Allied Telesis AT-WR4500 User's Manual
Contents
1. icis dep ict t Lebe ceases 104 5 4 Routes Equal Cost Multipath Routing Policy Routing eerte nennen 110 5 4 1 General Information 110 5 4 2 DUE 5 4 3 112 5 4 4 Application Examples 113 6 DHCP and 116 6 DECP Client and Servers ettet rre cente ec tte peek re cech Oeo Rae cR eo 116 6 1 1 General Information u cccccccscssscsssssesesssessssscscscesscssssssssssssssssssssssssesessssssssecssssesssssssssssssssssesees 116 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 6 1 2 DHCP Client 5 enis Der cen pense ree 117 6 1 3 DHCP S6rver Setups tt n ee o hee 118 6 1 4 Store Leases On 120 6 1 5 BB call 1 1 10 el lt n 121 6 1 6 DHGRP Server 121 6 1 7 DHCP Alert de Ed ecd Us tbt te 123 6 1 8 DEICP ODptOr c oboe es Diaries 123 6 1 9 Nee ive id vated ive td Nt NS dd NN e Need tue E Net 124 6 1 10 Qu estiorns amp 125 6 1 11 Application reet cosciente 126 6 2 DNS2. 10 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide PREFACE Purpose of This Guide This guide describes the AT WR4500 Series Outdoor Wireless Routers RouterOS command structure and configuration for allowing users or network managers to correctly configure the router getting the most of it How This Guide is organized This guide contains the following chapters and appendices Chapter Introduction describes the features functions LEDs and ports on the equipment Please refer to the relevant Quick Installation guides for information on how to install and setup each router Chapter 2 Configuring RouterOS describes how to access the router s command facility and perform the basic configuration tasts through the Command Line Interface The Web GUI and the WinBox application Chapter 3 Configuration and Software Management describes how to backup export and restore the router s configuration Chapters from 4 on describe all the available commands and parameters with some configuration examples Document Conventions This guide uses several conventions that you should become familiar with before you begin to install the product GY Note A note provides additional information Please go to the Allied Telesis website http www alliedtelesis com for the translated safety statement in your language Warning A warning indicates that performin
3. Figure 20 EoIP Application Example Figure 21 Bonding two EoIP tunnels Figure 22 IPIP Tunnel example Figure 23 Router to Router Secure Tunnel Figure 24 Secure Remote office connection through L2TP tunnel eese 167 Figure 25 Client to Office secure connection via L2TP tunnel Figure 26 PPPoE Example 22221 Figure 27 Network Setup without PPTP 2 Figure 28 Network Setup with encrypted PPTP 2 Figure 29 Connecting a Remote Client via and Encrypted PPTP Tunnel Figure 30 transport mode example using ESP with automatic keying Figure 31 Add accept and masquerading rules in SRC NAT Figure 32 Packet Flow Diagram eati tette be t e eM Ape ie et ERE debt nea Leges Lets dedi dee te dao Figure 33 Firewall Connection Tracking timeouts sssssesssssssessesnssseesssenscsesssesecssesusssssssesuseseessecuscseeaesuseseeaeseneenees Figure 34 HotSpot example network Figure 35 Simple VRRP fail over Figure Figure 37 Network Load Statistics Matrix Figure 38 Network load profile by time Figure 39 Traffic Load by protocol
4. The values this table are set dBm NOT mW Therefore this table is used mainly to reduce the transmit power of the card Property Description manual tx powers text define tx power in dBm for each rate separate by commas AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 55 RouterOS v3 Configuration and User Guide Example To set the following transmit powers at each rates IMbps I0dBm 2 104 5 5Mbps 9dBm I IMbps Q7dBm do the following adminQ AT WR4562 interface wireless manual tx power table print 0 name wlanl manual tx powers 1Mbps 17 2Mbps 17 5 5Mbps 17 11Mbps 17 6Mbps 17 9Mbps 17 12Mbps 17 18Mbps 17 24Mbps 17 36Mbps 17 48Mbps 17 54Mbps 17 admin AT WR4562 interface wireless manual tx power table set 0 manual tx powers 1Mbps 10 2Mbps 10 5 5Mbps 9 11Mbps 7 adminQ AT WR4562 interface wireless manual tx power table print 0 name wlanl manual tx powers 1Mbps 10 2Mbps 10 5 5Mbps 9 11Mbps 7 adminQ AT WR4562 interface wireless manual tx power table gt 4 3 15 Network Scan Command name interface wireless scan interface name Description This is a feature that allows you to scan all available wireless networks While scanning the card unregisters itself from the access point in station mode or unregisters all clients in bridge or ap bridge mode Thus network connections are lost while scanning Property Description addr
5. This is an ordered list so you can put more specific entries on the top of the list for them to override more common rules that appear lower You can even put an entry with 0 0 0 0 0 address at the end of the list to make the desired action default for those addresses that will not match any other entry 10 3 6 Active Host List Submenu level ip hotspot host Description This menu shows all active network hosts that are connected to the HotSpot gateway This list includes all one to one NAT translations Property Description address read only IP address the original IP address of the client authorized read only flag whether the client is successfully authenticated by the HotSpot system bridge port read only name the actual physical interface which the host is connected to This is used when HotSpot service is put on a bridge interface to determine the host s actual port within the bridge bypassed read only flag whether the client does not need to be authorized by the HotSpot system bytes in read only integer how many bytes did the router receive from the client bytes out read only integer how many bytes did the router send to the client found by read only text how was this host discovered first packet type sender recipient host dead time read only time how long has the router not received any packets including ARP replies keepalive replies and user traffic from this host id
6. x f b PPTP Tunnel p 2 7 Remote 7 d Our GW lt 192 168 1 1 192 168 2 1 in 10001 Figure 20 EoIP Application Example To make a secure Ethernet bridge between two routers you should Create PPTP tunnel between them Our will be the pptp server N password top s3 local address 10 0 0 1 remote address 10 0 0 2 adminGOur GW interface pptp server add name from remote user joe admin Our_GW interface pptp server gt server set enable yes admin Our_GW interface pptp server gt print Flags X disabled D dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME 0 from_remote joe admin Our_GW interface pptp server gt The Remote router will be the pptp client admin Remote interface pptp client gt add name pptp user joe connect to 192 168 1 1 password top s3 mtu 1500 mru 1500 admin Remote interface pptp client gt enable pptp admin Remote interface pptp client gt print Flags X disabled running 0 name pptp mtu 1500 mru 1500 connect to 192 168 1 1 user joe password top s2 profile default add default route no admin Remote interface pptp client monitor pptp status connected uptime 39m46s encoding none admin Remote interface pptp client admin Our_GW interface pptp server ppp secret add name joe service pptp ENC See the PPTP Interface Manual for
7. 0 t s 48Mbps t 2007 ode ant a no default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile Stationl disconnect timeout on fail retry time 100ms preamble mode both admin WEP_Stationl interface wireless 3s AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 73 RouterOS v3 Configuration and User Guide Config of WEP_StationX admin8 WEP StationX interface wireless security profiles add name StationX NV mode static keys required static algo 1 40bit wep static key 1 1234567890 static transmit key key 1 admin8 WEP StationX interface wireless security profiles gt print 0 name default mode none wpa unicast ciphers wpa group ciphers pre shared key static algo 0 none static key 0 static algo 1 none static key 1 static algo 2 none static key 2 static algo 3 none static key 3 2 static transmit key key 0 static sta private algo none tatic sta private key radius mac authentication no group key update 5m ame StationX mode static keys required wpa unicast ciphers pa group ciphers pre shared key static algo 0 none static key 0 tic algo 1 40bit wep static key 1 1234567890 static algo 2 none tatic key 2 static algo 3 none static key 3 tatic transmit key key 1 static sta private algo none static sta private key radius mac authentication no group key update 5m admin WEP StationX interface
8. 22222222 231 0 3 6 Active Host 5 ere esten aet n cei 232 10 3 7 Description 2 22222 232 0 3 8 gt Service eei e ien ti 232 10 3 9 Customizing HotSpot Firewall 220 233 10 3 10 Customizing HotSpot HTTP Servlet Pages 22222211 236 10 3 11 Possible Error 2222 242 0 3 12 HotSpot n 243 10 4 HotSpot User 244 10 4 1 General Information 4 2 244 1042 HotSpot User Profiles eese tentent tentent nntentennten ttn ttnntententennts 244 10 4 3 HotSpot 246 10 4 4 HotSpot Active 247 High Availability protocols and techniques etes tenente tentent 249 EM AB de 249 1 1 1 General Informatio Nassa a AA A a es 249 LENZ VRRP 249 UERS n eee ee eee Deeds 251 11 1 4 simple example of VRRP fail over tentent tnntententnntenenntnnte 251 2 ca
9. AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 175 RouterOS v3 Configuration and User Guide 8 6 5 PPPoE Users Description The PPPoE users are authenticated through a RADIUS server if configured and if RADIUS fails then the local PPP user databese is used See the respective manual sections for more information e RADIUS client User 8 6 6 PPPoE Server User Interfaces Submenu level interface pppoe server Description There are two types of interface tunnel items in PPTP server configuration static users and dynamic connections An interface is created for each tunnel established to the given server Static interfaces are added administratively if there is a need to reference the particular interface name in firewall rules or elsewhere created for the particular user Dynamic interfaces are added to this list automatically whenever a user is connected and its username does not match any existing static entry or in case the entry is active already as there can not be two separate tunnel interfaces referenced by the same name Dynamic interfaces appear when a user connects and disappear once the user disconnects so it is impossible to reference the tunnel created for that use in router configuration for example in firewall so if you need a persistent rules for that user create a static entry for him her Otherwise it is safe to use dynamic configuration In both cases PPP
10. gt lt input type hidden name user value S username gt lt input type hidden name link login 1 link login gt lt input type hidden name link orig 1 link orig gt lt input type hidden name error value S error gt lt form gt lt script language JavaScript gt lt document redirect submit gt lt script gt lt body gt lt html gt e The external server can log in a HotSpot client by redirecting it back to the original HotSpot servlet login page specifying the correct username and password Here is an example of such a page it is redirecting to https hotspot example com login replace with the actual address of a HotSpot router also it is displaying www alliedtelesis com after successful login replace with what needed lt html gt lt title gt Hotspot login page lt title gt lt body gt lt form name login action https hotspot example com login method post gt lt input type text name username value demo gt lt input type password name password value none gt lt input type hidden name domain value gt lt input type hidden name dst value http www alliedtelesis com gt lt input type submit name login value log in gt lt form gt lt body gt lt html gt 242 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User G
11. manual sa add name ah sal ah spi 0x101 0x100 admin Routerl gt ipsec policy add src address 10 1 0 0 24 dst address 10 2 0 0 24 action encrypt ipsec protocols ah tunnel yes sa src 1 0 0 1 sa dst 1 0 0 2 manual sa ah sal for Router2 admin Router2 gt ipsec manual sa add name ah sal ah spi 0x100 0x101 ah key abcfed admin Router2 gt ip ipsec policy add src address 10 2 0 0 24 N dst address 10 1 0 0 24 action encrypt ipsec protocols ah N tunnel yes sa src 1 0 0 2 sa dst 1 0 0 1 manual sa ah sal IPsec Between two Masquerading RouterOS Routers IP Network 1 0 0 0 24 21 lt 1 0 0 2 Router 7 1 0 0 1 on M 10 2 0 0 24 10 1 0 0 24 Figure 31 Add accept and masquerading rules in SRC NAT for Router admin Routerl gt ip firewall nat add chain srcnat src address 10 1 0 0 24 dst address 10 2 0 0 24 admin Routerl gt ip firewall nat add chain srcnat out interface public N action masquerade for Router2 admin Router2 gt ip firewall nat chain srcnat add src address 10 2 0 0 24 dst address 10 1 0 0 24 admin Router2 gt ip firewall nat chain srcnat add out interface public N action masquerade AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 197 RouterOS v3 Configuration and User Guide configure IPse
12. 126 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide The wizard has made the following configuration based on the answers above admin AT WR4562 ip dhcp server gt print Flags disabled I invalid NAME INTERFACE RELAY ADDRESS POOL LEASE TIME ADD ARP 0 1 etherl 0 0 0 0 dhcp_pooll 3d no admin AT WR4562 dhcp server gt network print ADDRESS GATEWAY DNS SERVER WINS SERVER DOMAIN 0 10 0 0 0 24 10 0 0 159 148 60 20 admin AT WR4562 ip dhcp server gt ip pool print NAME RANGES 0 dhcp 11 10 0 0 2 10 0 0 254 admin AT WR4562 ip dhcp server gt 6 1 11 Application Examples Dynamic Addressing using DHCP Relay Let us consider that you have several IP networks behind other routers but you want to keep all DHCP servers on a single router To do this you need a DHCP relay on your network which relies DHCP requests from clients to DHCP server This example will show you how to configure a DHCP server and a DHCP relay which serve 2 IP networks 192 168 1 0 24 and 192 168 2 0 24 that are behind a router DHCP Relay DHCP Server Public Public 192 168 0 2 24 DHCP Relay Locall Figure 18 DHCP Relay IP addresses of DHCP Server admin DHCP Server ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 192 168 0 1 24 192 168 0
13. 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 596020 5965204 5970 0 5975204598040 5985 0 5990 40 599510 6000 0 6005 0 6010 0 6015 0 6020 0 6025 0 6030 0 6035 0 6040 0 6045 0 6050 0 6055 0 6060 0 6065 0 6070 0 6075 0 6080 0 6085 0 6090 0 6095 0 6100 0 2ghz g channels 2312 0 2317 0 2322 0 2327 0 2332 0 2337 0 2342 0 2347 2352 0 2357 0 2362 0 2367 0 2372 0 2377 0 2382 0 2387 2392 0 2397 0 2402 0 2407 0 2412 0 2417 0 2422 0 2427 2432 0 2437 0 2442 0 2447 0 2452 0 2457 0 2462 0 2467 2472 0 2477 0 2482 0 2487 0 2492 0 2497 0 2314 0 2319 2324 0 2329 0 2334 0 2339 0 2344 0 2349 0 2354 0 2359 2364 0 2369 0 2374 0 2379 0 2384 0 2389 0 2394 0 2399 2404 0 2409 0 2414 0 2419 0 2424 0 2429 0 2434 0 2439 2444 0 2449 0 2454 0 2459 0 2464 0 2469 0 2474 0 2479 2484 0 2489 0 2494 0 2499 0 2ghz g turbo channels 2312 0 2317 0 2322 0 2327 0 2332 0 2337 0 2342 0 2347 0 2352 0 2357 0 2362 0 2367 0 2372 0 237 750 2382 0 2387 0 2392 0 2397 0 2402 0 2407 0 2412 0 2417 0 2422 0 2427 0 2432 0 2437 0 2442 0 2447 0 2452 0 2457 0 2462 0 2467 0 2472 0 2477 0 2482 0 0 0 0 0 0 oM 2487 0 2492 0 2497 0 2314 0 2319 0 2324 0 2329 2334 0 2339 0 2344 0 2349 0 2354 0 2359 0 2364 2369 0 237420 2379 0 238420 238920 239420 2399 2404 0 2409 0 2414 0 2419 0 2424 0 2429 0 2434 2439 0 2444 0 2449 0 2454 0 2459 0 2464 0 2469
14. 9 3 Packet Flow 9 3 1 General Information Summary This manual describes the order in which an IP packet traverses various internal facilities of the router and some general information regarding packet handling common IP protocols and protocol options Specifications Packages required system License required Level3 Submenu level ip firewall Standards and Technologies IP Hardware usage Increases with NAT mangle and filter rules count Related Topics IP Addresses and ARP Routes Equal Cost Multipath Routing Policy Routing NAT Mangle Filter 9 3 2 Packet Flow Description RouterOS is designed to be easy to operate in various aspects including IP firewall Therefore regular firewall policies can be created and deployed without the knowledge about how the packets are processed in the router For example if all that required is just natting internal clients to a public address the following command can be issued assuming the interface to the Internet in named Public ip firewall nat add action masquerade out interface Public chain srcnat Regular packet filtering bandwith management or packet marking can be configured with ease in a similar manner However a more complicated configuration could be deployed only with a good understanding of the underlying processes in the router AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 211 RouterOS v3 Configuration and User Guide Th
15. Example To enable RADIUS AAA enter the following command admin AT WR4562 user aaa set use radius yes admin AT WR4562 user aaa print use radius yes accounting yes interim update 0s default group read admin AT WR4562 user aaa 7 3 6 SSH keys Submenu level user ssh keys Description Remote users may be allowed to log in without using password authentication and even ever entering their password but by using pregenerated DSA openssh SSH keys instead Note that if you use puttygen convert generated keys to right type Property Description key owner read only text emote user as specified in the key file user name the user that is allowed to log in using this key must exist in the user list Command Description import import the uploaded DSA key user the user the imported key is linked to file filename of the DSA key to import Example Generating key on a linux machine sh 3 00 ssh keygen t dsa f id dsa Generating public private dsa key pair Enter passphrase empty for no passphrase Enter same passphrase again Your identification has been saved in id dsa Your public key has been saved in id dsa pub The key fingerprint is 91 d7 08 be b6 a1 67 5e 81 02 cb 4d 47 d6 a0 3b admin ssh test Importing the generated ang uploaded key admin AT WR4562 user ssh keys gt print USER KEY OWNER admin AT WR4562 user ssh keys import file id d
16. It is impossible to import the whole router configuration using this feature It can only be used to import a part of configuration for example firewall rules in order to spare you some typing Command Description file filename loads the exported configuration from a file to router Example To load the saved export file use the following command admin AT WR4562 gt import address rsc Opening script file address rsc Script file loaded successfully admin AT WR4562 gt 3 1 4 Configuration Reset Command name system reset Description The command clears all configuration of the router and sets it to the default including the login name and password 4 and no password IP addresses and other configuration is erased interfaces will become disabled After the reset command router will reboot Command Description reset erases router s configuration If the router has been installed using netinstall and had a script specified as the initial configuration the reset command executes this script after purging the configuration To stop it doing so you will have to reinstall the router Example admin AT WR4562 gt system reset Dangerous Reset anyway y N n action cancelled admin AT WR4562 gt 3 2 Software Version Management 3 2 1 General Information Summary To upgrade RouterOS to a more recent version you can simply transfer the packa
17. To Office From Laptop 10 150 1 2 32 10 150 1 254 32 LAN 10 150 1 254 24 192 168 80 111 24 10 150 1 1 24 Figure 25 Client to Office secure connection via L2TP tunnel The router in this example RemoteOffice Interface Tolnternet 192 168 81 1 24 Interface Office 10 150 1 254 24 The client computer can access the router through the Internet On the L2TP server a user must be set up for the client admin RemoteOffice ppp secret add name ex service l12tp password lkjrht local address 10 150 1 254 remote address 10 150 1 2 admin8 RemoteOffice ppp secret print detail Flags X disabled 0 name ex service 12tp caller id password lkjrht profile default local address 10 150 1 254 remote address 10 150 1 2 routes admin RemoteOffice ppp secret Then the user should be added in the L2TP server list admin8 RemoteOffice interface l2tp server add name FromLaptop user ex admin8 RemoteOffice interface l2tp server print Flags X disabled D dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME ENC 0 FromLaptop ex admin RemoteOffice interface l2tp server And the server must be enabled admin RemoteOffice interface l2tp server server set enabled yes admin RemoteOffice interface l2tp server server print enabled yes mtu 1460 mru 1460 authentication mschap2 default profile default admin8 RemoteOffice interface l2tp server server
18. 170 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Finally the proxy APR must be enabled on the Office interface admin RemoteOffice interface ethernet set Office arp proxy arp admin RemoteOffice interface ethernet print Flags X disabled R running NAME MTU MAC ADDRESS ARP 0 ToInternet 1500 00 30 4 0 7 1 enabled 1 R Office 1500 00 30 4F 06 62 12 proxy arp admin RemoteOffice interface ethernet L2TP Setup for Windows Microsoft provides L2TP client support for Windows XP 2000 NT4 ME and 98 Windows 2000 and XP include support in the Windows setup or automatically install L2TP For 98 NT and ME installation requires a download from Microsoft L2TP IPsec VPN Client For more information see Microsoft L2TP IPsec VPN Client Microsoft L2TP IPsec VPN Client On Windows 2000 L2TP setup without IPsec requires editing registry Disabling IPsec for the Windows 2000 Client Disabling IPSEC Policy Used with L2TP 8 5 7 Troubleshooting Description firewall and cannot establish L2TP connection Make sure UDP connections can pass through both directions between your sites My Windows L2TP IPsec VPN Client fails to connect to L2TP server with Error 789 or Error 781 The error messages 789 and 781 occur when IPsec is not configured properly on both ends See the respective documentation on how to configur
19. Allied Telesis gt AT WR4500 Series IEEE 802 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide PN 613 000813 Rev B 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Copyright 2009 Allied Telesis International All rights reserved No part of this publication may be reproduced without prior written permission from Allied Telesis International Microsoft and Internet Explorer are registered trademarks of Microsoft Corporation Mikrotik and RouterOS are trademarks of Mikrotikls SIA All other product names company names logos or other designations mentioned herein are trademarks or registered trademarks of their respective owners Parts of this manual reproduced with Mikrotik permission from Mikrotik RouterOS v3 0 Reference Manual Allied Telesis Inc reserves the right to make changes in specifications and other information contained in this document without prior written notice The information provided herein is subject to change without notice In no event shall Allied Telesis Inc be liable for any incidental special indirect or consequential damages whatsoever including but not limited to lost profits arising out of or related to this manual or the information contained herein even if Allied Telesis Inc has been advised of known or should have known the possibility of such damages AT WR4500 Series IEEE 802 1 labgh
20. Ascend Data Rate tx rx data rate limitation if multiple attributes are provided first limits tx data rate second rx data rate If used together with Ascend Xmit Rate specifies rx rate 0 if unlimited e Ascend Xmit Rate tx data rate limitation It be used to specify tx limit only instead of sending two sequental Ascend Data Rate attributes in that case Ascend Data Rate will specify the receive rate 0 if unlimited e Session Timeout max lease time lease time Property Description add arp yes no default no whether to add dynamic ARP entry no either ARP mode should be enabled on that interface or static ARP entries should be administratively defined in ip arp submenu address pool name static only default static only IP pool from which to take IP addresses for clients static only allow only the clients that have a static lease i e no dynamic addresses will be given to clients only the ones added in lease submenu always broadcast yes no default no always send replies as broadcasts authoritative after Osec delay after 2sec delay yes default after 2sec delay whether the DHCP server is the only one DHCP server for the network after Osec delay to clients request for an address dhcp server will wait 10 seconds and if there is another request from the client after this period of time then dhcp server will offer the address to the client or will send DHCPNAK if the
21. Example To enable the OSPF protocol on the 10 10 1 0 24 network and include it into the backbone area do the following admin AT WR4562 routing ospf network add area backbone network 10 10 1 0 24 adminQ AT WR4562 routing ospf network print Flags X disabled NETWORK AREA 0 10 10 1 0 24 backbone adminQ AT WR4562 routing ospf gt 102 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 5 3 5 Interfaces Submenu level routing ospf interface Description This facility provides tools for additional in depth configuration of OSPF interface specific parameters You do not have to configure interfaces in order to run OSPF Property Description authentication key text default authentication key have to be used by neighboring routers that are using OSPF s simple password authentication cost integer 1 65535 default 1 interface cost expressed as link state metric dead interval time default 40s specifies the interval after which a neighbor is declared as dead The interval is advertised in the router s hello packets This value must be the same for all routers and access servers on a specific network hello interval time default 10s the interval between hello packets that the router sends on the interface The smaller the hello interval the faster topological changes will be detected but more routing traffic will ensue
22. On Router 2 admin AT WR4562 ip address gt add address 10 10 10 2 24 interface test admin AT WR4562 ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 201 24 10 0 0 0 10 0 0 255 etherl 1 10 10 10 2 24 10 10 10 0 10 10 10 255 test admin AT WR4562 ip address gt If it set up correctly then it is possible to ping Router 2 from Router and vice versa admin AT WR4562 ip address gt ping 10 10 10 1 10 10 1 64 byte pong ttl 255 time 3 ms 10 10 1 64 byte pong ttl 255 time 4 ms 10 10 1 64 byte pong 1 255 time 10 ms 10 10 10 1 64 byte pong ttl 255 time 5 ms 4 packets transmitted 4 packets received 0 packet loss round trip min avg max 3 10 5 10 ms 5 59 59 9 admin AT WR4562 address gt ping 10 10 10 2 10 10 10 2 64 byte pong 1 255 time 10 ms 10 10 10 2 64 byte pong 1 255 time 11 ms 10 10 10 2 64 byte pong ttl 255 time 10 ms 10 10 10 2 64 byte pong ttl 255 time 13 ms 4 packets transmitted 4 packets received 0 packet loss round trip min avg max 10 11 13 ms admin AT WR4562 ip address gt ct ct ct ct D wlod 4 5 Bridge Interfaces 4 5 1 General Information Summary MAC level bridging of Ethernet Ethernet over IP EoIP and Atheros wireless interfaces are supported All 802 1 1a 802 1 Ib and 802 1 Ig client wireless interfaces ad hoc infrastructure or station mode d
23. Internet DHCP Server Public To Radius 172 16 0 1 24 RADIUS 10 1 0 2 24 172 16 0 2 24 19216801247 1 2 2 I lt anaana Local Network Address Range 192 168 0 0 24 Figure 19 DHCP with RADIUS We assume that you already have installed FreeRADIUS Just add these lines to specified files e users file 00 0B 6B 31 02 4B Auth Type Local Password Framed IP Address 192 168 0 55 clients conf file client 172 16 0 1 secret MySecret shortname Server Configure Radius Client on RouterOS radius add service dhcp address 172 16 0 2 secret MySecret admin DHCP Server radius print detail Flags X disabled 0 service dhcp called id domain address 172 16 0 2 secret MySecret authentication port 1812 accounting port 1813 timeout 00 00 00 300 accounting backup no realm admin DHCP Server radius Setup DHCP Server Create an address pool ip pool add name Radius Clients ranges 192 168 0 11 192 168 0 100 2 Adda DHCP server ip dhcp server add address pool Radius Clients use radius yes interface Local disabled no 3 Configure DHCP networks ip dhcp server network add address 192 168 0 0 24 gateway 192 168 0 1 dns server 159 148 147 194 159 148 60 20 Now the client with MAC address 00 0B 6B 31 02 4B will always receive IP address 192 168 0 55 AT
24. _ 1 10 1 0 to_main 10 2 0 1 OSPF_peer_2 to_main 10 1 0 1 to peerl 10 3 0 2 OSPF peer 1 backup 10 3 0 1 Figure 13 OSPF Backup In this example We introduce an OSPF area with area ID 0 0 0 1 which includes all three routers shown on the diagram 2 Only the OSPF Main router will have the default route configured Its interfaces peer and peer2 will be configured for the OSPF protocol The interface main gw will not be used for distributing the OSPF routing information 3 routers OSPF peer and OSPF peer 2 will distribute their connected route information and receive the default route using the OSPF protocol AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 105 RouterOS v3 Configuration and User Guide Now let s setup the OSPF_MAIN router The router should have 3 NICs adminQ8OSPF MAIN interface print Flags X disabled D dynamic R running NAME TYPE RX RATE TX RATE MTU 0 R main_gw ether 0 0 1500 1 to peer 1 ether 0 0 1500 2 R to peer 2 ether 0 0 1500 Add all needed ip addresses to interfaces as it is shown here adminQOSPF MAIN ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 192 168 0 11 24 192 168 0 0 192 168 0 255 main_gw 1 10 1 0 2 24 10 1 0 0 10 1 0 255 to peer 1 2 10 2 0 2 24 10 2 0 0 10 2 0 255 to peer 2 You should set distribute default as if installed as type 2 redistribute connected as
25. none do not use encryption and do not accept encrypted packets 40bit wep use the 40bit encryption also known as 64bit wep and accept only these packets 104bit wep use the 1045 encryption also known as 28bit wep and accept only these packets aes ccm use the AES CCM Advanced Encryption Standard in Counter with CBC MAC encryption algorithm and accept only these packets tkip use the TKIP Temporal Key Integrity Protocol and accept only these packets static key 0 text hexadecimal key which will be used to encrypt packets with the 40bit wep or 104bit wep algorithm algo 0 If AES CCM is used the key must consist of even number of characters and must be at least 32 characters long For TKIP the key must be at least 64 characters long and also must consist of even number characters static key l text hexadecimal key which will be used to encrypt packets with the 40bit wep or 104bit wep algorithm algo 1 AES CCM is used the key must consist of even number of characters and must be at least 32 characters long For TKIP the key must be at least 64 characters long and also must consist of even number characters static key 2 text hexadecimal key which will be used to encrypt packets with the 40bit wep or 104bit wep algorithm algo 2 If AES CCM is used the key must consist of even number of characters and must be at least 32 characters long For TKIP the key must be at least 64 characters long and also must consist of e
26. running 0 X name test2 mtu 1460 mru 1460 connect to 10 1 1 12 user john password john profile default add default route yes allow pap chap mschapl mschap2 admin AT WR4562 interface pptp client gt enable 0 AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 181 RouterOS v3 Configuration and User Guide 8 7 3 Monitoring PPTP Client Command name interface pptp client monitor Property Description encoding text encryption and encoding if asymmetric separated with being used in this connection idle time read only time time since the last packet has been transmitted over this link mru read only integer effective MRU of the link mtu read only integer effective MTU of the link status text status of the client dialing attempting to make a connection verifying password connection has been established to the server password verification in progress connected self explanatory terminated interface is not enabled or the other side will not establish a connection uptime time connection time displayed in days hours minutes and seconds Example Example of an established connection adminQ AT WR4562 interface pptp client gt monitor test2 status connected uptime 6h44m9s idle time 6h44m9s encoding MPPE128 stateless mtu 1460 mru 1460 adminQ AT WR4562 interface pptp client gt 8 7 4 PPTP Server Setup Submenu level interface
27. IP pool name on the router from which to get IP address for the client If Framed IP Address is specified this attribute is ignored If Framed IP Address or Framed Pool is specified it overrides remote address default configuration Idle Timeout overrides idle timeout in the default configuration Session Timeout overrides session timeout in the default configuration Port Limit maximal mumber of simultaneous connections using the same username overrides te shared users property of the HotSpot user profile Class cookie will be included in Accounting Request unchanged Framed Route routes to add on the server Format is specified in RFC2865 Ch 5 22 can be specified as many times as needed Filter Id firewall filter chain name It is used to make a dynamic firewall rule Firewall chain name can have suffix in or out that will install rule only for incoming or outgoing traffic Multiple Filter id can be provided but only last ones for incoming and outgoing is used For PPPs filter rules in ppp chain that will jump to the specified chain if a packet has come to from the client that means that 136 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide you should first create a ppp chain and make jump rules that would put actual traffic to this chain The same applies for HotSpot but the rules will be created in hotspot chain Mikrotik
28. Miscellaneous variables session id value of session id parameter in the last request var value of var parameter in the last request error error message if something failed invalid username or password error orig original error message without translations retrieved from errors txt if something failed invalid username or password chap id value of chap ID 371 chap challenge value of chap challenge 357 0 I 5 330 0 I 3 02 1 234 145 245 303 253 142 246 1 334 7513753310 6 popup whether to pop up checkbox true or false advert pending whether an advertisement is pending to be displayed yes or no RADIUS related variables radius lt id gt show the attribute identified with id in text string form in case RADIUS authentication was used otherwise AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 239 RouterOS v3 Configuration and User Guide radius lt id gt u show the attribute identified with lt id gt in unsigned integer form in case RADIUS authentication was used 0 otherwise radius lt id gt lt vnd id gt show the attribute identified with lt id gt and vendor ID lt vnd id gt in text string form in case RADIUS authentication was used otherwise radius lt id gt lt vnd id gt u show the attribute identified with id and vendor ID lt vnd id gt in unsigned integer form in case RADIUS authentication was used 0 otherwise Working with va
29. This http mark is put automatically on the HTTP proxy requests to the servers detected by the HotSpot HTTP proxy the one that is listening on the 64874 port to be HTTP proxy requests to unknown proxy servers This is done so that users that have some proxy settings would use the HotSpot gateway instead of the possibly unavailable outside their network of origin proxy server users have configured in their computers The mark is as well put on any HTTP requests done form the users whoose profile is configured to transparently proxy their requests 14 D chain hs auth protocol tcp dst port 25 action jump jump target hs smtp Providing SMTP proxy for authorized users the same as in rule 12 AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 235 RouterOS v3 Configuration and User Guide Packet filter rules From ip firewall filter print dynamic command you can get something like this comments follow after each of the rules 0 D chain forward action jump jump target hs unauth hotspot from client auth Any packet that traverses the router from unauthorized client will be sent to the hs unauth chain The hs unauth implements the IP based Walled Garden filter 1 chain forward action jump jump target hs unauth to hotspot to client auth Everything that comes to clients through the router gets redirected to another chain called hs unauth to This chain should reject unau
30. admin AT WR4562 dhcp server gt 6 1 4 Store Leases on Disk Submenu level ip dhcp server config Description Leases are always stored on disk on graceful shutdown and reboot If on every lease change it is stored on disk a lot of disk writes happen There are no problems if it happens on a hard drive but is very bad on Compact Flash especially if lease times are very short To minimize writes on disk all changes are flushed together every store leases disk seconds If this time will be very short immediately then no changes will be lost even in case of hard reboots and power losts But on CF there may be too many writes in case of short lease times as in case of hotspot If this time will be very long never then there will be no writes on disk but information about active leases may be lost in case of power loss In these cases dhcp server may give out the same ip address to another client if first one will not respond to ping requests AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 121 RouterOS v3 Configuration and User Guide Property Description store leases disk time interval immediately never default 5min how frequently lease changes should be stored on disk 6 1 5 DHCP Networks Submenu level ip dhcp server network Property Description address IP address netmask the network DHCP server s will lend addresses from boot file name text Boot file name dhcp o
31. admin PPPoE Server interface pppoe server server print Flags X disabled 0 Service name mt interface wlanl max mtu 1480 max mru 1480 authentication pap chap mschapl mschap2 keepalive timeout 10 one session per host yes max sessions 0 default profile default admin PPPoE Server interface pppoe server server Finally we can set up PPPoE clients admin PPPoE Server ip pool add name pppoe ranges 10 1 0 100 10 1 0 200 admin PPPoE Server ip pool print NAME RANGES 0 pppoe 10 1 0 100 10 1 0 200 admin PPPoE Server ip pool ppp profile adminQPPPoE Server ppp profile set default use encryption yes local address 10 1 0 3 remote address pppoe admin PPPoE Server ppp profile print Flags default 0 name default local address 10 1 0 3 remote address pppoe use compression no use vj compression no use encryption yes only one no change tcp mss yes 1 name default encryption use compression default use vj compression default use encryption yes only one default change tcp mss default admin PPPoE Server ppp profile secret admin PPPoE Server ppp secret add name w password wkst service pppoe admin PPPoE Server ppp secret add name 1 password ltp service pppoe admin PPPoE Server ppp secret print Flags X disabled NAME SERVICE CALLER ID PASSWORD PROFILE REMOTE ADDRESS 0 w pppoe wkst default 0 0 0 0 1 1 pppoe ltp default 0 0 0 0 admin PPPoE Server ppp secret Thus
32. basic and supported rates settings are not used instead default values are used configured basic and supported rates settings are used as configured scan list multiple choice integer default default default the list of channels to scan default represents all frequencies allowed by the regulatory domain in the respective country If no country is set these frequencies are used for 2 4GHz mode 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 for 2 4GHz g turbo mode 2437 for 5GHz mode 5180 5200 5220 5240 5260 5280 5300 5320 5745 5765 5785 5805 5825 for 5GHz turbo 5210 5250 5290 5760 5800 security profile text default default which security profile to use Define security profiles under linterface wireless security profiles where you can setup WPA or WEP wireless security for further details see the Security Profiles section of this manual ssid text default AT WR4560 Service Set Identifier Used to separate wireless networks supported rates a g multiple choice 6Mbps 9Mbps 12 18 24Mbps 36Mbps 48Mbps 54Mbps rates to be supported in 802 1 or 802 1 Ig standard supported rates b multiple choice Mbps 2Mbps 5 5Mbps I Mbps rates to be supported in 802 1 Ib standard tx power integer 30 30 default 17 manually sets the transmit power of the card in dBm if tx power mode is set to card rates or all rates fixed see tx power mode description
33. e Calling Station ld client identifier active client id Framed IP Address IP address of the client active address e Called Station Id name of DHCP server e User Name MAC address of the client active mac address e Password Access Accept Framed IP Address address that will be assigned to client Framed Pool ip pool from which to assign ip address to client e Rate Limit Datarate limitation for DHCP clients Format is rx rate tx rate rx burst rate tx burst e rate rx burst threshold tx burst threshold rx burst time tx burst time priority rx rate min tx e rate min All rates should be numbers with optional 1 0005 or M 1 000 000s If tx rate is not AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 119 RouterOS v3 Configuration and User Guide e specified rx rate is as tx rate too Same goes for tx burst rate and tx burst threshold and tx burst time e f both rx burst threshold and tx burst threshold are not specified but burst rate is specified rx rate e tx rate are used as burst thresholds If both rx burst time and tx burst time are not specified Is is e as default Priority takes values 1 8 where implies the highest priority but 8 the lowest If rx rate min and tx rate min are not specified rx rate and tx rate values are used The rx rate min and tx rate min values can not exceed rx rate and tx rate values
34. enabled yes no whether to enable traffic flow service or not inactive flow timeout time default 15s how long to keep the flow active if it is idle interfaces name names of those interfaces which will be used to gather statistics for traffic flow To specify more than one interface separate them with a comma 12 3 4 Traffic Flow Target Submenu level ip traffic flow target Description With Traffic Flow targets we specify those hosts which will gather the Traffic Flow information from router Property Description address IP address port IP address and port UDP of the host which receives Traffic Flow statistic packets from the router v9 template refresh integer default 20 number of packets after which the template is sent to the receiving host only for NetFlow version 9 v9 template timeout after how long to send the template if it has not been sent version 1 5 9 which version format of NetFlow to use 12 3 5 Application Examples Traffic Flow Example This example shows how to configure Traffic Flow on a router Enable Traffic Flow on the router adminQ AT WR4562 ip traffic flow set enabled yes admin AT WR4562 ip traffic flow print enabled yes interfaces all cache entries 1k active flow timeout 30m inactive flow timeout 15s adminQAT WR4562 ip traffic flow Specify IP address and port of the host which will receive Traffic Flow packets admin
35. local dst to client matches packets received from clients against various HotSpot conditions All values can be negated auth true if a packet comes from an authenticted HotSpotclient from client true if a packet comes from any HotSpot client http true if a HotSpot client sends a packet to the address and port previously detected as his proxy server Universal Proxy technique or if the destination port is 80 and transparent proxying is enabled for AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 207 RouterOS v3 Configuration and User Guide that particular client local dst true if a packet has local destination IP address to client true if a packet is sent to a client icmp options integer integer match ICMP Type Code fields in bridge port name actual interface the packet has entered the router through if bridged this property matches the actual bridge port while in interface the bridge itself in interface name interface the packet has entered the router through if the interface is bridged then the packet will appear to come from the bridge interface itself ingress priority integer 0 63 INGRESS received priority of the packet if set 0 otherwise The priority may be derived from either VLAN or WMM priority ipv4 options any loose source routing no record route no router alert no source routing no timestamp none record route router alert strict source routing
36. may be any RFC 2003 compliant router 160 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Use lip There is address add command to assign an IP address to the IPIP interface no authentication or state for this interface The bandwidth usage of the interface may be monitored with the monitor feature from the interface menu 8 4 3 Application Examples Description Suppose we want to add an IPIP tunnel between routers RI and R2 m CN f 4 R2 Figure 22 IPIP Tunnel example network At first we need to configure IPIP interfaces and then add IP addresses to them The configuration for router RI is as follows local address remote address admin AT WR4562 10505051 admin AT WR4562 admin AT WR4562 interface ipip gt add 22 63 11 6 admin AT WR4562 interface ipip gt print Flags X disabled running NAME MTU LOCAL ADDRESS REMOTE ADDRESS O X ipipl 1480 10 0 0 1 22 63 11 6 interface ipip gt 0 interface gt ip address add address 1 1 1 1 24 interface ipipl The configuration of the R2 is shown below admin AT WR4562 admin AT WR4562 admin AT WR4562 interface ipip gt add local address 22 63 11 6 remote address 10 0 0 1 admin AT WR4562 interface ipip gt print Flags X disabled R running N
37. p2p may heavily disturb other network traffic such as http and e mail RouterOS is able to recognize connections of the most popular P2P protocols and filter or enforce QOS on them The protocols which can be detected are Fasttrack Kazaa KazaaLite Diet Kazaa Grokster iMesh giFT Poisoned mlMac e Gnutella Shareaza XoLoX Gnucleus BearShare LimeWire java Morpheus Swapper Gtk Gnutella linux Mutella linux Qtella linux MLDonkey Acquisition Mac OS Poisoned Swapper Shareaza XoloX e Gnutella2 Shareaza MLDonkey Gnucleus Morpheus Adagio mlMac DirectConnect DirectConnect AKA DC MLDonkey NeoModus Direct Connect BCDC CZDC eDonkey eDonkey2000 eMule xMule linux Shareaza MLDonkey mlMac Overnet Soulseek Soulseek MLDonkey e BitTorrent BitTorrent BitTorrent Shareaza MLDonkey ABC Azureus BitAnarch SimpleBT BitTorrent Net mlMac Blubster Blubster Piolet e WPNP WinMX e Warez Warez Ares starting from 2 8 18 this protocol can only be dropped speed limiting is impossible 9 4 NAT 9 4 1 General Information Summary Network Address Translation NAT is a router facility that replaces source and or destination IP addresses of the IP packet as it pass through thhe router It is most commonly used to enable multiple host on a private network to access the Internet using a single public IP address Specifications Pack
38. whether the packet is a fragment of an IP packet Starting packet i e first fragment does not count Note that is the connection tracking is enabled there will be no fragments as the system automatically assembles every packet hotspot multiple choice auth from client http local dst to client matches packets received from clients against various HotSpot conditions All values can be negated auth true if a packet comes from an authenticted HotSpotclient from client true if a packet comes from any HotSpot client http true if a HotSpot client sends a packet to the address and port previously detected as his proxy server Universal Proxy technique or if the destination port is 80 and transparent proxying is enabled for that particular client local dst true if a packet has local destination IP address to client true if a packet is sent to a client icmp options integer integer matches ICMP Type Code fields in bridge port name actual interface the packet has entered the router through if bridged this property matches the actual bridge port while in interface the bridge itself in interface name interface the packet has entered the router through if the interface is bridged then the packet will appear to come from the bridge interface itself ingress priority integer 0 63 INGRESS received priority of the packet if set 0 otherwise The priority may be derived from either VLAN or WMM priority
39. 1 255 default 1 VRRP update interval in seconds Defines how frequently the master of the given cluster sends VRRP advertisement packets mac address MAC address MAC address of the VRRP instance According to the RFC any VRRP instance should have its unique MAC address master read only flag whether the instance is in the master state mtu integer default 1500 Maximum Transmission Unit name name assigned name of the VRRP instance on backup name default script to execute when the node switch to backup state on master name default script to execute when the node switch to master state password text default password required for authentication depending on method used can be ignored if no authentication used 8 character long text string for plain text authentication or 16 character long text string 128 bit key required for AH authentication preemption mode yes no default yes whether preemption mode is enabled no a backup node will not be elected to be a master until the current master fail even if the backup node has higher priority than the current master yes the master node always has the priority priority integer 1 255 default 100 priority of the current node higher values mean higher priority 255 RFC requires that the router that owns the IP addresses assigned to this instance had the priority of 255 vrid integer 0 255 default 1 Virtual Router Identifier
40. 12 3 1 General Information Specifications Packages required system License required Level Submenu level ip traffic flow Hardware usage Not significant 12 3 2 Related Documents NTop Description Traffic Flow is a system that provides statistic information about packets which pass through the router Besides network monitoring and accounting system administrators can identify various problems that may occur in the network With help of Traffic Flow it is possible to analyze and optimize the overall network performance Traffic Flow supports the following NetFlow formats e version the first version of NetFlow data format do not use it unless you have to e version 5 in addition to version version 5 has the BGP AS and flow sequence number information included e version 9 a new format which be extended with new fields and record types thank s to its template style design Additional Resources http www ntop org netflow html 12 3 3 General Configuration Description This section describes the basic configuration of Traffic Flow AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 259 RouterOS v3 Configuration and User Guide Property Description active flow timeout time default 30m maximum life time of a flow cache entries Ik 2k 4k 8k 16k 32k 64k 128k 256k 512k default Ik number of flows which can reside in the router s memory simultaneously
41. 60 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Property Description channel time time default 200ms how long to snoop each channel if multiple channels is set to yes multiple channels yes no default no whether to snoop multiple channels or a single channel no wireless snooper snoops only one channel in frequency that is configured in interface wireless yes snoop in all channels that are listed in the scan list in interface wireless receive errors yes no default no whether to receive packets with CRC errors Command Description snoop starts monitoring wireless channels wireless interface name interface that monitoring is performed on BAND operating band Example Snoop 802 Ib network admin AT WR4562 interface wireless snooper gt snoop wlanl BAND FREO USE BW NET COUNT STA COUNT 2 4ghz b 2412MHz 1 5 11 8kbps 2 2 2 4ghz b 2417MHz 1 3 6 83kbps 0 1 2 4ghz b 2422MHz 0 6 4 38kbps 1 all 2 4ghz b 2427MHz 0 6 4 43kbps 0 0 2 4ghz b 2432MHz 0 3 2 22kbps 0 0 2 4ghz b 2437MHz 0 Obps 0 0 2 4ghz b 2442MHz 1 8 1kbps 0 0 2 4ghz b 2447MHz 1 8 22kbps 1 1 2 4ghz b 2452MHz 1 8 3kbps 0 0 2 4ghz b 2457 2 0 Obps 0 0 2 4ghz b 2462MHz 0 Obps 0 0 admin AT WR4562 interface wireless snooper gt 4 3 21 Application Examples Station and AccessPoint This example shows how to configure 2 RouterOS routers one as Acce
42. Clientiand Cacher rte tte e eh 129 6 2 1 General INFOrmation eet eoe t eet rte Er 129 6 3 DINS Cache Setup cete ne Urn 129 6 3 1 Cache 130 6 3 2 Static DNS Fete tld ova E 130 6 4 AEM tries 130 6 5 Static DNS 130 6 6 Flushing DINS cache AAA Configuration e E rt 132 7 1 RADIUS 132 7 1 1 General Information ccccccsesessssssssessssssssesesssssscsesesssscscsesesesssseseseseeesessseseseseseseseeseseseseseenens 132 7 1 2 RADIUS Client Setup 132 7 1 3 Connection Terminating from 22012111 133 7 1 4 Suggested RADIUS Servers 4 42222 134 7 1 5 Supported RADIUS Attributes 20 2 2 4 4 134 7 1 6 Troubleshooting OU ASN OER cte ERE 140 7 2 PPP Ser AAA 141 7 2 1 General INFOrmation et eee dte ut 141 7 2 2 Local PPP User Profil amp s ete te etd nece etes aede eee ns 141 7 2 3 Local PPP 6 143 7 2 4 Monitoring Active PPP 01 144 7 2 5 PPP User Remote AAA edet 145 7 3 Router User scatet dte ed ave D dde 145 7 3 1 General Info
43. Flags R radius NAME SERVICE CALLER ID ADDRESS UPTIME ENCODING 0 ex pptp 105051112 10 0 0 254 114165 128 admin rb13 gt ppp active print detail Flags radius 0 name ex service pptp caller id 10 0 11 12 address 10 0 0 254 uptime 1m22s encoding MPPE128 stateless session id 0x8180002B limit bytes in 200000000 limit bytes out 0 admin rb13 gt ppp active print stats Flags R radius Lj NAME BYTES PACKETS 0 ex 10510 159690614 187 210257 admin rb13 gt AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 145 RouterOS v3 Configuration and User Guide 7 2 5 PPP User Remote AAA Submenu level ppp aaa Property Description accounting yes no default yes enable RADIUS accounting interim update time default Os Interim Update time interval use radius yes no default no enable user authentication via RADIUS RADIUS user database is queried only if the required username is not found local user database Example To enable RADIUS AAA admin AT WR4562 ppp aaa set use radius yes adminQ AT WR4562 ppp aaa print use radius yes accounting yes interim update 0s admin AT WR4562 ppp aaa 7 3 Router User AAA 7 3 1 General Information Summary This documents provides summary configuration reference and examples on router user management Specifications Packages required system License required Level Submenu l
44. IP Addresses and ARP 10 4 2 HotSpot User Profiles Submenu level ip hotspot user profile Description HotSpot User profiles are used for common user settings Profiles are like user groups they are grouping users with the same limits Property Description address pool name none default none the IP pool name which the users will be given IP addresses from This works like dhcp pool method in earlier versions of RouterOS except that it does not use DHCP but rather the embedded one to one NAT none do not reassign IP addresses to the users of this profile advertise yes no default no whether to enable forced advertisement popups for this profile advertise interval multiple choice time default 30m 10m set of intervals between showing advertisement popups After the list is done the last value is used for all further advertisements advertise timeout time immediately never default Im how long to wait for advertisement to be shown before blocking network access with walled garden AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 245 RouterOS v3 Configuration and User Guide advertise url multiple choice text default http www alliedtelesis com list of URLs to show as advertisement popups The list is cyclic so when the last item reached next time the first is Shown idle timeout time none default none idle timeout maximal period of inactivity for authorized clients It i
45. IP Addresses and ARP RADIUS client PPP User AAA Log Management Additional Resources Links for PPPoE documentation http www faqs org rfcs rfc25 6 html PPPoE Clients RASPPPoE for Windows 95 98 98SE ME NT4 2000 XP NET http support microsoft com kb 283070 http www raspppoe com 8 6 2 PPPoE Client Setup Submenu level interface pppoe client Description The PPPoE client supports high speed connections It is fully compatible with the RouterOS PPPoE server access concentrator For Windows some connection instructions may use the form where the phone number such WR4500_AC mt to indicate that WR4500_AC is the access concentrator name and mt is the service name Property Description ac name text default this may be left blank and the client will connect to any access concentrator that offers the service name selected add default route yes no default no whether to add a default route automatically allow multiple choice mschap2 mschapl chap pap default mschap2 mschapl chap pap the protocol to allow the client to use for authentication dial on demand yes no default no connects to AC only when outbound traffic is generated and disconnects when there is no traffic for the period set in the idle timeout value interface name interface the PPPoE server can be reached through max mru integer default 1460 Maximum Receiv
46. If a packet is bigger than tunnel MTU it will be split into multiple packets allowing full size IP or Ethernet packets to be sent over the tunnel disabled disable MRRU on this link 182 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Specifying MRRU means enabling Multilink PPP over single link This protocol is used to split big packets into smaller ones Under Windows it can be enabled in Networking tag Settings button Negotiate multi link for single link connections Their MRRU is hardcoded to 1614 This setting is usefull to overcome PathMTU discovery failures The MP should be enabled on both peers Example To enable PPTP server admin AT WR4562 interface pptp server server set enabled yes admin AT WR4562 interface pptp server server print enabled yes mtu 1460 mru 1460 authentication mschap2 mschapl keepalive timeout 30 default profile default admin AT WR4562 interface pptp server server 8 7 5 PPTP Users Description The PPTP users are authenticated through a RADIUS server if configured and if RADIUS fails then the local PPP user databese is used See the respective manual sections for more information e RADIUS client e PPP User AAA 8 7 6 PPTP Tunnel Interfaces Submenu level interface pptp server Description There are two types of interface tunnel items in PPTP server configurati
47. If value is set to no the router determines whether the card is up and running for AP one or more clients have to be registered to it for station it should be connected to an AP This setting affects the records in the routing table in a way that there will be no route for the card that is not running the same applies to dynamic routing protocols If set to yes the interface will always be shown as running disconnect timeout time default 3s time since the third sending failure 3 hw retries l packets have been lost at the lowest datarate only i e since the first time on fail retry time has been activated when the client gets disconnected logged as extensive data loss frame lifetime integer default 0 frame lifetime in centiseconds since the first sending attempt to send the frame Wireless normally does not drop any packets at all until the client is disconnected If there is no need to accumulate packets you can set the time after which the packet will be discarded 0 never drop packets until the client is disconnected default value frequency integer operating frequency of the AP ignored for the client which always scans through its scan list regardless of the value set in this field frequency mode regulatory domain manual tx power superchannel default regulatory domain defines which frequency channels to allow regulatory domain use the channels allowed in the selected country at the allowed tr
48. Nstreme Figure 7 Nstreme network example The setup of Nstreme is similar to usual wireless configuration except that you have to do some changes under interface wireless nstreme Set the Nstreme AP to bridge mode and enable Nstreme on it admin Nstreme AP interface wireless set 0 mode bridge ssid nstreme band 5ghz frequency 5805 disabled no admin Nstreme AP interface wireless print Flags X disabled R running 0 name wlanl mtu 1500 mac address 00 0C 42 05 00 22 arp enabled disable running check no interface type Atheros AR5413 radio name 000C42050022 mode bridge ssid nstreme area frequency mode superchannel country no country set antenna gain 0 frequency 5805 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps llMbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both admin Nstreme AP interface wireless nstreme ad
49. basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both admin Station interface wireless ip address admin Station ip address add address 10 1 0 2 24 interface To AP admin Station ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 172 16 0 2 24 172 16 0 0 172 16 0 255 To AP 1 192 168 2 3 24 192 168 2 0 192 168 2 255 2 10 1 0 2 24 10 1 0 0 10 1 0 255 To AP admin Station ip address gt Check whether you can ping the Access Point from Station admin Station gt ping 10 1 0 1 10 1 0 1 64 byte ping ttl 264 time 3 ms 10 1 0 1 64 byte ping ttl 264 time 3 ms 10 1 0 1 64 byte ping ttl 64 time 3 ms 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 3 3 0 3 ms admin Station gt WDS Station Using 802 11 set of standards you cannot simply bridge wireless stations To solve this problem the wds station mode was created it wo
50. bolvia brazil brunei darussalam bulgaria canada chile china colombia costa rica croatia cyprus czech republic denmark dominican republic ecuador egypt el salvador estonia finland france france res georgia germany greece guatemala honduras hong kong hungary iceland india indonesia iran ireland israel italy japan japan japan2 japan3 japan4 5 jordan kazakhstan korea republic korea republic2 kuwait latvia lebanon liechtenstein lithuania luxemburg macau macedonia malaysia mexico monaco morocco netherlands new zealand no country set north korea norway oman pakistan panama peru philippines poland portugal puerto rico qatar romania russia saudi arabia singapore slovak republic slovenia south africa spain sweden switzerland syria taiwan thailand trinidad amp tobago tunisia turkey ukraine united arab emirates united kingdom united states uruguay uzbekistan venezuela viet nam yemen zimbabwe default country set limits wireless settings frequency and transmit power to those which are allowed in the respective country no country set no regulatory domain limitations default ap tx limit integer default 0 limits data rate for each wireless client in bps 0 no limits default authentication yes no default yes specifies the default action on
51. default 100 default bridge port cost of the WDS links wds ignore ssid yes no default no if set to yes the AP will create WDS links with any other AP in this frequency If set to no the ssid values must match on both APs wds mode disabled dynamic static WDS mode disabled WDS interfaces are disabled dynamic WDS interfaces are created the static WDS interfaces are created manually wmm support disabled enabled required whether to allow or require peer to use WMM extensions to provide basic quality of service The VAP MAC address is set by default to the same address as the physical interface has with the second bit of the first byte set i e the MAC address would start with 02 If that address is already used by some other wireless or VAP interface it is increased by until a free spot is found When manually assigning MAC address keep in mind that it should have the first bit of the first byte unset so it should not be like 01 or A3 Note also that it is recommended to keep the MAC adress of VAP as similar in terms of bit values to the MAC address of the physical interface it is put onto as possible because the more different the addresses are the more it affects performance eo 4 3 10 WDS Interface Configuration Submenu level interface wireless wds Description WDS Wireless Distribution System allows packets to pass from one wireless AP Access Point to
52. default no specifies whether to redistribute connected routes to neighbor routers or not redistribute ospf yes no default no specifies whether to redistribute routes learned via OSPF protocol to neighbor routers or not redistribute bgp yes no default no specifies whether to redistribute routes learned via bgp protocol to neighbor routers or not metric default integer default I specifies metric the number of hops for the default route metric static integer default I specifies metric the number of hops for the static routes metric connected integer default I specifies metric the number of hops for the connected routes metric ospf integer default I specifies metric the number of hops for the routes learned via OSPF protocol metric bgp integer default I specifies metric the number of hops for the routes learned via BGP protocol update timer time default 30s specifies frequency of RIP updates timeout timer time default 3m specifies time interval after which the route is considered invalid garbage timer time default 2m specifies time interval after which the invalid route will be dropped from neighbor router table The maximum metric of RIP route is 15 Metric higher than 15 is considered infinity and routes with such metric are considered unreachable Thus RIP cannot be used on networks with more than 15 hops between any two routers and using redistribute metrics la
53. field value specified by the new dscp parameter change mss change Maximum Segment Size field value of the packet to a value specified by the new mss parameter change ttl change Time to Live field value of the packet to a value specified by the new ttl parameter jump jump to the chain specified by the value of the jump target parameter log each match with this action will add a message to the system log mark connection place a mark specified by the new connection mark parameter on the entire connection that matches the rule mark packet place a mark specified by the new packet mark parameter on a packet that matches the rule mark routing place a mark specified by the new routing mark parameter on a packet This kind of marks is used for policy routing purposes only passthrough ignore this rule go on to the next one return pass control back to the chain from where the jump took place set priority set priority speciefied by the new priority parameter on the packets sent out through a link that is capable of transporting priority VLAN or WMM enabled wireless interface strip ipv4 options strip IPv4 option fields from the IP packet address list name specify the name of the address list to collect IP addresses from rules having action add dst to address list or action add src to address list actions These address lists could be later used for packet matching address list timeout time default 00 00 00 time interval
54. ipv4 options any loose source routing no record route no router alert no source routing no timestamp none record route router alert strict source routing timestamp match ipv4 header options any match packet with at least one of the ipv4 options loose source routing match packets with loose source routing option This option is used to route the internet datagram based on information supplied by the source no record route match packets with no record route option This option is used to route the internet datagram based on information supplied by the source no router alert match packets with no router alter option no source routing match packets with no source routing option no timestamp match packets with no timestamp option record route match packets with record route option router alert match packets with router alter option strict source routing match packets with strict source routing option timestamp match packets with timestamp jump target forward input output name name of the target chain to jump to if the action jump is used layer7 protocol name Layer 7 filter name as set in the ip firewall layer7 protocol menu Caution this matcher needs high computational power limit integer time 0 integer restricts packet match rate to a given limit Usefull to reduce the amount of log messages count maximum average packet rate measured in packets per second pps unless f
55. l e to make it possible for the clients with unknown proxy settings to work with the HotSpot system This feature is called Universal Proxy If it is detected that a client is using some proxy server the system will automatically mark that packets with the http hotspot mark to work around the unknown proxy problem as we will see later on Note that the port used 64874 is the same as for HTTP requests in the rule 8 so both HTTP and HTTP proxy requests are processed by the same code 11 D chain hs unauth protocol tcp dst port 443 action redirect to ports 64875 HTTPS proxy is listening on the 64875 port 13 I chain hs unauth action jump jump target hs smtp dst port 25 protocol tcp Redirect for SMTP protocol may also be defined in the HotSpot configuration In case it is a redirect rule will be put in the hs smtp chain This is done so that users with unknown SMTP configuration would be able to send their mail through the service provider s your SMTP server instead of going to the possibly unavailable outside their network of origin SMTP server users have configured on their computers The chain is empty by default hence the invalid jump rule 15 I chain hs auth action jump jump target hs smtp dst port 25 protocol tcp Providing HTTP proxy service for authorized users Authenticated user requests may need to be subject to the transparent proxying the Universal Proxy technique and for the advertisement feature
56. local address IP address name IP address or IP address pool name for PPP server name name user s name used for authentication password text default user s password used for authentication profile name default default profile name to use together with this access record for user authentication remote address IP address name IP address or IP address pool name for PPP clients 144 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide routes text routes that appear on the server when the client is connected The route format is dst address gateway metric for example 10 1 0 0 24 10 0 0 1 1 Several routes may be specified separated with commas If gateway is not specified the remote address is used If metric is not speciefied the metric of I is used service any async I2tp ovpn pppoe pptp default any specifies the services available to a particular user Example To add the user ex with password Ikjrht and profile ex available for PPTP service only enter the following command admin rb13 ppp secret gt add name ex password lkjrht service pptp profile ex admin rb13 ppp secret gt print Flags X disabled SERVICE CALLER ID PASSWORD PROFILE REMOTE ADDRESS 0 ex pptp lkjrht ex 0 0 0 0 admin rb13 ppp secret 7 2 4 Monitoring Active PPP Users Command name ppp active print Property Descrip
57. must be unique on one interface All the nodes of one cluster must have the same vrid interval preemption mode authentication and password To add a VRRP instance on etherl interface forming because priority is 255 a virtual router with vrid of I admin AT WR4562 ip vrrp add interface etherl vrid 1 priority 255 admin AT WR4562 ip vrrp print Flags X disabled I invalid M master B backup 0 I name vri interface etherl vrid 1 priority 255 interval 1 preemption mode yes authentication none password on backup on master admin AT WR4562 ip vrrp gt Note that the instance is active at once This is because it has the priority of 255 The instance would wait in backup mode for a new master election process to complete in its favour before assuming the master role otherwise This also means that there must not be other VRRP routers with the maximal priority AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 251 RouterOS v3 Configuration and User Guide 1 1 3 Virtual IP addresses Submenu level ip vrrp address Property Description address IP address IP address belongs to the virtual router broadcast address broadcasting IP address interface name default default interface where to put the address on may be different form the interface this VRRP instance is running on default put this address on the interface th
58. no default default default defines whether a user is allowed to have more then one connection at a time yes a user is not allowed to have more than one connection at a time no the user is allowed to have more than one connection at a time default derive this value from the interface default profile same as no if this is the interface default profile outgoing filter name firewall chain name for outgoing packets Specified chain gets control for each packet going to the client The ppp chain should be manually added and rules with action jump jump target ppp should be added to other relevant chains in order for this feature to work For more information look at the Examples section rate limit text default rate limitation in form of rx rate tx rate rx burst rate tx burst rate rx burst threshold tx burst threshold rx burst time tx burst time priority rx rate min tx rate min from the point of view of the router so rx is client upload and tx is client download All rates are measured in bits per second unless followed by optional k suffix kilobits per second or M suffix megabits per second If tx rate is not specified rx rate serves as tx rate too The same applies for tx burst rate tx burst threshold and tx burst time If both rx burst threshold and tx burst threshold are not specified but burst rate is specified rx rate and tx rate are used as burst thresholds If both rx burst time and
59. port 23 type the following command ip firewall filter add chain input protocol tcp dst port 23 action drop To only allow not more than 5 simultaneous connections from each of the clients do the following ip firewall filter add chain forward protocol tcp tcp flags syn connection limit 6 32 action drop Specifications Packages required system License required Level P2P filters limited to 1 Level3 Submenu level ip firewall filter Standards and Technologies RFC2113 Hardware usage Increases with filtering rules count Related Topics IP Addresses and ARP Routes Equal Cost Multipath Routing Policy Routing NAT Mangle Packet Flow 9 1 2 Firewall Filter Submenu level ip firewall filter Description Network firewalls keep outside threats away from sensitive data available inside the network Whenever different networks are joined together there is always a threat that someone from outside of your network will break into your LAN Such break ins may result in private data being stolen and distributed valuable data being altered or destroyed or entire hard drives being erased Firewalls are used as a means of preventing or minimizing the security risks inherent in connecting to other networks Properly configured firewall plays a key role in efficient and secure network infrastrure deployment AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 199 RouterOS v3 Configuration and Us
60. record route router alert strict source routing timestamp match ipv4 header options any match packet with at least one of the ipv4 options loose source routing match packets with loose source routing option This option is used to route the internet datagram based on information supplied by the source no record route match packets with no record route option This option is used to route the internet datagram based on information supplied by the source no router alert match packets with no router alter option no source routing match packets with no source routing option no timestamp match packets with no timestamp option record route match packets with record route option router alert match packets with router alter option strict source routing match packets with strict source routing option timestamp match packets with timestamp jump target dstnat srcnatname name of the target chain to jump to if the action jump is used layer7 protocol name Layer 7 filter name as set in the ip firewall layer7 protocol menu Caution this matcher needs high computational power limit integer time 0 integer restricts packet match rate to a given limit Usefull to reduce the amount of log messages count maximum average packet rate measured in packets per second pps unless followed by time option time specifies the time interval over which the packet rate is measured burst number of packets to match i
61. time default 200ms how long to sniff each channel if multiple channels is set to yes file limit integer default 10 limits file name s file size measured in kilobytes file name text default name of the file where to save packets in PCAP format If file name is not defined packets are not saved into a file memory limit integer default 1000 how much memory to use in kilobytes for sniffed packets multiple channels yes no default no whether to sniff multiple channels or a single channel no wireless sniffer sniffs only one channel in frequency that is configured in interface wireless yes sniff in all channels that are listed in the scan list in interface wireless only headers yes no default no sniff only wireless packet heders receive errors yes no default no whether to receive packets with CRC errors streaming enabled yes no default no whether to send packets to server in TZSP format streaming max rate integer default 0 how many packets per second the router will accept 0 no packet per second limitation streaming server IP address default 0 0 0 0 streaming server s IP address 4 3 18 Sniffer Sniff Submenu level interface wireless sniffer sniff Description Wireless Sniffer Sniffs packets Property Description file over limit packets read only integer how many packets are dropped because of exceeding file limit file saved packets read only integer n
62. timestamp match ipv4 header options any match packet with at least one of the ipv4 options loose source routing match packets with loose source routing option This option is used to route the internet datagram based on information supplied by the source no record route match packets with no record route option This option is used to route the internet datagram based on information supplied by the source no router alert match packets with no router alter option no source routing match packets with no source routing option no timestamp match packets with no timestamp option record route match packets with record route option router alert match packets with router alter option strict source routing match packets with strict source routing option timestamp match packets with timestamp jump target forward input output postrouting preroutingname name of the target chain to jump to if the action jump is used layer7 protocol name Layer 7 filter name as set in the ip firewall layer7 protocol menu Caution this matcher needs high computational power limit integer time 0 1 integer restrict packet match rate to a given limit Usefull to reduce the amount of log messages count maximum average packet rate measured in packets per second pps unless followed by time option time specify the time interval over which the packet rate is measured burst number of packets to match in a burst log pre
