Internet There are two routers in this example HomeOffice Interface LocalHomeOffice 10 150 2 254 24 Interface ToInternet 192 168 80 1 24 RemoteOffice Interface ToInternet 192 168 81 1 24 Interface LocalRemoteOffice 10 150 1 254 24 Each router is connected to a different ISP One router can access another router through the Internet On the preforma PPTP server a user must be set up for the client admin HomeOffice ppp
570. wo IP addresses Returns boolean value gt greater Binary operator which compares two numbers two time values or two IP addresses Returns boolean value gt greater or equal Binary operator which compares two numbers two time values or two IP addresses Returns boolean value gt gt right shift Binary operator which shifts IP address by a given amount of bits The first argument is an IP address the second is an integer and the result is an IP address bitwise OR The argumens and the result are both IP addresses Il logical OR Binary operator The argumens and the result are both logical values Notes When comparing two arrays note that two arrays are equal only if their respective elements are equal Example Operator priority and evaluation order admin Lobo924 ip firewall rule forward gt put 10 1 6 2 11 12 2 3 1 false admin Lobo924 ip firewall rule forward gt put 10 1 6 2 11 12 2 3 1 true admin Lobo924 ip firewall rule forward logical NOT admin Lobo924 interface gt put true false admin Lobo924 interface gt put 2 gt 3 true admin Lobo924 interface gt unary minus admin Lobo924 interface gt put 1 lt 0 true admin Lobo924 gt 1 bit inversion admin Lobo924 interface gt put 255 255 0 0 0 0 255 255 admin Lobo924 interface gt sum admin Lobo924 interface gt put 3ms 5s 00 00 05 003 admi
571. ws how effective the transmit bandwidth is used regarding the theoretically maximum available bandwidth tx packed read only integer number of sent packets in form of sent packets number of packets which were packed into a larger ones using fast frames tx rate read only integer transmit data rate tx signal strength read only integer transmit signal level type read only name type of the client uptime read only time time the client is associated with the access point wds read only no yes whether the connected client is using wds or not Example To see registration table showing all clients currently associated with the access point admin Lobo924 interface wireless registration table gt print INTERFACE RADIO NAME MAC ADDRESS AP SIGNAL TX RATI 0 wirelessl 000124705304 00 01 24 70 53 04 no 38dBm 9Mbps admin Lobo924 interface wireless registration table gt Fl To get additional statistics admin Lobo924 interface wireless gt registration table print stats 0 interface dfaewad radio name 000C42050436 mac address 00 0C 42 05 04 36 ap yes wds no rx rate 54Mbps tx rate 54Mbps packets 597 668 bytes 48693 44191 frames 597 673 frame bytes 48693 44266 hw frames 597 683 hw frame bytes 63021 60698 uptime 45m28s last activity 0s signal strength 66dBm 54Mbps strength at rates 59dBm 1Mbps 13s120ms 61dBm 6Mbps 7s770ms 61dBm 9Mbps 40m43s970ms 60dBm 12
572. xamples on router user management Specifications Packages required system License required levell Home menu level user Hardware usage Not significant Related Documents Other trademarks and registred trademarks mentioned herein are properties of their respective owners PPP User AAA Software Package Management Description Lobo OSB router user facility manage the users connecting the router from the local console via terminal telnet SSH or Winbox The users are authenticated using either local database or designated RADIUS server Each user is assigned to a user group which denotes the rights of this user A group policy is a combination of individual policy items In case the user authentication is performed using RADIUS the RADIUS client should be previously configured under the radius submenu Router User Groups Home menu level user group Description The router user groups provide a convenient way to assign different permissions and access rights to different user classes Property Description name name the name of the user group policy multiple choice local telnet ssh ftp reboot read write policy test web default Nocal telnet ssh ftp reboot read write policy test web group policy item set e local policy that grants rights to log in locally via console e telnet policy that grants rights to log in remotely via telnet e ssh policy that grants rights t
