AT-WR4500 Series IEEE 802.11abgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide PN 613-000813 Rev.
Copyright © 2009 Allied Telesis International
All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesis International.
Microsoft and Internet Explorer are registered trademarks of Microsoft Corporation. Mikrotik and RouterOS are trademarks of Mikrotikls SIA.

LIMITATION OF LIABILITY AND DAMAGES
THE PRODUCT AND THE SOFTWARES WITHIN ARE PROVIDED "AS IS," BASIS.
CONTENTS
1 Introduction
1.1 Features
1.2 Software License
4.3.15 Network Scan
4.3.16 Security Profiles
4.3.17 Sniffer
6.1.2 DHCP Client Setup
6.1.3 DHCP Server Setup
6.1.4 Store Leases on Disk
8.5.3 Monitoring L2TP Client
8.5.4 L2TP Server Setup
8.5.5 L2TP Server Users
10.1.5 HotSpot User Profiles
10.2 HotSpot Users
10.2.1 Description

FIGURES
Figure 1: AT-WR4500 Series typical application
Figure 2: WinBox Loader discovering
Figure 3: WinBox main window
PREFACE
Purpose of This Guide
This guide describes the RouterOS command structure and configuration of the AT-WR4500 Series Outdoor Wireless Routers, so that users and network managers can configure the router correctly and get the most out of it.

CONTACTING ALLIED TELESIS
This section provides Allied Telesis contact information for technical support as well as sales and corporate information.
Online Support
You can request technical support online by accessing the Allied Telesis Knowledge Base: http://www.alliedtelesis.com/kb/.
1 Introduction
Thank you for purchasing an AT-WR4500 series Wireless Router. Please refer to the ATWR45xx Quick Installation Guide for information on how to install, connect and initially set up each router model. The WR4500 family of dual band outdoor wireless base routers and routing CPEs allows the building of wireless-only or hybrid IP networks that are scalable, reliable and fully controllable.

1.1 Features
The AT-WR4500 series RouterOS firmware is feature-rich and very flexible. Its features include, among others:
• Real IP routing functionalities
• 2.4 GHz and 5 GHz dual band operations
• IEEE 802.11a/b/g/h compliant
• Certified for HiperLAN bands operation in Europe with DFS and TPC
• IEEE 802.
2 Configuring RouterOS
2.

Figure 3: WinBox main window
From the menu bar in the leftmost part of the window, select the command or menu that you want to access and start configuring the equipment. For instance, you can click the “New Terminal” button to open a Telnet terminal window connected and logged into your router, as shown in Figure 4.
After logging into the router you will be presented with the RouterOS™ Welcome Screen and command prompt, for example:
AA TTTTTTTTTTTTTTTTTT ooooo
AAAAA TTTTTTTTTTTTTTT oooooooo
AAAAAAAA TTTTTTTT I oooooo
AAAAAAAAAAA TTTTTTT IIIIIIIIII
AAAAAAA AAAAA TTTT IIIIIIIIII
AAAAAAA AAAAA T IIIIIIIIII
AT-WR4500 RouterOS 3.10 (c) 1999-2008 http://www.alliedtelesis.
A command or an argument does not need to be typed in full, as long as it is not ambiguous. For example, instead of typing interface you can type just in or int. To complete a command use the [Tab] key. Completion is optional, and you can simply use short command and parameter names. Commands may be invoked from the menu level where they are located by typing their name.

3 Configuration and Software Management
Document revision: 1.6 (Mon Sep 19 12:55:52 GMT 2005)
Applies to: V2.9
3.
To see the files stored on the router:
[admin@AT-WR4562] > file print
 # NAME          TYPE    SIZE   CREATION-TIME
 0 test.backup   backup  12567  sep/08/2004 21:07:50
[admin@AT-WR4562] >

To load the saved backup file test:
[admin@AT-WR4562] system backup> load name=test
Restore and reboot? [y/N]: Y
Restoring system configuration
System configuration restored, rebooting now
3.1.

It is impossible to import the whole router configuration using this feature. It can only be used to import a part of configuration (for example, firewall rules) in order to spare you some typing.
Command Description
file=[filename] - loads the exported configuration from a file to router
Example
To load the saved export file use the following command:
[admin@AT-WR4562] > import address.
Standards and Technologies: None
Hardware usage: Not significant

3.2.2 System Upgrade
Submenu level: /system upgrade
Description
This submenu gives you the ability to download RouterOS software packages from a remote RouterOS router.
Step-by-Step
Upload desired RouterOS packages to a router (not the one that you will upgrade).

3.2.3 Adding Package Source
Submenu level: /system upgrade upgrade-package-source
Description
In this submenu you can add remote routers from which to download RouterOS software packages.

• The package dependency is checked before installing a software package.
If a package is marked for uninstallation, but it is required for another (dependent) package, then the marked package cannot be uninstalled. You should uninstall the dependent package too. For the list of package dependencies see the 'Software Package List' section below. The system package will not be uninstalled even if marked for uninstallation.

Example
To downgrade the RouterOS (assuming that all needed packages are already uploaded):
[admin@AT-WR4562] system package> downgrade
Router will be rebooted. Continue? [y/N]: y
system will reboot shortly
3.3.
Example
Suppose we need to cancel the uninstallation of the security package that is scheduled on reboot:
[admin@AT-WR4562] system package> print
Flags: X - disabled
 #   NAME             VERSION  SCHEDULED
 0   routeros-rb500   3.0
 1   system           3.0
 2 X ipv6             3.0
 3   ntp              3.0
 4   wireless         3.0
 5   dhcp             3.0
 6   routing          3.0
 7   routerboard      3.0
 8   advanced-tools   3.0
 9   hotspot          3.0
10   ppp              3.0
11   security         3.

Example
See the available packages:
[admin@AT-WR4562] system upgrade> refresh
[admin@AT-WR4562] system upgrade> print
 # SOURCE        NAME            VERSION
 0 192.168.25.8  routeros-x86    2.9.44
 1 192.168.25.8  routeros-rb500  3.
4 Configuring Interfaces
4.1 General Interface Settings
Document revision: 1.1 (Fri Mar 05 08:08:52 GMT 2004)
Applies to: V2.9

4.1.1 General Information
Summary
AT-WR4500 RouterOS supports a variety of physical and virtual interfaces (like Bonding, Bridge, VLAN etc.). Each of them has its own submenu, but there is also a list of all interfaces where some common properties can be configured.

One or more interfaces can be monitored at the same time. To see the overall traffic passing through all interfaces at the same time, use aggregate instead of an interface name.
Example
Multiple interface monitoring:
/interface monitor-traffic ether1,aggregate
received-packets-per-second: 9 11
received-bits-per-second: 4.39kbps 6.

    default - support long cables
    short - support short cables
    standard - same as default
disable-running-check (yes | no; default: yes) - disable running check.
• No implied protocol limits on link distance
• No implied protocol speed degradation for long link distances
• Dynamic protocol adjustment depending on traffic type and resource usage

Quick Setup Guide
Let's consider that you have a wireless interface, called wlan1. To set it as an Access Point, working in 802.

range   ack-timeout
        5GHz   5GHz-turbo   2.4GHz-G
30km    249    137          368
35km    298    168          320
40km    350    190          375
45km    405    -            -

These are not the precise values. Depending on hardware used and many other factors they may vary up to +/- 15 microseconds.

band - operating band
    2.4ghz-b - IEEE 802.11b
    2.4ghz-b/g - IEEE 802.11g (supports also legacy IEEE 802.11b protocol)
    2.4ghz-g-turbo - IEEE 802.11g using double channel, providing air rate of up to 108 Mbit
    2.4ghz-onlyg - only IEEE 802.11g
    5ghz - IEEE 802.11a up to 54 Mbit
    5ghz-turbo - IEEE 802.11a using double channel, providing air rate of up to 108Mbit
    2ghz-10mhz - variation of IEEE 802.
address to the one of a different device. In case no address is set in the station-bridge-clone-mac property, the station postpones connecting to an AP until some packet, with the source MAC address different from any of the router itself, needs to be transmitted over that interface.

wds-cost-range (integer; default: 50-150) - range within which the bridge port cost of the WDS links is adjusted. The calculations are based on the p-throughput value of the respective WDS interface, which represents the estimated approximate throughput on the interface and is mapped onto the wds-cost-range scale so that a bigger p-throughput corresponds to a numerically lower port cost.
To see current interface settings:
[admin@AT-WR4562] interface wireless> print
Flags: X - disabled, R - running
 0   name="wlan1" mtu=1500 mac-address=00:0C:42:18:5C:3D arp=enabled interface-type=Atheros AR5413 mode=station ssid="AT-WR4560" frequency=2412 band=2.

overhead (and thus increase speed). The card is not waiting for frames, but in case a number of packets are queued for transmitting, they can be combined.

mtu (integer: 0..1600; default: 1500) - Maximum Transmission Unit
name (name) - reference name of the interface
rates-a/g (multiple choice: 6Mbps, 9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps) - rates to be supported in 802.11a or 802.11g standard
rates-b (multiple choice: 1Mbps, 2Mbps, 5.5Mbps, 11Mbps) - rates to be supported in 802.

[admin@AT-WR4562] interface wireless> print
Flags: X - disabled, R - running
 0 R name="wlan1" mtu=1500 mac-address=00:0C:42:05:00:14 arp=enabled interface-type=Atheros AR5413 mode=station ssid="AT-WR4560" frequency=2412 band=2.
The association procedure is as follows: when a new client wants to associate to the AP that is configured on interface wlanN, an entry with client's MAC address and interface wlanN is looked up sequentially from top to bottom in the access-list.

2512, 2532, 2552, 2572, 2592, 2612, 2632, 2652, 2672, 2692, 2712, 2732) - the list of 2GHz IEEE 802.

There is a special argument for the print command - print count-only. It forces the print command to print only the count of information topics. The /interface wireless info print command shows only the channels supported by a particular card.
max-station-count (integer; default: 2007) - number of clients that can connect to this AP simultaneously
mtu (integer: 68..1600; default: 1500) - Maximum Transmission Unit
name (name; default: wlanN) - interface name
proprietary-extensions (pre-2.9.25 | post-2.9.25; default: post-2.9.25) - the method to insert additional information (MikroTik proprietary extensions) into the wireless frames.

Property Description
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol
    disabled - the interface will not use ARP
    enabled - the interface will use ARP
    proxy-arp - the interface will use the ARP proxy feature
    reply-only - the interface will only reply to the requests originated to its own IP addresses.

audio-min (integer; default: -100) - signal-strength at which audio (beeper) frequency will be the lowest
audio-monitor (MAC address; default: 00:00:00:00:00:00) - MAC address of the remote host which will be 'listened'
filter-mac (MAC address; default: 00:00:00:00:00:00) - if you want to receive packets from only one remote host, specify its MAC address here
frame-size (integer: 200.
Example
[admin@AT-WR4562] interface wireless align> monitor wlan2
 # ADDRESS            SSID      RXQ  AVG-RXQ  LAST-RX  TXQ  LAST-TX  CORRECT
 0 00:01:24:70:4B:FC  wirelesa  -60  -60      0.01     -67  0.01     100 %
[admin@AT-WR4562] interface wireless align>

4.3.13 Frequency Monitor
Description
Shows approximately how loaded the wireless channels are.

Example
To set the following transmit powers for each rate: 1Mbps@10dBm, 2Mbps@10dBm, 5.5Mbps@9dBm, 11Mbps@7dBm, do the following:
[admin@AT-WR4562] interface wireless manual-tx-power-table> print
 0 name="wlan1" manual-tx-powers=1Mbps:17,2Mbps:17,5.

4.3.16 Security Profiles
Submenu level: /interface wireless security-profiles
Description
This section provides WEP (Wired Equivalent Privacy) and WPA/WPA2 (Wi-Fi Protected Access) functions to wireless interfaces.
WPA
Wi-Fi Protected Access is a combination of 802.1X, EAP, MIC, TKIP and AES. This is an easy to configure and secure wireless mechanism.
  • disabled=no
• On client (station):
  • mode=station
  • band=5ghz
  • ssid=test
  • disabled=no
Configure the Access Point and add an IP address (10.1.0.

Configure the station and add an IP address (10.1.0.

  • Configure AP to support WDS connections
  • Set wds-default-bridge to bridge1
• On WDS station:
  • Configure it as a WDS Station, using mode=station-wds
• Configure the WDS Access Point.
This example will show you how to create a VAP:
[admin@VAP] interface wireless> print
Flags: X - disabled, R - running
 0   name="wlan1" mtu=1500 mac-address=00:0C:42:05:00:22 arp=enabled disable-running-check=no interface-type=Atheros AR5413 radio-name="000C42050022" mode=ap-bridge ssid="test" area="" frequency-mode=superchannel country=no_country_set antenna-gain=0 frequency=2437 band=2.

Nstreme
This example shows you how to configure a point-to-point Nstreme link.
Figure 7: Nstreme network example (diagram labels: Nstreme 1, Nstreme 2)
The setup of Nstreme is similar to the usual wireless configuration, except that you have to make some changes under /interface wireless nstreme.
As we have not configured the DualNS-2 router, we cannot define the remote-mac parameter on DualNS-1.

WEP Security
This example shows how to configure WEP (Wired Equivalent Privacy) on an Access Point and clients. In this example we will configure an Access Point which will use 104bit-wep for one station and 40bit-wep for other clients. The configuration of the stations is also shown.

Configure the Access Point:
[admin@WEP_AP] interface wireless security-profiles> add name=StationX \
\... mode=static-keys-required static-algo-1=40bit-wep static-key-1=1234567890 \
\...

Configure WEP_Station1:
[admin@WEP_Station1] interface wireless security-profiles> add name=Station1 \
\... mode=static-keys-required static-sta-private-algo=104bit-wep \
\...

Configure WEP_StationX:
[admin@WEP_StationX] interface wireless security-profiles> add name=StationX \
\... mode=static-keys-required static-algo-1=40bit-wep static-key-1=1234567890 \
\...
On the AP, in the default profile or in a profile of your own, choose wpa-psk as the encryption algorithm. Specify the pre-shared-key, wpa-unicast-ciphers and wpa-group-cipher:
[admin@WPA_AP] interface wireless security-profiles> set default mode=wpa-psk\
\...

4.4 VLAN Interfaces
Document revision: 1.2 (Mon Sep 19 13:46:34 GMT 2005)
Applies to: V2.9

4.4.1 General Information
Summary
VLAN is an implementation of the 802.1Q VLAN protocol for RouterOS. It allows you to have multiple Virtual LANs on a single ethernet or wireless interface, giving the ability to segregate LANs efficiently.
On Router 1:
[admin@AT-WR4562] ip address> add address=10.10.10.1/24 interface=test
[admin@AT-WR4562] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 # ADDRESS         NETWORK      BROADCAST     INTERFACE
 0 10.0.0.204/24   10.0.0.0     10.0.0.255    ether1
 1 10.20.0.1/24    10.20.0.0    10.20.0.255   pc1
 2 10.10.10.1/24   10.10.10.0   10.10.10.

Quick Setup Guide
To put interfaces ether1 and ether2 in a bridge.
Example
To group ether1 and ether2 in the already created bridge1 bridge (versions from 2.9.

Example
To monitor a bridge port:
[admin@AT-WR4562] interface bridge port> mo 0
              status: in-bridge
         port-number: 1
                role: designated-port
           edge-port: no
 edge-port-discovery: yes
 point-to-point-port: no
        external-fdb: no
        sending-rstp: no
            learning: yes
          forwarding: yes
-- [Q quit|D dump|C-z pause]
4.5.
dst-address (IP address; default: 0.0.0.0/0) - destination IP address (only if MAC protocol is set to IPv4)
dst-mac-address (MAC address; default: 00:00:00:00:00:00) - destination MAC address
dst-port (integer: 0..

stp-forward-delay (time: 0..65535) - forward delay timer
stp-hello-time (time: 0..65535) - stp hello packets time
stp-max-age (time: 0..65535) - maximal STP message age
stp-msg-age (time: 0..65535) - STP message age
stp-port (integer: 0..65535) - stp port identifier
stp-root-address (MAC address) - root bridge MAC address
stp-root-cost (integer: 0..65535) - root bridge cost
stp-root-priority (time: 0..

Property Description
action (accept | arp-reply | drop | dst-nat | jump | log | mark | passthrough | redirect | return | src-nat; default: accept) - action to undertake if the packet matches the rule, one of the:
    accept - accept the packet. No action, i.e.

4.5.
5 IP and Routing
5.1 IP Addresses and ARP
Document revision: 1.3 (Tue Sep 20 19:02:32 GMT 2005)
Applies to: V2.9

5.1.1 General Information
Summary
This manual discusses IP address management and the Address Resolution Protocol settings. IP addresses serve as identification when communicating with other network devices using the TCP/IP protocol.

Property Description
actual-interface (read-only: name) - only applicable to logical interfaces like bridges or tunnels. Holds the name of the actual hardware interface the logical one is bound to.
address (IP address) - IP address
broadcast (IP address; default: 255.255.255.

If the ARP feature is turned off on the interface, i.e., arp=disabled is used, ARP requests from clients are not answered by the router. Therefore, a static ARP entry should be added to the clients as well. For example, the router's IP and MAC addresses should be added to the Windows workstations using the arp command:
C:\> arp -s 10.5.8.

Figure 11: Proxy ARP (diagram labels: A, B, Network A 192.168.0.0/24, 198.168.0.20/24, 198.168.0.30/24, 198.168.0.1/25 ether1, ether2 198.168.0.129/25, Network B 192.168.0.128/25, 198.168.0.130/25, C)
Suppose host A needs to communicate with host C. To do this, it needs to know host C's MAC address. As shown in the diagram above, host A has a /24 network mask.
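The Figure 11 situation worked through as an added example (not part of the original guide): host A's /24 mask makes it ARP for host C directly, and the router answers on ether1 only when that interface runs arp=proxy-arp. The addresses are constructed from the figure's labels, assuming 192.168.0.x throughout; the function names are hypothetical and the mode handling is a simplified model of the four arp settings listed earlier, not RouterOS code.

```python
import ipaddress

# Constructed addressing modelled on Figure 11. The figure's labels mix
# 192.168.0.x and 198.168.0.x; 192.168.0.x is assumed throughout here.
HOST_A = ipaddress.ip_interface("192.168.0.20/24")   # host A, /24 mask
HOST_B = ipaddress.ip_interface("192.168.0.30/24")   # host B, same wire as A
HOST_C = ipaddress.ip_interface("192.168.0.130/25")  # host C, behind ether2
ROUTER = {
    "ether1": ipaddress.ip_interface("192.168.0.1/25"),
    "ether2": ipaddress.ip_interface("192.168.0.129/25"),
}
ARP_MODES = ("disabled", "enabled", "proxy-arp", "reply-only")


def host_arps_directly(src, dst_ip):
    """True when the sender's own mask says dst_ip is on-link, so it sends
    an ARP request for dst_ip itself instead of for its gateway."""
    return dst_ip in src.network


def router_arp_answer(in_iface, arp_mode, target_ip, interfaces=ROUTER):
    """Model the router's reaction to an ARP request for target_ip that
    arrives on in_iface. Returns "own", "proxy" or None (no reply)."""
    if arp_mode not in ARP_MODES:
        raise ValueError("unknown arp mode: %r" % arp_mode)
    if arp_mode == "disabled":
        return None                       # ARP is not used at all
    if target_ip == interfaces[in_iface].ip:
        return "own"                      # enabled, reply-only, proxy-arp
    if arp_mode == "proxy-arp":
        # Answer with the router's own MAC for any address that lives in a
        # subnet attached to a *different* interface. Note that this also
        # covers addresses no host is using.
        for name, iface in interfaces.items():
            if name != in_iface and target_ip in iface.network:
                return "proxy"
    return None


def next_hop_for(src, dst_ip, arp_mode, on_wire,
                 in_iface="ether1", gateway=ROUTER["ether1"].ip):
    """Who ends up receiving src's frame for dst_ip. on_wire is the set of
    addresses that really share src's segment (constructed input)."""
    if not host_arps_directly(src, dst_ip):
        # Off-link by the sender's mask: it ARPs for the gateway instead.
        answer = router_arp_answer(in_iface, arp_mode, gateway)
        return "router (gateway)" if answer == "own" else "unresolved"
    if dst_ip in on_wire:
        return "peer"                     # the real owner answers the ARP
    if router_arp_answer(in_iface, arp_mode, dst_ip) == "proxy":
        return "router (proxy ARP)"
    return "unresolved"                   # nobody answers the request


if __name__ == "__main__":
    wire = {HOST_B.ip}
    for mode in ARP_MODES:
        print(mode, "->", next_hop_for(HOST_A, HOST_C.ip, mode, wire))
```

Because the proxy-arp branch answers for every address in the far subnet, an ARP table on host A's segment will show the router's MAC against addresses that are not in use behind ether2, which is worth knowing when reading ARP caches during troubleshooting or monitoring.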
Example
Consider the following configuration:
Diagram labels: Server 10.0.0.2/24 10.0.0.1/24 Internet 10.0.0.217/24 ether1 Pppoe-inX addresses 10.0.0.217/32 Reserved for dial in 10.0.0.230..240 Laptop 10.0.0.231/24 WS 10.0.0.

interface with the network being the same as the address on the router on the other side of the p2p link (there may be no IP on that interface, but there is an IP for that router).
Example
[admin@AT-WR4562] ip address> add address=10.0.0.214/32 network=192.168.0.1 \
\...

Related Topics
IP Addresses and ARP
Routes, Equal Cost Multipath Routing, Policy Routing
Description
Routing Information Protocol (RIP) is one protocol in a series of routing protocols based on the Bellman-Ford (or distance vector) algorithm. This Interior Gateway Protocol (IGP) lets routers exchange routing information across a single autonomous system by way of periodic RIP updates.
5.2.4 Networks
Submenu level: /routing rip network
Description
To start the RIP protocol, you have to define the networks on which RIP will run.
Property Description
network (IP address mask; default: 0.0.0.0/0) - specifies the network on which RIP will run.

This list shows routes learned by all dynamic routing protocols (RIP, OSPF and BGP)
Example
To view the list of the routes:
[admin@AT-WR4562] routing rip route> print
Flags: S - static, R - rip, O - ospf, C - connect, B - bgp
 0 O dst-address=0.0.0.0/32 gateway=10.7.1.254 metric=1 from=0.0.0.0
...
33 R dst-address=159.148.10.104/29 gateway=10.6.1.1 metric=2 from=10.6.1.1
34 R dst-address=159.148.10.
Alliedware+ Router Configuration
...
interface Ethernet0
 ip address 10.0.0.26 255.255.255.0
 no ip directed-broadcast
!
interface Serial1
 ip address 192.168.1.1 255.255.255.252
 ip directed-broadcast
!
router rip
 version 2
 redistribute connected
 redistribute static
 network 10.0.0.0
 network 192.168.1.

Related Topics
• IP Addresses and ARP
• Routes, Equal Cost Multipath Routing, Policy Routing
• Log Management
Description
The Open Shortest Path First protocol is a link-state routing protocol. It uses a link-state algorithm to build and calculate the shortest path to all known destinations. The shortest path is calculated using the Dijkstra algorithm.

Within one area, only the router that is connected to another area (i.e. Area border router) or to another AS (i.e. Autonomous System boundary router) should have the propagation of the default route enabled. The OSPF protocol will try to use the shortest path (the path with the smallest total cost) if available.
However, areas do not need to be physically connected to the backbone. This can be done with a virtual link.

5.3.5 Interfaces
Submenu level: /routing ospf interface
Description
This facility provides tools for additional in-depth configuration of OSPF interface specific parameters.

Property Description
neighbor-id (IP address; default: 0.0.0.0) - specifies router-id of the neighbor
transit-area (name; default: (unknown)) - a non-backbone area the two routers have in common
Virtual links cannot be established through stub areas.
Example
To add a virtual link with the 10.0.0.

Example
The following text can be observed just after adding an OSPF network:
[admin@AT-WR4562] routing ospf> neighbor print
router-id=10.0.0.204 address=10.0.0.204 priority=1 state="2-Way" state-changes=0 ls-retransmits=0 ls-requests=0 db-summaries=0 dr-id=0.0.0.0 backup-dr-id=0.0.0.0
[admin@AT-WR4562] routing ospf>
5.3.
Now let's set up the OSPF_MAIN router.
Assign IP addresses to these interfaces:
[admin@OSPF_peer_1] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
#   ADDRESS        NETWORK     BROADCAST     INTERFACE
0   10.1.0.1/24    10.1.0.0    10.1.0.255    to_main
1   10.3.0.1/24    10.3.0.0    10.3.0.255    backup
Set redistribute-connected as as-type-1. Metric-connected, metric-static, metric-rip, metric-bgp should be zero.
Add the same area as in previous routers:
[admin@OSPF_peer_2] routing ospf area> print
Flags: X - disabled, I - invalid
#   NAME        AREA-ID    STUB   DEFAULT-COST   AUTHENTICATION
0   backbone    0.0.0.0                          none
1   local_10    0.0.0.1    no     1              none
Add connected networks with the same area:
[admin@OSPF_peer_2] routing ospf network> print
Flags: X - disabled, I - invalid
#   NETWORK        AREA
0   10.2.0.0/24    local_10
1   10.3.0.
Routing tables with Revised Link Cost
This example shows how to set up link cost. Let us assume that the link between the routers OSPF_peer_1 and OSPF_peer_2 has a higher cost (it might be slower, we have to pay more for the traffic through it, etc.).
Network diagram labels: Internet, main_gw 192.168.0.11, [OSPF_MAIN], to_peer2 10.2.0.2, to_peer1 10.1.0.2, to_main 10.2.0.1, Cost=1, [OSPF_peer_2], Cost=1, Cost=1, to_main 10.1.0.
On OSPF_peer_1:
[admin@OSPF_peer_1] > ip route pr
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
#      DST-ADDRESS       G GATEWAY     DISTANCE   INTERFACE
0 Do   192.168.0.0/24    r 10.1.0.2    110        to_main
1 Io   10.3.0.0/24                     110
2 DC   10.3.0.0/24       r 0.0.0.0     0          backup
3 Do 10.2.0.0/24 4 Io 10.1.0.0/24 5 DC 10.1.0.0/24 r 10.1.0.2 110 to_main 0 to_main 110 r 0.
The OSPF routing changes as follows:
Routes on OSPF_MAIN router:
[admin@OSPF_MAIN] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
#      DST-ADDRESS       G GATEWAY     DISTANCE   INTERFACE
0 Io   192.168.0.0/24                  110
1 DC   192.168.0.0/24    r 0.0.0.0     0          main_gw
2 Do   10.3.0.0/24       r 10.2.0.1    110        to_peer_2
3 Io   10.2.0.0/24                     110
4 DC   10.2.0.0/24       r 0.0.
Description
RouterOS has the following types of routes:
dynamic routes - automatically created routes for networks that are directly accessed through an interface. They appear automatically when a new IP address is added. Dynamic routes are also added by routing protocols.
bgp-origin (incomplete | igp | egp) - the origin of the route prefix
bgp-prepend (integer: 0..16) - number which indicates how many times to prepend AS_NAME to AS_PATH
check-gateway (arp | ping; default: ping) - which protocol to use for gateway reachability
distance (integer: 0..255) - administrative distance of the route.
You can use policy routing even if you use masquerading on your private networks. The source address will be the same as it is in the local network. In previous versions of RouterOS the source address changed to 0.0.0.0.
It is impossible to recognize peer-to-peer traffic from the first packet. Only already established connections can be matched.
ISP1 gives us 2Mbps and ISP2 gives us 4Mbps, so we want a traffic ratio of 1:2 (1/3 of the source/destination IP pairs from 192.168.0.0/24 go through ISP1, and 2/3 through ISP2).
IP addresses of the router:
[admin@ECMP-Router] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
#   ADDRESS             NETWORK        BROADCAST
0   192.168.0.254/24    192.168.0.0    192.168.0.255
1   10.1.0.2/28         10.1.0.0       10.1.0.15
2   10.1.1.
Configuration of the IP addresses:
[admin@PB-Router] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
#   ADDRESS           NETWORK        BROADCAST
0   192.168.0.1/24    192.168.0.0    192.168.0.255
1   192.168.1.1/24    192.168.1.0    192.168.1.255
2   10.0.0.7/24       10.0.0.0       10.0.0.
6 DHCP and DNS
6.1 DHCP Client and Server
Document revision: 2.7 (Mon Apr 18 22:24:18 GMT 2005)
Applies to: V2.9
6.1.1 General Information
Summary
The DHCP (Dynamic Host Configuration Protocol) is needed for easy distribution of IP addresses in a network. The RouterOS implementation includes both server and client parts and is compliant with RFC2131.
68 port. The initial negotiation involves communication between broadcast addresses (in some phases the sender will use a source address of 0.0.0.0 and/or a destination address of 255.255.255.255). You should be aware of this when building a firewall.
Additional Resources
http://www.isc.org/index.pl?/sw/dhcp/
http://en.tldp.org/HOWTO/DHCP/index.html
http://en.wikipedia.org/wiki/Dhcp
6.1.
If the host-name property is not specified, the client's system identity will be sent in the respective field of the DHCP request.
If the client-id property is not specified, the client's MAC address will be sent in the respective field of the DHCP request.
If the use-peer-dns property is enabled, the DHCP client will unconditionally rewrite the settings in the /ip dns submenu.
specified, rx-rate is as tx-rate too. Same goes for tx-burst-rate and tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate are used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as default. Priority takes values 1..
the source-address is left as 0.0.0.0, then the static address will be used.
Property Description
store-leases-disk (time-interval | immediately | never; default: 5min) - how frequently lease changes should be stored on disk
6.1.
Note that the IP addresses assigned statically are not probed.
Example
To assign 10.5.2.100 static IP address for the existing DHCP client (shown in the lease table as item #0):
[admin@AT-WR4562] ip
Flags: X - disabled,
# ADDRESS
0 D 10.5.2.90
1 D 10.5.2.91
[admin@AT-WR4562] ip
[admin@AT-WR4562] ip
Flags: X - disabled,
# ADDRESS
0 D 10.5.2.91
1 10.5.2.
Property Description
code (integer: 1..254) - DHCP option code. All codes are available at http://www.iana.org/assignments/bootp-dhcp-parameters
name (name) - descriptive name of the option
value (text) - parameter's value in form of a string.
Example
To add a DHCP relay named relay on ether1 interface resending all received requests to the 10.0.0.1 DHCP server:
[admin@AT-WR4562] ip dhcp-relay> add name=relay interface=ether1 \
\... dhcp-server=10.0.0.1 disabled=no
[admin@AT-WR4562] ip dhcp-relay> print
Flags: X - disabled, I - invalid
#   NAME     INTERFACE   DHCP-SERVER   LOCAL-ADDRESS
0   relay    ether1      10.0.0.1      0.0.0.
The wizard has made the following configuration based on the answers above:
[admin@AT-WR4562] ip dhcp-server> print
Flags: X - disabled, I - invalid
#   NAME     INTERFACE   RELAY      ADDRESS-POOL   LEASE-TIME   ADD-ARP
0   dhcp1    ether1      0.0.0.0    dhcp_pool1     3d           no
[admin@AT-WR4562] ip dhcp-server> network print
#   ADDRESS        GATEWAY     DNS-SERVER
0   10.0.0.0/24    10.0.0.1    159.148.60.
IP addresses of DHCP-Relay:
[admin@DHCP-Relay] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
#   ADDRESS           NETWORK        BROADCAST        INTERFACE
0   192.168.0.1/24    192.168.0.0    192.168.0.255    To-DHCP-Server
1   192.168.1.1/24    192.168.1.0    192.168.1.255    Local1
2   192.168.2.1/24    192.168.2.0    192.168.2.255    Local2
[admin@DHCP-Relay] ip address>
To set up 2 DHCP servers on the DHCP-Server router, add 2 pools.
Figure 19: DHCP with RADIUS
Network diagram labels: Internet, RADIUS Server 172.16.0.2/24, [DHCP-Server], Public 10.1.0.2/24, To-Radius 172.16.0.1/24, Local 192.168.0.1/24, Local Network Address Range: 192.168.0.0/24
We assume that you have already installed FreeRADIUS. Just add these lines to the specified files:
• users file:
00:0B:6B:31:02:4B Auth-Type := Local, Password == ""
    Framed-IP-Address = 192.168.0.55
• clients.
6.2 DNS Client and Cache
Document revision: 1.2 (Fri Apr 15 17:37:43 GMT 2005)
Applies to: V2.9
6.2.1 General Information
Summary
DNS cache is used to minimize DNS requests to an external DNS server as well as to minimize DNS resolution time. This is a simple recursive DNS server with local items.
Example
To set 159.148.60.2 as the primary DNS server and allow the router to be used as a DNS server, do the following:
[admin@AT-WR4562] ip dns> set primary-dns=159.148.60.2 \
\... allow-remote-requests=yes
[admin@AT-WR4562] ip dns> print
primary-dns: 159.148.60.2
secondary-dns: 0.0.0.0
allow-remote-requests: yes
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 17KiB
[admin@AT-WR4562] ip dns>
6.3.
Description
RouterOS has an embedded DNS server feature in the DNS cache. It allows you to link particular domain names with the respective IP addresses and advertise these links to the DNS clients using the router as their DNS server. This feature can also be used to provide fake DNS information to your network clients.
7 AAA Configuration
7.1 RADIUS client
Document revision: 1.6 (February 14, 2007, 12:00 GMT)
Applies to: V2.9
7.1.1 General Information
Summary
This document provides information about RouterOS built-in RADIUS client configuration, supported RADIUS attributes and recommendations on RADIUS server selection.
port (integer; default: 1700) - the port number to listen for the requests on
RouterOS doesn't support POD (Packet of Disconnect), the other RADIUS access request packet that performs a similar function to Disconnect Messages.
7.1.4 Suggested RADIUS Servers
Description
RouterOS RADIUS Client should work well with all RFC compliant servers.
you should first create a ppp chain and make jump rules that would put actual traffic to this chain). The same applies for HotSpot, but the rules will be created in the hotspot chain
• Mikrotik-Mark-Id - firewall mangle chain name (HotSpot only).
instances may be sent by the RADIUS server to specify additional URLs, which are chosen in round robin fashion.
• Mikrotik-Advertise-Interval - Time interval between two adjacent advertisements. Multiple attribute instances may be sent by the RADIUS server to specify additional intervals. All interval values are treated as a list and are taken one-by-one for each successful advertisement.
Change of Authorization
RADIUS disconnect and Change of Authorization (according to RFC3576) are supported as well.
7.2 PPP User AAA
Document revision: 2.5 (Fri Jul 07 14:52:59 GMT 2006)
Applies to: V2.9
7.2.1 General Information
Summary
This document provides summary, configuration reference and examples on PPP user management. This includes asynchronous PPP, PPTP, PPPoE and ISDN users.
default - derive this value from the interface default profile; same as no if this is the interface default profile
dns-server (IP address{1,2}) - IP address of the DNS server to supply to clients
idle-timeout (time) - specifies the amount of time after which the link will be terminated if there was no activity present.
routes (text) - routes that appear on the server when the client is connected. The route format is: dst-address [[gateway] [metric]] (for example, 10.1.0.0/24 10.0.0.1 1). Several routes may be specified separated with commas. If gateway is not specified, the remote address is used.
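Because these routes are installed on the server whenever the client connects, it is worth checking a secret's routes value before applying it. The following is an added example (not part of this guide or of RouterOS) that parses the format described above and reports routes overlapping networks you want to keep off client tunnels; the default metric of 1, the function names and the protected network list are assumptions of the example.

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Tuple

# Assumption: the text above does not state a default metric; 1 is used here.
DEFAULT_METRIC = 1


class PppRoute(NamedTuple):
    dst: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int


def parse_routes(routes: str, remote_address: str) -> List[PppRoute]:
    """Parse 'dst-address [[gateway] [metric]]' entries separated by commas."""
    remote = ipaddress.IPv4Address(remote_address)
    parsed = []
    for entry in routes.split(","):
        fields = entry.split()
        if not fields:
            continue  # empty value or stray comma
        if len(fields) > 3:
            raise ValueError(f"too many fields in route {entry.strip()!r}")
        # Strict parsing: a destination with host bits set (10.1.0.1/24) is
        # rejected instead of being silently widened to its network.
        dst = ipaddress.IPv4Network(fields[0])
        # A missing gateway falls back to the client's remote address.
        gateway = ipaddress.IPv4Address(fields[1]) if len(fields) > 1 else remote
        metric = int(fields[2]) if len(fields) > 2 else DEFAULT_METRIC
        if metric < 0:
            raise ValueError(f"negative metric in route {entry.strip()!r}")
        parsed.append(PppRoute(dst, gateway, metric))
    return parsed


def overlapping_routes(
    routes: Iterable[PppRoute], protected: Iterable[str]
) -> List[Tuple[PppRoute, ipaddress.IPv4Network]]:
    """Return (route, protected network) pairs whose address ranges overlap."""
    nets = [ipaddress.IPv4Network(p) for p in protected]
    return [(r, n) for r in routes for n in nets if r.dst.overlaps(n)]


if __name__ == "__main__":
    # Constructed input: the guide's sample entry plus one without a gateway.
    value = "10.1.0.0/24 10.0.0.1 1, 10.150.1.0/24"
    routes = parse_routes(value, remote_address="10.0.103.2")
    for r in routes:
        print(f"{r.dst} via {r.gateway} metric {r.metric}")
    # Hypothetical management network that no client route should cover.
    for r, net in overlapping_routes(routes, ["192.168.0.0/24"]):
        print(f"REVIEW: {r.dst} overlaps protected network {net}")
```

A route of 0.0.0.0/0 overlaps every protected network, so a secret that would hand the server's default route to a client is always reported.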
7.2.5 PPP User Remote AAA
Submenu level: /ppp aaa
Property Description
accounting (yes | no; default: yes) - enable RADIUS accounting
interim-update (time; default: 0s) - Interim-Update time interval
use-radius (yes | no; default: no) - enable user authentication via RADIUS
The RADIUS user database is queried only if the required username is not found in the local user database.
7.3.2 Router User Groups
Submenu level: /user group
Description
The router user groups provide a convenient way to assign different permissions and access rights to different user classes.
Example
To add user joe with password j1o2e3 belonging to write group, enter the following command:
[admin@AT-WR4562] user> add name=joe password=j1o2e3 group=write
[admin@AT-WR4562] user> print
Flags: X - disabled
0 ;;; system default user
name="admin" group=full address=0.0.0.0/0
1 name="joe" group=write address=0.0.0.0/0
[admin@AT-WR4562] user>
7.3.
8 VPNs and Tunneling
8.1 EoIP
Document revision: 1.4 (Fri Nov 04 20:53:13 GMT 2005)
Applies to: V2.9
8.1.1 General Information
Summary
Ethernet over IP (EoIP) Tunneling is a RouterOS protocol that creates an Ethernet tunnel between two routers on top of an IP connection. The EoIP interface appears as an Ethernet interface.
The EoIP interface appears as an Ethernet interface under the interface list. This interface supports all features of an Ethernet interface. IP addresses and other tunnels may be run over the interface. The EoIP protocol encapsulates Ethernet frames in GRE (IP protocol number 47) packets (just like PPTP) and sends them to the remote side of the EoIP tunnel. The maximum number of EoIP tunnels is 65536.
8.1.3 EoIP Application Example
Description
Let us assume we want to bridge two networks: 'Office LAN' and 'Remote LAN'. The networks are connected to an IP network through the routers [Our_GW] and [Remote]. The IP network can be a private intranet or the Internet. Both routers can communicate with each other through the IP network.
Configure the EoIP tunnel by adding the EoIP tunnel interfaces at both routers. Use the IP addresses of the PPTP tunnel interfaces when specifying the argument values for the EoIP tunnel:
[admin@Our_GW] interface eoip> add name="eoip-remote" tunnel-id=0 \
\... remote-address=10.0.0.
8.2 Interface Bonding
Document revision: 1.1 (oct-26-2004)
Applies to: V2.9
8.3 General Information
8.3.1 Summary
Bonding is a technology that allows aggregation of multiple Ethernet-like interfaces into a single virtual link, thus getting higher data rates and providing failover.
8.3.
Description
To provide proper failover, you should specify the link-monitoring parameter. It can be:
• MII (Media Independent Interface) type1 or type2 - Media Independent Interface is an abstract layer between the operating system and the NIC which detects whether the link is running (it also performs other functions, but in our case this is the most important).
name (name) - descriptive name of bonding interface
primary (name; default: none) - interface used as the primary output media. The other slaves will be used only if the primary interface fails.
Office2 configuration:
[admin@office2] interface> print
Flags: X - disabled, D - dynamic, R - running
#     NAME    TYPE
0 R   isp2    ether
1 R   isp1    ether
[admin@office2] interface> /ip add print
Flags: X - disabled, I - invalid, D - dynamic
#   ADDRESS          NETWORK     BROADCAST
0   2.2.2.1/24       2.2.2.0     2.2.2.255
1   10.1.0.112/24    10.1.0.0    10.1.0.
Bonding configuration for Office1
[admin@office1] interface bonding> add slaves=eoip-tunnel1,eoip-tunnel2
[admin@office1] interface bonding> print
Flags: X - disabled, R - running
0 R name="bonding1" mtu=1500 mac-address=00:0C:42:03:20:E7 arp=enabled
slaves=eoip-tunnel1,eoip-tunnel2 mode=balance-rr primary=none
link-monitoring=none arp-interval=00:00:00.100 arp-ip-targets=""
mii-interval=00:00:00.
Add an IPIP interface (by default, its name will be ipip1):
[admin@10.5.8.104] interface ipip> add local-address=10.5.8.104 \
remote-address=10.1.0.172 disabled=no
Add an IP address to the created ipip1 interface:
[admin@10.5.8.104] ip address> add address=10.0.0.1/24 interface=ipip1
Configuration on router with IP address 10.1.0.172:
Add an IPIP interface (by default, its name will be ipip1):
[admin@10.
Use the /ip address add command to assign an IP address to the IPIP interface.
There is no authentication or 'state' for this interface. The bandwidth usage of the interface may be monitored with the monitor feature from the interface menu.
8.4.3 Application Examples
Description
Suppose we want to add an IPIP tunnel between routers R1 and R2:
Network diagram labels: IP Network, IPIP Tunnel, [R1] 10.0.0.1, [R2] 22.63.11.6, 1.1.
Now both routers can ping each other:
[admin@AT-WR4562] interface ipip> /ping 1.1.1.2
1.1.1.2 64 byte ping: ttl=64 time=24 ms
1.1.1.2 64 byte ping: ttl=64 time=19 ms
1.1.1.2 64 byte ping: ttl=64 time=20 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 19/21.0/24 ms
[admin@AT-WR4562] interface ipip>
8.5 L2TP Interface
Document revision: 1.
Related Topics
• IP Addresses and ARP
• AAA Configuration
• EoIP
• IP Security
Additional Resources
http://www.linuxguide.it/docs.php?Networking:VPN:IPSec%2FL2TP
http://en.wikipedia.org/wiki/L2tp
Description
L2TP is a secure tunnel protocol for transporting IP traffic using PPP.
mrru (integer: 512..65535; default: disabled) - maximum packet size that can be received on the link.
8.5.4 L2TP Server Setup
Submenu level: /interface l2tp-server server
Description
The L2TP server creates a dynamic interface for each connected L2TP client. The L2TP connection count from clients depends on the license level you have. Level1 license allows 1 L2TP client, Level3 or Level4 licenses up to 200 clients, and Level5 or Level6 licenses do not have L2TP client limitations.
so if you need persistent rules for that user, create a static entry for him/her. Otherwise it is safe to use dynamic configuration. In both cases PPP users must be configured properly.
8.5.6 L2TP Application Examples
Router-to-Router Secure Tunnel Example
Network diagram labels (Network Setup without L2TP enabled): Big Internet, WISP#1 192.168.80.0/24, WISP#2 192.168.81.0/24, Home Office To Internet 192.168.80.1/24, Remote Office To Internet 192.168.81.1/24, LAN 10.150.2.254/24, LAN 10.150.1.254/24, 10.150.2.1/24, 10.150.1.
And finally, the server must be enabled:
[admin@HomeOffice] interface l2tp-server server> set enabled=yes
[admin@HomeOffice] interface l2tp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@HomeOffice] interface l2tp-server server>
Add an L2TP client to the RemoteOffice router:
[admin@RemoteOffice] interface l2tp-client> add connect-to=192.
On the L2TP server it can alternatively be done using the routes parameter of the user configuration:
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=l2tp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2 routes==""
[admin@HomeOffice] ppp secret> set 0 routes="10.150.1.0/24 10.0.103.
Figure 25: Client to Office secure connection via L2TP tunnel
Network diagram labels: Big Internet, ISP#1 192.168.80.0/24, WISP#2 192.168.81.0/24, Remote Office To Internet 192.168.81.1/24, Encrypted L2TP tunnel, To Office 10.150.1.2/32, From Laptop 10.150.1.254/32, LAN 10.150.1.254/24, 192.168.80.111/24, 10.150.1.1/24
The router in this example:
[RemoteOffice]
Interface ToInternet 192.168.81.1/24
Interface Office 10.150.1.
Generally speaking, PPPoE is used to hand out IP addresses to clients based on user (and workstation, if desired) authentication, as opposed to the workstation-only authentication in effect when static IP addresses or DHCP are used. It is advised not to use static IP addresses or DHCP on the same interfaces as PPPoE for obvious security reasons.
Related Topics
• IP Addresses and ARP
• RADIUS client
• PPP User AAA
• Log Management
Additional Resources
Links for PPPoE documentation:
http://www.faqs.org/rfcs/rfc2516.html
PPPoE Clients:
RASPPPoE for Windows 95, 98, 98SE, ME, NT4, 2000, XP, .NET
http://support.microsoft.com/kb/283070
http://www.raspppoe.com/
8.6.
Example
To add and enable a PPPoE client on the gig interface connecting to the AC that provides testSN service using user name john with the password password:
[admin@RemoteOffice] interface pppoe-client> add interface=gig \
\...
If no service name is specified in Windows XP, it will use only a service with no name. So if you want to serve Windows XP clients, leave your service name empty.
8.6.5 PPPoE Users
Description
The PPPoE users are authenticated through a RADIUS server (if configured), and if RADIUS fails, then the local PPP user database is used. See the respective manual sections for more information:
• RADIUS client
• PPP User AAA
8.6.
8.6.7 Application Examples
PPPoE in a multipoint wireless 802.11g network
In a wireless network, the PPPoE server may be attached to an Access Point (as well as to a regular station of wireless infrastructure). Either our RouterOS client or Windows PPPoE clients may connect to the Access Point for PPPoE authentication.
Now, configure the Ethernet interface, add the IP address and set the default route:
[admin@PPPoE-Server] ip address> add address=10.1.0.3/24 interface=Local
[admin@PPPoE-Server] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
#   ADDRESS        NETWORK     BROADCAST   INTERFACE
0   10.1.0.3/24    10.1.0.0    10.1.0.
8.6.8 Troubleshooting
Description
I can connect to my PPPoE server. The ping goes even through it, but I still cannot open web pages.
Make sure that you have specified a valid DNS server in the router (in /ip dns or in /ppp profile the dns-server parameter).
Quick Setup Guide
To make a PPTP tunnel between 2 RouterOS routers with IP addresses 10.5.8.104 (PPTP server) and 10.1.0.172 (PPTP client), follow the next steps.
Configuration on PPTP server router:
Add a user:
[admin@PPTP-Server] ppp secret> add name=jack password=pass \
\... local-address=10.0.0.1 remote-address=10.0.0.
Additional Resources
http://msdn.microsoft.com/library/backgrnd/html/understanding_pptp.htm
http://support.microsoft.com/support/kb/articles/q162/8/47.asp
http://support.microsoft.com/kb/154062/en-us
http://www.ietf.org/rfc/rfc2637.txt?number=2637
http://www.ietf.org/rfc/rfc3078.txt?number=3078
http://www.ietf.org/rfc/rfc3079.txt?number=3079
8.7.
8.7.
Specifying MRRU means enabling MP (Multilink PPP) over a single link. This protocol is used to split big packets into smaller ones. Under Windows it can be enabled in the Networking tab, Settings button, "Negotiate multi-link for single link connections". Their MRRU is hardcoded to 1614. This setting is useful to overcome PathMTU discovery failures. The MP should be enabled on both peers.
Example
To add a static entry for ex1 user:
[admin@AT-WR4562] interface pptp-server> add user=ex1
[admin@AT-WR4562] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
#      NAME        USER   MTU    CLIENT-ADDRESS   UPTIME   ENC...
0 DR               ex     1460   10.0.0.202       6m32s
1      pptp-in1    ex1
[admin@AT-WR4562] interface pptp-server>
Then the user should be added in the PPTP server list:
[admin@HomeOffice] interface pptp-server> add user=ex
[admin@HomeOffice] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
#   NAME        USER   MTU   CLIENT-ADDRESS   UPTIME   ENC...
0   pptp-in1    ex
[admin@HomeOffice] interface pptp-server>
On the PPTP server it can alternatively be done using the routes parameter of the user configuration:
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2 routes==""
[admin@HomeOffice] ppp secret> set 0 routes="10.150.1.0/24 10.0.103.
Figure 29: Connecting a Remote Client via an Encrypted PPTP Tunnel
Network diagram labels: Internet, ISP #1 192.168.80.0/24, ISP #2 192.168.81.0/24, Encrypted PPTP Tunnel, ToRemoteOffice 10.150.1.1/32, Tunnel_To_HomeOffice 10.150.1.254/32, 192.168.80.111/24, [Remote Office] 192.168.81.1/24, 10.150.1.254/24, 10.150.1.1/24
The router in this example:
[RemoteOffice]
Interface ToInternet 192.168.81.1/24
Interface Office 10.150.
Description
IPsec (IP Security) supports secure (encrypted) communications over IP networks.
Encryption
After a packet is src-natted (if needed), but before it is put into the interface queue, the IPsec policy database is consulted to find out whether the packet should be encrypted.
Phase 2 - The peers establish one or more SAs that will be used by IPsec to encrypt data. All SAs established by the IKE daemon will have lifetime values (either a time limit, after which the SA will become invalid, or an amount of data that can be encrypted by this SA, or both). There are two lifetime values - soft and hard.
large packets with don't fragment flag will not be able to pass the router
inherit - do not change the field
set - set the field, so that each packet matching the rule will not be fragmented. Not recommended
dst-address (IP address/netmask:port; default: 0.0.0.
Example
To add a policy to encrypt all the traffic between two hosts (10.0.0.147 and 10.0.0.148), do the following:
[admin@WiFi] ip ipsec policy> add sa-src-address=10.0.0.147 \
\... sa-dst-address=10.0.0.148 action=encrypt
[admin@WiFi] ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=10.0.0.147/32:any dst-address=10.0.0.
lifetime (time; default: 1d) - phase 1 lifetime: specifies how long the SA will be valid; SA will be discarded after this time
nat-traversal (yes | no; default: no) - use Linux NAT-T mechanism to solve IPsec incompatibility with NAT routers in between IPsec peers.
Example
Sample printout looks as follows:
[admin@WiFi] ip ipsec> installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=E727605 src-address=10.0.0.148 dst-address=10.0.0.
Example
To flush all the SAs installed:
[admin@AT-WR4562] ip ipsec installed-sa> flush
[admin@AT-WR4562] ip ipsec installed-sa> print
[admin@AT-WR4562] ip ipsec installed-sa>
8.8.7 Application Examples
RouterOS Router to RouterOS Router
IP Network 1.0.0.0/24 [Router1] 1.0.0.1 10.1.0.0/24 [Router2] 1.0.0.2 10.2.0.
for Router1
[admin@Router1] > ip ipsec manual-sa add name=ah-sa1 \
\... ah-spi=0x101/0x100 ah-key=abcfed
[admin@Router1] > ip ipsec policy add src-address=10.1.0.0/24 \
\... dst-address=10.2.0.0/24 action=encrypt ipsec-protocols=ah \
\... tunnel=yes sa-src=1.0.0.1 sa-dst=1.0.0.2 manual-sa=ah-sa1
for Router2
[admin@Router2] > ip ipsec manual-sa add name=ah-sa1 \
\...
configure IPsec
for Router1
[admin@Router1] > ip ipsec policy add src-address=10.1.0.0/24 \
\... dst-address=10.2.0.0/24 action=encrypt tunnel=yes \
\... sa-src-address=1.0.0.1 sa-dst-address=1.0.0.2
[admin@Router1] > ip ipsec peer add address=1.0.0.2 \
\... exchange-mode=aggressive secret="gvejimezyfopmekun"
for Router2
[admin@Router2] > ip ipsec policy add src-address=10.2.0.0/24 \
\... dst-address=10.1.
9 Firewall and QoS
9.1 Filter
Document revision: 2.7 (Fri Nov 04 16:04:37 GMT 2005)
Applies to: V2.9
9.1.1 General Information
Summary
The firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through the router.
Property Description
action (accept | add-dst-to-address-list | add-src-to-address-list | drop | jump | log | passthrough | reject | return | tarpit; default: accept) - action to undertake if the packet matches the rule
accept - accept the packet. No action is taken, i.e.
unicast - IP addresses used for one point to another point transmission.
time - specifies the time interval over which the packet rate is measured
burst - number of packets to match in a burst
log-prefix (text) - all messages written to logs will contain the prefix specified herein. Used in conjunction with action=log
nth (integer,integer: 0..15,integer{0,1}) - match a particular Nth packet received by the rule.
tcp-flags (ack | cwr | ece | fin | psh | rst | syn | urg) - tcp flags to match
ack - acknowledging data
cwr - congestion window reduced
ece - ECN-echo flag (explicit congestion notification)
fin - close connection
psh - push function
rst - drop connection
syn - new connection
urg - urgent data
tcp-mss (integer: 0..
Submenu level: /ip firewall mangle
Standards and Technologies: IP
Hardware usage: Increases with count of mangle rules
Related Topics
• IP Addresses and ARP
• Routes, Equal Cost Multipath Routing, Policy Routing
• NAT
• Filter
• Packet Flow
9.2.2 Mangle
Submenu level: /ip firewall mangle
Description
Mangle is a kind of 'marker' that marks packets for future processing with special marks.
chain (forward | input | output | postrouting | prerouting) - specify the chain to put a particular rule into. As the different traffic is passed through different chains, always be careful in choosing the right chain for a new rule. If the input does not match the name of an already defined chain, a new chain will be created
comment (text) - free form textual comment for the rule.
every - match every every+1th packet. For example, if every=1 then the rule matches every 2nd packet
counter - specifies which counter to use. A counter increments each time the rule containing nth match matches
packet - match on the given packet number. The value, for obvious reasons, must be between 0 and every.
rst - drop connection
syn - new connection
urg - urgent data
tcp-mss (integer: 0..
Change MSS
It is a well known fact that VPN links have a smaller packet size due to encapsulation overhead. A large packet with an MSS that exceeds the MSS of the VPN link should be fragmented prior to sending it via that kind of connection. However, if the packet has the DF flag set, it cannot be fragmented and should be discarded.
The packet flow through the router is depicted in the following diagram:
Figure 32: Packet Flow Diagram
As can be seen on the diagram, there are five chains in the processing pipeline. These are prerouting, input, forward, output and postrouting. The actions performed on a packet in each chain are discussed later in this chapter.
Routed traffic
The traffic received for the router's MAC address on the respective port is passed to the routing procedures and can be of one of these four types:
• the traffic which is destined to the router itself. The IP packets have a destination address equal to one of the router's IP addresses.
Property Description
assured (read-only: true | false) - shows whether reply was seen for the last packet matching this entry
connection-mark (read-only: text) - Connection mark set in mangle
dst-address (read-only: IP address:port) - the destination address and port the connection is established to
icmp-id (read-only: integer) - contains the ICMP ID.
9.3.6 General Firewall Information
Description
ICMP TYPE:CODE values
In order to protect your router and attached private networks, you need to configure firewall to drop or reject most of ICMP traffic. However, some ICMP packets are vital to maintain network reliability or provide troubleshooting services. The following is a list of ICMP TYPE:CODE values found in good packets.
widely abused for unlicensed software and media distribution. Even when it is used for legal purposes, p2p may heavily disturb other network traffic, such as http and e-mail. RouterOS is able to recognize connections of the most popular P2P protocols and filter or enforce QoS on them.
9.4.2 NAT
Description
Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications. A LAN that uses NAT is referred to as a natted network. For NAT to function, there should be a NAT gateway in each natted network.
dst-limit (integer/time{0,1},integer,dst-address | dst-port | src-address{+},time{0,1}) - limits the packet per second (pps) rate on a per destination IP or per destination port basis. As opposed to the limit match, every destination IP address / destination port has its own limit.
every - match every every+1th packet. For example, if every=1 then the rule matches every 2nd packet
counter - specifies which counter to use. A counter increments each time the rule containing nth match matches
packet - match on the given packet number. The value, for obvious reasons, must be between 0 and every.
9.4.3 NAT Applications
Description
In this section some NAT applications and examples of them are discussed.
Basic NAT configuration
Assume we want to create a router that:
• "hides" the private LAN "behind" one address
• provides Public IP to the Local server
• creates 1:1 mapping of network addresses
Example of Source NAT (Masquerading)
If you want to "hide" the private LAN 192.168.0.
10 Hot Spot Service
10.1 HotSpot Gateway
Document revision: 4.2 (Tue Jul 04 14:49:38 GMT 2006)
Applies to: V2.9
10.1.1 General Information
Summary
The RouterOS HotSpot Gateway enables providing of public network access for clients using wireless or wired network connections.
Figure 34: HotSpot example network (diagram labels: Internet, RADIUS, WAN/LAN Interface, [HotSpot Gateway], HotSpot Interface)
The HotSpot interface should have an IP address assigned to it. Physical network connection has to be established between the HotSpot user's computer and the gateway.
Before the authentication
When enabling HotSpot on an interface, the system automatically sets up everything needed to show login page for all clients that are not logged in. This is done by adding dynamic destination NAT rules, which you can observe on a working HotSpot system. These rules are needed to redirect all HTTP and HTTPS requests from unauthorized users to the HotSpot servlet (i.e.
amount of time per MAC address to be freely used with some limitations imposed by the provided user profile. In case the MAC address still has some trial time unused, the login page will contain the link for trial login. The time is automatically reset after the configured amount of time (so that, for example, any MAC address may use 30 minutes a day without ever registering).
10.1.3 HotSpot Interface Setup
Submenu level: /ip hotspot
Description
HotSpot system is put on individual interfaces. You can run completely different HotSpot configurations on different interfaces.
Property Description
HTTPS (read-only: flag) - whether the HTTPS service is actually running on the interface (i.e.
10.1.4 HotSpot Server Profiles
Submenu level: /ip hotspot profile
Property Description
dns-name (text) - DNS name of the HotSpot server. This is the DNS name used as the name of the HotSpot server (i.e., it appears as the location of the login page). This name will automatically be added as a static DNS entry in the DNS cache
hotspot-address (IP address; default: 0.0.0.
smtp-server (IP address; default: 0.0.0.0) - default SMTP server to be used to redirect unconditionally all user SMTP requests to
split-user-domain (yes | no; default: no) - whether to split username from domain name when the username is given in "user@domain" or in "domain\user" format
ssl-certificate (name | none; default: none) - name of the SSL certificate to use for HTTPS authentication.
There can be multiple cookies with the same MAC address. For example, there will be a separate cookie for each web browser on the same computer. Cookies can expire - that is how it is supposed to be.
Example
To allow unauthorized requests to the www.example.com domain's /paynow.html page:
[admin@AT-WR4562] ip hotspot walled-garden> add path="/paynow.html" \
\... dst-host="www.example.com"
[admin@AT-WR4562] ip hotspot walled-garden> print
Flags: X - disabled, D - dynamic
0 dst-host="www.example.com" path="/paynow.html" action=allow
[admin@AT-WR4562] ip hotspot walled-garden>
10.3.
10.3.6
This is an ordered list, so you can put more specific entries on the top of the list for them to override more common rules that appear lower. You can even put an entry with 0.0.0.0/0 address at the end of the list to make the desired action default for those addresses that will not match any other entry.
All other packets except DNS and login requests from unauthorized clients should pass through the hs-unauth chain
7 D chain=hotspot action=jump jump-target=hs-auth hotspot=auth protocol=tcp
And packets from the authorized clients - through the hs-auth chain
8 D ;;; www.alliedtelesis.com
chain=hs-unauth dst-address=159.148.147.
Packet filter rules
From /ip firewall filter print dynamic command, you can get something like this (comments follow after each of the rules):
0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
Any packet that traverses the router from unauthorized client will be sent to the hs-unauth chain. The hs-unauth implements the IP-based Walled Garden filter.
10.3.10 Customizing HotSpot: HTTP Servlet Pages
Description
You can create a completely different set of servlet pages for each HotSpot server you have, specifying the directory they will be stored in with the html-directory property of a HotSpot server profile (/ip hotspot profile). The default servlet pages are copied into the directory of your choice right after you create the profile.
if user is logged in, rstatus.html is displayed; if rstatus.html is not found, redirect.html is used to redirect to the status page
if user is not logged in, rlogin.html is displayed; if rlogin.html is not found, redirect.html is used to redirect to the login page
request for "/login" page
if user has successfully logged in (or is already logged in), alogin.html is displayed; if alogin.
server-name - HotSpot server name (set in the /ip hotspot menu, as the name property)
Links:
link-login - link to login page including original URL requested ("http://10.5.50.1/login?dst=http://www.example.com/")
link-login-only - link to login page, not including original URL requested ("http://10.5.50.1/login")
link-logout - link to logout page ("http://10.5.50.
If you want to use the HTTP-CHAP authentication method, you are expected to include the doLogin() function (which references md5.js, which must already be loaded) before the Submit action of the login form. Otherwise, CHAP login will fail.
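The HTTP-CHAP requirement above, as an added example (not code from this guide or from RouterOS): it assumes the login form computes the RFC 1994 CHAP value MD5(id || password || challenge), and the ChapVerifier class, its session key and the sample account are hypothetical. It shows why a form that submits the typed password without hashing it is rejected, and why a response is only valid for the challenge it was computed from.

```javascript
const nodeCrypto = require("node:crypto");

// md5.js-style hashing treats each JavaScript character as one byte,
// so the password is encoded as latin1 here to mirror that behaviour.
function toBytes(text) {
  return Buffer.from(text, "latin1");
}

// RFC 1994 CHAP value: MD5(identifier || secret || challenge), hex-encoded.
function chapResponse(chapId, password, challenge) {
  if (!Number.isInteger(chapId) || chapId < 0 || chapId > 255) {
    throw new RangeError("chapId must fit in one byte");
  }
  return nodeCrypto.createHash("md5")
    .update(Buffer.from([chapId]))
    .update(toBytes(password))
    .update(challenge)
    .digest("hex");
}

// Hypothetical server side: one pending challenge per rendered login page.
class ChapVerifier {
  constructor(lookupPassword) {
    this.lookupPassword = lookupPassword; // username -> password or undefined
    this.pending = new Map();             // session -> { chapId, challenge }
  }

  // Called when the login page is rendered; the values go into the form.
  issue() {
    const session = nodeCrypto.randomBytes(8).toString("hex");
    const chapId = nodeCrypto.randomBytes(1)[0];
    const challenge = nodeCrypto.randomBytes(16);
    this.pending.set(session, { chapId, challenge });
    return { session, chapId, challenge };
  }

  // Called on form submit. The challenge is consumed on every attempt,
  // so a response can never be checked twice against the same challenge.
  verify(session, username, submitted) {
    const entry = this.pending.get(session);
    this.pending.delete(session);
    const password = this.lookupPassword(username);
    if (!entry || password === undefined) return false;
    // A field that is not 32 hex digits was never hashed by the form.
    if (typeof submitted !== "string" || !/^[0-9a-f]{32}$/i.test(submitted)) {
      return false;
    }
    const expected = chapResponse(entry.chapId, password, entry.challenge);
    return nodeCrypto.timingSafeEqual(
      Buffer.from(expected, "hex"),
      Buffer.from(submitted, "hex")
    );
  }
}

// Constructed demo data: account "ex" with password "ex".
function demo() {
  const users = new Map([["ex", "ex"]]);
  const server = new ChapVerifier((name) => users.get(name));

  const first = server.issue();
  const hashed = chapResponse(first.chapId, "ex", first.challenge);
  const good = server.verify(first.session, "ex", hashed);
  const replay = server.verify(first.session, "ex", hashed);

  // Form without the hashing step: the typed password is sent as-is.
  const second = server.issue();
  const plaintext = server.verify(second.session, "ex", "ex");

  // Old response presented against a fresh challenge.
  const third = server.issue();
  const stale = server.verify(third.session, "ex", hashed);

  return { good, replay, plaintext, stale };
}

console.log(demo());
```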
(you should correct the link to point to your server)
• To erase the cookie on logoff, in the page containing link to the logout (for example, in status.html) change:
open('$(link-logout)', 'hotspot_logout', ...
to this:
open('$(link-logout)?erase-cookie=on', 'hotspot_logout', ...
• Hotspot will ask RADIUS server whether to allow the login or not. If allowed, alogin.html page will be displayed (it can be modified to do anything!). If not allowed, flogin.html (or login.html) page will be displayed, which will redirect client back to the external authentication server.
• Note: as shown in these examples, HTTPS protocol and POST method can be used to secure communications.
RADIUS client non-fatal errors:
• invalid username or password - RADIUS server has rejected the username and password sent to it without specifying a reason. Cause: either wrong username and/or password, or other error. Solution: should be clarified in RADIUS server's log files - this may be any message (any text string) sent back by RADIUS server.
If all fields have been filled in the ip-binding table and type has been set to bypassed, then the IP address of this entry will be accessible from public interfaces immediately:
[admin@AT-WR4562] ip hotspot ip-binding> print
Flags: X - disabled, P - bypassed, B - blocked
# MAC-ADDRESS ADDRESS TO-ADDRESS SERVER
0 P 10.11.12.3
1 P 00:01:02:03:04:05 10.11.12.3 10.11.12.
advertise-url (multiple choice: text; default: http://www.alliedtelesis.com/) - list of URLs to show as advertisement popups. The list is cyclic, so when the last item is reached, next time the first is shown
idle-timeout (time | none; default: none) - idle timeout (maximal period of inactivity) for authorized clients. It is used to detect that client is not using outer networks (e.g. Internet), i.e.
10.4.3 HotSpot Users
Submenu level: /ip hotspot user
Property Description
address (IP address; default: 0.0.0.0) - static IP address. If not 0.0.0.0, client will always get the same IP address. A configured address implies that only one simultaneous login for that user is allowed.
Example
To add user ex with password ex that is allowed to log in only with 01:23:45:67:89:AB MAC address and is limited to 1 hour of work:
[admin@AT-WR4562] ip hotspot user> add name=ex password=ex \
\...
Example
To get the list of active users:
[admin@AT-WR4562] ip hotspot active> print
Flags: R - radius, B - blocked
# USER ADDRESS UPTIME
0 ex 10.0.0.
11 High Availability protocols and techniques
11.1 VRRP
Document revision: 1.5 (Mon Jul 10 16:51:20 GMT 2006)
Applies to: V2.9
11.1.1 General Information
Summary
Virtual Router Redundancy Protocol (VRRP) implementation in the RouterOS is RFC2338 compliant. VRRP protocol is used to ensure constant access to some resources.
other configuration) active. A backup instance is not 'running', so all the settings attached to that interface are inactive.
11.1.
This example shows how to configure VRRP on the two routers shown on the diagram. The routers must have initial configuration: interfaces are enabled, each interface has an appropriate IP address, and the routing table is set correctly (it should have at least a default route). SRC-NAT or masquerading should also be configured beforehand. See the respective manual chapters on how to make this configuration.
Example
To make the system generate a support output file and send it automatically to support@example.com through the 192.0.2.1 smtp server in case of a software crash:
[admin@AT-WR4562] system watchdog> set auto-send-supout=yes \
\... send-to-email=support@example.com send-smtp-server=192.0.2.
12 Monitoring and Management
12.1 Log Management
Document revision: 2.3 (Mon Jul 19 07:23:35 GMT 2004)
Applies to: V2.9
12.1.1 General Information
Summary
Various system events and status information can be logged. Logs can be saved in the local router's file, displayed in console, sent to an email or to a remote server running a syslog daemon.
12.1.
Specifications
Packages required: system, ppp (optional)
License required: Level1
Submenu level: /snmp
Standards and Technologies: SNMP (RFC 1157)
Hardware usage: Not significant
Related Topics
• Software Package Management
• IP Addresses and ARP
Additional Resources
• http://www.ietf.org/rfc/rfc1157.txt
• http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
• http://www.david-guerrero.
Some screenshots from NTop program, which has gathered Traffic-Flow information from our router and displays it in nice graphs and statistics.
12.4 Graphing
Document revision: 1.1 (Wed Mar 15 09:46:17 GMT 2006)
Applies to: V2.9
12.4.1 General Information
Summary
Graphing is a tool which is used for monitoring various RouterOS parameters over a period of time.
12.4.3 Health Graphing
Submenu level: /tool graphing health
Description
This submenu provides information about RouterBoard's 'health' - voltage and temperature. For this option, you have to install the routerboard package.
Property Description
allow-address (IP address/netmask; default: 0.0.0.
Example
Add a simple queue to Grapher list with simple-queue name queue1, allow limited clients to access Grapher from web, store information about traffic on disk:
[admin@AT-WR4562] tool graphing queue> add simple-queue=queue1 allow-address=yes \
\... store-on-disk=yes
12.4.