63. 0 0 0 0 0 to main On OSPF peer 2 adminQGOSPF peer 2 gt ip route print Flags X disabled I invalid D dynamic J rejected C connect S static r rip o ospf b bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Do 192 168 0 0 24 10 2 0 2 110 to main 1 Io 10 3 0 0 24 110 2 DC 10 3 0 0 24 0 0 0 0 0 to peer 1 3 Io 10 2 0 0 24 110 4 DC 10 2 0 0 24 r 0 0 0 0 0 to main 5 Do 10 1 0 0 24 r 410 2 0 2 110 to main Functioning of the Backup If the link between routers OSPF MAIN and OSPF peer goes down we have the following situation Figure 15 OSPF Backup 110 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide The OSPF routing changes as follows Routes on OSPF MAIN router admin OSPF MAIN ip route print Flags X disabled I invalid D dynamic J rejected C connect S static r rip o ospf b bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Io 192 168 0 0 24 110 1 DC 192 168 0 0 24 r 0 0 0 0 0 main gw 2 Do 10 3 0 0 24 10 2 0 1 110 to peer 2 3 Io 10 2 0 0 24 110 4 DC 10 2 0 0 24 E 07000 0 to_peer_2 5 Io 10 1 0 0 24 110 6 DC 10 1 0 0 24 r 0 0 0 0 0 to peer 1 On OSPF peer adminQ8OSPF peer 1 ip route print Flags X disabled I invalid D dynamic J rejected C connect S static r rip o ospf b bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Do 1
64. 0 0 0 0 gateway 192 168 0 1 gateway state reachable distance 1 interface pppsync 1 DC dst address 192 168 0 1 32 preferred source 10 0 0 214 gateway 0 0 0 0 gateway state reachable distance 0 interface pppsync admin AT WR4562 ip address gt As you can see a dynamic connected route has been automatically added to the routes list If you want the default gateway be the other router of the p2p link just add a static route for it It is shown as 0 in the example above 5 1 6 Troubleshooting Description Router shows that the IP address is invalid Check whether the interface exists to which the IP address is assigned Or maybe it is disabled It is also possible that the system has crashed reboot the router Router shows that the ARP entry is invalid Check whether the interface exists to which the ARP entry is assigned Or maybe it is disabled Check also for an IP address for the particular interface 5 2 RIP Routing Information Protocol 5 2 1 General Information Summary RouterOS implements RIP Version 058 and Version 2 RFC 2453 RIP enables routers in an autonomous system to exchange routing information It always uses the best path the path with the fewest number of hops i e routers available Specifications Packages required routing License required Level3 Submenu level routing rip Standards and Technologies RIPv1 RIPv2 Hardware usage Not significant AT WR4500 Series IEEE 802
65. 0 192 168 0 255 To DHCP Relay 1 10 1 0 2 24 10 1 0 0 10 1 0 255 Public admin DHCP Server ip address gt AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 127 RouterOS v3 Configuration and User Guide IP addresses of DHCP Relay admin DHCP Relay ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 192 168 0 1 24 192 168 0 0 192 168 0 255 To DHCP Server 1 192 168 1 1 24 192 168 1 0 192 168 1 255 Locall 2 192 168 2 1 24 192 168 2 0 192 168 2 255 Local2 admin DHCP Relay ip address gt To setup 2 DHCP Servers on DHCP Server router add 2 pools For networks 192 168 1 0 24 and 192 168 2 0 ip pool add name Locall Pool ranges 192 168 1 11 192 168 1 100 ip pool add name Locall Pool ranges 192 168 2 11 192 168 2 100 admin 8DHCP Server ip pool print NAME RANGES 0 Locall Pool 192 168 1 11 192 168 1 100 1 Local2 Pool 192 168 2 11 192 168 2 100 admin DHCP Server ip pool Create DHCP Servers ip dhcp server add interface To DHCP Relay relay 192 168 1 1 address pool Locall Pool name DHCP 1 disabled no ip dhcp server add interface To DHCP Relay 1 192 168 2 1 address pool Local2 Pool name DHCP 2 disabled no admin DHCP Server ip dhcp server gt print Flags X disabled I invalid NAME INTERFACE RELAY ADDRESS POOL LEASE TIME ADD ARP 0 DHCP 1 To DHCP Relay 192 168 1 1 Locall Pool 3400 00 00
66. 1 DHCP 2 To DHCP Relay 192 168 2 1 Local2 Pool 3400 00 00 admin 8DHCP Server ip dhcp server gt Configure respective networks ip dhcp server network add address 192 168 1 0 24 gateway 192 168 1 1 dns server 159 148 60 20 ip dhcp server network add address 192 168 2 0 24 gateway 192 168 2 1 dns server 159 148 60 20 admin DHCP Server ip dhcp server network print ADDRESS GATEWAY DNS SERVER WINS SERVER DOMAIN 0 192 168 1 0 24 192 168 1 1 159 148 60 20 1 192 168 2 0 24 192 168 2 1 159 148 60 20 admin DHCP Server ip dhcp server network Configuration of DHCP Server is done Now let s configure DHCP Relay ip dhcp relay add name Locall Relay interface Locall dhcp server 192 168 0 1 local address 192 168 1 1 disabled no ip dhcp relay add name Local2 Relay interface Local2 dhcp server 192 168 0 1 local address 192 168 2 1 disabled no admin 8DHCP Relay ip dhcp relay print Flags X disabled I invalid NAME INTERFACE DHCP SERVER LOCAL ADDRESS 0 Locall Relay Locali 192 168 0 1 192 168 1 1 ay 12 1 12 192 168 021 192 168 2 1 admin DHCP Relay ip dhcp relay IP Address assignment using FreeRADIUS Server Let us consider that we want to assign IP addresses for clients using the RADIUS server 128 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide V
67. 1 labgh Outdoor Wireless Routers 93 RouterOS v3 Configuration and User Guide Related Topics IP Addresses and ARP Routes Equal Cost Multipath Routing Policy Routing Description Routing Information Protocol RIP is one protocol in a series of routing protocols based on Bellman Ford or distance vector algorithm This Interior Gateway Protocol IGP lets routers exchange routing information across a single autonomous system in the way of periodic RIP updates Routers transmit their own RIP updates to neighboring networks and listen to the RIP updates from the routers on those neighboring networks to ensure their routing table reflects the current state of the network and all the best paths are available Best path considered to be a path with the fewest hop count id est that include fewer routers The routes learned by RIP protocol are installed in the route list ip route print with the distance of 120 Additional Resources http www ietf org rfc rfc1058 txt RIP vl e http www ietf org rfc rfc2453 txt RIP v2 e http en wikipedia org wiki Routing Information Protocol 5 2 2 General Setup Property Description distribute default always never if installed default never specifies whether to redistribute the default route 0 0 0 0 0 or not redistribute static yes no default no specifies whether to redistribute static routes to neighbor routers or not redistribute connected yes no
68. 192 168 80 1 user ex password lkjrht profile default add default route no allow pap chap mschapl mschap2 admin RemoteOffice interface pptp client gt Thus a PPTP tunnel is created between the routers This tunnel is like an Ethernet point to point connection between the routers with IP addresses 10 0 103 1 and 10 0 103 2 at each router It enables direct communication between the routers over third party networks Internet e ISP 2 192 168 81 0 24 Encrypted Home Office 192 168 80 1 24 Remote Office 192 168 81 1 24 10 0 103 1 24 Tunnel_To_HomeOffice 10 0 103 2 24 10 150 1 254 10 150 2 1 24 10 150 1 1 24 Figure 28 Network Setup with encrypted PPTP Tunnel To route the local Intranets over the PPTP tunnel you need to add these routes admin HomeOffice gt ip route add dst address 10 150 1 0 24 gateway 10 0 103 2 admin RemoteOffice gt ip route add dst address 10 150 2 0 24 gateway 10 0 103 1 AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 185 RouterOS v3 Configuration and User Guide On the PPTP server it can alternatively be done using routes parameter of the user configuration admin8 HomeOffice ppp secret print detail Flags X disabled 0 name ex service pptp caller id password lkjrht profile default local address 10 0 103 1 remote address 10 0 103
69. 2474 0 2479 0 2484 0 2489 0 2494 0 2499 0 admin AT WR4562 interface wireless 4 3 9 Virtual Access Point Interface Submenu level interface wireless Description Virtual Access Point VAP interface is used to have an additional AP You can create a new AP with different ssid and mac address can be compared with a VLAN where the ssid from is the VLAN tag and the hardware interface is the VLAN switch You can add up to 128 VAP interfaces for each hardware interface RouterOS supports VAP feature for Atheros AR5212 and newer Property Description area text default string value that is used to describe an Access Point Connect List on the Client s side comparing this string value with area prefix string value makes decision whether allow a Client connect to the AP If area prefix match the entire area string or only the beginning of it the Client is allowed to connect to the AP arp disabled enabled proxy arp reply only ARP mode default ap tx limit integer default 0 limits data rate for each wireless client in bps 0 no limits default authentication yes no default yes whether to accept or reject a client that wants to associate but is not in the access list default client tx limit integer default 0 limits each client s transmit data rate in bps Works only if the client is also a Router 0 no limits default forwarding yes no default yes whether to forward
70. 5190 0 5230 0 5270 0 5310 0 5350 0 5390 0 5430 0 5470 0 5510 0 5550 0 5590 0 5630 0 5670 0 5710 0 5750 0 5790 0 5830 0 5870 0 5910 0 5950 0 5990 0 6030 0 6070 42 0 23 82 0 23 22 0 24 62 0 24 14 0 23 54 0 23 94 0 23 34 0 24 74 0 24 0 4950 0 4990 0 5030 0 5070 0 5110 0 5150 0 5190 0 5230 0 5270 0 5310 0 5350 0 5390 0 5430 0 5470 0 5510 0 5550 0 5590 0 5630 0 5670 0 5710 0 5750 0 5790 0 5830 0 5870 0 5910 0 5950 0 4955 0 4995 0 5035 0 5075 OQ SLL 0 5155 0 5195 0 5235 0 552 53 0 5315 0 5355 0 5395 0 5435 0 5475 0 5515 0 5555 0 5595 0 5635 0 5675 045715 0 5755 0 5795 0 5835 0 5875 0 5915 0 5955 0 5995 0 6035 0 6075 47 87 2572 67 19 593 99 291 79 M oS 0 gt OS C3 Oe 2404 04 oS NON ON ON S oS oS 2 02 3 2 QM Ca gt PES 0 4955 0 4995 0 5035 0 5075 0 5115 0 5155 0 5195 075235 055215 0 5315 0 5355 0 5395 0 5435 0 5475 0 5515 055555 0 5595 0 5635 0 5675 0 5715 0 5755 0 5795 0 5835 0 5875 0 5915 0 5955 NON ON ON S oS oS oS NON ON S oS oS oS oS oS gt ES CO D C9 5 50
71. 5ghz rx frequency 5180 rates b 1Mbps 2Mbps 5 5Mbps llMbps rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps framer policy none framer limit 4000 admin DualNS 1 interface wireless nstreme dual AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 69 RouterOS v3 Configuration and User Guide As we have not configured the DualNS 2 router we cannot define the remote mac parameter on DualNS We will do it after configuring DualNS 2 The configuration of DualNS 2 adminGDualNS 2 interface wireless set wlanl wlan2 mode nstreme dual slave admin8 DualNS 2 interface wireless print Flags X disabled R running 0 name wlanl mtu 1500 mac address 00 0C 42 05 00 22 arp enabled disable running check no interface type Atheros AR5413 radio name 000C42050022 mode nstreme dual slave ssid AT WR4500 area frequency mode superchannel country no country set antenna gain 0 frequency 5180 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats i
72. 8 5 1 General Information ccccccscsessssssssessssssssesesesssscsesessssssesesesesseseseseseesesesssesesseseseseseeneseseseseesens 161 8 5 2 LTP Client Setup x t tette n 162 AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 7 RouterOS v3 Configuration and User Guide 8 5 3 Monitoring L2TP Client irren cernere 163 8 5 4 E2TP Server Setup 164 8 5 5 EZ TP Server 164 8 5 6 L2TP Application Examples eene entente tenente 166 8 5 7 Tro bleshootiig 170 8 5 duc EE 170 8 6 1 General Information eet eet dee tnt vede denen 170 8 6 2 5 liad tb n dl tree tate 172 8 6 3 Monitoring PPPOE Client eet een Pitti ree er tbe Pec eee 173 8 6 4 PPPoE Server Setup Access Concentrator eerte 173 8 6 5 PPPOE Use rsiissatin oaia 175 8 6 6 PPPOE Server User Interfaces sssssesssssssssscsssssessssssssscssscsssssesssssssssesssesssssesssessessesnsessesees 175 8 6 7 Application Examples deterrere a 176 8 6 8 178 97 ee M 178 8 7 1 General Information tinte testor 178 87 2 PPEP Client 180 8 7 3 Monitoring PPTP Glieht etie tee etel ene bnt beste bo du do
73. 99 0 0 4935 0 4975 0 5015 0 5055 0 5095 0 5135 0 5175 0 5215 0 5255 0 5295 0 5335 0 5375 0 5415 0 5455 0 5495 0 5535 0 5575 0 5615 0 5655 0 5695 0 5735 0 5775 0 5815 0 5855 0 5895 0 5935 0 4940 0 4980 0 5020 0 5060 0 5100 0 5140 0 5180 0 5220 0 5260 0 5300 0 5340 0 5380 0 5420 0 5460 0 5500 0 5540 0 5580 0 5620 0 5660 0 5700 0 5740 0 5780 0 5820 0 5860 0 5900 0 5940 0 5980 0 6020 0 6060 0 6100 0 0 eeprom 0x5002 32 0 23 72 0 23 12 0 24 52 0 24 92 0 24 44 0 23 84 0 23 24 0 24 64 0 24 0 0 4940 0 4980 0 5020 0 5060 0 5100 0 5140 0 5180 0 5220 0 5260 0 5300 0 5340 0 5380 0 5420 0 5460 0 5500 0 5540 0 5580 0 5620 0 5660 0 5700 0 5740 0 5780 0 5820 0 5860 0 5900 0 5940 0 4945 0 4985 0 5025 0 5065 0 5105 0 5145 0 5185 0 5225 0 5265 0 5305 0 5345 0 5385 0 5425 0 5465 0 5505 0 5545 0 5585 0 5625 0 5665 0 5705 0 5745 0 5785 0 5825 0 5865 0 5905 0 5945 0 5985 0 6025 0 6065 3720 23 77 0 23 17 0 24 57 0 24 9720 23 49 0 23 89 0 23 29 0 24 69 0 24 0 4945 0 4985 0 5025 0 5065 0 5105 0 5145 0 5185 0 5225 0 5265 0 5305 0 5345 0 5385 0 5425 0 5465 0 5505 0 5545 0 5585 0 5625 0 5665 0 5705 0 5745 0 5785 0 5825 0 5865 0 5905 0 5945 0 4950 0 4990 0 5030 0 5070 0 5110 0 5150 0
74. AREE 3l 4 2 2 Ethernet Interface Configuration etes tenente 3l 4 2 3 Monitoring the Interface Status eese tentent tententtnntenttnttnntententtnnti 32 4 2 4 Treubleshooting 1 rettet tttm ttt notte intet 33 4 32 Wirelessinterfaces ai ood iuc epo tet pO D A 33 4 3 1 General Inforiiatior cione 33 4 3 2 Wireless Interface Configuration eese 35 4 3 3 Nstreme Settings 40 4 3 4 Nstreme2 Group Settings assesi eaoin eet Ear ENA reaa tE aE Teias E E ATEN 41 4 3 5 Registration Table Petr aee teet et nate Peg ed deae 43 4 3 6 Connect oae ete eed o DAT D ec a 45 4 3 7 fuo ME 45 4 3 8 46 4 3 9 Virtual Access Point Interface 50 4 3 10 Interface Configuration 4 3 11 E ATRE 52 43 12 iia NRI Ide 53 4 3 13 FREQUENCY MOM ICOM c tee tee OR MER ce t a 54 4 3 14 Manual Transmit Power Table eese 54 AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 5 RouterOS v3 Configuration and User Guide 4 3 15 weed 2 55 4 3 16 Security Profiles sssi E E e T A 56 LEM 58 3118 tO
75. AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 209 RouterOS v3 Configuration and User Guide rst drop connection syn new connection urg urgent data tcp mss integer 0 65535 matches TCP MSS value of an IP packet time time time sat fri thu wed tue mon sun allows to create filter based on the packets arrival time and date or for locally generated packets departure time and date Instead of making two rules if you want to mark a packet connection or routing mark and finish mangle table processing on that event in other words mark and simultaneously accept the packet you may disable the set by default passthrough property of the marking rule Usually routing mark is not used for P2P since P2P traffic always is routed over a default getaway 9 2 3 Application Examples Description The following section discusses some examples of using the mangle facility Peer to Peer Traffic Marking To ensure the quality of service for network connection interactive traffic types such as VoIP and HTTP should be prioritized over non interactive such as peer to peer network traffic RouterOS QOS implementation uses mangle to mark different types of traffic first and then place them into queues with different limits The following example enforces the P2P traffic will get no more than IMbps of the total link capacity when the link is heavily used by other traffic otherwice expanding
76. AT WR4562 ip traffic flow target add address 192 168 0 2 2055 version 9 admin AT WR4562 ip traffic flow target print Flags X disabled ADDRESS VERSION 0 192 16870 2 2055 9 admin AT WR4562 traffic flow target Now the router starts to send packets with Traffic Flow information 260 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Some screenshots from NTop program which has gathered Traffic Flow information from our router and displays it in nice graphs and statistics For example where what kind of traffic has flown Traffic Unit Bytes Packets IP Address 10574 a 17 14 days 0 37 58 5 sec 2221 apeos J oes a i es 0828 m ies oe a ites ree i cay 05716 a0 se Figure 36 Host Information Top three hosts by upload and download each minute Top Hosts Sent Thpt 159 148 172 197 648 0 bps 159 148 147 196 91 9 Kbps 10 5 7 14 91 9 Kbps msa asa cara 05 assawa msa 75205 192 168 10 10 960 0 bps msa 600 192 168 10 10 400 0 bps Figure 37 Network Load Statistics Matrix AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 261 RouterOS v3 Configuration and User Guide Throughput 64 9 Kbps 51 9 Kbps 38 9 Kbps 26 0 Kbp
77. AT WR4562 system upgrade download 1 admin AT WR4562 system upgrade print SOURCE NAME VERSION STATUS COMPLETED 0 192 168 25 8 routeros x86 2 9 44 available 1 192 169 25 9 routeros rb500 2 0 downloading 16 admin AT WR4562 system upgrade gt 3 3 8 Adding Package Source Submenu level system upgrade upgrade package source Description In this submenu you can add remote routers from which to download the RouterOS software packages Property Description address IP address source IP address of the router from which the package list entry will be retrieved password text password of the remote router user text username of the remote router After specifying a remote router in system upgrade upgrade package source you can type Isystem upgrade refresh to refresh the package list and system upgrade print to see all available eo packages Example To add a router with IP address 192 168 25 8 username admin and no password adminQAT WR4562 admin AT WR4562 system upgrade upgrade package source add address 192 168 25 8 user admin password admin WR4500 system upgrade upgrade package source print ADDRESS USER 0 192 168 25 8 admin System upgrade upgrade package source 3 3 9 Software Package List Description System Software Package The system software package provides the basic functionality of the RouterOS namely e address manag
78. B bgp 0 dst address 0 0 0 0 0 gateway 10 0 0 26 metric 2 from 10 0 0 26 1 C dst address 10 0 0 0 24 gateway 0 0 0 0 metric 1 from 0 0 0 0 2 C dst address 192 168 0 0 24 gateway 0 0 0 0 metric 1 from 0 0 0 0 3 R dst address 192 168 1 0 24 gateway 10 0 0 26 metric 1 from 10 0 0 26 4 R dst address 192 168 3 0 24 gateway 10 0 0 26 metric 1 from 10 0 0 26 admin AT WR4562 routing rip The regular routing table is admin AT WR4562 routing rip ip route print Flags X disabled I invalid D dynamic J rejected C connect S static rip osptf B DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 R 0 0 0 0 0 r 10 0 0 26 120 etherl 1 192 168 3 0 24 10 0 0 26 120 etherl 2 192 168 1 0 24 10 0 0 26 120 etherl 3 DC 192 168 0 0 24 r 0 0 0 0 0 ether2 4 DC 10 0 0 0 24 102050 gt 0 0 etherl admin AT WR4562 routing rip 98 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Alliedware Router Configuration interface Ethernet0 ip address 10 0 0 26 255 255 255 0 no ip directed broadcast interface Seriall ip address 192 168 1 1 255 255 255 252 ip directed broadcast router rip version 2 redistribute connected redistribute static network 10 0 0 0 network 192 168 1 0 ip classless The routing table of the Alliedware router is awplus show ip route Codes C connec
79. DHCP client on ether interface ip dhcp server add name dhcp office disabled no admin AT WR4562 ip dhcp server gt print detail Flags disabled I invalid 0 interface etherl add default route yes use peer dns yes use peer ntp yes status bound address 192 168 0 65 24 gateway 192 168 0 1 dhcp server 192 168 0 1 primary dns 192 168 0 1 primary ntp 192 168 0 1 expires after 9m44s dhcp clients 02 00 00 admin AT WR4562 ip dhcp server gt Client will only receive DHCP lease case it is directly reachable by its MAC address through that interface some wireless bridges may change client s MAC address If authoritative property is set to yes the DHCP server is sending rejects for the leases it cannot bind or renew It also may although not always help to prevent the network users to run their own DHCP servers illicitly disturbing the proper way the network should be functioning If relay property of a DHCP server is not set to 0 0 0 0 the DHCP server will not respond to the direct requests from clients Example To add a DHCP server to interface ether l lending IP addresses from dhcp clients IP pool for 2 hours ip dhcp server add name dhcp office disabled no address pool dhcp clients interface etherl lease time 2h admin AT WR4562 ip dhcp server gt print Flags X disabled I invalid NAME INTERFACE RELAY ADDRESS POOL LEASE TIME ADD ARP 0 dhcp office etherl dhcp clients 02 00 00
80. I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 1 0 1 24 10 1 0 0 10 1 0 255 to_main 1 10 3 0 1 24 10 3 0 0 10 3 0 255 backup Set redistribute connected as as type l Metric connected metric static metric rip metric bgp should be zero admin8ROSPF peer 11 routing ospf gt print router id 0 0 0 0 distribute default never redistribute connected as type 1 redistribute static no redistribute rip no redistribute bgp no metric default 1 metric connected 0 metric static 0 metric rip 0 metric bgp 0 Add the same area as in main router admin ROSPF peer 11 Flags X disabled I invalid routing ospf area print NAME AREA ID STUB DEFAULT COST AUTHENTICATION 0 backbone 0 0 0 0 none 1 local_10 0 0 0 1 no 1 none Add connected networks with area local_ 10 admin OSPF_peer_1 routing ospf network print Flags X disabled I invalid NETWORK AREA 0 10 3 0 0 24 local_10 1 10 1 0 0 24 local 10 Finally set up the OSPF peer 2 router Enable the following interfaces adminQ8OSPF peer 2 interface print Flags X disabled D dynamic R running NAME TYPE RX RATE TX RATE MTU 0 R to_main ether 0 0 1500 1 to peer 1 ether 0 0 1500 Add the needed IP addresses adminQ8OSPF peer 2 ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 2 0 1 24 10 2 0 0 1022 0 255 to_main 1 10 3 0 2 2
81. IP packet one of the unicast IP addresses used for one point to another point transmission There is only one sender and one receiver in this case local matches addresses assigned to router s interfaces broadcast the IP packet is sent from one point to all other points in the IP subnetwork multicast this type of IP addressing is responsible for transmission from one or more points to a set of other points AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 219 RouterOS v3 Configuration and User Guide dst limit integer time 0 integer dst address dst port src address time 0 limits the packet per second pps rate on a per destination IP or per destination port base As opposed to the limit match every destination IP address destination port has it s own limit The options are as follows in order of appearance count maximum average packet rate measured in packets per second pps unless followed by time option time specifies the time interval over which the packet rate is measured burst number of packets to match in a burst mode the classifier s for packet rate limiting expire specifies interval after which recorded IP addresses ports will be deleted dst port integer 0 65535 integer 0 65535 destination port number or range fragment yes no whether the packet is a fragment of an IP packet Starting packet i e first fragment does not count Note that is the co
82. RouterOS v3 Configuration and User Guide 8 2 Interface Bonding 8 3 General Information 8 3 1 Summary Bonding is a technology that allows to aggregate multiple ethernet like interfaces into a single virtual link thus getting higher data rates and providing failover 8 3 2 Quick Setup Guide Let us assume that we 2 NICs in each router Routerl and Router2 and want to get maximum data rate between 2 routers To make this possible follow these steps Make sure that you do not have IP addresses on interfaces which will be enslaved for bonding interface Add bonding interface on Router admin Routerl interface bonding add slaves etherl ether2 And on Router2 admin Router2 interface bonding add slaves etherl ether2 Add addresses to bonding interfaces admin Routerl ip address gt add address 172 16 0 1 24 interface bondingl admin Router2 ip address gt add address 172 16 0 2 24 interface bondingl Test the link from Routerl admin Routerl interface bonding pi 172 16 0 2 172 16 0 2 ping timeout 172 16 0 2 ping timeout 172 16 0 2 ping timeout 172 16 0 2 64 byte ping ttl 64 time 2 ms 172 16 0 2 64 byte ping ttl 264 time 2 ms A bonding interface needs couple of seconds to get connectivity with its peer Specifications Packages required system License required Level Submenu level interface bonding Standar
83. Series IEEE 802 1 labgh Outdoor Wireless Routers 183 RouterOS v3 Configuration and User Guide Example To add a static entry for exl user adminQ AT WR4562 interface pptp server gt add user exl adminQ AT WR4562 interface pptp server gt print Flags X disabled D dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME ENC 0 DR lt pptp ex gt ex 1460 10 0 0 202 6m32s none 1 pptp inl 1 admin AT WR4562 interface pptp server gt In this example an already connected user ex is shown besides the one we just added Now the interface named 1 can be referenced from anywhere in RouterOS configuration like a regular interface 8 7 7 PPTP Application Examples Router to Router Secure Tunnel Example The following is an example of connecting two Intranets using an encrypted PPTP tunnel over the Internet SS Internet Home Office 192 168 80 1 24 Remote Office 2 168 81 1 24 10 150 2 1 24 10 150 1 1 24 Figure 27 Network Setup without PPTP enabled There are two routers in this example Home Office Interface LocalHomeOffice 10 150 2 254 24 Interface Tolnternet 192 1 68 80 1 24 Remote Office Interface Tolnternet 192 168 81 1 24 Interface LocalRemoteOffice 10 150 1 254 24 Each router is connected to a different ISP One router can access another router through the Internet On the Preforma PPTP server a user must be set up for the client admin HomeOff
84. Summary The following Manual discusses IP address management and the Address Resolution Protocol settings IP addresses serve as identification when communicating with other network devices using the TCP IP protocol In turn communication between devices in one physical network proceeds with the help of Address Resolution Protocol and ARP addresses Specifications Packages required system License required Level Submenu level ip address lip arp Standards and Technologies 4 ARP Hardware usage Not significant Related Topics Configuring Interfaces DHCP and DNS 5 1 2 IP Addressing Submenu level ip address Description IP addresses serve for a general host identification purposes in IP networks Typical 4 address consists of four octets For proper addressing the router also needs the network mask value id est which bits of the complete IP address refer to the address of the host and which to the address of the network The network address value is calculated by binary AND operation from network mask and IP address values It s also possible to specify IP address followed by slash and the amount of bits that form the network address In most cases it is enough to specify the address the netmask and the interface arguments The network prefix and the broadcast address are calculated automatically It is possible to add multiple IP addresses to an interface or to leave the interface without any address
85. Test the L2TP tunnel connection admin RemoteOffice gt ping 10 0 103 1 10 0 103 1 pong ttl1 255 time 3 ms 10 0 103 1 pong ttl1 255 time 3 ms 10 0 103 1 pong ttl1 255 time 3 ms ping interrupted 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 3 3 0 3 ms Test the connection through the L2TP tunnel to the LocalHomeOffice interface admin RemoteOffice gt ping 10 150 2 254 10 150 2 254 pong tt1 255 time 3 ms 10 150 2 254 pong tt1 255 time 3 ms 10 150 2 254 pong tt1 255 time 3 ms ping interrupted 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 3 3 0 3 ms To bridge a LAN over this secure tunnel please see the example in the EoIP section of the manual To set the maximum speed for traffic over this tunnel please consult the Queues section Connecting a Remote Client via L2TP Tunnel The following example shows how to connect a computer to a remote office network over L2TP encrypted tunnel giving that computer an IP address from the same network as the remote office has without need of bridging over EolP tunnels Please consult the respective manual on how to set up a L2TP client with the software you are using AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 169 RouterOS v3 Configuration and User Guide Internet ISP 1 9 192 168 89 8 24 e Remote Office To Internet 192 168 81 1 24
86. WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 129 RouterOS v3 Configuration and User Guide 6 2 DNS Client and Cache 6 2 1 General Information Summary DNS cache is used to minimize DNS requests to an external DNS server as well as to minimize DNS resolution time This is a simple recursive DNS server with local items Specifications Packages required system License required Level Submenu level ip dns Standards and Technologies DNS Hardware usage Not significant Related Topics IP and Routing Description The RouterOS router with DNS cache feature enabled can be set as a primary DNS server for any DNS compliant clients Moreover RouterOS router can be specified as a primary DNS server under its dhcp server settings When the DNS cache is enabled the RouterOS router responds to DNS TCP and UDP requests on port 53 Additional Resources http www ietf org rfc rfc 035 txt number 1035 http www freesoft org CIE Course Section2 3 htm http www networksorcery com enp protocol dns htm http en wikipedia org wiki Domain_Name_System 6 3 DNS Cache Setup Submenu level ip dns Description DNS facility is used to provide domain name resolution for router itself as well as for the clients connected to it Property Description allow remote requests yes no specifies whether to allow network requests cache max ttl time default Iw specifies maximum time to live fo
87. Walled Garden Submenu level ip hotspot walled garden ip Description This menu is manages Walled Garden for generic IP requests See the previous section for managing HTTP and HTTPS protocol specific properties like the actual DNS name HTTP method and path used in requests Property Description action accept drop reject default accept action to undertake if a packet matches the rule accept allow the access to the page without prior authorization drop the authorization is required to access this page reject the authorization is required to access this page in case the page will be accsessed withot authorization ICMP reject message host unreachable will be generated dst address IP address IP address of the destination web server dst host text default domain name of the destination web server this is not a regular expression or a wildcard of any kind The DNS name specified is resolved to a list of IP addresses when the rule is added and all those IP addresses are used dst port integer default the TCP or UDP port protocol MUST be specified explicitly in the protocol property a client has send the request to protocol integer ddp egp encap ggp gre hmp icmp idpr cmtp igmp ipencap ipip ipsec ah ipsec esp iso tp4 ospf pup rdp rspf st tcp udp vmtp xns idp xtp IP protocol name server name name of the HotSpot server this rule applied to src address IP address IP address of the user
88. admin AT WR4562 ip hotspot cookie 10 3 3 HTTP level Walled Garden Submenu level ip hotspot walled garden Description Walled garden is a system which allows unauthorized use of some resources but requires authorization to access other resources This is useful for example to give access to some general information about HotSpot service provider or billing options This menu only manages Walled Garden for HTTP and HTTPS protocols Other protocols can also be included in Walled Garden but that is configured elsewhere in ip hotspot walled garden ip see the next section of this manual for details Property Description action allow deny default allow action to undertake if a request matches the rule allow allow the access to the page without prior authorization deny authorization is required to access this page dst address read only IP address IP address of the destination web server installed by IP level walled garden dst host wildcard default domain name of the destination web server dst port integer default the TCP port a client has send the request to hits read only integer how many times has this rule been used method text HTTP method of the request path wildcard default the path of the request server name name of the HotSpot server this rule applies to src address IP address IP address of the user sending the request Wildcard properti
89. admin AT WR4562 routing ospf gt 5 3 6 Virtual Links Submenu level routing ospf virtual link Description As stated in OSPF RFC the backbone area must be contiguous However it is possible to define areas in such a way that the backbone is no longer contiguous In this case the system administrator must restore backbone connectivity by configuring virtual links Virtual link can be configured between two routers through common area called transit area one of them should have to be connected with backbone Virtual links belong to the backbone The protocol treats two routers joined by a virtual link as if they were connected by an unnumbered point to point network AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 103 RouterOS v3 Configuration and User Guide Property Description neighbor id address default 0 0 0 0 specifies router id of the neighbor transit area name default unknown a non backbone area the two routers have in common Virtual links can not be established through stub areas Example add a virtual link with the 10 0 0 201 router through the ex area do the following admin AT WR4562 routing ospf virtual link add neighbor id 10 0 0 201 transit area ex adminQ AT WR4562 routing ospf virtual link print Flags X disabled I invalid NEIGHBOR ID TRANSIT AREA 0 10 0 0 201 ex adminQ AT WR4562 routing ospf virtual link gt V
90. align Description This feature is created to position wireless links The align submenu describes properties which are used if Jinterface wireless mode is set to alignment only In this mode the interface listens to those packets which are sent to it from other devices working on the same channel The interface also can send special packets which contains information about its parameters Property Description active mode yes no default yes whether the interface will receive and transmit alignment packets or it will only receive them audio max integer default 20 signal strength at which audio beeper frequency will be the highest AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 53 RouterOS v3 Configuration and User Guide audio min integer default 100 signal strength at which audio beeper frequency will be the lowest audio monitor MAC address default 00 00 00 00 00 00 MAC address of the remote host which will be listened filter mac MAC address default 00 00 00 00 00 00 in case if you want to receive packets from only one remote host you should specify here its MAC address frame size integer 200 1500 default 300 size of alignment packets that will be transmitted frames per second integer 100 default 25 number of frames that will be sent per second in active mode receive all yes no default no whether the interface gathers packets about othe
91. allowed session time for client After this time the user will be logged out unconditionally 0 no timeout shared users integer default 1 maximal number of simultaneously logged in users with the same username status autorefresh time none default none HotSpot servlet status page autorefresh interval transparent proxy yes no default yes whether to use transparent HTTP proxy for the authorized users of this profile When idle timeout or keepalive is reached session time for that user is reduced by the actual period of inactivity in order to prevent the user from being overcharged 246 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 10 4 3 HotSpot Users Submenu level ip hotspot user Property Description address IP address default 0 0 0 0 static IP address If not 0 0 0 0 client will always get the same IP address A configured address implies that only one simultaneous login for that user is allowed Any existing address will be replaced with this one using the embedded one to one NAT bytes in read only integer total amount of bytes received from user bytes out read only integer total amount of bytes sent to user email text e mail address Only basic syntax checking is done to ensure validity of this field imit bytes in integer default 0 maximum amount of bytes user can transmit i e bytes received
92. and statefull firewalling stop working 9 3 5 Service Ports Submenu level ip firewall service port Description Some network protocols are not compatible with network address translation for example due to some additional infomation about the actual addresses or ports is present in the packet payload which is not known for the NAT procedures as they only look at the IP UDP and TCP headers not inside the packets For these protocols to work correctly a connection tracking helper is needed to work around such design issues You may enable and disable helpers here you may want to disable some of them to increase performance or if you are experiencing problems with some protocols detected incorrectly Note that you can not add or remove the helpers just enable or disable the existing ones Property Description name protocol name ports integer port range that is used by the protocol only some helpers need this AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 215 RouterOS v3 Configuration and User Guide 9 3 6 General Firewall Information Description ICMP TYPE CODE values In order to protect your router and attached private networks you need to configure firewall to drop or reject most of ICMP traffic However some ICMP packets are vital to maintain network reliability or provide troubleshooting services The following is a list of ICMP TYPE CODE values found in good packets It is generally su
93. another just as if the APs were ports on a wired Ethernet switch APs must use the same standard 802 1 1 802 1 Ib 802 1 1g and work on the same frequencies in order to connect to each other There are two possibilities to create a WDS interface e dynamic is created on the fly and appers under wds menu as a dynamic interface e static is created manually 52 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Property Description arp disabled enabled proxy arp reply only default enabled Address Resolution Protocol disabled the interface will not use ARP enabled the interface will use ARP proxy arp the interface will use the ARP proxy feature reply only the interface will only reply to the requests originated to its own IP addresses Neighbor MAC addresses will be resolved using ip arp statically set table only disable running check yes no default no disable running check For broken wireless interfaces it is a good idea to set this value to yes mac address read only MAC address default 00 00 00 00 00 00 MAC address of the master interface Specifying master interface this value will be set automatically master interface name wireless interface which will be used by WDS mtu integer 0 65336 default 1500 Maximum Transmission Unit name name default wdsN WDS interface name wds address MAC address MAC ad
94. as type l and redistribute static as as type 2 Metric connected metric static metric rip metric bgp should be zero adminQOSPF MAIN routing ospf gt print router id 0 0 0 0 distribute default if installed as type 2 redistribute connected as type 1 redistribute static as type 2 redistribute rip no redistribute bgp no metric default 1 metric connected 0 metric static 0 metric rip 0 metric bgp 0 Define new OSPF area named local 10 with area id 0 0 0 1 adminQOSPF MAIN routing ospf area print Flags X disabled I invalid AREA ID STUB DEFAULT COST AUTHENTICATION 0 backbone 0 0 0 0 none 1 local 10 0 0 0 1 no 1 none Add connected networks with area local 10 in ospf network adminQ8OSPF MAIN routing ospf network print Flags X disabled I invalid NETWORK AREA 0 10 1 0 0 24 local_10 T 10 2 0 0 24 local_10 For main router the configuration is done Next you should configure OSPF peer 1 router Enable followong interfaces on OSPF peer adminQGOSPF peer 1 interface print Flags X disabled D dynamic R running RX RATE TX RATE MTU OR backup ether 0 0 1500 1 R to_main ether 0 0 1500 106 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Assign IP addresses to these interfaces admin ROSPF peer 1 ip address print Flags X disabled
95. at the same time 2 3 Accessing the CLI When logging into the router via terminal console in telnet or SSH you will be presented with the RouterOS login prompt Use admin and no password hit Enter for logging into the router for the first time AT WR4500 v3 0 Login admin Password The password can be changed with the password command adminQAT WR4562 gt password old password new password retype new password admin AT WR4562 gt okckck ck ck ck ko kk kk okckck ck ck ck ko ko kk 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide After logging into the router you will be presented with the RouterOS Welcome Screen and command prompt for example AA TTTTTTTTTTTTTTTTTT ooooo AAAAA TTTTTTTTTTTTTTT AAAAAAAA TTITITITT I AAAAAAAAAAA TTTTTTT IIIIIIIIII AAAAA TTTT AAAAAAA TELLERE AT WR4500 RouterOS 3 10 c 1999 2008 http www alliedtelesis com admin AT WR4562 gt The command prompt shows the identity name of the router and the current menu level for example admin AT WR4562 gt interface admin AT WR4562 interface admin AT WR4562 gt ip address admin AT WR4562 ip address gt The list of available commands at any menu level can be obtained by entering the question mark adminQAT WR4541g gt blink certi
96. base station in a Point to Multipoint configuration The AT WR4542 with its embedded high gain antenna is best suited for being used as a wireless CPE connecting to AT WR4561 AT WR4562 base router or be deployed in couples for realizing long reach high performances Point to Point links Flexibility is the primary advantage of the WR4500 family of wireless base routers All products share the same software and features and differ only in the number of radio interfaces Access Backbone Network Network ae i a 5GHz r y 5GHz ai A ve Landline v ea IP Net 2 4 5GHz amp Figure AT WR4500 Series typical application AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 13 RouterOS v3 Configuration and User Guide 1 1 Features The AT WR4500 series RouterOS firmware is very rich of features and very flexible Among others Real IP routing functionalities 2 4 GHz and 5 GHz dual band operations IEEE 802 1 1 compliant Certified for HiperLAN bands operation in Europe with DFS and TPC IEEE 802 3af compliant PoE powering IP66 67 rated outdoor robust construction Professional look suitable for indoor installation too Embedded IP firewalling functionalities Highly configurable QoS management for multimedia applications High sensitivity radio interface for
97. before policy item name means NOT AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 147 RouterOS v3 Configuration and User Guide Example To add reboot group that is allowed to reboot the router locally or using telnet as well as read the router s configuration enter the following command admin8rb13 user group add name reboot policy telnet reboot read local admin8rb13 user group print 0 name read policy local telnet ssh reboot read test winbox password web sniff ftp write policy 1 name write policy local telnet ssh reboot read write test winbox password sniff ftp policy 2 name full policy local telnet ssh ftp reboot read write policy test winbox password web sniff 3 name reboot policy local telnet reboot read ssh ftp write policy test winbox password web sniff admin8rb13 user group 7 3 3 Router Users Submenu level user Description Router user database stores the information such as username password allowed access addresses and group about router management personnel Property Description address IP address netmask default 0 0 0 0 0 host or network address from which the user is allowed to log in group name name of the group the user belongs to name name user name Although it must start with an alphanumeric character it may contain _ and symbols password text default user p
98. below tx power mode all rates fixed card rates default manual table default default choose the transmit power mode for the card all rates fixed use one transmit power value for all rates as configured in tx power card rates use transmit power that for different rates is calculated according the cards transmit power algorithm which as an argument takes tx power value default use the default tx power manual table use the transmit powers as defined in interface wireless manual tx power table update stats interval time how often to update request from the clients signal strength and ccq values in interface wireless registration table AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 39 RouterOS v3 Configuration and User Guide wds cost range integer default 50 150 range within which the bridge port cost of the WDS links are adjusted The calculations are based on the p throughput value of the respective WDS interface which represents estimated approimate rhtoughput on the interface which is mapped on the wds cost range scale so that bigger p throughput would correspond to numerically lower port cost The cost is recalculated every 20 seconds or when the p throughput changes more than by 10 since the last recalculation wds default bridge name default none the default bridge for WDS interface If you use dynamic WDS then it is very useful in cases when wds connection is reset the newly cre
99. button placed besides the Connect To field and wait for some seconds list of AT WR4500 connected equipments at least one will appear see Figure 2 Select the one you want to access and then click on the Connect button Every AT WR4500 router is configured in factory with admin as the login user with no password set The first time that you use it the WinBox Loader will start downloading the rest of the WinBox application from the WR4500 router Wait up to one minute until the entire application has been downloaded and the WinBox main window will appear AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 15 RouterOS v3 Configuration and User Guide 2 AT WR4500 WinBox 2 9 46 Make Supout rif Manual Exit Figure 3 WinBox main window Select from the menu bar located in the leftmost part of the window the command or menu that you want to access and start configuring the equipment For instance you can click on the New Terminal button for opening a Telnet terminal window connected and logged into your router as shown in Figure 4 admin 192 168 1 251 AT WR45419 WinBox 3 10 on 411 mipsbe IIIIIIIIII IIIIIIIIII AAAAAAA IIIIIIIIII AT WR4500 RouterOS 3 10 1999 2008 http wuw alliedtelesis com 45410 gt Figure 4 WinBox with terminal window open You can keep open as many WinBox internal windows as you need
100. card in the set 42 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide mtu integer 0 1600 default 1500 Maximum Transmission Unit name name reference name of the interface rates a g multiple choice 6Mbps 9Mbps 12 18 24Mbps 36Mbps 48Mbps 54Mbps rates to be supported in 802 1 or 802 1 1g standard rates b multiple choice Mbps 2Mbps 5 5Mbps I Mbps rates to be supported in 802 1 Ib standard remote mac MAC address default 00 00 00 00 00 00 which MAC address to connect to this would be the remote receiver card s MAC address rx band operating band of the receiving radio 2 4ghz b IEEE 802 1 Ib 2 4ghz g IEEE 802 1 Ig 2 4ghz g turbo IEEE 802 1 Ig in Atheros proprietary turbo mode up to 08Mbit 5ghz IEEE 802 1 la up to 54 Mbit 5ghz turbo IEEE 802 1 la in Atheros proprietary turbo mode up to 108 2ghz lOmhz variation of IEEE 802 1 1g with half the band and accordingly twice lower speed air rate of up to 27Mbit 2ghz 5mhz variation of IEEE 802 1 Ig with quarter the band and accordingly four times lower speed air rate of up to 13 5Mbit 5ghz lIOmhz variation of IEEE 802 la with half the band and accordingly twice lower speed air rate of up to 27Mbit 5ghz 5mhz variation of IEEE 802 with quarter the band and accordingly four times lower speed air rate of up to 13 5Mbit rx
101. client on the gig interface connecting to the AC that provides testSN service using user name john with the password password admin RemoteOffice interface pppoe client gt add interface gig N Service name testSN user john password password disabled no admin8 RemoteOffice interface pppoe client gt print Flags X disabled R running 0 name pppoe outl max mtu 1480 max mru 1480 mrru disabled interface etherl user user password passwd profile default service name testSN ac name add default route no dial on demand no use peer dns no allow pap chap mschapl mschap2 admin RemoteOffice interface pppoe client gt 8 6 3 Monitoring PPPoE Client Command name interface pppoe client monitor Property Description ac mac MAC address MAC address of the access concentrator AC the client is connected to ac name text name of the AC the client is connected to encoding text encryption and encoding if asymmetric separated with being used in this connection mru read only integer effective MRU of the link mtu read only integer effective MTU of the link service name text name of the service the client is connected to status text status of the client dialing attempting to make a connection verifying password connection has been established to the server password verification in progress connected self explanatory terminated interface is not enabled or the othe
102. coming from clients through mypppclients chain admin8rb13 ppp profile add local address 10 0 0 1 remote address ex incoming filter mypppclients admin8rb13 ppp profile print Flags default 0 name default use compression default use vj compression default use encryption default only one default change tcp mss yes 1 name default encryption use compression default use vj compression default use encryption yes only one default change tcp mss yes 2 name ex local address 10 0 0 1 remote address ex use compression default use vj compression default use encryption default only one default change tcp mss default incoming filter mypppclients admin rb13 ppp profile 7 2 3 Local PPP User Database Submenu level ppp secret Description PPP User Database stores PPP user access records with PPP user profile assigned to each user Property Description caller id text default for PPTP and L2TP it is the IP address a client must connect from For PPPoE it is the MAC address written in CAPITAL letters a client must connect from For ISDN it is the caller s number that may or may not be provided by the operator the client may dial in from norestrictions on where clients may connect from limit bytes in integer default 0 maximal amount a client can upload in bytes for a session limit bytes out integer default 0 maximal amount a client can download in bytes for a session
103. comment deny PRC portmapper dst port 137 139 action drop comment deny NBT dst port 2049 action drop comment deny NFS dst port 3133 action drop comment deny BackOriffice Allow only needed icmp codes in icmp chain add chain icmp protocol icmp icmp options 0 0 action accept comment drop inval id connections add chain icmp protocol icmp icmp options 3 0 action accept comment allow esta blished connections add chain icmp protocol icmp icmp options 3 1 action accept comment allow alre ady established connections add chain icmp protocol icmp icmp options 4 0 action accept comment allow sour ce quench add chain icmp protocol icmp icmp options 8 0 action accept comment allow echo request add chain icmp protocol icmp icmp options 11 0 action accept comment allow time exceed add chain icmp protocol icmp icmp options 12 0 action accept comment allow para meter bad add chain icmp action drop comment deny all other types 9 2 Mangle 9 2 1 General Information Summary The mangle facility allows router facilities to identify marking IP packets with special marks These marks are used by various other the packets Additionaly the mangle facility is used to modify some fields in the IP header like TOS DSCP and TTL fields Specifications Packages required system License required Level AT WR4500 Series IEEE 802 1 lab
104. costs to internal link state metrics Both Type and Type 2 external metrics can be used in the AS at the same time In that event Type external metrics always take precedence In lip route you can see routes with lo status Because router receives routers from itself The metric cost can be calculated from line speed by using the formula 0e 8 line speed The table contains some examples Example To enable the OSPF protocol redisrtibute routes to the connected networks as typel metrics with the cost of I you need do the following admin AT WR4562 routing ospf gt set redistribute connected as type 1 N metric connected 1 admin AT WR4562 routing ospf gt print router id 0 0 0 0 distribute default never redistribute connected no redistribute static no redistribute rip no redistribute bgp no metric default 1 metric connected 20 metric static 20 metric rip 20 metric bgp 20 mpls te area unspecified mpls te router id unspecified admin AT WR4562 routing ospf gt 5 3 3 OSPF Areas Submenu level routing ospf area Description OSPF allows collections of routers to be grouped together Such group is called an area Each area runs a separate copy of the basic link state routing algorithm This means that each area has its own link state database and corresponding graph The structure of an area is invisible from the outside of the area This isolation of knowledge enables the protocol to ef
105. default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both Virtual Access Point Virtual Access Point VAP enables you to create multiple Access Points with different Service Set Identifier VW DS settings and even different MAC address using the same hardware interface You create up to 7 VAP interfaces from a single physical interface To create a Virtual Access Point simply add a new interface specifying a master interface which is the physical interface that will do the hardware function to VAP AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 65 RouterOS v3 Configuration and User Guide This example will show you how to create a VAP admin VAP interface wireless print Flags disabled running 0 name wlanl mtu 1500 mac address 00 0C 42 05 00 22 arp enabled disable running check no interface type Atheros AR5413 radio name 000C42050022 mode ap bridge ssid test area frequency mode superchannel country no country set antenna gain 0 frequency 2437 band 2 4ghz b g scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps l11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6M
106. e mail gsm mme ntp open ovpn pim radvd rip sertcp ups default info specifies log group or log message type Example To log messages that are generated by firewall by saving them in local buffer admin AT WR4562 system logging add topics firewall action memory admin AT WR4500 system logging print Flags X disabled I invalid TOPICS ACTION PREFIX 0 info memory 1 error memory 2 warning memory 3 critical echo 4 firewall memory admin AT WR4500 system logging 256 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 12 1 3 Actions Submenu level system logging action Property Description disk lines integer default 100 number of records in log file saved on the disk only if action target is set to disk disk stop on full yes no default no whether to stop to save log messages on disk after the specified disk lines number is reached email to name email address logs are sent to only if action target is set to email memory lines integer default 100 number of records in local memory buffer only if action target is set to memory memory stop on full yes no default no whether to stop to save log messages in local buffer after the specified memory lines number is reached name name name of an action remember yes no default yes whether to keep log messages which have not
107. eati racio 214 9 3 6 General Firewall 215 9 45 216 9 4 1 General Information 2 i eie e nem ir 216 9 4 2 PME 217 9 4 3 2 0 2 rrt estie tech seb ratto tede pua e ee 221 107 Hot Spot Service icit et etta d e ti ee in ria 222 I0 I HotSpot Gateway ctt qe 222 10 1 1 General Information 222 10 1 2 Question amp Answer Based Setup esee tententtententtn tente 226 10 1 3 HotSpot Interface 2 227 10 1 4 HotSpot Server Profiles eese teen ttnttententtnnten ttn ttenten tentent 228 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 12 10 1 5 HotSpot User Profiles ente egre e 229 10 2 HotSpot Users oriin a 229 10 2 1 D sCEIpton s ett 229 10 3 HotSpot Active Users reet et rtt 229 10 3 1 DeScEIptOT 229 10 32 HotSpot Cookies 25e tea dede tee eee 229 10 3 3 ettet ette eite de det 230 0 3 4 IPslevel Walled Garde tien 231 10 3 5 One to one NAT static address 2
108. frames to other AP clients or not disable running check yes no default no disable running check For broken cards it is a good idea to set this value to yes disabled yes no default yes whether to disable the interface or not hide ssid yes no default no whether to hide ssid or not in the beacon frames yes ssid is not included in the beacon frames AP replies only to probe requests with the given ssid no ssid is included in beacon frames AP replies to probe requests with the given ssid and to broadcast ssid mac address MAC address default 02 00 00 00 00 MAC address of VAP You can define your own value for mac address master interface name hardware interface to use for VAP AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 51 RouterOS v3 Configuration and User Guide max station count integer default 2007 number of clients that can connect to this AP simultaneously mtu integer 68 1600 default 1500 Maximum Transmission Unit name name default wlanN interface name proprietary extensions pre 2 9 25 post 2 9 25 default post 2 9 25 the method to insert additional information MikroTik proprietary extensions into the wireless frames This option is needed to workaround incompatibility between the old pre 2 9 25 method and new Intel Centrino PCI Express cards pre 2 9 25 include extensions in the form accepted by older RouterOS versions This will include
109. from the same network assigned to the router Exempli gratia the combination of IP address 10 0 0 1 24 on the ether interface and IP address 10 0 0 132 24 on the ether2 interface is invalid unless both interfaces are bridged together because both addresses belong to the same network 10 0 0 0 24 Use addresses from different networks on different interfaces Example admin AT WR4562 ip address add address 10 10 10 1 24 interface ether2 admin AT WR4562 ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 2 2 2 1 24 2 2 2 0 2 222 255 ether2 1 10 5 7 244 24 10 5 7 0 10 392 72259 etherl 2 10 10 10 1 24 10 10 10 0 10 10 10 255 ether2 admin AT WR4562 ip address gt 5 1 3 Address Resolution Protocol Submenu level ip arp Description Even though IP packets are addressed using IP addresses hardware addresses must be used to actually transport data from one host to another Address Resolution Protocol is used to map OSI level 3 IP addresses to OSI level 2 MAC addresses A router has a table of currently used ARP entries Normally the table is built dynamically but to increase network security it can be built statically by means of adding static entries Property Description address IP address IP address to be mapped interface name interface name the IP address is assigned to mac address MAC address default 00 00 00 00 00 00 MAC address to b
110. http login open status page only in case of HTTP login including cookie and https login methods always open the status page in case of mac login as well once the user opens any web page outgoing filter name name of the firewall chain applied to outgoing packets to the users of this profile outgoing packet mark name packet mark put on all the packets to every user of this profile automatically rate limit text default Rate limitation in form of rx rate tx rate rx burst rate tx burst rate rx burst threshold tx burst threshold rx burst time tx burst time priority rx rate min tx rate min from the point of view of the router so rx is client upload and tx is client download All rates should be numbers with optional k 1 0005 or M 1 000 000s If tx rate is not specified rx rate is as tx rate too Same goes for tx burst rate and tx burst threshold and tx burst time If both rx burst threshold and tx burst threshold are not specified but burst rate is specified rx rate and tx rate is used as burst thresholds If both rx burst time and tx burst time are not specified 15 is used as default Priority takes values 8 where implies the highest priority but 8 the lowest If rx rate min and tx rate min are not specified rx rate and tx rate values are used The rx rate min and tx rate min values can not exceed rx rate and tx rate values session timeout time default Os session timeout maximal
111. in byte limit for send 1000000 or if there is no limit limit bytes out byte limit for receive 1000000 or if there is no limit refresh timeout status page refresh timeout 1 305 or if none refresh timeout secs status page refresh timeout in seconds 90s or 0 if none session timeout session time left for the user 5h or if none session timeout secs session time left for the user in seconds 3475 or 0 if there is such timeout session time left session time left for the user 5h or if none session time left secs session time left for the user in seconds 3475 or 0 if there is such timeout uptime current session uptime 10h2m33s uptime secs current session uptime in seconds 125 Traffic counters which are available only in the status page bytes in number of bytes received from the user 15423 bytes in nice user friendly form of number of bytes received from the user 15423 bytes out number of bytes sent to the user 11352 bytes out nice user friendly form of number of bytes sent to the user 11352 packets in number of packets received from the user 251 packets out number of packets sent to the user 211 remain bytes in remaining bytes until limit bytes in will be reached 337465 or if there is no limit remain bytes out remaining bytes until limit bytes out will be reached 124455 or if there is no limit
112. installed sa gt 8 8 7 Application Examples RouterOS Router to RouterOS Router Networlc 1 0 0 0 24 Router2 lt 1 0 0 2 Routerl 4 1 0 0 1 SS 1020024 10 1 0 0 24 Figure 30 transport mode example using ESP with automatic keying for Routerl admin Routerl gt ip ipsec policy add sa src address 1 0 0 1 sa dst address 1 0 0 2 N action encrypt admin Routerl gt ip ipsec peer add address 1 0 0 2 Secret gvejimezyfopmekun for Router2 admin Router2 gt ipsec policy add sa src address 1 0 0 2 sa dst address 1 0 0 1 action encrypt admin Router2 gt ip ipsec peer add address 1 0 0 1 Secret gvejimezyfopmekun Transport mode example using ESP with automatic keying and automatic policy generating on Router and static policy on Router 2 for Router l admin Router1 gt ip ipsec peer add address 1 0 0 0 24 Secret gvejimezyfopmekun generate policy yes for Router2 admin Router2 gt ip ipsec policy add sa src address 1 0 0 2 sa dst address 1 0 0 1 N action encrypt admin Router2 gt ip ipsec peer add address 1 0 0 1 N Secret gvejimezyfopmekun tunnel mode example using AH with manual keying 196 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide for Router admin Routerl gt ip
113. integer default 1700 The port number to listen for the requests on RouterOS doesn t support POD Packet of Disconnect the other RADIUS access request packet that performs a similar function as Disconnect Messages 7 1 4 Suggested RADIUS Servers Description RouterOS RADIUS Client should work well with all RFC compliant servers It has been tested with FreeRADIUS XTRadius does not currently support MS CHAP Steel Belted Radius 7 1 5 Supported RADIUS Attributes Description MikroTik RADIUS Dictionaries Here you can download MikroTik reference dictionary which incorporates all the needed RADIUS attributes This dictionary is the minimal dictionary which is enough to support all features of RouterOS It is designed for FreeRADIUS but may also be used with many other UNIX RADIUS servers eg XTRadius a It may conflict with the default configuration files of RADIUS server which have references to the Attributes absent in this dictionary Please correct the configuration files not the dictionary as no other Attributes are supported by RouterOS There is also dictionary mikrotik that can be included in an existing dictionary to support RouterOS vendor specific Attributes Definitions e PPPs PPP PPTP PPPoE and ISDN e default configuration settings in default profile for PPPs or HotSpot server settings for HotSpot Access Request e Service Type always is Framed o
114. introduces you with commands which are used to perform the following functions e system backup e system restore from a backup configuration export e configuration import e system configuration reset Description The configuration backup can be used for backing up RouterOS configuration to a binary file which can be stored on the router or downloaded from it using FTP for future use The configuration restore can be used for restoring the router s configuration exactly as it was at the backup creation moment from a backup file The restoration procedure system backup load assumes the cofiguration is restored on the same router where the backup file was originally created system backup save so it will create partially broken configuration if the hardware has been changed The configuration export can be used for dumping out complete or partial RouterOS configuration to the console screen or to a text script file which can be downloaded from the router using FTP protocol The configuration dumped is actually a batch of commands that add without removing the existing configuration the selected configuration to a router The configuration import facility executes a batch of console commands from a script file System reset command is used to erase all configuration on the router Before doing that it might be useful to backup the router s configuration In order to be sure that the backup will not fail system backup load comm
115. ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 1 1 1 1 24 1 1 1 0 1 1 1 255 isp2 10 1 0 111 24 10 1 0 0 10 1 0 255 ispl AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 157 Office2 configuration admin office2 interface print Flags disabled D dynamic running NAME TYPE RX RATE MTU 0 R isp2 ether 0 0 1500 ispl ether 0 0 1500 admin office2 interface ip add print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 2 2 2 1 24 2 2 2 0 22422255 isp2 10 1 0 112 24 10 1 0 0 10 1 0 255 ispl EoIP tunnel configuration for Officel through ISPI admin officel gt interface add remote address 10 1 mac address FE FD 00 00 00 04 admin officel gt interface eoip print Flags X disabled running 0 name eoip tunnel2 mtu 1500 mac address FE FD 00 remote address 10 1 0 112 tunnel id 2 0 112 tunnel id 2 00 00 04 arp enabled for Office2 through ISP admin office2 mac address FE FD 00 00 00 02 admin office2 gt interface eoip print Flags X disabled running 0 remote address 10 1 0 111 tunnel id 2 interface eoip add remote address 10 1 0 111 tunnel id 2 R name eoip tunnel2 mtu 1500 mac address FE FD 00 00 00 02 arp enabled for Officel
116. ip arp ip route print Flags X disabled I invalid D dynamic J rejected connect static rip ospf B bop DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 r 10 0 0 1 1 eth LAN 1 DC 10 0 0 0 24 r 0 0 0 0 0 eth LAN 2 DC 10 0 0 230 32 r 0 0 0 0 0 pppoe in25 3 DC 10 0 0 231 32 r 0 0 0 0 0 pppoe in26 adminQ AT WRA4562 ip arp 5 1 5 Unnumbered Interfaces Description Unnumbered interfaces can be used on serial point to point links If your AT WR4500 ROUTER is not equipped with such interfaces please disregard this description A private address should be put on the 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide interface with the network being the same as the address on the router on the other side of the p2p link there may be no IP on that interface but there is an IP for that router Example admin AT WR4562 ip address add address 10 0 0 214 32 network 192 168 0 1 interface pppsync admin AT WR4562 ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 214 32 192 168 0 1 192 168 0 1 pppsync admin AT WR4562 ip address gt admin AT WR4562 ip address gt route print detail Flags disabled I invalid D dynamic J rejected connect S static rip ospf B bgp 0 S dst address 0 0 0 0 0 preferred source
117. is reduced along with the routing table and less CPU cycles are used to process Any router which is trying access to a network outside the area sends the packets to the default route Example To define additional OSPF area named local 10 with area id 0 0 10 5 do the following adminQ WiFi routing ospf area add area id 0 0 10 5 name local 10 admin8 WiFi routing ospf area print Flags X disabled I invalid NAME AREA ID STUB DEFAULT COST AUTHENTICATION 0 backbone 0 0 0 0 none 1 local_10 0 0 10 5 no 1 none adminQ WiFi routing ospf area 5 3 4 Networks Submenu level routing ospf network Description There can be Point to Point networks or Multi Access networks Multi Access network can be a broadcast network a single message can be sent to all routers To start the OSPF protocol you have to define the networks on which it will run and the area ID for each of those networks Property Description area name default backbone the OSPF area to be associated with the specified address range network IP address mask default 20 the network associated with the area The network argument allows defining one or multiple interfaces to be associated with a specific OSPF area Only directly connected networks of the router may be specified You should set the network address exactly the same as the remote point IP address for point to point links The right netmask in this case is 132
118. l2tp server In this example an already connected user ex is shown besides the one we just added Now the interface named I2tp inl be referenced from anywhere in RouterOS configuration like a regular interface 166 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 8 5 6 L2TP Application Examples Router to Router Secure Tunnel Example Big S Internet WISP I 192 168 80 0 24 WISP 2 N 192 168 8 I 0 24 Home Office Remote Office To Internet To Internet 192 168 80 1 24 192 168 81 1 24 LAN LAN 10 150 2 254 24 10 150 1 254 24 Network Setup without L2TP enabled Ss 10 150 2 1 24 10 150 1 1 24 Figure 23 Router to Router Secure Tunnel Example There are two routers in this example Home Office Interface LocalHomeOffice 10 150 2 254 24 Interface Tolnternet 192 168 80 1 24 RemoteOffice Interface Tolnternet 192 168 81 1 24 Interface LocalRemoteOffice 10 150 1 254 24 Each router is connected to a different ISP One router can access another router through the Internet On the L2TP server a user must be set up for the client admin HomeOffice ppp secret add name ex service 12tp password lkjrht local address 10 0 103 1 remote address 10 0 103 2 admin HomeOffice ppp secret print detail Flags X disabled 0 name ex service 12tp caller id password lkjrht profile default local addres
119. list of 5GHz channels frequencies are given in MHz 5ghz turbo channels multiple choice read only 4920 4925 4930 4935 4940 4945 4950 4955 4960 4965 4970 4975 4980 4985 4990 4995 5000 5005 5010 5015 5020 5025 5030 5035 5040 5045 5050 5055 5060 5065 5070 5075 5080 5085 5090 5095 5100 5105 5110 5115 5120 5125 5130 5135 5140 5145 5150 5155 5160 5165 5170 5175 5180 5185 5190 5195 5200 5205 5210 5215 5220 5225 5230 5235 5240 5245 5250 5255 5260 5265 5270 5275 5280 5285 5290 5295 5300 5305 5310 5315 5320 5325 5330 5335 5340 5345 5350 5355 5360 5365 5370 5375 5380 5385 5390 5395 5400 5405 5410 5415 5420 5425 5430 5435 5440 5445 5450 5455 5460 5465 5470 5475 5480 5485 5490 5495 5500 5505 5510 5515 5520 5525 5530 5535 5540 5545 5550 5555 5560 5565 5570 5575 5580 5585 5590 5595 5600 5605 5610 5615 5620 5625 5630 5635 5640 5645 5650 5655 5660 5665 5670 5675 5680 5685 5690 5695 5700 5705 5710 5715 5720 5725 5730 5735 5740 5745 5750 5755 5760 5765 5770 5775 5780 5785 5790 5795 5800 5805 5810 5815 5820 5825 5830 5835 5840 5845 5850 5855 5860 5865 5870 5875 5880 5885 5890 5895 5900 5905 5910 5915 5920 5925 5930 5935 5940 5945 5950 5955 5960 5965 5970 5975 5980 5985 5990 5995 6000 6005 6010 6015 6020 6025 6030 6035 6040 6045 6050 6055 6060 6065 60
120. longer reach and higher throughput on wireless links Wide choice of omnidirectional directional and sector antennas RoHS compliant 1 2 Software License RouterOS licensing scheme is based on software IDs To license the software you must know the software ID that is displayed during installation process or can be read from the CLI system console or WinBox In order to get the software ID from system console first log in the default user is admin with no password and type system license print admin AT WR4541g gt system license print software id NCL8 3TT upgradable to v4 x nlevel 4 features admin AT WR4541g gt 14 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 2 Configuring RouterOS 2 1 Logging in the AT WR4500 Router There are many options for accessing your AT WR4500 Router command facility e Accessing the router Command Line Interface either via Telnet or SSH using any text mode Telnet or SSH client software e Accessing the Web based Graphical User Interface via HTTP using a Web browser e Running the MS Windows based WinBox graphical menu based configuration utility Every AT WR4500 Wireless Router is factory configured with the static IP address 192 168 1 1 24 net mask 255 255 255 0 and both CLI and Web GUI can be accessed through this IP address 2 2 Accessing the WR4500 through WinBox Should the router come
121. mac address the client s MAC address profile and limit uptime the respective values of trial user profile and trial uptime limit properties of the HotSpot server profile The entries will be automatically removed once the trial user times out after trial uptime reset time AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 247 RouterOS v3 Configuration and User Guide Example To add user ex with password ex that is allowed to log in only with 01 23 45 67 89 AB MAC address and is limited to hour of work admin AT WR4562 ip hotspot user add name ex password ex mac address 01 23 45 67 89 AB limit uptime 1h admin AT WR4562 ip hotspot user print Flags X disabled SERVER NAME ADDRESS PROFILE UPTIME 0 ex default 00 00 00 admin AT WR4562 ip hotspot user print detail Flags X disabled 0 name ex password ex mac address 01 23 45 67 89 AB profile default limit uptime 01 00 00 uptime 00 00 00 bytes in 0 bytes out 0 packets in 0 packets out 0 admin AT WR4562 ip hotspot user 10 4 4 HotSpot Active Users Submenu level ip hotspot active Description The active user list shows the list of currently logged in users Nothing can be changed here except user can be logged out with the remove command Property Description address read only IP address IP address of the user blocked read only flag whether the user is blocked by advertisement i e usual due
122. many outgoing packets were dropped by the policy without an attempt to encrypt out transformed integer how many outgoing packets were encrypted ESP and or signed AH ph2 state read only expired no phase2 established indication of the progress of key establishing expired there are some leftovers from previous phase2 In general it is similar to no phase2 no phase2 no keys are estabilished at the moment estabilished Appropriate SAs are in place and everything should be working fine priority integer default 0 policy ordering classificator signed integer Larger number means higher priority proposal name default default name of proposal information that will be sent by IKE daemon to establish SAs for this policy protocol name integer default all IP packet protocol to match sa dst address IP address default 0 0 0 0 SA destination IP address remote peer sa src address IP address default 0 0 0 0 SA source IP address local peer src address IP address netmask port default 0 0 0 0 32 any source IP address tunnel yes no default no specifies whether to use tunnel mode All packets are IPIP encapsulated in tunnel mode and their new IP header src address and dst address are set to sa src address and sa dst address values of this policy If you do not use tunnel mode id est you use transport mode then only packets whose source and destination addresses are the same as sa sr
123. need of bridging over EolP tunnels Please consult the respective manual on how to set up a PPTP client with the software you are using 186 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Internet ISP 42 Ss 152 168 81 0 24 ISP 1 e e Encrypted PPTP Tunnel e e e ToRemoteOffice 10 150 1 1 32 Tunnel_To_HomeOffice 10 150 1 254 32 Remote Office 192 168 81 1 24 10 150 1 254 24 192 168 80 1 I 1 24 10 150 1 1 24 Figure 29 Connecting Remote Client via and Encrypted PPTP Tunnel The router in this example RemoteOffice Interface Tolnternet 192 168 81 1 24 Interface Office 10 150 1 254 24 The client computer can access the router through the Internet On the PPTP server a user must be set up for the client admin RemoteOffice ppp secret add name ex service pptp password lkjrht local address 10 150 1 254 remote address 10 150 1 2 admin RemoteOffice ppp secret print detail Flags X disabled 0 name ex service pptp caller id password lkjrht profile default local address 10 150 1 254 remote address 10 150 1 2 routes admin RemoteOffice ppp secret Then the user should be added in the PPTP server list admin RemoteOffice interface pptp server gt add name FromLaptop user ex admin RemoteOffice interface pptp server gt print Flags X disabled
124. optimal entry point into the local AS 112 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide bgp origin incomplete igp egp the origin of the route prefix bgp prepend integer 0 16 number which indicates how many times to prepend AS_NAME to AS_PATH check gateway arp ping default ping which protocol to use for gateway reachability distance integer 0 255 administrative distance of the route When forwarding a packet the router will use the route with the lowest administrative distance and reachable gateway dst address address netmask default 0 0 0 0 0 destination address and network mask where netmask is number of bits which indicate network number Used in static routing to specify the destination which can be reached using a gateway 0 0 0 0 0 any network gateway address gateway host that can be reached directly through some of the interfaces You can specify multiple gateways separated by a comma for ECMP routes pref src IP address source IP address of packets leaving router via this route 0 0 0 0 pref src is determined automatically routing mark name a mark for packets defined under ip firewall mangle Only those packets which have the according routing mark will be routed using this gateway scope integer 0 255 a value which is used to recursively lookup the nexthop addresses Nexthop is looked up only
125. packets are queued for transmitting they can be combined There are several methods of framing none do nothing special do not combine packets framing is disabled best fit put as much packets as possible in one frame until the framer limit limit is met but do not fragment packets exact size put as much packets as possible in one frame until the framer limit limit is met even if fragmentation will be needed best performance dynamic size choose the best frame size dynamically name name reference name of the interface a The settings here except for enabling nstreme are relevant only on Access Point they are ignored for client devices The client automatically adapts to the AP settings WDS for Nstreme protocol requires using station wds mode on one of the peers Configurations with WDS between AP modes bridge and ap bridge will not work Example To enable the nstreme protocol on the wlanl radio with exact size framing adminQ AT WR4562 interface wireless nstreme gt print 0 name wlanl enable nstreme no enable polling yes disable csma no framer policy none framer limit 3200 admin AT WR4562 interface wireless nstreme set wlanl enable nstreme yes N framer policy exact size 4 3 4 Nstreme2 Group Settings Submenu level interface wireless nstreme dual Description Two radios in nstreme dual slave mode can be grouped together to make nstreme2 Point to Point connection To