573. xy 0 0 0 0 0 maximal client connecions 1000 maximal server connectons 1000 admin Lobo924 ip proxy gt Access List Home menu level ip proxy access Description Access list is implemented in the same way as Lobo OSB firewall rules Rules are processed from the top to the bottom First matching rule specifies decision of what to do with this connection There is a total of 6 classifiers that specify matching constraints If none of these classifiers is specified the particular rule will match every connection If connection is matched by a rule action property of this rule specifies whether connection will be allowed or not If the particular connection does not match any rule it will be allowed Property Description action allow deny default allow specifies whether to pass or deny matched packets dst address JP address netmask destination address of the IP packet dst host wildcard IP address or DNS name used to make connection the target server this is the string user wrote in his her browser before specifying port and path to a particular web page dst port port a list or range of ports the packet is destined to method any connect delete get head options post put trace HTTP method used in the request see HTTP Methods section in the end of this document Other trademarks and registred trademarks mentioned herein are properties of their respective owners path wildcard nam
574. y 1 If this option is used for a given counter then there must be at least Every rules with this option covering all values between 0 and Every 1 inclusively out interface name interface the packet will leave the router through p2p all p2p bit torrent blubster direct connect edonkey fasttrack gnutella soulseek warez winmx matches packets from various peer to peer P2P protocols packet size integer 0 65535 integer 0 65535 matches packet of the specified size or size range in bytes e Min specifies lower boundary of the size range or a standalone value e Max specifies upper boundary of the size range phys in interface name matches the bridge port physical input device added to a bridge device It is only useful if the packet has arrived through the bridge phys out interface name matches the bridge port physical output device added to a bridge device It is only useful if the packet will leave the router through the bridge protocol ddp egp encap ggp gre hmp icmp idrp cmtp igmp ipencap ipip ipsec ah ipsec esp iso tp4 ospf pup rdp rspf st tcp udp vmtp xns idp xtp integer matches particular IP protocol specified by protocol name or number You should specify this setting if you want to specify ports Other trademarks and registred trademarks mentioned herein are properties of their respective owners psd integer time integer integer attempts
575. y 4 state mature auth key 8ac9dc7ecebfed9cd1030ae3b07b32e8e5cb98af enc key 8a8073a7afd0f74518c10438a0023e64cc660ed69845ca3c add lifetime 24m 30m use lifetime 0s 0s lifebytes 0 0 current addtime jan 28 2003 20 55 12 current usetime jan 28 2003 20 55 12 current bytes 512 admin WiFi ip ipsec gt Flushing Installed SA Table Command name ip ipsec installed sa flush Description Sometimes after incorrect incomplete negotiations took place it is required to flush manually the installed SA table so that SA could be renegotiated This option is provided by the flush command Property Description sa type multiple choice ah all esp default all specifies SA types to flush Other trademarks and registred trademarks mentioned herein are properties of their respective owners e ah delete AH protocol SAs only e esp delete ESP protocol SAs only e all delete both ESP and AH protocols SAs Example To flush all the SAs installed admin Lobo924 ip ipsec installed sa gt flush admin Lobo924 ip ipsec installed sa gt print admin Lobo924 ip ipsec installed sa gt Counters Home menu level ip ipsec counters Property Description in accept read only integer shows how many incoming packets were matched by accept policy in accept isakmp read only integer shows how many incoming UDP packets on port 500 were let through without matching a policy in decrypte
576. y NTP server status read only text status of the NTP client e stopped NTP is not running NTP is disabled e error there was some internal error starting NTP service please try to restart disable and enable NTP service e started NTP client service is started but NTP server is not found yet e failed NTP server sent invalid response to our NTP client NTP server is not synchronized to some other time source e reached NTP server contacted Comparing local clock to NTP server s clock duration of this phase is approximately 30s e timeset local time changed to NTP server s time duration of this phase is approximately 30s e synchronized local clock is synchronized to NTP server s clock NTP server is activated Other trademarks and registred trademarks mentioned herein are properties of their respective owners e using local clock using local clock as time source server enabled while client disabled Example To enable the NTP client to synchronize with the 159 148 60 2 server admin Lobo924 system ntp client gt set enabled yes primary ntp 159 148 60 2 admin Lobo924 system ntp client gt print enabled yes mode unicast primary ntp 159 148 60 2 secondary ntp 0 0 0 0 status synchronized admin Lobo924 system ntp client gt Server Home menu level system ntp server Property Description broadcast yes no default no whether NTP broadcast message is sent to 255 255 255 255 ev