126. profile wins server IP address 1 2 IP address of che WINS server to supply to Windows clients AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 143 RouterOS v3 Configuration and User Guide There are two default profiles that cannot be removed admin rb13 ppp profile print Flags default 0 name default use compression default use vj compression default use encryption default only one default change tcp mss yes 1 name default encryption use compression default use vj compression default use encryption yes only one default change tcp mss yes admin rb13 ppp profile Use Van Jacobson compression only if you have to because it may slow down the communications on bad or congested channels incoming filter and outgoing filter arguments add dynamic jump rules to chain ppp where the jump target argument will be equal to incoming filter or outgoing filter argument in profile Therefore chain ppp should be manually added before changing these arguments only one parameter is ignored if RADIUS authentication is used If there are more that 10 simultaneous PPP connections planned it is recommended to turn the change mss property off and use one general MSS changing rule in mangle table instead to reduce CPU utilization Example To add the profile ex that assigns the router itself the 10 0 0 1 address and the addresses from the ex pool to the clients filtering traffic
127. put wireless interfaces into a nstreme2 group you should set their mode to nstreme dual slave Many parameters from interface wireless menu are ignored using the nstreme2 except e frequency mode e country e antenna gain tx power e tx power mode antenna mode Property Description arp disabled enabled proxy arp reply only default enabled Address Resolution Protocol setting disable csma yes no default no disable CSMA CA better performance disable running check yes no whether the interface should always be treated as running even if there is no connection to a remote peer framer limit integer default 2560 maximal frame size framer policy none best fit exact size default none the method how to combine frames A number of frames may be combined into one bigger one to reduce the amout of protocol overhead and thus increase speed The card are not waiting for frames but in case a number packets are queued for transmitting they can be combined There are several methods of framing none do nothing special do not combine packets best fit put as much packets as possible in one frame until the framer limit limit is met but do not fragment packets exact size put as much packets as possible in one frame until the framer limit limit is met even if fragmentation will be needed best performance mac address read only MAC address MAC address of the transmitting wireless
128. r rip o ospf b bgp E 510 2 0 2 to main DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Io 192 168 0 0 24 110 1 DC 192 168 0 0 24 0 20 20 0 0 main_gw 2 Do 10 3 0 0 24 10 2 0 1 119 to peer 2 E sL to peer 1 3 Io 10 2 0 0 24 110 4 DC 10 2 0 0 24 r 0 0 0 0 0 to peer 2 5 Io 10 1 0 0 24 110 6 DC 10 1 0 0 24 1 0 40 00 0 to peer 1 DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Do 192 168 0 0 24 r10 2 0 2 110 to main 1 Io 10 3 0 0 24 110 2 DC 10 3 0 0 24 1 0 0 0 0 0 to peer 1 3 Io 10 2 0 0 24 110 4 DC 10 2 0 0 24 r 0 0 0 0 0 to main 5 Do 10 1 0 0 24 rt 10 3 0 1 110 to peer 1 108 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Routing tables with Revised Link Cost This example shows how to set up link cost Let us assume that the link between the routers OSPF peer and OSPF peer 2 has a higher cost might be slower we have to pay more for the traffic through it etc to_peerl 10 1 0 2 to_main 10 1 0 1 OSPF_peer_1 Figure 14 OSPF Routing tables We should change cost value both routers OSPF peer and OSPF peer 2 to 50 To do this we need to add a following interface admin 8OSPF peer 1 routing ospf interface add interface backup cost 50 admin OSPF peer 1 routing ospf interface print 0 interface backup cost 50 priority 1 authentication key retransmit interval 5s transmit delay 1s hello i
129. sending the reques 0 3 5 One to one NAT static address bindings Submenu level ip hotspot ip binding Description You can setup NAT translations statically based on either the original IP address or IP network or the original MAC address You can also allow some addresses to bypass HotSpot authentication i e they will be able work without having to log in to the network first and completely block some addresses Property Description address IP address netmask default the original IP address or network of the client mac address MAC address default the source MAC address of the client server namelall default all the name of the server the client is connecting to to address address default IP address to translate the original client address to If address property is given as network this is the starting address for the translation i e the first address is translated to to address address to to address and so on type regular bypassed blocked type of the static binding entry regular perform a one to one NAT translation according to the values set in this entry bypassed perform the translation but exclude the client from having to log in to the HotSpot system blocked the translation will not be preformed and all packets from the host will be dropped 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide
130. setup In fa GW ERST CN f IP 10 0 0 1 M Pl f 1 GW 2 y 10 0 02 le Network A m 10 20 0 Interface Public IP 10 0 0 7 24 pe d Interface Locall Interface Local2 IP 192 168 0 1 24 IP 192 168 1 1 24 192 168 0 0 24 192 168 1 0 24 Figure 7 Standard Policy Based Routing with Failover AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 115 Configuration of the IP addresses admin PB Router ip address gt print Flags disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INT 0 192 168 0 1 24 192 168 0 0 192 168 0 255 Loc T 192 168 1 1 24 192 168 1 0 192 168 1 255 Loc 2 10 0 0 7 24 10 0 0 0 10 0 0 255 Pub admin PB Router ip address gt ERFACE all al2 lic To achieve the described result follow these configuration steps Mark packets from network 192 168 0 0 24 with new routing mark netl and packets from network 192 168 1 0 24 with a new routing mark net2 admin PB Router ip firewall mangle gt add src address 192 1 action mark routing new routing mark net1 chain prerou admin PB Router ip firewall mangle gt add src address 192 1 action mark routing new routing mark net2 chain prerou admin PB Router ip firewall mangle gt print Flags X disabled I invalid D dynamic 0 chain prerout
131. size range or a standalone value max specifies upper boundary of the size range passthrough yes no default yes whether to let the packet to pass further like action passthrough after marking it with a given mark property only valid if action is mark packet connection or routing mark port port 0 16 matches if any source or destination port matches the specified list of ports or port ranges note that the protocol must still be selected just like for the regular src port and dst port matchers protocol ddp egp encap ggp gre hmp icmp idrp cmtp igmp ipencap ipip ipsec ah ipsec esp iso tp4 ospf pup rdp rspf st tcp udp vmtp xns idp xtp integer matches particular IP protocol specified by protocol name or number You should specify this setting if you want to specify ports psd integer time integer integer attempts to detect TCP and UDP scans It is advised to assign lower weight to ports with high numbers to reduce the frequency of false positives such as from passive mode FTP transfers WeightThreshold total weight of the latest TCP UDP packets with different destination ports coming from the same host to be treated as port scan sequence DelayThreshold delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence LowPortWeight weight of the packets with privileged lt 1024 destination port HighPortWe
132. some of the packets and bridging on others Has one predefined chain brouting which is traversed right after a packet enters an enslaved interface before Bridging Decision The bridge destination NAT is executed before bridging decision You can put packet marks in bridge firewall filter broute and NAT which are the same as the packet marks in IP firewall put by mangle So packet marks put by bridge firewall can be used in IP firewall and vice versa General bridge firewall properties are described in this section Some parameters that differ between nat broute and filter rules are described in further sections Property Description 802 3 sap integer DSAP Destination Service Access Point and SSAP Source Service Access Point are 2 one byte fields which identify the network protocol entities which use the link layer service These bytes are always equal Two hexadecimal digits may be specified here to match an SAP byte 802 3 type integer Ethernet protocol type placed after the IEEE 802 2 frame header Works only if 802 3 sap is OxAA SNAP Sub Network Attachment Point header For example AppleTalk be indicated by SAP code of OxAA followed a SNAP type code of 0x809B arp dst address IP address default 0 0 0 0 0 ARP destination address arp dst mac address MAC address default 00 00 00 00 00 00 ARP destination MAC address arp hardware type integer default 1 ARP hardware typ
133. specific HotSpot may also perform a one to one NAT for the client so that a particular user would always receive the same IP address regardless of what PC is he she working at The system will automatically detect and redirect requests to a proxy server a client is using if any it may be set in his her settings to use an unknown to us proxy server to the proxy server embedded in the router Authorization may be delegated to a RADIUS server which delivers similar configuration options as the local database For any user requiring authorization a RADIUS server gets queried first and if no reply received the local database is examined RADIUS server may send a Change of Authorization request according to standards to alter the previously accepted parameters Advertisement The same proxy used for unauthorized clients to provide Walled Garden facility may also be used for authorized users to show them advertisement popups Transparent proxy for authorized users allows to monitor http requests of the clients and to take some action if required It enables the possibility to open status page even if client is logged in by mac address as well as to show advertisements time after time When time has come to show an advertisement the server redirects client s web browser to the status page Only requests which provide html content are redirected images and other content will not be affected The status page displays the advertisement and next adve
134. station and 40bit wep for other clients The configuration of stations is also present WEP AP gt Internet 7 AN Interface WEP STA1 eee MAC 00 0C 42 05 00 22 gnaw et Interface WEP AP 2 2 ssid mt_wep 2 lt AObit wep 2 WEP_Station 6 Interface WEP STAX MAC 00 0C 42 05 06 B2 WEP StationX Figure 9 WEP security example The key used for connection between AP WEP Stationl will 65432 109876543210987654321 key for WEP AP StationX will be 12345678 AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 71 Configure the Access Point admin WEP_AP interface wireless security profiles add name StationX NV mode static keys required static algo 1 40bit wep static key 1 1234567890 Sstatic transmit key key 1 adminQ WEP AP interface wireless security profiles gt print 0 name default mode none wpa unicast ciphers wpa group ciphers pre shared key static algo 0 none static key 0 static algo 1 none static key 1 static algo 2 none static key 2 static algo 3 none Static key 3 2 static transmit key key 0 static sta private algo none Static sta private key radius mac authentication no group key update 5m 1 name StationX mode static keys required wpa unicast ciphers wpa group ciphers pre shared key static algo 0 none static key 0 s
135. text default admin username of one automatically created user passphrase text the passphrase of the certificate you are importing password for the user text password for the automatically created user select certificate name none import other certificate choose SSL certificate from the list of the imported certificates do not use SSL e import other certificate setup the certificates not imported yet and ask this question again Depending on current settings and answers to the previous questions default values of following questions may be different Some questions may disappear if they become redundant Example To configure HotSpot on ether interface which is already configured with address of 192 0 2 1 25 and adding user admin with password rubbish admin AT WR4562 gt ip hotspot setup hotspot interface etherl local address of network 192 0 2 1 24 masquerade network yes address pool of network 192 0 2 2 192 0 2 126 select certificate none ip address of smtp server 0 0 0 0 dns servers 192 0 2 254 dns name hs example net name of local hotspot user admin password for the user rubbish admin AT WR4562 gt AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 227 RouterOS v3 Configuration and User Guide 10 1 3 HotSpot Interface Setup Submenu level ip hotspot Description HotSpot system is put on individual interfaces You ca
136. the new format as well so this mode is compatiblewith all RouterOS versions This mode is incompatible with wireless clients built on the new Centrino wireless chipset and may as well be incompatible with some other stations security profile text default default which security profile to use Define security profiles under linterface wireless security profiles where you can setup WPA or WEP wireless security for further details see the Security Profiles section of this manual ssid text default AT WR4560 the service set identifier update stats interval time how often to update request from the clients signal strength and ccq values in interface wireless registration table wds cost range integer default 50 150 range within which the bridge port cost of the WDS links are adjusted The calculations are based on the p throughput value of the respective WDS interface which represents estimated approimate rhtoughput on the interface which is mapped on the wds cost range scale so that bigger p throughput would correspond to numerically lower port cost The cost is recalculated every 20 seconds or when the p throughput changes more than by 1076 since the last recalculation wds default bridge name default none the default bridge for WDS interface If you use dynamic WDS then it is very useful in cases when wds connection is reset the newly created dynamic WDS interface will be put in this bridge wds default cost integer
137. the var name is the name of the variable without quotes This construction may be used in any HotSpot HTML file accessed as login or logout as well as any text or HTML txt htm or html file stored on the HotSpot server with the exception of traffic counters which are available in status page only and error error orig chap id chap challenge and popup variables which are available in login page only For example to show a link to the login page following construction can be used a href S 1 1 gt login lt a gt Variables All of the Servlet HTML pages use variables to show user specific values Variable names appear only in the HTML source of the servlet pages they are automatically replaced with the respective values by the HotSpot Servlet For each variable there is an example of its possible value included in brackets All the described variables are valid in all servlet pages but some of them just might be empty at the time they are accesses for example there is no uptime before a user has logged in Common server variables hostname DNS name or IP address if DNS name is not given of the HotSpot Servlet hotspot example net identity RouterOS identity name AT WR4562 login by authentication method used by user plain passwd a yes no representation of whether HTTP PAP login method is allowed server address HotSpot server address 10
138. the default mode for Microsoft L2TP client L2TP includes PPP authentication and accounting for each L2TP connection Full authentication and accounting of each connection may be done through a RADIUS client or locally MPPE 40bit RC4 and MPPE 28bit RC4 encryption are supported L2TP traffic uses UDP protocol for both control and data packets UDP port 1701 is used only for link establishment further traffic is using any available UDP port which may or may not be 1701 This means that L2TP can be used with most firewalls and routers even with NAT by enabling UDP traffic to be routed through the firewall or router 8 5 2 L2TP Client Setup Submenu level interface I2tp client Property Description add default route yes no default no whether to use the server which this client is connected to as its default router gateway allow multiple choice mschap2 mschap chap pap default mschap2 mschapl chap pap the protocol to allow the client to use for authentication connect to IP address The IP address of the L2TP server to connect to max mru integer default 1460 Maximum Receive Unit The optimal value is the MRU of the interface the tunnel is working over decreased by 40 so for 1500 byte Ethernet link set the MRU to 1460 to avoid fragmentation of packets max mtu integer default 1460 Maximum Transmission Unit The optimal value is the MTU of the interface the tunnel is working over decrease
139. this range ssid text the ssid of the AP If none set all ssid s are accepted Different ssids will be meaningful if the ssid for the respective interface is set to 4 3 7 Access List Submenu level interface wireless access list Description The access list is used by the Access Point to restrict associations of clients This list contains MAC addresses of clients and determines what action to take when client attempts to connect Also the forwarding of frames sent by the client is controlled Note that is is an ordered list i e checked from top to bottom 46 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide The association procedure is as follows when a new client wants to associate to the AP that is configured on interface wlanN an entry with client s MAC address and interface wlanN is looked up sequentially from top to bottom in the access list If such entry is found action specified in the access list is performed else default authentication and default forwarding arguments of interface wlanN are taken Property Description ap tx limit integer default 0 limits data rate for this wireless client in bps 0 no limits authentication yes no default yes whether to accept or to reject this client when it tries to connect client tx limit integer default 0 limits this client s transmit data rate in bps Works only if the client i
140. to the full link capacity admin AT WR4562 gt ip firewall mangle add chain forward p2p all p2p action mark connection new connection mark p2p conn admin GAT WR4562 gt ip firewall mangle add chain forward connection mark p2p conn action mark packet new packet mark p2p admin AT WR4562 gt ip firewall mangle add chain forward connection mark p2p_conn action mark packet new packet mark other admin AT WR4562 gt ip firewall mangle print Flags X disabled I invalid D dynamic 0 chain forward p2p all p2p action mark connection new connection mark p2p conn 1 chain forward connection mark p2p conn action mark packet new packet mark p2p 2 chain forward packet mark p2p conn action mark packet new packet mark other admin AT WR4562 gt admin AT WR4562 gt queue tree add parent Public packet mark p2p limit at 1000000 N max limit 100000000 priority 8 adminQ AT WR4562 gt queue tree add parent Local packet mark p2p limit at 1000000 N max limit 100000000 priority 8 admin AT WR4562 gt queue tree add parent Public packet mark other limit at 1000000 max limit 100000000 priority 1 admin AT WR4562 gt queue tree add parent Local packet mark other limit at 1000000 N max limit 100000000 priority 1 Mark by MAC address To mark traffic from a known MAC address which goes to the router or through it do the following admin AT WR4562 gt ip fi
141. user to select language or automatically by JavaScript to select PDA regular version of HTML pages To utilize this feature create subdirectories in HotSpot HTML directory and place those HTML files which are different in that subdirectory For example to translate everything in Latvian subdirectory Iv can be created with login html logout html status html alogin html radvert html and errors txt files which are translated into Latvian If the requested HTML page can not be found in the requested subdirectory the corresponding HTML file from the main directory will be used Then main login html file would contain link to Iv login dst link orig esc which then displays Latvian version of login page lt a href lv login dst link orig esc gt Latviski lt a gt And Latvian version would contain link to English version lt a href login dst link orig esc gt English lt a gt Another way of referencing directories is to specify target variable lt a href link login only dst link orig esc amp target lv gt Latviski lt a gt a href link login only dst link orig esc amp target 2F gt English lt a gt After preferred directory has been selected for example Iv all links to local HotSpot pages will contain that path for example link status http hotspot mt lv lv status So if all hotspot pages reference links using link xxx variables then no more changes are to b
142. user defined address list dst address type unicast local broadcast multicast matches destination address type of the IP packet one of the AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 201 RouterOS v3 Configuration and User Guide unicast IP addresses used for one point to another point transmission There is only one sender and one receiver in this case local matches addresses assigned to router s interfaces broadcast the IP packet is sent from one point to all other points in the IP subnetwork multicast this type of IP addressing is responsible for transmission from one or more points to a set of other points dst limit integer time 0 integer dst address dst port src address time 0 limits the packet per second pps rate on a per destination IP or per destination port base As opposed to the limit match every destination IP address destination port has it s own limit The options are as follows in order of appearance count maximum average packet rate measured in packets per second pps unless followed by time option time specifies the time interval over which the packet rate is measured burst number of packets to match in a burst mode the classifier s for packet rate limiting expire specifies interval after which recorded IP addresses ports will be deleted dst port integer 0 65535 integer 0 65535 destination port number or range fragment yes no
143. value in percent that shows how effective the receive bandwidth is used regarding the theoretically maximum available bandwidth Mostly it depends from an amount of retransmited wireless frames rx rate read only integer receive data rate signal strength read only integer average strength of the client signal recevied by the AP signal to noise read only text signal to noise ratio strength at rates read only text signal strength level at different rates together with time how long were these rates used tx ccq read only integer 0 100 Client Connection Quality a value in percent that shows how effective the transmit bandwidth is used regarding the theoretically maximum available bandwidth Mostly it depends from an amount of retransmited wireless frames tx frames timed out read only integer number of frames that have been discarded due to frame lifetime timeout tx rate read only integer transmit data rate tx signal strength read only integer average power of the AP transmit signal as received by the client device uptime read only time time the client is associated with the access point wds read only no yes whether the connected client is using wds or not wmm enabled read only yes no whether WMM is used with this peer Example To see registration table showing all clients currently associated with the access point admin AT WR4562 interface wireless registration table p
144. we have completed the configuration and added two users w and who are able to connect to Internet using PPPoE client software Windows XP built in client supports encryption but RASPPPOE does not So if it is planned not to support Windows clients older than Windows XP it is recommended to switch require encryption to yes value in the default profile configuration In other case the server will accept clients that do not encrypt data 178 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 8 6 8 Troubleshooting Description can connect to my PPPoE server The ping goes even through it but still cannot open web pages Make sure that you have specified a valid DNS server in the router in ip dns or in ppp profile the dns server parameter The PPPoE server shows more than one active user entry for one client when the clients disconnect they are still shown and active Set the keepalive timeout parameter in the PPPoE server configuration to 10 if You want clients to be considered logged off if they do not respond for 10 seconds If the keepalive timeout parameter is set to 0 and the only one parameter PPP profile settings is set to yes then the clients might be able to connect only once To resolve this problem one session per host parameter in PPPoE server configuration should be set to yes can get through the PPPo
145. will be stored in RAM and will be lost after a reboot Example Add IP range 192 168 0 0 24 from which users are allowed to monitor Grapher s resource usage admin AT WR4562 tool graphing resource add allow address 192 168 0 0 24 N N Store on disk yes admin AT WR4562 tool graphing resource print Flags X disabled ALLOW ADDRESS STORE ON DISK 0 192 168 0 0 24 yes admin AT WR4562 tool graphing resource
146. will use two radios on both sides simultaneously one for transmitting data and one for receiving allowing superfast point to point connection Point to Multipoint controlled point to multipoint mode with client polling like AP controlled TokenRing 4 3 2 Wireless Interface Configuration Submenu level interface wireless Description In this section we will discuss the most important part of the configuration Property Description ack timeout integer dynamic indoors acknowledgement code timeout transmission acceptance timeout in microseconds for acknowledgement messages Can be one of these dynamic ack timeout is chosen automatically indoors standard constant for indoor usage adaptive noise immunity yes no default yes adjust various receiver parameters dynamically to minimize interference and noise effect on the signal quality allow sharedkey yes no default no allow WEP Shared Key cilents to connect Note that no authentication is done for these clients WEP Shared keys are not compared to anything they are just accepted at once if access list allows that antenna gain integer default 0 antenna gain in dBi This parameter will be used to calculate whether your system meets regulatory domain s requirements in your country antenna mode ant a ant b rxa txb txa rxb default ant a which antenna to use for transmit receive data ant a use only antenna a ant b use only ante
147. with ISAKMP but IKE is the most widely used one Together they provide means for authentication of hosts and automatic management of security associations SA Most of the time IKE daemon is doing nothing There are two possible situations when it is activated e There is some traffic caught by a policy rule which needs to become encrypted or authenticated but the policy doesn t have any SAs The policy notifies IKE daemon about that and IKE daemon initiates connection to remote host e IKE daemon responds to remote connection In both cases peers establish connection and execute 2 phases e Phase The peers agree upon algorithms they will use in the following IKE messages and authenticate The keying material used to derive keys for all SAs and to protect following ISAKMP exchanges between hosts is generated also AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 189 RouterOS v3 Configuration and User Guide Phase 2 The peers establish one or more SAs that will be used by IPsec to encrypt data All SAs established by IKE daemon will have lifetime values either limiting time after which SA will become invalid or amount of data that can be encrypted by this SA or both There are two lifetime values soft and hard When SA reaches it s soft lifetime treshold the IKE daemon receives a notice and starts another phase 2 exchange to replace this SA with fresh one If SA reaches hard lifetime it is discarded IKE c
148. yet been displayed in console only if action target is set to echo remote address port default 0 0 0 0 514 remote logging server s IP address and UDP port only if action target is set to remote target disk echo email memory remote default memory log storage facility or target disk logs are saved to the hard drive echo logs are displayed on the console screen email logs are sent by email memory logs are saved to the local memory buffer remote logs are sent to a remote host You cannot delete or rename default actions f Example To add a new action with name short that will save logs in local buffer if number of records in buffer are less than 50 admin AT WR4562 system logging action add name short NV target memory memory lines 50 memory stop on full yes admin AT WR4562 system logging action print FACILITY LOCAL REMOTE PREFIX REMOTE ADDRESS REMOTE PORT ECHO Flags default NAME TARGET REMOTE 0 memory memory 1 disk disk 2 echo echo 3 remote remote 0 0 0 0 514 4 short memory admin AT WR4562 system logging action 12 1 4 Log Messages Submenu level log Description Displays locally stored log messages Property Description message read only text message text time read only text date and time of the event topics read only text topic list the message belongs to AT WR4500 Series IEEE 802
149. your questions about configuring a HotSpot gateway at the end of this manual It is still recommended that you read and understand all the Description section below before deploying a HotSpot system If this does not work e check that ip dns contains valid DNS servers try to ping www example com to see that DNS resolving works e make sure that connection tracking is enabled ip firewall connection tracking set enabled yes Specifications Packages required hotspot dhcp optional License required Levell Limited to active user Level3 Limited to active user Level4 Limited to 200 active users Level5 Limited to 500 active users Level Submenu level ip hotspot Standards and Technologies ICMP DHCP Hardware usage Not significant Description RouterOS HotSpot Gateway should have at least two network interfaces I HotSpot interface which is used to connect HotSpot clients 2 LAN WAN interface which is used to access network resources For example DNS and RADIUS server s should be accessible The diagram below shows a sample HotSpot setup AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 223 RouterOS v3 Configuration and User Guide RADIUS WAN LAN HotSpot Gateway HotSpot Interface s 4 1 amp b 7 E 2 s Figure 34 HotSpot example network The HotSpot interface should have an IP address assigned to it Physical network conne
150. 0 admin WiFi ip ipsec gt 5 1 727605 src address 10 0 0 148 dst address 10 0 0 147 auth algorithm shal enc algorithm auth key ecc5f4aeelb297739ec88e324d7cfb8594aa6c35 enc key d6943b8ea582582e449bde085c9471ab05b209783c9eb4bbd lifetime 24m 30m usetime jan 28 2003 20 55 23 use 1 3des replay 4 state mature ifetime 0s 0s current bytes 128 7 dst address 10 0 0 148 auth algorithm shal enc algorithm 3des replay 4 state mature auth key 8ac9dc7ecebfed9cd1030ae3b07b32e8e5cb98af enc key 8a38073a7a d0 74518c10438a0023e64cc660ed69845ca3c addtime jan 28 2003 20 55 12 add 1 ifetime 24m 30m lifetime 0s 0s current bytes 512 8 8 6 Flushing Installed SA Table Command name ip ipsec installed sa flush Description Sometimes after incorrect incomplete negotiations took place it is required to flush manually the installed SA table so that SA could be renegotiated This option is provided by the flush command Property Description sa type multiple choice ah all esp default all specifies SA types to flush ah delete AH protocol SAs only esp delete ESP protocol SAs only all delete both ESP and AH protocols SAs AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 195 RouterOS v3 Configuration and User Guide Example To flush all the SAs installed admin AT WR4562 ip ipsec installed sa gt flush admin AT WR4562 ip ipsec installed sa gt print admin AT WR4562 ip ipsec
151. 00 up delay 00 00 00 lacp rate 30secs admin officel ip address gt add address 3 3 3 1 24 interface bondingl admin officel ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 1 1 1 1 24 eletro 1 1 1 255 isp2 1 10 1 0 111 24 10 1 0 0 10 1 0 255 ispl 2 3 3 9 1724 3 23 3 0 3 23 3 255 bondingl for Office2 admin office2 interface bonding add slaves eoip tunnell eoip tunnel2 admin office2 interface bonding print Flags X disabled R running 0 name bondingl mtu 1500 mac address 00 0C 42 03 20 E7 arp enabled Slaves eoip tunnell eoip tunnel2 mode balance rr primary none link monitoring none arp interval 00 00 00 100 arp ip targets mii interval 00 00 00 100 down delay 00 00 00 up delay 00 00 00 lacp rate 30secs admin office2 ip address add address 3 3 3 2 24 interface bondingl admin office2 ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 2 2 2 1 24 224220 20242255 isp2 1 10 1 0 112 24 10 1 0 0 Toys 09 255 ispl 2 3 3 3 2 24 3 3 3 0 9 3 3 255 bondingl admin office2 ip address ping 3 3 3 1 3 3 3 1 64 byte ping ttl 264 time 2 ms 3 3 3 1 64 byte ping ttl 64 time 2 ms 2 packets transmitted 2 packets received 0 packet loss round trip min avg max 2 2 0 2 ms 8 4 IPIP Tunnel Interfaces 8 4 1 General Information Summary The IPIP tunneling implementat
152. 00s If tx rate is not specified rx rate is as tx rate too Same goes for tx burst rate and tx burst threshold and tx burst time If both rx burst threshold and tx burst threshold are not specified but burst rate is specified rx rate and tx rate is used as burst thresholds If both rx burst time and tx burst time are not specified Is is used as default Priority takes values 1 8 where implies the highest priority but 8 the lowest If rx rate min and tx rate min are not specified rx rate and tx rate values are used The rx rate min and tx rate min values can not exceed rx rate and tx rate values Mikrotik Group Router local user group name defines in user group for local users HotSpot default profile for HotSpot users Mikrotik Advertise URL URL of the page with advertisements that should be displayed to clients If this attribute is specified advertisements are enabled automatically including transparent proxy even if they were explicitly disabled in the corresponding user profile Multiple attribute AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 137 RouterOS v3 Configuration and User Guide instances may be send by RADIUS server to specify additional URLs which are choosen in round robin fashion Mikrotik Advertise Interval Time interval between two adjacent advertisements Multiple attribute instances may be send by RADIUS server to specify additional intervals All interval values are threated as a lis
153. 1 labgh Outdoor Wireless Routers 257 RouterOS v3 Configuration and User Guide Command Description print shows log messages buffer prints log messages that were saved in specified local buffer follow monitor system logs without paging prints logs without paging file saves the log information on local ftp server with a specified file name Example To view the local logs admin AT WR4562 gt log print TIME MESSAGE dec 24 2003 08 20 36 log configuration changed by admin dec 24 2003 08 20 36 log configuration changed by admin dec 24 2003 08 20 36 log configuration changed by admin dec 24 2003 08 20 36 log configuration changed by admin dec 24 2003 08 20 36 log configuration changed by admin dec 24 2003 08 20 36 log configuration changed by admin quit D dump To monitor the system log admin AT WR4562 gt log print follow TIME MESSAGE dec 24 2003 08 20 36 log configuration changed by admin dec 24 2003 08 24 34 log configuration changed by admin dec 24 2003 08 24 51 log configuration changed by admin dec 24 2003 08 25 59 log configuration changed by admin dec 24 2003 08 25 59 log configuration changed by admin dec 24 2003 08 30 05 log configuration changed by admin dec 24 2003 08 30 05 log configuration changed by admin dec 24 2003 08 35 56 system started dec 24 2003 08 35 57 isdn outl initializing dec 24 2003 08 35 57 isdn outl dialing dec 24 2003 08 35 58 Prism firmware loading OK
154. 11 11 1 11 11 11 254 222 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 10 Hot Spot Service 10 1 HotSpot Gateway 10 1 1 General Information Summary The RouterOS HotSpot Gateway enables providing of public network access for clients using wireless or wired network connections HotSpot Gateway features e authentication of clients using local client database or RADIUS server e accounting using local database or RADIUS server e Walled garden system accessing some web pages without authorization Quick Setup Guide Given a router with two interfaces Local where HotSpot clients are connected to and Public which is connected to the Internet To set up HotSpot on the Local interface first a valid IP configuration is required on both interfaces This can be done with setup command or by setting up the router manually In this example we will assume the configuration with DHCP server already enabled on the Local interface 2 valid DNS configuration must be set up in the ip dns submenu 3 To put HotSpot on the Local interface using the same IP address pool as DHCP server uses for that interface ip hotspot add interface local address pool dhcp pool 4 and finally add at least one HotSpot user ip hotspot user add name admin These simple steps should be sufficient to enable HotSpot system Please find HotSpot How to s which will answer most of
155. 2 mode 802 3ad active backup balance alb balance rr balance tlb balance xor broadcast default balance rr interface bonding mode Can be one of 802 3ad IEEE 802 3ad dynamic link aggregation In this mode the interfaces are aggregated in a group where each slave shares the same speed If you use a switch between 2 bonding routers be sure that this switch supports IEEE 802 3ad standard Provides fault tolerance and load balancing active backup provides link backup Only one slave can be active at a time Another slave becomes active only if first one fails balance alb adaptive load balancing It includes balance tlb and received traffic is also balanced Device driver should support for setting the mac address then it is active Otherwise balance alb doesn t work No special switch is required balance rr round robin load balancing Slaves in bonding interface will transmit and receive data in sequential order Provides load balancing and fault tolerance balance tlb Outgoing traffic is distributed according to the current load on each slave Incoming traffic is received by the current slave If receiving slave fails then another slave takes the MAC address of the failed slave Doesn t require any special switch support balance xor Use XOR policy for transmit Provides only failover in very good quality but not load balancing yet broadcast Broadcasts the same data on all interfaces at once This provides fa
156. 2 routes admin HomeOffice ppp secret set 0 routes 10 150 1 0 24 10 0 103 2 1 admin HomeOffice ppp secret print detail Flags X disabled 0 name ex service pptp caller id password lkjrht profile default local address 10 0 103 1 remote address 10 0 103 2 routes 10 150 1 0 24 10 0 103 2 1 admin8 HomeOffice ppp secret Test the PPTP tunnel connection admin RemoteOffice ping 10 0 103 1 10 0 103 1 pong ttl1 255 time 3 ms 10 0 103 1 pong ttl1 255 time 3 ms 10 0 103 1 pong ttl1 255 time 3 ms ping interrupted 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 3 3 0 3 ms Test the connection through the PPTP tunnel to the LocalHomeOffice interface admin RemoteOffice gt ping 10 150 2 254 10 150 2 254 pong ttl 255 time 3 ms 10 150 2 254 pong ttl 255 time 3 ms 10 150 2 254 pong ttl 255 time 3 ms ping interrupted 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 3 3 0 3 ms To bridge a LAN over this secure tunnel please see the example the EoIP section of the manual To set the maximum speed for traffic over this tunnel please consult the Queues section Connecting a Remote Client via PPTP Tunnel The following example shows how to connect a computer to a remote office network over PPTP encrypted tunnel giving that computer an IP address from the same network as the remote office has without
157. 4 10 3 0 0 10 3 0 255 to peer 1 AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 107 Add the same area as in previous routers admin OSPF_peer_2 routing ospf area print Flags X disabled I invalid NAME AREA ID AUTHENTICATION 0 backbone none 1 local_10 0 001 none STUB DEFAULT COST 0 0 0 0 no 1 Add connected networks with the same area admin OSPF_peer_2 routing ospf network print Flags X disabled I invalid NETWORK AREA 0 1607 0 70724 local_10 1 10 3 0 0 24 local_10 After all routers have been set up as described above and the links between them routing tables of the three routers look as follows are operational the admin OSPF_MAIN ip route print Flags X disabled I invalid D dynamic J rejected C connect S static r rip o ospf b bgp adminQOSPF peer 1 ip route print Flags X disabled I invalid D dynamic J rejected C connect S static r rip o ospf b bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Do 192 168 0 0 24 10 0052 110 to_main 1 Io 10 3 0 0 24 110 2 DC 10 3 0 0 24 r 0 0 0 0 0 backup 3 Do 10 2 0 0 24 T DV 110 to main r 10 3 0 2 backup 4 Io 10 1 0 0 24 110 5 DC 10 1 0 0 24 r 0 0 0 0 0 to main adminQ8OSPF peer 2 ip route print Flags X disabled I invalid D dynamic J rejected C connect S static
158. 5 50 1 80 ssl login a yes no representation of whether HTTPS method was used to access that servlet page 238 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide server name HotSpot server name set in the ip hotspot menu as the name property Links link login link to login page including original URL requested http 10 5 50 I login dst http www example com link login only link to login page not including original URL requested http 10 5 50 1 login link logout link to logout page http 10 5 50 1 logout link status link to status page http 10 5 50 1 status link orig original URL requested http www example com General client information domain domain name of the user example com interface name physical HotSpot interface name in case of bridged interfaces this will return the actual bridge port name ip IP address of the client 10 5 50 2 logged in yes if the user is logged in otherwise no yes mac MAC address of the user 01 23 45 67 89 AB trial a yes no representation of whether the user has access to trial time If users trial time has expired the value is no username the name of the user John User status information idle timeout idle timeout 20m or if none idle timeout secs idle timeout in seconds 88 or 0 if there is such timeout limit bytes
159. 64000 rx tx burst time Is 64k 64k 256k 256k 128k 128k 10 10 rx tx rate 64000 rx tx burst rate 256000 rx tx burst threshold 128000 rx tx burst time 1 05 Accounting Request The accounting request carries the same attributes as Access Request plus these ones Acct Status Type Start Stop or Interim Update Acct Authentic either authenticated by the RADIUS or Local authority PPPs only Class RADIUS server cookie as received in Access Accept Acct Delay Time how long does the router try to send this Accounting Request packet Stop and Interim Update Accounting Request Additionally to the accounting start request the following messages will contain the following attributes Acct Session Time connection uptime in seconds Acct Input Octets bytes received from the client Acct Input Gigawords 4G 2432 bytes received from the client bits 32 63 when bits 0 31 are delivered in Acct Input Octets Acct Input Packets nubmer of packets received from the client Acct Output Octets bytes sent to the client Acct Output Gigawords 4G 2 32 bytes sent to the client bits 32 63 when bits 0 31 are delivered in Acct Output Octets Acct Output Packets number of packets sent to the client Stop Accounting Request These packets will additionally to the Interim Update packets have Acct Terminate Cause session termination cause see RFC2866 ch 5 10 4500 Series IEEE 802 1 labgh Outdoor Wirel
160. 70 6075 6080 6085 6090 6095 6100 the list of 5GHz turbo channels frequencies are given in MHz ack timeout control read only yes no provides information whether this device supports transmission acceptance timeout control alignment mode read only yes no is the alignment only mode supported by this interface burst support yes no whether the interface supports data bursts burst time chip info read only text information from EEPROM default periodic calibration read only yes no whether the card supports periodic calibration firmware read only text current firmware of the interface does not apply to current AT WR4500 routers interface type read only text shows the hardware interface type noise floor control read only yes no does this interface support noise floor thershold detection nstreme support read only yes no whether the card supports n streme protocol scan support yes no whether the interface supports scan function wireless scan supported bands multiple choice read only 2ghz b 5ghz 5ghz turbo 2ghz g the list of supported bands tx power control read only yes no provides information whether this device supports transmission power control virtual aps read only yes no whether this interface supports Virtual Access Points interface wireless add 48 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers R
161. 92 168 0 0 24 0 3 0 2 110 backup 1 Io 192 168 0 0 24 110 2 DC 10 3 0 0 24 r 0 0 0 0 0 backup 3 Do 10 2 0 0 24 10 3 0 2 110 backup 4 Io 10 1 0 0 24 110 5 DC 10 1 0 0 24 100 0 0 0 0 to main On OSPF peer 2 adminQ8OSPF peer 2 ip route print Flags X disabled I invalid D dynamic J rejected C connect S static r rip o ospf b bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Do 192 168 0 0 24 10 2 0 2 110 to main 1 Io 10 3 0 0 24 110 2 DC 10 3 0 0 24 r 0 0 0 0 0 to peer 1 3 Io 10 2 0 0 24 110 4 DC 10 2 0 0 24 0 0 0 0 0 to main 5 Do 10 1 0 0 24 r 10 2 0 2 110 to_main The change of the routing takes approximately 40 seconds the hello interval setting If required this setting can be adjusted but it should be done on all routers within the OSPF area 5 4 Routes Equal Cost Multipath Routing Policy Routing 5 4 1 General Information Summary The following manual surveys the IP routes management equal cost multi path ECMP routing technique and policy based routing Specifications Packages required system License required Level Submenu level ip route Standards and Technologies RFC 791 Hardware usage Not significant Related Topics IP Addresses and ARP AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Filter NAT Description RouterOS has following types of routes dyna
162. AA EoIP Description PPTP is a secure tunnel for transporting IP traffic using PPP PPTP encapsulates PPP in virtual lines that run over IP PPTP incorporates PPP and MPPE Microsoft Point to Point Encryption to make encrypted links The purpose of this protocol is to make well managed secure connections between routers as well as between routers and PPTP clients clients are available for and or included in almost all OSs including Windows Multilink PPP MP is supported in order to provide MRRU the ability to transmit full sized 1500 and larger packets and bridging over PPP links using Bridge Control Protocol BCP that allows to send raw Ethernet frames over PPP links This way it is possible to setup bridging without EolP The bridge should either have an administratively set MAC address or an Ethernet like interface in it as PPP links do not have MAC addresses PPTP includes PPP authentication and accounting for each PPTP connection Full authentication and accounting of each connection may be done through a RADIUS client or locally MPPE 40bit RC4 and MPPE 28bit RC4 encryption are supported PPTP traffic uses TCP port 1723 and IP protocol GRE Generic Routing Encapsulation IP protocol ID 47 as assigned by the Internet Assigned Numbers Authority IANA PPTP can be used with most firewalls and routers by enabling traffic destined for TCP port 1723 and protocol 47 traffic to be routed through the firewall or router PPTP connections m
163. AME MTU LOCAL ADDRESS REMOTE ADDRESS 0X ipipl 1480 22 63 11 6 10 0 0 1 interface ipip gt enable 0 interface gt ip address add address 1 1 1 2 24 interface ipipl AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 161 RouterOS v3 Configuration and User Guide Now both routers can ping each other admin AT WR4562 interface ipip gt ping 1 1 1 2 1 1 2 64 byte ping ttl 64 time 24 ms 1 1 2 64 byte ping ttl 64 time 19 ms 1 1 1 2 64 byte ping ttl 64 time 20 ms 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 19 21 0 24 ms admin AT WR4562 interface ipip gt lid 1 1 8 5 L2TP Interface 8 5 1 General Information Summary L2TP Layer 2 Tunnel Protocol supports encrypted tunnels over IP The RouterOS implementation includes support for both L2TP client and server General applications of L2TP tunnels include secure router to router tunnels over the Internet linking bridging local Intranets or LANs extending PPP user connections to a remote location for example to separate authentication and Internet access points for ISP accessing an Intranet LAN of a company for remote mobile clients employees Each L2TP connection is composed of a server and a client The RouterOS may function as a server or client or for various configurations it may be the server for some connections and client for other connections Quick Setup Guide To mak
164. Configuration and User Guide Note that the IP addresses assigned statically are not probed Property Description active address read only IP address actual IP address for this lease active client id read only text actual client id of the client active mac address read only MAC address actual MAC address of the client active server read only list actual dhcp server which serves this client address IP address specify ip address or ip pool for static lease 0 0 0 0 use pool from server agent circuit id read only text circuit ID of DHCP relay agent agent remote id read only text Remote ID set by DHCP relay agent always broadcast yes no send all repies as broadcasts block access yes no default no block access for this client drop packets from this client blocked read only flag whether the lease is blocked client id text default if specified must match DHCP client identifier option of the request expires after read only time time until lease expires host name read only text shows host name option from last received DHCP request lease time time default Os time that the client may use the address Os lease will never expire mac address MAC address default 00 00 00 00 00 00 if specified must match the MAC address of the client radius read only yes no shows whether this dynamic lease is authenticated by RADIUS or not rate limit re
165. D dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME 0 FromLaptop ex admin RemoteOffice interface pptp server gt And the server must be enabled admin RemoteOffice interface pptp server server gt set enabled yes admin RemoteOffice interface pptp server server gt print enabled yes max mtu 1460 max mru 1460 mrru disabled authentication mschap2 keepalive timeout 30 default profile default admin RemoteOffice interface pptp server server gt AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 187 RouterOS v3 Configuration and User Guide Finally the proxy APR must be enabled on the Office interface admin RemoteOffice interface ethernet set Office arp proxy arp admin8 RemoteOffice interface ethernet print Flags X disabled R running NAME MTU MAC ADDRESS ARP 0 R ToInternet 1500 00 30 4F 0B 7B Cl enabled 1 R Office 1500 00 30 4F 06 62 12 proxy arp admin RemoteOffice interface ethernet PPTP Setup for Windows Microsoft provides PPTP client support for Windows NT 2000 ME 98SE and 98 Windows 98SE 2000 and ME include support in the Windows setup or automatically install PPTP For 95 NT and 98 installation requires a download from Microsoft Many ISPs have made help pages to assist clients with Windows PPTP installation Sample instructions for PPTP VPN installation and client setup Windows 98SE If the VPN PPTP support i
166. E link only small packets eg pings You need to change mss of all the packets passing through the PPPoE link to the value of PPPoE link s MTU 40 at least on one of the peers So for PPPoE link with MTU of 1480 admin MT interface pppoe server server set 0 max mtu 1440 max mru 1440 admin MT interface pppoe server server print Flags X disabled 0 service name mt interface wlanl max mtu 1440 max mru 1440 authentication pap chap mschapl mschap2 keepalive timeout 10 one session per host yes max sessions 0 default profile default admin MT interface pppoe server server My Windows XP client cannot connect to the PPPoE server You have to specify the Service Name in the properties of the XP PPPoE client If the service name is not set or it does not match the service name of the RouterOS PPPoE server you get the line is busy errors or the system shows verifying password unknown error want to have logs for PPPoE connection establishment Configure the logging feature under the system logging facility and enable the PPP type logs 8 7 PPTP 8 7 1 General Information Summary PPTP Point to Point Tunnel Protocol supports encrypted tunnels over IP The RouterOS implementation includes support for PPTP client and server General applications of PPTP tunnels secure router to router tunnels over the Internet linking bridging local Intranets or LANs accessing an Intranet LAN of a company for remote mobil
167. EEE802 11a IEEE802 11b IEEE802 11g Hardware usage Not significant Related Topics e Addresses and ARP e Log Management Description The Atheros card has been tested for distances up to 20 km providing connection speed up to 7Mbit s With appropriate antennas and cabling the maximum distance should be as far as 50 km These values of ack timeout were approximated from the tests done by us as well as by some of our customers ack timeout range 5GHz 5GHz turbo 2 4GHz G default default default 5km 52 30 62 lOkm 85 48 96 ISkm 121 67 133 20km 160 89 174 25km 203 111 219 AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 35 RouterOS v3 Configuration and User Guide ack timeout range 5GHz 5GHz turbo 2 4GHz G 30km 249 137 368 35km 298 168 320 40km 350 190 375 45km 405 These are not the precise values Depending on hardware used and many other factors they may vary l up to 15 microseconds You can also use dynamic ack timeout value the router will determine ack timeout setting automatically by sending periodically packets with a different ack timeout Ack timeout values by which ACK frame was received are saved and used later to determine the real ack timeout The Nstreme protocol may be operated in three modes e Point to Point mode controlled point to point mode with one radio on each side Dual radio Point to Point mode Nstreme2 the protocol
168. Hellman MODP 2048 bit algorithm dont verify certificate require a certificate but do not chack if it has been signed by the available CA certificate verify certificate require a certificate and verify that it has been signed by the available CA certificate unicast ciphers multiple choice tkip aes ccm a set of ciphers used to encrypt frames sent to individual wireless station unicast transfers in the order of preference tkip Temporal Key Integrity Protocol encryption protocol compatible with lagacy WEP equipment but enhanced to correct some of WEP flaws aes ccm more secure WPA encryption protocol based on the reliable AES Advanced Encryption Standard Networks free of WEP legacy should use only this wpa pre shared key text default string which is used as the WPA Pre Shared Key It must be the same on AP and station to communicate wpa2 pre shared key text default string which is used as the WPA2 Pre Shared Key It must be the same on AP and station to communicate The keys used for encryption are hexadecimal form If you use 40bit wep the key has to be 10 characters long if you use I 04bit wep the key has to be 26 characters long Wireless encryption cannot work together with wireless compression 4 3 17 Sniffer Submenu level interface wireless sniffer Description With wireless sniffer you can sniff packets from wireless networks Property Description channel time
169. IABILITY OF EACH AND EVERY KIND IN RELATION TO THE PRODUCT OR ITS SOFTWARE EXCEED THE AMOUNT PAID BY CUSTOMER FOR THE PRODUCT 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide CONTENTS 4 WEP O DUCE OI M 12 IS MN ACUTE Sa 13 l2 Soft Ware BICI H H 13 Configuring ROUterOS 14 2 1 Logging in the AT WR4500 Router sessssssessssssssssessscssessecuscseessscussseesusesscssesussnesssesuseseessesnseseesseensesees 14 22 Accessing the WR4500 through 14 2 3 ACCESSING EA T AE 15 Configuration and Software tentennts 18 3 1 General Informati n rtt 18 3 1 1 System Backup een itae T eet eee ta e ve ania 18 3 1 2 The Export Commandin eeu Re LUE A REOR 19 3 1 3 The Import Command sissssisecscccsecsesceesscescessessesesessasssonsteateneocantsecosesuetaocoueassovsusanaccoeesasiascousaecoees 19 3 1 4 Configuration Reset cene d aE Eaa EREE aa EEEa 20 3 2 Software Version Management sssscssssscsesseessssssssecscseesessssseessesnssseessssssssecssssessuesusssseaueeneesaseeeseeses 20 3 2 1 General Information tt ett tint
170. Mark lId firewall mangle chain name HotSpot only The RouterOS RADIUS client upon receiving this attribute creates a dynamic firewall mangle rule with action jump chain hotspot and jump target equal to the atribute value Mangle chain name can have suffixes in or out that will install rule only for incoming or outgoing traffic Multiple Mark id attributes can be provided but only last ones for incoming and outgoing is used Acct Interim Interval interim update for RADIUS client PPP if 0 uses the one specified in RADIUS client HotSpot only respected if radius interim update received in HotSpot server profile MS MPPE Encryption Policy require encryption property PPPs only MS MPPE Encryption Types use encryption property non zero value means to use encryption PPPs only Ascend Data Rate tx rx data rate limitation if multiple attributes are provided first limits tx data rate second rx data rate If used together with Ascend Xmit Rate specifies rx rate 0 if unlimited Ignored if Rate Limit attribute is present Ascend Xmit Rate tx data rate limitation It may be used to specify tx limit only instead of sending two sequental Ascend Data Rate attributes in that case Ascend Data Rate will specify the receive rate 0 if unlimited Ignored if Rate Limit attribute is present MS CHAP32 Success auth response if MS CHAPv2 was used for PPPs only MS MPPE Send Key MS MPPE Recv Key encryption keys for encrypted PPPs pro
171. Outdoor Wireless Routers RouterOS v3 Configuration and User Guide LIMITATION OF LIABILITY AND DAMAGES THE PRODUCT AND THE SOFTWARES WITHIN ARE PROVIDED AS IS BASIS THE MANUFACTURER AND MANUFACTURER S RESELLERS COLLECTIVELY REFERRED TO AS THE SELLERS DISCLAIM ALL WARRANTIES EXPRESS IMPLIED OR STATUTORY INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF NON INFRINGEMENT MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR ANY WARRANTIES ARISING FROM COURSE OF DEALING COURSE OF PERFORMANCE OR USAGE OF TRADE IN NO EVENT WILL THE SELLERS BE LIABLE FOR DAMAGES OR LOSS INCLUDING BUT NOT LIMITED TO DIRECT INDIRECT SPECIAL WILFUL PUNITIVE INCIDENTAL EXEMPLARY OR CONSEQUENTIAL DAMAGES DAMAGES FOR LOSS OF BUSINESS PROFITS OR DAMAGES FOR LOSS OF BUSINESS OF ANY CUSTOMER OR ANY THIRD PARTY ARISING OUT OF THE USE OR THE INABILITY TO USE THE PRODUCT OR THE SOFTWARES INCLUDING BUT NOT LIMITED TO THOSE RESULTING FROM DEFECTS IN THE PRODUCT OR SOFTWARE OR DOCUMENTATION OR LOSS OR INACCURACY OF DATA OF ANY KIND WHETHER BASED ON CONTRACT TORT OR ANY OTHER LEGAL THEORY EVEN IF THE PARTIES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES THE ENTIRE RISK AS TO THE RESULTS AND PERFORMANCE OF THE PRODUCT OR ITS SOFTWARE IS ASSUMED BY CUSTOMER BECAUSE SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR DAMAGES THE ABOVE LIMITATION MAY NOT APPLY TO THE PARTIES IN NO EVENT WILL THE SELLERS TOTAL CUMULATIVE L
172. T WR4562 interface wireless access list add mac address 00 01 24 70 3A BB interface wlanl private algo 40bit wep private key 1234567890 admin AT WR4562 interface wireless access list gt print Flags X disabled 0 mac address 00 01 24 70 3A BB interface wlanl signal range 120 120 authentication yes forwarding yes ap tx limit 0 client tx limit 0 private algo 40bit wep private key 1234567890 private pre shared key admin AT WR4562 interface wireless access list 4 3 8 Info command Submenu level interface wireless info Description This facility provides you with general wireless interface information Property Description 2ghz b channels multiple choice read only 2312 2317 2322 2327 2332 2337 2342 2347 2352 2357 2362 2367 2372 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472 2484 AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 47 RouterOS v3 Configuration and User Guide 2512 2532 2552 2572 2592 2612 2632 2652 2672 2692 2712 2732 the list of 2GHz IEEE 802 1 Ib channels frequencies are given in MHz 2ghz g channels multiple choice read only 2312 2317 2322 2327 2332 2337 2342 2347 2352 2357 2362 2367 2372 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472 2512 2532 2552 2572 2592 2612 2632 2652 2672 2692 2712 2732 2484 the list of 2GHz IEEE 802 1 8 channels frequencies are
173. This value must be the same on each end of the adjacency otherwise the adjacency will not form interface name default all interface on which OSPF will run all is used for the interfaces not having any specific settings priority integer 0 255 default 1 router s priority It helps to determine the designated router for the network When two routers attached to a network both attempt to become the designated router the one with the higher router s priority takes precedence retransmit interval time default 5s time between retransmitting lost link state advertisements When a router sends a link state advertisement LSA to its neighbor it keeps the LSA until it receives back the acknowledgment If it receives no acknowledgment in time it will retransmit the LSA The following settings are recommended for Broadcast network are 5 seconds and for Point to Point network are 10 seconds transmit delay time default 16 link state transmit delay is the estimated time it takes to transmit a link state update packet on the interface Example To add an entry that specifies that ether2 interface should send Hello packets every 5 seconds do the following admin AT WR4562 routing ospf gt interface add interface ether2 hello interval 5s admin AT WR4562 routing ospf gt interface print 0 interface ether2 cost 1 priority 1 authentication key retransmit interval 5s transmit delay 1s hello interval 5s dead interval 40s
174. WAY DISTANCE INTERFACE 0 DC 192 168 0 0 24 r 0 0 0 0 0 ether2 1 DC 10 0 0 0 24 r 0 0 0 0 0 etherl admin AT WR4562 gt eo No default route has been configured The route will be obtained using the RIP AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 97 RouterOS v3 Configuration and User Guide The necessary configuration of the RIP general settings is as follows admin AT WR4562 routing rip set redistribute connected yes admin AT WR4562 routing rip print distribute default never redistribute static no redistribute connected yes redistribute ospf no redistribute bgp no metric default metric static metric connected metric ospf metric bgp 1 update timer 30s timeout timer 3m garbage timer 2m admin AT WR4562 routing rip The minimum required configuration of RIP interface is just enabling the network associated with the ether interface adminGAT WR4562 routing rip network add network 10 0 0 0 2 adminQ AT WR4562 routing rip network print ADDRESS 0 10 0 0 0 24 adminQ AT WR4562 routing rip network There is no need to run RIP on the ether2 as no propagation of RIP information is required into the Remote network in this example The routes obtained by RIP can be viewed in the routing rip route menu admin AT WR4562 routing rip route print Flags S static R rip O ospf C connect
175. WPA AP Interface wlanl ssid AT WR4500 e Interface wlanl Pre shared ke y 1234567890 ae Wpa group cipher aes ccm Pre shared ke y 1234567890 Wpa group cipher aes ccm Wpa unicast cipher tkip Station Figure 10 WPA security example 74 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide On the AP in default or in your own made profile as an encryption algorithm choose wpa psk Specify the pre shared key wpa unicast ciphers and wpa group cipher admin WPA_AP interface wireless security profiles gt set default mode wpa psk N pre shared key 1234567890 wpa unicast ciphers aes ccm tkip wpa group ciphers aes cem tkip admin WPA_AP interface wireless security profiles gt pr name default mode wpa psk wpa unicast ciphers tkip aes ccm wpa group ciphers tkip aes ccm pre shared key 1234567890 static algo 0 none static key 0 2 static algo 1 none static key 1 static algo 2 none static key 2 2 static algo 3 none static key 3 static transmit key key 0 static sta private algo none static sta private key radius mac authentication no group key update 5m admin WPA AP interface wireless security profiles On the Client do the same Encryption algorithm wpa group cipher and pre shared key must be the same as specified on AP wpa unicast cipher must be one of the ciphers suppor
176. WR4562 ip arp print Flags X disabled I invalid H DHCP D dynamic ADDRESS MAC ADDRESS INTERFACE 0 D 10 5 7 242 00 A0 24 9D 52 A4 etherl 1 10 10 10 10 06 21 00 56 00 12 ether2 admin AT WR4562 ip arp 5 1 4 Proxy ARP feature Description A router with properly configured proxy ARP feature acts like a transparent ARP proxy between directly connected networks Consider the following network diagram 90 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide a Network A 198 168 0 20 24 192 168 0 0 24 198 168 0 30 24 198 168 0 129 25 P 1 Network 7 192 168 0 128 25 198 168 0 130 25 Figure Proxy ARP Suppose the host A needs to communicate to host C To do this it needs to know host s C MAC address As shown on the diagram above host A has 24 network mask That makes host A to believe that it is directly connected to the whole 192 168 0 0 24 network When a computer needs to communicate to another one on a directly connected network it sends a broadcast ARP request Therefore host A sends a broadcast ARP request for the host C MAC address Broadcast ARP requests are sent to the broadcast MAC address FF FF FF FF FF FF Since the ARP request is a broadcast it will reach all hosts in the network A including the router RI but it will not reach host C because routers do not forward broadcasts by def
177. able lookup lookup route in given routing table dst address IP address mask destination IP address mask interface name default interface through which the gateway can be reached routing mark name default mark of the packet be mached by this rule To add a routing mark use firewall mangle commands src address IP address mask source IP address mask table name default routing table created by user AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 113 RouterOS v3 Configuration and User Guide You can use policy routing even if you use masquerading on your private networks The source address will be the same as it is in the local network In previous versions of RouterOS the source address changed to 0 0 0 0 It is impossible to recognize peer to peer traffic from the first packet Only already established connections can be matched That also means that in case source NAT is treating Peer to Peer traffic differently from the regular traffic Peer to Peer programs will not work general application is policy routing redirecting regular traffic through one interface and Peer to Peer traffic through another A known workaround for this problem is to solve it from the other side making not Peer to Peer traffic to go through another gateway but all other useful traffic go through another gateway In other words to specify what protocols HTTP DNS POP3 etc will go th
178. acket address list name specifies the name of the address list to collect IP addresses from rules having action add dst to address list or action add src to address list actions These address lists could be later used for packet matching address list timeout time default 00 00 00 time interval after which the address will be removed from the address list specified by address list parameter Used in conjunction with add dst to address list or add src to address list actions 00 00 00 leave the address in the address list forever chain forward input output name specifies the chain to put a particular rule into As the different traffic is passed through different chains always be careful in choosing the right chain for a new rule If the input does not match the name of an already defined chain a new chain will be created comment text a descriptive comment for the rule A comment can be used to identify rules form scripts connection bytes integer integer matches packets only if a given amount of bytes has been transfered through the particular connection 0 means infinity exempli gratia connection bytes 2000000 0 means that the rule matches if more than 2MB has been transfered through the relevant connection connection limit integer netmask restrict connection limit per address or address block connection mark name matches packets marked via mangle facility with particular connection mark connection state
179. ad only text default sets rate limit for active lease Format is rx rate tx rate rx burst rate tx burst rate rx burst threshold tx burst threshold rx burst time tx burst time rates should be numbers with optional k 1 0005 or M 1 000 000s If tx rate not specified rx rate is as tx rate too Same goes for tx burst rate and tx burst threshold and tx burst time If both rx burst threshold and tx burst threshold are not specified but burst rate is specified rx rate and tx rate is used as burst thresholds If both rx burst time and tx burst time not specified 15 is used as default server read only name server name which serves this client src mac address MAC address source MAC address status read only waiting testing authorizing busy offered bound lease status waiting not used static lease testing testing whether this address is used or not only for dynamic leases by pinging it with timeout of 0 5s authorizing waiting for response from radius server busy this address is assigned statically to a client or already exists in the network so it can not be leased offered server has offered this lease to a client but did not receive confirmation from the client bound server has received client s confirmation that it accepts offered address it is using it now and will free the address not later than the lease time will be over use src mac MAC address use this s
180. ading This step will only be needed once and you may continue using the same package source in future to upgrade the router s again See the next section for details e Refresh available software package list system upgrade refresh e See available packages using system upgrade print command e Download selected or all packages from the remote router using the download or download all e command Property Description name read only name package name source read only IP address source IP address of the router from which the package list entry is retrieved status read only available scheduled downloading downloaded installed package status version read only text version of the package Command Description download download packages from list by specifying their numbers download all download all packages that are needed for the upgrade packages which are listed in the system package print command output refresh updates currently available package list AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 27 RouterOS v3 Configuration and User Guide Example See the available packages adminQ AT WR4562 system upgrade refresh adminQ AT WR4562 system upgrade print SOURCE NAME VERSION STATUS COMPLETED 0 192 168 25 8 routeros x86 2 9 44 available 1 192 168 25 98 routeros rb500 v0 available admin AT WR4562 system upgrade To upgrade selected packages admin
181. administered address assigned by network administrator and use any MAC address you just need to ensure they are unique between the hosts connected to one bridge Example To add and enable an EolP tunnel named to mt2 to the 10 5 8 1 router specifying tunnel id of 1 admin AT WR4562 interface gt add name to mt2 remote address 10 5 8 1 tunnel id 1 admin AT WR4562 interface eoip gt print Flags X disabled R running 0X name to mt2 mtu 1500 arp enabled remote address 10 5 8 1 tunnel id 1 admin AT WR4562 interface eoip gt enable 0 admin AT WR4562 interface eoip gt print Flags X disabled running 0 name to mt2 mtu 1500 arp enabled remote address 10 5 8 1 tunnel id 1 admin AT WR4562 interface gt 152 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 8 1 3 EolP Application Example Description Let us assume we want to bridge two networks Office LAN and Remote LAN The networks are connected to an IP network through the routers Dur and Remote The IP network can be a private intranet or the Internet Both routers can communicate with each other through the IP network Example Our goal is to create a secure channel between the routers and bridge both networks through it The network setup diagram is as follows ia pea P m 2 Network
182. advertisement is pending bytes in read only integer how many bytes did the router receive from the client bytes out read only integer how many bytes did the router send to the client domain read only text domain of the user if split from username idle time read only time the amount of time has the user been idle idle timeout read only time the exact value of idle timeout that applies to this user This property shows how long should the user stay idle for it to be logged off automatically keepalive timeout read only time the exact value of keepalive timeout that applies to this user This property shows how long should the user s computer stay out of reach for it to be logged off automatically limit bytes in read only integer maximal amount of bytes the user is allowed to send to the router limit bytes out read only integer maximal amount of bytes the router is allowed to send to the client limit bytes total read only integer maximal aggregate amount of bytes the router is allowed to send to the client and receive form it login by multiple choice read only cookie http chap http pap https mac trial authentication method used by user mac address read only MAC address actual MAC address of the user packets in read only integer how many packets did the router receive from the client packets out read only integer how many packets did the router send to the client radius
183. after which the address will be removed from the address list specified by address list parameter Used in conjunction with add dst to address list or add src to address list actions 00 00 00 leave the address in the address list forever 206 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide chain forward input output postrouting prerouting specify the chain to put a particular rule into As the different traffic is passed through different chains always be careful in choosing the right chain for a new rule If the input does not match the name of an already defined chain a new chain will be created comment text free form textual comment for the rule A comment can be used to refer the particular rule from scripts connection bytes integer integer match packets only if a given amount of bytes has been transfered through the particular connection 0 means infinity exempli gratia connection bytes 2000000 0 means that the rule matches if more than 2MB has been transfered through the relevant connection connection limit integer netmask restrict connection limit per address or address block connection mark name match packets marked via mangle facility with particular connection mark connection state estabilished invalid new related interprets the connection tracking analysis data for a particular packet estabilished a packet which belongs to an
184. ages required security License required Level Submenu level ip ipsec Standards and Technologies Psec Hardware usage consumes lot of CPU time Intel Pentium MMX or AMD K6 suggested as a minimal configuration Related Topics IP Addresses and ARP Firewall and QoS 188 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Description IPsec IP Security supports secure encrypted communications over IP networks Encryption After packet is src natted if needed but before putting it into interface queue IPsec policy database is consulted to find out if packet should be encrypted Security Policy Database SPD is a list of rules that have two parts Packet matching packet source destination protocol and ports for TCP and UDP are compared to values in policy rules one after another Action if rule matches action specified in rule is performed none continue with the packet as if there was no discard drop the packet encrypt apply IPsec transformations to the packet Each SPD rule can be associated with several Security Associations SA that determine packet encryption parameters key algorithm SPI Note that packet can only be encrypted if there is a usable SA for policy rule Same SA may be used for different policies unless especially prohibited by a policy By setting SPD rule security level user can control what happens when t
185. ages required system License required Level number of rules limited to 1 Level3 Submenu level ip firewall nat Standards and Technologies IP REC1631 RFC2663 Hardware usage Increases with the count of rules Related Topics IP Addresses and ARP Routes Equal Cost Multipath Routing Policy Routing Filter Mangle Packet Flow Additional Resources http en wikipedia org wiki Network address translation AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 217 RouterOS v3 Configuration and User Guide 9 4 2 NAT Description Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications A LAN that uses NAT is referred as natted network For NAT to function there should be a NAT gateway in each natted network The NAT gateway NAT router performs IP address rewriting on the way a packet travel from to LAN There are two types of NAT e source or srcnat This type of is performed on packets that are originated from natted network A NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router A reverse operation is applied to the reply packets travelling in the other direction e destination or dstnat This type of NAT is performed on packets that are destined to the natt
186. ain a space You can abbreviate names of levels commands and arguments For the IP address configuration instead of using the address and netmask arguments in most cases you can specify the address together with the number of true bits in the network mask i e there is no need to specify the netmask separately Thus the following two entries would be equivalent lip address add address 10 0 0 1 24 interface etherl ip address add address 10 0 0 1 netmask 255 255 255 0 interface etherl You must specify the size of the network mask the address argument even if it is the 32 bit subnet i e use 10 0 0 1 32 for address 10 0 0 1 netmask 255 255 255 255 At the factory an IP address 192 168 1 1 24 is pre configured to allow to use application such us Telnet WinBox or HTTP Web GUI from the Ethernet interface ether connecting a PC configured with an IP Address on the same IP subnet i e 192 168 1 100 24 Whenever the AT WR4500 will be reset back the default setting via the command system reset configuration this IP address will not be restored into the router running configuration Connecting the console cable is possible to configure the IP address using the commands reported here above 18 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 3 Configuration and Software Management 3 1 General Information Summary This chapter
187. al Information 87 5 1 2 adhibeant os Deb un LEO 87 5 1 3 Address Resolution Protocol 88 5 1 4 Proxy ARP feature ec et t e Gilet ERR 89 5 1 5 Unnumbered Interfaces s ssescsssssssssssssesssescssesessscssesccesscssssssessessssscsssessescesssessesuseuseseesssessesees 91 5 1 6 Troubleshooting tte eei tae e i tecti i tete ta nha 92 5 2 Routing Information Protocol essessssssssessecsecsececsessesseeseenessessccecsscsecsecsesnecuecussecseccecsecaeeaeeneeseeeeeees 92 5 2 1 General Information ite D eet o Reese ta dec Eee RA nu 92 5 2 2 General 5 eese Ded oce de rab aee 93 5 2 3 Interfaces Ae MEME 94 5 2 4 95 5 2 5 EEEE E E eiae 95 5 2 6 95 5 2 7 Application 96 5 32 98 5 3 1 General INFOrmation Re d an 98 5 3 2 General 99 5 3 3 OSPF Areas ii e e nr te e Re n tpe 100 5 3 4 Networks n 101 5 3 5 usarie c 102 5 3 6 Nirtual LINKS 5 102 5 3 7 Neighbor Sa EE 103 5 3 8
188. an optionally provide a Perfect Forward Secrecy PFS which is a property of key exchanges that in turn means for IKE that compromising the long term phase key will not allow to easily gain access to all IPsec data that is protected by SAs established through this phase It means an additional keying material is generated for each phase 2 Generation of keying material is computationally very expensive Exempli gratia the use of modp8192 group can take several seconds even on very fast computer It usually takes place once per phase exchange which happens only once between any host pair and then is kept for long time PFS adds this expensive operation also to each phase 2 exchange Diffie Hellman MODP Groups Diffie Hellman DH key exchange protocol allows two parties without any initial shared secret to create one securely The following Modular Exponential MODP Diffie Hellman also known as Oakley Groups are supported Diffie Hellman Group Modulus Reference Group 768 bits RFC2409 Group 2 1024 bits MODP group RFC2409 Group 3 EC2N group GP 2 155 RFC2409 Group 4 EC2N group on 2 185 RFC2409 Group 5 1536 bits MODP group RFC3526 IKE Traffic To avoid problems with IKE packets hit some SPD rule and require to encrypt it with not yet established SA that this packet perhaps is trying to establish locally originated packets with UDP source port 500 are not processed with SPD The same way packets with UDP destination
189. and must be used on the same computer with the same hardware where system backup save was done 3 1 1 System Backup Submenu level system backup Description The save command is used to store the entire router configuration in a backup file The file is shown in the file submenu It can be downloaded via ftp to keep it as a backup for your configuration To restore the system configuration for example after a system reset it is possible to upload that file via ftp and load that backup file using load command in system backup submenu Command Description load name filename Load configuration backup from a file save name filename Save configuration backup to a file Example To save the router configuration to file test admin AT WR4562 system backup save name test Configuration backup saved admin AT WR4562 system backup AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide To see the files stored on the router admin AT WR4562 gt file print NAME TYPE SIZE 0 test backup backup 12567 admin AT WR4562 gt CREATION TIME sep 08 2004 21 07 50 To load the saved backup file test admin AT WR4562 system backup load name test Restore and reboot y N 94 Restoring system configuration System configuration restored rebooting now 3 1 2 The Export Command Command name export Descripti
190. ange topology change flag is set when a bridge detects port state change to force all other bridges to drop their host tables and recalculate network topology topology change ack topology change acknowledgement flag is sen in replies to the notification packets 84 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide stp forward delay time 0 65535 forward delay timer stp hello time time 0 65535 stp hello packets time stp max age time 0 65535 maximal STP message age stp msg age time 0 65535 STP message age stp port integer 0 65535 stp port identifier stp root address MAC address root bridge MAC address stp root cost integer 0 65535 root bridge cost stp root priority time 0 65535 root bridge priority stp sender address MAC address stp message sender MAC address stp sender priority integer 0 65535 sender priority stp type config tcn the BPDU type config configuration BPDU tcn topology change notification vlan encap 802 2 arp ip ipv6 ipx rarp vlan the MAC protocol type encapsulated in the VLAN frame vlan id integer 0 4095 VLAN identifier field vlan priority integer 0 7 the user priority field Stp matchers are only valid if destination MAC address is 0 80 C2 00 00 00 FF FF FF FF FF FF Bridge Group address also stp should be enabled ARP matchers are only valid if mac prot
191. anism takes care of it e Very low protocol overhead per frame allowing super high data rates 34 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide e implied protocol limits on link distance e No implied protocol speed degradation for long link distances e Dynamic protocol adjustment depending on traffic type and resource usage Quick Setup Guide Let s consider that you have a wireless interface called wlanl To set as an Access Point working 802 112 standard using frequency 2442 MHz and Service Set Identifier test do the following configuration interface wireless set wlanl ssid test frequency 2442 band 2 4ghz b g mode ap bridge disabled no Now your router is ready to accept wireless clients To make a point to point connection using 802 1 1 standard frequency 5805 MHz and Service Set Identifier p2p write interface wireless set wlanl ssid p2p frequency 5805 band 5ghz mode bridge disabled no The remote interface should be configured to station as showed below To make the wireless interface as a wireless station working in 802 1 1 standard and Service Set Identifier p2p interface wireless set wlanl ssid p2p band 5ghz mode station disabled no Specifications Packages required wireless License required Level4 station and bridge mode Submenu level interface wireless Standards and Technologies I
192. ansmit power with the configured antenna gain deducted only Also note that in this mode card will never be configured to higher power than allowed by the respective regulatory domain manual tx power use the channels allowed in the selected country only but take transmit power from the tx power settings superchannel only possible with the Superchannel license In this mode all hardware supported channels and transmit power settings are allowed hide ssid yes no default no whether to hide ssid or not in the beacon frames yes ssid is not included in the beacon frames AP replies only to probe requests with the given ssid no ssid is included in beacon frames AP replies to probe requests with the given ssid ant to broadcast ssid empty ssid hw retries integer default 15 number of frame sending retries until the transmission is considered failed Data rate is decreased upon failure but if there is no lower rate 3 sequential failures activate on fail retry time transmission pause and the counter restarts The frame is being retransmitted either until success or until client is disconnected interface type read only text adapter type and model mac address MAC address Media Access Control MAC address of the interface master interface name physical wireless interface name that will be used by Virtual Access Point VAP interface max station count integer 1 2007 default 2007 maximal number of clients all
193. ant that determine to which AP the station should connect to At first the station is searching for APs all frequencies from scan list in the respective band and makes a list of Access Points If che ssid is set under interface wireless the router removes all Access Points from its AP list which do not have such ssid If a rule is matched and the parameter connect is set to yes the station will connect to this AP If the parameter says connect no or the rule is not matched we jump to the next rule If we have gone through all rules and haven t connected to any AP yet The router chooses an AP with the best signal and ssid that is set under interface wireless In case when the station has not connected to any AP this process repeats from beginning Property Description area prefix text a string that indicates the beginning from the area string of the AP If the AP s area begins with area prefix then this parameter returns true connect yes no whether to connect to AP that matches this rule interface name name of the wireless interface mac address MAC address MAC address of the AP If set to 00 00 00 00 00 00 all APs are accepted security profile name default none name of the security profile used to connect to the AP If one then those security profile is used which is configured for the respective interface signal range integer signal strength range in dBm Rule is matched if the signal from AP is within
194. any MAC address may use 30 minutes a day without ever registering The username of such a user as seen in the active user table and in the login link is where XX XX XX XX XX XX is his her MAC address The authentication procedure will not ask RADIUS server permission to authorise such a user HotSpot can authenticate users consulting the local user database or a RADIUS server local database is consulted first then a RADIUS server In case of HTTP cookie authentication via RADIUS server the router will send the same information to the server as was used when the cookie was first generated If authentication is done locally profile corresponding to that user is used otherwise in case RADIUS reply did not contain the group for that user the default profile is used to set default values for parameters which are not set in RADIUS access accept message For more information on how the interaction with a RADIUS server works see the respective manual section The HTTP PAP method also makes it possible to authenticate by requesting the page llogin username username amp password password In case you want to log in using telnet connection the exact HTTP request would look like that GET login username username amp password password 0 note that the request is case sensitive Authorization After authentication user gets access to the Internet and receives some limitations which are user profile
195. assword If not specified it is left blank hit Enter when logging in It conforms to standard Unix characteristics of passwords and may contain letters digits and symbols There is one predefined user with full access rights admin AT WR4562 user print Flags X disabled NAME GROUP ADDRESS 0 22 System default user admin full 0 0 0 0 0 admin AT WR4562 user There always should be at least one user with fulls access rights If the user with full access rights is the only one it cannot be removed 148 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Example To add user joe with password j102e3 belonging to write group enter the following command admin AT WR4562 user add name joe password jlo2e3 group write admin AT WR4562 user print Flags X disabled 0 22 System default user name admin group full address 0 0 0 0 0 1 name joe group write address 0 0 0 0 0 admin AT WR4562 user 7 3 4 Monitoring Active Router Users Command name user active print Description This command shows the currently active users along with respective statisics information Property Description address read only IP address host IP address from which the user is accessing the router 0 0 0 0 the user is logged in locally from the console name read only name user name radius read on
196. ate to addresses IP address IP address 0 1 default 0 0 0 0 address or address range to replace original address of an IP packet with to ports integer 0 65535 integer 0 65535 0 1 port or port range to replace original port of an IP packet with AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 221 RouterOS v3 Configuration and User Guide 9 4 3 NAT Applications Description In this section some NAT applications and examples of them are discussed Basic NAT configuration Assume we want to create router that hides the private LAN behind one address provides Public IP to the Local server creates 1 1 mapping of network addresses Example of Source NAT Masquerading If you want to hide the private LAN 192 168 0 0 24 behind one address 10 5 8 109 given to you by the ISP you should use the source network address translation masquerading feature of the RouterOS router The masquerading will change the source IP address and port of the packets originated from the network 192 168 0 0 24 to the address 10 5 8 109 of the router when the packet is routed through it To use masquerading a source NAT rule with action masquerade should be added to the firewall configuration ip firewall nat add chain srcnat action masquerade out interface Public All outgoing connections from the network 192 168 0 0 24 will have source address 10 5 8 109 of the router and source port above 1024 No access f
197. ate min are the values of limit at properties AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 229 RouterOS v3 Configuration and User Guide smtp server IP address default 0 0 0 0 default SMTP server to be used to redirect unconditionally all user SMTP requests to split user domain yes no default no whether to split username from domain name when the username is given in user domain or in domain user format ssl certificate name none default none name of the SSL certificate to use for HTTPS authentication Not used for other authentication methods trial uptime time time default 30m 1d is used only when authentication method is trial Specifies the amount of time the user identified by MAC address can use HotSpot services without authentication and the time that has to pass that the user is allowed to use HotSpot services again trial user profile name default default is used only only when authentication method is trial Specifies user profile that trial users will use use radius yes no default no whether to use RADIUS to authenticate HotSpot users If dns name property is not specified hotspot address is used instead If hotspot address is also absent then both are to be detected automatically In order to use RADIUS authentication the Iradius menu must be set up accordingly Trial authentication method should always be used together with one of the other authentication met
198. ated dynamic WDS interface will be put in this bridge wds default cost integer default 100 default bridge port cost of the WDS links wds ignore ssid yes no default if set to the AP will create WDS links with any other in this frequency If set to no the ssid values must match on both APs wds mode disabled dynamic static WDS mode disabled WDS interfaces are disabled dynamic WDS interfaces are created on the fly static WDS interfaces are created manually wmm support disabled enabled required whether to allow or require peer to use WMM extensions to provide basic quality of service The IEEE 802 11 standard limitation makes it impossible for wireless interfaces station mode to work as expected when bridged That means that if you need to create a bridge you should not use station mode on that machine In case you need a bridge on a wireless station use station wds mode may only be used in the AP supports WDS Bridging on the AP side works fine It is strongly suggested to leave basic rates at the lowest setting possible Using compression the AP can serve approximately 50 clients with compression enabled Compression is supported only by Atheros wireless interfaces like the ones used AT WR4500 series If disable running check value is set to no the router determines whether the network interface is up and running in order to show flag R for AP one or more clients hav
199. ault A router with enabled proxy ARP knows that the host C is on another subnet and will reply with its own MAC adress The router with enabled proxy ARP always answer with its own MAC address if it has a route to the destination This behaviour can be usefull for example if you want to assign dial in ppp pppoe pptp clients IP addresses from the same address space as used on the connected LAN AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 91 RouterOS v3 Configuration and User Guide Example Consider the following configuration Pe gt 10 0 0 217 32 7 1 Reserved for dial ih 10 0 0 230 240 7 3 Laptop WS 10 0 0 231 24 10 0 0 230 24 Figure 12 Proxy ARP with PPPoE The Router setup is as follows admin AT WR4562 ip arp gt interface ethernet print Flags X disabled running NAME MTU MAC ADDRESS ARP 0 eth LAN 1500 00 50 08 00 00 F5 proxy arp admin AT WR4562 ip arp interface print Flags X disabled D dynamic R running NAME TYPE MTU 0 eth LAN ether 1500 1 prisml prism 1500 2 pppoe in25 3D 26 admin AT WR4562 ip arp ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 217 24 10 0 0 0 10 0 0 255 eth LAN 1D 10 0 0 217 32 10 0 0 230 0 0 0 0 pppoe in25 2 D 10 0 0 217 32 10 0 0 231 0 0 0 0 pppoe in26 admin AT WR4562
200. ault yes whether to store information about traffic on system drive or not If not the information will be stored in RAM and will be lost after a reboot 12 4 4 Interface Graphing Submenu level tool graphing interface Description Shows how much traffic is passed through an interface over a period of time Property Description allow address IP address netmask default 0 0 0 0 0 IP address range which is allowed to view information about the interface If a client PC not belonging to this IP address range tries to open http Router IP address graphs it will not see this entry interface name default all name of the interface which will be monitored store on disk yes no default yes whether to store information about traffic on system drive or not If not the information will be stored in RAM and will be lost after a reboot Example To monitor traffic which is passed through interface etherl only from local network 192 168 0 0 24 and write information on disk admin AT WR4562 tool graphing interface add interface etherl allow address 192 168 0 0 24 store on disk yes adminQ AT WR4562 tool graphing interface print Flags X disabled INTERFACE ALLOW ADDRESS STORE ON DISK 0 etherl 192 168 0 0 24 yes adminQ AT WR4562 tool graphing interface 12 4 5 Simple Queue Graphing Submenu level tool graphing queue Description In this submenu you can specify a queue from the
201. ave login free access adminQ AT WR4562 ip hotspot ip binding gt print Flags X disabled P bypassed B blocked MAC ADDRESS ADDRESS TO ADDRESS SERVER 10 11 12 3 244 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide If all fields has been filled in the ip binding table and type has been set to bypassed then the IP address of this entry will be accessible from public interfaces immediately admin AT WR4562 ip hotspot ip binding print Flags X disabled P bypassed B blocked MAC ADDRESS ADDRESS TO ADDRESS SERVER 10 11 12 3 1 P 00 01 02 03 04 05 10 11 12 3 10 11 12 3 hs local admin AT WR4562 ip hotspot ip binding host print Flags S static H DHCP D dynamic A authorized P bypassed MAC ADDRESS ADDRESS TO ADDRESS SERVER IDLE TIMEOUT 0 SB 00 01 02 03 04 05 10 11 12 3 10 11 12 3 hs local 10 4 HotSpot User AAA 10 4 1 General Information Summary This document provides information on authentication authorization and accounting parameters and configuration for HotSpot gateway system Specifications Packages required system License required Level Submenu level ip hotspot user Standards and Technologies RADIUS Hardware usage Local traffic accounting requires additional memory Related Topics Hot Spot Service PPP User AAA Router User AAA RADIUS client Software Package Management
202. ay be limited or impossible to setup though a masqueraded NAT IP connection Please see the Microsoft and RFC links listed below for more information 180 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Additional Resources http msdn microsoft com library backgrnd html understanding_pptp htm http support microsoft com support kb articles q 62 8 47 asp http support microsoft com kb 54062 http www ietf org rfc rfc2637 txt number 2637 http www ietf org rfc rfc3078 txt number 3078 http www ietf org rfc rfc3079 txt number 3079 8 7 2 PPTP Client Setup Submenu level interface pptp client Property Description add default route yes no default no whether to use the server which this client is connected to as its default router gateway allow multiple choice mschap2 mschap chap pap default mschap2 mschapl chap pap the protocol to allow the client to use for authentication connect to address The IP address of the PPTP server to connect to max mru integer default 1460 Maximum Receive Unit The optimal value is the MRU of the interface the tunnel is working over decreased by 40 so for 1500 byte Ethernet link set the MRU to 1460 to avoid fragmentation of packets max mtu integer default 1460 Maximum Transmission Unit The optimal value is the MTU of the interface the tunnel is working over dec
203. bmenu According to the DHCP protocol a parameter is returned to the DHCP client only if it requests this parameter specifying the respective code in DHCP request Parameter List code 55 attribute If the code is not included in Parameter List attribute DHCP server will not send it to the DHCP client Example This example shows how to set DHCP server to reply on DHCP client s Hostname request code 12 with value Host A Add an option named Option Hostname with code 12 Hostname and value Host A admin AT WR4562 ip dhcp server option add name Hostname code 12 value Host A admin AT WR4562 ip dhcp server option print NAME CODE VALUE 0 Option Hostname 12 Host A admin AT WR4562 ip dhcp server option Use this option in DHCP server network list admin AT WR4562 ip dhcp server network add address 10 1 0 0 24 N N gateway 10 1 0 1 dhcp option Option Hostname dns server 159 148 60 20 admin AT WR4562 ip dhcp server network print detail address 10 1 0 0 24 gateway 10 1 0 1 dns server 159 148 60 20 dhcp option Option Hostname admin AT WR4562 ip dhcp server network Now the DHCP server will reply with its Hostname Host A to DHCP client if requested 6 1 9 DHCP Relay Submenu level ip dhcp relay Description DHCP Relay is just a proxy that is able to receive a DHCP request and resend it to the real DHCP server Property Description delay threshold time default none if
204. bps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both adminQ VAP interface wireless add master interface wlanl ssid virtual test mac address 00 0C 42 12 34 56 disabled no name V AP admin VAP interface wireless print Flags X disabled R running 0 name wlanl mtu 1500 mac address 00 0C 42 05 00 22 arp enabled disable running check no interface type Atheros AR5413 radio name 000C42050022 mode ap bridge ssid test area frequency mode superchannel country no country set antenna gain 0 frequency 2437 band 2 4ghz b g scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps l1Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stat
205. c for Router l admin Routerl gt ipsec policy add src address 10 1 0 0 24 dst address 10 2 0 0 24 action encrypt tunnel yes Sa src address 1 0 0 1 sa dst address 1 0 0 2 admin Routerl gt ip ipsec peer add address 1 0 0 2 NV exchange mode aggressive secret gvejimezyfopmekun for Router2 admin Router2 gt ipsec policy add src address 10 2 0 0 24 NV dst address 10 1 0 0 24 action encrypt tunnel yes Sa src address 1 0 0 2 sa dst address 1 0 0 1 admin Router2 gt ip ipsec peer add address 1 0 0 1 NV exchange mode aggressive secret gvejimezyfopmekun 198 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 9 Firewall and QoS 9 1 Filter 9 1 1 General Information Summary The firewall implements packet filtering and thereby provides security functions that are used to manage data flow to from and through the router Along with the Network Address Translation it serve as a tool for preventing unauthorized access to directly attached networks and the router itself as well as a filter for outgoing traffic Quick Setup Guide To add a firewall rule which drops all TCP packets that are destined to port 135 and going through the router use the following command ip firewall filter add chain forward dst port 135 protocol tcp action drop To deny acces to the router via Telnet protocol TCP
206. c address and sa dst address can be processed by this policy Transport mode can only work with packets that originate at and are destined for IPsec peers hosts that established security associations To encrypt traffic between networks or a network and a host you have to use tunnel mode It is good to have dont fragment cleared because encrypted packets are always bigger than original and thus they may need fragmentation If you are using IKE to establish SAs automatically then policies on both routers must exactly match each other id est src address 1 2 3 0 27 one router and dst addressz1 2 3 0 28 on another would not work Source address values on one router MUST be equal to destination address values on the other one and vice versa AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 191 Example To add a policy to encrypt a following the traffic between two hosts 10 0 0 147 and 10 0 0 148 we need do the adminQWiFi Nus ip ipsec pol sa dst address 10 0 licy add sa src address 10 0 0 147 0 148 action encrypt admin8 WiFi ip ipsec policy print Flags X disabled D dynamic I inactive 0 src address 10 0 0 147 32 any dst address 10 0 0 148 32 any protocol all action encrypt level require ipsec protocols esp tunnel no Sa src address 10 0 0 147 sa dst address 10 0 0 148 proposal default manual sa none priority 0 admin8 WiFi i
207. ce by employing modular compressed system e Unused software packages can be uninstalled e RouterOS functions and the system itself can be easily upgraded e Multiple packages can be installed at once AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 23 RouterOS v3 Configuration and User Guide e The package dependency is checked before installing a software package The package will not be installed if the required software package is missing e The version of the feature package should be the same as that of the system package e packages can be uploaded on the router using ftp and installed only when the router is going for shutdown during the reboot process e f the software package file can be uploaded to the router then the disk space is sufficient for the installation of the package e The system can be downgraded to an older version by uploading the needed packages to router via FTP binary mode After that execute command system package downgrade 3 3 2 Installation Upgrade Description Installation or upgrade of the RouterOS software packages can be done by uploading the newer version of the software package to the router and rebooting it The software package files are compressed binary files which can be downloaded from Allied Telesis web site in th support section http www alliedtelesis com support The full name of the software package consists of a descriptive name version number and
208. ce port Description Just like for classic the HotSpot embedded one to one NAT breaks some protocols that are incompatible with address translation To leave these protocols consistent helper modules must be used For the one to one NAT the only such a module is for FTP protocol AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 233 RouterOS v3 Configuration and User Guide Property Description name read only name protocol name ports read only integer list of the ports on which the protocol is working Example To set the FTP protocol uses both 20 and 21 TCP port admin AT WR4562 ip hotspot service port gt print Flags X disabled NAME PORTS 0 ftp 21 adminQ AT WR4562 ip hotspot service port gt set ftp ports 20 21 admin AT WR4562 ip hotspot service port gt print Flags X disabled NAME PORTS 0 ftp 20 21 adminQ AT WR4562 ip hotspot service port gt 10 3 9 Customizing HotSpot Firewall Section Description Apart from the obvious dynamic entries in the ip hotspot submenu itself like hosts and active users some additional rules are added in the firewall tables when activating a HotSpot service Unlike RouterOS version 2 8 there are relatively few firewall rules added in the firewall as the main job is made by the one to one NAT algorithm NAT rules From ip firewall nat print dynamic command you can get something like this comments follow after each of
209. ce set identifier txq read only integer the last received signal strength from our host to the remote one 54 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Example admin AT WR4562 interface wireless align monitor wlan2 ADDRESS SSID RXO AVG RXO LAST RX TXQ LAST TX CORRECT 0 00 01 24 70 4B FC wirelesa 60 60 0 01 63 Os 0T 100 admin AT WR4562 interface wireless align 4 3 13 Frequency Monitor Description Aproximately shows how loaded are the wireless channels Property Description freq read only integer shows current channel use read only percentage shows usage in current channel Example Monitor 802 1 Ib network load admin AT WR4562 interface wireless frequency monitor wlanl FREQ 2412MH 2417MH 2422MH 2427MH 2432MH 2437 2442MH 244 7MH 2452MH 245 7MH 2462MH oo Hd 99 oe oe oe oe oe O 10NOOOO N U0 omnes aah tS Hon REN zo b NN N NN NN NN NN gt oe To monitor other bands change the the band setting for the respective wireless interface 4 3 14 Manual Transmit Power Table Submenu level interface wireless manual tx power table Description In this submenu you can define signal strength for each rate You should be aware that you can damage your wireless card if you set higher output power than it is allowed
210. ces to the physical network where VLAN is to be created is ether I for all of them it is needed only for example simplification it is NOT a must To connect computers through VLAN they must be connected physically and unique IP addresses should be assigned them so that they could ping each other Then on each of them the VLAN interface should be created admin AT WR4562 interface vlan gt add name test vlan id 32 interface etherl admin AT WR4562 interface vlan gt print Flags disabled running NAME ARP VLAN ID INTERFACE 0 R test 1500 enabled 32 etherl admin AT WR4562 interface vlan gt If the interfaces were successfully created both of them will be running If computers are connected incorrectly through network device that does not retransmit or forward VLAN packets either both or one of the interfaces will not be running When the interface is running IP addresses can be assigned to the VLAN interfaces AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 77 RouterOS v3 Configuration and User Guide On Router admin AT WR4562 ip address gt add address 10 10 10 1 24 interface test admin AT WR4562 ip address gt print Flags disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 204 24 10 0 0 0 10 0 0 255 etherl 1 10 20 0 1 24 10 20 0 0 10 20 0 255 pel 2 10 10 10 1 24 10 10 10 0 10 10 10 255 test admin AT WR4562 ip address gt
211. ckage list entry is retrieved status read only available scheduled downloading downloaded installed package status version read only text version of the package Command Description download download packages from list by specifying their numbers download all download all packages that are needed for the upgrade packages which are listed in the system package print command output refresh updates currently available package list Example See the available packages admin AT WR4562 system upgrade refresh adminQ AT WR4562 system upgrade print SOURCE NAME VERSION STATUS COMPLETED 0 192 168 25 8 routeros x86 2 9 44 available Ll 192 1685 25 9 routeros rb500 3 0 available admin AT WR4562 system upgrade To upgrade chosen packages adminQ AT WR4562 system upgrade download 1 admin AT WR4562 system upgrade print SOURCE NAME VERSION STATUS COMPLETED 0 192 168 25 8 routeros x86 2 9 44 available 1182316812558 routeros rb500 3 0 available admin AT WR4562 system upgrade 22 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 3 2 3 Adding Package Source Submenu level system upgrade upgrade package source Description In this submenu you can add remote routers from which to download RouterOS software packages Property Description address IP address source IP address of the router from which the pa
212. ckage list entry will be retrieved password text password of the remote router user text username of the remote router After specifying a remote router system upgrade upgrade package source you can type upgrade refresh to refresh the package list and system upgrade to see all available packages Example To add a router with username admin and no password from which the packages will be retrieved admin AT WR4562 system upgrade upgrade package source add address 192 168 25 8 user admin password admin AT WR4562 ystem upgrade upgrade package source print ADDRESS USER 0 192 168 25 8 admin admin AT WR4562 system upgrade upgrade package source 3 3 Software Package Management 3 3 1 General Information Summary The RouterOS is distributed in the form of software packages The basic functionality of the router and the operating system itself is provided by the system software package Other packages contain additional software features as well as support to various network interface cards Specifications License required Level Submenu level system package Standards and Technologies FTP Hardware usage Not significant Description Features The modular software package system of RouterOS has the following features e Ability to extend RouterOS functions by installing additional software packages e Optimal usage of the storage spa
213. col is set to IPv4 dst mac address MAC address default 00 00 00 00 00 00 destination MAC address dst port integer 0 65535 destination port number or range only for TCP or UDP protocols flow text individual packet mark to match in bridge name bridge interface through which the packet is coming in in interface name physical interface i e bridge port through which the packet is coming in ip protocol ipsec ah ipsec esp ddp egp ggp gre hmp idpr cmtp icmp igmp ipencap encap ipip iso tp4 ospf pup rspf st tcp udp vmtp xns idp xtp IP protocol only if MAC protocol is set to 4 ipsec ah IPsec AH protocol ipsec esp IPsec ESP protocol ddp datagram delivery protocol egp exterior gateway protocol ggp gateway gateway protocol gre general routing encapsulation hmp host monitoring protocol idpr cmtp idpr control message transport icmp internet control message protocol igmp internet group management protocol ipencap ip encapsulated in ip encap ip encapsulation ipip ip encapsulation iso tp4 iso transport protocol class 4 ospf open shortest path first pup parc universal packet protocol rspf radio shortest path first rdp reliable datagram protocol st st datagram mode tcp transmission control protocol udp user datagram protocol vmtp versatile message transport xns idp xerox ns idp xtp xpress transfe
214. cription alert timeout none time default none time after which alert will be forgotten If after that time the same server will be detected new alert will be generated none infinite time interface name interface on which to run rogue DHCP server finder invalid server read only text list of MAC addresses of detected unknown DHCP servers Server is removed from this list after alert timeout on alert text script to run when an unknown DHCP server is detected valid server text list of MAC addresses of valid DHCP servers All alerts on an interface can be cleared at any time using command lip dhcp server alert reset alert interface Note that e mail can be sent using system logging action add target email eo 6 1 8 DHCP Option Submenu level ip dhcp server option Description With help of DHCP Option it is possible to define additional custom options for DHCP Server to advertise 124 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Property Description code integer 1 254 dhcp option code All codes are available at http www iana org assignments bootp dhcp parameters name name descriptive name of the option value text parameter s value in form of a string If the string begins with Ox it is assumed as a hexadecimal value The defined options you can use ip dhcp server network su
215. ction has to be established between the HotSpot user s computer and the gateway It can be wireless the wireless card should be registered to AP or wired the NIC card should be connected to a hub or a switch Introduction to HotSpot HotSpot is a way to authorize users to access some network resources It does not provide traffic encryption To log in users may use almost any web browser either HTTP or HTTPS protocol so they are not required to install additional software The gateway is accounting the uptime and amount of traffic each of its clients have used and also can send this information to a RADIUS server The HotSpot system may limit each particular user s bitrate total amount of traffic uptime and some other parameters mentioned further in this document The HotSpot system is targeted to provide authentication within a local network to access the Internet but may as well be used to authorize access from outer networks to access local resources Configuring Walled Garden feature it is possible to allow users to access some web pages without the need of prior authentication Getting Address First of all a client must get an IP address It may be set on the client statically or leased from a DHCP server The DHCP server may provide ways of binding lent IP addresses to clients MAC addresses if required The HotSpot system does not care how did a client get an address before he she gets to the HotSpot login page Moreover H
216. d 1 mac address 00 00 5E 80 00 02 disabled no Now you can add IP addresses to the created EolP interfaces from the same subnet Specifications Packages required system License required Level limited to tunnel Level3 Submenu level interface eoip Standards and Technologies GRE RFC1701 Hardware usage Not significant Related Topics IP Addresses and ARP Bridge Interfaces PPTP Description EolP interface may be configured between two routers that have active IP level connection The EolP tunnel may run over an IPIP tunnel a PPTP 28bit encrypted tunnel a PPPoE connection or any other connection that transports IP Specific Properties Each EolP tunnel interface can connect with one remote router which has a corresponding interface configured with the same Tunnel ID AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 151 RouterOS v3 Configuration and User Guide EolP interface appears as an Ethernet interface under the interface list This interface supports all features of an Ethernet interface IP addresses and other tunnels may be run over the interface The EolP protocol encapsulates Ethernet frames in GRE IP protocol number 47 packets just like PPTP and sends them to the remote side of the EolP tunnel Maximal number of EolP tunnels is 65536 WDS significantly faster than EolP on wireless links up to 10 20 so it is recommended to use WDS whenev
217. d User Guide One or more interfaces can be monitored at the same time To see overall traffic passing through all interfaces at time use aggregate instead of interface name Example Multiple interface monitoring interface monitor traffic etherl aggregate received packets per second 9 Tr received bits per second 4 39kbps 6 19kbps sent packets per second 16 17 sent bits per second 101kbps 101kbps O quit D dump C z pause 4 2 Ethernet Interfaces 4 2 1 General Information Summary RouterOS supports various types of Ethernet Interfaces with all available features This section describes how to configure the various parameters and settings Specifications Packages required system License required Level Submenu level interface ethernet Standards and Technologies IEEE 802 3 Hardware usage Not significant Related Topics e Software Package Management Addresses and ARP e DHCP and DNS Additional Resources e http grouper ieee org groups 802 3 e http en wikipedia org wiki EEE 802 3 http www ethermanage com ethernet ethernet html e http www dcs gla ac uk liddellj nct ethernet protocol html 4 2 2 Ethernet Interface Configuration Submenu level interface ethernet Property Description arp disabled enabled proxy arp reply only default enabled Address Resolution Protocol auto negotiation yes no default yes when
218. d before IP filters NAT of the built in chain of the same name except for the output which is executed after IP Firewall Output These rules can be used with real physical receiving transmitting interfaces as well as with bridge interface that simply groups the bridged interfaces 82 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide There are three bridge filter tables filter bridge firewall with three predefined chains e input filters packets which destination is the bridge including those packets that will be routed as they are anyway destined to the bridge MAC address e output filters packets which come from the bridge including those packets that has been routed normally e forward filters packets which are to be bridged note this chain is not applied to the packets that should be routed through the router just to those that are traversing between the ports of the same bridge nat bridge network address translation provides ways for changing source destination MAC addresses of the packets traversing a bridge Has two built in chains e scnat used for hiding a host or a network behind a different MAC address This chain is applied to the packets leaving the router through a bridged interface e dstnat used for redirecting some pakets to another destinations e broute makes bridge brouter router that performs routing on
219. d by 40 so for 1500 byte Ethernet link set the MTU to 1460 to avoid fragmentation of packets AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 163 RouterOS v3 Configuration and User Guide mrru integer 512 65535 default disabled maximum packet size that can be received on the link If a packet is bigger than tunnel MTU it will be split into multiple packets allowing full size IP or Ethernet packets to be sent over the tunnel disabled disable MRRU on this link name name default I2tp outN interface name for reference password text default user password to use when logging to the remote server profile name default default profile to use when connecting to the remote server user text user name to use when logging on to the remote server Specifying MRRU means enabling MP Multilink PPP over single link This protocol is used to split big packets into smaller ones Under Windows it can be enabled in Networking tag Settings button Negotiate multi link for single link connections Their MRRU is hardcoded to 1614 This setting is usefull to overcome PathMTU discovery failures The MP should be enabled on both peers Example To set up L2TP client named test2 using username john with password john to connect to the 10 1 1 12 L2TP server and use it as the default gateway admin AT WR4562 interface 12tp client gt add name test2 connect to 10 1 1 12 NV user john a
220. dd default route yes password john admin AT WR4562 interface 12tp client gt print Flags X disabled R running 0X name test2 mtu 1460 mru 1460 connect to 10 1 1 12 user john password john profile default add default route yes allow pap chap mschapl mschap2 adminQ AT WR4562 interface 12tp client gt enable 0 8 5 3 Monitoring L2TP Client Command name interface I2tp client monitor Property Description encoding text encryption and encoding if asymmetric separated with 7 being used n this connection idle time read only time time since the last packet has been transmitted over this link mru read only integer effective MRU of the link mtu read only integer effective MTU of the link status text status of the client dialing attempting to make a connection verifying password connection has been established to the server password verification in progress connected self explanatory terminated interface is not enabled or the other side will not establish a connection uptime time connection time displayed in days hours minutes and seconds Example Example of an established connection adminQ AT WR4562 interface 12tp client gt monitor test2 status connected uptime 6h44m9s idle time 6h44m9s encoding MPPE128 stateless mtu 1460 mru 1460 adminQAT WR4562 interface l2tp client 164 4500 Series IEEE 802 1 labgh Outdoor Wirele
221. dec 24 2003 08 37 48 user admin logged in from 10 1 0 60 via telnet Ctrl C to quit New entries will appear at bottom 2 2 SNMP Service 12 2 1 General Information Summary SNMP is an application layer protocol It is called simple because it works that way the management station makes a request and the managed device SNMP agent replies to this request In SNMPvI there are three main actions Get Set and Trap RouterOS supports only Get which means that you can use this implementation only for network monitoring Hosts receive SNMP generated messages UDP port 161 except the trap messages which received on UDP port 162 The RouterOS supports e SNMPVvI only e Read only access is provided to the NMS network management system e User defined communities are supported e Get and GetNext actions e No Set support e No Trap support 258 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Specifications Packages required system ppp optional License required Level Submenu level snmp Standards and Technologies SNMP RFC 1157 Hardware usage Not significant Related Topics Software Package Management IP Addresses and ARP Additional Resources e http www ietf org rfc rfc 157 txt http en wikipedia org wiki Simple Network Management Protocol http www david guerrero com papers snmp 12 3 Traffic Flow
222. default ap tx limit 0 default client tx limit 0 hide ssid no security profile default compression no admin PPPoE Server interface wireless AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 177 RouterOS v3 Configuration and User Guide Now configure the Ethernet interface add the IP address and set the default route admin PPPoE Server ip address gt add address 10 1 0 3 24 interface Local admin PPPoE Server ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 1 0 3 24 10 1 0 0 10 1 0 255 Local admin PPPoE Server ip address gt ip route admin PPPoE Server ip route add gateway 10 1 0 1 admin PPPoE Server ip route print Flags X disabled A active D dynamic C connect S static r rip b bgp o ospf DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 ADC 10 1 0 0 24 Local LA S 0 0 0 0 0 10 150 1 1 Local admin PPPoE Server ip route gt interface ethernet admin PPPoE Server interface ethernet gt set Local arp proxy arp admin PPPoE Server interface ethernet gt print Woo lags X disabled running NAME MTU MAC ADDRESS ARP 0 R Local 1500 00 0C 42 03 25 53 proxy arp admin PPPoE Server interface ethernet We should add PPPoE server to the wireless interface adminQPPPoE Server interface pppoe server server add interface wlanl Service name mt one session per host yes disabled no
223. destination IP address dynamic read only flag whether the rule has been created dynamically in accepted integer how many incoming packets were passed through by the policy without an attempt to decrypt in dropped integer how many incoming packets were dropped by the policy without an attempt to decrypt in transformed integer how many incoming packets were decrypted ESP and or verified AH by the policy inactive read only flag whether the rule is inactive it may become inactive due to some misconfiguration ipsec protocols multiple choice ah esp default esp specifies what combination of Authentication Header and Encapsulating Security Payload protocols you want to apply to matched traffic AH is applied after ESP and in case of tunnel mode ESP will be applied in tunnel mode and AH in transport mode level unique require use default require specifies what to do if some of the SAs for this policy cannot be found use skip this transform do not drop packet and do not acquire SA from IKE daemon require drop packet and acquire SA unique drop packet and acquire a unique SA that is only used with this particular policy manual sa name default none name of manual sa template that will be used to create SAs for this policy none no manual keys are set out accepted integer how many outgoing packets were passed through by the policy without an attempt to encrypt out dropped integer how
224. dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both admin AccessPoint interface wireless add adminG AccessPoint ip address gt add address 10 1 0 1 24 interface AP admin AccessPoint ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 10 1 0 1 24 10 1 0 0 10 1 0255 AP admin AccessPoint ip address gt 62 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Configure the station and add an IP address 10 1 0 2 to it admin Station interface wireless set wlanl name To AP mode station ssid test band 5ghz disabled no admin Station interface wireless print Flags X disabled R running OR mtu 1500 mac address 00 0B 6B 34 5A 91 arp enabled disable running check no interface type Atheros AR5213 radio name 000B6B345A91 mode station ssid test area frequency mode superchannel country no country set antenna gain 0 frequency 5180 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps llMbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
225. dge mode WDS VLAN can be connected together using MAC bridges The bridge feature allows the interconnection of hosts connected to separate LANs using EolP geographically distributed networks can be bridged as well if any kind of IP network interconnection exists between them as if they were attached to a single LAN As bridges are transparent they do not appear in traceroute list and no utility can make a distinction between a host working in one LAN and a host working in another LAN if these LANs are bridged depending on the way the LANs are interconnected latency and data rate between hosts may vary Network loops may emerge intentionally or not in complex topologies Without any special treatment loops would prevent network from functioning normally as they would lead to avalanche like packet multiplication Each bridge runs an algorithm which calculates how the loop can be prevented STP allows bridges to communicate with each other so they can negotiate a loop free topology All other alternative connections that would otherwise form loops are put to standby so that should the main connection fail another connection could take its place This algorithm exchange configuration messages BPDU Bridge Protocol Data Unit periodically so that all bridges would be updated with the newest information about changes in network topology STP selects root bridge which is responosible for network reconfiguration such as blocking and opening port
226. dmin Our interface bridge port add bridge bridgel interface eoip remote admin Our GW interface bridge port add bridge bridgel interface etherl admin Our GW interface bridge port print Flags X disabled I inactive D dynamic INTERFACE BRIDGE PRIORITY PATH COST 0 eoip remote bridgel 128 10 1 etherl bridgel 128 10 admin Our interface bridge And the same for the Remote admin Remote interface bridge add admin Remote interface bridge print Flags X disabled R running 0 R name bridgel mtu 1500 arp enabled mac address 00 00 00 00 00 00 stp no priority 32768 ageing time 5m forward delay 15s garbage collection interval 4s hello time 2s max message age 20s adminG Remote interface bridge add bridge bridgel interface etherl admin Remote interface bridge add bridge bridgel interface eoip main admin8 Remote interface bridge port print Flags X disabled I inactive D dynamic INTERFACE BRIDGE PRIORITY PATH COST 0 etherl bridgel 128 10 1 eoip main bridgel 128 10 admin Remote interface bridge port print Addresses from the same network can be used both in the Office LAN and in the Remote LAN 8 1 4 Troubleshooting Description The routers can ping each other but EolP tunnel does not seem to work Check the MAC addresses of the EolP interfaces they should not be the same 154 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers
227. dress of the remote WDS host a When the link between WDS devices using wds mode dynamic goes down the dynamic WDS interfaces disappear and if there are any IP addresses set on this interface their interface setting will change to unknown When the link comes up again the interface value will not change it will remain as unknown That s why it is not recommended to add IP addresses to dynamic WDS interfaces If you want to use dynamic WDS in a bridge set the wds default bridge value to desired bridge interface name When the link will go down and then it comes up the dynamic WDS interface will be put in the specified bridge automatically As the routers which are in WDS mode have to communicate at equal frequencies it is not recommended to use WDS and DFS simultaneously it is most probable that these routers will not connect to each other WDS significantly faster than EolP to 10 2076 so it is recommended to use WDS whenever possible Example admin AT WR4562 interface wireless wds gt add master interface wlanl wds address 00 0B 6B 30 2B 27 disabled no admin AT WR4562 interface wireless wds gt print Flags X disabled running D dynamic 0 R name wdsl mtu 1500 mac address 00 0B 6B 30 2B 23 arp enabled disable running check no master inteface wlanl wds address 00 0B 6B 30 2B 27 admin AT WR4562 interface wireless wds gt 4 3 4 Align Submenu level interface wireless
228. ds and Technologies None Hardware usage Not significant 8 3 3 Related Documents Linux Ethernet Bonding Driver mini howto AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 155 RouterOS v3 Configuration and User Guide Description To provide a proper failover you should specify link monitoring parameter It can be e Media Independent Interface or type2 Media Independent Interface is an abstract layer between the operating system and the NIC which detects whether the link is running it performs also other functions but in our case this is the most important e ARP Address Resolution Protocol periodically for arp interval time checks the link status link monitoring is used to check whether the link is up or not Property Description arp disabled enabled proxy arp reply only default enabled Address Resolution Protocol for the interface disabled the interface will not use ARP enabled the interface will use ARP proxy arp the interface will use the ARP proxy feature reply only the interface will only reply to the requests originated to its own IP addresses Neighbour MAC addresses will be resolved using ip arp statically set table only arp interval time default 00 00 00 100 time in milliseconds which defines how often to monitor ARP requests arp ip targets IP address default IP target address which will be monitored if link monitoring is set to a
229. e et bc adeb 20 3 22 System Upgrade 21 3 2 3 Adding Package Source 22 3 3 Software Package Management ssssssscsscsssseecssssssssecsssscssssssssssesssssssssesssenscssesssesvesuseuscssesscessessesesenseses 22 3 3 1 General Informatior 22 3 3 2 Installation Upgrade tte 23 3 3 3 tn etie neve ia ver T the aene 23 3 3 4 Downgrading eto tete pere ein pe e ae en e en unde ceca DA RI 24 3 3 5 Disabling and Enabling citt retten Deer c Mee ni tentus 25 3 3 6 Unscheduling 2 intet rore tees reet t debe cesi rcr Cerea agg 25 3 3 7 System n ated ee re Lapis 26 3 3 8 Adding Package Source uso iiie deseen rores Der b ege 27 3 3 9 Software Package List nir eveniet een ken eden agens 27 Configuring Interfaces tc 30 4 1 General Interface Settings sscscsssssecscssssescsssssssscsssssssssesssscesssessssssessessessesssesssssesusessesecessessessesnsesseses 30 4 1 1 General Informatiori 30 4 1 2 Interface Stat s 2 e ete ele verc 30 4 1 3 Traffic DU 30 4 2 Ethernet Interfaces taret ertet casti ea rede 3l 4 1 General Information Ln ea
230. e downgrade Router will be rebooted Continue y N y System will reboot shortly 3 3 5 Disabling and Enabling Specifications Command name system package disable system package enable Description You can disable packages making them invisible for the system and later enable them bringing the system back to the previous state It is useful if you don t want to uninstall a package but just turn off its functionality This will save the RAM and processor resources for other applications but will not free the diskspace used by the package files If a package is marked for disabling but it is required for another dependent package then the marked package cannot be disabled You should disable or uninstall the dependent package too For the list of package dependencies see the Software Package List section below If any of the test packages will be enabled for example wireless test and routing test packages that are included in routeros x86 npk system automaticly will disable regular packages that conflict with them Example Suppose we need to test ipv6 package features admin AT WR4562 system package print Flags X disabled NAME VERSION SCHEDULED 0 routeros rb500 3 0 I system 3 0 2 2 0 3 ntp 3 0 4 wireless 3 0 5 dhcp 3 20 6 routing 3 0 T routerboard 240 8 advanced tools 3 0 9 hotspot 3 0 10 ppp 2 0 11 security 320 adminQ AT WR4562 system packag
231. e enable ipv6 admin AT WR4562 system package reboot 3 3 6 Unscheduling Command name system package unschedule Description Unschedule option allows to cancel pending uninstall disable or enable actions for listed packages Packages marked for uninstallation disabling or enabling on reboot column schedule will have a note warning about changes 26 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Example Suppose we need to cancel security package uninstallation action scheduled on reboot admin AT WR4562 system package print Flags X disabled NAME routeros rb500 system X ipv6 ntp VERSION SCHEDULED 3 5 3 9 wireless 3 3 3 3 3 3 3 0 dhcp routing routerboard advanced tools hotspot 10 ppp 11 security 3 0 Scheduled for uninstall admin AT WR4562 system package unschedule security admin AT WR4562 system package O SO OO 0 OS 3 3 7 System Upgrade Submenu level system upgrade Description This submenu gives you the ability to download RouterOS software packages from a remote RouterOS router Step by Step e Upload desired RouterOS packages to a router not the one that you will upgrade e Add this router s IP address user name and password to system upgrade upgrade package source on the router s you will be upgr
232. e This normally Ethernet Type 1 arp opcode arp nak drarp error drarp reply drarp request inarp request reply reply reverse request request reverse ARP opcode packet type arp nak negative ARP reply rarely used mostly in ATM networks drarp error Dynamic RARP error code saying that an IP address for the given MAC address can not be allocated drarp reply Dynamic RARP reply with a temporaty IP address assignment for a host drarp request Dynamic RARP request to assign a temporary IP address for the given MAC address inarp request reply standard ARP reply with a MAC address reply reverse reverse ARP RARP reply with an IP address assigned request standard ARP request to a known IP address to find out unknown MAC address request reverse reverse ARP RARP request to a known MAC address to find out unknown IP address intended to be used by hosts to find out their own IP address similarly to DHCP service arp packet type integer arp src address address default 0 0 0 0 0 ARP source IP address arp src mac address MAC address default 00 00 00 00 00 00 ARP source MAC address chain text bridge firewall chain which the filter is functioning in either a built in one or a user defined AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 83 RouterOS v3 Configuration and User Guide dst address IP address default 0 0 0 0 0 destination IP address only if MAC proto
233. e clients employees Each PPTP connection is composed of a server and a client The RouterOS may function as a server or client or for various configurations it may be the server for some connections and client for other connections For example the client created below could connect to a Windows 2000 server another RouterOS Router or another router which supports a PPTP server AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 179 RouterOS v3 Configuration and User Guide Quick Setup Guide make PPTP tunnel between 2 RouterOS routers with IP addresses 10 5 8 104 PPTP server and 10 1 0 172 PPTP client follow the next steps Configuration on PPTP server router Add a user admin PPTP Server ppp secret add name jack password pass local address 10 0 0 1 remote address 10 0 0 2 Enable the PPTP server admin PPTP Server interface pptp server server set enabled yes Configuration on PPTP client router Add the PPTP client admin PPTP Client interface pptp client add user jack password pass connect to 10 5 8 104 disabled no Specifications Packages required ppp License required Level limited to tunnel Level3 limited to 200 tunnels Level5 Submenu level interface pptp server linterface pptp client Standards and Technologies PPTP RFC 2637 Hardware usage Not significant Related Topics IP Addresses and ARP PPP User A
234. e IPsec in the Microsoft L2TP IPsec VPN Client and in the RouterOS If you do not want to use IPsec it be easily switched off on the client side If you are using Windows 2000 you need to edit system registry using regedt32 exe regedit exe Add the following registry value to HKEY_LOCAL_MACHINE System CurrentControlSet Services Rasman Parameters Value Name ProhibitlpSec Data Type REG_DWORD Value You must restart the Windows 2000 for the changes to take effect 8 6 PPPoE 8 6 1 General Information Summary The PPPoE Point to Point Protocol over Ethernet protocol provides extensive user management network management and accounting benefits to ISPs and network administrators Currently PPPoE is used mainly by ISPs to control client connections for xDSL and cable modems as well as plain Ethernet networks PPPoE is an extension of the standard Point to Point Protocol PPP The difference between them is expressed in transport method PPPoE employs Ethernet instead of modem connection AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 171 RouterOS v3 Configuration and User Guide Generally speaking PPPoE is used to hand out IP addresses to clients based on the user and workstation if desired authentication as opposed to workstation only authentication when static IP addresses or DHCP are used It is adviced not to use static IP addresses or DHCP on the same interfaces as PPPoE for
235. e Unit The optimal value is the MRU of the interface the tunnel is working over decreased by 40 so for 1500 byte Ethernet link set the MRU to 1460 to avoid fragmentation of packets max mtu integer default 1460 Maximum Transmission Unit The optimal value is the MTU of the interface the tunnel is working over decreased by 40 so for 1500 byte Ethernet link set the MTU to 1460 to avoid fragmentation of packets mrru integer 512 65535 default disabled maximum packet size that can be received on the link If a packet is bigger than tunnel MTU it will be split into multiple packets allowing full size IP or Ethernet packets to be sent over the tunnel disabled disable MRRU on this link name name default pppoe out name of the PPPoE interface password text default a user password used to connect the PPPoE server profile name default profile for the connection service name text default specifies the service name set on the access concentrator Leave it blank unless you have many services and need to specify the one you need to connect to use peer dns yes no default no whether to set the router s default DNS to the PPP peer DNS i e whether to get DNS settings from the peer user text default a user name that is present on the PPPoE server AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 173 RouterOS v3 Configuration and User Guide Example To add and enable PPPoE
236. e a L2TP tunnel between two RouterOS routers with IP addresses 10 5 8 104 L2TP server and 10 1 0 172 L2TP client follow the next steps Configuration on L2TP server router Add a L2TP user admin8L2TP Server ppp secret add name james password pass V NV local address 10 0 0 1 remote address 10 0 0 2 Enable the L2TP server adminGL2TP Server interface l2tp server server set enabled yes Configuration on L2TP client router Add a L2TP client admin L2TP Client interface 12tp client gt add user james password pass connect to 10 5 8 104 Specifications Packages required ppp License required Level limited to tunnel Level3 limited to 200 tunnels Level5 Submenu level interface I2tp server linterface I2tp client Standards and Technologies L2TP RFC 2661 Hardware usage Not significant 162 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Related Topics IP Addresses and ARP AAA Configuration EoIP IP Security Additional Resources http www linuxguide it docs php Networking VPN IPSec262FL2TP http en wikipedia org wiki L2tp Description L2TP is a secure tunnel protocol for transporting IP traffic using PPP L2TP encapsulates PPP in virtual lines that run over IP Frame Relay and other protocols that are not currently supported by RouterOS L2TP incorporates PPP and MPPE Mic
237. e both 1 name wlan2 mtu 1500 mac address 00 0C 42 05 00 28 arp enabled disable running check no interface type Atheros AR5413 radio name 000C42050028 mode nstreme dual slave ssid AT WR4500 area frequency mode superchannel country no country set antenna gain 0 frequency 5180 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps llMbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both admin DualNS 1 interface wireless nstreme dual admin DualNS 1 interface wireless nstreme dual add rx radio wlanl tx radio wlan2 rx frequency 5180 tx frequency 5805 disabled no admin DualNS 1 interface wireless nstreme dual print Flags X disabled R running 0 name nstremel mtu 1500 mac address 00 0C 42 05 04 36 arp enabled disable running check no tx radio wlan2 rx radio wlanl remote mac 00 00 00 00 00 00 tx band 5ghz tx frequency 5805 rx band
238. e choice ec2n155 ec2n185 modp768 modpl024 modpl536 default modp1024 Diffie Hellman group cipher strength enc algorithm multiple choice des 3des aes 128 aes 192 aes 256 default 3des encryption algorithm Algorithms are named in strength increasing order exchange mode multiple choice main aggressive base default main different ISAKMP phase exchange modes according to RFC 2408 Do not use other modes then main unless you know what you are doing generate policy yes no default no allow this peer to establish SA for non existing policies Such policies are created dynamically for the lifetime of SA This way it is possible for example to create IPsec secured L2TP tunnels or any other setup where remote peer s IP address is not known at the configuration time hash algorithm multiple choice md5 shal default md5 hashing algorithm SHA Secure Hash Algorithm is stronger but slower lifebytes integer default 0 phase lifetime specifies how much bytes can be transferred before SA is discarded 0 SA expiration will not be due to byte count excess 192 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide lifetime time default Id phase lifetime specifies how long the SA will be valid SA will be discarded after this time nat traversal yes no default no use Linux NAT T mechanism to solve IPsec incompatibility w
239. e given VRRP instane is working on network address IP address of the network virtual router name VRRP router s name the address belongs to The virtual IP addresses should be the same for each node of a virtual router To add a virtual address of 192 168 1 1 24 to the vrl VRRP router admin AT WR4562 ip vrrp gt address address 192 168 1 1 24 virtual router vrl admin AT WR4562 ip vrrp gt address print Flags X disabled A active ADDRESS NETWORK BROADCAST INSTANCE INTERFACE 0 192 168 1 1 24 192 168 1 0 192 168 1 255 vrl default admin AT WR4562 ip vrrp gt 11 1 4 simple example of VRRP fail over Description VRRP protocol may be used to make a redundant Internet connection with seamless fail over Let us assume that we have 192 168 1 0 24 network and we need to provide highly available Internet connection for it This network should be NATted to make fail over with public IPs use such dynamic routing protocols as BGP or OSPF together with VRRP We have connections to two different Internet Service Providers ISPs and one of them is preferred for example it is cheaper or faster i Internet 192 168 1 1 P a LAN 68 1 0 24 192 1 Figure 35 Simple VRRP fail over example 252 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide This example shows how to config
240. e in DNS cache It allows you to link the particular domain names with the respective IP addresses and advertize these links to the DNS clients using the router as their DNS server Property Description address IP address IP address to resolve domain name with name text DNS name to be resolved to a given IP address ttl time time to live of the DNS record 6 4 All DNS Entries Submenu level ip dns cache all Description This menu provides a complete list with all DNS records stored on the server Property Description data read only text DNS data field IP address for type A records Other record types may have different contents of the data field like hostname or arbitrary text name read only name DNS name of the host ttl read only time remaining time to live for the record type read only text DNS record type 6 5 Static DNS Entries Submenu level ip dns static AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 131 RouterOS v3 Configuration and User Guide Description The RouterOS has an embedded DNS server feature in DNS cache It allows you to link the particular domain names with the respective IP addresses and advertize these links to the DNS clients using the router as their DNS server This feature can also be used to provide fake DNS information to your network clients For example resolving any DNS request for a certain set of domains or for the whole Intern
241. e information about all routes learned by the RIP protocol redistribute static as type as type 2 no default no if set the router will redistribute the information about all static routes added to its routing database i e routes that have been created using the ip route add command router id address default 0 0 0 0 OSPF Router ID If not specified OSPF uses the largest address configured on the interfaces as its router ID 100 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Within one area only the router that is connected to another area i e Area border router or to another AS i e Autonomous System boundary router should have the propagation of the default route enabled OSPF protocol will try to use the shortest path path with the smallest total cost if available OSPF protocol supports two types of metrics e typel external metrics are expressed in the same units as OSPF interface cost In other words the router expects the cost of a link to a network which is external to AS to be the same order of magnitude as the cost of the internal links e type2 external metrics are an order of magnitude larger any type2 metric is considered greater than the cost of any path internal to the AS Use of type2 external metric assumes that routing between AS is the major cost of routing a packet and climinates the need conversion of external
242. e made each client will stay within the selected directory all the time 240 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide If you want to use HTTP CHAP authentication method it is supposed that you include the doLogin function which references to the md5 js which must be already loaded before the Submit action of the login form Otherwise CHAP login will fail The resulting password to be sent to the HotSpot gateway in case of HTTP CHAP method is formed MD5 hashing the concatenation of the following chap id the password of the user and chap challenge in the given order In case if variables are to be used in link directly then they must be escaped accordingly For example in login page lt a href https login example com login mac mac amp user username gt link lt a gt will not work as intended if username will be 1 23 amp 456 1 2 In this case instead of user its escaped version must be used user esc lt a href https login server serv login mac mac esc amp user user esc gt link lt a gt Now the same username will be converted to 123 26456 30 1 2 which is the valid representation of 123 amp 456 1 2 in URL This trick may be used with any variables not only with username There is a boolean parameter erase cookie to the logout page which may be either on or true to delete user cookie on logout so that the user w
243. e mapped to Maximum number of ARP entries is 8192 AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 89 RouterOS v3 Configuration and User Guide If ARP feature is turned off on the interface i e arp disabled is used ARP requests from clients are not answered by the router Therefore static ARP entry should be added to the clients as well For example the router s IP and MAC addresses should be added to the Windows workstations using the arp command gt arp s 10 5 8 254 00 00 62 6 09 If arp property is set to reply only on the interface then router only replies to ARP requests Neighbour MAC addresses will be resolved using ip arp statically but there will be no need to add the router s MAC address to other hosts ARP tables Example admin AT WR4562 ip arp add address 10 10 10 10 interface ether2 mac address 06 Ys 7 21 00 56 200 12 admin AT WR4562 ip arp print Flags X disabled I invalid H DHCP D dynamic ADDRESS MAC ADDRESS INTERFACE OD 25272902 00 30 4F 1B B3 D9 ether2 1D 10 5 7 242 00 A0 24 9D 52 A4 etherl 2 10 10 10 10 06 21 00 56 00 12 ether2 admin AT WR4562 ip arp If static arp entries are used for network security on an interface you should set arp to reply only on that interface Do it under the relevant interface menu admin AT WR4562 ip arp interface ethernet set ether2 arp reply only admin AT
244. e packet flow through the router is depicted in the following diagram Bridge Dst NAT Preroutna HotSpot Input f OUTPUT Y INTERFACE J Figure 32 Packet Flow Diagram As can be seen on the diagram there are five chains in the processing pipeline These are prerouting input forward output and postrouting The actions performed on a packet in each chain are discussed later in this chapter Additional arrows from IPsec boxes shows the processing of encrypted packets they need to encrypted decrypted first and then processed as usual id est from the point an ordinal packet enters the router A paket can enter processing conveyer of the router in two ways First a packet can come from one of the interfaces present in the roter then the interface is referred as input interface Second it can be originated from a local process like web proxy VPN or others Alike there are two ways for a packet to leave the processing pipeline A packet can leave through the one of the router s interfaces in this case the interface is referred as output interface or it can end up in the local process In general traffic can be destined to one of the router s IP addresses it can originate from the router or simply should be passed through To further complicate things the traffic can be bridged or routed one which is determined during the Bridge Decision stage 212 4500 Series IEEE 802 1 labgh Outdoor Wir
245. e prerouting and stop in the routing recision The actions imposed by various router facilities are sequentially applied to a packet in each of the default chains The exact order they are applied is pictured in the bottom of the flow diagram Exempli gratia for a packet passing postrouting chain the mangle rules are applied first two types of queuing come in second place and finally source NAT is performed on packets that need to be natted Note that any given packet can come through only one of the input forward or output chains Bridged Traffic In case the incoming traffic needs to be bridged do not confuse it with the traffic coming to the bridge interface at the router s own MAC address and thus classified as routed traffic it is first determined whether it is an IP traffic or not After that IP traffic goes through the prerouting forward and postrouting chains while non IP traffic bypasses all IP firewall rules and goes directly to the interface queue Both types of traffic however undergo the full set of bridge firewall chains anyway regardless of the protocol 9 3 3 Connection Tracking Submenu level ip firewall connection Description Connection tracking refers to the ability to maintain the state information about connections such as source and destination IP address and ports pairs connection states protocol types and timeouts Firewalls that do connection tracking are known as stateful and are inherently more sec
246. e secondary DNS server assigned by the DHCP server secondary ntp read only IP address IP address of the secondary NTP server assigned by the DHCP server status read only bound error rebinding renewing requesting searching stopped shows the status of DHCP slient use peer dns yes no default yes whether to accept the DNS settings advertized by DHCP server they will override the settings put in the ip dns submenu use peer ntp yes no default yes whether to accept the NTP settings advertized by DHCP server they will override the settings put in the system ntp client submenu Command Description release release current binding and restart DHCP client renew renew current leases If the renew operation was not successful client tries to reinitialize lease i e it starts lease request procedure rebind as if it had not received an IP address yet 118 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide If host name property is not specified client s system identity will be sent in the respective field of ev DHCP request If client id property is not specified client s MAC address will be sent in the respective field of DHCP request If use peer dns property is enabled the DHCP client will unconditionally rewrite the settings in lip dns submenu In case two or more DNS servers were received first two of them are set as p
247. e source MAC address of a packet only valid in srcnat chain out bridge name outgoing bridge interface out interface name interface via packet is leaving the bridge to arp reply mac address MAC address source MAC address to put in Ethernet frame and ARP payload when action arp reply is selected to dst mac address MAC address destination MAC address to put in Ethernet frames when action dst nat is selected to src mac address MAC address source MAC address to put in Ethernet frames when action src nat is selected 4 5 10 Bridge Brouting Facility Submenu level interface bridge broute Description This section describes broute facility specific options which were omitted in the general firewall description The Brouting table is applied to every packet entering a forwarding enslaved interface i e it does not work on regular interfaces which are not included in a bridge Property Description action accept drop dst nat jump log mark passthrough redirect return default accept action to undertake if the packet matches the rule one of the accept let the bridging code decide what to do with this packet drop extract the packet from bridging code making it appear just like it would come from a not bridged interface no further bridge decisions or filters will be applied to this packet except if the packet would be router out to a bridged interface in which case the packet would be proc