577. y addresses that you are using as virtual addresses i e they are added in ip vrrp address must not appear in ip address list as they otherwise can cause IP address conflict which will not be resolved automatically Also You must have an IP address no matter what on the interface you want to run VRRP on Example To add a VRRP instance on ether1 interface forming because priority is 255 a virtual router with vrid of 1 admin Lobo924 ip vrrp gt add interface etherl vrid 1 priority 255 admin Lobo924 ip vrrp gt print Flags X disabled I invalid M master B backup 0O I name vrl interface etherl vrid 1 priority 255 interval 1 preemption mode yes authentication none password _on backup on master admin Lobo924 ip vrrp gt Virtual IP addresses Home menu level Ap vrrp address Property Description address ZP address IP address belongs to the virtual router network IP address IP address of the network broadcast JP address broadcasting IP address virtual router name VRRP router s name the address belongs to Notes Other trademarks and registred trademarks mentioned herein are properties of their respective owners The virtual IP addresses should be the same for each node of a virtual router Example To add a virtual address of 192 168 1 1 24 to the vr1 VRRP router admin Lobo924 ip vrrp gt address add address 192 168 1 1 24 virtual router vrl admin Lobo924 ip
578. y matched packets dst address ZP address netmask destination address of the IP packet dst port port a list or range of ports the packet is destined to local port port specifies the port of the web proxy via which the packet was received This value should match one of the ports web proxy is listening on method any connect delete get head options post put trace HTTP method used in the request see HTTP Methods section in the end of this document src address JP address netmask source address of the IP packet url wildcard the URL of the HTTP request Notes There is one rule by default that disallows connect method connections to ports other than 443 https and 563 snews connect method is a security hole that allows connections transparent tunneling to any computer using any protocol It is used mostly by spammers as they found it very convenient to use others mail SMTP servers as anonymous mail relay to send spam over the Internet It is strongly recommended to deny all IP addresses except those behind the router as the proxy still may be used to access your internal use only intranet web servers Also consult examples in Firewall Manual on how to protect your router Wildcard property url matches a complete string i e they will not match example com if they are set to example Available wildcards are match any number of any characters and match any one character Reg
579. y update 5m ame WEP AP mode ap br idge ssid mt_wep frequency 5320 band 5ghz disabled no security profile StationXx admin WEP_AP interface wireless gt print Flags X disabled R running name WEP AP mtu 1500 mac address 00 0C 42 05 04 36 arp enabled disable running check no interface type Atheros AR5413 X radio name 000C42050436 mode ap bri dge ssid mt_wep ar a frequency mode superchannel country no_country_set antenna gain 0 frequency 5320 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodi c calibration default burst time disabled fast frames no df s mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid update stats interval disabled default authentication yes no default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile StationxX disconnect timeout 3s on fail retry time 100ms preamble mod admin WEP_AP interface wireless gt access l admin WEP_AP interface wireless access li private key 654321098765432109876
580. yes admin Lobo924 tool graphing resource gt print Flags X disabled ALLOW ADDRESS STORE ON DISK 0 192 168 0 0 24 yes admin Lobo924 tool graphing resource gt Other trademarks and registred trademarks mentioned herein are properties of their respective owners HotSpot User AAA Document revision 2 3 Tue Sep 27 14 30 17 GMT 2005 This document applies to Lobo OSB V2 8 Table of Contents Table of Contents Summary Specifications Related Documents Description HotSpot User Profiles Description Property Description Notes Example HotSpot Users Property Description Notes Example HotSpot Active Users Description Property Description Example General Information Summary This document provides information on authentication authorization and accounting parameters and configuration for HotSpot gateway system Specifications Packages required system License required levell Home menu level Ap hotspot user Standards and Technologies RADIUS Hardware usage Local traffic accounting requires additional memory Related Documents HotSpot Gateway PPP User AAA e Router User AAA Other trademarks and registred trademarks mentioned herein are properties of their respective owners RADIUS client e Software Package Management IP Addresses and ARP Description HotSpot User Profiles Home menu level ip hotspot user profile Description HotSpot User profiles are used for common user sett
Download Pdf Manuals
Related Search