248. e to be registered to it for station it should be connected to an AP If the interface does not appear as running R its route in the routing table is shown as invalid If set to yes the interface will always be shown as running On Atheros based interfaces encryption WEP WPA etc does not work when compression is enabled The tx power default setting is the maximum tx power that the card can use If you want to use larger tx rates you are able to set them but do it at your own risk Usually you can use this parameter to reduce the tx power In general tx power controlling properties should be left at the default settings Changing the default setting may help with some interfaces some situations but without testing the most common result is degradation of range and throughput Some of the problems that may occur are 1 overheating of the power amplifier chip and the card which will cause lower efficiency and more data errors 2 overdriving the amplifier which will cause more data errors 3 excessive power usage for the card and this may overload the 3 3V power supply of the board that the card is located on resulting in voltage drop and reboot or excessive temperatures for the board If the wireless interfaces are put in nstreme dual slave mode all configuration will take place in linterface wireless nstreme dual submenu described further on in this manual In that case configuration made in this submenu will be part
249. ecifies lower boundary of the size range or a standalone value max specifies upper boundary of the size range port port 0 16 matches if any source or destination port matches the specified list of ports or port ranges note that the protocol must still be selected just like for the regular src port and dst port matchers protocol ddp egp encap ggp gre hmp icmp idrp cmtp igmp ipencap ipip ipsec ah ipsec esp iso tp4 ospf pup rdp rspf st tcp udp vmtp xns idp xtp integer matches particular IP protocol specified by protocol name or number You should specify this setting if you want to specify ports psd integer time integer integer attempts to detect TCP and UDP scans It is advised to assign lower weight to ports with high numbers to reduce the frequency of false positives such as from passive mode FTP transfers WeightThreshold total weight of the latest TCP UDP packets with different destination ports coming from the same host to be treated as port scan sequence DelayThreshold delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence LowPortWeight weight of the packets with privileged lt 1024 destination port HighPortWeight weight of the packet with non priviliged destination port random integer match packets randomly with given propability routing mark name matches packets marked by mangle fac
250. ecifies the IP address of the router from which the route was received 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide This list shows routes learned by all dynamic routing protocols RIP OSPF and BGP Example To view the list of the routes admin AT WR4562 routing rip route print Flags S static R rip O ospf C connect B bgp 0 O dst address 0 0 0 0 32 gateway 10 7 1 254 metric 1 from 0 0 0 0 33 R dst address 159 148 10 104 29 gateway 10 6 1 1 metric 2 from 10 6 1 1 34 R dst address 159 148 10 112 28 gateway 10 6 1 1 metric 2 from 10 6 1 1 admin AT WR4562 routing rip route 5 2 7 Application Examples Example Let us consider an example of routing information exchange between a RouterOS router an Alliedware router and the ISP RouterOS router RouterOS Router Configuration admin AT WR4562 gt interface print Flags X disabled D dynamic R running NAME TYPE MTU 0 etherl ether 1500 1 ether2 ether 1500 admin AT WR4562 gt ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 174 24 10 0 0 174 10 0 0 255 etherl 1 192 168 0 1 24 192 168 0 0 192 168 0 255 ether2 admin AT WR4562 gt ip route print Flags disabled I invalid D dynamic J rejected connect S static rip ospf B bgp DST ADDRESS G GATE
251. ecssesssseessssssssseesssseecseesssuseessssssseessssseesseesssneesseessaneesssesessee 263 12 4 5 Simple Queue Graphing sssessessescsscsesssecseesesnssseesscsnecsesusesecsesuseseeascenseseesseesseseseeeneeses 263 12 4 6 Resource Graphing 264 AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 9 RouterOS v3 Configuration and User Guide FIGURES Figure 1 Figure 2 Figure 3 Figure 4 Figure 5 Figure 6 Figure 7 Figure 8 Figure 9 Figure 10 Figure 11 Figure 12 Figure 13 Figure 14 AT WR4500 Series typical application WinBox Loader 4 lt NVinBox main LAM DR UE RA CD EE WinBox with terminal window Station and AP mode example WDS d aede che Nstreme network Nstreme dual network example WEP security example OSPF Routing tables Figure 1 5 OSPF Backup aee e e Erie din RR et d tac PCS e eer Figure 16 Static Equal Cost Multi Path Routing example Figure 17 Standard Policy Based Routing with Figure 18 DHCP Relay eerte Figure 197 DHCP with ree retento bh
252. ecurity 35 admin AT WR4562 system package uninstall security admin AT WR4562 gt reboot 1 O TOTOOG 00 oo C2 3 3 4 Downgrading Command name system package downgrade Description Downgrade option allows you to downgrade the software via FTP without losing your license key or reinstalling the router It is not recommended to use older versions however if the newest version introduced some unwanted behavior you may try to downgrade If you send a support question you will probably be asked to upgrade to the latest version Step by Step e Connect to the router using ftp client e Select the BINARY mode file transfer e Upload the software package files to the router e Check the information about the uploaded software packages using the file print command e Execute command system package downgrade The router will downgrade and reboot After reboot verify that the packages were installed correctly by issuing system package print command Command Description downgrade this command asks your confirmation and reboots the router After reboot the software is downgraded if all needed packages were uploaded to the router AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 25 RouterOS v3 Configuration and User Guide Example To downgrade the RouterOS assuming that all needed packages are already uploaded admin AT WR4562 system packag
253. ed 9 3 4 Connection Timeouts Submenu level ip firewall connection tracking Description Connection tracking provides several timeouts When particular timeout expires the according entry is removed from the connection state table The following diagram depicts typical TCP connection establishment and termination and tcp timeouts that take place during these processes TCP connection establishment TCP connection termination TCP INITIATOR TCP RESPONDER TCP INITIATOR TCP RESPONDER send SYN send FIN receive SYN receive FIN lt receive SYN ACK send SYN ACK send ACK SYN_RCVD receive FIN TIMEOUT send FIN 2 CLOSE WAIT receive ACK TIMEOUT ESTABLISHED send ACK TIMEOUT receive ACK uw data Figure 33 Firewall Connection Tracking timeouts Property Description enable yes no default yes whether to allow or disallow connection tracking generic timeout time default 10m maximal amount of time connection state table entry that keeps tracking of packets that are neither TCP nor UDP for instance GRE will survive after having seen last packet matching this entry Creating PPTP connection this value will be increased automaticly icmp timeout time default 10s maximal amount of time connection tracking entry will survive after having seen ICMP request 214 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide max ent
254. ed network It is most comonly used to make hosts on a private network to be acceesible from the Internet A NAT router performing dstnat replaces the destination IP address of an IP packet as it travel through the router towards a private network NAT Drawbacks Hosts behind a NAT enabled router do not have true end to end connectivity Therefore some Internet protocols might not work in scenarios with NAT Services that require the initiation of TCP connection from outside the private network or stateless protocols such as UDP can be disrupted Moreover some protocols are inherently incompatible with NAT a bold example is AH protocol from the IPsec suite RouterOS includes a number of so called NAT helpers that enable NAT traversal for various protocols Redirect and Masquerade Redirect and masquerade are special forms of destination NAT and source NAT respectively Redirect is similar to the regular destination NAT in the same way as masquerade is similar to the source NAT masquerade is a special form of source NAT without need to specify to addresses outgoing interface address is used automatically The same is for redirect it is a form of destination NAT where to addresses is not used incoming interface address is used instead Note that to ports is meaningful for redirect rules this is the port of the service on the router that will handle these requests e g web proxy When packet is dst natted no matter action nat or actio
255. ed Station ld 30 RFC2865 Calling Station Id 31 RFC2865 CHAP Challenge 60 RFC2866 CHAP Password 3 RFC2865 Class 25 RFC2865 Filter Id 11 RFC2865 Framed IP Address 8 RFC2865 Framed IP Netmask 9 RFC2865 Framed Pool 88 RFC2869 Framed Protocol 7 RFC2865 Framed Route 22 RFC2865 Idle Timeout 28 RFC2865 Mikrotik Advertise Interval 14988 13 Mikrotik Advertise URL 14988 12 Mikrotik Group 14988 3 Mikrotik Host IP 14988 10 Mikrotik Mark Id 14988 N Mikrotik Rate Limit 14988 8 Mikrotik Realm 14988 9 Mikrotik Recv Limit 14988 Mikrotik Recv Limit Gigawords 14988 14 Mikrotik Wireless Enc Algo 14988 6 Mikrotik Wireless Enc Key 14988 7 Mikrotik Wireless Forward 14988 4 Mikrotik Wireless Skip Dot x 14988 5 Mikrotik Xmit Limit 14988 2 Mikrotik Xmit Limit Gigawords 14988 15 MS CHAP Challenge 311 11 RFC2548 MS CHAP Domain 311 10 RFC2548 MS CHAP Response 311 RFC2548 MS CHAP2 Response 311 25 RFC2548 140 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Name VendorlD Value RFC where it is defined MS CHAP2 Success 311 26 RFC2548 MS MPPE Encryption Policy 311 7 RFC2548 MS MPPE Encryption Types 311 8 RFC2548 MS MPPE Recv Key 311 17 RFC2548 MS MPPE Send Key 311 16 RFC2548 NAS Identifier 32 RFC2865 NAS Port 5 RFC2865 NAS IP Address 4 RFC2865 NAS Port ld 87 RFC2869 NAS Port Type 61 RFC2865 Port Limit 62 RFC2865 Service Type 6 RFC2865 Session Timeout 27 RFC2865 User Name RFC2865 User Passw
256. eless Routers RouterOS v3 Configuration and User Guide Routed traffic The traffic received for the router s MAC address on the respective port is passed to the routing procedures and can be of one of these four types e the traffic which is destined to the router itself The IP packets has destination address equal to one of the router s IP addresses A packet enters the router through the input interface sequentially traverses prerouting and input chains and ends up in the local process Consequently a packet can be filtered in the input chain filter and mangled in two places the input and the prerouting chain filters e the traffic is originated from the router In this case the IP packets have their source addresses identical to one of the router s IP addresses Such packets travel through the output chain then they are passed to the routing facility where an appropriate routing path for each packet is determined and leave through the postrouting chain e routable traffic which is received at the router s MAC address has an IP address different from any of the router s own addresses and its destination can be found in the routing tables These packets go through the prerouting forward and postrouting chains e unroutable traffic which is received at the router s MAC address has an IP address different from any of the router s own addresses but its destination can not be found in the routing tables These packets go through th
257. eless interface giving the ability to segregate LANs efficiently It supports up to 4095 vlan interfaces each with a unique VLAN ID per ethernet device A VLAN is a logical grouping that allows end users to communicate as if they were physically connected to a single isolated LAN independent of the physical configuration of the network VLAN support adds a new dimension of security and cost savings permitting the sharing of a physical network while logically maintaining separation among unrelated users Specifications Packages required system License required Level limited to vlan Level3 Submenu level interface vlan Standards and Technologies VLAN IEEE 802 1Q Hardware usage Not significant Related Topics Addresses and ARP Description VLANS are simply a way of grouping a set of switch ports together so that they form a logical network separate from any other such group It may also be understood as breaking one physical switch into several independent parts Within a single switch this is straightforward local configuration When the VLAN extends over more than one switch the inter switch links have to become trunks on which packets are tagged to indicate which VLAN they belong to You can use RouterOS to mark these packets as well as to accept and route marked ones As VLAN works on OSI Layer 2 it can be used just as any other network interface without any restrictions VLAN successfully passes through regu
258. ement ARP static IP routing policy routing firewall packet filtering content e filtering masquerading and static NAT traffic shaping queues IP traffic accounting Neighbour e Discovery IP Packet Packing DNS client settings IP service servers 28 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Ethernet interface support IP over IP tunnel interface support Ethernet over IP tunnel interface support driver management for Ethernet ISA cards serial port management local user management export and import of router configuration scripts backup and restore of the router s configuration undo and redo of configuration changes network diagnostics tools ping traceroute bandwidth tester traffic monitor bridge support system resource management package management telnet client and server local and remote logging facility winbox server as well as winbox executable with some plugins Additional Software Feature Packages The table below shows additional software feature packages extended functionality provided by them the required prerequisites and additional licenses if any Allied Telesis distributes and supports the following packages only Package name Contents Prerequisites Additional License advanced tools email client pingers S none none netwatch and other utilities Call Content Connection CCC data retention server
259. enabled the interface advertises its maximum capabilities to achieve the best connection possible to NS DP83815 6 cards 32 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide default suport long cables short support short cables standard same as default disable running check yes no default yes disable running check If this value is set to no the router automatically detects whether the NIC is connected with a device in the network or not full duplex yes no default yes defines whether the transmission of data appears in two directions simultaneously mac address MAC address set the Media Access Control number of the card mdix enable yes no whether the MDI X auto crosscable correction feature is enabled for the port if applicable mtu integer default 1500 Maximum Transmission Unit name name default etherN assigned interface name whrere N is the number of the ethernet interface speed 10 Mbps 100 Mbps Gbps sets the data transmission speed of the interface By default this value is the maximal data rate supported by the interface When disable running check is set to no the router automatically detects whether the NIC is connected to a device in the network or not When the remote device is not connected the leds are not blinking the route which is set on the specific interface becomes invalid Co
260. encrypted packets dynamic keys generate encryptioon keys dynamically name name descriptive name for the security profile radius eap accounting yes no default no use RADUIS accounting if EAP authentication is used radius mac accounting yes no default no use RADIUS accounting providing MAC address as username radius mac authentication no yes default no whether to use RADIUS server for MAC authentication radius mac caching time default disabled how long the RADIUS authentication reply for MAC address authentication if considered valid and thus can be cached for faster reauthentication radius mac format text default MAC address format to use for communication with RADIUS server AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 57 RouterOS v3 Configuration and User Guide radius mac mode as username as username and password default as username whether to use MAC address as username only or ad both username and password for RADIUS authentication static algo 0 none 40bit wep 104bit wep aes ccm default none which encryption algorithm to use none do not use encryption and do not accept encrypted packets 40bit wep use the 40bit encryption also known as 64bit wep and accept only these packets 104bit wep use the 1045 encryption also known as 28bit wep and accept only these packets aes ccm use the AES CCM Advanced Encryptio
261. ent ack timeout 56 wds link no nstreme no framing mode none routeros version 3 0 last ip 10 10 10 1 802 1x port enabled yes compression no current tx powers 1Mbps 19 19 2Mbps 19 19 5 5Mbps 19 19 11Mbps 19 19 6Mbps 19 19 9Mbps 19 19 12 19 19 18 0 19 19 24 19 19 36Mbps 18 18 48 17 17 54 16 16 notify external fdb no admin AT WR4562 interface wireless The ess stands for Extended Service Set IEEE 802 1 wireless networking 4 3 3 Nstreme Settings Submenu level interface wireless nstreme Description You can switch a wireless card to the nstreme mode In that case the card will work only with nstreme clients Property Description disable csma yes no default no disable CSMA CA when polling is used better performance enable nstreme yes no default no whether to switch the card into the nstreme mode enable polling yes no default yes whether to use polling for clients framer limit integer default 3200 maximal frame size framer policy none best fit exact size dynamic size default none the method how to combine frames A number of frames may be combined into a bigger one to reduce the amount of protocol AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 41 RouterOS v3 Configuration and User Guide overhead and thus increase speed The card is not waiting for frames but in case a number of
262. ent to Allied Telesis without an RMA number will be returned to the sender at the sender s expense To obtain an RMA number contact Allied Telesis Technical Support through our web site http www alliedtelesis com support Sales or Corporate Information You can contact Allied Telesis for sales or corporate information through our web site http www alliedtelesis com To find the contact information for your country select Contact Us gt Worldwide Contacts Management Software Updates New releases of management software for our managed products are available from either of the following Internet sites e Allied Telesis web site http www alliedtelesis com support software e Allied Telesis FTP server ftp ftp alliedtelesis com If you prefer to download new software from the Allied Telesis FTP server from your workstation s command prompt you will need FTP client software and you must log in to the server Enter anonymous for the user name and your email address for the password Tell Us What You Think If you have any comments or suggestions on how we might improve this or other Allied Telesis documents please contact us at http www alliedtelesis corn 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Introduction Thank you for purchasing an AT WR4500 series Wireless Router Please refer to the ATWR45xx Quick Installation Guide for
263. er Guide RouterOS has very powerful firewall implementation with features including e stateful packet filtering e peer to peer protocols filtering e traffic classification by source MAC address IP addresses network or list and address types broadcast local multicast unicast port or port range IP protocols protocol options ICMP type and code fields TCP flags IP options and MSS interface the packet arrived from or left through internal flow and connection marks ToS DSCP byte packet content rate at which packets arrive and sequence numbers packet size packet arrival time and much more General Filtering Principles The firewall operates by means of firewall rules A rule is a definitive form expression that tells the router what to do with a particular IP packet Each rule consists of two parts that are the matcher which matches traffic flow against given conditions and the action which defines what to do with the mathched packets Rules are organized in chains for better management The filter facility has three default chains input forward and output that are responsible for traffic coming from throurh and to the router respectively New user defined chains can be added as necessary Since these chains have no default traffic to match rules with action jump and relevant jump target should be added to one or more of the three default chains Filter Chains As mentioned before the firewall filtering rules are grou
264. er possible 8 1 2 EolP Setup Submenu level interface eoip Property Description arp disabled enabled proxy arp reply only default enabled Address Resolution Protocol mac address MAC address MAC address of the EolP interface You can freely use MAC addresses that are in the range from 00 00 5E 80 00 00 to 00 00 5E FF FF FF mtu integer default 1500 Maximum Transmission Unit The default value provides maximal compatibility name name default eoip tunnelN interface name for reference remote address the IP address of the other side of the EoIP tunnel must be a RouterOS router tunnel id integer a unique tunnel identifier tunnel id is method of identifying tunnel There should not be tunnels with the same tunnel id on the same router tunnel id on both participant routers must be equal mtu should be set to 1500 to eliminate packet refragmentation inside the tunnel that allows transparent bridging of Ethernet like networks so that it would be possible to transport full sized Ethernet frame over the tunnel When bridging EolP tunnels it is highly recommended to set unique MAC addresses for each tunnel for the bridge algorithms to work correctly For EolP interfaces you can use MAC addresses that are in the range from 00 00 5E 80 00 00 to 00 00 5E FF FF FF which IANA has reserved for such cases Alternatively you can set the second bit of the first byte to mark the address as locally
265. erface max message age time default 20s how long to remember Hello messages received from other bridges mtu integer default 1500 Maximum Transmission Unit name name default bridgeN a descriptive name of the bridge interface priority integer 0 65535 default 32768 bridge interface priority The priority argument is used by Spanning Tree Protocol to determine which port remains enabled if at least two ports form a loop protocol mode none rstp stp default none whether to enable the Spanning Tree Protocol or the Rapid Spanning Tree Protocol Bridging loops will only be prevented if this property is turned on transmit hold count Example To add and enable a bridge interface that will forward all the protocols adminQ AT WR4562 interface bridge add print Flags X disabled R running 1R name bridgel mtu 1500 arp enabled mac address 00 0D B9 12 B3 F9 protocol mode none priority 0x8000 auto mac yes admin mac 00 00 00 00 00 00 max message age 20s forward delay 15s transmit hold count 6 ageing time 5m 4 5 3 Port Settings Submenu level interface bridge port Description The submenu is used to enslave interfaces in a particular bridge interface Property Description edge auto no no discover yes yes discover default auto an edge port is a switch port that is never intended to be connected to another bidge device external fdb auto no yes default auto external for
266. erver but no response is received from it Solution check whether the RADIUS server is running and is reachable from the HotSpot router 10 3 12 HotSpot How to s Description This section will focus on some simple examples of how to use your HotSpot system as well as give some useful ideas Setting up https authorization At first certificate must be present with decrypted private key admin AT WR4562 gt certificate print Flags decrypted private key private key rsa D dsa KR name hotspot example net sub ject C LV L Riga O MT OU dev CN hot spot example net emailAddress admin hotsot example net issuer C LV L Riga O MT OU dev CN hotsot example net emailAddress admin hotsot example net serial number 0 email admin hotsot example net invalid before oct 27 2004 11 43 22 invalid after oct 27 2005 11 43 22 ca yes Then we can use that certificate for hotspot ip hotspot profile set default login by cookie http chap https Ssl certificate hotsot example net After that we can see that HTTPS is running on hotspot interface admin AT WR4562 gt ip hotspot print Flags X disabled I invalid S HTTPS NAME INTERFACE ADDRESS POOL PROFILE IDLE TIMEOUT 0 S hs local local default 00 05 00 Bypass hotspot for some devices in hotspot network All IP binding entries with type property set to bypassed will not be asked to authorize it means that they will h
267. es 226 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide hotspot service port address translation helpers for the one to one NAT hotspot walled garden Walled Garden rules at HTTP level DNS names HTTP request substrings e hotspot walled garden ip Walled Garden rules at IP level IP addresses IP protocols hotspot user local HotSpot system users hotspot user profile local HotSpot system users profiles user groups hotspot active dynamic list of all authenticated HotSpot users e hotspot cookie dynamic list of all valid HTTP cookies 10 1 2 Question amp Answer Based Setup Command name ip hotspot setup Questions address pool of network name IP address pool for the HotSpot network dns name text DNS domain name of the HotSpot gateway will be statically configured on the local DNS proxy dns servers IP address IP address DNS servers for HotSpot clients hotspot interface name interface to run HotSpot on ip address of smtp server IP address default 0 0 0 0 IP address of the SMTP server to redirect SMTP requests TCP port 25 to 0 0 0 0 no redirect local address of network IP address default 10 5 50 1 24 HotSpot gateway address for the interface masquerade network yes no default yes whether to masquerade the HotSpot network name of local hotspot user
268. es assigned to it In case of bridging or PPPoE connection the physical interface may bot have any address assigned yet be perfectly usable Putting an IP address to a physical interface included in a bridge would mean actually putting it on the bridge interface itself You can use ip address print detail to see to which interface the address belongs to RouterOS has following types of addresses Static manually assigned to the interface by a user Dynamic automatically assigned to the interface by DHCP or an estabilished PPP connections 88 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Property Description actual interface read only name only applicable to logical interfaces like bridges or tunnels Holds the name of the actual hardware interface the logical one is bound to address IP address IP address broadcast IP address default 255 255 255 255 broadcasting IP address calculated by default from an IP address and a network mask disabled yes no default no specifies whether the address is disabled or not interface name interface name the IP address is assigned to netmask IP address default 0 0 0 0 specifies network address part of an IP address network IP address default 0 0 0 0 IP address for the network For point to point links it should be the address of the remote end You cannot have two different IP addresses
269. es dst host and dst path match a complete string i e they will not match example com if they are set to example Available wildcards are match any number of any characters and match any one character Regular expressions are also accepted here but if the property should be treated as a regular expression it should start with a colon 7 Small hits in using regular expressions symbol sequence is used to enter character in console pattern means only in regular expressions single dot in pattern means any symbol to show that no symbols are allowed before the given pattern we use symbol at the beginning of the pattern to specify that no symbols are allowed after the given pattern we use symbol at the end of the pattern You can not use path property for HTTPS requests as router can not and should not that is what the HTTPS protocol was made for decrypt the request AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 231 RouterOS v3 Configuration and User Guide Example To allow unauthorized requests to the www example com domain s paynow html page admin AT WR4562 ip hotspot walled garden gt add path paynow html dst host www example com adminQ AT WR4562 ip hotspot walled garden gt print Flags X disabled D dynamic 0 dst host www example com path paynow html action allow adminQ AT WR4562 ip hotspot walled garden gt 10 3 4 P level
270. ess read only MAC address MAC address of the AP band read only text in which standard does the AP operate bss read only yes no basic service set freeze time interval time default I s time in seconds to refresh the displayed data freq read only integer the frequency of AP interface name name the name of interface which will be used for scanning APs privacy read only yes no whether all data is encrypted or not signal strength read only integer signal strength in dBm ssid read only text service set identifier of the AP Example Scan the 5GHz band adminGAT WR4562 interface wireless scan wlanl Flags A active B bss P privacy R routeros network N nstreme ADDRESS SSID BAND FREQ SIG RADIO NAME 00 0C 42 05 00 28 test 5ghz 5180 77 000C42050028 AB 00 02 6F 20 34 82 aapl 5ghz 5180 73 00026F203482 AB 00 0B 6B 30 80 0F www 5ghz 5180 84 AB R 00 0B 6B 31 B6 D7 www 5ghz 5180 81 000B6B31B6D7 AB R 00 0B 6B 33 1A D5 R52 test new 5ghz 5180 79 000B6B331AD5 00 0B 6B 33 0D EA short5 5ghz 5180 70 000B6B330DEA 00 0B 6B 31 52 69 AT WR4500 5ghz 5220 69 000B6B315269 AB 00 0B 6B 33 12 BF long2 5ghz 5260 55 000B6B3312BF Q quit D dump C z pause adminGAT WR4562 interface wireless 56 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 4 3 16 Security Profiles Submenu l
271. ess Routers RouterOS v3 Configuration and User Guide Change of Authorization RADIUS disconnect and Change of Authorization according to RFC3576 are supported as well These attributes may be changed by a CoA request from the RADIUS server e Mikrotik Group e Mikrotik Recv Limit e Mikrotik Xmit Limit e Mikrotik Rate Limit e Ascend Data Rate only if Mikrotik Rate Limit is not present e Ascend XMit Rate only if Mikrotik Rate Limit is not present e Mikrotik Mark ld e Filter ld e Mikrotik Advertise Url e Mikrotik Advertise Interval e Session Timeout dle Timeout e Port Limit It is not possible to change IP address pool or routes that way for such changes user must be disconnected first Attribute Numeric Values Name VendorlD Value RFC where it is defined Acct Authentic 45 RFC2866 Acct Delay Time 41 RFC2866 Acct Input Gigawords 52 RFC2869 Acct Input Octets 42 RFC2866 Acct Input Packets 47 RFC2866 Acct Interim Interval 85 RFC2869 Acct Output Gigawords 53 RFC2869 Acct Output Octets 43 RFC2866 Acct Output Packets 48 RFC2866 Acct Session ld 44 RFC2866 Acct Session Time 46 RFC2866 Acct Status Type 40 RFC2866 Acct Terminate Cause 49 RFC2866 Ascend Client Gateway 529 132 Ascend Data Rate 529 197 Ascend Xmit Rate 529 255 AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Name VendorlD Value RFC where it is defined Call
272. ess list dst nat jump log masquerade netmap passthrough redirect return same src nat default accept action to undertake if the packet matches the rule accept accepts the packet No action is taken i e the packet is passed through and no more rules are applied to it add dst to address list adds destination address of an IP packet to the address list specified by 218 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide address list parameter add src to address list adds source address of an IP packet to the address list specified by address list parameter dst nat replaces destination address of an IP packet to values specified by to addresses and to ports parameters jump jump to the chain specified by the value of the jump target parameter log each match with this action will add a message to the system log masquerade replaces source address of an IP packet to an automatically determined by the routing facility IP address netmap creates static mapping of one set of IP addresses to another one Often used to distribute public IP addresses to hosts on private networks passthrough ignores this rule goes on to the next one redirect replaces destination address of an IP packet to one of the router s local addresses return passes control back to the chain from where the jump took place same gives a particular client the same sou
273. essed normally just like any other routed packet dst nat change destination MAC address of a packet only valid in dstnat chain an let bridging code to decide further actions jump jump to the chain specified by the value of the jump target argument log log the packet mark mark the packet to use the mark later passthrough ignore this rule and go on to the next one Acts the same way as a disabled rule except for ability to count packets redirect redirect the packet to the bridge itself only valid in dstnat chain an let bridging code to decide further actions return return to the previous chain from where the jump took place to dst mac address MAC address destination MAC address to put in Ethernet frames when action dst nat is selected 86 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 4 5 11 Troubleshooting Description Router shows that my rule is invalid e in interface in bridge or in bridge port is specified but such an interface does not exist e there is an action mark packet but no new packet mark e there is an action mark connection but no new connection mark e there is an action mark routing but no new routing mark Non presente nel manual pdf AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 87 RouterOS v3 Configuration and User Guide 5 IP and Routing 5 1 IP Addresses and ARP 5 1 1 General Information
274. estabilished invalid new related interprets the connection tracking analysis data for a particular packet estabilished a packet which belongs to an existing connection exempli gratia a reply packet or a packet which belongs to already replied connection invalid a packet which could not be identified for some reason This includes out of memory condition and ICMP errors which do not correspond to any known connection It is generally advised to drop these packets new a packet which begins a new TCP connection related a packet which is related to but not part of an existing connection such as ICMP errors or a packet which begins FTP data connection the later requires enabled FTP connection tracking helper under ip firewall service port connection type ftp gre h323 irc mms pptp quake3 tftp matches packets from related connections based on information from their connection tracking helpers A relevant connection helper must be enabled under ip firewall service port content text the text packets should contain in order to match the rule dscp integer 0 63 DSCP ex ToS IP header field value dst address IP address netmask IP address IP address specifies the address range an IP packet is destined to Note that console converts entered address netmask value to a valid network address i e 1 1 1 1 24 is converted to 1 1 1 0 24 dst address list name matches destination address of a packet against
275. et to your own page The server is capable of resolving DNS requests based on POSIX basic regular expressions so that multiple requets can be matched with the same entry In case an entry does not conform with DNS naming standards it is considered a regular expression and marked with R flag The list is ordered and is checked from top to bottom Regular expressions are checked first then the plain records Property Description address IP address IP address to resolve domain name with name text DNS name to be resolved to a given IP address May be a regular expression ttl time time to live of the DNS record Reverse DNS lookup Address to Name of the regular expression entries is not possible You can however add an additional plain record with the same IP address and specify some name for it Remember that the meaning of a dot in regular expressions is any character so the expression should be escaped properly For example if you need to match anything within example com domain but not all the domains that just end with example com like www another example com use name example com Regular expression matching is significantly slower than of the plain entries so it is advised to minimize the number of regular expression rules and optimize the expressions themselves Example To add static DNS entry for www example com to be resolved to 10 0 0 1 IP address admin AT WR4562 i
276. et of standards These interfaces use radio waves as a physical signal carrier and are capable of data transmission with speeds up to 108 Mbps in 5GHz turbo mode RouterOS can operate wireless interfaces as wireless clients station mode wireless bridges bridge mode wireless access points ap bridge mode and for antenna positioning alignment only mode RouterOS provides a complete support for IEEE 802 11 802 11 and 802 112 wireless networking standards There are several additional features implemented for the wireless networking in RouterOS WPA Wi Fi Protected Access WEP Wired Equivalent Privacy software and hardware AES encryption WDS Wireless Distribution System DFS Dynamic Frequency Selection Alignment mode for positioning antennas and monitoring wireless signal VAP Virtual Access Point ability to disable packet forwarding among clients Nstreme wireless transmission protocol and others The Nstreme protocol is proprietary i e incompatible with other vendors wireless protocol aimed to improve point to point and point to multipoint wireless links Advanced version of Nstreme called Nstreme2 works with a pair of wireless interfaces Atheros AR5210 and newer MAC chips only one for transmitting data and one for receiving Benefits of Nstreme protocol e Client polling Polling reduces media access times because the card does not need to ensure the air is free each time it needs to transmit data the polling mech
277. eudobridge clone similar to the station pseudobridge but the station will clone MAC address of a particular device set in the station bridge clone mac property i e it will change itsown 38 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide address to the one of a different device In case no address is set in the station bridge clone mac property the station postpones connecting to an AP until some packet with the source MAC address different from any of the router itself needs to be transmitted over that interface It then connects to an AP with the MAC address of the device that have sent that packet station wds the interface is working as a station but can communicate with a WDS peer wds slave the interface is working as it would work in ap bridge mode but it adapts to its WDS peer s frequency if it is changed mtu integer 68 1600 default 1500 Maximum Transmission Unit name name default wlanN assigned interface name noise floor threshold integer default 128 127 default default noise strength dBm below which the card will transmit on fail retry time time default 100 5 time after which we repeat to communicate with a wireless device if a data transmission has failed 3 times on the lowest rate periodic calibration default disabled enabled default default to ensure performance of chipset over temperature and environmental cha
278. evel interface wireless security profiles Description This section provides WEP Wired Equivalent Privacy and WPA WPA2 Wi Fi Protected Access functions to wireless interfaces WPA The Wi Fi Protected Access is a combination of 802 1 EAP MIC TKIP and AES This is a easy to configure and secure wireless mechanism It has been later updated to version 2 to provide greater security Pairwise master key caching for EAP authentification is supported for 2 This means that disconnected client can connect without repeated EAP authentication if keys are still valid changed to interface or security profile configuration restart or Session Timeout in case of RADIUS authentication WEP The Wired Equivalent Privacy encrypts data only between 802 11 devices using static keys It is not considered a very secure wireless data encryption mechanism though it is better than no encryption at all The configuration of WEP is quite simple using RouterOS security profiles Property Description authentication types multiple choice wpa psk wpa2 psk wpa eap wpa2 eap default the list of accepted authentication types APs will advertise the listed types Stations will choose the AP which supports the best type from the list WPA2 is always preferred to WPA I EAP is preferred to PSK eap methods multiple choice eap tls passthrough the ordered list of EAP methods APs will to propose to the stations one by one if fi
279. evel user Hardware usage Not significant Related Topics PPP User AAA Software Package Management Description RouterOS router user facility manage the users connecting the router from the local console via serial terminal telnet SSH or Winbox The users are authenticated using either local database or designated RADIUS server Each user is assigned to a user group which denotes the rights of this user A group policy is a combination of individual policy items In case the user authentication is performed using RADIUS the RADIUS client should be previously configured under the radius submenu 146 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 7 3 2 Router User Groups Submenu level user group Description The router user groups provide a convenient way to assign different permissions and access rights to different user classes Property Description name name the name of the user group policy multiple choice local telnet ssh ftp reboot read write policy test winbox password web sniff group policy item set local policy that grants rights to log in locally via local console telnet policy that grants rights to log in remotely via telnet ssh policy that grants rights to log in remotely via secure shell protocol ftp policy that grants remote rights to log in remotely via FTP and to transfer files from and to the r
280. existing connection exempli gratia a reply packet or a packet which belongs to already replied connection invalid a packet which could not be identified for some reason This includes out of memory condition and ICMP errors which do not correspond to any known connection It is generally advised to drop these packets new a packet which begins a new TCP connection related a packet which is related to but not part of an existing connection such as ICMP errors or a packet which begins FTP data connection the later requires enabled FTP connection tracking helper under ip firewall service port connection type ftp gre h323 irc mms pptp quake3 tftp match packets from related connections based on information from their connection tracking helpers A relevant connection helper must be enabled under ip firewall service port content text the text packets should contain in order to match the rule dscp integer 0 63 DSCP ex ToS IP header field value dst address IP address netmask IP address IP address specify the address range an IP packet is destined to Note that console converts entered address netmask value to a valid network address ie 1 1 1 1 24 is converted to 1 1 1 0 24 dst address list name match destination address of a packet against user defined address list dst address type unicast local broadcast multicast match destination address type of the IP packet one of the unicast IP add
281. extension npk e g system 3 2 npk routerboard 3 2 npk Package routeros x86 contains all necessary packages for RouterOS installation and upgrading for AT WR456x Wireless Routers You should check the available hard disk space prior to downloading the package file by issuing system resource print command If there is not enough free disk space for storing the upgrade packages it can be freed up by uninstalling some software packages which provide functionality not required for your needs If you have a sufficient amount of free space for storing the upgrade packages connect to the router using ftp Use user name and password of a user with full access privileges Step by Step Connect to the router using ftp client e Select the BINARY mode file transfer e Upload the software package files to the router e Check the information about the uploaded software packages using the file print command e Reboot the router by issuing the system reboot command or by pressing Ctrl Alt Del keys at the router s console e After reboot verify that the packages were installed correctly by issuing system package print command e The packages uploaded to the router should retain the original name and also be in lowercase The installation upgrade process is shown on the console screen monitor attached to the router Before upgrading the router please check the current version of the system package and the additional software packages The ve
282. f Service ToS is a standard field of IP packet and it is used by many network applications and hardware to specify how the traffic should be treated by the gateway RouterOS works with the full ToS byte It does not take account of reserverd bits in this byte because they have been redefined many times and this approach provides more flexibility It means that it is possible to work with DiffServ marks Differentiated Services Codepoint DSCP as defined in RFC2474 and ECN codepoints Explicit Congestion Notification ECN as defined in RFC3168 which are using the same field in the IP protocol header Note that it does not mean that RouterOS supports DiffServ or ECN it is just possible to access and change the marks used by these protocols RFC1349 defines these standard values e normal normal service ToS 0 e low cost minimize monetary cost ToS 2 e max reliability maximize reliability ToS 4 max throughput maximize throughput ToS 8 e low delay minimize delay 5 16 Peer to Peer protocol filtering Peer to peer protocols also known as p2p provide means for direct distributed data transfer between individual network hosts While this technology powers many brilliant applications like Skype it is 216 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide widely abused for unlicensed software and media destribution Even when it is used for legal purposes
283. fect a marked reduction in routing traffic as compared to treating the entire Autonomous System as a single link state domain 60 80 routers have to be the maximum in one area Property Description area id IP address default 0 0 0 0 OSPF area identifier Default area id 0 0 0 0 is the backbone area The OSPF backbone always contains all area border routers The backbone is responsible for distributing routing information between non backbone areas The backbone must be contiguous AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 101 RouterOS v3 Configuration and User Guide However areas do not need to be physical connected to backbone It can be done with virtual link The name and area id for this area can not be changed authentication none simple md5 default none specifies authentication method for OSPF protocol messages none do not use authentication simple plain text authentication md5 keyed Message Digest 5 authentication default cost integer default 1 specifies the default cost used for stub areas Applicable only to area boundary routers name name default OSPF area s name type default stub default default a stub area is an area which is out from part with no routers or areas beyond it A stub area is configured to avoid AS External Link Advertisements being flooded into the Stub area One of the reason to configure a Stub area is that the size of the link state database
284. ficate Certificate management driver Driver management file Local router file storage import interface Interface configuration ip log System logs password Change password ping Send ICMP Echo packets port Serial ports ppp Point to Point Protocol queue Bandwidth management quit Quit console radius Radius client settings redo Redo previously undone action routing setup Do basic setup of system snmp SNMP settings 1 1 Special login users system System information and utilities tool Diagnostics tools undo Undo previous action user export Print or save an export script that can be used to restore configuration admin AT WR4541g gt The list of available commands and menus has short descriptions next to the items You can move to the desired menu level by typing its name and hitting the Enter key for example admin AT WR4562 gt Base level menu admin AT WR4562 gt driver Enter driver to move to the driver level menu admin AT WR4562 driver Enter to move to the base level menu from any level admin AT WR4562 gt interface Enter interface to move to the interface level menu admin AT WR4562 interface gt ip Enter ip to move to the IP level menu from any level admin AT WR4562 ip AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 17 RouterOS v3 Configuration and User Gu
285. fix text all messages written to logs will contain the prefix specified herein Used in conjunction with action log new connection mark name specify the new value of the connection mark to be used in conjunction with action mark connection new dscp integer 0 63 specify the new value of the DSCP field to be used in conjunction with action change dscp new mss integer specify MSS value to be used in conjunction with action change mss new packet mark name specify the new value of the packet mark to be used in conjunction with action mark packet new priority integer specify the new value of packet priority for the priority enabled interfaces used in conjunction with action set priority from dscp set packet priority form its DSCP field value from ingress set packet priority from the INGRESS priority of the packet in case packet has been received from an interface that supports priorities VLAN or WMM enabled wireless interface 0 if not set new routing mark name specify the new value of the routing mark used in conjunction with action mark routing new ttl decrement increment set integer specify the new TTL field value used in conjunction with action change ttl decrement the value of the TTL field will be decremented for value increment the value of the TTL field will be incremented for value set the value of the TTL field will be set to value nth integer integer 0 15 integer 0 1 match a pa
286. frequency integer default 5320 Frequency to use for receiving frames rx radio name which radio should be used for receiving frames tx band operating band of the transmitting radio 2 4ghz b IEEE 802 1 Ib 2 4ghz g IEEE 802 1 2 4ghz g turbo IEEE 802 1 1g in Atheros proprietary turbo mode up to 108 5ghz IEEE 802 1 la up to 54 Mbit 5ghz turbo IEEE 802 la in Atheros proprietary turbo mode up to 108 2ghz lOmhaz variation of IEEE 802 1 1g with half the band and accordingly twice lower speed air rate of up to 27Mbit 2ghz 5mhz variation of IEEE 802 1 1g with quarter the band and accordingly four times lower speed air rate of up to 13 5Mbit 5ghz lOmhz variation of IEEE 802 1 1 with half the band and accordingly twice lower speed air rate of up to 27Mbit 5ghz 5mhz variation of IEEE 802 1 la with quarter the band and accordingly four times lower speed air rate of up to 13 5Mbit tx frequency integer default 5180 Frequency to use for transmitting frames tx radio name which radio should be used for transmitting frames a WDS cannot be used on Nstreme dual links The difference between tx freq and rx freq should be about 200 2 more is recommended because of the interference that may occur You can use different bands for rx and tx links For example transmit in 2 4ghz g turbo and receive data using 2 4ghz b band Example To enable the nstreme2 prot
287. from the user 0 no limit limit bytes out integer default 0 maximum amount of bytes user can receive i e bytes sent to the user 0 no limit limit bytes total integer default 0 maximum aggregate amount of bytes user can receive and send i e the sum of the amount of bytes sent to the user and received from it 0 no limit limit uptime time default Os total uptime limit for user pre paid time Os no limit mac address MAC address default 00 00 00 00 00 00 static MAC address If not 00 00 00 00 00 00 client is allowed to login only from that MAC address name name user name If authentication method is trial then user name will be set automaticly after following pattern T MAC adress where MAC address is trial user Mac address packets in read only integer total amount of packets received from user i e packets received from the user packets out read only integer total amount of packets sent to user i e packets sent to the user password text user password profile name default default user profile routes text routes that are to be registered on the HotSpot gateway when the client is connected The route format is dst address gateway metric for example 10 1 0 0 24 10 0 0 1 1 Several routes may be specified separated with commas If gateway is not specified the remote address is used If metric is not speciefied the metric of I is used server name all defau
288. g AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 255 RouterOS v3 Configuration and User Guide 12 Monitoring and Management 12 1 Log Management 12 1 1 General Information Summary Various system events and status information can be logged Logs can be saved in local routers file displayed in console sent to an email or to a remote server running a syslog daemon Specifications Packages required system License required Level Submenu level system logging log Standards and Technologies Syslog Hardware usage Not significant Description Logs have different groups or topics Logs from each topic can be configured to be discarded logged locally or remotely Locally log files can be stored in memory default logs are lost on reboot or on hard drive not enabled by default as is harmful for flash disks 12 1 2 General Settings Submenu level system logging Property Description action name default memory specifies one of the system default actions or user specified action listed in system logging action prefix text local log prefix topics info critical firewall keepalive packet read timer write ddns hotspot I2tp ppp route update account debug ike manager pppoe script warning async dhcp notification pptp state watchdog bgp error ipsec radius system web proxy calc event isdn ospf raw telephony wireless
289. g or omitting a specific action may result in bodily injury Caution A caution indicates that performing or omitting a specific action may result in equipment damage or loss of data AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 11 RouterOS v3 Configuration and User Guide CONTACTING ALLIED TELESIS This section provides Allied Telesis contact information for technical support as well as sales and corporate information Online Support You can request technical support online by accessing the Allied Telesis Knowledge Base http www alliedtelesis com kb You can use the Knowledge Base to submit questions to our technical support staff and review answers to previously asked questions Email and Telephone Support For Technical Support via email or telephone refer to the Support amp Services section of the Allied Telesis web site http www alliedtelesis com support Warranty For product registration and warranty conditions please visit Allied Telesis website http www alliedtelesis com support warranty Where to Find Web based Guides The installation and user guides for all Allied Telesis products are available in portable document format PDF on our web site at www alliedtelesis com You can view the documents online or download them onto a local workstation or server Returning Products Products for return or repair must first be assigned a return materials authorization RMA number A product s
290. g which will be sent to the HotSpot gateway The hash result as a password together with username is sent over network to HotSpot service so password is never sent in plain text over IP network On the client side MD5 algorithm is implemented in JavaScript applet so if a browser does not support JavaScript like for example Internet Explorer 2 0 or some PDA browsers or it has JavaScipt disabled it will not be able to authenticate users It is possible to allow unencrypted passwords to be accepted by turning on HTTP PAP authentication method but it is not recommended due to security considerations to use that feature HTTPS the same as HTTP PAP but using SSL protocol for encrypting transmissions HotSpot user just send his her password without additional hashing note that there is no need to worry about plain text password exposure over the network as the transmission itself is encrypted In either case HTTP POST method if not possible then HTTP GET method is used to send data to the HotSpot gateway HTTP cookie after each successful login a cookie is sent to the web browser and the same cookie is added to active HTTP cookie list Next time the same user will try to log in web browser will send the saved HTTP cookie This cookie will be compared with the one stored on the HotSpot gateway and only if source MAC address and randomly generated ID match the ones stored on the gateway user will be automatically logged in using the logi
291. galea for CALEA compliance none none Communications Assistance for Law Enforcement Act DHCP server and client none dhcp none support hotspot HotSpot gateway none any additional license network time protocol ntp none none support support for PPP PPTP ee PPP L2TP PPPoE and ISDN PPP support for RouterBoard routerboard be none specific functions and utilities routing support for RIP and OSPF none none support for IPSEC SSH and security none none secure WinBox connections user manager embedded RADIUS server none none with web interface AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 29 Package name Contents Prerequisites Additional License Support for wireless interfaces with updated Country Regulatory Domain settings wireless none None 30 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 4 Configuring Interfaces 4 1 General Interface Settings 4 1 1 General Information Summary AT WR4500 RouterOS supports a variety of physical and virtual interfaces like Bonding Bridge VLAN etc Each of them has its own submenu but there is also a list of all interfaces where some common properties can be configured Description The Manual describes general settings of RouterOS interfaces 4 1 2 Interface Status Submenu level interface Property Description mt
292. ges to router via ftp using the binary transfer mode and then just rebooting the router This manual discusses a more advanced method how to upgrade a router automatically If you have more than one router then this can be useful Specifications Packages required system License required Level Submenu level system upgrade AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 21 RouterOS v3 Configuration and User Guide Standards and Technologies None Hardware usage Not significant 3 2 2 System Upgrade Submenu level system upgrade Description This submenu gives you the ability to download RouterOS software packages from a remote RouterOS router Step by Step Upload desired RouterOS packages to a router not the one that you will upgrade Add this router s IP address user name and password to system upgrade upgrade package source on the router s you will be upgrading This step will only be needed once and you may continue using the same package source in future to upgrade the router s again See the next section for details Refresh available software package list system upgrade refresh See available packages using system upgrade print command Download selected or all packages from the remote router using the download or download all command Property Description name read only name package name source read only IP address source IP address of the router from which the pa
293. ggested to allow these types of ICMP traffic Ping 8 0 echo request 0 0 echo reply e Trace 11 0 TTL exceeded 3 3 Port unreachable e Path MTU discovery 3 4 Fragmentation DF Set General suggestion to apply ICMP filtering e Allow ping ICMP Echo Request outbound Echo Reply messages inbound e Allow traceroute T TL Exceeded and Port Unreachable messages inbound e Allow path MTU ICMP Fragmentation DF Set messages inbound e Block everything else Type of Service Internet paths vary in quality of service they provide They can differ in cost reliability delay and throughput This situation imposes some tradeoffs exempli gratia the path with the lowest delay may be among the ones with the smallest throughput Therefore the optimal path for a packet to follow through the Internet may depend on the needs of the application and its user As the network itself has no knowledge on how to optimize path choosing for a particular application or user the IP protocol provides a method for upper layer protocols to convey hints to the Internet Layer about how the tradeoffs should be made for the particular packet This method is implemented with the help of a special field in the IP protocol header the Type of Service field The fundamental rule is that if a host makes appropriate use of the TOS facility its network service should be at least as good as it would have been if the host had not used this facility Type o
294. gh Outdoor Wireless Routers 205 RouterOS v3 Configuration and User Guide Submenu level ip firewall mangle Standards and Technologies IP Hardware usage Increases with count of mangle rules Related Topics Addresses and ARP e Routes Equal Cost Multipath Routing Policy Routing e NAT e Filter Packet Flow 9 2 2 Mangle Submenu level ip firewall mangle Description Mangle is a kind of marker that marks packets for future processing with special marks Many other facilities in RouterOS make use of these marks e g queue trees and NAT They identify a packet based on its mark and process it accordingly The mangle marks exist only within the router they are not transmitted across the network Property Description action accept add dst to address list add src to address list change dscp change mss change ttl jump log mark connection mark packet mark routing passthrough return set priority strip ipv4 options default accept action to undertake if the packet matches the rule accept accept the packet No action i e the packet is passed through and no more rules are applied to it add dst to address list add destination address of an IP packet to the address list specified by address list parameter add src to address list add source address of an IP packet to the address list specified by address list parameter change dscp change Differentiated Services Code Point DSCP
295. gin page shown to a user to ask for username and password This page may take the following parameters username username password either plain text password in case of PAP authentication or MD5 hash of chap id variable password and CHAP challenge in case of CHAP authentication This value is used as e mail address for trial users dst original URL requested before the redirect This will be opened on successfull login popup whether to pop up a status window on successfull login radius lt id gt send the attribute identified with id in text string form to the RADIUS server in case RADIUS authentication is used lost otherwise radius lt id gt u send the attribute identified with id in unsigned integer form to the RADIUS server in case RADIUS authentication is used lost otherwise radius lt id gt lt vnd id gt send the attribute identified with id and vendor ID lt vnd id gt in text string form to the RADIUS server in case RADIUS authentication is used lost otherwise radius lt id gt lt vnd id gt u send the attribute identified with id and vendor ID lt vnd id gt in unsigned integer form to the RADIUS server in case RADIUS authentication is used lost otherwise md5 js JavaScript for MD5 password hashing Used together with http chap login method alogin html page shown after client has logged in It pops up status page and redirects browser to originally requested page before he she was redirected to the Ho
296. given in MHz 5ghz channels multiple choice read only 4920 4925 4930 4935 4940 4945 4950 4955 4960 4965 4970 4975 4980 4985 4990 4995 5000 5005 5010 5015 5020 5025 5030 5035 5040 5045 5050 5055 5060 5065 5070 5075 5080 5085 5090 5095 5100 5105 5110 5115 5120 5125 5130 5135 5140 5145 5150 5155 5160 5165 5170 5175 5180 5185 5190 5195 5200 5205 5210 5215 5220 5225 5230 5235 5240 5245 5250 5255 5260 5265 5270 5275 5280 5285 5290 5295 5300 5305 5310 5315 5320 5325 5330 5335 5340 5345 5350 5355 5360 5365 5370 5375 5380 5385 5390 5395 5400 5405 5410 5415 5420 5425 5430 5435 5440 5445 5450 5455 5460 5465 5470 5475 5480 5485 5490 5495 5500 5505 5510 5515 5520 5525 5530 5535 5540 5545 5550 5555 5560 5565 5570 5575 5580 5585 5590 5595 5600 5605 5610 5615 5620 5625 5630 5635 5640 5645 5650 5655 5660 5665 5670 5675 5680 5685 5690 5695 5700 5705 5710 5715 5720 5725 5730 5735 5740 5745 5750 5755 5760 5765 5770 5775 5780 5785 5790 5795 5800 5805 5810 5815 5820 5825 5830 5835 5840 5845 5850 5855 5860 5865 5870 5875 5880 5885 5890 5895 5900 5905 5910 5915 5920 5925 5930 5935 5940 5945 5950 5955 5960 5965 5970 5975 5980 5985 5990 5995 6000 6005 6010 6015 6020 6025 6030 6035 6040 6045 6050 6055 6060 6065 6070 6075 6080 6085 6090 6095 6100 the
297. h Outdoor Wireless Routers 133 RouterOS v3 Configuration and User Guide domain text default domain validation realm text explicitly stated realm user domain so the users do not have to provide proper ISP domain name in user name secret text default shared secret used to access the RADIUS server service multiple choice hotspot login ppp telephony wireless dhcp default router services that will use this RADIUS server hotspot HotSpot authentication service login router s local user authentication ppp Point to Point clients authentication telephony telephony accounting wireless wireless client authentication client s MAC address is sent as User Name dhcp DHCP protocol client authentication client s MAC address is sent as User Name timeout time default 1005 timeout after which the request should be resend Microsoft Windows domain of client passed to RADIUS servers that require a The order of the items in this list is meaningful Microsoft Windows clients send their usernames in form domain username When RADIUS server is authenticating user with CHAP MS CHAPv I MS CHAPv2 it is not using shared secret secret is used only in authentication reply and router is verifying it So if you have wrong shared secret RADIUS server will accept request but router won t accept reply You can see that with radius monitor command bad replies number should increase whenever
298. h action reject reject with icmp net prohibited Everything else that has not been while listed by the Walled Garden will be rejected Note usage of TCP Reset for rejecting TCP connections 11 D chain hs unauth to action return protocol icmp 12D www alliedtelesis com chain hs unauth dst address 159 148 147 196 protocol tcp src port 80 action return Same action as in rules 7 and 8 is performed for the packets destined to the clients chain hs unauth to as well 13 D chain hs unauth to action reject reject with icmp host prohibited Reject all packets to the clients with ICMP reject message 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 0 3 10 Customizing HotSpot HTTP Servlet Pages Description You can create a completely different set of servlet pages for each HotSpot server you have specifying the directory it will be stored in html directory property of a HotSpot server profile ip hotspot profile The default servlet pages are copied in the directory of your choice right after you create the profile This directory can be accessed by connecting to the router with an FTP client You can modify the pages as you like using the information from this section of the manual Available Servlet Pages Main HTML servlet pages which are shown to user redirect html redirects user to another url for example to login page login html lo
299. here is no valid SA for policy rule use if there is no valid SA send packet unencrypted like accept rule require drop packet and ask IKE daemon to establish a new SA unique same as require but establish a unique SA for this policy i e this SA may not be shared with other policy Decryption When encrypted packet is received for local host after dst nat and input filter the appropriate SA is looked up to decrypt it using packet source destination security protocol and SPI value If no SA is found the packet is dropped If SA is found packet is decrypted Then decrypted packet s fields are compared to the policy rule that SA is linked to If the packet does not match the policy rule it is dropped If the packet is decrypted fine or authenticated fine it is received once more it goes through dst nat and routing which finds out what to do either forward or deliver locally again before forward and input firewall chains a packet that was not decrypted on local host is compared with SPD reversing its matching rules If SPD requires encryption there is valid SA associated with matching SPD rule the packet is dropped This is called incoming policy check Internet Key Exchange The Internet Key Exchange IKE is a protocol that provides authenticated keying material for Internet Security Association and Key Management Protocol ISAKMP framework There are other key exchange schemes that work
300. hods 10 1 5 HotSpot User Profiles Submenu level ip hotspot user profile See HotSpot AAA section 10 2 HotSpot Users Submenu level ip hotspot user 10 2 1 Description Article moved to HotSpot AAA section 10 3 HotSpot Active Users Submenu level ip hotspot active 10 3 1 Description Article moved to HotSpot AAA section 10 3 2 HotSpot Cookies Submenu level ip hotspot cookie Description Cookies can be used for authentication in the Hotspot service Property Description domain read only text domain name if split from username expires in read only time how long the cookie is valid mac address read only MAC address user s MAC address user read only name username 230 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide There can be multiple cookies with the same MAC address For example there will be a separate cookie 6 for each web browser the same computer Cookies can expire that s the way how it is supposed to be Default validity time for cookies is 3 days 72 hours but it can be changed for each individual HotSpot server profile for example ip hotspot profile set default http cookie lifetime 1d Example To get the list of valid cookies admin AT WR4562 ip hotspot cookie print USER DOMAIN MAC ADDRESS EXPIRES IN 0 ex 01 23 45 67 89 23h54m16s
301. hotspot profile Property Description dns name text DNS name of the HotSpot server This is the DNS name used as the name of the HotSpot server i e it appears as the location of the login page This name will automatically be added as a static DNS entry in the DNS cache hotspot address IP address default 0 0 0 0 IP address for HotSpot service html directory text default hotspot name of the directory accessible with FTP which stores the HTML servlet pages when changed the default pages are automatically copied into specified directory if it does not exist already http cookie lifetime time default 3d validity time of HTTP cookies http proxy IP address default 0 0 0 0 address of the proxy server the HotSpot service will use as a parent proxy server for all those requests intercepted by Universal Proxy system and not defined in the lip proxy direct list If not specified the address defined in parent proxy parameter of ip proxy If that is absent as well the request will be resolved by the local proxy login by multiple choice cookie http chap http pap https mac trial default cookie http chap which authentication methods to use cookie use HTTP cookies to authenticate without asking user credentials Other method will be used in case the client does not have cookie or the stored username and password pair are not valid anymore since the last authentication May only be used together with o
302. ially ignored WDS cannot be used together with the Nstreme dual Example This example shows how configure a wireless client 40 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide To see current interface settings admin AT WR4562 interface wireless print Flags X disabled R running Flags X disabled R running 0 name wlanl mtu 1500 mac address 00 0C 42 18 5C 3D arp enabled interface type Atheros AR5413 mode station ssid AT WR4560 frequency 2412 band 2 4ghz b scan list default antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default compression no admin AT WR4562 interface wireless Set the ssid to mmt band to 2 4 b g and enable the interface Use the monitor command to see the connection status admin AT WR4562 interface wireless set 0 ssid mmt disabled no band 2 4ghz b g admin AT WR4562 interface wireless monitor wlanl status connected to ess band 2 4ghz g frequency 2412MHz tx rate 54Mbps rx rate 54Mbps ssid mmt bssid 00 0C 42 05 00 14 radio name 000C42050014 signal strength 23dBm tx signal strength 35dBm noise floor 96dBm signal to noise 73dB tx ccq 79 rx ccq 46 p throughput 28681 overall tx ccq 79 authenticated clients 1 curr
303. ice ppp secret add name ex service pptp password lkjrht local address 10 0 103 1 remote address 10 0 103 2 admin8 HomeOffice ppp secret print detail Flags X disabled 0 name ex service pptp caller id password lkjrht profile default local address 10 0 103 1 remote address 10 0 103 2 routes admin8 HomeOffice ppp secret 184 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Then the user should be added in the PPTP server list admin HomeOffice interface pptp server add user ex admin HomeOffice interface pptp server gt print Flags X disabled D dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME ENC 0 pptp inl ex admin HomeOffice interface pptp server gt And finally the server must be enabled admin HomeOffice interface pptp server server gt set enabled yes admin HomeOffice interface pptp server server gt print enabled yes max mtu 1460 max mru 1460 mrru disabled authentication mschap2 keepalive timeout 30 default profile default admin HomeOffice interface pptp server server gt Add a PPTP client to the RemoteOffice router admin RemoteOffice interface pptp client gt add connect to 192 168 80 1 user ex password lkjrht disabled no admin RemoteOffice interface pptp client gt print Flags disabled running 0 name pptp outl mtu 1460 mru 1460 connect to
304. id 0 interface wlanl add default route yes use peer dns yes status bound address 172 16 0 20 12 gateway 172 16 0 1 dhcp server 192 168 0 1 primary dns 159 148 147 194 expires after 2d23 58 52 admin Server ip dhcp client Specifications Packages required dhcp License required Level Submenu level ip dhcp client ip dhcp server ip dhcp relay Standards and Technologies DHCP Description The DHCP protocol gives and allocates IP addresses to IP clients DHCP is basically insecure and should only be used in trusted networks DHCP server always listens on UDP 67 port DHCP client on UDP AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 117 RouterOS v3 Configuration and User Guide 68 port The initial negotiation involves communication between broadcast addresses on some phases sender will use source address of 0 0 0 0 and or destination address of 255 255 255 255 You should be aware of this when building firewall Additional Resources http www isc org index pl sw dhcp http en tldp org HOWTO DHCP index html http en wikipedia org wiki Dhcp 6 1 2 DHCP Client Setup Submenu level ip dhcp client Description The RouterOS DHCP client may be enabled on any Ethernet like interface at a time The client will accept an address netmask default gateway and two dns server addresses The received IP address will be added to the interface with the respective netmask The default gateway
305. id connections add chain input connection state established action accept V comment Allow Established connections add chain input protocol udp action accept V comment Allow UDP add chain input protocol icmp action accept V comment Allow ICMP add chain input src address 192 168 0 0 24 action accept comment Allow access to router from known network add chain input action drop comment Drop anything else Protecting the Customer s Network To protect the customer s network we should check all traffic which goes through router and block unwanted For icmp tcp udp traffic we will create chains where will be droped all unwanted packets ip firewall filter add chain forward protocol tcp connection state invalid action drop comment drop invalid connections add chain forward connection state established action accept comment allow already established connections add chain forward connection state related action accept comment allow related connections Block IP addreses called bogons add chain forward src address 0 0 0 0 8 action drop add chain forward dst address 0 0 0 0 8 action drop add chain forward src address 127 0 0 0 8 action drop add chain forward dst address 127 0 0 0 8 action drop add chain forward src address 224 0 0 0 3 action drop add chain forward dst address 224 0 0 0 3 action drop 204 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers Rou
306. ide A command or an argument does not need to be completed if it is not ambiguous For example instead of typing interface you can type just in or int To complete a command use the Tab key The completion is optional and you can just use short command and parameter names The commands may be invoked from the menu level where they are located by typing its name If the command is in a different menu level than the current one then the command should be invoked using its full absolute or relative path for example admin AT WR4562 ip route print Prints the routing table admin AT WR4562 ip route address print Prints the IP address table admin AT WR4562 ip route ip address print Prints the IP address table The commands may have arguments The arguments have their names and values Some commands may have a required argument that has no name Command Action command Enter Executes the command Shows the list of all available commands command Displays help on the command and the list of arguments command argument n 8 Displays help on the command s argument Tab Completes the command word the input is ambiguous a second Tab gives possible options Moves up to the base level command Executes the base level command Moves up one level T Specifies an empty string wordl word2 Specifies a string of 2 words that cont
307. ight weight of the packet with non priviliged destination port random integer 1 99 matches packets randomly with given propability routing mark name matches packets marked with the specified routing mark src address address netmask IP address IP address specifies the address range an IP packet is originated from Note that console converts entered address netmask value to a valid network address 1 1 1 1 24 is converted to 1 1 1 0 24 src address list name matches source address of a packet against user defined address list src address type unicast local broadcast multicast matches source address type of the IP packet one of the unicast IP addresses used for one point to another point transmission There is only one sender and one receiver in this case local matches addresses assigned to router s interfaces broadcast the IP packet is sent from one point to all other points in the IP subnetwork multicast this type of IP addressing is responsible for transmission from one or more points to a set of other points src mac address MAC address source MAC address src port integer 0 65535 integer 0 65535 source port number or range tcp flags multiple choice ack cwr ece fin psh rst syn urg tcp flags to match ack acknowledging data cwr congestion window reduced ece ECN echo flag explicit congestion notification fin close connection psh push function
308. ility with particular routing mark same not by dst yes no specifies whether to account or not to account for destination IP address when selecting a new source IP address for packets matched by rules with action same src address address netmask IP address IP address specifies the address range an packet is originated from Note that console converts entered address netmask value to a valid network address 1 1 1 1 24 is converted to 1 1 1 0 24 src address list name matches source address of a packet against user defined address list src address type unicast local broadcast multicast matches source address type of the IP packet one of the unicast IP addresses used for one point to another point transmission There is only one sender and one receiver in this case local matches addresses assigned to router s interfaces broadcast the IP packet is sent from one point to all other points in the IP subnetwork multicast this type of IP addressing is responsible for transmission from one or more points to a set of other points src mac address MAC address source MAC address src port integer 0 65535 integer 0 65535 source port number or range tcp mss integer 0 65535 matches TCP MSS value of an IP packet time time time sat fri thu wed tue mon sun allows to create filter based on the packets arrival time and date or for locally generated packets departure time and d
309. imal amount of time connection tracking entry will survive after having seen connection termination request FIIN just after connection request SYN or having seen another termination request FIN from connection release initiator total entries read only integer number of connections currently recorded in the connection state table udp stream timeout time default 3m maximal amount of time connection tracking entry will survive after replay is seen for the last packet matching this entry connection tracking entry is assured It is used to increase timeout for such connections as H323 VoIP etc udp timeout time default 10s maximal amount of time connection tracking entry will survive after having seen last packet matching this entry The maximum timeout value depends on amount of entries connection state table If amount of entries in the table is more than e 1 16 of maximum number of entries the maximum timeout value will be day e 3 16 of maximum number of entries the maximum timeout value will be hour e 2 of maximum number of entries the maximum timeout value will be 10 minute e 3 16 of maximum number of entries the maximum timeout value will be minute The shortest timeout will always be choden between the configured timeout and the value listed above If connection tracking timeout value is less than the normal interval between the data packets rate timeout expires before the next packet arives NAT
310. in DualNS 2 interface wireless nstreme dual gt print Flags X disabled R running 0 R name nstremel mtu 1500 mac address 00 0C 42 05 00 22 arp enabled disable running check no tx radio wlan2 rx radio wlanl remote mac 00 0C 42 05 04 36 tx band 5ghz tx frequency 5180 rx band 5ghz rx frequency 5805 rates b 1Mbps 2Mbps 5 5Mbps llMbps rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps framer policy none framer limit 4000 admin DualNS 2 interface wireless nstreme dual Now complete the configuration for DualNS I admin DualNS 1 interface wireless nstreme dual gt set 0 remote mac 00 0C 42 05 00 22 admin DualNS 1 interface wireless nstreme dual gt print Flags X disabled R running 0 R name nstremel mtu 1500 mac address 00 0C 42 05 04 36 arp enabled disable running check no tx radio wlan2 rx radio wlanl remote mac 00 0C 42 05 00 22 tx band 5ghz tx frequency 5805 rx band 5ghz rx frequency 5180 rates b 1Mbps 2Mbps 5 5Mbps llMbps rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps framer policy none framer limit 4000 admin DualNS 1 interface wireless nstreme dual 70 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide WEP Security This example shows how to configure WEP Wired Equivalent Privacy on Access Point and Clients In example we will configure an Access Point which will use IO4bit wep for one
311. information how to install connect and initially setup each router model The WR4500 family of dual band outdoor wireless base routers and routing CPEs allow the building of wireless only or hybrid IP networks that are scalable reliable and fully controllable Wireless ISPs can easily and quickly provide homes in rural areas with broadband Internet access and VoIP telephony and at the same time can set up WiFi hot spots for nomadic users Enterprises can connect remote buildings without the need for expensive leased lines and can extend WiFi coverage to outdoor yards providing users with mobile intranet and Internet access everywhere Municipalities can build wireless IP networks for connecting remote offices and for increasing public safety with real time monitored surveillance cameras and continuous communication with local police patrols Local utilities can easily control their remote equipments and read in real time gas water and electricity meters without any need for expensive fiber cabling Hot spot services can be provided to hotel guests and hospital patients illuminating rooms from outside the building with a reduced impact on medical equipments because no transmit radio will be installed inside the hospital The single radio AT WR4561 model can be used as either a base router a hot spot or a wireless CPE while the dual radio AT WR4562 can be deployed at the same time as both a wireless only base router and hot spot or
312. ing and which transmitting and specify remote receiver card s MAC address adminQ AT WR4562 interface wireless nstreme dual print Flags X disabled R running 0X name n stremel mtu 1500 mac address 00 00 00 00 00 00 arp enabled disable running check no tx radio unknown rx radio unknown remote mac 00 00 00 00 00 00 tx band 5GHz tx frequency 5180 rx band 5GHz rx frequency 5320 disable csma no rates b 1Mbps 2Mbps 5 5Mbps llMbps rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps framer policy exact size framer limit 4000 admin AT WR4562 interface wireless nstreme dual gt set 0 disabled no NV tx radio wlanl rx radio wlan2 remote mac 00 0C 42 05 0B 12 adminQ AT WR4562 interface wireless nstreme dual print Flags X disabled R running 0 name n stremel mtu 1500 mac address 00 0C 42 05 0B 12 arp enabled disable running check no tx radio wlanl rx radio wlan2 remote mac 00 00 00 00 00 00 tx band 5GHz tx frequency 5180 rx band 5GHz rx frequency 5320 disable csma no rates b 1Mbps 2Mbps 5 5Mbps llMbps rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps framer policy exact size framer limit 4000 admin AT WR4562 interface wireless nstreme dual 4 3 5 Registration Table Submenu level interface wireless registration table Description In the registration table you can see various information about currently connected clients It is used only for Access Poi
313. ing src address 192 168 0 0 24 action mar new routing mark netl 1 chain prerouting src address 192 168 1 0 24 action mar new routing mark net2 admin PB Router ip firewall mangl e 68 0 0 24 ting 68 1 0 24 ting k routing k routing Route packets from network 192 168 0 0 24 to gateway 192 168 1 0 24 to gateway 2 10 0 0 3 using the according pac 10 0 0 2 packets from network ket marks If or 2 fails does not reply to pings route the respective packets to Main 10 0 0 1 admin PB Router ip route add gateway 10 0 0 2 routing ma N check gateway ping admin PB Router ip route add gateway 10 0 0 3 routing ma check gateway ping admin PB Router ip route add gateway 10 0 0 1 admin 0PB Router ip route print Flags X disabled A active D dynamic C connect S static r rip b bgp o ospf DST ADDRESS PREFSRC G GATEWAY 0 ADC 10 0 0 0 24 10 0 0 7 1 ADC 192 168 0 0 24 192 168 0 1 2 ADC 192 168 1 0 24 192 168 1 1 S 0 0 0 0 0 t 2020202 4 5 0 0 0 0 0 r 10 0 0 3 5 S 0 0 0 0 0 105020571 admin PB Router ip route rk netl rk net2 DISTANCE INTERFACE Public Locall Local2 Public Public Public 116 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 6 DHCP and DNS 6 1 DHCP Client and Server 6 1 1 General Inf
314. ion Athorization and Accounting AAA functionality Local authentication is performed using the User Database and the Profile Database The actual configuration for the given user is composed using respective user record from the User Database associated item from the Profile Database and the item in the Profile database which is set as default for a given service the user is authenticating to Default profile settings from the Profile database have lowest priority while the user access record settings from the User Database have highest priority with the only exception being particular IP addresses take precedence over IP pools in the local address and remote address settings which described later on Support for RADIUS authentication gives the ISP or network administrator the ability to manage PPP user access and accounting from one server throughout a large network The RouterOS has a RADIUS client which can authenticate for PPP PPPoE PPTP L2TP and ISDN connections The attributes received from RADIUS server override the ones set in the default profile but if some parameters are not received they are taken from the respective default profile 7 2 2 Local PPP User Profiles Submenu level ppp profile Description PPP profiles are used to define default values for user access records stored under ppp secret submenu Settings in ppp secret User Database override corresponding ppp profile settings except that single IP addresses always take
315. ion on each user once in a while the while is defined in the radius interim update property radius default domain text default default domain to use for RADIUS requests It allows to select different RADIUS servers depending on HotSpot server profile but may be handful for single RADIUS server as well radius interim update time received default received how often to sent cumulative accounting reports Os same as received received use whatever value received from the RADIUS server radius location id text Raduis Location Id attribute value to be sent to the RADIUS server radius location name text Raduis Location Name attribute value to be sent to the RADIUS server rate limit text default Rate limitation in form of rx rate tx rate rx burst rate tx burst rate rx burst threshold tx burst threshold rx burst time tx burst time priority rx rate min tx rate min from the point of view of the router so rx is client upload and tx is client download All rates should be numbers with optional k 1 0005 or M 1 000 0005 If tx rate is not specified rx rate is as tx rate too Same goes for tx burst rate and tx burst threshold and tx burst time If both rx burst threshold and tx burst threshold are not specified but burst rate is specified rx rate and tx rate is used as burst thresholds If both rx burst time and tx burst time are not specified 15 is used as default rx rate min and tx r
316. ion on the RouterOS is RFC 2003 compliant IPIP tunnel is a simple protocol that encapsulates IP packets in IP to make a tunnel between two routers The IPIP tunnel interface appears as an interface under the interface list This protocol makes multiple network schemes possible IP tunneling protocol adds the following possibilities to network setup e to tunnel Intranets over the Internet e to use it instead of source routing Quick Setup Guide To make an IPIP tunnel between two RouterOS routers with IP addresses 10 5 8 104 and 10 1 0 172 using IPIP tunnel addresses 10 0 0 1 and 10 0 0 2 follow the next steps Configuration on router with IP address 10 5 8 104 AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 159 RouterOS v3 Configuration and User Guide Add interface by default its name will be admin810 5 8 104 interface gt add local address 10 5 8 104 remote address 10 1 0 172 disabled no Add an IP address to created ipipl interface admin 10 5 8 104 ip address gt add address 10 0 0 1 24 interface ipipl Configuration on router with IP address 10 1 0 172 Add an interface by default its name will ipipl admin810 1 0 172 interface gt add local address 10 1 0 172 remote address 10 5 8 104 disabled no Add an IP address to created ipipl interface admin 10 1 0 172 ip address gt add address 10 0 0 2 24 in
317. ir rate of up to 27Mbit 5ghz 5mhz variation of IEEE 802 1 la with quarter the band and accordingly four times lower speed air rate of up to 13 5Mbit basic rates a g multiple choice 6Mbps 9Mbps 12 18 24Mbps 36Mbps 48Mbps 54Mbps default 6Mbps basic rates in 802 1 la or 802 1 Ig standard This should be the minimal speed all the wireless network nodes support they will not be ableto connect otherwise It is recommended to leave this as default basic rates b multiple choice Mbps 2Mbps 5 5Mbps 1 IMbps default I Mbps basic rates in 802 1 Ib mode This should be the minimal speed all the wireless network nodes support they will not be ableto connect otherwise It is recommended to leave this as default burst time time default disabled time in microseconds which will be used to send data without stopping Note that no other wireless cards in that network will be able to transmit data during burst time microseconds compression yes no default no if enabled on AP in ap bridge or bridge mode it advertizes that it is capable to use hardware data compression If a client connected to this AP also supports and is configured to use the hardware data compression it requests the AP to use compression This property does not affect clients which do not support compression country albania algeria argentina armenia australia austria azerbaijan bahrain belarus belgium belize
318. ireless Routers 99 RouterOS v3 Configuration and User Guide Related Topics Addresses and ARP e Routes Equal Cost Multipath Routing Policy Routing e Log Management Description Open Shortest Path First protocol is a link state routing protocol It s uses a link state algorithm to build and calculate the shortest path to all known destinations The shortest path is calculated using the Dijkstra algorithm OSPF distributes routing information between the routers belonging to a single autonomous system AS An AS is a group of routers exchanging routing information via a common routing protocol In order to deploy the OSPF all routers it will be running on should be configured in a coordinated manner It also means that the routers should have the same MTU for all the networks advertised by the OSPF protocol The OSPF protocol is started after you will add a record to the OSPF network list The routes learned by the OSPF protocol are installed in the routes table list with the distance of 10 5 3 2 General Setup Submenu level routing ospf Description In this section you will learn how to configure basic OSPF settings Property Description distribute default never if installed as type if installed as type 2 always as type always as type 2 default never specifies how to distribute default route Should be used for ABR Area Border router or ASBR Autonomous System boundary
319. irtual link should be configured on both routers 5 3 7 Neighbors Submenu level routing ospf neighbor Description The submenu provides an access to the list of OSPF neighbors id est the routers adjacent to the current router and supplies brief statistics Property Description address read only IP address appropriate IP address of the neighbor backup dr id read only IP address backup designated router s router id for this neighbor db summaries read only integer number of records in link state database advertised by the neighbor dr id read only IP address designated router s router id for this neighbor Is requests read only integer number of link state requests Is retransmits read only integer number of link state retransmits priority read only integer the priority of the neighbor which is used in designated router elections via Hello protocol on this network router id read only IP address the router id parameter of the neighbor state read only Down Attempt Init 2 Way ExStart Exchange Loading Full the state of the connection Down the connection is down Attempt the router is sending Hello protocol packets Init Hello packets are exchanged between routers to create a Neighbor Relationship 2 Way the routers add each other to their Neighbor database and they become neighbors ExStart the DR Designated Router and BDR Backup Designated Router create an adjancency
320. is displayed if user is not logged in fstatus html is displayed if fstatus html is not found redirect html is used to redirect to the login page request for logout page if user is logged in logout html is displayed if user is not logged in flogout html is displayed if flogout html is not found redirect html is used to redirect to the login page Note that if it is not possible to meet a request using the pages stored on the router s FTP server Error 404 is displayed There are many possibilities to customize what the HotSpot authentication pages look like The pages are easily modifiable They are stored on the router s FTP server in the directory you choose for the respective HotSpot server profile By changing the variables which client sends to the HotSpot servlet it is possible to reduce keyword count to one username or password for example the client s MAC address may be used as the other value or even to zero License Agreement some predefined values general for all users or client s MAC address may be used as username and password Registration may occur on a different server for example on a server that is able to charge Credit Cards Client s MAC address may be passed to it so that this information need not be written in manually After the registration the server should change RADIUS database enabling client to log in for some amount of time To insert variable in some place in HTML file the var name syntax is used where
321. isconnect timeout 3s on fail retry time 100ms preamble mode both adminQ WEP AP interface wireless access list admin8 WEP AP interface wireless 1 gt add private algo 104bit wep private key 65432109876543210987654321 interface WEP AP forwarding yes N mac address 00 0C 42 05 00 22 adminQ WEP AP interface wireless access list gt print Flags X disabled 0 mac address 00 0C 42 05 00 22 interface WEP AP authentication yes forwarding yes ap tx limit 0 client tx limit 0 private algo 104bit wep private key 65432109876543210987654321 adminQWEP AP interface wireless access list 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Configure WEP Station l admin WEP_Stationl interface wireless security profiles gt n ame Stationl N mode static keys required static sta private algo 104bit wep N Static sta private key 65432109876543210987654321 admin WEP_Stationl interface wireless security profiles gt print 0 name default mode none wpa unicast ciphers wpa group ciphers pre shared key static algo 0 none static key 0 static algo 1 none static key 1 static algo 2 none static key 2 2 static algo 3 none static key 3 static transmit key key 0 static sta private algo none static sta private key radius mac authentication no group 1 name Stationl mode static keys req
322. ith NAT routers inbetween IPsec peers This can only be used with ESP protocol AH is not supported by design as it signes the complete packet including IP header which is changed by NAT rendering AH signature invalid The method encapsulates IPsec ESP traffic into UDP streams in order to overcome some minor issues that made ESP incompatible with NAT proposal check multiple choice claim exact obey strict default strict phase 2 lifetime check logic claim take shortest of proposed and configured lifetimes and notify initiator about it exact require lifetimes to be the same obey accept whatever is sent by an initiator strict if proposed lifetime is longer than the default then reject proposal otherwise accept proposed lifetime remote certificate name name of a certificate for authenticating the remote side validating packets no private key required Only needed if RSA signature authentication method is used secret Ox it i text default secret string in case pre shared key authentication is used If it starts with s parsed as a hexadecimal value send initial contact yes no default yes specifies whether to send initial IKE information or wait for remote side AES Advanced Encryption Standard encryption algorithms are much faster than DES so it is recommended to use this algorithm class whenever possible But AES s speed is also its drawback as it potentia
323. ive already as there can not be two separate tunnel interfaces referenced by the same name Dynamic interfaces appear when a user connects and disappear once the user disconnects so it is impossible to reference the tunnel created for that use in router configuration for example in firewall AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 165 RouterOS v3 Configuration and User Guide so if you need a persistent rules for that user create a static entry for him her Otherwise it is safe to use dynamic configuration In both cases PPP users must be configured properly Property Description client address read only IP address shows the IP address of the connected client encoding read only text encryption and encoding if asymmetric separated with being used in this connection mru read only integer client s MRU mtu read only integer client s MTU name name interface name uptime read only time shows how long the client is connected user name the name of the user that is configured statically or added dynamically Example add a static entry for exl user admin AT WR4562 interface 12tp server gt add user exl admin AT WR4562 interface 12tp server gt print Flags disabled dynamic running NAME USER MTU CLIENT ADDRESS UPTIME ENC 0 DR l2tp ex ex 1460 10 0 0 202 6m32s none 1 l2tp inl ex1 adminQ QAT WR4562 interface
324. kets unaltered can only see the translated address Note also that arp mode must be enabled on the interface you use one to one NAT on 224 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Before the authentication When enabling HotSpot on an interface the system automatically sets up everything needed to show login page for all clients that are not logged in This is done by adding dynamic destination NAT rules which you can observe on a working HotSpot system These rules are needed to redirect all HTTP and HTTPS requests from unauthorized users to the HotSpot servlet i e the authentication procedure e g the login page Other rules that are also inserted we will describe later in a special section of this manual In most common setup opening any HTTP page will bring up the HotSpot servlet login page which can be customized extensively as will be described later on As normal user behavior is to open web pages by their DNS names a valid DNS configuration should be set up on the HotSpot gateway itself it is possible to reconfigure the gateway so that it will not require local DNS configuration but such a configuration is impractical and thus not recommended Walled Garden You may wish not to require authorization for some services for example to let clients access the web server of your company without registration or even to require authorization only to a
325. l routers per interface Many modern routers support this protocol Network setups with VRRP clusters provide high availability for routers without using clumsy ping based scripts Specifications Packages required system License required Level Submenu level ip vrrp Standards and Technologies VRRP AH HMAC MD5 96 within ESP and AH Hardware usage Not significant Related Topics IP Addresses and ARP Description Virtual Router Redundancy Protocol is an election protocol that provides high availability for routers A number of routers may participate in one or more virtual routers One or more IP addresses may be assigned to a virtual router A node of a virtual router can be in one of the following states e MASTER state when the node answers all the requests to the instance s IP addresses There may only be one MASTER node in a virtual router This node sends VRRP advertisement packets to all the backup routers using multicast address every once in a while set in interval property BACKUP state when the VRRP router monitors the availability and state of the Master Router It does not answer any requests to the instance s IP addresses Should master become unavailable if at least three sequential VRRP packets are lost election process happens and new master is proclaimed based on its priority For more details on virtual routers see RFC2338 VRRP does not currently work on VLAN interfaces as it is imp
326. lar station of wireless infrastructure Either our RouterOS client or Windows PPPoE clients may connect to the Access Point for PPPoE authentication Further for RouterOS clients the radio interface may be set to MTU 1600 so that the PPPoE interface may be set to MTU 1500 This optimizes the transmission of 1500 byte packets and avoids any problems associated with MTUs lower than 1500 It has not been determined how to change the MTU of the Windows wireless interface at this moment Let us consider the following setup where the WR4500 Wireless AP offers wireless clients transparent access to the local network with authentication 10 1 0 1 24 PPPoE Server Ssid mt Frequency 2442 Dynamic nterfates 4 I n 7 10 1 0 3 24 10 1 0 200 32 10 1 0 199 32 10 1 0 198 32 Reserved for Wireless PPPoE Clients 10 1 0 100 10 1 0 200 Figure 26 PPPoE Example First of all the wireless interface should be configured admin PPPoE Server interface wireless set 0 mode ap bridge frequency 2442 band 2 4ghz b g ssid mt disabled no admin PPPoE Server interface wireless print Flags X disabled R running 0 X name wlanl mtu 1500 mac address 00 0C 42 18 5C 3D arp enabled interface type Atheros AR5413 mode ap bridge ssid mt frequency 2442 band 2 4ghz b g scan list default antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no default authentication yes default forwarding yes
327. lar Ethernet bridges You can also transport VLANs over wireless links and put multiple VLAN interfaces on a single wireless interface Note that as VLAN is not a full tunnel protocol i e it does not have additional fields to transport MAC addresses of sender and recipient the same limitation applies to bridging over VLAN as to bridging plain wireless interfaces In other words while wireless clients may participate in VLANs put on wireless interfaces it is not possible to have VLAN put on a wireless interface in station mode bridged with any other interface Additional resources http www ieee802 org l pages 802 Q html http en wikipedia org wiki IEEE_802 1Q 4 4 2 VLAN Setup Submenu level interface vlan Property Description arp disabled enabled proxy arp reply only default enabled Address Resolution Protocol mode disabled the interface will not use ARP protocol enabled the interface will fully use ARP protocol proxy arp the interface will be an ARP proxy 76 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide reply only the interface will only reply to the requests for to its own IP addresses but neighbor MAC addresses will be gathered from ip arp statically set table only interface name physical interface to the network where the VLAN is put mtu integer default 1500 Maximum Transmission Unit name name interface name f
328. le time read only time the amount of time has the user been idle idle timeout read only time the exact value of idle timeout that applies to this user This property shows how long should the user stay idle for it to be logged off automatically keepalive timeout read only time the exact value of keepalive timeout that applies to this user This property shows how long should the user s computer stay out of reach for it to be logged off automatically mac address read only MAC address the actual MAC address of the user packets in read only integer how many packets did the router receive from the client packets out read only integer how many packets did the router send to the client server read only name name of the server which the host is connected to static read only flag whether this translation has been taken from the static IP binding list to address read only IP address what address is the original IP address of the host translated to uptime read only time current session time of the user i e how long has the user been in the active host list 0 3 7 Command Description make binding copy a dynamic entry from this list to the static IP bindings list Input Parameters unnamed name item number comment text custom comment to the static entry to be created type regular bypassed blocked the type of the static entry 10 3 8 Service Port Submenu level ip hotspot servi
329. ll be using is specified in netmask property 6 1 6 DHCP Server Leases Submenu level ip dhcp server lease Description DHCP server lease submenu is used to monitor and manage server s leases The issued leases are showed here as dynamic entries You can also add static leases to issue the definite client determined by MAC address the specified IP address Generally the DHCP lease it allocated as follows unused lease is in waiting state 2 if a client asks for an IP address the server chooses one 3 if the client will receive statically assigned address the lease becomes offered and then bound with the respective lease time 4 ifthe client will receive a dynamic address taken from an IP address pool the router sends a ping packet and waits for answer for 0 5 seconds During this time the lease is marked testing 5 in case the address does not respond the lease becomes offered and then bound with the respective lease time 6 in other case the lease becomes busy for the lease time there is a command to retest all busy addresses and the client s request remains unanswered the client will try again shortly A client may free the leased address When the dynamic lease is removed and the allocated address is returned to the address pool But the static lease becomes busy until the client will reacquire the address 122 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3
330. lly be cracked faster so use AES 256 when you need security or AES 28 when speed is also important Both peers MUST have the same encryption and authentication algorithms DH group and exchange mode Some legacy hardware may support only DES and MD5 You should set generate policy flag to yes only for trusted peers because there is no verification done for the established policy To protect yourself against possible unwanted events add policies with action none for all networks you don t want to be encrypted at the top of policy list Since dynamic policies are added at the bottom of the list they will not be able to override your configuration Alternatively you can use policy priorities to enforce some policies to be active always Example To define new peer configuration for 10 0 0 147 peer with secret gwejimezyfopmekun admin WiFi ip ipsec peer add address 10 0 0 147 32 N Secret gwejimezyfopmekun admin WiFi ipsec peer print Flags X disabled 0 address 10 0 0 147 32 500 secret gwejimezyfopmekun generate policy no exchange mode main send initial contact yes proposal check obey hash algorithm md5 enc algorithm 3des dh group modp1024 lifetime 1d lifebytes 0 admin WiFi ip ipsec peer gt 8 8 4 Remote Peer Statistics Submenu level ip ipsec remote peers Description This submenu provides you with various statistics about remote peers that currently have established phase connections with this router Note tha
331. lo 181 8 7 4 PPEP Seryer 181 8 7 5 182 8 7 6 1 dote oe ERR a at 182 8 7 7 PPTP Application Examples 183 8 7 8 Troubleshooting s rekrite 187 88 IP SeCU rity 187 8 8 1 General Informiation 187 8 82 Policy 189 8 8 3 191 8 8 4 Remote Peer Statistics niece rt erede arbe agb 192 8 8 5 193 8 8 6 Flushing Installed SA Table esessessesssesecsessscscsscsessecsecsessccscsecsscsecnecuecseesccuccecsecaeeneenseneescees 194 8 8 7 Application Examples ctio tet eter 195 9 Firewalliand QOS he 198 91 198 9 1 1 General Information eia cite en a eet 198 9 1 2 198 9 1 3 Filter Applications sannin ea A A r RES 203 92 iMahigle x E EEEE E E E E ET 204 9 2 1 General Informatio 204 9 2 2 E TE E EEEE EENE EREE EEE EO E M 205 9 2 3 Application EXAMP ES o eH ete eH Ree dard oe EAEn e 209 vc cor 210 9 3 1 General Information tette etes 990 210 9 3 2 Packet 210 9 3 3 Connection Tracking 212 9 3 4 Connection TIME OUtS 213 9 3 5 Service Ports
332. lt all which HotSpot server is this user allowed to log in to uptime read only time total time user has been logged in In case of mac authentication method clients MAC addresses can be used as usernames without password The byte limits are total limits for each user not for each session as at lip hotspot active So if a user has already downloaded something then session limit will show the total limit minus already downloaded For example if download limit for a user is 100 and the user has already downloaded 30MB then session download limit after login at lip hotspot active will be 100 30MB 70MB Should a user reach his her limits bytes in gt limit bytes in or bytes out gt limit bytes out he she will not be able to log in anymore The statistics is updated if a user is authenticated via local user database each time he she logs out It means that if a user is currently logged in then the statistics will not show current total values Use lip hotspot active submenu to view the statistics on the current user sessions If the user has IP address specified only one simultaneous login is allowed If the same credentials are used again when the user is still active the active one will be automatically logged Trial users will have dynamic records here with their name written as T mac where mac is the user s MAC address without the brackets email set to the password the user has supplied
333. lt burst time disabled dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both compression no allow sharedkey no admin WPA Station interface wireless gt 4 3 22 Troubleshooting Description If I use WDS and DFS the routers do not connect to each other As the WDS routers must operate at the same frequency it is very probable that DFS will not select the frequency that is used by the peer router RouterOS does not send any traffic through Cisco Wireless Access Point or Wireless Bridge If you use ClSCO Aironet Wireless Ethernet Bridge or Access Point you should set the Configuration Radio 18021 Extended Allow proprietary extensions to the Configuration Radio 1802 Extended Encapsulation Default encapsulation method to 042 If left to the default on and 802 1H respectively you won t be able to pass traffic through the bridge AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 75 RouterOS v3 Configuration and User Guide 4 4 VLAN Interfaces 4 4 1 General Information Summary VLAN is an implementation of the 802 1 Q VLAN protocol for RouterOS It allows you to have multiple Virtual LANs on a single ethernet or wir
334. ly flag the user has been authenticated through a RADIUS server via read only console telnet ssh winbox user s access method console user is logged in locally telnet user is logged in remotely via telnet ssh user is logged in remotely via secure shell protocol winbox user is logged in remotely via WinBox tool when read only date log in date and time Example To print currently active users enter the following command admin rb13 user active print Flags R radius WHEN NAME ADDRESS VIA 0 feb 27 2004 00 41 41 admin 1 1 1 200 ssh 1 feb 27 2004 01 22 34 admin 1 1 1 200 winbox admin rb13 user gt 7 3 5 Router User Remote AAA Submenu level user aaa Description Router user remote AAA enables router user authentication and accounting via RADIUS server Property Description accounting yes no default yes specifies whether to use RADIUS accounting default group name default read user group used by default for users authenticated via RADIUS server interim update time default Os RADIUS Interim Update interval AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 149 RouterOS v3 Configuration and User Guide use radius yes no default no specifies whether a user database on a RADIUS server should be consulted The RADIUS user database is queried only if the required username is not found the local user database
335. ly true false shows whether replay was seen for the last packet matching this entry connection mark read only text Connection mark set in mangle dst address read only IP address port the destination address and port the connection is established to icmp id read only integer contains the ICMP ID Each ICMP packet gets an ID set to it when it is sent and when the receiver gets the ICMP message it sets the same ID within the new ICMP message so that the sender will recognize the reply and will be able to connect it with the appropriate ICMP request icmp option read only integer the ICMP type and code fields p2p read only text peer to peer protocol protocol read only text IP protocol name or number reply dst address read only IP address port the destination address and port the reply connection is established to reply icmp id read only integer contains the ICMP ID of received packet reply icmp option read only integer the ICMP type and code fields of received packet reply src address read only IP address port the source address and port the reply connection is established from src address read only IP address port the source address and port the connection is established from tcp state read only text the state of TCP connection timeout read only time the amount of time until the connection will be timed out unreplied read only true false shows whether the request was unrepli
336. meout time none default none keepalive timeout for unauthorized clients Used to detect that the computer of the client is alive and reachable If check will fail during this period user will be dropped of the host list and the address used buy the user will be freed none do not timeout unreachable users profile name default default default HotSpot profile for the interface Command Description reset html name overwrite the existing HotSpot servlet with the original HTML files It is used if you have changed the servlet and it is not working after that addresses per mac property works only if address pool is defined Also note that case you are authenticating users connected through a router than all the IP addresses will seem to have come from one MAC address Example To add HotSpot system to the local interface allowing the system to do one to one NAT for each client addresses from the HS real address pool will be used for the NAT admin AT WR4562 ip hotspot add interface local address pool HS real admin AT WR4562 ip hotspot print Flags X disabled I invalid S HTTPS NAME INTERFACE ADDRESS POOL PROFILE IDLE TIMEOUT 0 hs local local HS real default 00 05 00 admin AT WR4562 ip hotspot 228 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 10 1 4 HotSpot Server Profiles Submenu level ip
337. mes group encryption read only aes ccm tkip group encryption algorithm used hw frame bytes read only integer integer number of sent and received data bytes including header information hw frames read only integer integer number of sent and received 802 11 data frames including retransmitted data frames interface read only name interface that client is registered to last activity read only time last interface data tx rx activity last ip read only IP address IP address found in the last IP packet received from the registered client mac address read only MAC address MAC address of the registered client nstreme read only yes no whether nstreme protocol is used for this link p throughput read only integer estimated approximate throughput that is expected to the given peer taking into account the effective transmit rate and hardware retries Calculated once in 5 seconds packed bytes read only integer integer number of bytes packed into larger frames for transmitting receiving framing packed frames read only integer integer number of frames packed into larger ones for transmitting receiving framing packets read only integer integer number of sent and received network layer packets radio name read only text radio name of the peer routeros version read only name RouterOS version of the registered client rx ccq read only integer 0 100 Client Connection Quality a
338. mic B blocked ADDRESS MAC ADDRESS HOST NAME SERVER RATE LIMIT STATUS D 10 5 2 90 00 04 EA C6 0E 40 switch bound L D 10 5 2 91 00 04 99 63 0 switch bound admin AT WR4562 ip dhcp server lease add copy from 0 address 10 5 2 100 adminQ AT WR4562 ip dhcp server lease print Flags X disabled R radius D dynamic B blocked ADDRESS MAC ADDRESS HOST NAME SERVER RATE LIMIT STATUS 0 D 10 5 2 91 00 04 99 63 0 switch bound 10 5 2 100 00 04 EA C6 0E 40 switch bound admin AT WR4562 ip dhcp server lease 6 1 7 DHCP Alert Submenu level ip dhcp server alert Description To find any rogue DHCP servers as soon as they appear in your network DHCP Alert tool can be used It will monitor ethernet for all DHCP replies and check whether this reply comes from a valid DHCP server If reply from unknown DHCP server is detected alert gets triggered admin AT WR4562 ip dhcp server alert gt log print 00 34 23 dhcp critical error warning info debug dhcp alert on Public discovered unknown dhcp server mac 00 02 29 60 36 E7 ip 10 5 8 236 admin AT WR4562 dhcp server alert When the system alerts about a rogue DHCP server it can execute a custom script As DHCP replies can be unicast rogue dhcp detector may not receive any offer to other dhcp clients at all To deal with this rogue dhcp server acts as a dhcp client as well it sends out dhcp discover requests once a minute Property Des
339. mic routes automatically created routes for networks which are directly accessed through an interface They appear automatically when adding a new IP address Dynamic routes are also added by routing protocols static routes user defined routes that specify the router which can forward traffic to the specified destination network They are useful for specifying the default gateway The gateway for static routes may be checked with either ARP or ICMP protocol for reachability so that different gateways with different priorities costs may be assigned for one destination network to provide failover ECMP Equal Cost Multi Path Routing This routing mechanism enables packet routing along multiple paths with equal cost and ensures load balancing With ECMP routing you can use more than one gateway for one destination network this approach may also be configured to provide failover With ECMP a router potentially has several available next hops towards a given destination A new gateway is chosen for each new source destination IP pair It means that for example one FTP connection will use only one link but new connection to a different server will use another link ECMP routing has another good feature single connection packets do not get reordered and therefore do not kill TCP performance The ECMP routes can be created by routing protocols RIP or OSPF or by adding a tatic route with multiple gateways separated by a comma e g ip r
340. min Nstreme AP interface wireless nstreme set wlanl enable nstreme yes admin Nstreme AP interface wireless nstreme gt print 0 name wlanl enable nstreme yes enable polling yes framer policy none framer limit 3200 admin Nstreme AP interface wireless nstreme gt AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 67 Configure Nstreme Client wireless settings and enable Nstreme on it admin Nstreme Client interface wireless set wlanl mode station ssid nstreme band 5ghz frequency 5805 disabled no admin8Nstreme Client interface wireless print Flags X disabled R running 0 name wlanl mtu 1500 mac address 00 0B 6B 34 5A 91 arp enabled disable running check no interface type Atheros AR5213 radio name 000B6B345A91 mode station ssid nstreme area frequency mode superchannel country no country set antenna gain 0 frequency 5805 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps l11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication
341. mmand Description reset mac name set the MAC address of the NIC to the factory default setting Example admin AT WR4562 gt interface print Flags disabled D dynamic running NAME TYPE MTU 0 X etherl ether 0 0 1500 admin AT WR4562 gt interface enable etherl admin AT WR4562 gt interface print Flags X disabled D dynamic running NAME TYPE RX RATE TX RATE MTU 0 etherl ether 0 0 1500 admin AT WR4562 gt interface ethernet admin AT WR4562 interface ethernet print Flags X disabled R running NAME MTU MAC ADDRESS ARP 0 etherl 1500 00 0C 42 03 00 F2 enabled admin AT WR4562 interface ethernet print detail Flags X disabled R running 0 name etherl1 mtu 1500 mac address 00 0C 42 03 00 F2 arp enabled disable running check yes auto negotiation yes full duplex yes cable settings default speed 100Mbps admin AT WR4562 interface ethernet 4 2 3 Monitoring the Interface Status Command name interface ethernet monitor Property Description auto negotiation done incomplete fast link pulses FLP to the adjacent link station to negotiate the SPEED and MODE of the link Both stations choose the maximal speed boh support done negotiation done incomplete negotiation failed default cable setting read only short standard default cable length setting only applicable to NS DP83815 6 ca
342. more details on setting up encrypted channels AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 153 RouterOS v3 Configuration and User Guide Configure the EolP tunnel by adding the eoip tunnel interfaces at both routers Use the ip addresses of the pptp tunnel interfaces when specifying the argument values for the EolP tunnel admin Our_GW interface eoip gt add name eoip remote tunnel id 0 N remote address 10 0 0 2 admin Our_GW interface eoip enable eoip remote admin Our_GW interface eoip gt print Flags X disabled R running 0 name eoip remote mtu 1500 arp enabled remote address 10 0 0 2 tunnel id 0 admin Our_GW interface eoip admin Remote interface gt add name eoip tunnel id 0 remote address 10 0 0 1 admin Remote interface eoip gt enable eoip main admin Remote interface eoip gt print Flags X disabled running 0 name eoip mtu 1500 arp enabled remote address 10 0 0 1 tunnel id 0 Remote interface eoip gt Enable bridging between the EolP and Ethernet interfaces on both routers On the Our admin Our interface bridge add admin Our GW interface bridge print Flags X disabled R running 0 name bridgel mtu 1500 arp enabled mac address 00 00 00 00 00 00 protocol mode none priority 0x8000 auto mac yes admin mac 00 00 00 00 00 00 max message age 20s forward delay 15s transmit hold count 6 ageing time 5m a
343. n Standard in Counter with CBC MAC encryption algorithm and accept only these packets tkip use the TKIP Temporal Key Integrity Protocol and accept only these packets static algo I 40bit wep 104bit wep aes ccm default none which encryption algorithm to use none do not use encryption and do not accept encrypted packets 40bit wep use the 40bit encryption also known as 64bit wep and accept only these packets 104bit wep use the 1045 encryption also known as 28bit wep and accept only these packets aes ccm use the AES CCM Advanced Encryption Standard in Counter with CBC MAC encryption algorithm and accept only these packets tkip use the TKIP Temporal Key Integrity Protocol and accept only these packets static algo 2 none 40bit wep 104bit wep aes ccm default none which encryption algorithm to use none do not use encryption and do not accept encrypted packets 40bit wep use the 40bit encryption also known as 64bit wep and accept only these packets 104bit wep use the 104bit encryption also known as 28bit wep and accept only these packets aes ccm use the AES CCM Advanced Encryption Standard in Counter with CBC MAC encryption algorithm and accept only these packets tkip use the TKIP Temporal Key Integrity Protocol and accept only these packets static algo 3 none 40bit wep 104bit wep aes ccm default none which encryption algorithm to use
344. n a burst log prefix text all messages written to logs will contain the prefix specified herein Used in conjunction with action log nth integer integer 0 15 integer 0 1 match a particular Nth packet received by the rule One of 16 available counters can be used to count packets 220 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide every match every th packet For example if every I then the rule matches every 2nd packet counter specifies which counter to use A counter increments each time the rule containing nth match matches packet match on the given packet number The value by obvious reasons must be between 0 and every If this option is used for a given counter then there must be at least 1 rules with this option covering all values between 0 and every inclusively out bridge port name actual interface the packet is leaving the router through if bridged this property matches the actual bridge port while out interface the bridge itself out interface name interface the packet is leaving the router through if the interface is bridged then the packet will appear to leave through the bridge interface itself packet mark text matches packets marked via mangle facility with particular packet mark packet size integer 0 65535 integer 0 65535 0 1 matches packet of the specified size or size range in bytes min sp
345. n information username and password pair was used when the cookie was first generated Otherwise the user will be prompted to log in and in the case authentication is successful old cookie will be removed from the local HotSpot active cookie list and the new one with different random ID and expiration time will be added to the list and sent to the web browser It is also possible to erase cookie on user manual logoff not in the default server pages but you can modify them to perform this This method may only be used together with HTTP PAP HTTP CHAP or HTTPS methods as there would be nothing to generate cookies in the first place otherwise MAC address try to authenticate clients as soon as they appear in the hosts list as soon as they have sent any packet to the HotSpot server using client s MAC address as username Trial users may be allowed to use the service free of charge for some period of time for evaluation and be required to authenticate only after this period is over HotSpot can be configured to allow some AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 225 RouterOS v3 Configuration and User Guide amount of time per MAC address to be freely used with some limitations imposed by the provided user profile In case the MAC address still has some trial time unused the login page will contain the link for trial login The time is automatically reset after the configured amount of time so that for example
346. n redirect dst address is changed Information about translation of addresses including original dst address is kept in router s internal tables Transparent web proxy working on router when web requests get redirected to proxy port on router can access this information from internal tables and get address of web server from them If you are dst natting to some different proxy server it has no way to find web server s address from IP header because dst address of IP packet that previously was address of web server has changed to address of proxy server Starting from there is special header HTTP request which tells web server address so proxy server can use it instead of dst address of IP packet If there is no such header older HTTP version on client proxy server can not determine web server address and therefore can not work It means that it is impossible to correctly transparently redirect HTTP traffic from router to some other transparent proxy box Only correct way is to add transparent proxy on the router itself and configure it so that your real proxy is parent proxy In this situation your real proxy does not have to be transparent any more as proxy on router will be transparent and will forward proxy style requests according to standard these requests include all necessary information about web server to real proxy Property Description action accept add dst to address list add src to addr
347. n run completely different HotSpot configurations on different interfaces Property Description HTTPS read only flag whether the HTTPS service is actually running on the interface i e it is set up in the server profile and a valid certificate is imported in the router address pool name none default none IP address pool name for performing one to one NAT You can choose not to use the one to one NAT none do not perform one to one NAT for the clients of this HotSpot interface addresses per mac integer unlimited default 2 number of IP addresses allowed to be bind with any particular MAC address it is a small chance to reduce denial of service attack based on taking over all free IP addresses in the address pool Not available if address pool is set to none unlimited number of IP addresses per one MAC address is not limited idle timeout time none default 00 05 00 idle timeout maximal period of inactivity for unauthorized clients It is used to detect that client is not using outer networks e g Internet i e there is NO TRAFFIC coming from that client and going through the router Reaching the timeout user will be dropped of the host list and the address used buy the user will be freed none do not timeout idle users interface name interface to run HotSpot on ip of dns name read only IP address IP address of the HotSpot gateway s DNS name set in the HotSpot interface profile keepalive ti
348. n tWDS Station interface bridge print Flags X disabled R running 0 R name bridgel mtu 1500 arp enabled mac address 11 05 00 00 02 00 stp no priority 32768 ageing time 5m forward delay 15s garbage collection interval 4s hello time 2s max message age 20s adminfWDS Station interface bridge port admin tWDS Station interface bridge port add interface etherl bridge bridgel admin tWDS Station interface bridge port add interface wlanl bridge bridgel admin8RWDS Station interface bridge port interface wireless admin8RWDS Station interface wireless set wlanl mode station wds disabled no N ssid wds sta test band 2 4ghz b g admin tWDS Station interface wireless print Flags X disabled R running 0 name wlanl mtu 1500 mac address 00 0B 6B 34 5A 91 arp enabled disable running check no interface type Atheros AR5213 radio name 000B6B345A91 mode station wds ssid wds sta test area frequency mode superchannel country no country set antenna gain 0 frequency 2412 band 2 4ghz b g scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps llMbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds
349. name interface via packet is leaving the bridge 4 5 9 Bridge NAT Submenu level interface bridge nat Description This section describes bridge NAT options which were omitted in the general firewall description AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 85 RouterOS v3 Configuration and User Guide Property Description action accept arp reply drop dst nat jump log mark passthrough redirect return src nat default accept action to undertake if the packet matches the rule one of the accept accept the packet No action i e the packet is passed through without undertaking any action and no more rules are processed in the relevant list chain arp reply send a reply to an ARP request any other packets will be ignored by this rule with the specified MAC address only valid in dstnat chain drop silently drop the packet without sending the ICMP reject message dst nat change destination MAC address of a packet only valid in dstnat chain jump jump to the chain specified by the value of the jump target argument log log the packet mark mark the packet to use the mark later passthrough ignore this rule and go on to the next one Acts the same way as a disabled rule except for ability to count packets redirect redirect the packet to the bridge itself only valid in dstnat chain return return to the previous chain from where the jump took place src nat chang
350. ne oe bend da 253 11 2 1 Ceneral lnforTriatioTi db Dd 253 11 2 2 Hardware Watchdog Management ssssssssssscscssssssnssssssssssessessscsessssnssseesseenseseeseeesesee 253 Monitoring and Management 000000000 255 1221 reed esee aii 255 12 1 1 General Information tr e a a A a es 255 I2 2 General Steins 255 22 3 ACION SEE A 256 2 1 4 bog Messages it one ad eda eb n epe nt ets 256 12 2 SN MP SerVIGe nete meet nl aan ed te cd aie nd nde Maal Dd de ro Foret 257 12 2 1 General Infortmiation redet te A dele trei tede diee 257 12 3 lt Traffic Flotte nee Da eee eno oe beh 258 12 3 1 General Informatiori dea etes ti tei la tH Gea EHE ea 258 12 3 2 Related DOCUMENES e 258 12 3 3 General Configuration eese 258 12 3 4 TrafficcFlow Targets retta nte ree ideo rab deat 259 12 3 5 Application Examples tae restent rte see nag deinde 259 12 4 RARE enhn ees ERR e AE nee RR Taat 262 12 4 1 General 262 I2 4 2 General Options cerit obo dec 262 12 4 3 Health Graphing ARR 263 12 4 4 Interface Graphinng ssssssssssscsssse
351. nges the software performs periodic calibration periodic calibration interval integer default 60 interfal between periodic recalibrations in seconds preamble mode both long short default both sets the synchronization field in a wireless packet long has a long synchronization field in a wireless packet 128 bits Is compatible with 802 1 standard short has a short synchronization field a wireless packet 56 bits Is not compatible with 802 1 standard With short preamble mode it is possible to get slightly higher data rates both supports both short and long preamble prism cardtype 30mW 100 200mW specify the output of the Prism chipset based card proprietary extensions pre 2 9 25 post 2 9 25 default post 2 9 25 the method to insert additional information RouterOS proprietary extensions into the wireless frames This option is needed to workaround incompatibility between the old pre 2 9 25 method and new Intel Centrino PCI Express cards pre 2 9 25 include extensions in the form accepted by older RouterOS versions This will include the new format as well so this mode is compatiblewith all RouterOS versions This mode is incompatible with wireless clients built on the new Centrino wireless chipset and may as well be incompatible with some other stations radio name text descriptive name of the card Only for RouterOS devices rate set default configured which rate set to use default
352. nly for PPPs e Framed Protocol always is PPP only for PPPs e NAS Identifier router identity NAS IP Address IP address of the router itself e NAS Port unique session ID e Acct Session ld unique session ID e NAS Port Type async PPP Async PPTP and L2TP Virtual PPPoE Ethernet ISDN ISDN Sync HotSpot Ethernet Cable Wireless 802 11 according to the value of nas port type parameter in ip hotspot profile e Calling Station Id PPPoE and HotSpot client MAC address in capital letters PPTP and L2TP client public IP address ISDN client MSN Called Station Id PPPoE service name PPTP and L2TP server IP address ISDN interface MSN HotSpot name of the HotSpot server AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 135 RouterOS v3 Configuration and User Guide NAS Port Id async PPP serial port name PPPoE ethernet interface name on which server is running HotSpot name of the physical HotSpot interface if bridged the bridge port name is showed here not present for ISDN PPTP and L2TP Framed IP Address address of HotSpot client after Universal Client translation Mikrotik Host IP IP address of HotSpot client before Universal Client translation the original IP address of the client User Name client login name MS CHAP Domain User domain if present Mikrotik Realm If it is set in radius menu it is included in every RADIUS req
353. nna b rxa txb use antenna a for receiving packets use antenna b for transmitting packets txa rxb use antenna a for transmitting packets antenna b for receiving packets area text default string value that is used to describe an Access Point Connect List on the Client s side comparing this string value with area prefix string value makes decision whether allow a Client connect to the AP If area prefix match the entire area string or only the beginning of it the Client is allowed to connect to the AP arp disabled enabled proxy arp reply only default enabled Address Resolution Protocol setting 36 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide band operating band 2 4ghz b IEEE 802 1 1b 2 4ghz b g IEEE 802 1 Ig supports also legacy IEEE 802 1 Ib protocol 2 4ghz g turbo IEEE 802 1 lg using double channel providing air rate of up to 108 Mbit 2 4ghz onlyg only IEEE 802 112 5ghz IEEE 802 1 la up to 54 Mbit 5ghz turbo IEEE 802 la using double channel providing air rate of up to 108Mbit 2ghz lOmhz variation of IEEE 802 1 Ig with half the band and accordingly twice lower speed air rate of up to 27Mbit 2ghz 5mhz variation of IEEE 802 with quarter the band and accordingly four times lower speed air rate of up to 13 5Mbit 5ghz lOmhz variation of IEEE 802 1 1 with half the band and accordingly twice lower speed a
354. nnection tracking is enabled there will be no fragments as the system automatically assembles every packet hotspot multiple choice auth from client http local dst to client matches packets received from clients against various HotSpot conditions All values can be negated auth true if a packet comes from an authenticted HotSpotclient from client true if a packet comes from any HotSpot client http true if a HotSpot client sends a packet to the address and port previously detected as his proxy server Universal Proxy technique or if the destination port is 80 and transparent proxying is enabled for that particular client local dst true if a packet has local destination IP address to client true if a packet is sent to a client icmp options integer integer matches ICMP Type Code fields in bridge port name actual interface the packet has entered the router through if bridged this property matches the actual bridge port while in interface the bridge itself in interface name interface the packet has entered the router through if the interface is bridged then the packet will appear to come from the bridge interface itself ingress priority integer 0 63 INGRESS received priority of the packet if set 0 otherwise The priority may be derived from either VLAN or priority ipv4 options any loose source routing no record route no router alert no source routing no timestamp none
355. no allow only one session per host determined by MAC address If a host will try to establish a new session the old one will be closed service name text the PPPoE service name The default keepalive timeout value of 10 is OK most cases If you set it to 0 the router will not disconnect clients until they log out or router is restarted To resolve this problem the one session per host property can be used Security issue do not assign an IP address to the interface you will be receiving the PPPoE requests on Specifying MRRU means enabling MP Multilink PPP over single link This protocol is used to split big packets into smaller ones Under Windows it can be enabled in Networking tag Settings button Negotiate multi link for single link connections Their MRRU is hardcoded to 1614 This setting is usefull to overcome PathMTU discovery failures The MP should be enabled on both peers Example To add PPPoE server on etherl interface providing ex service and allowing only one connection per host admin AT WR4562 interface pppoe server server add interface etherl N Service name ex one session per host yes admin AT WR4562 interface pppoe server server print Flags X disabled X service name ex interface etherl mtu 1480 mru 1480 authentication mschap2 mschap chap pap keepalive timeout 10 one session per host yes default profile default admin AT WR4562 interface pppoe server server
356. nted as a hex string current bytes read only integer amount of data processed by this SA s crypto algorithms dst address read only IP address destination address of SA taken from respective policy enc algorithm multiple choice read only none des 3des aes encryption algorithm used in SA enc key read only text encryption key presented as a hex string not applicable to AH SAs lifebytes read only integer soft hard expiration threshold for amount of processed data replay read only integer size of replay window presented in bytes This window protects the receiver against replay attacks by rejecting old or duplicate packets spi read only integer SPI value of SA represented in hexadecimal form src address read only IP address source address of SA taken from respective policy state multiple choice read only larval mature dying dead SA living phase use lifetime read only time soft hard expiration time counted from the first use of SA usetime read only text time when this SA was first used 194 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Example Sample printout looks as follows admin WiFi ip ipsec gt installed sa print Flags A AH E ESP P pfs addtime jan 28 2003 20 55 12 1 lifebytes 0 0 1E 15 06 src address 10 0 0 14 usetime jan 28 2003 20 55 12 use 1 lifebytes 0
357. nterface bridge host Property Description age read only time the time since the last packet was received from the host bridge read only name the bridge the entry belongs to local read only flag whether the host entry is of the bridge itself that way all local interfaces are shown mac address read only MAC address host s MAC address on interface read only name which of the bridged interfaces the host is connected to Example To get the active host table adminQ AT WR4562 interface bridge host print Flags L local BRIDGE MAC ADDRESS ON INTERFACE AGE bridgel 00 00 B4 5B A6 58 etherl 4m48s bridgel 00 30 4F 18 58 17 etherl 4m50s L bridgel 00 50 08 00 00 F5 etherl 0s L bridgel 00 50 08 00 00 F6 ether2 Os bridgel 00 60 52 0B B4 81 etherl 4m50s bridgel 00 C0 DF 07 5E E6 etherl 4m46s bridgel 00 0 5 6 23 25 prisml 4m48s bridgel 00 0 7 7 0 8 etherl 1s admin AT WR4562 interface bridge host 4 5 7 Bridge Firewall General Description Specifications Submenu level interface bridge filter interface bridge nat interface bridge broute Description The bridge firewall implements packet filtering and thereby provides security functions that are used to manage data flow to from and through bridge Packets between bridged interfaces just like any other IP traffic are also passed through the generic lip firewall rules but bridging filters are always applie
358. nternet disabled no To configure RouterOS to be an Access Concentrator PPPoE Server Add an address pool for the clients from 10 1 1 62 to 10 1 1 72 called pppoe pool ip pool add name pppoe pool ranges 10 1 1 62 10 1 1 72 Add PPP profile called pppoe profile where local address will be the router s address and clients will have an address from pppoe pool ppp profile add name pppoe profile local address 10 1 1 1 remote address pppoe pool Add a user with username mike and password 123 ppp secret add name mike password 123 service pppoe profile pppoe profile Now add a pppoe server interface pppoe server server add service name internet interface wlanl default profile pppoe profile Specifications Packages required ppp License required Levell limited to interface Level3 limited to 200 interfaces Level4 limited to 200 interfaces Level5 limited to 500 interfaces Level6 unlimited Submenu level interface pppoe server interface pppoe client Standards and Technologies PPPOE RFC 2516 Hardware usage PPPoE server may require additional RAM uses approx 9KiB plus extra OKiB for packet queue if data rate limitation is used for each connection and CPU power Maximum of 65535 connections is supported 172 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Related Topics
359. nterval 10s dead interval 40s adminQ8OSPF peer 2 routing ospf interface add interface to peer 1 cost 50 admin OSPF peer 2 routing ospf interface print 0 interface to peer 1 cost 50 priority 1 authentication key retransmit interval 5s transmit delay 1s hello interval 10s dead interval 40s After changing the cost settings we have only one equal cost multipath route left to the network 10 3 0 0 24 from OSPF MAIN router Routes on OSPF MAIN router adminQOSPF MAIN ip route print Flags X disabled I invalid D dynamic J rejected C connect S static r rip o ospf b bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Io 192 168 0 0 24 110 1 DC 192 168 0 0 24 r 0 0 0 0 0 main gw 2 Do 10 3 0 0 24 10 2 0 1 110 to peer 2 10 1 01 to peer 1 3 Io 10 2 0 0 24 110 4 DC 10 2 0 0 24 r 0 0 0 0 0 to peer 2 5 Io 10 1 0 0 24 140 6 DC 10 1 0 0 24 0 0 0 0 0 to peer 1 AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 109 RouterOS v3 Configuration and User Guide On OSPF peer adminQGOSPF peer 1 gt ip route pr Flags X disabled I invalid D dynamic J rejected C connect 8 static rip o ospf Db bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Do 192 168 0 0 24 r 10 1 0 2 110 to main 1 Io 10 3 0 0 24 110 2 DC 10 3 0 0 24 r 0 0 0 0 0 backup 3 Do 10 2 0 0 24 10 101 0 9 110 to main 4 Io 10 1 0 0 24 110 5 DC 10 1 0 0 24
360. nterval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both 1 name wlan2 mtu 1500 mac address 00 0C 42 05 06 B2 arp enabled disable running check no interface type Atheros AR5413 radio name 000C420506B2 mode nstreme dual slave ssid AT WR4500 area frequency mode superchannel country no country set antenna gain 0 frequency 5180 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both admin DualNS 2 interface wireless nstreme dual admin DualNS 2 interface wireless nstreme dual add rx radio wlanl tx radio wlan2 rx frequency 5805 tx frequency 5180 disabled no remote mac 00 0C 42 05 04 36 adm
361. ntication md5 Keyed Message Digest 5 authentication authentication key text default specifies authentication key for RIP messages in prefix list name default name of the filtering prefix list for received routes out prefix list name default name of the filtering prefix list for advertised routes a It is recommended not to use RIP version wherever it is possible due to security issues Example To add an entry that specifies that when advertising routes through the etherl interface prefix list plout should be applied admin AT WR4562 routing rip interface add interface etherl N prefix list out plout admin AT WR4562 routing rip interface print Flags I inactive 0 interface etherl receive v2 send v2 authentication none authentication key prefix list in plout prefix list out none admin AT WR4562 routing rip AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 95 RouterOS v3 Configuration and User Guide 5 2 4 Networks Submenu level routing rip network Description To start the RIP protocol you have to define the networks on which RIP will run Property Description network IP address mask default 0 0 0 0 0 specifies the network on which RIP will run Only directly connected networks of the router may be specified For point to point links you should specify the remote endpoint IP address as the network IP address F
362. nts Property Description 802 1x port enabled read only yes no whether the data exchange is allowed with the peer i e whether 802 1 authentication is completed if needed ack timeout read only integer current value of ack timeout ap read only yes no whether the connected device is an Access Point or not ap tx limit read only integer transmit rate limit on the AP in bits per second authentication type read only none wpa psk wpa2 psk wpa eap wpa2 eap authentication method used for the peer bytes read only integer integer number of sent and received packet bytes 44 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide client tx limit read only integer transmit rate limit on the AP in bits per second compression read only yes no whether data compresson is used for this peer encryption read only aes ccm tkip unicast encryption algorithm used frame bytes read only integer integer number of sent and received data bytes excluding header information frames read only integer integer number of sent and received 802 11 data frames excluding retransmitted data frames framing current size read only integer current size of combined frames framing limit read only integer maximal size of combined frames framing mode read only none best fit exact size default none the method how to combine fra
363. nts src mac address MAC address source MAC address src port integer 0 65535 integer 0 65535 source port number or range AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 203 RouterOS v3 Configuration and User Guide tcp flags ack cwr fin psh rst syn tcp flags to match ack acknowledging data cwr congestion window reduced ece ECN echo flag explicit congestion notification fin close connection psh push function rst drop connection syn new connection urg urgent data tcp mss integer 0 65535 matches TCP MSS value of an IP packet time time time sat fri thu wed tue mon sun allows to create filter based on the packets arrival time and date or for locally generated packets departure time and date Because the NAT rules are applied first it is important to hold this in mind when setting up firewall rules since the original packets might be already modified by the NAT 9 1 3 Filter Applications Protect your RouterOS router To protect your router you should not only change admin s password but also set up packet filtering All packets with destination to the router are processed against the ip firewall input chain Note that the input chain does not affect packets which are being transferred through the router ip firewall filter add chain input connection state invalid action drop comment Drop Inval
364. number of services for example for users to be allowed to access an internal file server or another restricted area This can be done by setting up Walled Garden system When a not logged in user requests a service allowed in the Walled Garden configuration the HotSpot gateway does not intercept it or in case of HTTP simply redirects the request to the original destination Other requests are redirected to the HotSpot servlet login page infrastructure When a user is logged in there is no effect of this cable on him her Walled Garden for HTTP requests is using the embedded proxy server ip proxy This means that all the configured parameters of that proy server will also be effective for the WalledGarden clients as well as for all clients that have transparent proxy enabled Authentication There are currently 6 different authentication methods You can use one or more of them simultaneously HTTP PAP simplest method which shows the HotSpot login page and expect to get the authentication info i e username and password in plain text Note that passwords are not being encrypted when transferred over the network Another use of this method is the possibility of hard coded authentication information in the servlet s login page simply creating the appropriate link HTTP CHAP standard method which includes CHAP challenge in the login page The CHAP MD5 hash challenge is to be used together with the user s password for computing the strin
365. o display in your Web browser Data from the router is gathered every 5 minutes but saved on the system drive every store every time After rebooting the router graphing will display information that was last time saved on the disk before the reboot RouterOS generates four graphics for each item e Daily Graph 5 Minute Average e Weekly Graph 30 Minute Average e Monthly Graph 2 Hour Average e Yearly Graph I Day Average To access each graphic from a network specify this network in allow address parameter for the respective item 12 4 2 General Options Submenu level tool graphing Property Description store every 5min hour 24hours default 5 how often to store information on system drive Example To store information on system drive every hour tool graphing set store every hour admin AT WR4562 tool graphing gt print store every hour admin AT WR4562 tool graphing gt AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 263 RouterOS v3 Configuration and User Guide 12 4 3 Health Graphing Submenu level tool graphing health Description This submenu provides information about RouterBoard s health voltage and temperature For this option you have to install the routerboard package Property Description allow address IP address netmask default 0 0 0 0 0 network which is allowed to view graphs of router health store on disk yes no def
366. o not support this because of the limitations of 802 11 However it is possible to bridge over a wireless link using the WDS feature or Ethernet over IP protocol For preventing loops in a network you can use the Spanning Tree Protocol STP This protocol is also used for configurations with backup links Main features e Spanning Tree Protocol STP and Rapid Spanning Tree Protocol RSTP e Multiple bridge interfaces e Bridge associations on a per interface basis e MAC address table can be monitored in real time e P address assignment for router access Bridge interfaces can be filtered and NATed e Support for brouting based on bridge packet filter 78 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Quick Setup Guide To put interface etherl and ether2 in a bridge Add a bridge interface called MyBridge interface bridge add name MyBridge disabled no Add etherl and ether2 to MyBridge interface interface bridge port add interface etherl bridge MyBridge interface bridge port add interface ether2 bridge MyBridge Specifications Packages required system License required Level3 Submenu level interface bridge Standards and Technologies IEEE801 1D Hardware usage Not significant Related Topics e Addresses and ARP e EolP Description Ethernet like networks Ethernet Ethernet over IP IEEE802 11 in ap bridge or bri
367. o point link using Dual Nstreme 68 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide DualNS 2 5180MHz 3 4 9 ASAP gt 5805 MHz e DualNS 1 Figure 8 Nstreme dual network example Configure DualNS 1 admin DualNS 1 interface wireless set wlanl wlan2 mode nstreme dual slave admin DualNS 1 interface wireless print Flags X disabled R running 0 name wlanl mtu 1500 mac address 00 0C 42 05 04 36 arp enabled disable running check no interface type Atheros AR5413 radio name 000C42050436 mode nstreme dual slave ssid AT WR4500 area frequency mode superchannel country no country set antenna gain 0 frequency 5180 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps llMbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mod
368. o the scheduled advertisment page if user is logged in and advertisement is not scheduled for this user the requested page is served if user is not logged in but the destination host is allowed by walled garden then the request is also served if user is not logged in and the destination host is disallowed by walled garden rlogin html is displayed if rlogin html is not found redirect html is used to redirect to the login page request for on the HotSpot host AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 237 RouterOS v3 Configuration and User Guide if user is logged in rstatus html is displayed if rstatus html is not found redirect html is used to redirect to the status page if user is not logged in rlogin html is displayed if rlogin html is not found redirect html is used to redirect to the login page request for login page if user has successfully logged in or is already logged alogin html is displayed if alogin html is not found redirect html is used to redirect to the originally requested page or the status page in case original destination page was not given if user is not logged in username was not supplied no error message appeared login html is showed if login procedure has failed error message is supplied flogin html is displayed if flogin html is not found login html is used in case of fatal errors error html is showed request for status page if user is logged in status html
369. obvious security reasons RouterOS can act as a RADIUS client you can use a RADIUS server to authenticate PPPoE clients and use accounting for them A PPPoE connection is composed of a client and an access concentrator server The client may be any computer that has the PPPoE client protocol support installed The RouterOS supports both client and access concentrator implementations of PPPoE The PPPoE client and server work over any Ethernet level interface on the router wireless 802 11 10 100 1000 Mbit s Ethernet and EoIP Ethernet over IP tunnel No encryption MPPE 40bit RSA and MPPE 28bit RSA encryption is supported When RADIUS server is authenticating a user with CHAP MS CHAPv or MS CHAPv2 the RADIUS protocol does not use shared secret it is used only in authentication reply So if you have a wrong shared secret RADIUS server will accept the request You can use radius monitor command to see bad replies parameter This value should increase whenever a client tries to connect Supported connections e RouterOS PPPoE client to any PPPoE server access concentrator e RouterOS server access concentrator to multiple PPPoE clients clients are avaliable for almost all operating systems and most routers Quick Setup Guide To configure RouterOS to be a PPPoE client Just add a pppoe client interface pppoe client add name pppoe user mike user mike password 123 interface wlanl service name i
370. ocal 2 192 168 1 1 24 192 168 1 0 192 168 1 255 vrrpl admin AT WR4562 ip addrees gt Now this address should appear in ip address list admin AT WR4562 ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 1 24 10 0 0 0 10 0 0 255 public 1 192 168 1 2 24 192 168 1 0 192 168 1 255 local 2 D 192 168 1 1 24 192 168 1 0 192 168 1 255 local admin AT WR4562 ip address gt Configuring Backup VRRP router Now we will create VRRP instance with lower priority we can use the default value of 100 so this router will back up the preferred one admin AT WR4562 ip vrrp add interface local admin AT WR4562 ip vrrp gt print Flags X disabled I invalid M master B backup 0 B name vrl interface local vrid 1 priority 100 interval 1 preemption mode yes authentication none password on backup on master admin AT WR4562 ip vrrp gt Now we should add the same virtual address as was added to the master node admin AT WR4562 ip vrrp address add address 192 168 1 1 24 interface vrrpl AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 253 RouterOS v3 Configuration and User Guide Testing fail over Now when we will disconnect the master router the backup one will switch to the master state admin AT WR4562 ip vrrp gt print Flags disabled I invalid running master back
371. ocol is arp or rarp VLAN matchers are only valid for vlan ethernet protocol IP related matchers are only valid if mac protocol is set as ipv4 802 3 matchers are only consulted if the actual frame is compliant with IEEE 802 2 and IEEE 802 3 standards note it is not the industry standard Ethernet frame format used in most networks worldwide These matchers are ignored for other packets ev 4 5 8 Bridge Packet Filter Submenu level interface bridge filter Description This section describes bridge packet filter specific filtering options which were omitted in the general firewall description Property Description action accept drop jump log mark passthrough return default accept action to undertake if the packet matches the rule one of the accept accept the packet No action i e the packet is passed through without undertaking any action and no more rules are processed in the relevant list chain drop silently drop the packet without sending the ICMP reject message jump jump to the chain specified by the value of the jump target argument log log the packet non presente nel manual pdf mark mark the packet to use the mark later passthrough ignore this rule and go on to the next one Acts the same way as a disabled rule except for ability to count packets return return to the previous chain from where the jump took place out bridge name outgoing bridge interface out interface
372. ocol on a router Having two wireless interfaces which are not used for anything else to group them into an nstreme interface switch both of them into nstreme dual slave mode AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 43 RouterOS v3 Configuration and User Guide admin AT WR4562 interface wireless print Flags X disabled running 0 name wlanl mtu 1500 mac address 00 0C 42 05 00 14 arp enabled interface type Atheros AR5413 mode station ssid AT WR4560 frequency 2412 band 2 4ghz b g scan list default antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default compression no 1 name wlan2 mtu 1500 mac address 00 80 48 41 AF 2A arp enabled interface type Atheros AR5413 mode station ssid AT WR4560 frequency 2412 band 2 4ghz b g scan list default antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default compression no admin AT WR4562 interface wireless set 0 1 mode nstreme dual slave Then add nstreme2 interface with exact size framing admin AT WR4562 interface wireless nstreme dual add N framer policy exact size Configure which card will be receiv
373. ollowed by time option 202 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide time specifies the time interval over which the packet rate is measured burst number of packets to match in a burst log prefix text all messages written to logs will contain the prefix specified herein Used in conjunction with action log nth integer integer 0 15 integer 0 1 match a particular Nth packet received by the rule One of 16 available counters can be used to count packets every match every th packet For example if every I then the rule matches every 2nd packet counter specifies which counter to use A counter increments each time the rule containing nth match matches packet match on the given packet number The value by obvious reasons must be between 0 and every If this option is used for a given counter then there must be at least every tl rules with this option covering all values between 0 and every inclusively out bridge port name actual interface the packet is leaving the router through if bridged this property matches the actual bridge port while out interface the bridge itself out interface name interface the packet is leaving the router through if the interface is bridged then the packet will appear to leave through the bridge interface itself p2p all p2p bit torrent blubster direct connect edonkey fasttrack gnutella
374. on The export command prints a script that can be used to restore configuration The command can be invoked at any menu level and it acts for that menu level and all menu levels below it The output can be saved into a file available for download using FTP Command Description file filename saves the export to a file Example admin AT WR4562 gt ip address print Flags disabled I invalid D dynamic ADDRESS NETWORK BROADCAST 0 10 1 0 172 24 0 1 0 0 TO L0 2255 1 10 5 1 1 24 10 5 1 0 10 5 1 255 admin AT WR4562 gt INTERFACE bridgel etherl To make an export file admin AT WR4562 ip address gt export file address admin AT WR4562 ip address gt To see the files stored on the router admin AT WR4562 gt file print NAME TYPE SIZE 0 address rsc script 315 admin AT WR4562 gt CREATION TIME dec 23 2003 13 21 48 3 1 3 The Import Command Command name import Description The root level command import file_name executes a script stored in the specified file adds the configuration from the specified file to the existing setup This file may contain any console comands including scripts is used to restore configuration or part of it after a system reset event or anything that causes configuration data loss 20 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide
375. on static users and dynamic connections An interface is created for each tunnel established to the given server Static interfaces are added administratively if there is a need to reference the particular interface name in firewall rules or elsewhere created for the particular user Dynamic interfaces are added to this list automatically whenever a user is connected and its username does not match any existing static entry or in case the entry is active already as there can not be two separate tunnel interfaces referenced by the same name Dynamic interfaces appear when a user connects and disappear once the user disconnects so it is impossible to reference the tunnel created for that use in router configuration for example in firewall so if you need a persistent rules for that user create a static entry for him her Otherwise it is safe to use dynamic configuration In both cases PPP users must be configured properly Property Description client address read only IP address shows the IP address of the connected client encoding read only text encryption and encoding if asymmetric separated with being used in this connection mru read only integer client s MRU mtu read only integer client s MTU name name interface name uptime read only time shows how long the client is connected user name the name of the user that is configured statically or added dynamically AT WR4500
376. or this case the correct netmask will be 32 Example To enable RIP protocol on 10 10 1 0 24 network admin AT WR4562 routing rip network add network 10 10 1 0 24 adminQ AT WR4562 routing rip network print ADDRESS 0 10 10 1 0 24 admin AT WR4562 routing rip 5 2 5 Neighbors Description This submenu is used to define a neighboring routers to exchange routing information with Normally there is no need to add the neighbors if multicasting is working properly within the network If there are problems with exchanging routing information neighbor routers can be added to the list It will force the router to exchange the routing information with the neighbor using regular unicast packets Property Description address IP address default 0 0 0 0 IP address of neighboring router Example To force RIP protocol to exchange routing information with the 10 0 0 1 router adminQAT WR4562 routing rip neighbor add address 10 0 0 1 adminQ AT WR4562 routing rip neighbor print Flags I inactive ADDRESS 0 10 0 0 1 admin AT WR4562 routing rip 5 2 6 Routes Submenu level routing rip route Property Description dst address read only IP address mask network address and netmask of destination gateway read only IP address last gateway on the route to destination metric read only integer distance vector length to the destination network from IP address sp
377. or Wireless Routers RouterOS v3 Configuration and User Guide All other packets except DNS and login requests from unauthorized clients should pass through the hs unauth chain 7 D chain hotspot action jump jump target hs auth hotspot auth protocol tcp And packets from the authorized clients through the hs auth chain 8 D www alliedtelesis com chain hs unauth dst address 159 148 147 196 protocol tcp dst port 80 action return First in the hs unauth chain is put everything that affects TCP protocol in the ip hotspot walled garden ip submenu i e everything where either protocol is not set or set to TCP Here we are excluding www alliedtelesis com from being redirected to the login page 9 D chain hs unauth action redirect to ports 64874 dst port 80 protocol tcp All other HTTP requests are redirected to the Walled Garden proxy server which listens the 64874 port If there is an allow entry in the ip hotspot walled garden menu for an HTTP request it is being forwarded to the destination Otherwise the request will be automatically redirected to the HotSpot login servlet port 64873 10 D chain hs unauth action redirect to ports 64874 dst port 3128 protocol tcp 11 D chain hs unauth action redirect to ports 64874 dst port 8080 protocol tcp HotSpot by default assumes that only these ports may be used for HTTP proxy requests These two entries are used to catch client requests to unknown proxies
378. or reference vlan id integer default 1 Virtual LAN identifier or tag that is used to distinguish VLANs Must be equal for all computers that belong to the same VLAN MTU should be set to 1500 bytes as on Ethernet interfaces But this may not work with some Ethernet interfaces that do not support receiving transmitting of full size Ethernet packets with VLAN header added 1500 bytes data 4 bytes VLAN header 14 bytes Ethernet header In this situation MTU 1496 can be used but note that this will cause packet fragmentation if larger packets have to be sent over interface At the same time remember that MTU 1496 may cause problems if path MTU discovery is not working properly between source and destination Example To add and enable a VLAN interface named test with vlan id on interface ether admin AT WR4562 interface vlan gt add name test vlan id 1 interface etherl admin AT WR4562 interface vlan gt print Flags X disabled R running NAME MTU ARP VLAN ID INTERFACE 0 test 1500 enabled 1 etherl admin AT WR4562 interface vlan gt enable 0 admin AT WR4562 interface vlan gt print Flags disabled running MTU VLAN ID INTERFACE 0 R test 1500 enabled 1 etherl admin AT WR4562 interface vlan gt 4 4 3 Application Example VLAN example on 4500 Routers Let us assume that we have two or more RouterOS routers connected with a hub Interfa
379. or the rule A comment can be used to identify rules form scripts connection bytes integer integer matches packets only if a given amount of bytes has already been transfered through the particular connection 0 means infinity exempli gratia connection bytes 2000000 0 means that the rule matches if more than 2MB has been transfered through the relevant connection connection limit integer netmask restrict connection number per address or address block matches if the specified number of connection has already been established connection mark name matches packets marked via mangle facility with particular connection mark connection type ftp gre h323 irc mms pptp quake3 tftp matches packets from related connections based on information from their connection tracking helpers A relevant connection helper must be enabled under ip firewall service port content text the text packets should contain in order to match the rule dscp integer 0 63 DSCP ex ToS IP header field value dst address IP address netmask IP address IP address specifies the address range an IP packet is destined to Note that console converts entered address netmask value to a valid network address ie 1 1 1 1 24 is converted to 1 1 1 0 24 dst address list name matches destination address of a packet against user defined address list dst address type unicast local broadcast multicast matches destination address type of the
380. ord 2 RFC2865 WISPr Bandwidth Max Down 14122 8 wi fi org WISPr Bandwidth Max Up 14122 7 wi fi org WISPr Bandwidth Min Down 14122 6 wi fi org WISPr Bandwidth Min Up 14122 5 wi fi org WISPr Location ld 14122 wi fi org WISPr Location Name 14122 2 wi fi org WISPr Logoff URL 14122 3 wi fi org WISPr Redirection URL 14122 4 wi fi org WISPr Session Terminate Time 14122 9 wi fi org 7 1 6 Troubleshooting Description My radius server accepts authentication request from the client with Auth Login OK but the user cannot log on The bad replies counter is incrementing under radius monitor This situation can occur if the radius client and server have high delay link between them Try to increase the radius client s timeout to 600ms or more instead of the default 300ms Also double check if che secrets match on client and server AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 141 RouterOS v3 Configuration and User Guide 7 2 PPP User AAA 7 2 1 General Information Summary This document provides summary configuration reference and examples on PPP user management This includes asynchronous PPP PPTP PPPoE and ISDN users Specifications Packages required system License required Level Submenu level ppp Related Topics HotSpot User AAA Router User AAA RADIUS client Software Package Management IP Addresses and ARP PPPoE PPTP L2TP Interface Description The RouterOS provides scalable Authenticat
381. ormation Summary The DHCP Dynamic Host Configuration Protocol is needed for easy distribution of IP addresses in a network The RouterOS implementation includes both server and client parts and is compliant with RFC2131 General usage of DHCP e assignment in LAN cable modem and wireless systems e Obtaining IP settings on cable modem systems IP addresses can be bound to MAC addresses using static lease feature DHCP server can be used with RouterOS HotSpot feature to authenticate and account DHCP clients See the HotSpot Manual for more information Quick Setup Guide This example will show you how to setup DHCP Server and DHCP Client on RouterOS Setup of a DHCP Server Create an IP address pool ip pool add name dhcp pool ranges 172 16 0 10 172 16 0 20 2 Add a DHCP network which will concern to the network 172 16 0 0 12 and will distribute a gateway with IP address 172 16 0 1 co DHCP clients ip dhcp server network add address 172 16 0 0 12 gateway 172 16 0 1 3 Finally add a DHCP server ip dhcp server add interface wlanl address pool dhcp pool Setup of the DHCP Client which will get a lease from the DHCP server configured above I Add the DHCP client ip dhcp client add interface wlanl use peer dns yes add default route yes disabled no 2 Check whether you have obtained a lease admin Server ip dhcp client gt print detail Flags X disabled I inval
382. ort scan subsequence LowPortWeight weight of the packets with privileged lt 1024 destination port HighPortWeight weight of the packet with non priviliged destination port random integer 99 matches packets randomly with given propability reject with icmp admin prohibited icmp echo reply icmp host prohibited icmp host unreachable icmp net prohibited icmp network unreachable icmp port unreachable icmp protocol unreachable tcp reset integer alters the reply packet of reject action routing mark name matches packets marked by mangle facility with particular routing mark src address address netmask IP address IP address specifies the address range an packet is originated from Note that console converts entered address netmask value to a valid network address i e 1 1 1 1 24 is converted to 1 1 1 0 24 src address list name matches source address of a packet against user defined address list src address type unicast local broadcast multicast matches source address type of the IP packet one of the unicast IP addresses used for one point to another point transmission There is only one sender and one receiver in this case local matches addresses assigned to router s interfaces broadcast the IP packet is sent from one point to all other points in the IP subnetwork multicast this type of IP addressing is responsible for transmission from one or more points to a set of other poi
383. ossible to have the MAC address of a VLAN interface different from the MAC address of the physical interface it is put on 11 1 2 VRRP Routers Submenu level ip vrrp Description A number of VRRP routers may form a virtual router The maximal number of clusters on one network is 255 each having a unique VRID Virtual Router ID Each router participating VRRP cluster must have it priority set to a valid value Each VRRP instance is configured like a virtual interface that bound to a real interface in a similar manner VLAN is VRRP addresses are then put on the virtual VRRP interface normally The VRRP master has running flag enabled making the address and the associated routes and 250 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide other configuration active backup instance is not running so all the settings attached to that interface is inactive Property Description arp disabled enabled proxy arp reply only default enabled Address Resolution Protocol authentication none simple ah default none authentication method to use for VRRP advertisement packets none no authentication simple plain text authentication ah Authentication Header using HMAC MD5 96 algorithm backup read only flag whether the instance is in the backup state interface name interface name the instance is running on interval integer
384. otSpot server may automatically and transparently change any IP address yes meaning really any address of a client to a valid unused address from the selected IP pool This feature gives possibility to provide a network access for example Internet access to mobile clients that are not willing or are disallowed not qualified enough or otherwise unable to change their networking settings The users will not notice the translation i e there will not be any changes in the users config but the router itself will see completely different from what is actually set on each client source IP addresses on packets sent from the clients even firewall mangle table will see the translated addresses This technique is called one to one NAT but is also known as Universal Client as that is how it was called in the RouterOS version 2 8 One to one NAT accepts any incoming address from a connected network interface and performs a network address translation so that data may be routed through standard IP networks Clients may use any preconfigured addresses If the one to one NAT feature is set to translate a client s address to a public IP address then the client may even run a server or any other service that requires a public IP address This NAT is changing source address of each packet just after it is received by the router it is like source NAT that is performed earlier so that even firewall mangle table which normally sees received pac
385. ould not be automatically logged on when he she opens a browser next time Example With basic HTML language knowledge and the examples below it should be easy to implement the ideas described above e To provide predefined value as username in login html change type text value S username gt to this line lt input type hidden name user value hsuser where hsuser is the username you are providing e To provide predefined value as password in login html change lt input type password gt to this line lt input type hidden name password value hspass gt where hspass is the password you are providing e send client s MAC address to a registration server in form of https www server serv register html mac XX XX XX XX XX XX change the Login button link in login html to https www example com register html mac mac you should correct the link to point to your server e show a banner after user login alogin html after if popup true add the following line open http your web server your banner page html my banner name you should correct the link to point to the page you want to show e To choose different page shown after login in login html change lt input type hidden name dst value 1 gt to this line lt input type hidden name ds
386. ource MAC address instead Command Description check status Check status of a given busy dynamic lease and free it in case of no response make static convert a dynamic lease to static one If rate limit is specified a simple queue is added with corresponding parameters when lease enters bound state Arp entry is added right after adding of queue is done only if add arp is enabled for dhcp server To be sure that client cannot use his ip address without getting dhcp lease and thus avoiding rate limit reply only mode must be used on that ethernet interface Even though client address may be changed with adding a new item in lease print list it will not change for the client It is true for any changes in the DHCP server configuration because of the nature of the DHCP protocol Client tries to renew assigned IP address only when half a lease time is past it tries to renew several times Only when full lease time is past and IP address was not renewed new lease is asked rebind operation The deault mac address value will never work You should specify a correct MAC address there AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 123 Example To assign 10 5 2 100 static IP address for the existing DHCP client shown in the lease table as item 0 adminQ AT WR4562 ip dhcp server lease print Flags X disabled R radius D dyna
387. oute add gateway 192 168 0 1 192 168 1 1 routing protocols may create multipath dynamic routes with equal cost automatically if the cost of the interfaces is adjusted propery For more information on using routing protocols please read the corresponding Manual Policy Based Routing It is a routing approach where the next hop gateway for a packet is chosen based on a policy which is configured by the network administrator In RouterOS the procedure the follwing e mark the desired packets with a routing mark e choose a gateway for the marked packets In routing process the router decides which route it will use to send out the packet Afterwards when the packet is masqueraded its source address is taken from the prefsrc field 5 4 2 Routes Submenu level ip route Description In this submenu you can configure Static Equal Cost Multi Path and Policy Based Routing and see the routes Property Description bgp as path text manual value of BGP s as path for outgoing route bgp atomic aggregate yes no indication to receiver that it cannot deaggregate the prefix bgp communities multiple choice integer administrative policy marker that can travel through different autonomous systems internet communities value 0 bgp local pref integer local preference value for a route bgp med integer a BGP attribute which provides a mechanism for BGP speakers to convey to an adjacent AS the
388. outer Keep in mind that the user allowed to transfer files may also upload a new RouterOS version that will be applied upon the next reboot reboot policy that allows rebooting the router read policy that grants read access to the router s configuration All console commands that do not alter router s configuration are allowed write policy that grants write access to the router s configuration except for user management This policy does not allow to read the configuration so make sure to enable read policy as well policy policy that grants user management rights Should be used together with write policy test policy that grants rights to run ping traceroute bandwidth test and wireless scan sniffer and snooper commands winbox policy that grants rights to connect to the router remotely using WinBox interface password policy that grants user option to change own password web policy that grants rights to log in remotely via WebBox sniff policy that grants access to the packet sniffer facility a There are three system groups which cannot be deleted name read policy local telnet ssh reboot read test winbox password web sniff ftp write policy 1 name write policy local telnet ssh reboot read write test winbox password web sniff ftp policy 2name full policy local telnet ssh ftp reboot read write policy test passw ord web sniff Exclamation sign just
389. outerOS v3 Configuration and User Guide There is a special argument for the print command print count only It forces the print command to print only the count of information topics linterface wireless info print command shows only channels supported by a particular card AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 49 Example admin AT WR4562 5ghz channels interface wireless info print 2352 0 23 2392 0 23 2432 0 24 2472 0 24 2324 0 23 2364 0 23 2404 0 24 2444 0 24 2484 0 24 4920 4960 5000 5040 5080 51204 5160 5200 5240 5280 5320 5360 5400 5440 5480 5520 5560 5600 5640 5680 5720 5760 5800 5840 5880 5920 5960 6000 6040 6080 0 4925 0 4965 0 5005 0 5045 0 5085 0 5125 0 5165 0 5205 0 5245 0 5285 05325 0 5365 0 5405 0 5445 0 5485 0 5525 0 5565 0 5605 0 5645 0 5685 075725 0 5765 0 5805 0 5845 0 5885 0 5925 0 5965 0 6005 0 6045 0 6085 5ghz turbo channels 4920 4960 5000 5040 5080 5120 5160 5200 5240 5280 5320 5360 5400 5440 5480 5520 5560 5600 5640 5680 5 120 5760 5800 5840 5880 5920 0 interface type Atheros AR5413 chip info mac 0xa 0x5 tx power control yes ack timeout control yes alignment mode yes virtual aps yes noise floor control yes scan support yes burst suppor
390. owed to connect to AP Real life experiments from our customers show that 100 clients can work with one AP using traffic shaping mode alignment only ap bridge bridge nstreme dual slave station station pseudobridge station pseudobridge clone station wds wds slave default station operating mode alignment only this mode is used for positioning antennas to get the best direction ap bridge the interface is operating as an Access Point bridge the interface is operating as a bridge This mode acts like ap bridge with the only difference being it allows only one client nstreme dual slave the interface is used for nstreme dual mode station the interface is operating as a wireless station client station pseudobridge wireless station that can be put in bridge MAC NAT is performed on all traffic sent over the wireless interface so that it look like coming from the station s MAC address regardless of the actual sender the standard does not allow station to send packets with different MAC address from its own Reverse translation when replies arrive from the AP to the pseudobridge station is based on the ARP table Non IP protocols are being sent to the default MAC address the last MAC address which the station has received a non IP packet from That means that if there is more than one client that uses non IP protocols for example PPPoE behind the station none of them will be able to work correctly station ps
391. p dns static add name www example com address 10 0 0 1 admin AT WR4562 ip dns static print Flags D dynamic X disabled R regexp ADDRESS TTL 0 www example com 10 0 0 1 1 admin AT WR4562 ip dns static 6 6 Flushing DNS cache Command name ip dns cache flush Command Description flush clears internal DNS cache Example adminQ AT WR4562 ip dns cache flush admin AT WR4562 ip dns print primary dns 159 148 60 2 secondary dns 0 0 0 0 allow remote requests yes cache size 2048 KiB cache max ttl lw cache used 10 KiB admin AT WR4562 ip dns 132 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 7 AAA Configuration 7 1 RADIUS client 7 1 1 General Information Summary This document provides information about RouterOS built in RADIUS client configuration supported RADIUS attributes and recommendations on RADIUS server selection Specifications Packages required system License required Level Submenu level radius Standards and Technologies RADIUS Related Topics HotSpot User AAA Router User AAA PPP User AAA IP Addresses and ARP Description RADIUS short for Remote Authentication Dial In User Service is a remote server that provides authentication and accounting facilities to various network apliances RADIUS authentication and accounting gives the ISP or network administrator abili
392. p ipsec policy to view the policy statistics do the following admin8 WiFi ip ipsec policy print stats Flags X disabled D dynamic I invalid 0 src address 10 0 0 147 32 any dst address 10 0 0 148 32 any protocol all ph2 state no phase2 in accepted 0 in dropped 0 out accepted 0 out dropped 0 encrypted 0 not encrypted 0 decrypted 0 not decrypted 0 admin WiFi ip ipsec policy 8 8 3 Peers Submenu level ip ipsec peer Description Peer configuration settings are used to establish connections between IKE daemons phase configuration This connection then will be used to negotiate keys and algorithms for SAs Property Description address IP address netmask port default 0 0 0 0 32 500 address prefix If remote peer s address matches this prefix then this peer configuration is used while authenticating and establishing phase If several peer s addresses matches several configuration entries the most specific one i e the one with largest netmask will be used auth method pre shared key rsa signature default pre shared key authentication method pre shared key authenticate by a password secret string shared between the peers rsa signature authenticate using a pair of RSA certificates certificate name name of a certificate on the local side signing packets the certificate must have private key Only needed if RSA signature authentication method is used dh group multipl
393. packet matches the criteria of the rule then the specified action is performed on it and no more rules are processed in that chain the exception is the passthrough action If a packet has not matched any rule within the chain then it is accepted 200 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Property Description action accept add dst to address list add src to address list drop jump log passthrough reject return tarpit default accept action to undertake if the packet matches the rule accept accept the packet No action is taken i e the packet is passed through and no more rules are applied to it add dst to address list adds destination address of an IP packet to the address list specified by address list parameter add src to address list adds source address of an IP packet to the address list specified by address list parameter drop silently drop the packet without sending the ICMP reject message jump jump to the chain specified by the value of the jump target parameter log each match with this action will add a message to the system log passthrough ignores this rule and goes on to the next one reject reject the packet and send an ICMP reject message return passes control back to the chain from where the jump took place tarpit captures and holds incoming TCP connections replies with SYN ACK to the inbound TCP SYN p
394. ped together in chains It allows a packet to be matched against one common criterion in one chain and then passed over for processing against some other common criteria to another chain For example a packet should be matched against the IP address port pair Of course it could be achieved by adding as many rules with IP address port match as required to the forward chain but a better way could be to add one rule that matches traffic from a particular IP address e g lip firewall filter add src address 1 1 1 2 32 jump target mychain and in case of successfull match passes control over the IP packet to some other chain id est mychain in this example Then rules that perform matching against separate ports can be added to mychain chain without specifying the IP addresses There are three predefined chains which cannot be deleted e input used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router s addresses Packets passing through the router are not processed against the rules of the input chain e forward used to process packets passing through the router e output used to process packets originated from the router and leaving it through one of the interfaces Packets passing through the router are not processed against the rules of the output chain e When processing a chain rules are taken from the chain in the order they are listed there from top to bottom If a
395. port 500 that are to be delivered locally are not processed in incoming policy check Setup Procedure To get IPsec to work with automatic keying using IKE ISAKMP you will have to configure policy peer and proposal optional entries For manual keying you will have to configure policy and manual sa entries 8 8 2 Policy Settings Submenu level ip ipsec policy Description Policy table is needed to determine whether security settings should be applied to a packet Property Description action none discard encrypt default accept specifies what action to undertake with a packet that matches the policy none pass the packet unchanged discard drop the packet encrypt apply transformations specified in this policy and it s SA dont fragment clear inherit set default clear The state of the don t fragment IP header field clear clear unset the field so that packets previously marked as don t fragment can be fragmented This setting is recommended as the packets are getting larger when IPsec protocol is applied to them so 190 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide large packets with don t fragment flag will not be able to pass the router inherit do not change the field set set the field so that each packet matching the rule will not be fragmented Not recommended dst address IP address netmask port default 0 0 0 0 32 any
396. pptp server server Description The PPTP server creates a dynamic interface for each connected PPTP client The PPTP connection count from clients depends on the license level you have Levell license allows PPTP client Level3 or Level4 licenses up to 200 clients and Level5 or Level licenses do not have PPTP client limitations Property Description authentication multiple choice pap chap mschapl mschap2 default mschap2 authentication algorithm default profile default profile to use enabled yes no default no defines whether PPTP server is enabled or not keepalive timeout time default 30 defines the time period in seconds after which the router is starting to send keepalive packets every second If no traffic and no keepalive responses has came for that period of time i e 2 keepalive timeout not responding client is proclaimed disconnected max mru integer default 1460 Maximum Receive Unit The optimal value is the MRU of the interface the tunnel is working over decreased by 40 so for 1500 byte ethernet link set the MRU to 1460 to avoid fragmentation of packets max mtu integer default 1460 Maximum Transmission Unit The optimal value is the MTU of the interface the tunnel is working over decreased by 40 so for 1500 byte ethernet link set the MTU to 1460 to avoid fragmentation of packets mrru integer 512 65535 default disabled maximum packet size that can be received on the link
397. precedence over IP pools when specified as local address or remote address parameters Property Description bridge name bridge interface name which the PPP tunnel will automatically be added in case BCP negotiation will be successful i e in case both peers support BCP and have this parameter configured change tcp mss yes no default default default modifies TCP connection MSS settings yes adjust connection MSS value no do not atjust connection MSS value 142 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide default derive this value from the interface default profile same as no if this is the interface default profile dns server IP address 1 2 IP address of the DNS server to supply to clients idle timeout time specifies the amount of time after which the link will be terminated if there was no activity present There is no timeout set by default Os no link timeout is set incoming filter name firewall chain name for incoming packets Specified chain gets control for each packet coming from the client The ppp chain should be manually added and rules with action jump jump target ppp should be added to other relevant chains in order for this feature to work For more information look at the Examples section local address IP address name IP address or IP address pool name for PPP server name name PPP profile name only one yes
398. ption text add additional DHCP options from ip dhcp server option list You cannot redefine parameters which are already defined in this submenu Subnet Mask code 1 netmask Router code 3 gateway Domain Server code 6 dns server Domain Name code 15 domain NTP Servers code 42 ntp server NETBIOS Name Server code 44 wins server dns server text the DHCP client will use these as the default DINS servers Two comma separated DNS servers can be specified to be used by DHCP client as primary and secondary DNS servers domain text the DHCP client will use this as the DNS domain setting for the network adapter gateway IP address default 0 0 0 0 che default gateway to be used by DHCP clients netmask integer 0 32 default 0 the actual network mask to be used by DHCP client 0 netmask from network address is to be used next server IP address IP address of next server to use in bootstrap ntp server text the DHCP client will use these as the default NTP servers Two comma separated NTP servers can be specified to be used by DHCP client as primary and secondary NTP servers wins server text the Windows DHCP client will use these as the default WINS servers Two comma separated WINS servers can be specified to be used by DHCP client as primary and secondary WINS servers a The address field uses netmask to specify the range of addresses the given entry is valid for The actual netmask clients wi
399. quests from clients no DHCP really allowed 255 255 255 255 the DHCP server should be used for any incomming request from a DHCP relay except for those which are processed by another DHCP server that exists in the ip dhcp server submenu src address IP address default 0 0 0 0 the address which the DHCP client must send requests to in order to renew an IP address lease If there is only one static address on the DHCP server interface and 120 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide the source address is left as 0 0 0 0 then the static address will be used If there are multiple addresses on the interface an address in the same subnet as the range of given addresses should be used use radius yes no default no whether to use RADIUS server for dynamic leases Client will only receive DHCP lease case it is directly reachable by its MAC address through that interface some wireless bridges may change client s MAC address If authoritative property is set to yes the DHCP server is sending rejects for the leases it cannot bind or renew It also may although not always help to prevent the network users to run their own DHCP servers illicitly disturbing the proper way the network should be functioning If relay property of a DHCP server is not set to 0 0 0 0 the DHCP server will not respond to the direct requests from clients Example To add a
400. queue simple list to make a graphic for it Property Description allow address IP address netmask default 0 0 0 0 0 network which is allowed to view graphs of router health allow target yes no default yes whether to allow access to web graphing from IP range that is specified in queue simple target address simple queue name default all name of simple queue which will be monitored store on disk yes no default yes whether to store information about traffic on hard drive or not not the information will be stored RAM and will be lost after a reboot 264 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Example Add a simple queue to Grapher list with simple queue name queuel allow limited clients to access Grapher from web store information about traffic on disk admin AT WR4562 tool graphing queue add simple queue queuel allow address yes N Store on disk yes 12 4 6 Resource Graphing Submenu level tool graphing resource Description Provides with router resource usage information over a period of time e CPU usage e Memory usage Disk usage Property Description allow address IP address netmask default 0 0 0 0 0 network which is allowed to view graphs of router health store on disk yes no default yes whether to store information about traffic on hard drive or not If not the information
401. r 802 1 standard packets or it will gather only alignment packets ssid all yes no default no whether you want to accept packets from hosts with other ssid than yours Command Description test audio integer test the beeper for 10 seconds If you are using the command linterface wireless align monitor then it will automatically change the wireless interface s mode from station bridge or ap bridge to alignment only Example admin AT WR4562 interface wireless align print frame size 300 active mode yes receive all yes audio monitor 00 00 00 00 00 00 filter mac 00 00 00 00 00 00 Ssid all no frames per second 25 audio min 100 audio max 20 adminQ AT WR4562 interface wireless align 4 3 12 Align Monitor Command name interface wireless align monitor Description This command is used to monitor current signal parameters to from a remote host Property Description address read only MAC address MAC address of the remote host avg rxq read only integer average signal strength of received packets since last display update on screen correct read only percentage how many undamaged packets were received last rx read only time time in seconds before the last packet was received last tx read only time time in seconds when the last TXQ info was received rxq read only integer signal strength of last received packet ssid read only text servi
402. r cahce records In other words cache records will expire after cache max ttl time cache size integer 512 10240 default 2048KiB specifies the size of DNS cache in KiB cache used read only integer displays the currently used cache size in KiB primary dns IP address default 0 0 0 0 primary DNS server secondary dns IP address default 0 0 0 0 secondary DNS server If the property use peer dns under lip dhcp client is set to yes then primary dns under lip dns will change to a DNS address given by DHCP Server 130 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Example To set 159 148 60 2 as the primary DNS server and allow the router to be used as a DNS server do the following admin AT WR4562 ip dns set primary dns 159 148 60 2 N allow remote requests yes admin AT WR4562 ip dns print primary dns 159 148 60 2 secondary dns 0 0 0 0 allow remote requests yes cache size 2048KiB cache max ttl lw cache used 17KiB admin AT WR4562 ip dns 6 3 1 Cache Monitoring Submenu level ip dns cache Property Description address read only IP address IP address of the host name read only name DNS name of the host ttl read only time remaining time to live for the record 6 3 2 Static DNS Entries Submenu level ip dns static Description The RouterOS has an embedded DNS server featur
403. r protocol jump target name if action jump specified then specifies the user defined firewall chain to process the packet limit integer time 0 1 integer restricts packet match rate to a given limit Usefull to reduce the amount of log messages Count maximum average packet rate measured in packets per second pps unless followed by Time option Time specifies the time interval over which the packet rate is measured Burst number of packets to match in a burst log prefix text defines the prefix to be printed before the logging information mac protocol integer 802 2 arp ip ipv6 ipx rarp vlan Ethernet payload type MAC level protocol mark flow name marks existing flow packet type broadcast host multicast other host MAC frame type broadcast broadcast MAC packet host packet is destined to the bridge itself multicast multicast MAC packet other host packet is destined to some other unicast address not to the bridge itself src address IP address default 0 0 0 0 0 source IP address only if MAC protocol is set to IPv4 src mac address MAC address default 00 00 00 00 00 00 source MAC address src port integer 0 65535 source port number or range only for TCP or UDP protocols stp flags topology change topology change ack The BPDU Bridge Protocol Data Unit flags Bridge exchange configuration messages named BPDU peridiocally for preventing from loop topology ch
404. r side will not establish a connection uptime time connection time displayed in days hours minutes and seconds Example To monitor the pppoe outl connection adminQ AT WR4562 interface pppoe client monitor pppoe outl status connected uptime 6s idle time 6s encoding MPPE128 stateless Service name testSN ac name AT WR4562 ac mac 00 0C 42 04 00 73 mtu 1480 mru 1480 adminQ AT WR4562 interface pppoe client gt 8 6 4 PPPoE Server Setup Access Concentrator Submenu level interface pppoe server server Description The PPPoE server access concentrator supports multiple servers for each interface with differing service names Currently the throughput of the PPPoE server has been tested to 160 Mb s on a Celeron 600 CPU Using higher speed CPUs throughput should increase proportionately The access concentrator name and PPPoE service name are used by clients to identity the access concentrator to register with The access concentrator name is the same as the identity of the router displayed before the command prompt The identity may be set within the system identity submenu 174 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide If no service name is specified WindowsXP it will use only service with no name So if you want to serve WindowsXP clients leave your service name empty Property Description au
405. rce destination pairs from 192 168 0 0 24 goes through and 2 3 through ISP2 IP addresses of the router admin ECMP Router ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 192 168 0 254 24 192 168 0 0 192 168 0 255 Local 1 10 1 0 2 28 10 1 0 0 10 1 0515 Publicl 2 10 1 1 2 28 10 1 1 0 10 1 1 15 Public2 admin ECMP Router ip address gt Add the default routes one for ISPI and 2 for ISP2 so we can get the ratio 1 3 admin ECMP Router ip route add gateway 10 1 0 1 10 1 1 1 10 1 1 1 admin ECMP Router ip route print Flags X disabled A active D dynamic C connect S static r rip b bgp o ospf DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 ADC 10 1 0 0 28 Publicl 1 ADC 10 1 1 0 28 Public2 2 ADC 192 168 0 0 24 Local 3 8 0 0 0 070 10 1 0 1 Publicl 011 1 Public2 rfr Public2 admin ECMP Router ip route Standard Policy Based Routing with Failover This example will show how to route packets using an administrator defined policy The policy for this setup is the following route packets from the network 192 168 0 0 24 using gateway 10 0 0 1 and packets from network 192 168 1 0 24 using gateway 10 0 0 2 If does not respond to pings use Backup for network 192 168 0 0 24 if GW 2 does not respond to pings use Backup also for network 192 168 1 0 24 instead of GW 2 The
406. rce destination IP address from supplied range for each connection This is most frequently used for services that expect the same client address for multiple connections from the same client src nat replaces source address of an IP packet to values specified by to addresses and to ports parameters address list name specifies the name of the address list to collect IP addresses from rules having action add dst to address list or action add src to address list actions These address lists could be later used for packet matching address list timeout time default 00 00 00 time interval after which the address will be removed from the address list specified by address list parameter Used in conjunction with add dst to address list or add src to address list actions 00 00 00 leave the address in the address list forever chain dstnat srcnat name specifies the chain to put a particular rule into As the different traffic is passed through different chains always be careful in choosing the right chain for a new rule If the input does not match the name of an already defined chain a new chain will be created dstnat a rule placed in this chain is applied before routing The rules that replace destination addresses of IP packets should be placed there srcnat a rule placed in this chain is applied after routing The rules that replace the source addresses of IP packets should be placed there comment text a descriptive comment f
407. rds short support short cables standard same as default AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 33 RouterOS v3 Configuration and User Guide full duplex yes no whether transmission of data occurs in two directions simultaneously rate 10 Mbps 100 Mbps 1 Gbps the actual data rate of the connection status link ok no link unknown status of the interface one of the link ok the card is connected to the network no link the card is not connected to the network cable is not plugged in or faulty unknown the connection is not recognized if the card does not report connection status See the IP Addresses and ARP section of the manual for information how to add IP addresses to the interfaces Example admin AT WR4562 interface ethernet monitor etherl ether2 Status link ok link ok auto negotiation done done rate 100Mbps 100Mbps default cable setting standard standard 4 2 4 Troubleshooting Description Interface monitor shows wrong information In some very rare cases it is possible that the device driver does not show correct information but it does not affect the NIC s performance of course if your card is not broken 4 3 Wireless Interfaces 4 3 1 General Information Summary This manual discusses management of the Atheros chipset based wireless interfaces of the AT WR4500 Series wireless routers that comply with IEEE 802 11 s
408. re is a sufficient amount of free IP addresses in IP pool Local HotSpot user database non fatal errors e invalid username or password self explanatory e user is not allowed to log in from this MAC address trying to log in from a address different from specified in user database Solution log in from the correct MAC address or take out the limitation e user username has reached uptime limit self explanatory e user username has reached traffic limit either limit bytes in or limit bytes out limit is reached no more sessions are allowed for user username the shared users limit for the user s profile is reached Solution wait until someone with this username logs out use different login name or extend the shared users limit AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 243 RouterOS v3 Configuration and User Guide RADIUS client non fatal errors e invalid username or password RADIUS server has rejected the username and password sent to it without specifying a reason Cause either wrong username and or password or other error Solution should be clarified in RADIUS server s log files e lt error_message_sent_by_radius_server gt this may be any message any text string sent back by RADIUS server Consult with your RADIUS server s documentation for further information RADIUS client fatal errors e RADIUS server is not responding user is being authenticated by RADIUS s
409. read only flag whether the user was authenticated via RADIUS server read only name the particular HotSpot server the used is logged on at session time left read only time the exact value of session time left that applies to this user This property shows how long should the user stay logged in see uptime for it to be logged off automatically uptime read only time current session time of the user i e how long has the user been logged in user read only name name of the user 248 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Example To get the list of active users admin AT WR4562 ip hotspot active print Flags R radius B blocked USER ADDRESS 0 ex 10 0 0 144 admin AT WR4562 ip hotspot active UPTIME 41175 SESSION TIMEOUT IDLE TIMEOUT 55m43s AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 249 RouterOS v3 Configuration and User Guide I High Availability protocols and techniques am VRRP 1 1 1 General Information Summary Virtual Router Redundancy Protocol VRRP implementation in the RouterOS is RFC2338 compliant VRRP protocol is used to ensure constant access to some resources Two or more routers referred as VRRP Routers in this context create a highly available cluster also referred as Virtual routers with dynamic fail over Each router can participate in not more than 255 virtua
410. reased by 40 so for 1500 byte Ethernet link set the MTU to 1460 to avoid fragmentation of packets mrru integer 512 65535 default disabled maximum packet size that can be received on the link If a packet is bigger than tunnel MTU it will be split into multiple packets allowing full size IP or Ethernet packets to be sent over the tunnel disabled disable MRRU on this link name name default pptp outN interface name for reference password text default user password to use when logging to the remote server profile name default default profile to use when connecting to the remote server user text user name to use when logging on to the remote server Specifying MRRU means enabling MP Multilink PPP over single link This protocol is used to split big packets into smaller ones Under Windows it can be enabled in Networking tag Settings button Negotiate multi link for single link connections Their MRRU is hardcoded to 1614 This setting is usefull to overcome PathMTU discovery failures The MP should be enabled on both peers Example To set up PPTP client named test2 using unsername john with password john to connect to the 10 1 1 12 PPTP server and use it as the default gateway admin AT WR4562 interface pptp client gt add name test2 connect to 10 1 1 12 user john add default route yes password john admin AT WR4562 interface pptp client gt print Flags X disabled
411. requested address is not available from this server after 2sec delay to clients request for an address dhcp server will wait 2 seconds and if there is another request from the client after this period of time then dhcp server will offer the address to the client or will send DHCPNAK if the requested address is not available from this server no dhcp server ignores clients requests for addresses that are not available from this server yes to clients request for an address that is not available from this server dhcp server will send negative acknowledgment DHCPNAK bootp support none static dynamic default static support for BOOTP clients none do not respond to BOOTP requests static offer only static leases to BOOTP clients dynamic offer static and dynamic leases for BOOTP clients delay threshold time default none if secs field in DHCP packet is smaller than delay threshold then this packet is ignored none there is no threshold all DHCP packets are processed interface name Ethernet like interface name lease time time default 72h the time that a client may use the assigned address The client will try to renew this address after a half of this time and will request a new address after time limit expires name name reference name relay IP address default 0 0 0 0 the IP address of the relay this DHCP server should process requests from 0 0 0 0 the DHCP server will be used only for direct re
412. resses used for one point to another point transmission There is only one sender and one receiver in this case local match addresses assigned to router s interfaces broadcast the IP packet is sent from one point to all other points in the IP subnetwork multicast this type of IP addressing is responsible for transmission from one or more points to a set of other points dst limit integer time 0 integer dst address dst port src address time 0 limit the packet per second pps rate on a per destination IP or per destination port base As opposed to the limit match every destination IP address destination port has it s own limit The options are as follows in order of appearance count maximum average packet rate measured in packets per second pps unless followed by time option time specifies the time interval over which the packet rate is measured burst number of packets to match in a burst mode the classifier s for packet rate limiting expire specifies interval after which recorded IP addresses ports will be deleted dst port integer 0 65535 integer 0 65535 destination port number or range fragment yes no whether the packet is a fragment of an IP packet Starting packet i e first fragment does not count Note that is the connection tracking is enabled there will be no fragments as the system automatically assembles every packet hotspot multiple choice auth from client http
413. rewall mangle add chain prerouting Nes src mac address 00 01 29 60 36 E7 action mark connection new connection mark known mac conn admin AT WR4562 gt ip firewall mangle add chain prerouting connection mark known mac conn action mark packet new packet mark known mac 210 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Change MSS It is a well known fact that VPN links have smaller packet size due to incapsulation overhead A large packet with MSS that exceeds the MSS of the VPN link should be fragmented prior to sending it via that kind of connection However if the packet has DF flag set it cannot be fragmented and should be discarded On links that have broken path MTU discovery PMTUD it may lead to a number of problems including problems with FTP and HTTP data transfer and e mail services In case of link with broken PMTUD a decrease of the MSS of the packets coming through the VPN link solves the problem The following example demonstrates how to decrease the MSS value via mangle admin AT WR4562 gt ip firewall mangle add out interface pppoe out protocol tcp tcp flags syn action change mss new mss 1300 chain forward admin AT WR4562 gt ip firewall mangle print Flags X disabled I invalid D dynamic 0 chain forward out interface pppoe out protocol tcp tcp flags syn action change mss new mss 1300 admin AT WR4562 gt
414. rger that further reduces this maximum hop count 94 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Example To enable RIP protocol to redistribute the routes to the connected networks admin AT WR4562 routing rip set redistribute connected yes admin AT WR4562 routing rip print distribute default never redistribute static no redistribute connected no redistribute ospf no redistribute bgp no metric default 1 metric static 1 metric connected 1 metric ospf 1 metric bgp 1 update timer 30s timeout timer 3m garbage timer 2m admin AT WR4562 routing rip 5 2 3 Interfaces Submenu level routing rip interface Description In general you do not have to configure interfaces in order to run RIP This command level is provided only for additional configuration of specific RIP interface parameters Property Description interface name default all interface on which RIP runs all sets defaults for interfaces not having any specific settings send vl 1 2 v2 default v2 specifies RIP protocol update versions to distribute receive vl v1 2 v2 default v2 specifies RIP protocol update versions the router will be able to receive authentication none simple md5 default none specifies authentication method to use for RIP messages none no authentication performed simple plain text authe
415. riables if var name statements can be used in theses pages Following content will be included if value of var name will not be an empty string It is an equivalent to 5 if var name t is possible to compare on equivalence as well 1 var name lt value gt These statements have effect until elif var name else or endif In general case it looks like this some content which will always be displayed if username john Hey your username is john S elif username dizzy Hello Dizzy How are you Your administrator 11 ip 10 1 2 3 You are sitting at that crappy computer which is damn slow S elif mac 00 01 02 03 04 05 This is an ethernet card which was stolen few months ago else I don t know who you are so lets live in peace endif other content which will always be displayed Only one of those expressions will be shown Which one depends on values of those variables for each client Customizing Error Messages All error messages are stored in the errors txt file within the respective HotSpot servlet directory You can change and translate all these messages to your native language To do so edit the errors txt file You can also use variables in the messages All instructions are given in that file Multiple Versions of HotSpot Pages Multiple hotspot page sets for the same hotspot server are supported They can be chosen by
416. ries read only integer the maximum number of connections the connection state table can contain depends on an amount of total memory tcp close timeout time default 105 maximal amount of time connection tracking entry will survive after having seen connection reset request RST or an acknowledgment ACK of the connection termination request from connection release initiator tcp close wait timeout time default 10s maximal amount of time connection tracking entry will survive after having seen an termination request FIN from responder tcp established timeout time default 4 maximal amount of time connection tracking entry will survive after having seen an acknowledgment ACK from connection initiator tcp fin wait timeout time default 10s maximal amount of time connection tracking entry will survive after having seen connection termination request FIN from connection release initiator tcp syn received timeout time default maximal amount of time connection tracking entry will survive after having seen a matching connection request SYN tcp syn sent timeout time default Im maximal amount of time connection tracking entry will survive after having seen a connection request SYN from connection initiator tcp syncookie yes no default no enable TCP SYN cookies for connections destined to the router itself this may be useful for HotSpot and tunnels tcp time wait timeout time default 10s max
417. rimary and secondary servers respectively In case one DNS server was received it is put as primary server and the secondary server is left intact Example To add a DHCP client on ether interface ip dhcp client add interface etherl disabled no admin AT WR4562 dhcp client gt print detail Flags X disabled I invalid 0 interface etherl add default route yes use peer dns yes use peer ntp yes status bound address 192 168 0 65 24 gateway 192 168 0 1 dhcp server 192 168 0 1 primary dns 192 168 0 1 primary ntp 192 168 0 1 expires after 9m44s admin AT WR4562 dhcp client 6 1 3 DHCP Server Setup Submenu level ip dhcp server Description The router supports an individual server for each Ethernet like interface The RouterOS DHCP server supports the basic functions of giving each requesting client an IP address netmask lease default gateway domain name DNS server s and WINS server s for Windows clients information set up in the DHCP networks submenu In order DHCP server to work you must set up also IP pools do not include the DHCP server s IP address into the pool range and DHCP networks It is also possible to hand out leases for DHCP clients using the RADIUS server here are listed the parameters for used in RADIUS server Access Request NAS Identifier router identity NAS IP Address IP address of the router itself e NAS Port unique session ID e NAS Port Type Ethernet
418. rint INTERFACE RADIO NAME MAC ADDRESS AP SIGNAL TX RATE 0 wlanl 000C42185C3D 00 0C 42 18 5C 3D no 38dBm 54Mbps admin AT WR4562 interface wireless registration table gt AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 45 RouterOS v3 Configuration and User Guide To get additional statistics admin AT WR4562 interface wireless registration table print stats 0 interface wlanl radio name 000C42185C3D mac address 00 0C 42 18 5C 3D ap no wds no rx rate 1Mbps tx rate 54Mbps packets 696 4147 bytes 5589 96698 frames 696 4147 frame bytes 5589 71816 hw frames 770 4162 hw frame bytes 24661 171784 tx frames timed out 0 uptime 3h50m35s last activity 2s440ms signal strength 38dBm01Mbps signal to noise 54dB strength at rates 38dBm 1Mbps 2s440ms 37dBm 2Mbps 3h50m35s180ms 37dBm 5 5Mbps 3h50m23s330ms 36dBm811Mbps 3h45m8s330ms 37dBm 9Mbps 3h44m13s340ms 36dBm 12Mbps 3h43m55s170ms 36dBm 18Mbps 3h43m43s340ms 36dBm824Mbps 3h43m25s180ms 37dBm 36Mbps 3h43m8s130ms 42dBm 48Mbps 55s180ms 41dBm 54Mbps 3s610ms tx signal strength 43dBm tx ccq 66 rx ccq 88 p throughput 30119 ack timeout 56 nstreme no framing mode none routeros version 3 0 ap tx limit 0 client tx limit 0 802 1x port enabled yes compression no wmm enabled no adminGAT WR4562 interface wireless 4 3 6 Connect List Submenu level interface wireless connect list Description The Connect List is a list of rules order is import
419. rks just like a station but connects only to APs that support WDS This example shows you how to make a transparent network using the Station WDS feature Interface WDS AP SSID wds sta test Figure 6 WDS Network example On WDS Access Point AT WR4500 Series RouterOS v3 Configuration and User Guide IEEE 802 1 labgh Outdoor Wireless Routers 63 Configure AP to support WDS connections Set wds default bridge to bridge On WDS station Configure it as a WDS Station using mode station wds Configure the WDS Access Point Configure the wireless interface and put it into a bridge and define that the dynami WDS links should be automatically put into the same bridge admin8WDS A admin8WDS A admin8WDS A p p Flags X di 0 name b priorit garbage p adminQGWDS A adminQ8WDS A admin8WDS A adminQ8WDS A wds mode d frequency admin8WDS A Flags X di 0 p p p p disable name w interface bridge interface bridge add interface bridge print sabled R running ridgel mtu 1500 arp enabled mac address B0 62 0D 08 FF FF stp no y 32768 ageing time 5m forward delay 15s collection interval 4s hello time 2s max message age 20s interface bridge port interface bridge port add interface etherl bridge bridgel interface bridge port interface wireless interface wireless set wlanl mode ap bridge ssid wds sta test ynamic
420. rmation 145 7 3 2 Router User Groups et entente 146 7 3 3 Router eec ee OG NR OG ROG diede 147 7 3 4 Monitoring Active Router 0 148 7 3 5 Router User Remote 148 7 3 6 SOTA 149 EEUU 150 8 1 Dc 150 8 1 1 General Information c ccccsccsssssssssesesssssscsesssssscsesesssssscsesesesssseseseseeesesssesesssseseseseeneseseseseesens 150 8 1 2 EolP Setup a a 151 8 1 3 EolP Application 2 152 8 1 4 Treublesliootlng e te E DE 153 82 interface 154 8 3 General Information 2 ete e dede te eed e ede eR d 154 8 3 1 SUMIMALY E CDS 154 8 3 2 Quick Setup Guide ene adobe ee de e ie 154 8 3 3 Related ERROR ER e seus east aee ee b ds 154 8 4 IPIP Turinellriterfaces rre ttt um eec cata te ee vet e 158 8 4 1 General INFOrmation eee eee e ene an etos re ve e ee e tid 158 8 4 2 lite 159 8 4 3 tee dee eet eerte ee se Lp te eai ba seb debida 160 85 EZTP Intetface z ioi te a dte dese eade i eese teo leves tease vas Dota 161
421. rom the Internet will be possible to the Local addresses If you want to allow connections to the server on the local network you should use destination Network Address Translation NAT Example of Destination NAT If you want to link Public IP 10 5 8 200 address to Local one 192 168 0 109 you should use destination address translation feature of the RouterOS router Also if you want allow Local server to talk with outside with given Public IP you should use source address translation too Add Public IP to Public interface ip address add address 10 5 8 200 32 interface Public Add rule allowing access to the internal server from external networks ip firewall nat add chain dstnat dst address 10 5 8 200 action dst nat to addresses 192 168 0 109 Add rule allowing the internal server to talk to the outer networks having its source address translated to 10 5 8 200 ip firewall nat add chain srcnat src address 192 168 0 109 to addresses 10 5 8 200 Example of one to one mapping If you want to link Public IP subnet 11 11 11 0 24 to local one 2 2 2 0 24 you should use destination address translation and source address translation features with action netmap ip firewall nat add chain dstnat dst address 11 11 11 1 11 11 11 254 action netmap to addresses 2 2 2 1 2 2 2 254 ip firewall nat add chain srcnat src address 2 2 2 1 2 2 2 254 action netmap to addresses 11
422. rosoft Point to Point Encryption to make encrypted links The purpose of this protocol is to allow the Layer 2 and PPP endpoints to reside on different devices interconnected by a packet switched network With L2TP a user has a Layer 2 connection to an access concentrator LAC e g modem bank ADSL DSLAM etc and the concentrator then tunnels individual PPP frames to the Network Access Server NAS This allows the actual processing of PPP packets to be separated from the termination of the Layer 2 circuit From the user s perspective there is no functional difference between having the L2 circuit terminate in a NAS directly or using L2TP It may also be useful to use L2TP just as any other tunneling protocol with or without encryption The L2TP standard says that the most secure way to encrypt data is using L2TP over IPsec Note that it is default mode for Microsoft L2TP client as all L2TP control and data packets for a particular tunnel appear as homogeneous UDP IP data packets to the IPsec system Multilink PPP MP is supported in order to provide MRRU the ability to transmit full sized 1500 and larger packets and bridging over PPP links using Bridge Control Protocol BCP that allows to send raw Ethernet frames over PPP links This way it is possible to setup bridging without EolP The bridge should either have an administratively set MAC address or an Ethernet like interface in it as PPP links do not have MAC addresses A This is
423. rough the gateway A leaving all the rest so Peer to Peer traffic also to use the gateway B it is not important which gateway is which it is only important to keep Peer to Peer together with all traffic except the specified protocols Example To add the rule specifying that all the packets from the 10 0 0 144 host should lookup the at routing table admin AT WR4562 ip firewall mangle add action mark routing new routing mark at chain prerouting admin AT WR4562 ip route add gateway 10 0 0 254 routing mark mt admin AT WR4562 ip route rule add src address 10 0 0 144 32 table mt action lookup admin AT WR4562 ip route rule print Flags X disabled I invalid 0 Src address 192 168 0 144 32 action lookup table mt admin AT WR4562 ip route rule 5 4 4 Application Examples Static Equal Cost Multi Path routin Consider the following situation where we have to route packets from the network 192 168 0 0 24 to 2 gateways 10 1 0 1 and 10 1 1 1 10 1 0 1 28 2 Mbps Interface Public2 IP 10 1 1 2 28 Interface Publicl IP 10 1 0 2 28 Interface Local IP 192 168 0 1 24 192 168 0 0 24 Figure 16 Static Equal Cost Multi Path Routing example 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide gives us 2Mbps and ISP2 4Mbps so we want a traffic ratio 1 2 1 3 of the sou
424. router settings never do not send own default route to other routers if installed as type I send the default route with type metric only if it has been installed a static default route or route added by DHCP PPP etc if installed as type 2 send the default route with type 2 metric only if it has been installed a static default route or route added by DHCP PPP etc always as type I always send the default route with type metric always as type 2 always send the default route with type 2 metric metric bgp integer default 20 specifies the cost of the routes learned from BGP protocol metric connected integer default 20 specifies the cost of the routes to directly connected networks metric default integer default 1 specifies the cost of the default route metric rip integer default 20 specifies the cost of the routes learned from RIP protocol metric static integer default 20 specifies the cost of the static routes redistribute bgp as type as type 2 no default with this setting enabled the router will redistribute the information about all routes learned by the BGP protocol redistribute connected as type as type 2 no default no if set the router will redistribute the information about all connected routes i e routes to directly reachable networks redistribute rip 5 as type 2 no default no with this setting enabled the router will redistribute th
425. rp You can specify multiple IP addresses separated by comma down delay time default 00 00 00 if a link failure has been detected bonding interface is disabled for down delay time Value should be a multiple of mii interval lacp rate 15 30secs default 30secs Link Aggregation Control Protocol rate specifies how often to exchange with LACPDUs between bonding peer Used to determine whether link is up or other changes have occured in the network LACP tries to adapt to these changes providing failover link monitoring arp mii typel mii type2 none default none method to use for monitoring the link whether it is up or down arp uses Address Resolution Protocol to determine whether the remote interface is reachable mii typel uses Media Independent Interface typel to determine link status Link status determenation relies on the device driver If bonding shows that the link status is up when it should not be then it means that this card don t support this possibility mii type2 uses MII type2 to determine link status used if mii typel is not supported by the NIC none no method for link monitoring is used If a link fails it is not considered as down but no traffic passes through it thus mac address read only MAC address MAC address of the bonding interface mii interval time default 00 00 00 100 how often to monitor the link for failures parameter used only if link monitoring is mii typel or mii type
426. rsions of additional packages should match the version number of the system software package The version of the RouterOS system software and the build number are shown before the console login prompt Information about the version numbers and build time of the installed RouterOS software packages can be obtained using the system package print command 3 3 3 Uninstallation Command name system package uninstall Description Usually you do not need to uninstall software packages However if you have installed a wrong package or you need additional free space to install a new one you have to uninstall some unused packages 24 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide If a package is marked for uninstallation but it is required for another dependent package then the marked package cannot be uninstalled You should uninstall the dependent package too For the list of package dependencies see the Software Package List section below The system package will not be uninstalled even if marked for uninstallation Example Suppose we need to uninstall security package from the router admin AT WR4562 system package print Flags X disabled NAME routeros rb500 system ipv6 ntp VERSION SCHEDULED 3 3 3 3 wireless 3 3 3 3 9 3 3 0 dhcp routing routerboard advanced tools hotspot 10 ppp 11 s
427. rst method listed is rejected the next one is tried Stations will accept first proposed method that will be on the list eap tls Use TLS certificates for authentication passthrough relay the authentication process to the RADIUS server not used by the stations group ciphers multiple choice tkip aes ccm a set of ciphers used to encrypt frames sent to all wireless station broadcast transfers in the order of preference tkip Temporal Key Integrity Protocol encryption protocol compatible with lagacy WEP equipment but enhanced to correct some of WEP flaws aes ccm more secure WPA encryption protocol based on the reliable AES Advanced Encryption Standard Networks free of WEP legacy should use only this group key update time default 5m how often to update group key This parameter is used only if the wireless card is configured as an Access Point interim update time default update interval for RADIUS accounting if RADIUS server has not provided different value mode none static keys optional static keys required dynamic keys default none security mode none do not encrypt packets and do not accept encrypted packets static keys optional if there is a static sta private key set use it Otherwise if the interface is set in an AP mode do not use encryption if the the interface is in station mode use encryption if the static transmit key is set static keys required encrypt all packets and accept only
428. rticular Nth packet received by the rule One of 16 available counters can be used to count packets 208 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide every match every th packet For example if every I then the rule matches every 2nd packet counter specifies which counter to use A counter increments each time the rule containing nth match matches packet match on the given packet number The value by obvious reasons must be between 0 and every If this option is used for a given counter then there must be at least 1 rules with this option covering all values between 0 and every inclusively out bridge port name actual interface the packet is leaving the router through if bridged this property matches the actual bridge port while out interface the bridge itself out interface name interface the packet is leaving the router through if the interface is bridged then the packet will appear to leave through the bridge interface itself p2p all p2p bit torrent direct connect edonkey fasttrack gnutella soulseek warez winmx match packets belonging to connections of the above P2P protocols packet mark name match the packets marked in mangle with specific packet mark packet size integer 0 65535 integer 0 65535 0 1 matches packet of the specified size or size range in bytes min specifies lower boundary of the
429. rtise interval is used to schedule next advertisement If status page is unable to display an advertisement for configured timeout starting from moment when it is scheduled to be shown client access is blocked within walled garden as unauthorized clients are Client is unblocked when the scheduled page is finally shown Note that if popup windows are blocked in the browser the link on the status page may be used to open the advertisement manually While client is blocked FTP and other services will not be allowed Thus requiring client to open an advertisement for any Internet activity not especially allowed by the Walled Garden Accounting The HotSpot system implement accounting internally you are not required to do anything special for it to work The accounting information for each user may be sent to a RADIUS server Configuration menus hotspot HotSpot servers on particular interfaces one server per interface HotSpot server must be added in this menu in order for HotSpot system to work on an interface e hotspot profile HotSpot server profiles Settings which affect login procedure for HotSpot clients are configured here More than one HotSpot servers may use the same profile e hotspot host dynamic list of active network hosts on all HotSpot interfaces Here you can also find IP address bindings of the one to one NAT e hotspot ip binding rules for binding IP addresses to hosts on hotspot interfac
430. s 13 0 Kbps 0 0 bps xt iO Q C4 xt OD OO lt CJ xt OD C xt O QO C xf ipis eis fei do on Minus is ger n c rn Rt il e oer CARNALITER ET CJ C CJ CJ CJ CJ CJ CJ C CJ CJ C CJ C C C C 9 HY LIES E LEE ELE ELE LIE ELE LE LEER ELE Figure 38 Network load profile by time Global TCP UDP Protocol Distribution TCP UDP Protocol Percentage 255 6 MB 204 5 other ElTelnet 153 4 MB 102 3 MB Figure 39 Traffic Load by protocol 262 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 12 4 Graphing 12 4 1 General Information Summary Graphing is a tool which is used for monitoring various RouterOS parameters over a period of time Specifications Packages required system routerboard optional License required Level Submenu level tool graphing Hardware usage Not significant Description The Graphing tool can display graphics for Routerboard health voltage and temperature e Resource usage CPU Memory and Disk usage e Traffic which is passed through interfaces e Traffic which is passed through simple queues Graphing consists of two parts first part collects information and other part displays data in a Web page To access the graphics type http Router IP address graphs and choose a graphic t
431. s 10 0 103 1 remote address 10 0 103 2 routes admin HomeOffice ppp secret Then the user should be added in the L2TP server list admin HomeOffice interface l2tp server add user ex admin HomeOffice interface l2tp server print Flags X disabled D dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME ENC 0 l2tp inl ex admin HomeOffice interface l2tp server AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 167 RouterOS v3 Configuration and User Guide And finally the server must be enabled admin HomeOffice interface l2tp server server set enabled yes admin HomeOffice interface l2tp server server print enabled yes mtu 1460 mru 1460 authentication mschap2 default profile default admin8 HomeOffice interface l2tp server server Add a L2TP client to the RemoteOffice router admin RemoteOffice interface 12tp client gt add connect to 192 168 80 1 user ex N password lkjrht disabled no admin RemoteOffice interface 12tp client gt print Flags X disabled R running 0 name 12tp out1 mtu 1460 mru 1460 mrru disabled connect to 192 168 80 1 user ex password lkjrht profile default add default route no allow pap chap mschapl mschap2 admin8 RemoteOffice interface l2tp client Thus a L2TP tunnel is created between the routers This tunnel is like an Ethernet point to point connection between the routers with IP addre
432. s also a RouterOS Router 0 no limits forwarding yes no default yes whether to forward the client s frames to other wireless clients interface name name of the respective interface mac address MAC address MAC address of the client can be 00 00 00 00 00 00 for any client private algo lO4bit wep 40bit wep none which encryption algorithm to use private key text default private key of the client Used for private algo private pre shared key text private preshared key for that station in case any of the PSK authentication methods were used signal range integer signal strength range in dBm Rule is matched if the signal from AP is within this range time time rule is only matched during the specified period of time If you have default authentication action for the interface set to yes you can disallow this node to register at the AP s interface wlanN by setting authentication no for it Thus all nodes except this one will be able to register to the interface wlanN If you have default authentication action for the interface set to no you can allow this node to register at the AP s interface wlanN by setting authentication yes for it Thus only the specified nodes will be able to register to the interface wlanN Example To allow authentication and forwarding for the client 00 01 24 70 3A BB from the wlan interface using WEP 40bit algorithm with the key 1234567890 admin A
433. s installed select Dial up Networking and Create a new connection The option to create a VPN should be selected If there is no VPN options then follow the installation instructions below When asked for the Host name or IP address of the VPN server type the IP address of the router Double click on the new icon and type the correct user name and password must also be in the user database on the router or RADIUS server used for authentication The setup of the connections takes nine seconds after selection the connect button It is suggested that the connection properties be edited so that NetBEUI IPX SPX compatible and Log on to network unselected The setup time for the connection will then be two seconds after the connect button is selected To install the Virtual Private Networking support for Windows 98SE go to the Setting menu from the main Start menu Select Control Panel select Add Remove Program select the Windows setup tab select the Communications software for installation and Details Go to the bottom of the list of software and select Virtual Private Networking to be installed 8 7 8 Troubleshooting Description use firewall and cannot establish PPTP connection Make sure the TCP connections to port 1723 can pass through both directions between your sites Also IP protocol 47 should be passed through 8 8 IP Security 8 8 1 General Information Specifications Pack
434. s interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both 1 name V AP mtu 1500 mac address 00 0C 42 12 34 56 arp enabled disable running check no interface type virtual AP master interface wlanl ssid virtual test area max station count 2007 wds mode disabled wds default bridge none wds ignore ssid no default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default admin VAP interface wireless When scanning from another router for an AP you will see that you have 2 Access Points instead of one admin AT WR4562 interface wireless scan Station Flags A active B bss P privacy R routeros network N nstreme ADDRESS SSID BAND FREQ SIG RADIO NAME 00 0C 42 12 34 56 virtual test 2 4ghz g 2437 72 000C42050022 AB R 00 0C 42 05 00 22 test 2 4ghz g 2437 72 000C42050022 quit D dump C z pause admin AT WR4562 interface wireless The master interface must be configured as an Access Point ap bridge or bridge mode 66 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Nstreme This example shows you how to configure a point to point Nstreme link Nstreme 2
435. s of the other bridges The root bridge is the bridge with lowest bridge ID Additional Resources http www ieee802 org pages 802 D html http en wikipedia org wiki IEEE_802 1D http ebtables sourceforge net 4 5 2 Bridge Interface Setup Submenu level interface bridge Description To combine a number of networks into one bridge a bridge interface should be created later all the desired interfaces should be set up as its ports One MAC address will be assigned to all the bridged interfaces the smallest MAC address will be chosen automatically AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 79 RouterOS v3 Configuration and User Guide Property Description admin mac MAC address MAC address assigned to the bridge if auto mac no ageing time time default 5m how long a host information will be kept in the bridge database arp disabled enabled proxy arp reply only default enabled Address Resolution Protocol setting auto mac yes no default yes if yes bridge use the lowest MAC address available from its ports else use the MAC address specifed in the admin mac field forward delay time default 15 time which is spent during the initialization phase of the bridge interface i e after router startup or enabling the interface in listening learning state before the bridge will start functioning normally mac address read only MAC address MAC address for the int
436. s used to detect that client is not using outer networks e g Internet i e there is NO TRAFFIC coming from that client and going through the router Reaching the timeout user will be logged out dropped of the host list the address used by the user will be freed and the session time accounted will be decreased by this value none do not timeout idle users incoming filter name name of the firewall chain applied to incoming packets from the users of this profile incoming packet mark name packet mark put on all the packets from every user of this profile automatically keepalive timeout time none default 00 02 00 keepalive timeout for authorized clients Used to detect that the computer of the client is alive and reachable If check will fail during this period user will be logged out dropped of the host list the address used by the user will be freed and the session time accounted will be decreased by this value none do not timeout unreachable users name name profile reference name on login text default script name to launch after a user has logged in on logout text default script name to launch after a user has logged out open status page always http login default always whether to show status page also for users authenticated using mac login method Useful if you want to put some information for example banners or popup windows in the alogin html page so that all users would see it
437. sa pub user admin ssh admin AT WR4562 user ssh keys gt print USER KEY OWNER 0 admin ssh admin ssh test admin AT WR4562 user ssh keys 150 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 8 VPNs andTunneling 8 1 EolP 8 1 1 General Information Summary Ethernet over IP EolP Tunneling is a RouterOS protocol that creates an Ethernet tunnel between two routers on top of an IP connection The EolP interface appears as an Ethernet interface When the bridging function of the router is enabled all Ethernet traffic all Echernet protocols will be bridged just as if there where a physical Ethernet interface and cable between the two routers with bridging enabled This protocol makes multiple network schemes possible Network setups with EolP interfaces e Possibility to bridge LANs over the Internet e Possibility to bridge LANs over encrypted tunnels e Possibility to bridge LANs over 802 1 b ad hoc wireless networks Quick Setup Guide To make an EolP tunnel between 2 routers which have IP addresses 10 5 8 1 and 10 1 0 1 On router with IP address 10 5 8 1 add an EolP interface and set its MAC address interface eoip add remote address 10 1 0 1 tunnel id 1 mac address 00 00 5E 80 00 01 disabled no On router with IP address 10 1 0 1 add an EolP interface and set its MAC address interface eoip add remote address 10 5 8 1 tunnel i
438. secs field in DHCP packet is smaller than delay threshold then this packet is ignored dhcp server text list of DHCP servers IP addresses which should the DHCP requests be forwarded to interface name interface name the DHCP relay will be working on local address IP address default 0 0 0 0 the unique IP address of this DHCP relay needed for DHCP server to distinguish relays 0 0 0 0 the IP address will be chosen automatically name name descriptive name for relay DHCP relay does not choose the particular DHCP server the dhcp server list it just sent to all the listed servers AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 125 RouterOS v3 Configuration and User Guide Example To add a DHCP relay named relay on ether interface resending all received requests to the 10 0 0 1 DHCP server admin AT WR4562 ip dhcp relay gt add name relay interface etherl dhcp server 10 0 0 1 disabled no admin AT WR4562 ip dhcp relay print Flags X disabled I invalid NAME INTERFACE DHCP SERVER LOCAL ADDRESS 0 relay etherl TOU 0 0 0 0 adminQ AT WR4562 ip dhcp relay gt 6 1 10 Questions amp Answers Command name ip dhcp server setup Questions addresses to give out text the pool of IP addresses DHCP server should lease to the clients dhcp address space IP address netmask default 192 168 0 0 24 network the DHCP server will lease
439. ser to reload refresh the login page usually helps if JavaScript is enabled and login html page is valid e invalid username username this MAC address is not yours trying to log in using a MAC address username different from the actual user s MAC address Solution no users with usernames that look like a MAC address eg 12 34 56 78 9a bc may only log in from the MAC address specified as their user name e session limit reached error orig depending on licence number of active hotspot clients is limited to some number The error is displayed when this limit is reached Solution try to log in later when there will be less concurrent user sessions or buy an another license that allows more simultaneous sessions e hotspot service is shutting down RouterOS is currently being restarted or shut down Solution wait until the service will be available again General fatal errors e internal error error orig this should never happen If it will error page will be shown displaying this error message error orig will describe what has happened Solution correct the error reported e configuration error error orig the HotSpot server is not configured properly error orig will describe what has happened Solution correct the error reported e cannot assign ip address no more free addresses from pool unable to get an IP address from an IP pool as there is no more free IP addresses in that pool Solution make sure the
440. somebody tries to connect Example To set a RADIUS server for HotSpot and PPP services that has 10 0 0 3 IP address and ex shared secret you need to do the following admin AT WR4562 radius add service hotspot ppp address 10 0 0 3 secret ex admin AT WR4562 radius print Flags X disabled SERVICE CALLED ID DOMAIN ADDRESS SECRET 0 ppp hotspot 10 0 0 3 ex admin AT WR4562 radius AAA for the respective services should be enabled too admin AT WR4562 radius ppp aaa set use radius yes admin AT WR4562 radius ip hotspot profile set default use radius yes To view some statistics for a client admin AT WR4562 radius monitor 0 pending 0 requests 10 accepts 4 rejects 1 resends 15 timeouts 5 bad replies 0 last request rtt 05 adminQGAT WR4562 radius 7 1 3 Connection Terminating from RADIUS Submenu level radius incoming Description This facility supports unsolicited messages sent from RADIUS server Unsolicited messages extend RADIUS protocol commands that allow terminating a session which has already been connected from RADIUS server For this purpose DM Disconnect Messages are used Disconnect messages cause a user session to be terminated immediately Property Description accept yes no default no Whether to accept the unsolicited messages 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide port
441. soulseek warez winmx matches packets from various peer to peer P2P protocols packet mark text matches packets marked via mangle facility with particular packet mark packet size integer 0 65535 integer 0 65535 0 1 matches packet of the specified size or size range in bytes min specifies lower boundary of the size range or a standalone value max specifies upper boundary of the size range port port 0 16 matches if any source or destination port matches the specified list of ports or port ranges note that the protocol must still be selected just like for the regular src port and dst port matchers protocol ddp egp encap ggp gre hmp icmp idrp cmtp igmp ipencap ipip ipsec ah ipsec esp iso tp4 ospf pup rdp rspf st tcp udp vmtp xns idp xtp integer matches particular IP protocol specified by protocol name or number You should specify this setting if you want to specify ports psd integer time integer integer attempts to detect TCP and UDP scans It is advised to assign lower weight to ports with high numbers to reduce the frequency of false positives such as from passive mode FTP transfers WeightThreshold total weight of the latest TCP UDP packets with different destination ports coming from the same host to be treated as port scan sequence DelayThreshold delay for the packets with different destination ports coming from the same host to be treated as possible p
442. ss Point and the other one as a station 5GHz 802 1 standard Access Point Interface AP IP 10 1 0 1 on Interface To AP IP 10 1 0 2 Station Figure 5 Station and AP mode example On Access Point e mode ap bridge e frequency 5805 e 5 2 ssid test AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 61 RouterOS v3 Configuration and User Guide disabled no On client station mode station band 5ghz ssid test disabled no Configure the Access Point and add an IP address 10 1 0 1 to it 0 0 adminG AccessPoint interface wireless set wlanl mode ap bridge frequency 5805 band 5ghz disabled no ssid test name AP admin AccessPoint interface wireless print Flags X disabled running name AP mtu 1500 mac address 00 0C 42 05 00 22 arp enabled disable running check no interface type Atheros AR5413 radio name 000C42050022 mode ap bridge ssid test area frequency mode superchannel country no country set antenna gain 0 frequency 5805 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps l11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no
443. ss Routers RouterOS v3 Configuration and User Guide 8 5 4 L2TP Server Setup Submenu level interface I2tp server server Description The L2TP server creates a dynamic interface for each connected L2TP client The L2TP connection count from clients depends on the license level you have Levell license allows L2TP client Level3 or Level4 licenses up to 200 clients and Level5 or Level licenses do not have L2TP client limitations To create L2TP users you should consult the PPP secret and PPP Profile manuals It is also possible to use the RouterOS router as a RADIUS client to register the L2TP users see the manual how to do it Property Description authentication multiple choice pap chap mschapl mschap2 default mschap2 authentication algorithm default profile default profile to use enabled yes no default no defines whether L2TP server is enabled or not keepalive timeout time default 30 defines the time period in seconds after which the router is starting to send keepalive packets every second If no traffic and no keepalive responses has came for that period of time i e 2 keepalive timeout not responding client is proclaimed disconnected max mru integer default 1460 Maximum Receive Unit The optimal value is the MRU of the interface the tunnel is working over decreased by 40 so for 1500 byte ethernet link set the MRU to 1460 to avoid fragmentation of packets max mtu integer defa
444. sses 10 0 103 1 and 10 0 103 2 at each router It enables direct communication between the routers over third party networks Internet e WISP 2 ex 92 68 81 0 24 Home Office Remote Office To Internet To Internet 192 68 80 1 24 192 168 81 1 24 LAN LAN 10 150 2 254 24 10 150 1 254 24 Network Setup with L2TP 10 150 2 1 24 10 150 1 1 24 Figure 24 Secure Remote office connection through L2TP tunnel To route the local Intranets over the L2TP tunnel you need to add these routes admin HomeOffice gt ip route add dst address 10 150 1 0 24 gateway 10 0 103 2 admin8 RemoteOffice gt ip route add dst address 10 150 2 0 24 gateway 10 0 103 1 168 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide On the L2TP server it can alternatively be done using routes parameter of the user configuration admin HomeOffice ppp secret print detail Flags X disabled 0 name ex service 12tp caller id password lkjrht profile default local address 10 0 103 1 remote address 10 0 103 2 routes admin HomeOffice ppp secret set 0 routes 10 150 1 0 24 10 0 103 2 1 admin HomeOffice ppp secret print detail Flags X disabled 0 name ex service 12tp caller id password lkjrht profile default local address 10 0 103 1 remote address 10 0 103 2 routes 10 150 1 0 24 10 0 103 2 1 admin HomeOffice ppp secret
445. t 58 43 19 I Sniffer Packets ctp e DER UR RH DR E 59 43 20 gt ele ea C de oblato teeing beste CD dts 59 4 3 21 Application Exairiples 2 ne tnt dee t e dec tet Deo 60 4 3 22 Troubleshooting rnn eerte aet aie e a Eee er beet lebte ees 74 44 VLAN Interfaces eie 75 4 4 1 General Information i retineo tener titer 75 4 42 VLAN Setup tt 75 4 4 3 Application Example edente nha 76 4 5 Bridge Interfaces eee ettet eddie ie eren 77 45 1 General Information citro pice D napi eia teens 77 4 5 2 Bridge Interface 78 4 5 3 79 4 5 4 Bridge 80 4 5 5 Bridge Port Monitoringa doti tine lada oec oe oet 80 4 5 6 Bridge Ost Monitorihg 81 4 5 7 Bridge Firewall General Description eese entente tnnt 8l 4 5 8 Bridge Packet Filterset 84 4 5 9 Bridge uie dS RR RUE ERN eR e a aaa 84 4 5 10 Bridge Brouting 85 4 5 11 Troubleshooting gcc sisted te e RT eti ties 86 5b ten ata 87 5 1 IP Addresses and sae eee beoe eee bee cds 87 5 1 1 Gener
446. t value http www example com gt AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 241 RouterOS v3 Configuration User Guide you should correct the link to point to your server e erase the cookie on logoff in the page containing link to the logout for example in status html change open link logout hotspot logout to this open link logout erase cookie on hotspot logout or alternatively add this line lt input type hidden name erase cookie value on before this one lt input type submit value log off gt An another example is making HotSpot to authenticate on a remote server which may for example perform creditcard charging e Allow direct access to the external server in walled garden either HT TP based or IP based e Modify login page of the HotSpot servlet to redirect to the external authentication server The external server should modify RADIUS database as needed Here is an example of such a login page to put on the HotSpot router it is redirecting to https auth example com login php replace with the actual address of an external authentication server lt html gt lt title gt lt title gt lt body gt lt form name redirect action https auth example com login php method post gt lt input type hidden name mac value mac gt lt input type hidden name ip value S
447. t and are taken one by one for each successful advertisement If end of list is reached the last value is continued to be used WISPr Redirection URL URL which the clients will be redirected to after successfull login WISPr Bandwidth Min Up minimal datarate CIR provided for the client upload WISPr Bandwidth Min Down minimal datarate CIR provided for the client download WISPr Bandwidth Max Up maxmal datarate MIR provided for the client upload WISPr Bandwidth Max Down maxmal datarate MIR provided for the client download WISPr Session Terminate Time time when the user should be disconnected in YYYY MM DDThh mm ssTZD form where Y year M month D day T separator symbol must be written between date and time h hour in 24 hour format minute second TZD time zone in one of these forms hh mm hhmm hh mm hhmm The received attributes override the default ones set the default profile but if an attribute is not received from RADIUS server the default one is to be used Rate Limit takes precedence over all other ways to specify data rate for the client Ascend data rate attributes are considered second WISPr attributes takes the last precedence Here are some Rate Limit examples 128k 128000 tx rate 128000 no bursts 64k 128M rx rate 64000 tx rate 128000000 64k 256k rx tx rate 64000 rx tx burst rate 256000 rx tx burst threshold
448. t if peer doesn t show up here it doesn t mean that IPsec traffic is being exchanged with it For example manually configured SAs will not show up here Property Description local address read only IP address local ISAKMP SA address AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 193 RouterOS v3 Configuration and User Guide remote address read only address peer s IP address side multiple choice read only initiator responder shows which side initiated the connection initiator phase negotiation was started by this router responder phase negotiation was started by peer state read only text state of phase negotiation with the peer estabilished normal working state Example To see currently estabilished SAs admin8 WiFi ipsec gt remote peers print 0 local address 10 0 0 148 remote address 10 0 0 147 state established side initiator admin WiFi ipsec gt 8 8 5 Installed SAs Submenu level ip ipsec installed sa Description This facility provides information about installed security associations including the keys Property Description add lifetime read only time soft hard expiration time counted from installation of SA addtime read only text time when this SA was installed auth algorithm multiple choice read only none md5 shal authentication algorithm used in SA auth key read only text authentication key prese
449. t yes nstreme support yes default periodic calibration enabled supported bands 2ghz b 5ghz 5ghz turbo 2ghz g 2ghz g turbo 2ghz b channels 2312 0 23 0 61 17 0 23 57 0 23 97 0 24 37 0 24 77 0 24 29 0 23 69 0 23 09 0 24 49 0 24 89 0 24 0 6090 0 4925 0 4965 0 5005 0 5045 0 5085 0 5125 0 5165 0 5205 0 5245 0 5285 0 5325 0 5365 0 5405 0 5445 0 5485 0 5525 0 5565 0 5605 0 5645 0 5685 0 5125 0 5765 0 5805 0 5845 0 5885 0 5925 0 4930 0 4970 0 5010 0 5050 0 5090 0 5130 055170 0 5210 055250 0 5290 0 5330 0 5370 0 5410 0 5450 0 5490 0 5530 0 5570 0 5610 0 5650 0 5690 0 5730 0 5770 0 5810 0 5850 0 5890 0 5930 0 5970 0 6010 0 6050 22 0 23 62 0 23 02 0 24 42 0 24 82 0 24 34 0 23 74 0 23 14 0 24 54 0 24 94 0 24 0 5375 0 5575 0 4930 0 4970 0 5010 0 5050 0 5090 0 5130 0 5170 0 5210 0 5250 0 5290 0 5330 0 5370 0 5410 0 5450 0 5490 0 5530 0 5570 0 5610 0 5650 0 5690 0 5730 0 5770 0 5810 0 5850 0 5890 0 5930 0 4935 0 4975 0 5015 0 5055 0 5095 0 5135 05275 0 5215 0 5255 0 5295 0 5335 0 5415 0 5455 0 5495 0 5535 0 5615 0 5655 0 5695 0 5735 0577 5 0 5815 0 5855 0 5895 0 5935 0 59757 0 6015 0 6055 0 6095 5 0 63 2 215023 67 0 23 07 0 24 47 0 24 87 0 24 39 0 23 79 0 23 19 0 24 59 0 24
450. tSpot login page status html status page shows statistics for the client It is also able to display advertisements automatically logout html logout page shown after user is logged out Shows final statistics about the finished session This page may take the following additional parameters erase cookie whether to erase cookies from the HotSpot server on logout makes impossible to log in with cookie next time from the same browser might be useful in multiuser environments error html error page shown on fatal errors only Some other pages are available as well if more control is needed rlogin html page which redirects client from some other URL to the login page if authorization of the client is required to access that URL rstatus html similarly to rlogin html only in case if the client is already logged in and the original URL is not known radvert html redirects client to the scheduled advertisement link flogin html shown instead of login html if some error has happened invalid username or password for example fstatus html shown instead of redirect if status page is requested but client is not logged in flogout html shown instead of redirect if logout page is requested but client is not logged in Serving Servlet Pages The HotSpot servlet recognizes 5 different request types request for a remote host if user is logged in and advertisement is due to be displayed radvert html is displayed This page makes redirect t
451. tatic algo 1 40bit wep static key 1 1234567890 static algo 2 none Static key 2 2 static algo 3 none static key 3 Static transmit key key 1 static sta private algo none static sta private key radius mac authentication no group key update 5m adminQ QWEP AP interface wireless security profiles adminQ AT WR4562 interface wireless set wlanl name WEP AP mode ap bridge N ssid mt_wep frequency 5320 band 5ghz disabled no security profile StationX adminQ WEP AP interface wireless print Flags X disabled R running 0 name WEP AP mtu 1500 mac address 00 0C 42 05 04 36 arp enabled disable running check no interface type Atheros AR5413 radio name 000C42050436 mode ap bridge ssid mt wep area frequency mode superchannel country no country set antenna gain 0 frequency 5320 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps 11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile StationX d
452. tch address The default setting means that if watch address is set and is not reachable the router will reboot about every 6 minutes send email from text default value set in tool e mail is used send email to text default e mail address to send the support output file to send smtp server text default SMTP server address to send the support output file through If not set the value set in tool e mail is used watch address IP address default none if set the system will reboot in case 6 sequental pings to the given IP address sent once per 10 seconds will fail none disable this option watchdog timer yes no default no whether to reboot if system is unresponsive for a minute e mail address to send the support output file from If not set the 254 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Example To make system generate a support output file and sent it automatically to support example com through the 192 0 2 1 smtp server in case of a software crash admin AT WR4562 system watchdog set auto send supout yes N send to email support example com send smtp server 192 0 2 1 admin AT WR4562 system watchdog print watch address none watchdog timer yes no ping delay 5m automatic supout yes auto send supout yes send smtp server 192 0 2 1 send email to support example com admin AT WR4562 system watchdo
453. ted S static I IGRP R RIP M mobile B BGP D EIGRP EX EIGRP external O OSPF IA OSPF inter area N1 OSPF NSSA external type 1 N2 OSPF NSSA external type 2 El OSPF external type 1 E2 OSPF external type 2 E EGP i IS IS 11 15 15 level 1 L2 15 15 level 2 candidate default U per user static route o ODR Gateway of last resort is 192 168 1 2 to network 0 0 0 0 10 0 0 0 24 is subnetted 1 subnets 10 0 0 0 is directly connected Ethernet0 R 192 168 0 0 24 120 1 via 10 0 0 174 00 00 19 EthernetO 192 168 1 0 30 is subnetted 1 subnets 192 168 1 0 is directly connected Seriall R 192 168 3 0 24 120 1 via 192 168 1 2 00 00 05 Seriall R 0 0 0 0 0 120 1 via 192 168 1 2 00 00 05 Seriall awplus As we can see the Alliedware router has learned RIP routes both from the RouterOS router 192 168 0 0 24 and from the ISP router 0 0 0 0 0 and 192 168 3 0 24 5 3 OSPF 5 3 1 General Information Summary RouterOS implements OSPF Version 2 RFC 2328 The OSPF protocol is the link state protocol that takes care of the routes in the dynamic network structure that can employ different paths to its subnetworks It always chooses shortest path to the subnetwork first Specifications Packages required routing License required Level3 Submenu level routing ospf Standards and Technologies OSPF Hardware usage Not significant AT WR4500 Series IEEE 802 1 labgh Outdoor W
454. ted by Access Point admin8RWPA Station interface wireless security profiles set default mode wpa psk pre shared key 1234567890 wpa unicast ciphers tkip wpa group ciphers aes ccom tkip admin WPA Station interface wireless security profiles gt pr name default mode wpa psk wpa unicast ciphers tkip wpa group ciphers tkip aes ccm pre shared key 1234567890 static algo 0 none static key 0 2 static algo 1 none static key 1 static algo 2 none static key 2 2 static algo 3 none static key 3 static transmit key key 0 static sta private algo none static sta private key radius mac authentication no group key update 5m admin8 WPA Station interface wireless security profiles Test the link between Access point and the client admin tWPA Station interface wireless gt print Flags X disabled R running 0 name wlanl mtu 1500 mac address 00 0B 6B 35 E5 5C arp enabled disable running check no interface type Atheros AR5213 radio name 000B6B35E55C mode station ssid AT WR4500 area frequency mode superchannel country no country set antenna gain 0 frequency 5180 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps llMbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power mode default noise floor threshold default periodic calibration defau
455. terOS v3 Configuration and User Guide Make jumps to new chains add chain forward protocol tcp action jump jump target tcp add chain forward protocol udp action jump jump target udp add chain forward protocol icmp action jump jump target icmp Create tcp chain and deny some tcp ports in it add chain tcp protocol tcp dst port 69 action drop comment deny TFTP add chain tcp protocol tcp dst port 111 action drop comment deny RPC p ortmapper add chain tcp protocol tcp dst port 135 action drop comment deny RPC p ortmapper add chain tcp protocol tcp dst port 137 139 action drop comment deny NBT add chain tcp protocol tcp dst port 445 action drop comment deny cifs add chain tcp protocol tcp dst port 2049 action drop comment deny NFS add chain tcp protocol tcp dst port 12345 12346 action drop comment deny NetBus add chain tcp protocol tcp dst port 20034 action drop comment deny NetBus add chain tcp protocol tcp dst port 3133 action drop comment deny BackOriffice add chain tcp protocol tcp dst port 67 68 action drop comment deny DHCP Deny udp ports in udp chain add chain udp add chain udp add chain udp add chain udp add chain udp add chain udp protocol udp protocol udp protocol udp protocol udp protocol udp protocol udp dst port 69 action drop comment deny TFTP dst port 111 action drop comment deny PRC portmapper dst port 135 action drop
456. terface ipipl Specifications Packages required system License required Level limited to tunnel Level3 200 tunnels Level5 unlimited Submenu level interface ipip Standards and Technologies IPIP RFC 2003 Hardware usage Not significant Related Topics IP Addresses and ARP Log Management Additional Resources http www ietf org rfc rfc 853 txt number 1853 http www ietf org rfc rfc2003 txt number 2003 http www ietf org rfc rfc 24 txt number 1241 8 4 2 IPIP Setup Submenu level interface ipip Description An IPIP interface should be configured on two routers that have the possibility for an IP level connection and are REC 2003 compliant The IPIP tunnel may run over any connection that transports IP Each tunnel interface can connect with one remote router that has a corresponding interface configured An unlimited number of IPIP tunnels may be added to the router For more details on IPIP tunnels see RFC 2003 Property Description local address address local address on router which sends IPIP traffic to the remote host mtu integer default 1480 Maximum Transmission Unit Should be set to 1480 bytes to avoid fragmentation of packets May be set to 1500 bytes if mtu path discovery is not working properly on links name name default ipipN interface name for reference remote address address the IP address of the remote host of the IPIP tunnel
457. the client s side for APs that are not in connect list or on the AP s side for clients that are not in access list yes enables AP to register a client if it is not in access list In turn for client it allows to associate with AP not listed in client s connect list default client tx limit integer default 0 limits each client s transmit data rate in bps Works only if the client is also a Router 0 no limits default forwarding yes no default yes whether to use data forwarding by default or not If set to no the registered clients will not be able to communicate with each other dfs mode none radar detect no radar detect default none used for APs to dynamically select frequency at which this AP will operate none do not use DFS no radar detect AP scans channel list from scan list and chooses the frequency which is with the lowest amount of other networks detected AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 37 RouterOS v3 Configuration and User Guide radar detect AP scans channel list from scan list and chooses the frequency which is with the lowest amount of other networks detected if no radar is detected in this channel for 60 seconds the AP starts to operate at this channel if radar is detected the AP continues searching for the next available channel which is with the lowest amount of other networks detected disable running check yes no default no disable running check
458. the rules 0 D chain dstnat action jump jump target hotspot hotspot from client Putting all HotSpot related tasks for packets from all HotSpot clients into a separate chain 1 I chain hotspot action jump jump target pre hotspot Any actions that should be done before HotSpot rules apply should be put in the pre hotspot chain This chain is under full administrator control and does not contain any rules set by the system hence the invalid jump rule as the chain does not have any rules by default 2 D chain hotspot action redirect to ports 64872 dst port 53 protocol udp 3 D chain hotspot action redirect to ports 64872 dst port 53 protocol tcp Redirect all DNS requests to the HotSpot service The 64872 port provides DNS service for all HotSpot users If you want HotSpot server to listen also to another port add rules here the same way changing dst port property 4 D chain hotspot action redirect to ports 64873 hotspot local dst dst port 80 protocol tcp Redirect all HTTP login requests to the HTTP login servlet The 64873 is HotSpot HTTP servlet port 5 D chain hotspot action redirect to ports 64875 hotspot local dst dst port 443 protocol tcp Redirect all HTTPS login requests to the HTTPS login servlet The 64875 is HotSpot HTTPS servlet port 6 D chain hotspot action jump jump target hs unauth hotspot auth protocol tcp 234 4500 Series IEEE 802 1 labgh Outdo
459. thentication multiple choice mschap2 mschapl chap pap default mschap2 mschapl chap pap authentication algorithm default profile name default default default user profile to use interface name interface which the clients are connected to keepalive timeout time default 10 defines the time period in seconds after which the router is starting to send keepalive packets every second If no traffic and no keepalive responses has came for that period of time i e 2 keepalive timeout not responding client is proclaimed disconnected max mru integer default 1480 Maximum Receive Unit The optimal value is the MTU of the interface the tunnel is working over decreased by 20 so for 1500 byte Ethernet link set the MTU to 1480 to avoid fragmentation of packets max mtu integer default 1480 Maximum Transmission Unit The optimal value is the MTU of the interface the tunnel is working over decreased by 20 so for 1500 byte Ethernet link set the MTU to 1480 to avoid fragmentation of packets max sessions integer default 0 maximum number of clients that the AC can serve 0 unlimited mrru integer 512 65535 default disabled maximum packet size that can be received on the link If a packet is bigger than tunnel MTU it will be split into multiple packets allowing full size IP or Ethernet packets to be sent over the tunnel disabled disable MRRU on this link one session per host yes no default
460. ther HTTP authentication methods HTTP PAP HTTP CHAP or HTTPS as in the other case there would be no way for the cookies to be generated in the first place http chap use CHAP challenge response method with MD5 hashing algorithm for hashing passwords This way it is possible to avoid sending clear text passwords over an insecure network This is the default authentication method http pap use plain text authentication over the network Please note that in case this method will be used your user passwords will be exposed on the local networks so it will be possible to intercept them https use encrypted SSL tunnel to transfer user communications with the HotSpot server Note that in order this to work a valid certificate must be imported into the router see a separate manual on certificate management mac try to use client s MAC address first as its username If the matching MAC address exists in the local user database or on the RADIUS server the client will be authenticated without asking to fill che login form trial does not require authentication for a certain amount of time mac auth password text if MAC authentication is used this field can be used to specify password for the users to be authenticated by their MAC addresses nas port type text default wireless 802 1 1 NAS Port Type attribute value to be sent to the RADIUS server radius accounting yes no default yes whether to send RADIUS server accounting informat
461. thorized requests to the clients 2 chain input action jump jump target hs input hotspot from client Everything that comes from clients to the router itself gets to another chain called hs input 3 I chain hs input action jump jump target pre hs input Before proceeding with predefined dynamic rules the packet gets to the administratively controlled pre hs input chain which is empty by default hence the invalid state of the jump rule 4 D chain hs input action accept dst port 64872 protocol udp 5 D chain hs input action accept dst port 64872 64875 protocol tcp Allow client access to the local authentication and proxy services as described earlier 6 D chain hs input action jump jump target hs unauth hotspot auth All other traffic from unauthorized clients to the router itself will be treated the same way as the traffic traversing the routers chain hs unauth protocol icmp action return ji www alliedtelesis com chain hs unauth dst address 159 148 147 196 protocol tcp dst port 80 action return TD 8 D Unlike NAT table where only TCP protocol related Walled Garden entries were added in the packet filter hs unauth chain is added everything you have set in the ip hotspot walled garden ip menu That is why although you have seen only one entry in the NAT table there are two rules here 9 D chain hs unauth action reject reject with tcp reset protocol tcp 10 D chain hs unaut
462. through ISP2 admin officel gt interface add remote address 2 2 N mac address FE FD 00 00 00 03 admin officel interface eoip gt print Flags X disabled R running 0 name eoip tunnell mtu 1500 mac address FE FD 00 remote address 2 2 2 1 tunnel id 1 1 R name eoip tunnel2 mtu 1500 mac address FE FD 00 remote address 10 1 0 112 tunnel id 2 2 1 tunnel id 1 00 00 03 arp enabled 00 00 04 arp enabled for Office2through ISP2 admin office2 gt interface eoip add remote address 1 1 N mac address FE FD 00 00 00 01 admin office2 interface eoip gt print Flags X disabled R running 0 R name eoip tunnell mtu 1500 mac address FE FD 00 remote address 1 1 1 1 tunnel id 1 1 R name eoip tunnel2 mtu 1500 mac address FE FD 00 remote address 10 1 0 111 tunnel id 2 1 1 tunnel id 1 00 00 01 arp enabled 00 00 02 arp enabled 158 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Bonding configuration for Office admin officel interface bonding add slaves eoip tunnell eoip tunnel2 admin officel interface bonding print Flags X disabled R running 0 name bondingl mtu 1500 mac address 00 0C 42 03 20 E7 arp enabled Slaves eoip tunnell eoip tunnel2 mode balance rr primary none link monitoring none arp interval 00 00 00 100 arp ip targets mii interval 00 00 00 100 down delay 00 00
463. through routes that have scope lt target scope of the nexthop target scope integer 0 255 a value which is used to recursively lookup the next hop addresses Each nexthop address selects smallest value of target scope from all routes that use this nexthop address Nexthop is looked up only through routes that have scope lt target scope of the nexthop GY You can specify more than one or two gateways in the route Moreover you can repeat some routes in the list several times to do a kind of cost setting for gateways Example To add two static routes to networks 10 1 12 0 24 and 0 0 0 0 0 the default destination address on a router with two interfaces and two IP addresses admin AT WR4562 ip route add dst address 10 1 12 0 24 gateway 192 168 0 253 admin AT WR4562 ip route add gateway 10 5 8 1 admin AT WR4562 ip route print Flags X disabled A active D dynamic C connect S static r rip b bgp o ospf DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 A S 10 1 12 0 24 r 192 168 0 253 Local 1 ADC 10 5 8 0 24 Public 2 ADC 192 168 0 0 24 Local 3A S 0 0 0 0 0 r 10 5 0 1 Public admin AT WR4562 ip route 5 4 3 Policy Rules Submenu level ip route rule Property Description action drop unreachable lookup default unreachable action to be processed on packets matched by this rule drop silently drop packet unreachable reply that destination host is unreach
464. tion address read only IP address IP address the client got from the server bytes read only integer integer amount of bytes transfered through this connection First figure represents amount of transmitted traffic from the router s point of view while the second one shows amount of received traffic caller id read only text for PPTP and L2TP it is the IP address the client connected from For PPPoE it is the MAC address the client connected from For ISDN it is the caller s number the client dialed in from no restrictions on where clients may connect from encoding read only text shows encryption and encoding separated with if asymmetric being used in this connection limit bytes in read only integer maximal amount of bytes the user is allowed to send to the router limit bytes out read only integer maximal amount of bytes the router is allowed to send to the client name read only name user name supplied at authentication stage packets read only integer integer amount of packets transfered through tis connection First figure represents amount of transmitted traffic from the router s point of view while the second one shows amount of received traffic service read only async 2tp ovpn pppoe pptp the type of service the user is using session id read only text shows unique client identifier uptime read only time user s uptime Example admin rb13 gt ppp active print
465. to the clients dhcp relay IP address default 0 0 0 0 the IP address of the DHCP relay between the DHCP server and the DHCP clients dhcp server interface name interface to run DHCP server on dns servers IP address IP address of the appropriate DNS server to be propagated to the DHCP clients gateway IP address default 0 0 0 0 the default gateway of the leased network lease time time default 3d the time the lease will be valid Depending on current settings and answers to the previous questions default values of following questions may be different Some questions may disappear if they become redundant for example there is no use of asking for relay when the server will lend the directly connected network Example To configure DHCP server on etherl interface to lend addresses from 10 0 0 2 to 10 0 0 254 which belong to the 10 0 0 0 24 network with 10 0 0 1 gateway and 159 148 60 2 DNS server for the time of 3 days adminQ AT WR4562 ip dhcp server gt setup Select interface to run DHCP server on dhcp server interface etherl Select network for DHCP addresses dhcp address space 10 0 0 0 24 Select gateway for given network gateway for dhcp network 10 0 0 1 Select pool of ip addresses given out by DHCP server addresses to give out 10 0 0 2 10 0 0 254 Select DNS servers dns servers 159 148 60 20 Select lease time lease time 3d admin AT WR4562 ip dhcp server gt
466. toring Command name interface bridge monitor Description Used to monitor the current status of a bridge Property Description current mac address MAC address MAC address currently assigned to the bridge root bridge yes no if this bridge is the root bridge root bridge id text the bridge ID which is in form of bridge priority bridge MAC address root path cost integer the total cost of the path to the root bridge root port name port to which the root bridge is connected to Example To monitor a bridge admin AT WR4562 interface bridge monitor bridgel state enabled current mac address 00 0D B9 12 B3 F8 root bridge yes root bridge id 0x8000 00 00 00 00 00 00 root path cost 0 root port none port count 2 designated port count 0 admin AT WR4562 interface bridge 4 5 5 Bridge Port Monitoring Command name interface bridge port monitor Description Statistics of an interface that belongs to a bridge AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 81 Example To monitor a bridge port admin AT WR4562 interface bridge port gt mo 0 status in bridge port number 1 role designated port edge port no edge port discovery yes point to point port no external fdb no sending rstp no learning yes forwarding yes quit D dump C z pause 4 5 6 Bridge Host Monitoring Command name i
467. tx burst time are not specified Is is used as default Priority takes values 1 8 where implies the highest priority but 8 the lowest If rx rate min and tx rate min are not specified rx rate and tx rate values are used The rx rate min and tx rate min values can not exceed rx rate and tx rate values remote address IP address name IP address or IP address pool name for PPP clients session timeout time maximum time the connection can stay up By default no time limit is set Os no connection timeout use compression yes no default default default specifies whether to use data compression or not yes enable data compression no disable data compression default derive this value from the interface default profile same as no if this is the interface default profile use encryption yes no required default default default specifies whether to use data encryption or not yes enable data encryption no disable data encryption requided enable and require encryption default derive this value from the interface default profile same as no if this is the interface default profile use vj compression yes no default default default specifies whether to use Van Jacobson header compression algorithm yes enable Van Jacobson header compression no disable Van Jacobson header compression default derive this value from the interface default profile same as no if this is the interface default
468. ty to manage PPP user access and accounting from one server throughout a large network The RouterOS has a RADIUS client which can authenticate for HotSpot PPP PPPoE PPTP L2TP and ISDN connections The attributes received from RADIUS server override the ones set in the default profile but if some parameters are not received they are taken from the respective default profile The RADIUS server database is consulted only if no matching user acces record is found in router s local database Traffic is accounted locally with RouterOS Traffic Flow and snapshot image can be gathered using Syslog utilities If RADIUS accounting is enabled accounting information is also sent to the RADIUS server default for that service 7 1 2 RADIUS Client Setup Submenu level radius Description This facility allows you to set RADIUS servers the router will use to authenticate users Property Description accounting backup yes no default no this entry is a backup RADIUS accounting server accounting port integer default 1813 RADIUS server port used for accounting address IP address default 0 0 0 0 IP address of the RADIUS server authentication port integer default 1812 RADIUS server port used for authentication called id text default value depends on Point to Point protocol ISDN phone number dialled MSN PPPoE service name PPTP server s IP address L2TP server s IP address AT WR4500 Series IEEE 802 1 labg
469. u integer maximum transmission unit for the interface in bytes name text the name of the interface type read only arlan bonding bridge cyclades eoip ethernet farsync ipip isdn client isdn server I2tp client I2tp server moxa c101 502 mtsync pc ppp client ppp server pppoe client pppoe server pptp client pptp server pvc radiolan sbe vlan wavelan wireless xpeed interface type Example To see the list of all available interfaces admin AT WR4562 interface print Flags X disabled D dynamic running Lj NAME TYPE RX RATE TX RATE MTU 0 etherl ether 0 0 1500 1 R bridgel bridge 0 0 1500 2 R ether2 ether 0 0 1500 3 R wlanl wlan 0 0 1500 admin AT WR4562 interface 4 1 3 Traffic Monitoring Command name interface monitor traffic Description The traffic passing through any interface can be monitored Property Description received bits per second read only integer number of bits that interface has received in one second received packets per second read only integer number of packets that interface has received in one second sent bits per second read only integer number of bits that interface has sent in one second sent packets per second read only integer number of packets that interface has sent in one second AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 31 RouterOS v3 Configuration an
470. uest as Mikrotik Realm attribute If it is not set the same value is sent as in MS CHAP Domain attribute if MS CHAP Domain is missing Realm is not included neither WISPr Location ID text string specified in radius location id property of the HotSpot server WISPr Location Name text string specified in radius location name property of the HotSpot server WISPr Logoff URL full link to the login page for example http 10 48 0 I Iv logout HotSpot uses CHAP by default and may use also PAP if unencrypted passwords are enabled it can not use MSCHAP Depending on authentication methods User Password encrypted password used with PAP authentication CHAP Password CHAP Challenge encrypted password and challenge used with CHAP authentication MS CHAP Response MS CHAP Challenge encrypted password and challenge used with MS authentication MS CHAP2 Response MS CHAP Challenge encrypted password and challenge used with MS CHAPv2 authentication Access Accept Framed IP Address IP address given to client If address belongs to 127 0 0 0 8 or 224 0 0 0 3 networks IP pool is used from the default profile to allocate client IP address If Framed IP Address is specified Framed Pool is ignored Framed IP Netmask client netmask PPPs if specified a route will be created to the network Framed IP Address belongs to via the Framed IP Address gateway HotSpot ignored by HotSpot Framed Pool
471. uide e Hotspot will ask RADIUS server whether to allow the login or not If not allowed alogin html page will be displayed it can be modified to do anything If not allowed flogin html or login html page will be displayed which will redirect client back to the external authentication server e Note as shown in these examples HTTPS protocol and POST method can be used to secure communications 10 3 11 Possible Error Messages Description There are two kinds of errors fatal non fatal Fatal errors are shown on a separate HTML page called error html Non fatal errors are basically indicating incorrect user actions and are shown on the login form General non fatal errors e You are not logged in trying to access the status page or log off while not logged in Solution log in e already authorizing retry later authorization in progress Client already has issued an authorization request which is not yet complete Solution wait for the current request to be completed and then try again e chap missing web browser did not send challenge response try again enable JavaScript trying to log in with HTTP CHAP method using MD5 hash but HotSpot server does not know the challenge used for the hash This may happen if you use BACK buttons in browser if JavaScript is not enabled in web browser if login html page is not valid or if challenge value has expired on server more than Ih of inactivity Solution instructing brow
472. uired wpa unicast ciphers wpa group ciphers pre shared key static algo 0 none sta static algo 1 none static key 1 static algo 2 none static static algo 3 none static key 3 static transmit key key 0 static sta private algo 104bit wep static sta private key 65432109876543210987654321 radius mac authentication no group key update 5m admin WEP_Stationl interface wireless security profiles admin WEP_Stationl interface wireless set wlanl mode station band 5ghz security profile Stationl name WEP STA1 disabled admin WEP_Stationl interface wireless print Flags X disabled R running 0 name WEP STA1 mtu 1500 mac address 00 0C 42 05 00 22 arp disable running check no interface type Atheros AR5413 radio name 000C42050022 mode station ssid mt wep area frequency mode superchannel country no country set antenna frequency 5180 band 5ghz scan list default rate set defaul supported rates b 1Mbps 2Mbps 5 5Mbps llMbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbp 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station coun ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna m wds mode disabled wds default bridge none wds ignore ssid update stats interval disabled default authentication yes key update 5m tic key 0 2 ssid mt_wep no enabled
473. ult 1460 Maximum Transmission Unit The optimal value is the MTU of the interface the tunnel is working over decreased by 40 so for 1500 byte ethernet link set the MTU to 1460 to avoid fragmentation of packets mrru integer 512 65535 default disabled maximum packet size that can be received on the link If a packet is bigger than tunnel MTU it will be split into multiple packets allowing full size IP or Ethernet packets to be sent over the tunnel disabled disable MRRU on this link Example To enable L2TP server admin AT WR4562 interface l2tp server server set enabled yes admin AT WR4562 interface l2tp server server print enabled yes max mtu 1460 max mru 1460 mrru disabled authentication mschap2 mschapl keepalive timeout 30 default profile default admin AT WR4562 interface l2tp server server 8 5 5 L2TP Server Users Submenu level interface I2tp server Description There are two types of interface tunnel items in PPTP server configuration static users and dynamic connections An interface is created for each tunnel established to the given server Static interfaces are added administratively if there is a need to reference the particular interface name in firewall rules or elsewhere created for the particular user Dynamic interfaces are added to this list automatically whenever a user is connected and its username does not match any existing static entry or in case the entry is act
474. ult tolerance but slows down traffic throughput on some slow machines mtu integer 68 1500 default 1500 Maximum Transmit Unit in bytes 156 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide name name descriptive name of bonding interface primary name default none Interface is used as primary output media If primary interface fails only then others slaves will be used This value works only with mode active backup slaves name at least two ethernet like interfaces separated by a comma which will be used for bonding up delay time default 00 00 00 if a link has been brought up bonding interface is disabled for up delay time and after this time it is enabled Value should be a multiple of mii interval Application Examples Bonding two EoIP tunnels Assume you need to configure the AT WR4500 router for the following network setup where you have two offices with 2 ISP for each You want combine links for getting double speed and provide failover Eoip tunnel 2 Internet ISP 1 OM E Figure 21 Bonding two EolP tunnels We are assuming that connections to Internet through two ISP are configured for both routers Officel configuration admin officel gt interface print Flags disabled D dynamic running NAME TYPE MTU 0 R isp ether 0 0 1500 R isp2 ether 0 0 1500 admin officel gt
475. umber of packets saved to file AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 59 RouterOS v3 Configuration and User Guide file size read only integer current file size kB memory over limit packets read only integer number of packets that are dropped because of exceeding memory limit memory saved packets read only integer how many packets are stored in mermory memory size read only integer how much memory is currently used for sniffed packets kB processed packets read only integer number of sniffed packets real file limit read only integer the real file size limit It is calculated from the beginning of sniffing to reserve at least MB free space on the disk real memory limit read only integer the real memory size limit It is calculated from the beginning of sniffing to reserve at least MB of free space in the memory stream dropped packets read only integer number of packets that are dropped because of exceeding streaming max rate stream sent packets read only integer number of packets that are sent to the streaming server Command Description save saves sniffed packets from the memory to file name in PCAP format 4 3 19 Sniffer Packets Description Wireless Sniffer sniffed packets If packets Cyclic Redundancy Check CRC field detects error it will be displayed by crc error flag Property Description band read only text wireless band dst read onl
476. up 0 name vrrpl mtu 1500 mac address 00 00 5E 00 01 01 arp enabled interface local vrid 1 priority 100 interval 1 preempt ion mode yes authentication none password on backup on master admin AT WR4562 ip vrrp 11 2 System Watchdog 11 2 1 General Information Summary System watchdog feature is needed to reboot the system in case of software failures Specifications Packages required system License required Level Submenu level system watchdog Standards and Technologies Hardware usage Not significant 11 2 2 Hardware Watchdog Management Submenu level system watchdog Description This menu allows to configure system to reboot on kernel panic when an IP address does not respond or in case the system has locked up Software watchdog timer is used to provide the last option so in very rare cases caused by hardware malfunction it can lock up by itself There is a hardware watchdog device available in AT WR454x hardware which can reboot the system in any case Property Description auto send supout yes no default no after the support output file is automatically generated it can be sent by email automatic supout yes no default yes when software failure happens a file named autosupout rif is generated automatically The previous autosupout rif file is renamed to autosupout old rif no ping delay time default 5m specifies how long after reboot not to test and ping wa
477. ure VRRP on the two routers shown on the diagram The routers must have initial configuration interfaces are enabled each interface have appropriate IP address and routing table is set correctly it should have at least a default route SRC NAT or masquerading should also be configured before See the respective manual chapters on how to make this configuration Both interfaces should have IP address We will assume that the interface the 192 168 1 0 24 network is connected to is named local on both VRRP routers Configuring Master VRRP router First of all we should create a VRRP instance on this router We will use the priority of 255 for this router as it should be preferred router admin AT WR4562 vrrp gt add interface local priority 255 admin AT WR4562 ip vrrp gt print 0 RM name vrrpl mtu 1500 mac address 00 00 5E 00 01 01 arp enabled interface local vrid 1 priority 255 interval 1 preemption mode yes authentication none password on backup on master admin AT WR4562 ip vrrp gt Next the virtual IP address should be added to this VRRP instance admin AT WR4500 ip address gt add address 192 168 1 1 24 interface vrrpl admin M AT WR4500 ip address gt print admin AT WR4562 ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 1 24 10 0 0 0 10 0 0 255 public 1 192 168 1 2 24 192 168 1 0 192 168 1 255 l
478. ure that those who do only simple stateless packet processing The state of a particular connection could be estabilished meaning that the packet is part of already known connection new meaning that the packet starts a new connection or belongs to a connection that has not seen packets in both directions yet related meaning that the packet starts a new connection but is associated with an existing connection such as FTP data transfer or ICMP error message and finally invalid meaning that the packet does not belong to any known connection and at the same time does not open a valid new connection Connection tracking is done in the prerouting chain or the output chain for locally generated packets Another function of connection tracking which cannot be overestimated is that it is needed for NAT You should be aware that no NAT can be performed unless you have connection tracking enabled the same applies for p2p protocols recognition Connection tracking also assembles IP packets from fragments before further processing The maximum number of connections the ip firewall connection state table can contain is determined by the amount of physical memory present in the router Please ensure that your router is equipped with sufficient amount of physical memory to properly handle all connections AT WR4500 Series IEEE 802 1 labgh Outdoor Wireless Routers 213 RouterOS v3 Configuration and User Guide Property Description assured read on
479. users must be configured properly static entries do not replace PPP configuration Property Description encoding read only text encryption and encoding if asymmetric separated with being used in this connection mru read only integer client s MRU mtu read only integer client s MTU name name interface name remote address read only MAC address MAC address of the connected client service name name of the service the user is connected to uptime read only time shows how long the client is connected user name the name of the connected user must be present in the user darabase anyway Example To view the currently connected users admin AT WR4562 interface pppoe server gt print Flags disabled D dynamic running NAME USER SERVICE REMOTE ENCODING UPTIME 0 DR lt pppoe ex gt user ex 00 0C MPPE12 40m45s adminQ AT WR4562 interface pppoe server gt To disconnect the user ex adminQAT WR4562 interface pppoe server remove find user ex adminQ AT WR4562 interface pppoe server gt print adminQ AT WR4562 interface pppoe server gt 176 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide 8 6 7 Application Examples PPPoE a multipoint wireless 802 g network In a wireless network the PPPoE server may be attached to an Access Point as well as to a regu
480. ven number characters static key 3 text hexadecimal key which will be used to encrypt packets with the 40bit wep or 104bit wep algorithm algo 3 If AES CCM is used the key must consist of even number of characters and must be at least 32 characters long For TKIP the key must be at least 64 characters long and also must consist of even number characters static sta private algo none 40bit wep lO4bit wep aes ccm tkip algorithm to use if the static sta private key is set Used to commumicate between 2 devices static sta private key text if this key is set in station mode use this key for encryption In AP mode you have to specify static private keys in the access list or use the Radius server using radius mac authentication Used to commumicate between 2 devices static transmit key static key 0 static key static key 2 static key 3 default static key 0 which key to use for broadcast packets Used in AP mode supplicant identity text EAP supplicant identity to use for RADIUS EAP authentication tls certificate name select the certificate for this device from the list of imported certificates 58 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide tls mode no certificates dont verify certificate verify certificate default no certificates TLS certificate mode no certificates certificates are negotiated dynamically using anonymous Diffie
481. vided by RADIUS server only is MS CHAPv2 was used as authentication for PPPs only Ascend Client Gateway client gateway for DHCP pool HotSpot login method HotSpot only Mikrotik Recv Limit total receive limit in bytes for the client Mikrotik Recv Limit Gigawords 4G 2432 bytes of total receive limit bits 32 63 when bits 0 31 are delivered in Mikrotik Recv Limit Mikrotik Xmit Limit total transmit limit in bytes for the client Mikrotik Xmit Limit Gigawords 4G 2 32 bytes of total transmit limit bits 32 63 when bits 0 31 are delivered in Mikrotik Recv Limit Mikrotik Wireless Forward not forward the client s frames back to the wireless infrastructure if this attribute is set to 0 Wireless only Mikrotik Wireless Skip DotIx disable 802 1x authentication for the particulat wireless client if set to non zero value Wireless only Mikrotik Wireless Enc Algo WEP encryption algorithm 0 no encryption 40 bit WEP 2 104 bit WEP Wireless only Mikrotik Wireless Enc Key WEP encruption key for the client Wireless only Mikrotik Rate Limit Datarate limitation for clients Format is rx rate tx rate rx burst rate tx burst rate rx burst threshold tx burst threshold rx burst time tx burst time priority rx rate min tx rate min from the point of view of the router so rx is client upload and tx is client download All rates should be numbers with optional k 1 000s or M 1 000 0
482. warding layer 2 database point to point auto no yes default auto in a point to poiny link it is assumed that the port is connected to a single device at the other end of the link bridge name default none the bridge interface the respective interface is grouped in none the interface is not grouped in any bridge interface read only name interface name which is to be included in a bridge path cost integer 0 65535 default 10 path cost to the interface used by STP to determine the best path priority integer 0 255 default 128 interface priority compared to other interfaces which are destined to the same network Starting from version 2 9 9 the ports this list should be added not set see the following examples 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Example To group etherl and ether2 in the already created bridgel bridge versions from 2 9 9 admin AT WR4562 interface bridge port add interface etherl bridge bridgel admin AT WR4562 interface bridge port add interface ether2 bridge bridgel admin AT WR4562 interface bridge port print INTERFACE BRIDGE PRIORITY PATH COST 0 etherl bridgel 128 10 1 ether2 bridgel 128 10 admin AT WR4562 interface bridge port Note that there is wlan I interface anymore as it is not added as bridge port 4 5 4 Bridge Moni
483. wds default bridge bridgel disabled no band 2 4ghz b g 2437 interface wireless print sabled R running Lani mtu 1500 mac address 00 0C 42 05 00 22 arp enabled running check no interface type Atheros AR5413 radio name 000C42050022 mode ap bridge ssid wds sta test area frequen frequen cy mode superchannel country no country set antenna gain 0 cy 2437 band 2 4ghz b g scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps l11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise burst t loor threshold default periodic calibration default ime disabled fast frames no dfs mode none antenna mode ant a wds mode dynamic wds default bridge bridgel wds ignore ssid no update default stats interval disabled default authentication yes forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Now configure the WDS station and put the wireless wlanl and ethernet Local interfaces into a bridge admin8 WDS Station gt interface bridge admin8 WDS Station interface bridge add admi
484. will be added to the routing table as a dynamic entry Should the DHCP client be disabled or not renew an address the dynamic default route will be removed If there is already a default route installed prior the DHCP client obtains one the route obtained by the DHCP client would be shown as invalid Property Description add default route yes no default yes whether to add the default route to the gateway specified by the DHCP server address read only IP address netmask IP address and netmask which is assigned to DHCP Client from the Server client id text corresponds to the settings suggested by the network administrator or ISP Commonly it is set to the client s MAC address but it may as well be any text string dhcp server read only IP address IP address of the DHCP server expires after read only time time when the lease expires specified by the DHCP server gateway read only IP address IP address of the gateway which is assigned by DHCP server host name text the host name of the client as sent to a DHCP server interface name any Ethernet like interface this includes wireless and EolP tunnels on which the client searches for a DHCP server primary dns read only IP address IP address of the primary DNS server assigned by the DHCP server primary ntp read only IP address IP address of the primary NTP server assigned the DHCP server secondary dns read only IP address IP address of th
485. wireless security profiles admin8 WEP StationX interface wireless set wlanl name WEP STAX ssid mt NV band 5ghz security profile StationX mode station disabled no admin8 WEP StationX interface wireless print 0 R name WEP STAX mtu 1500 mac address 00 0C 42 05 06 B2 arp enabled disable running check no interface type Atheros AR5413 radio name 000C420506B2 mode station ssid mt wep area frequency mode superchannel country no country set antenna gain 0 frequency 5180 band 5ghz scan list default rate set default supported rates b 1Mbps 2Mbps 5 5Mbps l11Mbps supported rates a g 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates b 1Mbps basic rates a g 6Mbps max station count 2007 ack timeout dynamic tx power default tx power mode default noise floor threshold default periodic calibration default burst time disabled fast frames no dfs mode none antenna mode ant a wds mode disabled wds default bridge none wds ignore ssid no update stats interval disabled default authentication yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile StationX disconnect timeout 3s on fail retry time 100ms preamble mode both adminGWEP StationX interface wireless 5 w WPA Security This example shows WPA Wi Fi Protected Access configuration on Access Point and Client to secure all data which will be passed between AP and Client
486. with each other and they begin creating their link state databases using Database Description Packets Exchange is the process of discovering routes by exchanging Database Description Packets Loading receiving information from the neighbor Full the link state databases are completely synchronized The routers are routing traffic and continue sending each other hello packets to maintain the adjacency and the routing information state changes read only integer number of connection state changes The neighbor s list also displays the router itself with 2 Way state 104 4500 Series IEEE 802 1 labgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Example The following text can be observed just after adding an OSPF network admin AT WR4562 routing ospf gt neighbor print router id 10 0 0 204 address 10 0 0 204 priority 1 state 2 Way state changes 0 ls retransmits 0 ls requests 0 db summaries 0 dr id 0 0 0 0 backup dr id 0 0 0 0 admin AT WR4562 routing ospf gt 5 3 8 Application Examples OSPF backup without using a tunnel Let us assume that the link between the routers OSPF Main and OSPF peer l is the main one If it goes down we want the traffic switch over to the link going through the router OSPF peer 2 This example shows how to use OSPF for backup purposes if you are controlling all the involved routers and you can run OSPF on them t 1 10 1 0 2
487. with a different IP address or if you do not want to change the IP address of your PC or Workstation then it is possible to access the Router using the discovery facility of the WinBox utility Since WinBox can open a Layer 2 connection to the equipments no change to the PC IP address is needed Please refer to the following section for instructions on how to get and use WinBox Downloading WinBox loader The MS Windows based utility WinBox can be downloaded from the Allied Telesis web site accessing http www alliedtelesis com Select you country access the Software and Documentation section under the Service Support menu select Wireless in the Product Category drop down menu and AT WR45421 in the Product drop down menu Scroll down the page and select the 4500 WinBox loader from the list of available Software Using WinBox Connect the AT WR4500 router with a LAN cable to your PC and launch the WinBox loader utility that you have just downloaded Please make sure that the only LAN port enabled on your PC is the one connected to the WR4500 Router Any other LAN port either wired or wireless shall be disabled x Loade Connect Connect MAC Address IP Address Identity Version 00 00 42 1 4 7E B2 192 168 1 1 AT WR4500 29 46 Login Password Note Address Figure 2 WinBox Loader discovering When the WinBox loader startup window appears click on the 24
488. y MAC address the receiver s MAC address freq read only integer frequency interface read only text wireless interface that captures packets signal rate read only text at which signal strength and rate was the packet received src read only MAC address the sender s MAC address time read only time time when the packet was received starting from the beginning of sniffing type read only assoc req assoc resp reassoc req reassoc resp probe req probe resp beacon atim disassoc auth deauth ps poll rts cts ack cf end cf endack data d cfack d cfpoll d cfackpoll data null nd cfack nd cfpoll nd cfackpoll type of the sniffed packet Example Sniffed packets admin AT WR4562 interface wireless sniffer packet pr Flags E crc error FREQ SIGNAL RATE SRC DST TYPE 0 2412 73dBm 1Mbps 00 0 6 31 00 53 FF FF FF FF FF FF beacon 1 2412 91dBm 1Mbps 00 02 6F 01 CE 2E FF FF FF FF FF FF beacon 2 2412 45dBm 1Mbps 00 02 6F 05 68 D3 FF FF FF FF FF FF beacon 3 2412 72dBm 1Mbps 00 60 B3 8C 98 3F FF FF FF FF FF FF beacon 4 2412 65dBmQ1Mbps 00 01 24 70 3D 4E FF FF FF FF FF FF probe req 5 2412 60dBmQ1Mbps 00 01 24 70 3D 4E FF FF FF FF FF FF probe req 6 2412 61dBmQ1Mbps 00 01 24 70 3D 4E FF FF FF FF FF FF probe req 4 3 20 Snooper Submenu level interface wireless snooper Description With wireless snooper you can monitor the traffic load on each channel
489. yes default forwarding yes default ap tx limit 0 default client tx limit 0 hide ssid no security profile default disconnect timeout 3s on fail retry time 100ms preamble mode both admin8 Nstreme Client interface wireless nstreme admin Nstreme Client interface wireless nstreme gt set wlanl enable nstreme yes admin8 Nstreme Client interface wireless nstreme gt print 0 name wlanl enable nstreme yes enable polling yes framer policy none framer limit 3200 admin8 Nstreme Client interface wireless nstreme gt And monitor the link admin8 Nstreme Client interface wireless monitor wlanl status connected to ess band 5ghz frequency 5805MHz tx rate 24Mbps rx rate 18Mbps Ssid nstreme bssid 00 0C 42 05 00 22 radio name 000C42050022 signal strength 70dBm tx signal strength 68dBm tx ccq 0 rx ccq 3 wds link no nstreme yes polling yes framing mode none routeros version 3 2 current tx powers 1Mbps 11 2Mbps 11 5 5Mbps 11 11Mbps 11 6Mbps 28 9Mbps 28 12Mbps 28 18Mbps 28 24Mbps 28 36Mbps 25 48Mbps 23 54Mbps 22 quit D dump C z pause admin8 Nstreme Client interface wireless Dual Nstreme The purpose of Nstreme2 Dual Nstreme is to make superfast point to point links using 2 wireless interfaces on each router one for receiving and the other one for transmitting data you can use different bands for receiving and transmitting This example will show you how to make a point t
Download Pdf Manuals
Related Search