Wandy RouterOS v2.8 Reference Manual - Written by Mikrotik

Table Of Contents

Basic Setup Guide
  General Information
  Setting up Wandy RouterOS
  Logging into the Wandy Router

Wireless
  Aironet Arlan
  RadioL
  Synchr
  Async
  ISDN

IPIP Tunnel Interfaces
  General Information
  IPIP Setu
  IPIP Configuration
Ethernet Interfaces
  General Information

PPTP Interface
  General Information
  PPTP Client Setup
  Monitoring PPTP Client

Bridge
  General Information
  Bridge Interface Setup
  Port S

  Address Resolution Protocol
  Proxy-ARP feature
  Unnumbered Interfaces
IP Security

IP Pools
  General Information
  Setup
Peer-to-Peer Traffic Control
  General Information
  Traffic Marking

  List of Services
HotSpot Gateway
  General Information
  Question&Answer-Based Setup

  Voice Port for Voice over IP (voip)
  Number
  Regional Settings
  Audio CODECs
  AAA
  Gateke
  Tro
  A simple example

  Router Users
  Monitoring Active Router Users
  Router User Remote AAA
  Local Point-to-Point AAA

SNMP Service
  General Information
  SNMP Setup
  SNMP Communities

  General Information
  The Traceroute Command
ICMP Bandwidth Test
  General Information
  ICMP Bandwidth Test

  General Information
  Serial Console Configuration
  Setting Serial Console
  Using Serial Terminal

  BIOS upgrading
  BIOS Configuration
  System Health Monitoring
  LED Management
Description Notes Logging into the Wandy Router Description Adding Software Packages Description Navigating The Terminal Console Description Notes Basic Configuration Tasks Description Notes Basic Examples Example Viewing Routes Adding Default Routes Testing the Network Connectivity Advanced Configuration Tasks Description Application Example with Masquerading Example with Bandwidth Management Example with NAT
General Information
Summary
Wandy RouterOS is an independent Linux-based Operating System for IA-32
standard network PC interfaces to expand the router capabilities. Remote control with easy real-time Windows application (WinBox) • Advanced Quality of Service control with burst support • Stateful firewall with P2P protocol filtering, tunnels and IPsec • STP bridging with filtering capabilities • Super high speed 802.11a/b/g wireless with WEP • WDS and Virtual AP features • HotSpot for Plug-and-Play access • RIP, OSPF, BGP routing protocols • Gigabit Ethernet ready • V.35, X.
• For the CD, write the ISO image onto a blank CD. • For the floppies, run the Disk Maker on your Windows workstation to create the installation floppies. Follow the instructions and insert the floppies in your FDD as requested, label them as Disk 1,2,3, etc. 3. Install the Wandy RouterOS software.
www.Wandy.com, just press the 'New' button on the upper right-hand corner of the Wandy's web to create your account
• Choose the appropriate license level that meets your needs. Please see the License Manual or the Software price list. Note that there is a free license with restricted features (no time limitation)
• There are different methods how to get a license from the account server:
1. Enter the software ID in the account server, and get the license key by e-mail.
Adding Software Packages Description The basic installation comes only with the system package. This includes basic IP routing and router administration. To have additional features such as IP Telephony, OSPF, wireless and so on, you will need to download additional software packages. The additional software packages should have the same version as the system package. If not, the package won't be installed.
radius          Radius client settings
redo            Redo previously undone action
setup           Do basic setup of system
snmp            SNMP settings
special-login   Special login users
undo            Undo previous action
user            User management
ip              IP options
queue           Bandwidth management
system          System information and utilities
tool            Diagnostics tools
export          Print or save an export script that can be used to restore configuration
[admin@Wandy] >
[admin@Wandy] ip>
accounting      Traffic accounting
address         Address management
arp             ARP entries management
dns             DNS setting
Command                  Action
command [Enter]          Executes the command
[?]                      Shows the list of all available commands
command [?]              Displays help on the command and the list of arguments
command argument [?]     Displays help on the command's argument
[Tab]                    Completes the command/word. If the input is ambiguous, a second [Tab] gives possible options
/                        Moves up to the base level
/command                 Executes the base level command
..
enable name command to enable the interface with a given name or number, for example:
[admin@Wandy] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME     TYPE    RX-RATE  TX-RATE  MTU
  0 X  ether1   ether   0        0        1500
  1 X  ether2   ether   0        0        1500
[admin@Wandy] interface> enable 0
[admin@Wandy] interface> enable ether2
[admin@Wandy] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME     TYPE    RX-RATE  TX-RATE  MTU
  0 R  ether1   ether   0        0        1500
  1 R  ether2   ether   0        0        1500
[admin@Wandy] interface>
The i
• The local LAN with network address 192.168.0.0 and 24-bit netmask 255.255.255.0. The router's address is 192.168.0.254 in this network
• The ISP's network with address 10.0.0.0 and 24-bit netmask 255.255.255.0. The router's address is 10.0.0.217 in this network
The addresses can be added and viewed using the following commands:
[admin@Wandy] ip address> add address 10.0.0.217/24 interface Public
[admin@Wandy] ip address> add address 192.168.0.
Here, the default route is listed under #0. As we see, the gateway 10.0.0.1 can be reached through the interface 'Public'. If the gateway was specified incorrectly, the value for the argument 'interface' would be unknown. Notes You cannot add two routes to the same destination, i.e., destination-address/netmask! It applies to the default routes as well. Instead, you can enter multiple gateways for one destination.
To set up routing, it is required that you have some knowledge of configuring TCP/IP networks. There is a comprehensive list of IP resources compiled by Uri Raz at http://www.private.org.il/tcpip_rl.html. We strongly recommend that you obtain more knowledge if you have difficulties configuring your network setups.
Advanced Configuration Tasks
Description
Next we discuss the situation of 'hiding' the private LAN 192.168.0.0/24 'behind' the one address 10.0.0.217 given to you by the ISP.
one: The server's address is now 192.168.0.4, and we are running a web server on it that listens on TCP port 80. We want to make it accessible from the Internet at address:port 10.0.0.217:80. This can be done by means of static Network Address Translation (NAT) at the Wandy Router. The public address:port 10.0.0.217:80 will be translated to the local address:port 192.168.0.4:80.
Command Description Safe Mode Description General Information Summary The Terminal Console is used for accessing the Wandy Router's configuration and management features using text terminals, id est remote terminal clients or locally attached monitor and keyboard. The Terminal Console is also used for writing scripts. This manual describes the general console operation principles. Please consult the Scripting Manual on some advanced console commands and on how to write scripts.
[admin@Wandy] >
Instead of typing the ip route path before each command, the path can be typed only once to move into this particular branch of the menu hierarchy. Thus, the example above could also be executed like this:
[admin@Wandy] > ip route
[admin@Wandy] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, r - rip, o - ospf, b - bgp
  #     DST-ADDRESS        G GATEWAY        DISTANCE  INTERFACE
  0 S   0.0.0.0/0          r 192.168.2.1    1         WAN
  1 DC  192.168.124.0/24   r 0.0.0.0        0         LAN
  2 DC  192.168.
numbers, names are not assigned by the console internally, but are one of the items' properties. Thus, they would not change on their own. However, there are all kinds of obscure situations possible when several users are changing router's configuration at the same time. Generally, item names are more "stable" than the numbers, and also more informative, so you should prefer them to numbers when writing console scripts.
If you've typed just the common part, pressing the tab key once has no effect.
  #    NAME     TYPE    MTU
  0 R  ether1   ether   1500
  1 R  ether2   ether   1500
  2 R  ether3   ether   1500
  3 R  ether4   ether   1500
[admin@Wandy] > interface set 0,1,2 mtu=1460
[admin@Wandy] > interface print
Flags: X - disabled, D - dynamic, R - running
  #    NAME     TYPE    MTU
  0 R  ether1   ether   1460
  1 R  ether2   ether   1460
  2 R  ether3   ether   1460
  3 R  ether4   ether   1500
[admin@Wandy] >
General Commands
Description
There are some commands that are common to nearly all menu levels, namely: print, set, remove, add, find, get, export, enable, disable,
added - places a new item before an existing item with specified position. Thus, you do not need to use the move command after adding an item to the list - controls disabled/enabled state of the newly added item(-s) - holds the description of a newly created item remove - removes item(-s) from a list - contains number(-s) or name(-s) of item(-s) to remove. move - changes the order of items in list where one is relevant.
If another user tries to enter safe mode, he is given the following message:
[admin@Wandy] >
Hijacking Safe Mode from someone - unroll/release/don't take it [u/r/d]:
• [u] - undoes all safe mode changes, and puts the current session in safe mode.
• [d] - leaves everything as-is.
• [r] - keeps all current safe mode changes, and puts the current session in safe mode.
General Information Summary The Wandy RouterOS is distributed in the form of software packages. The basic functionality of the router and the operating system itself is provided by the system software package. Other packages contain additional software features as well as support to various network interface cards.
descriptive name, version number and extension .npk, exempli gratia system-2.8rc3.npk, routerboard-2.8rc3.npk. You should check the available hard disk space prior to downloading the package file by issuing /system resource print command. If there is not enough free disk space for storing the upgrade packages, it can be freed up by uninstalling some software packages, which provide functionality not required for your needs.
Notes
If a package is marked for uninstallation, but it is required by another (dependent) package, then the marked package cannot be uninstalled. You should uninstall the dependent package too. For the list of package dependencies see the 'Software Package List' section below. The system package will not be uninstalled even if marked for uninstallation.
Description System Software Package The system software package provides the basic functionality of the Wandy RouterOS, namely: • IP address management, ARP, static IP routing, policy routing, firewall (packet filtering, content filtering, masquerading, and static NAT), traffic shaping (queues), IP traffic accounting, Wandy Neighbour Discovery, IP Packet Packing, DNS client settings, IP service (servers) • Ethernet interface support • IP over IP tunnel interface support • Ethernet over IP tunnel interface s
gps        support for GPS devices                                none   none
hotspot    HotSpot gateway                                        none   any additional license
isdn       support for ISDN devices                               ppp    none
lcd        support for informational LCD display                  none   none
ntp        network time protocol support                          none   none
ppp        support for PPP, PPTP, L2TP, PPPoE and ISDN PPP        none   none
radiolan   Provides support for 5.8GHz RadioLAN cards             none   2.
PCI-to-CardBus Bridge to use IRQ 11 as in ThinRouters none none ups APC Smart Mode UPS support none none web-proxy HTTP Web proxy support none none wireless Provides support for Cisco Aironet cards, PrismII and Atheros wireless stations and APs none 2.4GHz/5GHz Wireless Client / 2.4GHz/5GHz Wireless Server (optional) Specifications Sheet Document revision 2.5 (Wed Apr 21 10:49:51 GMT 2004) This document applies to Wandy RouterOS V2.
• Routing - Static routing; Equal cost multi-path routing; Policy based routing (classification by source and destination addresses and/or by firewall mark); RIP v1 / v2, OSPF v2, BGP v4 • Data Rate Management - per IP / protocol / subnet / port / firewall mark; HTB, PCQ, RED, SFQ, byte limited queue, packet limited queue; hierarchical limitation, CIR, MIR, contention ratios, dynamic client rate equalizing (PCQ) • HotSpot - HotSpot Gateway with RADIUS authentication/accounting; data rate limitation; traffic
• ISDN - ISDN dial-in / dial-out; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication protocols; RADIUS authentication and accounting; 128K bundle support; Cisco HDLC, x75i, x75ui, x75bui line protocols; dial on demand • SDSL - Single-line DSL support; line termination and network termination modes Layer 2 connectivity Hardware requirements • CPU and motherboard - advanced 4th generation (core frequency 100MHz or more), 5th generation (Intel Pentium, Cyrix 6X86, AMD K5 or comparable) or newer uniprocessor Inte
card with monitor
• Serial console - First RS232 asynchronous serial port (usually, onboard port marked as COM1), which is by default set to 9600bit/s, 8 data bits, 1 stop bit, no parity
When the router is not configured, there are only two ways to configure it:
• Local terminal console - AT, PS/2 or USB keyboard and VGA-compatible video controller card with monitor
• Serial console - any (you may choose any one; the first, also known as COM1, is used by default) RS232 asynchronous serial port, which is by defau
Synchronous Specifications Description Asynchronous Specifications Description ISDN Specifications Description VoIP Specifications Description xDSL Specifications Description HomePNA Specifications Description LCD Specifications Description PCMCIA Adapters Specifications Description General Information Summary The document lists the drivers, included in Wandy RouterOS and the devices that are tested to work with Wandy RouterOS.
3Com FastEtherLink Chipset type: 3Com 3c590/3c900 (3Com FastEtherLink and FastEtherLink XL) PCI 10/100Base Compatibility: • 3c590 Vortex 10Mbps • 3c592 chip • 3c595 Vortex 100baseTX • 3c595 Vortex 100baseT4 • 3c595 Vortex 100base-MII • 3c597 chip • 3Com Vortex • 3c900 Boomerang 10baseT • 3c900 Boomerang 10Mbps Combo • 3c900 Cyclone 10Mbps Combo • 3c900B-FL Cyclone 10base-FL • 3c905 Boomerang 100baseTX • 3c905 Boomerang 100baseT4 • 3c905B Cyclone 100baseTX • 3c905B Cyclone 10/100/BNC • 3c905B-FX Cyclone 100b
Chipset type: AMD PCnet32 PCI 10BaseT and 10/100BaseT Compatibility: • AMD PCnet-PCI • AMD PCnet-32 • AMD PCnet-Fast Broadcom Tigon3 Chipset type: Broadcom Tigon3 PCI 10/100/1000BaseT Compatibility: • Broadcom Tigon3 570x • Broadcom Tigon3 5782 • Broadcom Tigon3 5788 • Broadcom Tigon3 5901 • Broadcom Tigon3 5901-2 • SysKonnect SK-9Dxx Gigabit Ethernet • SysKonnect SK-9Mxx Gigabit Ethernet • Altima AC100x • Altima AC9100 Davicom DM9102 Chipset type: Davicom DM9102 PCI 10/100Base Compatibility: • Davicom DM
• Intel 21145 Tulip • IMC QuikNic FX • Conexant LANfinity Intel EtherExpressPro Chipset type: Intel i82557 "Speedo3" (Intel EtherExpressPro) PCI 10/100Base Compatibility: • Intel i82557/i82558/i82559ER/i82801BA-7 EtherExpressPro PCI cards Intel PRO/1000 Chipset type: Intel i8254x (Intel PRO/1000) PCI 10/100/1000Base Compatibility: • Intel PRO/1000 Gigabit Server Adapter (i82542, Board IDs: 700262-xxx, 717037-xxx) • Intel PRO/1000 F Server Adapter (i82543, Board IDs: 738640-xxx, A38888-xxx) • Intel PRO/100
• N-Way PCI-Bus Giga-Card 1000/100/10Mbps(L) • SK-9521 10/100/1000Base-T Adapter • SK-98xx Gigabit Ethernet Server Adapter • SMC EZ Card 1000 • Marvell Yukon 88E8010 based • Marvell Yukon 88E8003 based • Marvell Yukon 88E8001 based National Semiconductor DP83810 Chipset type: National Semiconductor DP83810 PCI 10/100BaseT Compatibility: • RouterBoard 200 built-in Ethernet • RouterBoard 24 4-port Ethernet • NS DP8381x-based cards National Semiconductor DP83820 Chipset type: National Semiconductor DP83820 P
• NS8390-based PCMCIA cards RealTek RTL8129 Chipset type: RealTek RTL8129 PCI 10/100Base Compatibility: • RealTek RTL8129 Fast Ethernet • RealTek RTL8139 Fast Ethernet • RTL8139A/B/C chip • RTL8130 chip • SMC1211TX EZCard 10/100 (RealTek RTL8139) • Accton MPX5030 (RealTek RTL8139) • D-Link DFE 538TX RealTek RTL8169 Chipset type: RealTek RTL8169 PCI 10/100/1000Base Compatibility: • RealTek RTL8169 Gigabit Ethernet Sundance ST201 "Alta" Chipset type: Sundance ST201 "Alta" PCI 10/100Base Compatibility: • D-
• VIA VT6121 • VIA VT6122 VIA vt86c100 "Rhine" Chipset type: VIA vt86c100 "Rhine" PCI 10/100Base Compatibility: • VIA Rhine (vt3043) • VIA Rhine II (vt3065 AKA vt86c100) • VIA VT86C100A Rhine • VIA VT6102 Rhine-II • VIA VT6105 Rhine-III • VIA VT6105M Rhine-III • RouterBOARD 44 4-port Fast Ethernet card • D-Link DFE 530TX Winbond w89c840 Chipset type: Winbond w89c840 PCI 10/100Base Compatibility: • Winbond W89c840 • Compex RL100-ATX Notes For ISA cards load the driver by specifying the I/O base address.
chips), IEEE802.11b/g (AR5212 MAC plus AR2111 PHY chips), IEEE802.11a/b/g (AR5212 MAC plus AR5111 and 2111 PHY chips) cards Cisco/Aironet Chipset type: Cisco/Aironet ISA/PCI/PC 11Mbit/s IEEE802.11b Compatibility: • Aironet ISA/PCI/PC4800 2.4GHz DS 11Mbps Wireless LAN Adapters (100mW) • Aironet ISA/PCI/PC4500 2.4GHz DS 2Mbps Wireless LAN Adapters (100mW) • CISCO AIR-PCI340 2.4GHz DS 11Mbps Wireless LAN Adapters (30mW) • CISCO AIR-PCI/PC350/352 2.
• WaveLAN Bronze/Gold/Silver ISA/PCMCIA
Aironet Arlan
Packages required: arlan
Description
This is the driver for legacy Aironet Arlan cards, not for newer Cisco/Aironet cards.
Chipset type: Aironet Arlan IC2200 ISA 2Mbit/s IEEE802.11b
Compatibility:
• Aironet Arlan 655
RadioLAN
Packages required: radiolan
Description
This is the driver for legacy RadioLAN cards.
Chipset type: RadioLAN ISA/PC 10Mbit/s 5.
PCI 2/4/8 port up to 4 cards (up to 32 ports) • Cyclades Cyclom-Y and Cyclades-Z Series up to 32 ports per card, up to 4 cards (up to 128 ports) • TCL DataBooster 4 or 8 PCI cards ISDN Packages required: isdn Description PCI ISDN cards: • Eicon.Diehl Diva PCI • Sedlbauer Speed Card PCI • ELSA Quickstep 1000PCI • Traverse Technologie NETjet PCI S0 card • Teles PCI • Dr.
HomePNA Packages required: system Description Linksys HomeLink PhoneLine Network Card (up to 10Mbit/s home network over telephone line) LCD Packages required: lcd Description • Crystalfontz Intelligent Serial LCD Module 632 (16x2 characters) • Powertip Character LCD Module PC2404 (24x4 characters) PCMCIA Adapters Packages required: system Description • Vadem VG-469 PCMCIA-ISA adapter (one or two PCMCIA ports) • RICOH PCMCIA-PCI Bridge with R5C475 II or RC476 II chip (one or two PCMCIA ports) • CISCO/Ai
Notes Example Removing Device Drivers Description Notes on PCMCIA Adapters Description Notes General Information Summary Device drivers represent the software interface part of installed network devices. Some drivers are included in the system software package and some in additional feature packages. For complete list of supported devices and respective device driver names please consult the 'Related Documents' section.
io (integer) - input-output port base address
irq (integer) - interrupt request number
isdn-protocol (euro | german; default: euro) - line protocol setting for ISDN cards
memory (integer; default: 0) - shared memory base address
name (name) - driver name
Notes
Not all combinations of irq and io base addresses might work on your particular system. It is recommended that you first find an acceptable irq setting and then try different i/o base addresses.
    2   APIC
U   3
    4   serial port
U   5
U   6
U   7
U   8
    9   ether1
   10   ether2
   11   [Texas Instruments PCI1250 PC card Cardbus Controller]
   11   [Texas Instruments PCI1250 PC card Cardbus Controller (#2)]
   11   [prism2_cs]
   11   [orinoco_cs]
   12   [usb-ohci]
U  13
   14   IDE 1
[admin@Wandy] system resource>
Suppose we need to load a driver for a NE2000 compatible ISA card. Assume we had considered the information above and have checked the available resources in our system.
only Other PCMCIA-ISA and PCMCIA-PCI adapters might not function properly. Notes The Ricoh adapter might not work properly with some older motherboards. When recognized properly by the BIOS during the boot up of the router, it should be reported under the PCI device listing as "PCI/CardBus bridge". Try using another motherboard, if the adapter or the PCMCIA card are not recognized properly. The maximum number of PCMCIA ports for a single system is equal to 8.
Related Documents • Wireless Client and Wireless Access Point Manual • Bridge Interfaces • ARLAN 655 Wireless Client Card • CISCO/Aironet 2.4GHz 11Mbps Wireless Interface • Cyclades PC300 PCI Adapters • Ethernet Interfaces • EoIP Tunnel Interface • FarSync X.
Flags: X - disabled, D - dynamic, R - running
  #    NAME      TYPE     RX-RATE  TX-RATE  MTU
  0 R  ether1    ether    0        0        1500
  1 R  bridge1   bridge   0        0        1500
  2 R  ether2    ether    0        0        1500
  3 R  wlan1     wlan     0        0        1500
[admin@Wandy] interface>
Traffic Monitoring
Command name: /interface monitor-traffic
Description
The traffic passing through any interface can be monitored.
Notes
One or more interfaces can be monitored at the same time.
Property Description Example Troubleshooting Description Synchronous Link Applications Wandy router to Wandy router Wandy router to Wandy router P2P using X.21 line Wandy router to Cisco router using X.21 line Wandy router to Wandy router using Frame Relay General Information Summary The Wandy RouterOS supports FarSync T-Series X.21 synchronous adapter hardware. These cards provide versatile high performance connectivity to the Internet or to corporate networks over leased lines.
Property Description
hdlc-keepalive (time; default: 10s) - Cisco HDLC keepalive period in seconds
clock-rate (integer; default: 64000) - the speed of the internal clock
clock-source (external | internal; default: external) - clock source
disabled (yes | no; default: yes) - shows whether the interface is disabled
frame-relay-dce (yes | no; default: no) - operate in Data Communications Equipment mode
frame-relay-lmi-type (ansi | ccitt; default: ansi) - Frame Relay Local Management Interface type
line-protocol (ci
Description • The farsync interface does not show up under the interface list Obtain the required license for synchronous feature • The synchronous link does not work Check the cabling and the line between the modems. Read the modem manual Synchronous Link Applications Wandy router to Wandy router Let us consider the following network setup with two Wandy routers connected to a leased line with baseband modems: The interface should be enabled according to the instructions given above.
round-trip min/avg/max = 26/27.6/31 ms [admin@Wandy] ip address> Wandy router to Wandy router P2P using X.21 line Consider the following example: The default value of the property clock-source must be changed to internal for one of the cards. Both cards must have media-type property set to X21.
[admin@hq] interface pvc> add dlci=42 interface=farsync1
[admin@hq] interface pvc> print
Flags: X - disabled, R - running
  #    NAME   MTU    DLCI   INTERFACE
  0 X  pvc1   1500   42     farsync1
[admin@hq] interface pvc>
A similar routine has to be done on the office router as well:
[admin@office] interface pvc> add dlci=42 interface=farsync1
[admin@office] interface pvc> print
Flags: X - disabled, R - running
  #    NAME   MTU    DLCI   INTERFACE
  0 X  pvc1   1500   42     farsync1
[admin@office] interface pvc>
Finally we need to add IP addresses to pvc i
L2TP Interface Document revision 1.1 (Fri Mar 05 08:26:01 GMT 2004) This document applies to Wandy RouterOS V2.
• accessing an Intranet/LAN of a company for remote (mobile) clients (employees) Each L2TP connection is composed of a server and a client. The Wandy RouterOS may function as a server or client or, for various configurations, it may be the server for some connections and client for other connections.
interface l2tp-client
Property Description
name (name; default: l2tp-outN) - interface name for reference
mtu (integer; default: 1460) - Maximum Transmission Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for a 1500-byte Ethernet link, set the MTU to 1460 to avoid fragmentation of packets)
mru (integer; default: 1460) - Maximum Receive Unit.
Example of an established connection
[admin@Wandy] interface l2tp-client> monitor test2
      status: "connected"
      uptime: 4m27s
    encoding: "MPPE128 stateless"
[admin@Wandy] interface l2tp-client>
L2TP Server Setup
interface l2tp-server server
Description
The L2TP server supports unlimited connections from clients.
that in both cases P2P users must be configured properly.
And finally, the server must be enabled:
[admin@HomeOffice] interface l2tp-server server> set enabled=yes
[admin@HomeOffice] interface l2tp-server server> print
            enabled: yes
                mtu: 1460
                mru: 1460
     authentication: mschap2
    default-profile: default
[admin@HomeOffice] interface l2tp-server server>
Add a L2TP client to the RemoteOffice router:
[admin@RemoteOffice] interface l2tp-client> add connect-to=192.168.80.1 user=ex \ \...
(without need of bridging over EoIP tunnels). Please consult the respective manual on how to set up a L2TP client with the software you are using. The router in this example:
• [RemoteOffice] Interface ToInternet 192.168.81.1/24 Interface Office 10.150.1.254/24
The client computer can access the router through the Internet. On the L2TP server a user must be set up for the client:
[admin@RemoteOffice] ppp secret> add name=ex service=l2tp password=lkjrht local-address=10.150.1.254 remote-address=10.150.1.
Troubleshooting
Description
• I use a firewall and I cannot establish a L2TP connection
Make sure UDP connections can pass through in both directions between your sites.
• My Windows L2TP/IPsec VPN Client fails to connect to the L2TP server with "Error 789" or "Error 781"
The error messages 789 and 781 occur when IPsec is not configured properly on both ends. See the respective documentation on how to configure IPsec in the Microsoft L2TP/IPsec VPN Client and in the Wandy RouterOS.
Application Examples Point-to-Multipoint Wireless LAN Point-to-Point Wireless LAN General Information Summary The Wandy RouterOS supports the following CISCO/Aironet 2.4GHz Wireless ISA/PCI/PC Adapter hardware: • Aironet ISA/PCI/PC4800 2.4GHz DS 11Mbps Wireless LAN Adapters (100mW) • Aironet ISA/PCI/PC4500 2.4GHz DS 2Mbps Wireless LAN Adapters (100mW) • CISCO AIR-PCI340 2.4GHz DS 11Mbps Wireless LAN Adapters (30mW) • CISCO AIR-PCI/PC350/352 2.
Description
The CISCO/Aironet 2.4GHz card is an interface for wireless networks operating in the IEEE 802.11b standard. If the wireless interface card is not registered to an AP, the green status LED blinks fast. If the card is registered to an AP, the green status LED blinks slowly. To set the wireless interface for working with an access point (register to the AP), typically you should set the following parameters:
• The service set identifier. It should match the ssid of the AP.
ap2 (MAC address) - forces association to the specified access point
ap3 (MAC address) - forces association to the specified access point
ap4 (MAC address) - forces association to the specified access point
ssid1 (text; default: tsunami) - establishes the adapter's service set identifier. This value must match the SSID of the system in order to operate in infrastructure mode
ssid2 (text; default: "") - service set identifier 2
ssid3 (text; default: "") - service set identifier 3
modulation (cck | default | m
Suppose we want to configure the wireless interface to register on the AP with the ssid 'mt'. We need to change the value of the ssid property to the corresponding value. To view the results, we can use the monitor feature.
3. Choosing the frequency; in our case we use 2442MHz.
4. (For CISCO/Aironet Bridges only) Set Configuration/Radio/Extended/Bridge/mode=access_point. If you leave it at 'bridge_only', it won't register clients.
5. Setting the identity parameters Configuration/Ident: Inaddr, Inmask, and Gateway. These are required if you want to access the AP remotely using telnet or http.
The IP addresses assigned to the wireless interface should be from the network 10.1.1.0/24:
[admin@Wandy] ip address> add address 10.1.1.
access-point-name: ""
signal-quality: 35
signal-strength: -62
error-number: 0
[admin@Wandy] interface pc>
The other router of the point-to-point link requires the operation mode set to ad-hoc, the Service Set Identifier set to 'mt', and the channel frequency set to 2412MHz.
IPIP Tunnel Interfaces
Document revision 1.1 (Fri Mar 05 08:25:43 GMT 2004)
This document applies to Wandy RouterOS V2.8
Table of Contents
General Information: Summary, Specifications, Related Documents, Additional Documents
IPIP Setup: Description, Property Description, Notes
IPIP Configuration: Application Example
General Information
Summary
The IPIP tunneling implementation on the Wandy RouterOS is RFC 2003 compliant.
Related Documents
• Package Management
• Device Driver List
• IP Addresses and ARP
• Log Management
Additional Documents
• http://www.ietf.org/rfc/rfc1853.txt?number=1853
• http://www.ietf.org/rfc/rfc2003.txt?number=2003
• http://www.ietf.org/rfc/rfc1241.txt?number=1241
IPIP Setup
interface ipip
Description
An IPIP interface should be configured on two routers that have the possibility for an IP level connection and are RFC 2003 compliant. The IPIP tunnel may run over any connection that transports IP.
IPIP Configuration
Application Example
Suppose we want to add an IPIP tunnel between routers R1 and R2. At first, we need to configure IPIP interfaces and then add IP addresses to them. The configuration for router R1 is as follows:
[admin@Wandy] interface ipip> add local-address: 10.0.0.1 remote-address: 22.63.11.6
[admin@Wandy] interface ipip> print
Flags: X - disabled, R - running
# NAME MTU LOCAL-ADDRESS REMOTE-ADDRESS
0 X ipip1 1480 10.0.0.1 22.63.11.
Additional Documents
Ethernet Interface Configuration: Property Description, Notes, Example
Monitoring the Interface Status: Property Description, Notes, Example
Troubleshooting: Description
General Information
Summary
Wandy RouterOS supports various types of Ethernet Interfaces. The complete list of supported Ethernet NICs can be found in the Device Driver List.
Specifications
Packages required: system
License required: level1
interface ethernet
Standards and Technologies: IEEE 802.
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol
mtu (integer; default: 1500) - Maximum Transmission Unit
disable-running-check (yes | no; default: yes) - disable running check.
• unknown - the connection is not recognized
rate (10 Mbps | 100 Mbps | 1000 Mbps) - the actual data rate of the connection
auto-negotiation (done | incomplete) - fast link pulses (FLP) to the adjacent link station to negotiate the SPEED and MODE of the link
• done - negotiation done
• incomplete - negotiation failed
full-duplex (yes | no) - whether transmission of data occurs in two directions simultaneously
Notes
See the IP Addresses and ARP section of the manual for information on how to add IP addresses t
Synchronous Interface Configuration: Description, Property Description, Notes, Example
Troubleshooting: Description
Synchronous Link Application Examples: Wandy Router to Wandy Router, Wandy Router to Cisco Router
General Information
Summary
The Wandy RouterOS supports the MOXA C502 PCI Dual-port Synchronous 8Mb/s Adapter hardware. The V.35 synchronous interface is the standard for VSAT and other satellite modems. However, you must check with the satellite system supplier for the modem interface type.
Synchronous Interface Configuration
interface moxa-c502
Description
The Moxa c502 synchronous interface is shown under the interfaces list with the name moxa-c502-N
Property Description
name (name; default: moxa-c502-N) - interface name
cisco-hdlc-keepalive-interval (time; default: 10s) - keepalive period in seconds
clock-rate (integer; default: 64000) - speed of internal clock
clock-source (external | internal | tx-from-rx | tx-internal; default: external) - clock source
frame-relay-dce (yes | no; default: n
dtr: yes
rts: yes
cts: yes
dsr: yes
dcd: yes
[admin@Wandy] interface moxa-c502>
Troubleshooting
Description
• The synchronous interface does not show up under the interfaces list
Obtain the required license for the synchronous feature
• The synchronous link does not work
Check the V.35 cabling and the line between the modems.
[admin@Wandy] ip address> add address 1.1.1.2/32 interface moxa \
\... network 1.1.1.1 broadcast 255.255.255.255
[admin@Wandy] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.1.1.12/24 10.1.1.12 10.1.1.255 Public
1 1.1.1.2/32 1.1.1.1 255.255.255.255 moxa
[admin@Wandy] ip address> /ping 1.1.1.1
1.1.1.1 64 byte pong: ttl=255 time=31 ms
1.1.1.1 64 byte pong: ttl=255 time=26 ms
1.1.1.
ip address 1.1.1.2 255.255.255.252
serial restart-delay 1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
...
end
CISCO#
Send ping packets to the Wandy router:
CISCO#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.
Summary
VLAN is an implementation of the 802.1Q VLAN protocol for Wandy RouterOS 2.7. It allows you to have multiple Virtual LANs on a single Ethernet cable, giving the ability to segregate LANs efficiently. It supports up to 250 vlan interfaces per Ethernet device. Many routers, including Cisco and Linux based ones, and many Layer 2 switches also support it.
Additional Documents
• http://www.csd.uwo.ca/courses/CS457a/reports/handin/jpbojtos/A2/trunking.htm
• http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t3/dtbridge.htm#xtocid114533
• http://www.cisco.com/warp/public/473/27.html#tagging
• http://www.cisco.com/warp/public/538/7.html
• http://www.nwfusion.com/news/tech/2001/0305tech.html
• http://www.intel.com/network/connectivity/resources/doc_library/tech_brief/virtual_lans.
0 R test 1500 enabled 1 ether1
[admin@Wandy] interface vlan>
Application Example
VLAN example on Wandy Routers
Let us assume that we have two or more Wandy RouterOS routers connected with a hub. The interface to the physical network where the VLAN is to be created is ether1 for all of them (this only simplifies the example; it is NOT a must). To connect computers through the VLAN they must be connected physically, and unique IP addresses should be assigned to them so that they can ping each other.
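The 802.1Q tag that the vlan interface above adds to and strips from frames on ether1 is a 4-byte field after the source MAC. The following is an added example (not RouterOS code and not from this manual) that builds and parses such tagged frames and shows how a receiving port decides which VLAN a frame belongs to. The MAC addresses and payloads are constructed for the sample; the native-VLAN behaviour for untagged and priority-tagged (VID 0) frames is the general 802.1Q rule, not something the text above describes.

```python
"""802.1Q tag handling on an Ethernet frame (added example, not RouterOS code).

A tagged frame carries a 4-byte tag after the source MAC:
  TPID (0x8100) | TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)
followed by the original EtherType. VID 0 means "priority tagged, no VLAN"
and VID 4095 is reserved, so usable VLAN ids are 1..4094.
"""
import struct

TPID_8021Q = 0x8100


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid=None, pcp=0, dei=0) -> bytes:
    """Build an Ethernet frame; when vid is given, insert an 802.1Q tag."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 1 <= vid <= 4094:
        raise ValueError(f"VID {vid} is not a usable VLAN id (1..4094)")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into addresses, optional VLAN tag, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]), "vlan": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan"] = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def vlan_for_frame(frame: bytes, native_vid: int) -> int:
    """VLAN a receiving port assigns: the tagged VID, or the port's native VLAN
    for untagged and priority-tagged (VID 0) frames."""
    tag = parse_frame(frame)["vlan"]
    if tag is None or tag["vid"] == 0:
        return native_vid
    return tag["vid"]


# Constructed sample: locally administered MACs and a placeholder IPv4 / ARP payload
HOST_A = bytes.fromhex("020000000001")
HOST_B = bytes.fromhex("020000000002")
SAMPLE_TAGGED = build_frame(HOST_B, HOST_A, 0x0800, b"\x45" + b"\x00" * 19, vid=100, pcp=3)
SAMPLE_UNTAGGED = build_frame(HOST_B, HOST_A, 0x0806, b"\x00" * 28)

if __name__ == "__main__":
    for f in (SAMPLE_TAGGED, SAMPLE_UNTAGGED):
        print(parse_frame(f)["vlan"], "-> VLAN", vlan_for_frame(f, native_vid=1))
```

The 4-byte tag is why a VLAN interface's usable MTU is four bytes less than its parent's unless the parent link accepts oversized frames; parse_frame refuses frames that carry a TPID but are cut short before the tag ends, rather than misreading the TCI as the EtherType.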
[admin@Wandy] ip address>

RadioLAN 5.8GHz Wireless Interface
Document revision 1.1 (Fri Mar 05 08:17:04 GMT 2004)
This document applies to Wandy RouterOS V2.
Related Documents
• Package Management
• Device Driver List
• IP Addresses and ARP
• Log Management
Description
Installing the Wireless Adapter
These installation instructions apply to non-Plug-and-Play ISA cards. If you have a Plug-and-Play compliant system AND the PnP OS Installed option in the system BIOS is set to Yes AND you have a Plug-and-Play compliant ISA or PCI card (using a PCMCIA or CardBus card with a Plug-and-Play compliant adapter), the driver should be loaded automatically.
rx-diversity (enabled | disabled; default: disabled) - receive diversity
tx-diversity (enabled | disabled; default: disabled) - transmit diversity
default-destination (ap | as-specified | first-ap | first-client | no-destination; default: first-client) - default destination.
successfully-sent: 1 max-retries: 0 average-retries: 0 min-retries: 0
sent: 11 successfully-sent: 11 max-retries: 0 average-retries: 0 min-retries: 0
sent: 21 successfully-sent: 21 max-retries: 0 average-retries: 0 min-retries: 0
sent: 31 successfully-sent: 31 max-retries: 0 average-retries: 0 min-retries: 0
sent: 41 successfully-sent: 41 max-retries: 0 average-retries: 0 min-retries: 0
sent: 50 successfully-sent: 50 max-retries: 0 average-retries: 0 min-retries: 0
[admin@Wandy] interface radiolan>
Trouble
[admin@Wandy] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.1.1.12/24 10.1.1.0 10.1.1.255 ether1
1 10.1.0.1/30 10.1.0.0 10.1.0.3 radiolan1
[admin@Wandy] ip address>
The default route should be set to the gateway router 10.1.1.254. A static route should be added for the network 192.168.0.0/24:
[admin@Wandy] ip route> add gateway=10.1.1.
Troubleshooting: Description
General Information
Summary
Frame Relay is a multiplexed interface to a packet switched network and a simplified form of packet switching, similar in principle to X.25, in which synchronous frames of data are routed to different destinations depending on header information. Frame Relay uses the synchronous HDLC frame format.
interface (name) - Frame Relay interface
Notes
A DLCI (Data Link Connection Identifier) is a channel number which is attached to data frames to tell the network how to route the data. Frame Relay is "statistically multiplexed", which means that only one frame can be transmitted at a time but many logical connections can co-exist on a single physical line. The DLCI allows the data to be logically tied to one of the connections, so that once it gets to the network, the network knows where to send it.
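To make the DLCI note concrete, here is an added example (not RouterOS code and not from this manual) that decodes and encodes the two-byte Q.922 address field at the front of every Frame Relay frame and demultiplexes a stream of frames into per-DLCI queues, which is exactly the "statistical multiplexing" described above. The sample frames are constructed; DLCI 42 is taken from the Cisco configuration in this chapter, and the reserved-DLCI ranges and the LMI DLCIs (0 for ANSI/ITU LMI, 1023 for the original LMI) are standard values, not something the manual states.

```python
"""Frame Relay Q.922 address field: encode/decode a DLCI and demultiplex frames
by DLCI (added example, not RouterOS code).

Two-byte address format at the start of every Frame Relay frame:
  byte 1: DLCI bits 9..4 | C/R | EA=0
  byte 2: DLCI bits 3..0 | FECN | BECN | DE | EA=1
"""
from collections import defaultdict


def decode_address(hdr: bytes) -> dict:
    """Parse the 2-byte address; rejects anything that is not the 2-byte form."""
    if len(hdr) < 2:
        raise ValueError("address field needs 2 bytes")
    b1, b2 = hdr[0], hdr[1]
    if (b1 & 1) or not (b2 & 1):
        raise ValueError("EA bits do not describe a 2-byte address")
    return {
        "dlci": ((b1 >> 2) << 4) | (b2 >> 4),
        "cr": (b1 >> 1) & 1,
        "fecn": (b2 >> 3) & 1,   # forward explicit congestion notification
        "becn": (b2 >> 2) & 1,   # backward explicit congestion notification
        "de": (b2 >> 1) & 1,     # discard eligible
    }


def encode_address(dlci: int, cr=0, fecn=0, becn=0, de=0) -> bytes:
    if not 0 <= dlci <= 1023:
        raise ValueError("10-bit DLCI out of range")
    b1 = ((dlci >> 4) << 2) | (cr << 1)
    b2 = ((dlci & 0xF) << 4) | (fecn << 3) | (becn << 2) | (de << 1) | 1
    return bytes([b1, b2])


def dlci_role(dlci: int) -> str:
    """Conventional meaning of a 10-bit DLCI value."""
    if dlci == 0:
        return "lmi (ANSI T1.617 Annex D / ITU Q.933)"
    if dlci == 1023:
        return "lmi (original LMI)"
    if 16 <= dlci <= 1007:
        return "user data"
    return "reserved"


def demultiplex(frames):
    """Group raw frames into per-DLCI queues (payload without the address field).
    Frames with a malformed address are collected separately, not silently dropped."""
    queues, bad = defaultdict(list), []
    for raw in frames:
        try:
            addr = decode_address(raw)
        except ValueError as exc:
            bad.append((raw, str(exc)))
            continue
        queues[addr["dlci"]].append({"fecn": addr["fecn"], "becn": addr["becn"],
                                     "de": addr["de"], "payload": raw[2:]})
    return dict(queues), bad


# Constructed sample: two IP frames on DLCI 42 (RFC 2427 UI control 0x03 + NLPID 0xCC),
# one LMI status-enquiry skeleton on DLCI 0, and one truncated frame.
SAMPLE_FRAMES = [
    encode_address(42) + b"\x03\xcc" + b"IP-1",
    encode_address(0) + b"\x03\x08\x00\x75",
    encode_address(42, de=1) + b"\x03\xcc" + b"IP-2",
    b"\x09",
]

if __name__ == "__main__":
    queues, bad = demultiplex(SAMPLE_FRAMES)
    for dlci, items in sorted(queues.items()):
        print(dlci, dlci_role(dlci), [i["payload"] for i in items])
    print("malformed:", bad)
```

The DE bit on the second DLCI 42 frame marks it as the first candidate for discard under congestion; a monitoring script that counts FECN/BECN/DE per DLCI from this output is a cheap way to see whether a provider link is being throttled before the ping failures in the troubleshooting section appear.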
description connected to Internet
no ip address
encapsulation frame-relay IETF
serial restart-delay 1
frame-relay lmi-type ansi
frame-relay intf-type dce
!
interface Serial0.1 point-to-point
ip address 1.1.1.2 255.255.255.0
no arp frame-relay
frame-relay interface-dlci 42
!
...
end.
Send ping to Wandy router
CISCO#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.
Description
• I cannot ping through the synchronous frame relay interface between a Wandy router and a Cisco router
Frame Relay does not support address resolving and IETF encapsulation should be used. Please check the configuration on the Cisco router.

ISDN (Integrated Services Digital Network) Interface
Document revision 1.1 (Fri Mar 05 08:15:11 GMT 2004)
This document applies to Wandy RouterOS V2.
General Information
Summary
The Wandy router can act as an ISDN client for dialing out, or as an ISDN server for accepting incoming calls. The dial-out connections may be set as dial-on-demand or as permanent connections (simulating a leased line). The remote IP address (provided by the ISP) can be used as the default gateway for the router.
• HFC 2BDS0 based adapters - hfc
• W6692 based adapters - w6692
For example, for the HFC based PCI card, it is enough to use the /driver add name=hfc command to get the driver loaded.
Note! ISDN ISA adapters are not supported!
Property Description
name (name) - name of the driver
isdn-protocol (euro | german; default: euro) - data channel protocol
ISDN Channels
ISDN channels are added to the system automatically when the ISDN card driver is loaded.
ISDN dial-out connection, use the ISDN dial-out configuration menu under the submenu.
bundle-128K (yes | no; default: yes) - use both channels instead of just one
authentication (pap | chap | mschap1 | mschap2; default: mschap2, mschap1, chap, pap) - used authentication
Example
A sample printout of the ISDN server interface is as follows:
[admin@Wandy] interface isdn-server> add msn="142" bundle-128K=no
[admin@Wandy] interface isdn-server> print
Flags: X - disabled, R - running
0 X name="isdn-in1" mtu=1500 mru=1500 msn="142" authentication=mschap2,chap,pap profile=default l2-protocol=x75bui bun
If you would like to remain connected all the time, i.e., as a leased line, then set the idle-timeout to 0s. All that remains is to enable the interface:
[admin@Wandy] /interface set isdn-isp disabled=no
You can monitor the connection status with the following command:
[admin@Wandy] /interface isdn-client monitor isdn-isp
ISDN Dial-in
Dial-in ISDN connections allow remote clients to connect to your router via ISDN.
connection - netwatch, and a script, which runs the netwatch. This is an example of how to make a simple router backup system. In this example we'll use an ISDN connection to back up a standard Ethernet connection. You can, however, use anything you need instead of the ISDN connection - PPP, for example. When the Ethernet fails (router nr.1 cannot ping router nr.2 at 2.2.2.2, see picture), router nr.
PPTP Interface
Document revision 1.1 (Fri Mar 05 08:25:22 GMT 2004)
This document applies to Wandy RouterOS V2.
Summary
PPTP (Point to Point Tunnel Protocol) supports encrypted tunnels over IP. The Wandy RouterOS implementation includes support for PPTP client and server.
General applications of PPTP tunnels:
• For secure router-to-router tunnels over the Internet
• To link (bridge) local Intranets or LANs (when EoIP is also used)
• For mobile or remote clients to remotely access an Intranet/LAN of a company (see PPTP setup for Windows for more information)
Each PPTP connection is composed of a server and a client.
• http://support.microsoft.com/support/kb/articles/q162/8/47.asp
• http://www.ietf.org/rfc/rfc2637.txt?number=2637
• http://www.ietf.org/rfc/rfc3078.txt?number=3078
• http://www.ietf.org/rfc/rfc3079.txt?number=3079
PPTP Client Setup
interface pptp-client
Property Description
name (name; default: pptp-outN) - interface name for reference
mtu (integer; default: 1460) - Maximum Transmission Unit.
status (text) - status of the client
• Dialing - attempting to make a connection
• Verifying password...
PPTP Server Users
interface pptp-server
Description
There are two types of items in the PPTP server configuration - static users and dynamic connections. A dynamic connection can be established if the user database or the default-profile has its local-address and remote-address set correctly. When static users are added, the default profile may be left with its default values and only the P2P user (in /ppp secret) should be configured. Note that in both cases P2P users must be configured properly.
Internet. On the Preforma PPTP server a user must be set up for the client:
[admin@HomeOffice] ppp secret> add name=ex service=pptp password=lkjrht local-address=10.0.103.1 remote-address=10.0.103.2
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default local-address=10.0.103.1 remote-address=10.0.103.
Test the connection through the PPTP tunnel to the LocalHomeOffice interface:
[admin@RemoteOffice]> /ping 10.150.2.254
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms
To bridge a LAN over this secure tunnel, please see the example in the 'EoIP' section of the manual.
PPTP Setup for Windows
Microsoft provides PPTP client support for Windows NT, 2000, ME, 98SE, and 98. Windows 98SE, 2000, and ME include support in the Windows setup or automatically install PPTP. For 95, NT, and 98, installation requires a download from Microsoft. Many ISPs have made help pages to assist clients with Windows PPTP installation.
• http://www.real-time.com/Customer_Support/PPTP_Config/pptp_config.html
• http://www.microsoft.
Table of Contents
General Information: Summary, Quick Setup Guide, Specifications, Related Documents, Description
Wireless Interface Configuration: Description, Property Description, Notes, Example
Registration Table: Description, Property Description, Example
Access List: Description, Property Description, Notes, Example
Info: Description, Property Description, Notes, Example
Virtual Access Point Interface: Description, Property Description
WDS Interface Configuration: Description, Property Description, Notes, Exa
Example
Network Scan: Description, Property Description, Example
Wireless Security: Description, Property Description, Notes
Wireless Application Examples: AP to Client Configuration Example, WDS Configuration Example, Wireless Security Example
Troubleshooting: Description
General Information
Summary
The wireless interface operates using the IEEE 802.11 set of standards. It uses radio waves as a physical signal carrier and is capable of wireless data transmission with speeds up to 108 Mbps (in 5GHz turbo-mode).
• To make the wireless interface a wireless station, working in the 802.11a standard with Service Set Identifier p2p:
/interface wireless set wlan1 ssid="p2p" band=5GHz mode=station disabled=no
Specifications
Packages required: wireless
License required: level4 (station and bridge mode), level5 (station, bridge and AP mode)
interface wireless
Standards and Technologies: IEEE802.11a, IEEE802.11b, IEEE802.
Wandy RouterBoard and systems based on Intel i815 and i845 chipsets are tested and work stably with Atheros cards. There may be many other chipsets that work stably, but it has been reported that some older chipsets, and some systems based on the AMD Duron CPU, are not stable.
Wireless Interface Configuration
interface wireless
Description
In this section we will discuss the most important part of the configuration.
• 5GHz-turbo - IEEE 802.11a up to 108Mbit
scan-list (multiple choice: integer | default-ism; default: default-ism) - the list of channels to scan
• default-ism - for 2.4GHz mode: 2412, 2417, 2422, 2427, 2432, 2437, 2442, 2447, 2452, 2457, 2462, 2467, 2472; for 5GHz mode: 5180, 5200, 5220, 5240, 5260, 5280, 5300, 5320, 5745, 5765, 5785, 5805; for 5GHz-turbo: 5210, 5250, 5290, 5760, 5800
burst-time (time; default: disabled) - time in microseconds which will be used to send data without stopping.
• disabled - WDS interfaces are disabled
• dynamic - WDS interfaces are created 'on the fly'
• static - WDS interfaces are created manually
802.
Registration Table
interface wireless registration-table
Description
In the registration table you can see various information about currently connected clients. It is used only for Access Points.
Description
The access list is used by the Access Point to restrict associations of clients, and by clients to restrict associations to a given list of APs. This list contains the MAC address of the client and the associated action to take when the client attempts to connect. The forwarding of frames sent by the client is also controlled here.
interface-type (read-only: text) - shows the hardware interface type
noise-floor-control (read-only: yes | no) - does this interface support noise-floor-threshold detection
firmware (read-only: text) - current firmware of the interface (used only for Prism chipset based cards)
tx-power-control (read-only: yes | no) - provides information whether this device supports transmission power control
ack-timeout-control (read-only: yes | no) - provides information whether this device supports transmission acceptanc
5355, 5360, 5365, 5370, 5375, 5380, 5385, 5390, 5395, 5400, 5405, 5410, 5415, 5420, 5425, 5430, 5435, 5440, 5445, 5450, 5455, 5460, 5465, 5470, 5475, 5480, 5485, 5490, 5495, 5500, 5505, 5510, 5515, 5520, 5525, 5530, 5535, 5540, 5545, 5550, 5555, 5560, 5565, 5570, 5575, 5580, 5585, 5590, 5595, 5600, 5605, 5610, 5615, 5620, 5625, 5630, 5635, 5640, 5645, 5650, 5655, 5660, 5665, 5670, 5675, 5680, 5685, 5690, 5695, 5700, 5705, 5710, 5715, 5720, 5725, 5730, 5735, 5740, 5745, 5750, 5755, 5760, 5765, 5770, 5775, 57
5305,5310,5315,5320,5325,5330,5335,5340,5345,5350,5355, 5360,5365,5370,5375,5380,5385,5390,5395,5400,5405,5410, 5415,5420,5425,5430,5435,5440,5445,5450,5455,5460,5465, 5470,5475,5480,5485,5490,5495,5500,5505,5510,5515,5520, 5525,5530,5535,5540,5545,5550,5555,5560,5565,5570,5575, 5580,5585,5590,5595,5600,5605,5610,5615,5620,5625,5630, 5635,5640,5645,5650,5655,5660,5665,5670,5675,5680,5685, 5690,5695,5700,5705,5710,5715,5720,5725,5730,5735,5740, 5745,5750,5755,5760,5765,5770,5775,5780,5785,5790,5795, 5800,580
simultaneously
mtu (integer: 68..1600; default: 1500) - Maximum Transmission Unit
name (name; default: wlanN) - interface name
ssid (text; default: Wandy) - the service set identifier
WDS Interface Configuration
interface wireless wds
Description
WDS (Wireless Distribution System) allows packets to pass from one wireless AP (Access Point) to another, just as if the APs were ports on a wired Ethernet switch. APs must have equal Service Set Identifiers (ssid), must use the same standard (802.11a, 802.
recommended to use WDS and DFS simultaneously - it is most probable that these routers will not connect to each other.
Example
[admin@Wandy] interface wireless wds> add master-interface=wlan1 \
\...
Example
[admin@Wandy] interface wireless align> print
frame-size: 300
active-mode: yes
receive-all: yes
audio-monitor: 00:00:00:00:00:00
filter-mac: 00:00:00:00:00:00
ssid-all: no
frames-per-second: 25
audio-min: 0
audio-max: 64
[admin@Wandy] interface wireless align>
Align Monitor
Command name: /interface wireless align monitor
Description
This command is used to monitor current signal parameters to/from a remote host.
Property Description
(name) - interface name to use for scanning
refresh-interval (time; default: 1s) - time in seconds to refresh the displayed data
address (read-only: MAC address) - MAC address of the AP
ssid (read-only: text) - service set identifier of the AP
band (read-only: text) - in which standard the AP operates
freq (read-only: integer) - the frequency of the AP
bss (read-only: yes | no) - basic service set
privacy (read-only: yes | no) - whether all data is encrypted or not
signal-strength (read
packets
key-2 (text) - hexadecimal key which will be used to encrypt packets with the 40bit-wep or 104bit-wep algorithm (algo-2)
algo-3 (none | 40bit-wep | 104bit-wep; default: none) - which encryption algorithm to use:
• none - do not use encryption and do not accept encrypted packets
• 40bit-wep - use the 40bit encryption (also known as 64bit-wep) and accept only these packets
• 104bit-wep - use the 104bit encryption (also known as 128bit-wep) and accept only these packets
key-3 (text) - hexadecimal key w
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
basic-rates-b=1Mbps
basic-rates-a/g=6Mbps
max-station-count=2007
ack-timeout=dynamic
tx-power=default
noise-floor-threshold=default
burst-time=disabled
fast-frames=no
antenna-mode=ant-a
wds-mode=disabled
wds-default-bridge=none
default-authentication=yes
default-forwarding=yes
hide-ssid=no
802.
Router Neighbour
• ssid = wds-test
• IP Address = 192.168.0.1
• Network Mask = 255.255.255.0
Router Home configuration. At first we should configure the wireless interface for router Home:
[admin@Home] interface wireless> set wlan1 mode=ap-bridge ssid=wds-test \
\...
Flags: X - disabled, R - running, D - dynamic
0 R name="wds1" mtu=1500 mac-address=00:01:24:70:3B:AE arp=enabled disable-running-check=no master-inteface=wlan1 wds-address=00:01:24:70:3A:83
[admin@Neighbour] interface wireless wds>
Add the IP address:
[admin@Neighbour] ip address> add address=192.168.25.1/24 interface=wds1
[admin@Neighbour] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.25.1/24 192.168.25.0 192.168.25.
192.168.1.1 64 byte ping: ttl=64 time=16 ms
192.168.1.1 64 byte ping: ttl=64 time=15 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 15/17.6/22 ms
[admin@Client] interface wireless security>
Troubleshooting
Description
• If I use WDS and DFS, the routers do not connect to each other!
As the WDS routers must operate at the same frequency, it is very probable that DFS will not select the frequency that is used by the peer router.
General Information
Summary
Ethernet over IP (EoIP) Tunneling is a Wandy RouterOS protocol that creates an Ethernet tunnel between two routers on top of an IP connection. The EoIP interface appears as an Ethernet interface. When the bridging function of the router is enabled, all Ethernet traffic (all Ethernet protocols) will be bridged just as if there were a physical Ethernet interface and cable between the two routers (with bridging enabled). This protocol makes multiple network schemes possible.
• The EoIP protocol encapsulates Ethernet frames in GRE (IP protocol number 47) packets (just like PPTP) and sends them to the remote side of the EoIP tunnel.
• The maximal count of EoIP tunnels is 65536.
EoIP Setup
interface eoip
Property Description
name (name; default: eoip-tunnelN) - interface name for reference
mtu (integer; default: 1500) - Maximum Transmission Unit.
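Both tunnel types in this manual, IPIP (RFC 2003, IP protocol 4, from the IPIP chapter above) and EoIP/PPTP (GRE, IP protocol 47), differ only in the outer header that wraps the payload. The following added example (not RouterOS code and not from this manual) builds those outer headers for constructed sample packets and classifies packets by tunnel type, which is the decision a firewall or monitoring rule has to make to allow or count tunnel traffic. The GRE header used here is the basic RFC 2784 form with protocol type 0x6558 (transparent Ethernet bridging); that is an assumption chosen for illustration, not a statement of EoIP's exact wire format. The endpoint addresses are the R1/R2 pair from the IPIP example; the inner addresses and payloads are constructed.

```python
"""Outer-header construction and classification for IPIP (IP protocol 4) and
GRE (IP protocol 47) tunnels. Added example, not RouterOS code; the GRE header is the
basic RFC 2784 form with protocol type 0x6558 (assumption, not EoIP's exact format)."""
import socket
import struct

IPPROTO_IPIP = 4
IPPROTO_GRE = 47
ETH_P_TEB = 0x6558                    # GRE protocol type for bridged Ethernet
OVERHEAD = {"ipip": 20, "gre": 24}    # outer IPv4 header (+ 4-byte basic GRE header)


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement header checksum; returns 0 when a checksummed header verifies."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ipip_encapsulate(src: str, dst: str, inner_packet: bytes) -> bytes:
    """RFC 2003: the inner IP packet follows the outer header directly."""
    return ipv4_header(src, dst, IPPROTO_IPIP, len(inner_packet)) + inner_packet


def gre_encapsulate(src: str, dst: str, frame: bytes) -> bytes:
    """Outer IPv4 + basic GRE header (no checksum/key/sequence) + Ethernet frame."""
    gre = struct.pack("!HH", 0, ETH_P_TEB)
    return ipv4_header(src, dst, IPPROTO_GRE, len(gre) + len(frame)) + gre + frame


def classify(packet: bytes) -> str:
    """Label the tunnel a packet carries; the basis for a firewall or monitoring rule."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or ipv4_checksum(packet[:ihl]) != 0:
        return "bad-header"
    proto = packet[9]
    if proto == IPPROTO_IPIP:
        return "ipip"
    if proto == IPPROTO_GRE:
        if len(packet) < ihl + 4:
            return "gre-truncated"
        _flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
        return f"gre/0x{ptype:04x}"
    return f"ip-proto-{proto}"


def tunnel_mtu(link_mtu: int, kind: str) -> int:
    """Largest inner packet that fits in one outer packet without fragmentation."""
    return link_mtu - OVERHEAD[kind]


# Constructed samples using the R1/R2 endpoints from the IPIP example above
R1, R2 = "10.0.0.1", "22.63.11.6"
INNER_IP = ipv4_header("192.168.0.1", "192.168.1.1", 1, 8) + b"\x08\x00" + b"\x00" * 6
INNER_ETH = bytes.fromhex("020000000002" "020000000001" "0800") + INNER_IP
SAMPLE_IPIP = ipip_encapsulate(R1, R2, INNER_IP)
SAMPLE_GRE = gre_encapsulate(R1, R2, INNER_ETH)

if __name__ == "__main__":
    for name, pkt in (("ipip", SAMPLE_IPIP), ("gre", SAMPLE_GRE)):
        print(name, len(pkt), "bytes ->", classify(pkt), "inner MTU at 1500:", tunnel_mtu(1500, name))
```

The 1480-byte MTU shown in the IPIP interface printout above is exactly link MTU minus the 20-byte outer header that tunnel_mtu computes; the classifier rejects packets with a bad outer checksum or a GRE header cut short instead of guessing a type, because an access rule that fails open on malformed input is worse than one that drops.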
private intranet or the Internet. Both routers can communicate with each other through the IP network.
Example
Our goal is to create a secure channel between the routers and bridge both networks through it. The network setup diagram is as follows:
To make a secure Ethernet bridge between two routers you should:
1. Create a PPTP tunnel between them. Our_GW will be the pptp server:
[admin@Our_GW] interface pptp-server> /ppp secret add name=joe service=pptp \
\... password=top_s3 local-address=10.0.0.
# INTERFACE BRIDGE
0 eoip-remote none
1 office-eth none
2 isp none
[admin@Our_GW] interface bridge> port set "0,1" bridge=bridge1
And the same for the Remote:
[admin@Remote] interface bridge> add forward-protocols=ip,arp,other \
\...
Example
Frame Relay Configuration Examples: Wandy Router to Wandy Router, Wandy Router to Cisco Router
Troubleshooting: Description
General Information
Summary
The Wandy RouterOS supports the Xpeed 300 SDSL PCI Adapter hardware with speeds up to 2.32Mbps. This device can operate either using Frame Relay or PPP type of connection. SDSL (Single-line Digital Subscriber Line or Symmetric Digital Subscriber Line) stands for the type of DSL that uses only one of the two cable pairs for transmission.
• enabled - the interface will use ARP protocol
• proxy-arp - the interface will be an ARP proxy
• reply-only - the interface will only reply to the requests originated to its own IP addresses, but neighbor MAC addresses will be gathered from the statically set /ip arp table only
mode (network-termination | line-termination; default: line-termination) - interface mode, either line termination (LT) or network termination (NT)
sdsl-speed (integer; default: 2320) - SDSL connection speed
sdsl-invert (yes | no; defa
patch cable included with the Xpeed 300 SDSL adapter (such a connection is called Back-to-Back). Let's name the first router r1 and the second r2.
Router r1 setup
The following setup is identical to the one in the first example:
[admin@r1] ip address> add inter=xpeed1 address 1.1.1.1/24
[admin@r1] ip address> pri
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 1.1.1.1/24 1.1.1.0 1.1.1.
description connected to EthernetLAN
ip address 10.0.0.254 255.255.255.0
!
interface Serial0
description connected to Internet
no ip address
encapsulation frame-relay IETF
serial restart-delay 1
frame-relay lmi-type ansi
frame-relay intf-type dce
!
interface Serial0.1 point-to-point
ip address 1.1.1.2 255.255.255.0
no arp frame-relay
frame-relay interface-dlci 42
!
...
end.
Send ping to Wandy router
CISCO#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.
Specifications
Related Documents
Additional Documents
Installation: Example
Wireless Interface Configuration: Description, Property Description, Example
Troubleshooting: Description
General Information
Summary
The Wandy RouterOS supports Arlan 655 Wireless Interface client cards. This card fits in the ISA expansion slot and provides transparent wireless communications to other network nodes.
0 D RealTek 8139
1 Arlan 655 0xD000
[admin@Wandy] driver>
Wireless Interface Configuration
interface arlan
Description
The wireless card status can be obtained from the two LEDs: the Status LED and the Activity LED.
0 R outer ether 1500
1 R arlan1 arlan 1500
More configuration and statistics parameters can be found under the /interface arlan menu:
[admin@Wandy] interface arlan> print
Flags: X - disabled, R - running
0 R name="arlan1" mtu=1500 mac-address=00:40:96:22:90:C8 arp=enabled frequency=2412 bitrate=2000 tma-mode=no card-name="test" sid=0x13816788
[admin@Wandy] interface arlan>
You can monitor the status of the wireless interface:
[admin@Wandy] interface arlan> monitor 0
registered: no
access-point: 00:00:00:0
This document applies to Wandy RouterOS V2.
Summary
MAC level bridging of Ethernet, Ethernet over IP (EoIP), Prism, Atheros and RadioLAN interfaces is supported. 802.11b and 802.11a client wireless interfaces (both ad-hoc and infrastructure or station modes) do not support this because of the limitations of 802.11; it is possible to bridge over them using the Ethernet over IP protocol (please see the documentation on EoIP). To prevent loops in a network, you can use the Spanning Tree Protocol (STP).
data rate between hosts may vary).
Additional Documents
http://users.pandora.be/bart.de.schuymer/ebtables/br_fw_ia/br_fw_ia.html
Bridge Interface Setup
interface bridge
Description
To bridge a number of networks into one bridge, a bridge interface should be created that will group all the bridged interfaces. One MAC address will be assigned to all the bridged interfaces.
Port Settings
interface bridge port
Description
The submenu is used to group interfaces in a particular bridge interface.
Property Description
interface (read-only: name) - interface name
bridge (name; default: none) - the bridge interface the respective interface is grouped in
• none - the interface is not grouped in a bridge
priority (integer: 0..255; default: 128) - interface priority compared to other interfaces, which are destined to the same network
path-cost (integer: 0..
root-port: ether2
path-cost: 180
[admin@Wandy] interface bridge>
Bridge Port Monitoring
Command name: /interface bridge port monitor
Description
Statistics of an interface that belongs to a bridge
Property Description
status (disabled | blocking | listening | learning | forwarding) - the status of the bridge port:
• disabled - the interface is disabled.
[admin@Wandy] interface bridge host> print
Flags: L - local
BRIDGE MAC-ADDRESS ON-INTERFACE AGE
bridge1 00:00:B4:5B:A6:58 ether1 4m48s
bridge1 00:30:4F:18:58:17 ether1 4m50s
L bridge1 00:50:08:00:00:F5 ether1 0s
L bridge1 00:50:08:00:00:F6 ether2 0s
bridge1 00:60:52:0B:B4:81 ether1 4m50s
bridge1 00:C0:DF:07:5E:E6 ether1 4m46s
bridge1 00:E0:C5:6E:23:25 prism1 4m48s
bridge1 00:E0:F7:7F:0A:B8 ether1 1s
[admin@Wandy] interface bridge host>
Bridge Firewall
interface bridge firewall
Description
Traffic between
protocol name/number • all - match all the IP protocols action (accept | drop | passthrough; default: accept) - action to undertake if the packet matches the rule: • accept - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed • drop - silently drop the packet (without sending the ICMP reject message) • passthrough - ignore this rule.
2. Configure the bridge interface 3. Enable the bridge interface 4. Assign an IP address to the bridge interface, if needed Note that there should be no IP addresses on the bridged interfaces. Moreover, an IP address on the bridge interface itself is not required for the bridging to work. When configuring the bridge settings, each protocol that should be forwarded should be added to the forward-protocols list. The other protocol entry covers all protocols not listed before (VLAN, for example).
actual interface will be the bridge interface to which these interfaces belong. You can check this by typing /ip address print detail Hosts on LAN segments #1 and #2 should use IP addresses from the same network, 192.168.0.0/24, and have the default gateway set to 192.168.0.254 (Wandy router). Troubleshooting Description • After I configure the bridge, there is no ping response from hosts on bridged networks. It may take up to 20...30s for the bridge to learn addresses and start responding.
General Information Summary The Wandy RouterOS supports MOXA C101 Synchronous 4Mb/s Adapter hardware. The V.35 synchronous interface is the standard for VSAT and other satellite modems. However, you must check with the satellite system supplier for the modem interface type. Specifications Packages required: synchronous License required: level4 interface moxa-c101 Standards and Technologies: Cisco/HDLC-X.
22 RxCB IN X 23 RxCA IN V short 9 and 25 pin Additional Documents For more information about the MOXA C101 synchronous 4Mb/s adapter hardware please see: • http://www.moxa.com/product/sync/C101.
[admin@Wandy] interface moxa-c101> monitor 0 dtr: yes rts: yes cts: no dsr: no dcd: no [admin@Wandy] interface moxa-c101> Connect a communication device, e.g., a baseband modem, to the V.35 port and turn it on.
[admin@Wandy] ip route> print Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, R - rip, O - ospf, B - bgp # DST-ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0.0.0.0/0 r 1.1.1.2 1 wan 1 DC 10.0.0.0/24 r 10.0.0.254 1 ether2 2 DC 192.168.0.0/24 r 192.168.0.254 0 ether1 3 DC 1.1.1.2/32 r 0.0.0.0 0 wan [admin@Wandy] ip route> The configuration of the Wandy router at the other end is similar: [admin@Wandy] ip address> add address 1.1.1.2/32 interface moxa \ \... network 1.1.1.
Building configuration... Current configuration: ... ! interface Ethernet0 description connected to EthernetLAN ip address 10.1.1.12 255.255.255.0 ! interface Serial0 description connected to Wandy ip address 1.1.1.2 255.255.255.252 serial restart-delay 1 ! ip classless ip route 0.0.0.0 0.0.0.0 10.1.1.254 ! ... end CISCO# Send ping packets to the Wandy router: CISCO#ping 1.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.
Description RSV/V.35 Synchronous Link Applications Example General Information Summary The Wandy RouterOS supports the following Cyclades PC300 Adapter hardware: • RSV/V.35 (RSV models) with 1 or 2 RS-232/V.35 interfaces on standard DB25/M.34 connector, 5Mbps, internal or external clock • T1/E1 (TE models) with 1 or 2 T1/E1/G.703 interfaces on standard RJ48C connector, Full/Fractional, internal or external clock • X.21 (X21 models) with 1 or 2 X.
Connect a communication device, e.g., a baseband modem, to the V.35 port and turn it on. The Wandy driver for the Cyclades Synchronous PCI Adapter allows you to unplug the V.35 cable from one modem and plug it into another modem with a different clock speed, and you do not need to restart the interface or router.
RSV/V.35 Synchronous Link Applications Example Let us consider the following network setup with Wandy Router connected to a leased line with baseband modems and a CISCO router at the other end: The driver for the Cyclades PC300/RSV Synchronous PCI Adapter should load automatically. The interface should be enabled according to the instructions given above. The IP addresses assigned to the cyclades interface should be as follows: [admin@Wandy] ip address> add address=1.1.1.
ip classless ip route 0.0.0.0 0.0.0.0 10.1.1.254 ! ... end CISCO# Send ping packets to the Wandy router: CISCO#ping 1.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/40 ms CISCO# PPPoE Document revision 1.4 (Fri Apr 30 06:43:11 GMT 2004) This document applies to Wandy RouterOS V2.
Troubleshooting Description Application Examples PPPoE in a multipoint wireless 802.11 network General Information Summary The PPPoE (Point to Point Protocol over Ethernet) protocol provides extensive user management, network management and accounting benefits to ISPs and network administrators. Currently PPPoE is used mainly by ISPs to control client connections for xDSL and cable modems as well as plain Ethernet networks. PPPoE is an extension of the standard Point to Point Protocol (PPP).
/interface pppoe-server server add service-name=internet interface=wlan1 \ \... default-profile=pppoe-profile • To configure Wandy RouterOS to be a PPPoE client 1. Just add a pppoe-client: /interface pppoe-client add name=pppoe-user-mike user=mike password=123 interface=wlan1 \ \...
interface (name) - interface the PPPoE server can be connected through mtu (integer; default: 1480) - Maximum Transmission Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 20 (so, for a 1500-byte Ethernet link, set the MTU to 1480 to avoid fragmentation of packets) mru (integer; default: 1480) - Maximum Receive Unit.
• Terminated - interface is not enabled or the other side will not establish a connection uptime (time) - connection time displayed in days, hours, minutes and seconds encoding (text) - encryption and encoding (if asymmetric, separated with '/') being used in this connection uptime (time) - connection time displayed in days, hours, minutes and seconds service-name (text) - name of the service the client is connected to ac-name (text) - name of the AC the client is connected to ac-mac (MAC address) - MAC add
time (i.e. 2 * keepalive-timeout), a client that does not respond is considered disconnected. one-session-per-host (yes | no; default: no) - allow only one session per host (determined by MAC address). If a host tries to establish a new session, the old one is closed default-profile (name; default: default) - default profile to use Notes The default keepalive-timeout value of 10 is OK in most cases. If you set it to 0, the router will not disconnect clients until they log out or the router is restarted.
Troubleshooting Description • The PPPoE server shows more than one active user entry for one client; when clients disconnect, they are still shown as active Set the keepalive-timeout parameter (in the PPPoE server configuration) to 10 if you want clients to be considered logged off when they do not respond for 10 seconds. Note that if the keepalive-timeout parameter is set to 0 and the only-one parameter (in PPP profile settings) is set to yes, then the clients might be able to connect only once.
interface may be set to MTU 1600 so that the PPPoE interface may be set to MTU 1500. This optimizes the transmission of 1500 byte packets and avoids any problems associated with MTUs lower than 1500. It has not been determined how to change the MTU of the Windows wireless interface at this moment.
And finally, we can set up PPPoE clients: [admin@MT_Prism_AP] ip pool> add name=pppoe ranges=10.0.0.230-10.0.0.240 [admin@MT_Prism_AP] ip pool> print # NAME RANGES 0 pppoe 10.0.0.230-10.0.0.240 [admin@MT_Prism_AP] ip pool> /ppp profile [admin@MT_Prism_AP] ppp profile> set default use-encryption=yes \ \... local-address=10.0.0.217 remote-address=pppoe [admin@MT_Prism_AP] ppp profile> print Flags: * - default 0 * name="default" local-address=10.0.0.
Notes Example PPP Server Setup Description Property Description Example PPP Client Setup Description Property Description Notes Example PPP Application Example Client - Server Setup General Information Summary PPP (Point-to-Point Protocol) provides a method for transmitting datagrams over serial point-to-point links. Physically it relies on com1 and com2 ports from standard PC hardware configurations. These appear as serial0 and serial1 automatically.
• Log Management • AAA Additional Documents • http://www.ietf.org/rfc/rfc2138.txt?number=2138 • http://www.ietf.org/rfc/rfc2138.txt?number=2139 Serial Port Configuration port Property Description name (name; default: serialN) - port name used-by (read-only: text) - shows the user of the port.
interface ppp-server Description The PPP server provides a remote connection service for users. When dialing in, the users can be authenticated locally using the local user database in the /user menu, or at the RADIUS server specified in the /ip ppp settings.
profile (name; default: default) - local profile to use for dialout allow (multiple choice: mschap2, mschap1, chap, pap; default: mschap2, mschap1, chap, pap) - the protocols the client is allowed to use for authentication phone (integer; default: "") - phone number for dialout tone-dial (yes | no; default: yes) - defines whether to use tone dialing or pulse dialing mtu (integer; default: 1500) - Maximum Transmission Unit.
[admin@Wandy] ppp secret> /int ppp-server [admin@Wandy] interface ppp-server> add port=serial1 disabled=no [admin@Wandy] interface ppp-server> print Flags: X - disabled, R - running 0 name="ppp-in1" mtu=1500 mru=1500 port=serial1 authentication=mschap2,mschap1,chap,pap profile=default modem-init="" ring-count=1 null-modem=no [admin@Wandy] interface ppp-server> Now we need to setup the client to connect to the server: [admin@Wandy] interface ppp-client> add port=serial1 user=test password=test \ \...
Notes Example Proxy-ARP feature Description Example Unnumbered Interfaces Description Example General Information Summary The following Manual discusses IP address management and the Address Resolution Protocol settings. IP addresses serve as identification when communicating with other network devices using the TCP/IP protocol. In turn, communication between devices in one physical network proceeds with the help of the Address Resolution Protocol (ARP) and the hardware addresses it resolves.
bridging between interfaces is used (starting from RouterOS version 2.8). In case of bridging, the IP address can be assigned to any interface in the bridge, but actually the address will belong to the bridge interface. You can use /ip address print detail to see which interface the address belongs to.
entries. Normally the table is built dynamically, but to increase network security, it can be built statically by adding static entries. Property Description address (IP address) - IP address to be mapped interface (name) - interface name the IP address is assigned to mac-address (MAC address; default: 00:00:00:00:00:00) - MAC address to be mapped to Notes The maximum number of ARP entries is 1024. If the ARP feature is turned off on the interface, i.e.
Example Consider the following configuration: The Wandy Router setup is as follows: [admin@Wandy] ip arp> /interface ethernet print Flags: X - disabled, R - running # NAME MTU MAC-ADDRESS ARP 0 R eth-LAN 1500 00:50:08:00:00:F5 proxy-arp [admin@Wandy] ip arp> /interface print Flags: X - disabled, D - dynamic, R - running # NAME TYPE MTU 0 eth-LAN ether 1500 1 prism1 prism 1500 2 D pppoe-in25 pppoe-in 3 D pppoe-in26 pppoe-in [admin@Wandy] ip arp> /ip address print Flags: X - disabled, I - invalid, D - dynamic
[admin@Wandy] ip address> As you can see, a dynamic connected route has been automatically added to the routes list. If you want the default gateway to be the other router of the p2p link, just add a static route for it (shown as route 0 in the example above). IP Security Document revision 3 (Mon May 10 11:59:20 GMT 2004) This document applies to Wandy RouterOS V2.
Wandy Router to Wandy Router IPsec Between two Masquerading Wandy Routers Wandy router to CISCO Router Wandy Router and Linux FreeS/WAN General Information Specifications Packages required: security License required: level1 ip ipsec Standards and Technologies: IPsec Hardware usage: consumes a lot of CPU time (Intel Pentium MMX or AMD K6 suggested as a minimal configuration) Related Documents • Package Management • IP Addresses and ARP • Firewall Filters Description IPsec (IP Security) supports secure (en
is looked up to decrypt it (using the packet's source, destination, security protocol and SPI value). If no SA is found, the packet is dropped. If an SA is found, the packet is decrypted. Then the decrypted packet's fields are compared to the policy rule that the SA is linked to. If the packet does not match the policy rule, it is dropped. If the packet is decrypted fine (or authenticated fine), it is "received once more": it goes through dst-nat and routing (which finds out what to do, either forward or deliver locally) again.
Group 2 1024 bits RFC2409 Group 5 1536 bits RFC3526 IKE Traffic To avoid the problem of an IKE packet hitting an SPD rule that requires it to be encrypted with an SA that is not yet established (the very SA this packet may be trying to establish), locally originated packets with UDP source port 500 are not processed by the SPD. In the same way, packets with UDP destination port 500 that are to be delivered locally are not subjected to the incoming policy check.
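The inbound and outbound IPsec packet paths described above, as an added model in Python (not RouterOS code): SA lookup by source, destination, protocol and SPI, the policy check of the decrypted packet, the drop of cleartext that a require-level encrypt policy covers, and the UDP/500 IKE bypass on both sides. Addresses, SPIs and policies are constructed for the demonstration; "decryption" is stood in for by the inner packet carried on the ESP packet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "esp", "ah", "udp", "tcp", ...
    sport: int = 0
    dport: int = 0
    spi: Optional[int] = None         # present on ESP/AH packets only
    inner: Optional["Packet"] = None  # cleartext packet protected by ESP/AH


@dataclass(frozen=True)
class Policy:
    src_net: str
    dst_net: str
    action: str                       # encrypt | accept | drop, as in /ip ipsec policy
    level: str = "require"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net))


@dataclass(frozen=True)
class SA:
    src: str
    dst: str
    proto: str
    spi: int
    direction: str                    # "in" or "out"
    policy: Policy                    # the policy rule this SA is linked to


class IpsecNode:
    def __init__(self, local_addr, policies, sas):
        self.local = local_addr
        self.policies = list(policies)   # ordered; first match wins
        self.sas = list(sas)

    def first_policy(self, p):
        return next((pol for pol in self.policies if pol.matches(p)), None)

    def find_sa(self, p):
        # SA lookup uses packet source, destination, security protocol and SPI
        for sa in self.sas:
            if (sa.direction == "in"
                    and (sa.src, sa.dst, sa.proto, sa.spi) == (p.src, p.dst, p.proto, p.spi)):
                return sa
        return None

    def inbound(self, p):
        """Verdict for a packet arriving from the wire: (verdict, packet)."""
        # IKE destined to this router bypasses the incoming policy check
        if p.proto == "udp" and p.dport == 500 and p.dst == self.local:
            return "deliver-ike", p
        if p.proto in ("esp", "ah"):
            sa = self.find_sa(p)
            if sa is None:
                return "drop:no-sa", p
            clear = p.inner                # stands in for decryption/authentication
            if not sa.policy.matches(clear):
                return "drop:policy-mismatch", clear
            # "received once more": the cleartext goes through dst-nat and routing again
            return "reinject", clear
        pol = self.first_policy(p)
        if pol is not None and pol.action == "drop":
            return "drop:policy", p
        if pol is not None and pol.action == "encrypt" and pol.level == "require":
            return "drop:cleartext-where-ipsec-required", p
        return "accept", p

    def outbound(self, p, locally_originated=True):
        """Verdict for a packet leaving the router: (verdict, packet on the wire)."""
        # locally originated IKE (UDP source port 500) is not run through the SPD,
        # otherwise it could be blocked by the very policy it is trying to satisfy
        if locally_originated and p.proto == "udp" and p.sport == 500:
            return "send-clear", p
        pol = self.first_policy(p)
        if pol is None or pol.action == "accept":
            return "send-clear", p
        if pol.action == "drop":
            return "drop:policy", p
        sa = next((s for s in self.sas if s.direction == "out" and s.policy == pol), None)
        if sa is None:                     # counted as out-drop when level=require
            return "drop:no-sa-yet", p
        return "send-esp", Packet(sa.src, sa.dst, sa.proto, spi=sa.spi, inner=p)
```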
manual-sa (name; default: none) - name of the manual-sa template that will be used to create SAs for this policy • none - no manual keys are set dont-fragment (clear | inherit | set; default: clear) - the state of the don't fragment IP header field • clear - clear (unset) the field, so that packets previously marked as don't fragment get fragmented • inherit - do not change the field • set - set the field, so that each packet matching the rule will not be fragmented ph2-state (read-only: expired | no-phase2 |
To add a policy to encrypt all the traffic between two hosts (10.0.0.147 and 10.0.0.148), we need do the following: [admin@WiFi] ip ipsec policy> add sa-src-address=10.0.0.147 \ \... sa-dst-address=10.0.0.148 action=encrypt [admin@WiFi] ip ipsec policy> print Flags: X - disabled, D - dynamic, I - invalid 0 src-address=10.0.0.147/32:any dst-address=10.0.0.148/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=10.0.0.147 sa-dst-address=10.0.0.
proposed lifetime hash-algorithm (multiple choice: md5 | sha; default: md5) - hashing algorithm. SHA (Secure Hash Algorithm) is stronger, but slower enc-algorithm (multiple choice: des | 3des | aes-128 | aes-192 | aes-256; default: 3des) - encryption algorithm.
Property Description local-address (read-only: IP address) - local ISAKMP SA address remote-address (read-only: IP address) - peer's IP address state (read-only: text) - state of phase 1 negotiation with the peer • estabilished - normal working state side (multiple choice, read-only: initiator | responder) - shows which side initiated the connection • initiator - phase 1 negotiation was started by this router • responder - phase 1 negotiation was started by peer estabilished (read-only: text) - shows date a
lifebytes (read-only: integer) - soft/hard expiration threshold for amount of processed data current-addtime (read-only: text) - time when this SA was installed current-usetime (read-only: text) - time when this SA was first used current-bytes (read-only: integer) - amount of data processed by this SA's crypto algorithms Example Sample printout looks as follows: [admin@WiFi] ip ipsec> installed-sa print Flags: A - AH, E - ESP, P - pfs, M - manual 0 E spi=E727605 direction=in src-address=10.0.0.
ip ipsec counters Property Description out-accept (read-only: integer) - shows how many outgoing packets were matched by accept policy (including the default "accept all" case) out-accept-isakmp (read-only: integer) - shows how many locally originated UDP packets on source port 500 (which is how ISAKMP packets look) were let through without policy matching out-drop (read-only: integer) - shows how many outgoing packets were matched by drop policy (or encrypt policy with level=require that does not have all
• transport mode example using ESP with automatic keying and automatic policy generating on Router 1 and static policy on Router 2 • for Router1 [admin@Router1] > ip ipsec peer add address=1.0.0.0/24 \ \... secret="gvejimezyfopmekun" generate-policy=yes • for Router2 [admin@Router2] > ip ipsec policy add sa-src=1.0.0.2 sa-dst=1.0.0.1 \ \... action=encrypt [admin@Router2] > ip ipsec peer add address=1.0.0.1 \ \...
[admin@Wandy] > ip ipsec peer add address=10.0.1.2 \ \... secret="gvejimezyfopmekun" enc-algorithm=des • for CISCO router ! Configure ISAKMP policy (phase1 config, must match configuration ! of "/ip ipsec peer" on RouterOS). Note that DES is default ! encryption algorithm on Cisco. SHA1 is default authentication ! algorithm crypto isakmp policy 9 encryption des group 2 hash md5 exit ! Add preshared key to be used when talking to RouterOS crypto isakmp key gvejimezyfopmekun address 10.0.1.1 255.255.255.
dst-address=10.0.1.1 auth-algorithm=sha1 enc-algorithm=des replay=4 state=mature auth-key="7575f5624914dd312839694db2622a318030bc3b" enc-key="633593f809c9d6af" add-lifetime=24m/30m use-lifetime=0s/0s lifebytes=0/0 current-addtime=jul/12/2002 16:13:21 current-usetime=jul/12/2002 16:13:21 current-bytes=0 [admin@Wandy] ip ipsec installed-sa> • on CISCO router cisco# show interface Serial 0 interface: Serial1 Crypto map tag: mymap, local addr. 10.0.1.2 local ident (addr/mask/prot/port): (10.0.2.0/255.255.255.
conn mt left=192.168.0.108 leftsubnet=192.168.87.0/24 right=192.168.0.155 rightsubnet=10.0.0.0/24 authby=secret pfs=no auto=add • ipsec.secrets config file: 192.168.0.108 192.168.0.155 : PSK "gvejimezyfopmekun" • Wandy Router configuration: [admin@Wandy] > /ip ipsec peer add address=192.168.0.108 \ \... secret="gvejimezyfopmekun" hash-algorithm=md5 enc-algorithm=3des \ \... dh-group=modp1024 lifetime=28800s [admin@Wandy] > /ip ipsec proposal auth-algorithms=md5 \ \...
Notes Example Application Examples Standard Policy-Routing Setup General Information Summary The following manual surveys IP route management, the equal-cost multi-path (ECMP) routing technique, and policy-based routing, which gives the opportunity to select routes in order to restrict the use of network resources to certain classes of customers.
route with multiple gateways (in the form gateway=x.x.x.x,y.y.y.y) The routing protocols may create routes with equal cost automatically, if the cost of the interfaces is adjusted properly. For more information on using the routing protocols, please read the corresponding section of the Manual. Note! In the routing process, the router decides which route it will use to send out the packet. Afterwards, when the packet is masqueraded, its source address is taken from the preferred-source field.
C - connect, S - static, r - rip, o - ospf, b - bgp # DST-ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 192.168.0.0/16 r 10.10.10.2 1 Local 1 S 0.0.0.0/0 r 10.10.10.1 1 Public 2 DC 10.10.10.0/24 r 0.0.0.0 0 Public [admin@Wandy] ip route> print detail Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, r - rip, o - ospf, b - bgp 0 S dst-address=192.168.0.0/16 preferred-source=0.0.0.0 gateway=10.10.10.2 gateway-state=reachable distance=1 interface=Local 1 S dst-address=0.0.0.
Routing Tables Routing tables are a way to organize routing rules into groups for the purpose of easier management. These tables can be created/deleted in the /ip policy-routing menu. The routes in the routing tables are managed the same way as the static routes described above, but in the /ip policy-routing table name submenu, where name is the name of the table.
src-address (IP address/mask) - source IP address/mask dst-address (IP address/mask) - destination IP address/mask interface (name | all; default: all) - interface name through which the packet arrives. Should be 'all' for a rule that should match locally generated or masqueraded packets, since at the moment of processing the routing table these packets have the interface name set to loopback flow (name; default: "") - flow mask of the packet to be matched by this rule.
2. Create the default route in each of the tables: [admin@Wandy] ip policy-routing> table from_net1 add gateway=10.0.0.1 [admin@Wandy] ip policy-routing> table from_net2 add gateway=10.0.0.2 [admin@Wandy] ip policy-routing> table rest add gateway=10.0.0.254 [admin@Wandy] ip policy-routing> table from_net1 print Flags: X - disabled, I - invalid, D - dynamic, R - rejected # TYPE DST-ADDRESS G GATEWAY DISTANCE INTERFACE 0 static 0.0.0.0/0 u 10.0.0.
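Policy routing as the two passages above describe it, in an added Python model (not RouterOS code): rules select a table by source, destination, incoming interface and flow, the table does a longest-prefix match, and an ECMP route carries several gateways. The table names and gateways come from the example; the source networks, the "Local" interface and the 192.168.0.0/16 route are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    dst: str                      # prefix, e.g. "0.0.0.0/0"
    gateways: Tuple[str, ...]     # one gateway, or several for an ECMP route
    distance: int = 1


@dataclass(frozen=True)
class PolicyRule:
    table: str
    src: Optional[str] = None     # src-address/mask
    dst: Optional[str] = None     # dst-address/mask
    interface: str = "all"        # 'all' also matches locally generated packets
    flow: str = ""


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    in_interface: str = "loopback"   # what locally generated/masqueraded packets carry
    flow: str = ""


class PolicyRouter:
    def __init__(self):
        self.rules = []               # ordered; first matching rule picks the table
        self.tables = {"main": []}

    def add_rule(self, rule):
        self.rules.append(rule)

    def add_route(self, table, route):
        self.tables.setdefault(table, []).append(route)

    def select_table(self, p):
        for r in self.rules:
            if r.src and ip_address(p.src) not in ip_network(r.src):
                continue
            if r.dst and ip_address(p.dst) not in ip_network(r.dst):
                continue
            if r.interface != "all" and r.interface != p.in_interface:
                continue
            if r.flow and r.flow != p.flow:
                continue
            return r.table
        return "main"

    def lookup(self, table, dst):
        """Longest prefix wins; among equal prefixes the lower distance wins."""
        best = None
        for rt in self.tables.get(table, []):
            net = ip_network(rt.dst)
            if ip_address(dst) in net:
                key = (net.prefixlen, -rt.distance)
                if best is None or key > best[0]:
                    best = (key, rt)
        return best[1] if best else None

    def route(self, p):
        table = self.select_table(p)
        rt = self.lookup(table, p.dst)
        return table, (rt.gateways if rt else None)


def example_setup():
    """Three rules and tables named as in the example; networks constructed."""
    pr = PolicyRouter()
    pr.add_rule(PolicyRule("from_net1", src="192.168.1.0/24", interface="Local"))
    pr.add_rule(PolicyRule("from_net2", src="192.168.2.0/24"))
    pr.add_rule(PolicyRule("rest"))
    pr.add_route("from_net1", Route("0.0.0.0/0", ("10.0.0.1",)))
    pr.add_route("from_net1", Route("192.168.0.0/16", ("10.0.0.9",)))
    pr.add_route("from_net2", Route("0.0.0.0/0", ("10.0.0.2",)))
    pr.add_route("rest", Route("0.0.0.0/0", ("10.0.0.254",)))
    return pr
```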
Table of Contents Table of Contents Summary Specifications Related Documents Notes Connection Tracking Description Property Description Example Service Ports Description Property Description Example General Information Summary Connection tracking or conntrack provides a facility for monitoring connections made through the router and the respective state information. In turn, the service port submenu allows you to configure conntrack 'helpers' for various protocols.
Description Using Connection Tracking, you can observe connections passing through the router.
0 U 0.0.0.0:5678 255.255.255.255:5678 udp 1s 1 U 1.1.1.1:49679 255.255.255.255:69 udp 11s 2 U 1.1.1.1:56635 255.255.255.255:69 udp 27s 3 A 10.1.0.128:2413 10.10.1.1:23 tcp established 4d22h24m14s 4 U 10.1.0.157:5678 255.255.255.255:5678 udp 0s 5 U 10.1.0.172:5678 255.255.255.255:5678 udp 24s 6 U 10.1.0.175:5678 255.255.255.255:5678 udp 25s 7 U 10.1.0.209:5678 255.255.255.255:5678 udp 25s 8 U 10.1.0.212:5678 255.255.255.255:5678 udp 22s 9 A 10.5.7.242:32846 10.10.1.1:23 tcp established 4d23h59m59s 10 A 10.5.
Document revision 2.4 (Tue Apr 13 15:51:20 GMT 2004) This document applies to Wandy RouterOS V2.8 Table of Contents Table of Contents General Information Summary Specifications Related Documents Mangle Description Property Description Example How to Mangle NATted Traffic General Information Summary Mangle is a kind of 'marker' to mark packets for future processing. Many other facilities in RouterOS make use of these marks, e.g. queue trees and NAT.
Description Packets entering the router can be marked for further processing against the rules of firewall chains, source or destination NAT rules, as well as for applying queuing to them. It is also possible to mark the packets associated (including related) with the same connection as the marked packet (in other words, to mark a connection with all related connections, you need to mark only one packet belonging to that connection).
tcp-options (any | syn-only | non-syn-only; default: any) - TCP options protocol (ah | egp | ggp | icmp | ipencap | ospf | rspf | udp | xtp | all | encap | gre | idpr-cmtp | ipip | pup | st | vmtp | ddp | esp | hmp | igmp | iso-tp4 | rdp | tcp | xns-idp; default: all) - protocol setting • all - cannot be used, if you want to specify ports content (text; default: "") - the text packets should contain in order to match the rule flow (text) - flow mark to match.
limit-time=0s action=passthrough mark-flow=myflow tcp-mss=dont-change mark-connection="" 1 src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.
General Information Summary The Wandy Neighbor Discovery Protocol (MNDP) eases network configuration and management by enabling each Wandy router to discover other connected Wandy routers and learn information about the system along with features which are enabled. The Wandy routers can then automatically use learned information to set up some features with minimal or no configuration.
• if no info is received from a neighbor for more than 180 seconds the neighbor information is discarded Setup ip neighbor discovery Property Description name (read-only: name) - interface name for reference discover (yes | no; default: yes) - specifies whether the neighbour discovery is enabled or not Example To disable MNDP protocol on Public interface: [admin@Wandy] ip neighbor discovery> set Public discover=no [admin@Wandy] ip neighbor discovery> print # NAME DISCOVER 0 Public no 1 Local yes Neighbo
Firewall Filters Document revision 1.6 (Fri Apr 23 14:28:08 GMT 2004) This document applies to Wandy RouterOS V2.
Specifications Packages required: system License required: level1 (P2P filters limited to 1), level3 ip firewall Standards and Technologies: IP Hardware usage: Increases with filtering rule count Related Documents • Package Management • IP Addresses and ARP • Routes, Equal Cost Multipath Routing, Policy Routing • Network Address Translation Description Network firewalls keep outside threats away from sensitive data available inside the network.
NAT rules and queuing. Additional arrows from the IPsec boxes show the processing of encrypted packets (they need to be encrypted / decrypted first and then processed as usual, id est from the point an ordinary packet enters the router). If the packet is a bridged one, the 'Routing Decision' changes to 'Bridge Forwarding Decision'. In case the bridge is forwarding non-IP packets, nothing regarding the IP protocol is applicable ('Universal Client', 'Conntrack', 'Mangle', et cetera).
the packet matches the rule, one of the: • accept - accept the packet. No action, i.e., the packet is passed through without undertaking any action, except for mangle, and no more rules are processed in the relevant list/chain • drop - silently drop the packet (without sending the ICMP reject message) • jump - jump to the chain specified by the value of the jump-target argument • passthrough - ignore this rule, except for mangle, go on to the next one.
| integer; default: any) - specifies a match to the value of the Type of Service (ToS) field of the IP header: • any - match any packet (i.e., do not check this property) Notes Keep in mind that the protocol must be explicitly specified if you want to select a port. Example For instance, we want to reject packets with dst-port=8080: [admin@Wandy] ip firewall rule input> add dst-port=8080 protocol=tcp action=reject [admin@Wandy] ip firewall rule input> print Flags: X - disabled, I - invalid 0 src-address=0.0.0.
should be used as the jump target of a rule within another chain. The policy of user-added chains is none, and it cannot be changed. Chains cannot be removed if they contain rules (are not empty). Notes Because the NAT rules are applied first, it is important to keep this in mind when setting up firewall rules, since the original packets might already have been modified by NAT. The packets passing through the router are processed against neither the input nor the output chain rules.
Address All connections from the private addresses are masqueraded, and appear as coming from one external address - that of the router. This can be done by enabling the masquerading action for source NAT rules. • Enforce the Internet Usage Policy from the Customer's Network Connections from the customer's network should be monitored. This can be done by putting rules in the forward chain, and/or by masquerading (source NAT) only those connections that are allowed.
0 ;;; Allow established TCP connections protocol=tcp tcp-options=non-syn-only connection-state=established action=accept 1 ;;; Allow UDP connections protocol=udp action=accept 2 ;;; Allow ICMP messages protocol=icmp action=accept 3 ;;; Allow access from 'trusted' network 10.5.8.0/24 src-address=10.5.8.0/24 action=accept 4 ;;; Reject everything else action=reject log=yes [admin@Wandy] ip firewall rule input> Thus, the input chain will accept only allowed connections, and reject and log everything else.
src-address=:20 dst-address=:1024-65535 protocol=tcp tcp-options=syn-only action=accept 6 ;;; Reject and log everything else action=reject log=yes [admin@Wandy] ip firewall rule customer> Note about rule #5: active FTP data connections are made from the server's port 20 to a client TCP port above 1024.
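A small rule-chain evaluator, added here as a Python model (not RouterOS code), that implements the accept, drop, reject, jump and passthrough actions described above and replays the input chain from the example plus a customer chain with the active-FTP rule (#5) and the final reject-and-log rule. The forward-chain jump on 10.0.0.0/24 and the sample packets are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False           # TCP SYN without ACK, i.e. a connection attempt
    conn_state: str = "new"     # conntrack state: new, established, related, invalid


@dataclass(frozen=True)
class Rule:
    action: str                 # accept | drop | reject | jump | passthrough
    comment: str = ""
    protocol: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None    # inclusive port range
    dport: Optional[Tuple[int, int]] = None
    tcp_options: str = "any"    # any | syn-only | non-syn-only
    connection_state: Optional[str] = None
    jump_target: Optional[str] = None
    log: bool = False

    def matches(self, p: Packet) -> bool:
        if self.protocol and p.proto != self.protocol:
            return False
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.sport and not self.sport[0] <= p.sport <= self.sport[1]:
            return False
        if self.dport and not self.dport[0] <= p.dport <= self.dport[1]:
            return False
        if self.tcp_options == "syn-only" and not (p.proto == "tcp" and p.syn):
            return False
        if self.tcp_options == "non-syn-only" and not (p.proto == "tcp" and not p.syn):
            return False
        if self.connection_state and p.conn_state != self.connection_state:
            return False
        return True


class Firewall:
    def __init__(self):
        self.chains = {}
        self.policy = {"input": "accept", "forward": "accept", "output": "accept"}
        self.log = []

    def add(self, chain, rule):
        self.chains.setdefault(chain, []).append(rule)

    def run(self, chain, p, depth=0):
        """Walk a chain top to bottom; None means the chain ended without a verdict."""
        if depth > 16:
            raise RuntimeError("jump loop")
        for rule in self.chains.get(chain, []):
            if not rule.matches(p):
                continue
            if rule.log:
                self.log.append(f"{chain}: {rule.comment} {p.proto} {p.src}->{p.dst}:{p.dport}")
            if rule.action == "passthrough":     # matched, but go on to the next rule
                continue
            if rule.action == "jump":
                verdict = self.run(rule.jump_target, p, depth + 1)
                if verdict is not None:
                    return verdict
                continue                         # user chain ended: resume in this chain
            return rule.action                   # accept, drop or reject
        return self.policy.get(chain)            # built-in chain policy; user chains have none


def example_firewall():
    """The input chain from the example plus a 'customer' chain reached by a jump."""
    fw = Firewall()
    fw.add("input", Rule("accept", "Allow established TCP connections", protocol="tcp",
                         tcp_options="non-syn-only", connection_state="established"))
    fw.add("input", Rule("accept", "Allow UDP connections", protocol="udp"))
    fw.add("input", Rule("accept", "Allow ICMP messages", protocol="icmp"))
    fw.add("input", Rule("accept", "Allow access from 'trusted' network 10.5.8.0/24",
                         src_net="10.5.8.0/24"))
    fw.add("input", Rule("reject", "Reject everything else", log=True))
    # constructed: forward traffic for the customer network is handed to its own chain
    fw.add("forward", Rule("jump", dst_net="10.0.0.0/24", jump_target="customer"))
    fw.add("customer", Rule("accept", "Allow active FTP data connections", protocol="tcp",
                            sport=(20, 20), dport=(1024, 65535), tcp_options="syn-only"))
    fw.add("customer", Rule("reject", "Reject and log everything else", log=True))
    return fw
```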
addresses. If you want to allow connections to the server on the local network, you should use destination Network Address Translation (NAT). Example of Destination NAT Assume you need to configure the Wandy router for the following network setup, where the server is located in the private network area: The server has address 192.168.0.4, and we are running a web server on it that listens on TCP port 80. We want to make it accessible from the Internet at address:port 10.0.0.217:80.
servers Specifications Packages required: system License required: level1 ip pool Standards and Technologies: none Hardware usage: Not significant Related Documents • Package Management • IP Addresses and ARP • AAA • DHCP Client and Server • HotSpot Gateway • Universal Client Interface Description IP pools simply group IP addresses for further usage. It is a single configuration point for all features that assign IP addresses to clients.
Peer-to-Peer Traffic Control Document revision 1.3 (Wed Apr 21 11:56:49 GMT 2004) This document applies to Wandy RouterOS V2.
Packages required: system License required: level1 (Limited to 1 firewall rule), level3 ip firewall, /ip firewall mangle, /queue Hardware usage: Increases with rule count Related Documents • Firewall Filters • Bandwidth Control • Packet Marking (Mangle) Description RouterOS is able to recognize connections of the most popular P2P protocols: • Fasttrack (Kazaa, KazaaLite, Diet Kazaa, Grokster, iMesh, giFT, Poisoned, mlMac) • Gnutella (Shareaza, XoLoX, Gnucleus, BearShare, LimeWire (java), Morpheus, Phex,
• all-p2p - match all known P2P traffic • any - match any packet (i.e., do not check this property) mark-flow (text; default: "") - change flow mark of the packet to this value mark-connection (text; default: "") - change connection mark of the packet to this value Traffic Filtering ip firewall Description RouterOS gives you the ability to filter out traffic generated by P2P networks.
Peer-to-Peer Traffic Control Examples Summary This section will give you two examples of typical peer-to-peer traffic control configurations. Cumulative Bandwidth Limiting Consider the following example: Suppose we need to drop all the P2P traffic coming from the Internet, but allow the use of the WinMX client between two offices, limiting it to 284 Kbps in both directions.
Document revision 1.4 (Fri Mar 05 08:42:58 GMT 2004) This document applies to Wandy RouterOS V2.
• Package Management • IP Addresses and ARP Description Virtual Router Redundancy Protocol is an election protocol that provides high availability for routers. A number of routers may participate in one or more virtual routers. One or more IP addresses may be assigned to a virtual router. A node of a virtual router can be in one of the following states: • MASTER state, when the node answers all the requests to the instance's IP addresses. There may only be one MASTER node in a virtual router.
• simple - plain text authentication • ah - Authentication Header using HMAC-MD5-96 algorithm password (text; default: "") - password required for authentication; depending on the method used it can be omitted (if no authentication is used), an 8-character text string (for plain-text authentication) or a 16-character text string (the 128-bit key required for AH authentication) on-backup (name; default: "") - script to execute when the node switches to backup state on-master (name; default: "") - script to execute when
[admin@Wandy] ip vrrp> address print Flags: X - disabled, A - active # ADDRESS NETWORK BROADCAST VIRUAL-ROUTER 0 192.168.1.1/24 192.168.1.0 192.168.1.255 vr1 [admin@Wandy] ip vrrp> A simple example of VRRP fail over Description The VRRP protocol may be used to make a redundant Internet connection with seamless fail-over. Let us assume that we have the 192.168.1.0/24 network and we need to provide a highly available Internet connection for it.
Configuring Backup VRRP router
Now we will create a VRRP instance with lower priority (we can use the default value of 100), so this router will back up the preferred one:
[admin@Wandy] ip vrrp> add interface=local
[admin@Wandy] ip vrrp> print
Flags: X - disabled, I - invalid, M - master, B - backup
0 B name="vr1" interface=local vrid=1 priority=100 interval=1 preemption-mode=yes authentication=none password="" on-backup="" on-master=""
[admin@Wandy] ip vrrp>
Now we should add the same virtual address as was
Table of Contents: General Information (Summary, Specifications, Related Documents, Description); Common NAT Parameters (Description, Property Description, Notes); Source NAT (Description, Property Description, Notes, Example); Destination NAT (Description, Property Description, Example)
General Information
Summary
Network Address Translation (NAT) provides ways of hiding local networks as well as of maintaining public services on servers from these networks.
Network Address Translation is subdivided into two separate facilities:
• Source NAT - this type of NAT allows 'hiding' of private networks behind the router. It alters forwarded IP packets' source addresses.
• Destination NAT - this one is used for accessing public services on the local servers from outside the intranet. It can also help to accomplish some additional tasks like transparent proxying. Destination NAT alters forwarded IP packets' destination addresses.
The TOS can be one of five types, each of them is an instruction to:
• low-cost - minimize monetary cost
• low-delay - minimize delay
• normal - normal service
• max-reliability - maximize reliability
• max-throughput - maximize throughput
Common NAT Parameters
Description
The src-nat and the dst-nat have some common properties listed below. In turn, properties specific to each type of NAT will be listed in the appropriate sections.
Property Description
dst-address (IP address; default: 0.0.0.
Source NAT
Description
Source NAT is a firewall function that can be used to 'hide' private networks behind one external IP address of the router. For example, it is useful if you want to access the ISP's network and the Internet with all requests appearing to come from the single IP address given to you by the ISP. Source NAT changes the source IP address and port of packets originating from the private network to the external address of the router when the packet is routed through it.
If the packet matches the masquerade rule, the router opens a connection to the destination and sends out a modified packet with its own address and a port allocated for this connection. The router keeps track of masqueraded connections and performs the "demasquerading" of packets that arrive for the opened connections.
Example
This example shows how to add a dst-NAT rule that gives access to the HTTP server 192.168.0.4 on the local network via the external address 10.0.0.217:
[admin@Wandy] ip firewall dst-nat> add action=nat protocol=tcp \
\... dst-address=10.0.0.217/32:80 to-dst-address=192.168.0.4
[admin@Wandy] ip firewall dst-nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=10.0.0.
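As an added illustration (not RouterOS code) of the masquerading and dst-nat behaviour described in the two sections above, the following Python model allocates a port per masqueraded flow, de-masquerades replies, and applies the page's dst-nat rule for 10.0.0.217:80 to 192.168.0.4; the private client 192.168.0.10, the outside hosts and the starting port are constructed values.

```python
"""Toy model of RouterOS-style source NAT (masquerade) and destination NAT.
Added illustration, not RouterOS code. The external address 10.0.0.217 and the
published web server 192.168.0.4:80 come from the page's dst-nat example; the
private client, the outside hosts and the port range are constructed values."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    def __init__(self, external_ip, private_net, dst_nat_rules, first_port=1024):
        self.external_ip = external_ip
        self.private_net = ip_network(private_net)
        # dst-nat rules: (proto, public_ip, public_port) -> (internal_ip, internal_port)
        self.dst_nat = dict(dst_nat_rules)
        self._next_port = first_port
        # masquerade table, kept in both directions
        self.masq = {}      # (proto, ext_port) -> (orig_src, orig_sport)
        self.masq_rev = {}  # (proto, orig_src, orig_sport) -> ext_port
        # connections opened through a dst-nat rule, keyed by the internal side
        self.dnat_conns = {}  # (proto, internal_ip, internal_port) -> (public_ip, public_port)

    def _is_private(self, addr):
        return ip_address(addr) in self.private_net

    def forward(self, pkt):
        """Translate one forwarded packet; return None when nothing applies."""
        # 1. dst-nat: a packet for a published address/port is redirected inside
        key = (pkt.proto, pkt.dst, pkt.dport)
        if key in self.dst_nat:
            new_dst, new_dport = self.dst_nat[key]
            self.dnat_conns[(pkt.proto, new_dst, new_dport)] = (pkt.dst, pkt.dport)
            return replace(pkt, dst=new_dst, dport=new_dport)
        src_key = (pkt.proto, pkt.src, pkt.sport)
        # 2. reply from the published server: restore the public source address
        if src_key in self.dnat_conns:
            pub_ip, pub_port = self.dnat_conns[src_key]
            return replace(pkt, src=pub_ip, sport=pub_port)
        # 3. masquerade: a private source going outside gets the router's address
        #    and an allocated port; later packets of the same flow reuse that port
        if self._is_private(pkt.src) and not self._is_private(pkt.dst):
            ext_port = self.masq_rev.get(src_key)
            if ext_port is None:
                ext_port = self._next_port
                self._next_port += 1
                self.masq_rev[src_key] = ext_port
                self.masq[(pkt.proto, ext_port)] = (pkt.src, pkt.sport)
            return replace(pkt, src=self.external_ip, sport=ext_port)
        # 4. de-masquerade: a reply to an allocated port goes back to the client
        masq_key = (pkt.proto, pkt.dport)
        if pkt.dst == self.external_ip and masq_key in self.masq:
            orig_src, orig_sport = self.masq[masq_key]
            return replace(pkt, dst=orig_src, dport=orig_sport)
        # 5. anything else, e.g. unsolicited inbound traffic to an unallocated port
        return None


def page_router():
    """Router configured like the page's example: dst-nat 10.0.0.217:80 -> 192.168.0.4."""
    return NatRouter("10.0.0.217", "192.168.0.0/24",
                     {("tcp", "10.0.0.217", 80): ("192.168.0.4", 80)})
```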
Specifications
Packages required: system
License required: level1
ip upnp
Standards and Technologies: TCP/IP, HTTP, XML, IGD
Hardware usage: Not significant
Description
UPnP enables data communication between any two devices under the command of any control device on the network. Universal Plug and Play is completely independent of any particular physical medium. It supports networking with automatic discovery without any initial configuration, whereby a device can dynamically join a network.
interface (name) - interface name UPnP will be run on
type (external | internal) - interface type, one of the:
• external - the interface the global IP address is assigned to
• internal - router's local interface
Notes
It is highly recommended to upgrade DirectX runtime libraries to version DirectX 9.0a or higher and Windows Messenger to version Windows Messenger 5.0 or higher in order to get UPnP to work properly.
Description; Property Description; Notes; Example
General Information
Summary
The Wandy Packet Packer Protocol (M3P) optimizes the data rate usage of links using protocols that have a high overhead per packet transmitted. The basic purpose of this protocol is to better enable wireless networks to transport VoIP traffic and other traffic that uses small packet sizes of around 100 bytes.
• small packets going to the same MAC level destination (regardless of IP destination) are collected according to the set configuration and aggregated into a large packet according to the set size
• the packet is sent as soon as the maximum aggregated-packet size is reached or a maximum time of 15ms (+/-5ms) has elapsed
Setup
ip packing
Description
M3P works only between Wandy routers, which are discovered with the Wandy Neighbor Discovery Protocol (MNDP).
Example
To enable maximal compression on the ether1 interface:
[admin@Wandy] ip packing> add interface=ether1 packing=compress-all \
\... unpacking=compress-all
[admin@Wandy] ip packing> print
Flags: X - disabled
# INTERFACE PACKING UNPACKING AGGREGATED-SIZE
0 ether1 compress-all compress-all 1500
[admin@Wandy] ip packing>
DNS Client and Cache
Document revision 1.1 (Mon Mar 22 09:23:47 GMT 2004)
This document applies to Wandy RouterOS V2.
Summary
DNS cache is used to minimize DNS requests to an external DNS server as well as to minimize DNS resolution time. This is a simple recursive DNS server with local items.
Specifications
Packages required: system
License required: level1
ip dns
Standards and Technologies: DNS
Hardware usage: Not significant
Related Documents
• Package Management
• HotSpot Gateway
• AAA
Description
The Wandy router with the DNS cache feature enabled can be set as a primary DNS server for any DNS-compliant clients.
Notes
If the property use-peer-dns under /ip dhcp-client is set to yes, then primary-dns under /ip dns will change to the DNS address given by the DHCP server.
Example
To set 159.148.60.2 as the primary DNS server, do the following:
[admin@Wandy] ip dns> set primary-dns=159.148.60.2
[admin@Wandy] ip dns> print
resolve-mode: remote-dns
primary-dns: 159.148.60.2
secondary-dns: 0.0.0.
Flushing DNS cache
Command name: /ip dns cache flush
Command Description
flush - clears internal DNS cache
Example
[admin@Wandy] ip dns> cache flush
[admin@Wandy] ip dns> print
primary-dns: 159.148.60.2
secondary-dns: 0.0.0.0
allow-remote-requests: no
cache-size: 2048 kB
cache-max-ttl: 7d
cache-used: 10 kB
[admin@Wandy] ip dns>
Services, Protocols, and Ports
Document revision 1.0.0 (Fri Mar 05 08:38:56 GMT 2004)
This document applies to Wandy RouterOS V2.
case you want to prevent or grant access to certain services. Please see the relevant sections of the Manual for more explanations.
ip service
Related Documents
• Firewall Filters
• Packet Marking (Mangle)
• Certificate Management
Modifying Service Settings
ip service
Property Description
name - service name
port (integer: 1..65535) - the port the particular service listens on
address (IP address/mask; default: 0.0.0.
additional package to be installed, as well as to be enabled by administrator, exempli gratia bandwidth server.
HotSpot Gateway Document revision 3.3 (Tue Apr 27 20:43:43 GMT 2004) This document applies to Wandy RouterOS V2.
HotSpot Cookies (Description, Property Description, Notes, Example); Walled Garden (Description, Property Description, Notes, Example); Customizing HotSpot Servlet (Description, Notes, Example); Possible Error Messages (Description); HotSpot Step-by-Step User Guide for dhcp-pool Method (Description, Example); HotSpot Step-by-Step User Guide for enabled-address Method (Description, Example); Optional Settings
General Information
Summary
The Wandy HotSpot Gateway enables providing public network access for clients using wireless or
• connection time
• downloaded/uploaded traffic (bytes)
The Universal Client feature may be used with the HotSpot enabled-address method to provide IP network services regardless of client computers' IP network settings.
Specifications
Packages required: hotspot, dhcp (optional)
License required: level1 (Limited to 1 active user), level3 (Limited to 1 active user), level4 (Limited to 200 active users), level5 (Limited to 500 active users), level6
ip hotspot
Standards and Technologies: ICMP, DHCP
Hardware usage: Not
amount of traffic each of its clients has used, and can also send this information to a RADIUS server. The HotSpot system may limit each particular user's bitrate, total amount of traffic, uptime and some other parameters mentioned further in this document. The HotSpot system is targeted at providing authentication within a local network, but may as well be used to authorize access from outer networks to local networks.
either case, the HTTP POST method (or, if that is not possible, the HTTP GET method) is used to send data to the HotSpot gateway. HotSpot can authenticate users using the local user database or a RADIUS server (the local database is consulted first, then the RADIUS server). If authentication is done locally, the profile corresponding to that user is used; otherwise (in the case of RADIUS) the default profile is used to set default values for parameters that are not set in the RADIUS access-accept message.
firewall table.
Notes
Depending on current settings and answers to the previous questions, default values of the following questions may be different. Some questions may disappear if they become redundant (for example, there is no use in setting up a temporary network when the login method is enabled-address). If Universal Client is enabled and DNS cache is not used, DNS requests are redirected to the first DNS server configured.
enabled
http-cookie-lifetime (time; default: 1d) - validity time of HTTP cookies
allow-unencrypted-passwords (yes | no; default: no) - whether to authenticate the user if a plain-text password is received
login-mac-universal (yes | no; default: no) - whether to log in every host of the Universal Client instantly in case it has its MAC address listed in the HotSpot user list
split-user-domain (yes | no; default: no) - whether to split the username from the domain name when the username is given in "user@domain" or in "domain\user
auth-mac-password: no
auth-http-cookie: yes
http-cookie-lifetime: 1d
allow-unencrypted-passwords: no
login-mac-universal: no
split-user-domain: no
[admin@Wandy] ip hotspot>
HotSpot User Profiles
ip hotspot profile
Description
HotSpot user profiles are used for common user settings. Profiles are like user groups: they group users with the same limits.
To choose the login method to be used if smart is set as the value of the login-method property, the following algorithm is used:
• If a client has a dynamic DHCP address lease received from the router, the correct HotSpot server is set for the DHCP server that issued that lease, and the client has a specific IP address set in the /ip hotspot user configuration, the dhcp-pool method will be used
• else, if the mark-flow property is defined in the client's profile, the enabled-address method will be used
• else, if the client h
routes may be specified separated with commas
limit-uptime (time; default: 0s) - total uptime limit for user (pre-paid time)
• 0s - no limit
limit-bytes-in (integer; default: 0) - maximum amount of bytes user can transmit
• 0 - no limit
limit-bytes-out (integer; default: 0) - maximum amount of bytes user can receive
• 0 - no limit
uptime (read-only: time) - total time user has been logged in
bytes-in (read-only: integer) - total amount of bytes received from user
bytes-out (read-only: integer) - total amoun
HotSpot Active Users ip hotspot active Description The active user list shows the list of currently logged in users.
Notes
The RADIUS user database is consulted only if the required username is not found in the local user database. The value set in interim-update is overridden by the value sent by a RADIUS server (if any).
Example
To enable RADIUS AAA:
[admin@Wandy] ip hotspot aaa> set use-radius=yes
[admin@Wandy] ip hotspot aaa> print
use-radius: yes
accounting: yes
interim-update: 0s
[admin@Wandy] ip hotspot aaa>
HotSpot Server Settings
ip hotspot server
Description
HotSpot Server configuration is used to modify DHCP leases fo
Example
To add a HotSpot server named dhcp1 to the DHCP server hotspot-dhcp giving IP addresses from the hotspot address pool:
[admin@Wandy] ip hotspot server> add name=dhcp1 dhcp-server=hotspot-dhcp \
\...
information about HotSpot service provider or billing options.
the login page
2. request for '/' on the HotSpot host
• if the user is logged in, rstatus.html is displayed; if rstatus.html is not found, redirect.html is used to redirect to the status page
• if the user is not logged in, rlogin.html is displayed; if rlogin.html is not found, redirect.html is used to redirect to the login page
3. request for '/login' page
• if the user has successfully logged in (or is already logged in), alogin.html is displayed; if alogin.html is not found, redirect.
• hostname - DNS name or IP address (if DNS name is not given) of the HotSpot Servlet ("hotspot.example.net")
• identity - RouterOS identity name ("Wandy")
• ip - IP address of the client ("10.5.50.2")
• link-logout - link to logout ("http://10.5.50.1/logout")
• link-login - link to login including original URL requested ("http://10.5.50.1/login?dst=http://www.example.com/")
• link-status - link to status ("http://10.5.50.1/status")
• link-orig - original URL requested ("http://www.example.
• uptime-secs - uptime in seconds ("125")
• session-timeout-secs - session timeout in seconds ("3475" or "" if there is no such timeout)
• idle-timeout-secs - idle timeout in seconds ("88" or "" if there is no such timeout)
• limit-bytes-in - byte limit for send ("1000000" or "---" if there is no limit)
• limit-bytes-out - byte limit for receive ("1000000" or "---" if there is no limit)
• remain-bytes-in - remaining bytes until limit-bytes-in will be reached ("337465" or "---" if there is no limit)
• remain-bytes
concatenation of the following: chap-id, the password of the user and chap-challenge (in the given order). The gateway uses CHAP authentication in case the client's browser is hashing his/her password (in other words, if the main variable was initialized successfully before the form is submitted). In case a plain-text password has been sent, the PAP authentication algorithm is used.
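The gateway-side view of the two login paths just described (CHAP hash of chap-id, password and chap-challenge in that order; PAP plain-text password accepted only when the allow-unencrypted-passwords property from the HotSpot settings above is yes), as an added Python illustration that is not RouterOS code. It assumes the hash is MD5, since this excerpt begins after the hash is named, and the user, password and challenge values are constructed.

```python
"""Server-side check of the two HotSpot login forms: CHAP, where the browser
sends a hash of chap-id + password + chap-challenge (in that order), and PAP,
where the plain-text password is sent and is accepted only when
allow-unencrypted-passwords is yes. Added illustration, not RouterOS code.
Assumption: the hash is MD5; user, password and challenge values are constructed."""
import hashlib
import hmac
import os


def chap_response(chap_id: bytes, password: str, chap_challenge: bytes) -> str:
    """What the login page's script computes before submitting the form."""
    return hashlib.md5(chap_id + password.encode() + chap_challenge).hexdigest()


class HotspotAuth:
    def __init__(self, users, allow_unencrypted_passwords=False):
        self.users = dict(users)                  # local user database
        self.allow_unencrypted = allow_unencrypted_passwords
        self.challenges = {}                      # chap-id -> challenge handed out

    def new_challenge(self):
        """Issue a fresh (chap-id, chap-challenge) pair for one login form."""
        chap_id, challenge = os.urandom(1), os.urandom(16)
        self.challenges[chap_id] = challenge
        return chap_id, challenge

    def login(self, username, chap_id=None, response=None, password=None):
        """Return (accepted, method); the method tells which path was taken."""
        secret = self.users.get(username)
        if secret is None:
            return False, "unknown-user"
        if chap_id is not None and response is not None:
            # CHAP: the challenge is single use, so a replayed form fails
            challenge = self.challenges.pop(chap_id, None)
            if challenge is None:
                return False, "chap"
            expected = chap_response(chap_id, secret, challenge)
            return hmac.compare_digest(expected, response), "chap"
        if password is not None:
            # PAP: plain-text password, refused unless explicitly allowed
            if not self.allow_unencrypted:
                return False, "pap-refused"
            return hmac.compare_digest(secret.encode(), password.encode()), "pap"
        return False, "no-credentials"
```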
Description
There are two kinds of errors: fatal and non-fatal. Fatal errors are shown on a separate HTML page called error.html. Non-fatal errors basically indicate incorrect user actions and are shown on the login form.
General non-fatal errors:
• You are not logged in - trying to access the status or log off while not logged in. Solution: log in
• IP is already logged in - trying to log in while somebody from this IP address has already been logged in.
• your uptime limit is reached - self-explanatory
• your traffic limit is reached - either the limit-bytes-in or the limit-bytes-out limit is reached
• no more sessions are allowed for user - the shared-users limit for the user's profile is reached.
added to the ARP table. The DHCP server will add entries only for clients which have obtained DHCP leases:
/interface prism set prism1 arp=reply-only
4. Add two IP addresses to the prism1 interface:
/ip address add address=192.168.0.1/24 interface=prism1 \
comment="hotspot temporary network"
/ip address add address=10.5.50.1/24 interface=prism1 \
comment="hotspot real network"
5. Add 2 IP address pools:
/ip pool add name=hs-pool-temp ranges=192.168.0.2-192.168.0.254
/ip pool add name=hs-pool-real ranges=10.5.
/ip firewall rule hotspot-temp add action=reject \
comment="reject access for unauthorized hotspot clients"
13. Add hotspot chain:
/ip firewall add name=hotspot comment="account authorized hotspot clients"
14. Pass all through-going traffic to the hotspot chain:
/ip firewall rule forward add action=jump jump-target=hotspot \
comment="account traffic for authorized hotspot clients"
Note that in order to use SSL authentication, you should install an SSL certificate.
/ip firewall rule hotspot-temp add flow="hs-auth" action=return \
comment="return if connection is authorized"
/ip firewall rule hotspot-temp add protocol=icmp action=return \
comment="allow ping requests"
/ip firewall rule hotspot-temp add protocol=udp dst-port=53 action=return \
comment="allow dns requests"
/ip firewall rule hotspot-temp add action=reject \
comment="reject access for unauthorized clients"
6.
1. Make sure the web-proxy software package is installed and the DNS client is configured
2. It is assumed that HotSpot is set up and successfully running on port 8088. HotSpot clients are connected to the interface named prism1
3. Set up HotSpot to use one of the router's local IP addresses (10.5.50.1):
/ip hotspot set hotspot-address=10.5.50.1
4. Set up web-proxy to run on the same IP address on port 3128:
/ip web-proxy set enabled=yes src-address=10.5.50.1:3128 transparent-proxy=yes
5.
Summary; Specifications; Description; Additional Documents; DHCP Client Setup (Description, Property Description, Command Description, Notes, Example); DHCP Client Lease (Description, Property Description, Example); DHCP Server Setup (Description, Property Description, Notes, Example); DHCP Networks (Property Description, Notes); DHCP Leases (Description, Property Description, Command Description, Notes, Example); DHCP Relay (Description, Property Description, Notes, Example); Question&Answer-Based Setup (Command Description, Notes, Example); Genera
General usage of DHCP:
• IP assignment in LAN, cable-modem, and wireless systems
• Obtaining IP settings on cable-modem systems
IP addresses can be bound to MAC addresses using the static lease feature. The DHCP server can be used with the Wandy RouterOS HotSpot feature to authenticate and account DHCP clients. See the HotSpot Manual for more information.
add-default-route (yes | no; default: yes) - whether to add the default route to the gateway specified by the DHCP server
use-peer-dns (yes | no; default: yes) - whether to accept the DNS settings advertised by the DHCP server (they will appear in the /ip dns submenu)
Command Description
renew - renew current leases. If the renew operation was not successful, the client tries to reinitialize the lease (i.e.
DHCP server)
• renewing... - the DHCP client is trying to renew the lease
• rebinding...
interface and the source-address is left as 0.0.0.0, then the static address will be used.
dns-server (text) - the DHCP client will use these as the default DNS servers. Two comma-separated DNS servers can be specified to be used by the DHCP client as primary and secondary DNS servers
wins-server (text) - the Windows DHCP client will use these as the default WINS servers.
server (read-only: name) - server name which serves this client
expires-after (read-only: time) - time until lease expires
tx-rate (integer; default: 0) - maximal transmit bitrate to the client (for users it is download bitrate)
• 0 - no limitation
rx-rate (integer; default: 0) - maximal receive bitrate to the client (for users it is upload bitrate)
• 0 - no limitation
status (read-only: waiting | testing | busy | offered | bound) - lease status:
• waiting - not used static lease
• testing - testing wheth
Description
DHCP Relay is just a proxy that is able to receive a DHCP request and resend it to the real DHCP server
Property Description
name (name) - descriptive name for relay
interface (name) - interface name the DHCP relay will be working on
dhcp-server (text) - list of DHCP servers' IP addresses to which the DHCP requests should be forwarded
local-address (IP address; default: 0.0.0.0) - the unique IP address of this DHCP relay needed for the DHCP server to distinguish relays:
• 0.0.0.
Notes
Depending on current settings and answers to the previous questions, default values of the following questions may be different. Some questions may disappear if they become redundant (for example, there is no use in asking for 'relay' when the server will lend the directly connected network).
Example
To configure a DHCP server on the ether1 interface to lend addresses from 10.0.0.2 to 10.0.0.254, which belong to the 10.0.0.0/24 network with 10.0.0.1 gateway and 159.148.60.
Description; Universal Client Interface Setup (Property Description, Notes, Example); Universal Host List (Description, Property Description, Example); Universal Access List (Description, Property Description, Example); Service Port (Description, Property Description, Example)
General Information
Summary
The Universal Client Interface allows working with clients regardless of their IP addresses, translating these addresses to the ones the router is able to work with.
Universal Client Interface Setup
ip hotspot universal
Property Description
interface (name) - interface to run universal client on
address-pool (name) - IP address pool name
arp (all-arp | no-arp; default: all-arp) - ARP handling mode:
• all-arp - respond to all ARP requests
• no-arp - respond to ARP requests normally
use-dhcp (yes | no; default: yes) - do not translate the addresses assigned by DHCP server
idle-timeout (time; default: 5m) - idle timeout (maximal period of inactivity) for client added dyna
Property Description
mac-address (read-only: MAC address) - client's MAC address
address (read-only: IP address) - client's IP address
to-address (read-only: IP address) - IP address to translate the address to
interface (read-only: name) - interface name the client is connected to
idle-time (read-only: time) - inactivity time
uptime (read-only: time) - how long the client is active
bytes-in (read-only: integer) - the amount of bytes received from the client
bytes-out (read-only: integer) - the amount of by
Service Port
ip hotspot universal service-port
Description
Just like for classic NAT, the Universal Client Interface 'breaks' some protocols that are incompatible with address translation. To keep these protocols consistent, helper modules must be used. For the Universal Client Interface the only such module is the one for the FTP protocol.
Property Description; Notes; Voicetronix Voice Ports (Property Description, Command Description, Notes); LineJack Voice Ports (Property Description, Command Description, Notes); PhoneJack Voice Ports (Property Description, Command Description); Zaptel Voice Ports (Property Description, Command Description); ISDN Voice Ports (Property Description, Command Description, Notes); Voice Port for Voice over IP (voip) (Description, Property Description); Numbers (Description, Property Description, Notes, Example); Regional Settings (Description, Prope
A simple example (Description); Setting up the Wandy IP Telephone; Setting up the IP Telephony Gateway; Setting up the Welltech IP Telephone; Setting up Wandy Router and CISCO Router; Setting up PBX to PBX Connection over an IP Network
General Information
Summary
The Wandy RouterOS IP Telephony feature enables Voice over IP (VoIP) communications using routers equipped with the following voice port hardware:
• Quicknet LineJACK or PhoneJACK analog telephony cards
• ISDN cards
• Voicetronix OpenLine4 (was V4PCI) -
• Quicknet Technologies cards:
  • Internet PhoneJACK (ISA or PCI) for connecting an analog telephone (FXS port)
  • Internet LineJACK (ISA) for connecting an analog telephone line (FXO port) or a telephone (FXS port)
• ISDN client cards (PCI) for connecting an ISDN line.
Description
This submenu is used for managing all IP telephony voice ports (linejack, phonejack, isdn, voip, voicetronix, zaptel)
Property Description
name (name) - assigned name of the voice port
type (read-only: phonejack | linejack | phonejack-lite | phonejack-pci | voip | isdn | voicetronix | zaptel) - type of the installed telephony voice port:
• phonejack - Quicknet PhoneJACK (ISA)
• linejack - Quicknet LineJACK (ISA)
• phonejack-lite - Quicknet PhoneJACK Lite Linux Edition (ISA)
• phonejack-pci - Qu
parameters of the PSTN line, as well as for detecting and generating the tones
agc-on-playback (yes | no; default: no) - automatic gain control on playback (cannot be used together with hardware voice codecs)
agc-on-record (yes | no; default: no) - automatic gain control on record (cannot be used together with hardware voice codecs)
detect-cpt (yes | no; default: no) - automatically detect call progress tones
balance-registers (integer: 0..
CODEC used for the audio connection
(time) - duration of the phone call
Notes
As some Voicetronix cards fail to detect loop drop correctly, with loop-drop-detection you can manage whether the loop drop detection feature is enabled. The effect of non-working loop-drop detection is that the call is terminated at once when the connection is established.
Command Description blink - blink the LEDs of the specified voice port for five seconds after it is invoked.
PhoneJack Voice Ports
ip telephony voice-port phonejack
Property Description
name (name) - name given by the user or the default one
type (read-only: phonejack | phonejack-lite | phonejack-pci) - type of the card
autodial (integer; default: "") - phone number which will be dialed immediately after the handset has been lifted. If this number is incomplete, then the remaining part has to be dialed on the dial-pad. If the number is incorrect, a busy tone is played.
• on-hook - the handset is on-hook, no activity
• off-hook - the handset is off-hook, the number is being dialed
• ring - call in progress, direction of the call is shown by the direction property
• connection - the connection has been established
• busy - the connection has been terminated, the handset is still off-hook
(phone | line) - the active port of the card
• phone - telephone connected to the card (POTS FXS port)
• line - line connected to the card (PSTN FXO port)
(ip-to-port | port-to-ip) - direct
Command Description
clear-call - terminate a current call established with the specified voice port
(name) - port name to clear call with
show-stats - show voice port statistics
(name) - port name to show statistics of
(time) - maximal time of packet round trip
(integer) - number of packets sent by this card (these packets are digitalized input of the voice port)
(integer) - number of bytes sent by this card (these packets are digitalized input of the voice port)
(text) - minimal/average/maximal intervals betw
playback-volume (integer: -48..48; default: 0) - playback volume in dB
• 0 - 0dB means no change to signal level
record-volume (integer: -48..48; default: 0) - record volume in dB
• 0 - 0dB means no change to signal level
region (name; default: us) - regional setting for the voice port.
• [ ] - matches any single character from the set in brackets
• [^ ] - matches any single character not from the set in brackets
There is a possibility to enter some special symbols in the lmsn property. Meaning of the special symbols:
Voice Port for Voice over IP (voip)
ip telephony voice-port voip
Description
The voip voice ports are virtual ports, which designate a voip channel to another host over the IP network. You must have at least one voip voice port to be able to make calls to other H.
This is the so-called "routing table" for voice calls. This table assigns numbers to the voice ports. The main function of the numbers routing table is to determine:
• to which voice port to route the call
• what number to send over to the remote party
Property Description
dst-pattern (integer) - pattern of the telephone number. Symbol '.' designates any digit, symbol '_' (only as the last one) designates any symbols (i.e.
# DST-PATTERN VOICE-PORT PREFIX
0 12345 XX
1 1111. YY
2 22... ZZ 333
3 ... QQ 55
4 222 KK 44444
5 3.. LL 553
[admin@Wandy] ip telephony numbers>
• If nr=222 => the best match is the record #4 => nc=44444, vp=KK (note: the 'best match' means that it has the most coinciding digits between the nr and destination pattern).
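The best-match lookup over the numbers table above, as an added Python illustration (not RouterOS code) that generalizes the nr=222 case to any dialed number: '.' stands for one digit, '_' (last symbol only) for any remaining symbols, and the entry with the most coinciding literal digits wins. How the prefix rewrites the number beyond the page's nr=222 case is an assumption here: the prefix replaces the literally matched digits, the digits matched by wildcards are appended, and an empty prefix sends the number unchanged.

```python
"""Best-match lookup over an IP telephony numbers table. Added illustration,
not RouterOS code. Pattern rules follow the page ('.' = any one digit, '_' only
as the last symbol = any remaining symbols, other digits must coincide, most
coinciding digits wins). Assumed prefix rule: the prefix replaces the literally
matched digits, wildcard-matched digits are appended, empty prefix = unchanged."""


def match_digits(pattern, number):
    """Return the count of coinciding literal digits, or None if no match."""
    if pattern.endswith("_"):
        head = pattern[:-1]          # '_' swallows whatever follows the head
        if len(number) < len(head):
            return None
    else:
        head = pattern
        if len(number) != len(head):  # fixed-length pattern
            return None
    coinciding = 0
    for p, n in zip(head, number):
        if p == ".":
            continue                 # wildcard digit, matches anything
        if p != n:
            return None              # literal digit must coincide
        coinciding += 1
    return coinciding


def rewrite_number(pattern, prefix, number):
    """Build the number sent on (nc) from the matched entry (assumed rule)."""
    if not prefix:
        return number
    head = pattern[:-1] if pattern.endswith("_") else pattern
    kept = "".join(n for p, n in zip(head, number) if p == ".")
    return prefix + kept + number[len(head):]


def route_call(table, nr):
    """Return (voice-port, nc) for the best-matching entry, or None."""
    best = None
    for entry in table:
        score = match_digits(entry["dst-pattern"], nr)
        if score is not None and (best is None or score > best[0]):
            best = (score, entry)    # first entry wins a tie
    if best is None:
        return None
    entry = best[1]
    return entry["voice-port"], rewrite_number(entry["dst-pattern"], entry["prefix"], nr)


# The numbers table from the page's example.
PAGE_TABLE = [
    {"dst-pattern": "12345", "voice-port": "XX", "prefix": ""},
    {"dst-pattern": "1111.", "voice-port": "YY", "prefix": ""},
    {"dst-pattern": "22...", "voice-port": "ZZ", "prefix": "333"},
    {"dst-pattern": "...",   "voice-port": "QQ", "prefix": "55"},
    {"dst-pattern": "222",   "voice-port": "KK", "prefix": "44444"},
    {"dst-pattern": "3..",   "voice-port": "LL", "prefix": "553"},
]
```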
ip telephony region
Description
Regional settings are used to adjust the voice port properties to the PSTN system or the PBX. For example, to detect hang-up from the line, there has to be a correct regional setting (correct busy-tone-frequency and busy-tone-cadence). Without that, the detect-cpt parameter of the voice port has to be enabled.
Property Description
name (name) - name of the regional setting
busy-tone-cadence (integer: 0..
quality can be achieved by using the G.711-uLaw CODEC requiring 64kb/s throughput for each direction of the call. It is used mostly within a LAN. The G.723.1 CODEC is the most popular one to be used for audio connections over the Internet. It requires only 6.3kb/s throughput for each direction of the call.
Example
[admin@Wandy] ip telephony codec> print
Flags: X - disabled
# NAME
0 G.723.1-6.3k/sw
1 G.728-16k/hw
2 G.711-ALaw-64k/hw
3 G.711-uLaw-64k/hw
4 G.711-uLaw-64k/sw
5 G.711-ALaw-64k/sw
6 G.
• h323-call-type - call leg type (should be VoIP)
• h323-call-origin - indicates the origin of the call relative to the gateway (answer for calls from the IP network, originate for calls to the IP network)
• h323-setup-time - call setup time
• h323-conf-id - unique session ID
• h323-remote-address - the remote address of the session
• NAS-Port-Id - voice port ID
• Acct-Status-Type - record type (START when the session is established; STOP when the session is closed; INTERIM-UPDATE (ALIVE) while the session is alive).
Gatekeeper
ip telephony gatekeeper
Description
For each H.323 endpoint, the gatekeeper stores its telephone numbers. So the gatekeeper knows all telephone numbers of all registered endpoints, and it knows which telephone number is handled by which endpoint. Mapping between endpoints and their telephone numbers is the main functionality of gatekeepers. If an endpoint is registered to a gatekeeper, it does not have to know every single endpoint and every single telephone number which can be called.
registered
Example
In the most simple case, with one phonejack card and some remote gatekeeper, the configuration can be as follows:
[admin@Wandy] ip telephony voice-port> print
Flags: X - disabled
# NAME TYPE AUTODIAL
0 phonejack1 phonejack
1 voip1 voip
[admin@Wandy] ip telephony voice-port voip> print
Flags: X - disabled, D - dynamic, R - registered
# NAME AUTODIAL REMOTE-ADDRESS JITTER-BUFFER PREFERED-CODEC SIL FAS
0 voip1 0.0.0.
Flags: I - invalid, X - disabled, D - dynamic, R - registered
# DST-PATTERN VOICE-PORT PREFIX
0 78 linejack1
1 3... vctx1
2 33_ voip1
3 5.. voip1
4 XD 78 local 78
5 XD 3_ local 3
6 D 76 10.0.0.100 76
7 D 77 10.0.0.100 77
8 D 1_ 10.0.0.100 1
Here we can see how aliases and prefixes are added to the numbers table. Entries 0..3 are static. Entries 4 and 5 are added by registering the local endpoint to the local gatekeeper. Entries 6..8 are added by registering the endpoint (with IP address 10.0.0.
RouterOS. Let us consider the following example of an IP telephony gateway, one Wandy IP telephone, and one Welltech LAN Phone 101 setup:
Setting up the Wandy IP Telephone
If you pick up the handset, a dial tone should be heard. The basic telephony configuration should be as follows:
• Add a voip voice port to the /ip telephony voice-port voip for each of the devices you want to call, or want to receive calls from, i.e., (the IP telephony gateway 10.1.1.12 and the Welltech IP telephone 10.5.8.
call, or want to receive calls from, i.e., (the IP telephone 10.0.0.224 and the Welltech IP telephone 10.5.8.2):
[admin@voip_gw] ip telephony voice-port voip> add name=joe \
\... remote-address=10.0.0.224
[admin@voip_gw] ip telephony voice-port voip> add name=rob \
\... remote-address=10.5.8.2 prefered-codec=G.723.1-6.3k/hw
[admin@voip_gw] ip telephony voice-port voip> print
Flags: X - disabled, D - dynamic, R - registered
# NAME AUTODIAL REMOTE-ADDRESS JITTER-BUFFER PREFERED-CODEC SIL FAS
0 joe 10.0.0.
2. Check if you have the codecs arranged in the desired order:
usr/config$ voice -print
Voice codec setting relate information
Sending packet size :
G.723.1 : 30 ms
G.711A : 20 ms
G.711U : 20 ms
G.729A : 20 ms
G.729 : 20 ms
Priority order codec : g7231 g711a g711u g729a g729
Volume levels :
voice volume : 54
input gain : 26
dtmf volume : 23
Silence suppression & CNG:
G.723.1 : Off
Echo canceller : On
JitterBuffer Min Delay : 90
JitterBuffer Max Delay : 150
usr/config$
3. Make sure you have set the H.
Configuration on the Wandy side • The G.729a codec MUST be disabled (otherwise connections are not possible at all) /ip telephony codec disable G.729A-8k/sw • The G.711-ALaw codec should not be used (in some cases there is no sound) /ip telephony codec disable "G.711-ALaw-64k/sw G.
ip address 10.0.0.101 255.255.255.0 no ip mroute-cache speed auto half-duplex ! ip classless ip route 0.0.0.0 0.0.0.0 10.0.0.1 no ip http server ! dialer-list 1 protocol ip permit dialer-list 1 protocol ipx permit ! voice-port 0/0 ! voice-port 0/1 ! voice-port 2/0 ! voice-port 2/1 ! dial-peer voice 1 pots destination-pattern 101 port 0/0 ! dial-peer voice 97 voip destination-pattern 097 session target ipv4:10.0.0.
voice-port=vctx1 prefix=1 • IP telephony gateway #2 should have /ip telephony voice-port voip add name=gw1 remote-address=10.0.0.182 /ip telephony numbers add dst-pattern=2.. voice-port=vctx1 prefix=1 add dst-pattern=1.. voice-port=gw1 prefix=2 The system works as follows: To dial from the main office PBX#1 any extension of the remote office PBX#2, the extension with the connected gateway at PBX#1 should be dialed first.
General Information Summary Wandy RouterOS implements OSPF Version 2 (RFC 2328). OSPF is a link-state protocol that maintains the routes in a dynamic network structure where several paths to a subnetwork may exist. It always chooses the shortest path to the subnetwork first.
1. Change the general OSPF settings for redistributing connected, static and default routes. The default route should be distributed only from the border routers of your area
2. Configure additional areas, if any
3. If you are using authentication, configure the keys at the /routing ospf interface command level (OSPF authentication protects the origin and integrity of routing updates; it does not encrypt them)
4. Add OSPF network records for all networks you want OSPF to run on
The OSPF protocol is started as soon as you add a record to the OSPF network list.
Notes Within one area, only the router that is connected to another AS (i.e. the border router) should have propagation of the default route enabled. The OSPF protocol will use the shortest path (the path with the smallest total cost) if available. OSPF supports two types of metrics: • type1 - metrics are internal ('cheap') metrics, i.e. the router expects the cost of a link to a network external to the AS to be of the same order of magnitude as the cost of the internal links.
• simple - plain text authentication (the key is carried unencrypted in every OSPF packet, so anyone who can sniff the link learns it) • md5 - Keyed Message Digest 5 authentication (only an MD5 digest computed over the packet and the key is sent; the key itself never leaves the router) Example To define an additional OSPF area named local_10 with area-id=0.0.10.5, do the following: [admin@WiFi] routing ospf area> add area-id=0.0.10.5 name=local_10 [admin@WiFi] routing ospf area> print Flags: X - disabled, I - invalid # NAME AREA-ID STUB DEFAULT-COST AUTHENTICATION 0 backbone 0.0.0.0 none 1 local_10 0.0.10.
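The difference between the two authentication types, as an added example that is not part of the manual and not RouterOS code: it builds one OSPF Hello with simple authentication and one with MD5 cryptographic authentication exactly as RFC 2328 Appendix D specifies (digest = MD5 of the packet followed by the key padded to 16 bytes, appended after the packet and excluded from the length field), then verifies the digest and enforces the non-decreasing sequence number that defends against replay. The router IDs, area, key and Hello body are constructed sample values.

```python
"""OSPFv2 'simple' (AuType 1) versus 'md5' (AuType 2) authentication,
RFC 2328 Appendix D.  Added example, not RouterOS code; all values below
are constructed."""
import hashlib
import hmac
import ipaddress
import struct

AUTH_SIMPLE, AUTH_MD5 = 1, 2
HELLO = 1


def ip4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def ospf_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used with null/simple authentication."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _header(au_type: int, router_id: str, area_id: str, body: bytes,
            auth_field: bytes) -> bytes:
    """24-byte OSPF header (checksum 0): version, type, length, router-id,
    area-id, checksum, AuType, 8-byte Authentication field; then the body."""
    return struct.pack("!BBH4s4sHH", 2, HELLO, 24 + len(body), ip4(router_id),
                       ip4(area_id), 0, au_type) + auth_field + body


def build_simple(router_id: str, area_id: str, body: bytes, key: bytes) -> bytes:
    """AuType 1: the password itself travels in the Authentication field."""
    pkt = _header(AUTH_SIMPLE, router_id, area_id, body, key[:8].ljust(8, b"\x00"))
    csum = ospf_checksum(pkt[:16] + pkt[24:])   # checksum excludes the auth field
    return pkt[:12] + struct.pack("!H", csum) + pkt[14:]


def _md5_digest(pkt: bytes, key: bytes) -> bytes:
    """Digest = MD5(packet || key padded to 16 bytes), appended after the packet."""
    return hashlib.md5(pkt + key[:16].ljust(16, b"\x00")).digest()


def build_md5(router_id: str, area_id: str, body: bytes, key: bytes,
              key_id: int, seq: int) -> bytes:
    """AuType 2: Authentication field = 0, Key ID, digest length 16, sequence
    number.  Checksum stays 0; the 16-byte digest is not counted in 'length'."""
    auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = _header(AUTH_MD5, router_id, area_id, body, auth_field)
    return pkt + _md5_digest(pkt, key)


def verify_md5(wire: bytes, key: bytes) -> bool:
    """Recompute the digest over everything but the trailing 16 bytes."""
    if len(wire) < 40:
        return False
    pkt, digest = wire[:-16], wire[-16:]
    au_type, = struct.unpack("!H", pkt[14:16])
    length, = struct.unpack("!H", pkt[2:4])
    if au_type != AUTH_MD5 or length != len(pkt):
        return False
    return hmac.compare_digest(_md5_digest(pkt, key), digest)


def accept_md5(wire: bytes, key: bytes, last_seq: dict) -> bool:
    """Verification plus replay protection: per neighbour, the sequence
    number must be >= the last one accepted (RFC 2328 D.4.3)."""
    if not verify_md5(wire, key):
        return False
    router_id = wire[4:8]
    seq, = struct.unpack("!I", wire[20:24])
    if seq < last_seq.get(router_id, 0):
        return False
    last_seq[router_id] = seq
    return True


# Constructed Hello body: netmask, hello interval 10, options E, priority 1,
# dead interval 40, DR 0, BDR 0 (no neighbours listed).
HELLO_BODY = ip4("255.255.255.0") + struct.pack("!HBBI", 10, 0x02, 1, 40) + b"\x00" * 8
KEY = b"s3cret"

if __name__ == "__main__":
    plain = build_simple("10.0.0.201", "0.0.0.0", HELLO_BODY, KEY)
    signed = build_md5("10.0.0.201", "0.0.0.0", HELLO_BODY, KEY, key_id=1, seq=100)
    print("key visible with simple auth:", KEY in plain)   # True
    print("key visible with md5 auth:   ", KEY in signed)  # False
    print("digest verifies:", verify_md5(signed, KEY))      # True
```

MD5 here is a keyed digest, not encryption: the Hello content is still readable by anyone on the segment, but it cannot be altered or forged without the key, and a captured packet cannot be replayed once a higher sequence number has been seen.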
This facility provides tools for additional in-depth configuration of OSPF interface-specific parameters. You do not have to configure interfaces in order to run OSPF. Property Description interface (name; default: all) - interface on which OSPF will run • all - is used for the interfaces not having any specific settings cost (integer: 1..65535; default: 1) - interface cost expressed as link state metric priority (integer: 0..255; default: 1) - router's priority.
Property Description neighbor-id (IP address; default: 0.0.0.0) - specifies the router-id of the neighbour transit-area (name; default: (unknown)) - a non-backbone area the two routers have in common Notes Virtual links cannot be established through stub areas Example To add a virtual link with the 10.0.0.201 router through the ex area, do the following: [admin@Wandy] routing ospf virtual-link> add neighbor-id=10.0.0.201 \ \...
dr-id (read-only: IP address) - designated router's router id for this neighbor backup-dr-id (read-only: IP address) - backup designated router's router id for this neighbor Notes The neighbour list also displays the router itself Example The following text can be observed just after adding an OSPF network: [admin@Wandy] routing ospf> neighbor print router-id=10.0.0.204 address=10.0.0.204 priority=1 state="2-Way" state-changes=0 ls-retransmits=0 ls-requests=0 db-summaries=0 dr-id=0.0.0.0 backup-dr-id=0.
General Information Summary Wandy RouterOS implements RIP Version 1 (RFC 1058) and Version 2 (RFC 2453). RIP enables routers in an autonomous system to exchange routing information. It always uses the best path available, i.e. the path with the fewest hops (routers).
• RIPv2 Protocol • Cisco Systems RIP protocol overview General Setup Property Description redistribute-static (yes | no; default: no) - specifies whether to redistribute static routes to neighbour routers or not redistribute-connected (yes | no; default: no) - specifies whether to redistribute connected routes to neighbour routers or not redistribute-ospf (yes | no; default: no) - specifies whether to redistribute routes learned via OSPF protocol to neighbour routers or not redistribute-bgp (yes | no; defa
garbage-timer: 2m [admin@Wandy] routing rip> Interfaces routing rip interface Description In general you do not have to configure interfaces in order to run RIP. This command level is provided only for additional configuration of specific RIP interface parameters.
To start the RIP protocol, you have to define the networks on which RIP will run. Property Description address (IP address/mask; default: 0.0.0.0/0) - specifies the network on which RIP will run. Only directly connected networks of the router may be specified netmask (IP address; default: 0.0.0.0) - specifies the network part of the address (if it is not specified in the address argument) Notes For point-to-point links you should specify the remote endpoint IP address as the network IP address.
Property Description dst-address (read-only: IP address/mask) - network address and netmask of destination gateway (read-only: IP address) - last gateway on the route to destination metric (read-only: integer) - distance vector length to the destination network from (IP address) - specifies the IP address of the router from which the route was received Notes This list shows routes learned by all dynamic routing protocols (RIP, OSPF and BGP) Example To view the list of the routes: [admin@Wandy] routing rip
metric-static: 1 metric-connected: 1 metric-ospf: 1 metric-bgp: 1 update-timer: 30s timeout-timer: 3m garbage-timer: 2m [admin@Wandy] routing rip> The minimum required configuration of RIP interface is just enabling the network associated with the ether1 interface: [admin@Wandy] routing rip network> add address=10.0.0.0/2 [admin@Wandy] routing rip network> print # ADDRESS 0 10.0.0.
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default U - per-user static route, o - ODR Gateway of last resort is 192.168.1.2 to network 0.0.0.0 10.0.0.0/24 is subnetted, 1 subnets C 10.0.0.0 is directly connected, Ethernet0 R 192.
General Information Summary The Border Gateway Protocol (BGP) allows setting up an interdomain dynamic routing system that automatically generates the routing table for routing between autonomous systems (AS). Wandy RouterOS supports BGP Version 4, as defined in RFC 1771.
routing bgp Property Description enabled (yes | no; default: no) - enable or disable BGP as (integer; default: 1) - autonomous system number router-id (IP address; default: 0.0.0.0) - the Router identification in form of an IP address redistribute-connected (yes | no) - if enabled, the router will redistribute the information about all connected routes, i.e.
network (IP address/mask; default: 0.0.0.0/0) - network to advertise Notes You can add as many networks to the list as required. The router does not check whether a network is present in the routing table; it always advertises every network specified here, so a mistyped entry announces a prefix you may not own to all peers. Note the difference from OSPF, which uses its network list for a different purpose - to determine where to send updates. Example To advertise the network 159.148.150.192/27: [admin@modux] routing bgp network> add network=159.148.150.
0 192.168.0.254 65002 no no none none [admin@Wandy] routing bgp> peer print status # REMOTE-ADDRESS REMOTE-AS STATE ROUTES-RECEIVED 0 192.168.0.254 65002 connected 1 [admin@Wandy] routing bgp> Troubleshooting Description • The BGP does not learn routes from its peer Try to see if the peer is directly attached, or you should use the multihop flag when defining the peer and static routing to get the connection between the peers.
General Information Summary Prefix lists are used to filter routes received from or sent to other routers. Specifications Packages required: routing License required: level1 routing prefix-list Hardware usage: Not significant Related Documents • Package Management • IP Addresses and ARP • Routes, Equal Cost Multipath Routing, Policy Routing • RIP • BGP Description Filtering by prefix list involves matching the prefixes of routes with those listed in the prefix list.
Prefix List Rules routing prefix-list list Property Description prefix (IP address/mask; default: 0.0.0.0/0) - network prefix to match prefix-length (integer; default: 0-32) - length (range) of the network prefix in bits action (accept | reject; default: accept) - action to perform on routes that match the entry Notes There are two different values to match - the prefix (i.e. the destination address of the route with the network mask applied) and the prefix length. The prefix length is matched against the network mask of the received route.
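The two-part match described in the Notes, worked through on a BGP customer filter, as an added example that is not part of the manual and not RouterOS code. An entry matches a route when the route's network address masked with the entry's mask equals the entry prefix and the route's own prefix length lies in the entry's length range. Two details are assumptions of this example rather than statements of the manual: the first matching entry decides, and a route that matches no entry is rejected. All prefixes are documentation addresses.

```python
"""Route filtering by prefix list: masked-prefix match plus prefix-length
range.  Added example, not RouterOS code; first-match and implicit reject
are assumptions of this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Entry:
    prefix: str                  # like prefix=203.0.113.0/24
    length: Tuple[int, int]      # like prefix-length=24-28
    action: str = "accept"       # accept | reject


def entry_matches(entry: Entry, route: ipaddress.IPv4Network) -> bool:
    net = ipaddress.ip_network(entry.prefix, strict=False)
    lo, hi = entry.length
    # (a) apply the entry's mask to the route's address and compare
    masked = int(route.network_address) & int(net.netmask)
    # (b) the route's own mask length must fall inside the range
    return masked == int(net.network_address) and lo <= route.prefixlen <= hi


def filter_routes(rules: List[Entry], routes: List[str]) -> Tuple[List[str], List[str]]:
    """Return (accepted, rejected) route strings, first matching entry wins."""
    accepted, rejected = [], []
    for text in routes:
        route = ipaddress.ip_network(text, strict=False)
        verdict = "reject"                       # assumed: no match -> reject
        for entry in rules:
            if entry_matches(entry, route):
                verdict = entry.action
                break
        (accepted if verdict == "accept" else rejected).append(str(route))
    return accepted, rejected


# Inbound filter for a BGP customer session: the customer may announce
# exactly 198.51.100.0/24, and 203.0.113.0/24 or its subnets down to /28.
CUSTOMER_IN = [
    Entry("198.51.100.0/24", (24, 24)),
    Entry("203.0.113.0/24", (24, 28)),
    Entry("0.0.0.0/0", (0, 32), "reject"),   # explicit catch-all
]

# Constructed announcements: one legitimate pair, a /25 more-specific that
# would hijack half of the customer prefix, a too-long /29, a private
# prefix and a default route.
RECEIVED = ["198.51.100.0/24", "198.51.100.0/25", "203.0.113.64/26",
            "203.0.113.0/29", "10.0.0.0/8", "0.0.0.0/0"]

if __name__ == "__main__":
    ok, dropped = filter_routes(CUSTOMER_IN, RECEIVED)
    print("accepted:", ok)
    print("rejected:", dropped)
```

The length range is what makes the filter safe: an entry of 198.51.100.0/24 with prefix-length 0-32 would also let through the /25 more-specific, which wins over the legitimate /24 in every router that accepts it.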
General Information Summary The Authentication, Authorization and Accounting feature provides local and/or remote (on a RADIUS server) Point-to-Point and HotSpot user management and traffic accounting (all IP traffic passing through the router is accounted).
exception is that particular IP addresses take precedence over IP pools in the local-address and remote-address settings, as described later on). RADIUS authentication gives the ISP or network administrator the ability to manage P2P user access and accounting from one server throughout a large network. Wandy RouterOS has a RADIUS client which can authenticate PPP, PPPoE, PPTP, L2TP and ISDN connections.
[admin@Wandy] user group> add name=reboot policy=telnet,reboot,read [admin@Wandy] user group> print 0 ;;; users with read only permission name="read" policy=local,telnet,ssh,!ftp,reboot,read,!write,!policy,test,web 1 ;;; users with write permission name="write" policy=local,telnet,ssh,!ftp,reboot,read,write,!policy,test,web 2 ;;; users with complete access name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,web 3 name="reboot" policy=!local,telnet,!ssh,!ftp,reboot,read,!write,!policy,!test
Monitoring Active Router Users user active print Property Description when (read-only: date) - log-in time name (read-only: name) - user name address (read-only: IP address) - IP address from which the user is accessing the router • 0.0.0.0 - the user is logged in locally via (read-only: console | telnet | ssh | web) - user's access method Example [admin@Wandy] user> active print Flags: R - radius # WHEN NAME ADDRESS VIA 0 feb/21/2003 17:48:21 admin 0.0.0.0 console 1 feb/24/2003 22:14:48 admin 10.0.0.
Local Point-to-Point AAA Local P2P User Profiles ppp profile Description P2P profiles are used to define default values for the users managed in the /ppp secret submenu. Settings in /ppp secret override the corresponding /ppp profile settings, except that when local-address or remote-address is configured in both /ppp secret and /ppp profile and one of them refers to an IP pool, the concrete IP address always takes precedence.
outgoing-filter="" wins-server="" [admin@Wandy] ppp profile> Use VJ compression only if you have to because it may slow down the communications on bad or congested channels. Example To add the profile ex that will assign the router itself the 10.0.0.1 address, and the addresses from the ex pool to the clients: [admin@Wandy] ppp profile> add name=ex local-address=10.0.0.1 remote-address=ex [admin@Wandy] ppp profile> print Flags: * - default 0 * name="default" local-address=0.0.0.0 remote-address=0.0.0.
Flags: X - disabled # NAME SERVICE CALLER-ID PASSWORD PROFILE 0 ex pptp lkjrht ex [admin@Wandy] ppp secret> print detail Flags: X - disabled 0 name="ex" service=pptp caller-id="" password="lkjrht" profile=ex local-address=0.0.0.0 remote-address=0.0.0.
To enable RADIUS AAA: [admin@Wandy] ppp aaa> set use-radius=yes [admin@Wandy] ppp aaa> print use-radius: yes accounting: yes interim-update: 0s [admin@Wandy] ppp aaa> Local IP Traffic Accounting ip accounting Description As each packet passes through the router, the packet source and destination addresses are matched against an IP pair in the accounting table and the traffic for that pair is increased. The traffic of PPP, PPTP, PPPoE, ISDN and HotSpot clients can be accounted on per-user basis too.
Local IP Traffic Accounting Table ip accounting snapshot Description When a snapshot is made for data collection, the accounting table is cleared and new IP pairs and traffic data are added. The more frequently traffic data is collected, the less likely it is that the IP-pair threshold limit will be reached.
initiated to the web page. The snapshot will be displayed on the web page. Because HTTP runs over TCP, a fetch with the wget tool guarantees that none of the traffic data will be lost. The snapshot is taken when the connection from wget is initiated. Web browsers or wget should connect to the URL: http://routerIP/accounting/ip.cgi Note that the page is served over plain HTTP without authentication, so use the address property to limit it to the hosts that should see the accounting data. Property Description accessible-via-web (yes | no; default: no) - whether the snapshot is available via web address (IP address/mask; default: 0.0.0.
Notes The order of the items in this list is significant. Microsoft Windows clients send their usernames in form domain\username Example To set a RADIUS server for HotSpot and PPP services that has 10.0.0.3 IP address and ex shared secret, you need to do the following: [admin@Wandy] radius> add service=hotspot,ppp address=10.0.0.3 secret=ex [admin@Wandy] radius> print Flags: X - disabled # SERVICE CALLED-ID DOMAIN ADDRESS SECRET 0 ppp,hotspot 10.0.0.
other UNIX RADIUS servers (e.g. XTRadius). Note that it may conflict with the default configuration files of the RADIUS server, which reference Attributes that are absent from this dictionary. Please correct the configuration files, not the dictionary, as no other Attributes are supported by Wandy RouterOS. There is also dictionary.Wandy, which can be included in an existing dictionary to support Wandy vendor-specific Attributes.
NOTE: if Framed-IP-Address or Framed-Pool is specified, it overrides remote-address in the default configuration
Idle-Timeout - overrides idle-timeout in the default configuration
Session-Timeout - overrides session-timeout in the default configuration
Class - cookie, will be included in Accounting-Request unchanged
Framed-Route - the format is specified in RFC 2865 (Ch. 5.22); can be specified as many times as needed
Filter-Id - firewall filter chain name
Stop Accounting-Request These packets can additionally have: Acct-Terminate-Cause session termination cause (see RFC2866 5.
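What the shared secret configured with /radius add ... secret=... actually protects, as an added example that is not part of the manual and not RouterOS code: the client side hides the User-Password attribute the way RFC 2865 section 5.2 prescribes (XOR with MD5 of the secret and the Request Authenticator), the server side recovers it, and the Response Authenticator of the Access-Accept is computed and checked so that a reply forged by someone without the secret, or a Reject rewritten into an Accept, is refused. The user name, password, the secret ex from the example above and the fixed Request Authenticator are constructed sample values.

```python
"""RADIUS Access-Request / Access-Accept, RFC 2865: password hiding and
the Response Authenticator, both keyed by the shared secret.  Added
example, not RouterOS code; all values below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple; XOR each block with
    MD5(secret + previous block), the first block using the Request
    Authenticator.  Nothing but the secret protects the password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (the server side).  Trailing NULs are padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    """Type -> value for the attributes after the 20-byte header; refuses
    malformed lengths instead of reading past the buffer."""
    attrs, i = {}, 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        kind, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("bad attribute length")
        attrs[kind] = packet[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, user: bytes, password: bytes,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    request_auth = request_auth or os.urandom(16)     # must be unpredictable
    attrs = attribute(USER_NAME, user) + \
        attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """The client's check: the code byte is covered by the digest, so a
    Reject cannot be turned into an Accept without the secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


SECRET = b"ex"                       # the shared secret from the example above
FIXED_AUTH = bytes(range(16))        # constructed; real clients use os.urandom(16)

if __name__ == "__main__":
    req = build_access_request(7, b"joe", b"lkjrht", SECRET, FIXED_AUTH)
    print("password in clear on the wire:", b"lkjrht" in req)            # False
    print("server recovers:",
          reveal_password(parse_attributes(req)[USER_PASSWORD], SECRET, FIXED_AUTH))
    accept = build_response(ACCESS_ACCEPT, req, SECRET)
    print("genuine accept verifies:", verify_response(accept, req, SECRET))  # True
```

The password hiding is only as strong as the secret and the randomness of the Request Authenticator, and the user name and every other attribute travel in clear text; a short secret like ex is fine for a worked example but not for a production server reachable beyond a trusted management network.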
This document applies to Wandy RouterOS V2.8 General Information Summary SSL (Secure Sockets Layer) is a security technology to ensure encrypted transactions over a public network. To protect the data, an encryption key has to be negotiated; the SSL protocol uses Certificates to negotiate the key used for data encryption.
used for encryption, and the other for decryption. It is important to understand that both keys can encrypt and decrypt, but what is encrypted by one of them can be decrypted only by the other. The private key must be kept securely, so that nobody else can get it and use this certificate. Usually the private key is encrypted with a passphrase. Most trusted Certificate Authorities sell the service of signing Certificates (Certificates also have a finite validity term, so you will have to pay regularly).
Notes Server certificates may have the ca property set to no, but Certificate Authority certificates must have it set to yes. Certificates and encrypted private keys are imported from and exported to the router's FTP server. Private keys are not stored on the router in unencrypted form. Cached decrypted private keys are stored in encrypted form, using a key that is derived from the router ID. Passphrases are not stored on the router. Configuration backup does not include cached decrypted private keys.
4 ssh 22 0.0.0.0/0 5 hotspot-ssl 443 0.0.0.0/0 cert1 [admin@Wandy] ip service> FTP (File Transfer Protocol) Server Document revision 2.2 (Tue Apr 06 13:25:13 GMT 2004) This document applies to Wandy RouterOS V2.8 Table of Contents Table of Contents Summary Specifications Related Documents File Transfer Protocol Server Description Property Description Command Description General Information Summary Wandy RouterOS implements File Transfer Protocol (FTP) server feature.
File Transfer Protocol Server file Description Wandy RouterOS has an industry standard FTP server feature. It uses ports 20 and 21 for communication with other hosts on the network. Do not disable these ports on your router! Uploaded files as well as exported configuration or backup files can be accessed under the /file menu. There you can delete unnecessary files from your router. Authentication via FTP uses the router's system user account names and passwords. Note that FTP sends these credentials, and the files it transfers (including configuration exports), in clear text; use the address property of the ftp entry under /ip service to restrict the service to trusted source addresses.
Example General Information Summary Ping uses Internet Control Message Protocol (ICMP) Echo messages to determine if a remote host is active or inactive and to determine the round-trip delay when communicating with it.
If the DNS service is configured, it is possible to ping by DNS name. To do it from Winbox, you should resolve the DNS name first, by pressing the right mouse button over the address and choosing Lookup Address. The packet size may not be greater than the interface's MTU. If 'pinging' by MAC address, the minimal packet size is 50. Only neighbour Wandy RouterOS routers with the MAC-ping feature enabled can be 'pinged' by MAC address. Example An example of the Ping command: [admin@Wandy] > ping 159.148.60.
queues should always be configured on the outgoing interface regarding the traffic flow. There are two additional virtual interfaces in queue tree which are used to limit all the traffic coming to (global-in) or leaving (global-out) the router regardless of physical interface.
queues (known as classless queues) are attached to the main (attached to the root, which represent real interface) Hierarchical Token Bucket (HTB) and thus have some properties derived from that parent queue. With classful queues it is possible to deploy hierarchical queue trees. For example, we can set a maximum data rate for a workgroup and then distribute that amount of traffic between the members of that group as we can do with simple queues attached to the main HTB, but with upper limit.
• global-in - represents all the input interfaces in general (INGRESS queue). Please note that queues attached to global-in apply to incoming traffic, not outgoing. global-in queueing takes place just after mangle and dst-nat. PCQ The PCQ (Per Connection Queue) type is used for limiting the data rate of each connection.
kind (pfifo | bfifo | red | sfq | pcq; default: pfifo) - kind of the queuing algorithm used: • pfifo - Packets First-In First-Out • bfifo - Bytes First-In First-Out • red - Random Early Detection • sfq - Stochastic Fair Queuing • pcq - Per Connection Queuing bfifo-limit (integer; default: 15000) - BFIFO queue limit. Maximum byte count that the queue can hold pfifo-limit (integer; default: 10) - PFIFO queue limit.
Property Description interface (name) - interface name queue (name; default: default) - default queue for the interface Example To change the default queue type to wireless-default for the wlan1 interface: [admin@Wandy] queue interface> print # INTERFACE QUEUE 0 ether1 default 1 wlan1 default [admin@Wandy] queue interface> set wlan1 queue=wireless-default [admin@Wandy] queue interface> print # INTERFACE QUEUE 0 ether1 default 1 wlan1 wireless-default [admin@Wandy] queue interface> Configuring Simple Queue
total-burst-threshold (text; default: 0) - Total (bidirectional) average burst threshold (bits/s) total-burst-time (text; default: 0) - total (bidirectional) burst time Notes max-limit must be equal or greater than limit-at. Queue rules are processed in the order they appear in the list. If some packet matches the queue rule, then the queuing mechanism specified in that rule is applied to it, and no more rules are processed for that packet. The value 0 means that these settings will be ignored.
burst-time (text; default: 0) - for how long the burst is allowed Notes max-limit must be equal to or greater than limit-at. To apply queues to flows, the mangle feature should be used first to mark incoming packets. The router tries to apply queue trees before simple queues. Example To mark all the traffic going from web-servers (TCP port 80) with the abc-http mark: [admin@Wandy] ip firewall mangle> \...
Thus, the network administrator is able to allocate a definite portion of the total data rate and grant it to a particular network segment or interface. Also the data rate of particular nodes can be limited by using this mechanism. Example of Emulating a 128k/64k Line Assume we want to emulate a 128k download and 64k upload line connecting IP network 192.168.0.0/24. The network is served through the Local interface of customer's router.
1 name="Server" target-address=0.0.0.0/0 dst-address=192.168.0.17/32 interface=Local queue=default priority=8 limit-at=0/0 max-limit=0/0 [admin@Wandy] queue simple> move 1 0 [admin@Wandy] queue simple> print Flags: X - disabled, I - invalid, D - dynamic 0 name="Server" target-address=0.0.0.0/0 dst-address=192.168.0.17/32 interface=Local queue=default priority=8 limit-at=0/0 max-limit=0/0 1 name="LimitClients" target-address=0.0.0.0/0 dst-address=0.0.0.
priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0 [admin@Wandy] queue tree> Thus, we used queue trees for limiting the upload.
[admin@Wandy] ip firewall src-nat> Then we have to mark download and upload traffic. To do so with masqueraded traffic, let's add 2 mangle rules: the first one marks the p2p connection coming from the local network (192.168.0.0/24) with the mark p2p_con, the second one marks all packets within this connection with the mark p2p_limit, which will be used for limiting the upload and download traffic. [admin@Wandy] ip firewall mangle> add src-address=192.168.0.0/24 p2p=all-p2p \ \...
Configuration Export and Import Document revision 2.1 (Fri Mar 05 08:51:02 GMT 2004) This document applies to Wandy RouterOS V2.8 General Information Summary The configuration export feature is used to dump part of or the whole RouterOS configuration. The result can then be edited and imported into the same or another router. Note that an export contains the configuration as print shows it, including values that print displays in clear text (for example the password of a /ppp secret), so treat export files as sensitive.
not descend recursively through the command hierarchy. export also has the argument file, which allows you to save the script in a file on the router to retrieve it later via ftp. The root level command /import file_name restores the exported information from the specified file. This is used to restore configuration or part of it after a /system reset event or anything that causes configuration data loss. Note that it is impossible to import the whole router configuration using this feature.
Description The import command is used to load a saved configuration script. Example To load the saved export file use the following command: [admin@Wandy] > import address.rsc Opening script file address.rsc Script file loaded successfully [admin@Wandy] > SNMP Service Document revision 1.6 (Thu Mar 18 20:00:38 GMT 2004) This document applies to Wandy RouterOS V2.
General Information Summary SNMP is an application layer protocol. It is called simple because it works that way - the management station makes a request, and the managed device (SNMP agent) replies to this request. In SNMPv1 there are three main actions - Get, Set, and Trap. RouterOS supports only Get, which means that you can use this implementation only for network monitoring. SNMP agents receive requests on UDP port 161; trap messages are sent to the management station on UDP port 162. Note that SNMPv1 authenticates a request only by its community name, which is sent in clear text in every packet.
Property Description enabled (yes | no) - whether the SNMP service is enabled contact (text; default: "") - contact information for the NMS location (text; default: "") - location information for the NMS Example To enable the service, specifying some info: [admin@Wandy] snmp> set contact="admin@riga-2" location="3rd floor" enabled="yes" [admin@Wandy] snmp> print enabled: yes contact: admin@riga-2 location: 3rd floor [admin@Wandy] snmp> SNMP Communities snmp community Description The community name is a v
You can use the SNMP protocol to get statistics from the router in these submenus: • /interface • /interface pc • /interface wavelan • /interface wireless • /interface wireless registration-table • /queue simple • /queue tree • /system identity • /system resource Example To see available OID values, just type print oid. For example, to see available OIDs in /system resource: [admin@motors] system resource> print oid uptime: .1.3.6.1.2.1.1.3.0 total-hdd-space: .1.3.6.1.2.1.25.2.3.1.5.1 used-hdd-space: .1.3.
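What an SNMPv1 Get for one of the OIDs printed above looks like on the wire, as an added example that is not part of the manual and not RouterOS code. It BER-encodes a GetRequest for sysUpTime (.1.3.6.1.2.1.1.3.0, from the print oid output) and then parses the same bytes the way a sniffer on the path would, which shows that the community name is the only credential and is readable by anyone who can see the packet. The community public and the request id are constructed sample values; the OID encoder is general enough to handle the enterprise OIDs used in the MRTG configuration further on.

```python
"""SNMPv1 GetRequest: BER encoding and decoding (RFC 1157 message,
RFC 1155 OID rules).  Added example, not RouterOS code."""
from typing import List, Tuple

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, GET_REQUEST = 0x02, 0x04, 0x05, 0x06, 0x30, 0xA0


def _length(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def encode_int(value: int) -> bytes:
    """Non-negative INTEGER with a minimal two's-complement body."""
    return tlv(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_oid(oid: str) -> bytes:
    """First two arcs fold into one byte (40*a+b); the rest are base-128
    with a continuation bit, e.g. arc 14988 -> f5 0c."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(OID, body)


def get_request(community: bytes, oids: List[str], request_id: int) -> bytes:
    """SNMPv1 message: version 0, community, GetRequest-PDU with NULL values."""
    varbinds = b"".join(tlv(SEQUENCE, encode_oid(o) + tlv(NULL, b"")) for o in oids)
    pdu = tlv(GET_REQUEST, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(SEQUENCE, varbinds))
    return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, community) + pdu)


def _read_tlv(buf: bytes, i: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, index after the element); bounds are checked."""
    if i + 2 > len(buf):
        raise ValueError("truncated element")
    tag, length = buf[i], buf[i + 1]
    i += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    if i + length > len(buf):
        raise ValueError("element runs past buffer")
    return tag, buf[i:i + length], i + length


def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_request(msg: bytes) -> Tuple[int, bytes, int, List[str]]:
    """What a sniffer on the path sees: (version, community, request-id, oids)."""
    _, body, _ = _read_tlv(msg, 0)
    _, version, i = _read_tlv(body, 0)
    _, community, i = _read_tlv(body, i)
    _, pdu, _ = _read_tlv(body, i)
    _, req_id, j = _read_tlv(pdu, 0)
    _, _, j = _read_tlv(pdu, j)          # error-status
    _, _, j = _read_tlv(pdu, j)          # error-index
    _, vbl, _ = _read_tlv(pdu, j)
    oids, k = [], 0
    while k < len(vbl):
        _, vb, k = _read_tlv(vbl, k)
        _, oid_body, _ = _read_tlv(vb, 0)
        oids.append(decode_oid(oid_body))
    return int.from_bytes(version, "big"), community, int.from_bytes(req_id, "big"), oids


UPTIME_OID = "1.3.6.1.2.1.1.3.0"       # sysUpTime, from 'print oid' above

if __name__ == "__main__":
    msg = get_request(b"public", [UPTIME_OID], 42)
    print(msg.hex())
    print(parse_request(msg))   # community readable by anyone on the path
```

Because the agent answers any request carrying the right community string, the practical controls are a community name that is not public and restricting which management stations may query the router; the protocol itself offers nothing stronger in version 1.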
interfaces.ifTable.ifEntry.ifIndex interfaces.ifTable.ifEntry.ifDescr interfaces.ifTable.ifEntry.ifType interfaces.ifTable.ifEntry.ifMtu interfaces.ifTable.ifEntry.ifSpeed interfaces.ifTable.ifEntry.ifPhysAddress interfaces.ifTable.ifEntry.ifAdminStatus interfaces.ifTable.ifEntry.ifOperStatus interfaces.ifTable.ifEntry.ifLastChange interfaces.ifTable.ifEntry.ifInOctets interfaces.ifTable.ifEntry.ifInUcastPkts interfaces.ifTable.ifEntry.ifInNUcastPkts interfaces.ifTable.ifEntry.ifInDiscards interfaces.
ip.ipForward.ipCidrRouteTable.ipCidrRouteEntry.ipCidrRouteNextHopAS ip.ipForward.ipCidrRouteTable.ipCidrRouteEntry.ipCidrRouteMetric1 ip.ipForward.ipCidrRouteTable.ipCidrRouteEntry.ipCidrRouteMetric2 ip.ipForward.ipCidrRouteTable.ipCidrRouteEntry.ipCidrRouteMetric3 ip.ipForward.ipCidrRouteTable.ipCidrRouteEntry.ipCidrRouteMetric4 ip.ipForward.ipCidrRouteTable.ipCidrRouteEntry.ipCidrRouteMetric5 ip.ipForward.ipCidrRouteTable.ipCidrRouteEntry.ipCidrRouteStatus Note that obsolete ip.
ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCOutBroadcastPkts ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHighSpeed RFC2790 host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageAllocationFailures Tools for SNMP Data Collection and Analysis Description MRTG (Multi Router Traffic Grapher) is the most commonly used SNMP monitor. For further information, see this link: http://people.ee.ethz.
[MRTG target page residue: Max Speed 1250.0 kBytes/s, IP 10.10.2.1]
### Queue 'queue1'
Target[RouterBOARD_queue]: 1.3.6.1.4.1.14988.1.1.2.1.1.8.1&1.3.6.1.4.1.14988.1.1.2.1.1.9.1:public@1.1.1.3
#SetEnv[RouterBOARD_queue]: MRTG_INT_IP="1.1.1.
General Information Summary MAC telnet is used to provide access to a router that has no IP address set. It works just like IP telnet, so the session, including the login password, is not encrypted; restrict the server to trusted interfaces as in the example below. MAC telnet is possible between two Wandy RouterOS routers only.
Example To enable the MAC telnet server on the ether1 interface only:
[admin@Wandy] tool mac-server> print
Flags: X - disabled
  # INTERFACE
  0 all
[admin@Wandy] tool mac-server> remove 0
[admin@Wandy] tool mac-server> add interface=ether1 disabled=no
[admin@Wandy] tool mac-server> print
Flags: X - disabled
  # INTERFACE
  0 ether1
[admin@Wandy] tool mac-server>
Monitoring Active Session List tool mac-server sessions Property Description interface (read-only: name) - interface the client is connected to src-address (r
Ping Document revision 15-Jul-2003 (1.10) This document applies to Wandy RouterOS V2.
the number of routers between the source and the destination. The Ping Command Command name: /ping Property Description (IP address | MAC address) - IP or MAC address for destination host size (integer: 28..65535; default: 64) - size of the IP packet (in bytes, including the IP and ICMP headers) do-not-fragment - if added, packets will not be fragmented interval (time: 10ms..
To disable MAC pings: [admin@Wandy] tool mac-server ping> set enabled=no [admin@Wandy] tool mac-server ping> print enabled: no [admin@Wandy] tool mac-server ping> DDNS Update Tool Document revision 1.2 (Fri Mar 05 09:33:48 GMT 2004) This document applies to Wandy RouterOS V2.
Standards and Technologies: Dynamic Updates in the DNS (RFC 2136), Secure DNS Dynamic Update (RFC 3007) Hardware usage: Not significant Related Documents • Package Management Description Dynamic DNS Update is a tool that has to be run manually to update a dynamic DNS server. Note that you need a properly configured DNS server that supports DNS updates. Plain RFC 2136 updates carry no authentication of their own, so the server's update policy or the RFC 3007 secure update mechanism must restrict who may change the record.
Document revision 1.2 (Fri Mar 05 09:45:04 GMT 2004) This document applies to Wandy RouterOS V2.8 Table of Contents Table of Contents General Information Summary Specifications Related Documents Description The Torch Command Property Description Notes Example General Information Summary Realtime traffic monitor may be used to monitor the traffic flow through an interface.
Property Description interface (name) - the name of the interface to monitor protocol (any | any-ip | icmp | igmp | ipip | ospf | pup | tcp | udp | integer) - the name or number of the protocol • any - any ethernet or IP protocol • any-ip - any IP protocol port (name | integer) - the name or number of the port source-address (IP address/mask) - source address and network mask to filter the traffic only with such an address, any source address: 0.0.0.
Bandwidth Test Document revision 1.5 (Fri Mar 05 09:19:20 GMT 2004) This document applies to Wandy RouterOS V2.
Protocol Description The TCP test uses the standard TCP protocol with acknowledgments and follows the TCP algorithm on how many packets to send according to latency, dropped packets, and other features in the TCP algorithm. Please review the TCP protocol for details on its internal speed settings and how to analyze its behavior. Statistics for throughput are calculated using the entire size of the TCP packet.
[admin@Wandy] tool> Active sessions: [admin@Wandy] tool> bandwidth-server session print # CLIENT PROTOCOL DIRECTION USER 0 35.35.35.1 udp send admin 1 25.25.25.1 udp send admin 2 36.36.36.
tx-total-average: 3.53Mbps rx-current: 3.33Mbps rx-10-second-average: 3.68Mbps rx-total-average: 3.49Mbps [admin@Wandy] tool> Packet Sniffer Document revision 1.3 (Tue Mar 30 18:37:16 GMT 2004) This document applies to Wandy RouterOS V2.
Property Description Example Sniff MAC Address General Information Summary Packet sniffer is a feature that captures all the data travelling over the network that it is able to see (on a switched network, a computer can capture only the data addressed to it or forwarded through it).
filter-protocol (all-frames | ip-only | mac-only-no-ip; default: ip-only) - specific protocol group to filter • all-frames - sniff all packets • ip-only - sniff IP packets only • mac-only-no-ip - sniff non-IP packets only filter-address1 (IP address/mask:port; default: 0.0.0.0/0:0-65535) - criterion of choosing the packets to process filter-address2 (IP address/mask:port; default: 0.0.0.
file save command is used.
• idpr-cmtp - idpr Control Message Transport • gre - General Routing Encapsulation • esp - IPsec ESP protocol • ah - IPsec AH protocol • rspf - Radio Shortest Path First • vmtp - Versatile Message Transport Protocol • ospf - Open Shortest Path First • ipip - IP encapsulation • encap - IP encapsulation protocol (read-only: ip | arp | rarp | ipx | ipv6) - the name/number of ethernet protocol • ip - Internet Protocol • arp - Address Resolution Protocol
• rarp - Reverse Address Resolution Protocol • ipx - Internet Packet exchange protocol • ipv6 - Internet Protocol next generation ip-protocol (ip | icmp | igmp | ggp | ipencap | st | tcp | egp | pup | udp | hmp | xns-idp | rdp | iso-tp4 | xtp | ddp | idrp-cmtp | gre | esp | ah | rspf | vmtp | ospf | ipip | encap) - the name/number of IP protocol • ip - Internet Protocol • icmp - Internet Control Message Protocol • igmp - Internet Group Management Protocol • ggp - Gateway-Gateway Protocol • ipencap - IP Enca
tool sniffer host Description The submenu shows the list of hosts that were participating in the data exchange you've sniffed.
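The filter-address1 and filter-address2 properties above use the form 'IP address/mask:port', where the port part is either a single port or a low-high range (the default 0.0.0.0/0:0-65535 matches everything). The following Python block is an added example, not code from the Wandy RouterOS manual or from the router itself: it parses that form and selects constructed packets against a pair of filters. The pairing rule it applies (a packet is selected when one endpoint matches filter-address1 and the other matches filter-address2, in either direction) is an assumption of the example, not a statement of the router's exact matching semantics.

```python
"""Parser and matcher for the sniffer 'address/mask:port' filter syntax.

Added example, not code from the RouterOS manual or from MikroTik.
The either-direction pairing of the two filters is an assumption.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AddressFilter:
    network: ipaddress.IPv4Network
    port_low: int
    port_high: int

    def matches(self, addr: str, port: int) -> bool:
        """True if addr lies in the network and port is inside the range."""
        return (ipaddress.IPv4Address(addr) in self.network
                and self.port_low <= port <= self.port_high)


def parse_filter(spec: str) -> AddressFilter:
    """Parse 'a.b.c.d/len:port' or 'a.b.c.d/len:low-high'."""
    try:
        addr_part, port_part = spec.rsplit(":", 1)
    except ValueError:
        raise ValueError(f"missing ':port' in filter {spec!r}")
    # strict=False lets '10.0.0.5/24' denote the /24 that contains that host
    network = ipaddress.IPv4Network(addr_part, strict=False)
    if "-" in port_part:
        low_s, high_s = port_part.split("-", 1)
        low, high = int(low_s), int(high_s)
    else:
        low = high = int(port_part)
    if not (0 <= low <= high <= 65535):
        raise ValueError(f"bad port range in filter {spec!r}")
    return AddressFilter(network, low, high)


def packet_selected(packet: dict, f1: AddressFilter, f2: AddressFilter) -> bool:
    """True if one endpoint matches f1 and the other f2, in either direction."""
    src = (packet["src"], packet["sport"])
    dst = (packet["dst"], packet["dport"])
    forward = f1.matches(*src) and f2.matches(*dst)
    reverse = f1.matches(*dst) and f2.matches(*src)
    return forward or reverse


# Constructed sample packets (not captured from a real network)
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.1", "dport": 22},
    {"src": "192.168.1.1", "sport": 22, "dst": "10.0.0.5", "dport": 40001},
    {"src": "10.0.0.7", "sport": 53000, "dst": "192.168.1.1", "dport": 80},
    {"src": "172.16.0.9", "sport": 1234, "dst": "192.168.1.1", "dport": 22},
]


def select_packets(spec1: str, spec2: str, packets=SAMPLE_PACKETS):
    """Return the indexes of the packets that the filter pair would keep."""
    f1, f2 = parse_filter(spec1), parse_filter(spec2)
    return [i for i, p in enumerate(packets) if packet_selected(p, f1, f2)]


if __name__ == "__main__":
    # The default filters keep everything
    print(select_packets("0.0.0.0/0:0-65535", "0.0.0.0/0:0-65535"))
    # Only SSH sessions between the 10.0.0.0/24 LAN and the router address
    print(select_packets("10.0.0.0/24:0-65535", "192.168.1.1/32:22"))
```

With the default pair every sample packet is kept; with the narrower pair only the two SSH packets (one in each direction) survive, while the HTTP packet and the packet from the 172.16.0.0 host are dropped.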
is running, and select a specific interface: [admin@Wandy] tool sniffer> stop [admin@Wandy] tool sniffer> set interface=bridge1 [admin@Wandy] tool sniffer> start [admin@Wandy] tool sniffer> print interface: bridge1 only-headers: no memory-limit: 10 file-name: file-limit: 10 streaming-enabled: no streaming-server: 0.0.0.0 filter-stream: yes filter-protocol: ip-only filter-address1: 0.0.0.0/0:0-65535 filter-address2: 0.0.0.
Table of Contents General Information Summary Specifications Related Documents Description The Traceroute Command Property Description Notes Example General Information Summary Traceroute determines how packets are being routed to a particular host.
Property Description (IP address) - IP address of the host you are tracing route to port (integer: 0..65535) - UDP port number protocol (UDP | ICMP) - type of protocol to use. If one fails (for example, it is blocked by a firewall), try the other size (integer: 28..1500; default: 64) - packet size in bytes timeout (time: 1s..8s; default: 1s) - response waiting timeout, i.e. delay between messages tos (integer: 0..
Table of Contents Table of Contents Summary Specifications Related Documents ICMP Bandwidth Test Description Property Description Example General Information Summary The ICMP Bandwidth Tester (Ping Speed) can be used to approximately evaluate the throughput to any remote computer and thereby help to discover network 'bottlenecks'.
first-ping-size (integer: 32..64000; default: 32) - first ICMP packet size second-ping-size (integer: 32..64000; default: 1500) - second ICMP packet size time-between-pings (integer) - the time between the first and the second ICMP echo-requests in seconds. A new ICMP-packet pair will never be sent before the previous pair is completely sent and the algorithm itself will never send more than two requests in one second once - specifies that the ping will be performed only once interval (time: 20ms..
PCI Information Property Description Example Reboot Description Notes Example Shutdown Description Notes Example Configuration Reset Description Example Router Identity Description Example Date and Time Property Description Notes Example Configuration Change History Description Command Description Notes Example General Information Summary Wandy RouterOS offers several features for monitoring and managing the system resources.
System Resource system resource Notes In the monitor command printout the values for CPU usage and free memory are in percent and kilobytes, respectively.
14 IDE 1 [admin@Wandy] > IO Port Usage Monitor Command name: /system resource io print Description IO usage shows which IO (Input/Output) ports are currently used by hardware.
Example To list all available USB ports: [admin@Wandy] system resource usb> print # DEVICE VENDOR NAME SPEED 0 1:1 USB OHCI Root Hub 12 Mbps [admin@Wandy] system resource usb> PCI Information Command name: /system resource pci print Property Description device (read-only: text) - number of device vendor (read-only: text) - vendor name of the USB device name (read-only: text) - name of the USB port irq (read-only: integer) - IRQ number which this device uses Example To see PCI slot details: [admin@Wandy]
Only users, which are members of groups with reboot privileges are permitted to reboot the router. Reboot can be called from scripts, in which case it does not prompt for confirmation. Example [admin@Wandy] > system reboot Reboot, yes? [y/N]: y system will reboot shortly [admin@Wandy] > Shutdown Command name: /system shutdown Description Before turning the power off for the router, the system should be brought to halt.
system identity Description The router identity is displayed before the command prompt. It is also used for DHCP client as 'host name' parameter when reporting it to the DHCP server.
The history of system configuration changes is held until the next router shutdown. The invoked commands can be 'undone' (in reverse order they have been invoked). The 'undone' commands may be 'redone' (in reverse order they have been 'undone').
Table of Contents Table of Contents Summary Specifications Related Documents Description Configuring the LCD's Settings Property Description Example LCD Information Display Configuration Description Property Description Notes Example LCD Troubleshooting Description General Information Summary LCDs are used to display system information. The Wandy RouterOS supports the following LCD hardware: • Crystalfontz (http://www.crystalfontz.
2 Data 0 7 3 Data 1 8 4 Data 2 9 5 Data 3 10 6 Data 4 11 7 Data 5 12 8 Data 6 13 9 Data 7 14 14 Register Select 4 18-25, GND Ground 1, 5, 16 Powering: As there are only 16 pins on the PC1602 modules, you need not connect power to the 17th pin. GND and +5V can be taken from the computer's internal power supply (use the black wire for GND and the red wire for +5V) WARNING! Be very careful when connecting the power supply. We do not recommend using external power supplies. In no event shall Wandy be liable for any hardware damage.
enabled: no
type: powertip
[admin@Wandy] system lcd>
To enable Powertip parallel port LCD:
[admin@Wandy] system lcd> print
enabled: no
type: powertip
[admin@Wandy] system lcd> set enabled=yes
[admin@Wandy] system lcd> print
enabled: yes
type: powertip
[admin@Wandy] system lcd>
To enable Crystalfontz serial LCD on serial1:
[admin@Wandy] system lcd> set type=crystalfontz
ERROR: can't acquire requested port - already used
[admin@Wandy] system lcd> set type=crystalfontz serial-port=serial1
[admin@Wandy] sy
3 X 5s Aggregate traffic in packets/sec 4 X 5s Aggregate traffic in bits/sec 5 X 5s Software version and build info 6 X 5s ether1 7 X 5s prism1 [admin@Wandy] system lcd page> enable [find] [admin@Wandy] system lcd page> print Flags: X - disabled # DISPLAY-TIME DESCRIPTION 0 5s System date and time 1 5s System resources - cpu and memory load 2 5s System uptime 3 5s Aggregate traffic in packets/sec 4 5s Aggregate traffic in bits/sec 5 5s Software version and build info 6 5s ether1 7 5s prism1 [admin@Wandy] sy
Support Output File Document revision 2.1.0 (Wed Mar 03 16:11:16 GMT 2004) This document applies to Wandy RouterOS V2.8 Table of Contents Table of Contents Summary Specifications Generating Support Output File Example General Information Summary The support file is used for debugging Wandy RouterOS and to solve the support questions faster. All Wandy Router information is saved in a binary file, which is stored on the router and can be downloaded from the router using ftp.
problem. SSH (Secure Shell) Server and Client Document revision 2.0 (Fri Mar 05 09:09:40 GMT 2004) This document applies to Wandy RouterOS V2.8 Table of Contents Table of Contents Summary Specifications Related Documents Additional Documents SSH Server Description Property Description Example SSH Client Example General Information Summary SSH Client authenticates server and encrypts traffic between the client and server.
• PuTTY • Secure CRT • Most SSH compatible telnet clients Specifications Packages required: security License required: level1 system ssh Standards and Technologies: SSH Hardware usage: Not significant Related Documents • Package Management Additional Documents • http://www.zip.com.au/~roca/ttssh.html • http://www.chiark.greenend.org.uk/~sgtatham/putty.htmll • http://pgpdist.mit.edu/FiSSH/index.html • http://telneat.lipetsk.ru/ • http://akson.sgh.waw.pl/~chopin/ssh/index_en.html • http://cs.mscd.
2 www 80 0.0.0.0/0 3 hotspot 8088 0.0.0.0/0 4 ssh 65 0.0.0.0/0 5 X hotspot-ssl 443 0.0.0.0/0 none [admin@Wandy] ip service> SSH Client Command name: /system ssh Example [admin@Wandy] ip service> /system ssh address: [admin@Wandy] ip service> / [admin@Wandy] > system ssh 10.1.0.
General Information Summary The configuration backup can be used for backing up Wandy RouterOS configuration to a binary file, which can be stored on the router or downloaded from it using ftp. The configuration restore can be used for restoring the router's configuration from a backup file. For exporting configuration or part of it to a text (script) file and importing it, please refer to the configuration export and import section of the Wandy RouterOS Manual.
Command name: /system backup load Example To load the saved backup file test: [admin@Wandy] system backup> load name=test Restore and reboot? [y/N]: N Serial Console and Terminal Document revision 2.0 (Wed Mar 03 16:12:49 GMT 2004) This document applies to Wandy RouterOS V2.
that can be connected to a serial (asynchronous) port. Specifications Packages required: system License required: level1 system Standards and Technologies: RS-232 Hardware usage: Not significant Related Documents • Package Management Additional Documents • http://www.camiresearch.com/Data_Com_Basics/RS232_standard.html • http://www.ctsystems.org/rs.
7 RTS OUT 8 8 CTS IN 7 Setting Serial Console system serial-console Property Description enabled (yes | no; default: no) - whether serial console is enabled or not port (name; default: serial0) - which port should the serial terminal listen to Example To enable Serial Console: [admin@Wandy] system serial-console> set enabled=yes [admin@Wandy] system serial-console> print enabled: yes port: serial0 [admin@Wandy] system serial-console> To check if the port is available or used: [admin@Wandy] system serial
To send [Ctrl]+[X] to the serial port, press [Ctrl]+[X] [Ctrl]+[X] To send [Ctrl]+[Q] to the serial port, press [Ctrl]+[X] [Ctrl]+[Q] Example To connect to a device connected to the serial1 port: [admin@Wandy] system> serial-terminal serial1 [Type Ctrl-Q to return to console] [Ctrl-X is the prefix key] GPS Synchronization Document revision 2.0 (Fri Mar 05 08:56:37 GMT 2004) This document applies to Wandy RouterOS V2.
Specifications Packages required: gps License required: level1 system gps Standards and Technologies: GPS, NMEA 0183, Simple Text Output Protocol Hardware usage: Not significant Related Documents • Package Management • NTP (Network Time Protocol) Description Global Positioning System (GPS) is used for determining precise location of a GPS receiver. There are two types of GPS service: • Precise Positioning Service (PPS) that is used only by U. S. and Allied military, certain U. S.
Notes If you are synchronizing system time with a GPS device, you should set the time zone correctly if it differs from GMT, as the satellites broadcast GMT (a.k.a. UTC) time.
Scripting Host and Complementary Tools Document revision 2.3 (Thu Apr 15 19:03:33 GMT 2004) This document applies to Wandy RouterOS V2.
Description Property Description Command Description Notes Example Task Management Description Property Description Example Script Editor Description Command Description Notes Example System Scheduler Specifications Description Property Description Notes Example Network Watching Tool Specifications Description Property Description Example Traffic Monitor Specifications Description Property Description Example Sigwatch Specifications Description Property Description Notes Example General Information Summary
console expressions. The configuration commands are described in the relevant documentation. The events that can be used to invoke a script include those generated by the System Scheduler, the Traffic Monitoring Tool and the Netwatch Tool.
For the command :for i from=1 to=10 do={:put $i} the parts are: prefix ':', action 'for', action_args 'i', params[=values] 'from=1 to=10 do={:put $i}'. For the command /interface monitor-traffic ether1,ether2,ipip1 the parts are: prefix '/', path 'interface', action 'monitor-traffic', action_args 'ether1,ether2,ipip1'. Expression Grouping Description This feature provides an easy way to execute commands from within one command level, by enclosing them in braces '{ }'.
Variables Description The console allows you to create and use global (system-wide) and local (usable only within the current script) variables. Variables are accessed by writing '$' followed by the name of the variable. Variable names can contain letters, digits and the '-' character. A variable must be declared before it is used in a script. There are three types of declaration available: • global - defined by the global action; global variables can be accessed by all scripts and console logins on the same router.
[admin@Wandy] > /interface
[admin@Wandy] interface> find type=ether
[admin@Wandy] interface>
[admin@Wandy] interface> :put [find type=ether]
*1,*2
[admin@Wandy] interface>
This way you can see the console's internal numbers of items. Naturally, you can use them in other commands:
[admin@Wandy] interface> enable [find type=ether]
[admin@Wandy] interface>
Operators Description The console can do simple calculations with numbers, time values, IP addresses, strings and lists.
an element to a list. Notes Note that when comparing two arrays, they are equal if their respective elements are equal.
comparison [admin@Wandy] false [admin@Wandy] true [admin@Wandy] false [admin@Wandy] false [admin@Wandy] false [admin@Wandy] ERROR: cannot [admin@Wandy] interface> :put (10.0.2.3<=2.0.3.
• boolean • string There is no way to explicitly control this type conversion. In the console, integers are internally represented as 64-bit signed numbers, so variable values can range from -9223372036854775808 to 9223372036854775807. They can be entered as hexadecimal numbers by prefixing them with 0x. Lists are written as a comma-separated sequence of values. Putting whitespace around the commas is not recommended, because it may confuse the console about word boundaries.
\... do={:put $i; :incr i;}; :unset i;} 0 1 2 3 4 5 6 7 8 9 [admin@Wandy] > do - this action takes one argument, which holds the console commands that must be executed. It is similar to the do statement of other commands. It also has two parameters, while and if. If no parameters are given, do executes its payload just once, which is of little use.
[admin@Wandy] > delay - this action does nothing for a given amount of time. It takes one argument, the amount of time to wait, which defaults to one second. time - this action calculates the amount of time needed to execute the given console commands. It takes one argument, which holds the console commands the time action should be applied to. The commands are executed once and the total amount of time taken is returned. [admin@Wandy] > :put [:time {:delay}] 1s34.
Monitor action with do argument can also be called directly from scripts. It will not print anything then, just execute the given script. Names of properties that can be accessed by get are the same as shown by print action, plus names of item flags (like the disabled in the example below). You can use [tab] key completions to see what properties any particular get action can return.
system script Description In RouterOS, a script may be started in three different ways: • according to a specific time or an interval of time • on an event - for example, if the netwatch tool sees that an address does not respond to pings • by another script Property Description source (text; default: "") - the script source code itself owner (name; default: admin) - the name of the user who created the script run-count (integer; default: 0) - script usage counter.
Task Management system script job Description This facility is used to manage the active or scheduled tasks.
• Ctrl+x - exits the editor, discarding changes Command Description edit (name) - opens the script specified by the name argument in the full-screen editor Notes All characters that are deleted by the backspace, delete or Ctrl+k keys are accumulated in the cut buffer. Pressing any other key finishes adding to this buffer (Ctrl+y pastes its contents), and the next delete operation will replace its contents. Undo does not change the contents of the cut buffer.
If more than one script has to be executed simultaneously, they are executed in the order they appear in the scheduler configuration. This can be important if one scheduled script is used to disable another one. The order of scripts can be changed with the move command. If a more complex execution pattern is needed, it can usually be done by scheduling several scripts, and making them enable and disable each other.
[admin@Wandy] system scheduler> add interval=7d name="email-backup" \ \... on-event=e-backup [admin@Wandy] system scheduler> print Flags: X - disabled # NAME ON-EVENT START-DATE START-TIME INTERVAL RUN-COUNT 0 email-... e-backup oct/30/2008 15:19:28 7d 1 [admin@Wandy] system scheduler> Do not forget to set the e-mail settings, i.e., the SMTP server and From: address under /tool e-mail. For example: [admin@Wandy] tool e-mail> set server=159.148.147.198 from=SysAdmin@host.
interval (time; default: 1s) - the time between pings. Lowering this will make state changes more responsive, but can create unnecessary traffic and consume system resources timeout (time; default: 1s) - timeout for each ping.
{.. subject="Router at second floor is up" to="rieks@latnet.lv"} [admin@Wandy] system script> [admin@Wandy] system script> /tool netwatch [admin@Wandy] system netwatch> add host=10.0.0.215 timeout=999ms \ \... interval=20s up-script=e-up down-script=e-down [admin@Wandy] tool netwatch> print detail Flags: X - disabled 0 host=10.0.0.
[admin@Wandy] system script> /tool traffic-monitor [admin@Wandy] tool traffic-monitor> add name=turn_on interface=ether1 \ \... on-event=eth-up threshold=15000 trigger=above traffic=received [admin@Wandy] tool traffic-monitor> add name=turn_off interface=ether1 \ \...
Notes You can type the actual script source instead of a script name from the /system script list. Example In the following example we add a new sigwatch item that monitors whether the port serial1 has the cts signal. [admin@10.179] tool sigwatch> pr Flags: X - disabled # NAME PORT SIGNAL ON-CONDITION LOG 0 test serial1 cts change no [admin@Wandy] tool sigwatch> By typing the command print detail interval=1s, we can check whether a cable is connected or not.
UPS Monitor Document revision 2.0 (Fri Mar 05 09:14:02 GMT 2004) This document applies to Wandy RouterOS V2.8 Table of Contents Table of Contents Summary Specifications Related Documents Description UPS Monitor Setup Property Description Notes Example Runtime Calibration Description Notes Example UPS Monitoring Property Description Example General Information Summary The UPS monitor feature works with APC UPS units that support “smart” signaling.
when the ‘utility’ power returns.
battery power is below 10% alarm-setting (delayed | immediate | low-battery | none; default: immediate) - UPS sound alarm setting: • delayed - alarm is delayed to the on-battery event • immediate - alarm immediately after the on-battery event • low-battery - alarm only when the battery is low • none - do not alarm rtc-alarm-setting (delayed | immediate | low-battery | none; default: none) - UPS sound alarm setting during run time calibration: • delayed - alarm is delayed to the on-battery event • immediate
Runtime Calibration Command name: /system ups run-time-calibration Description The run-time-calibration command causes the UPS to start a run time calibration until less than 25% of full battery capacity is reached. This command calibrates the returned run time value. Notes The test begins only if the battery capacity is 100%.
Example When running on utility power: [admin@Wandy] system ups> monitor on-line: yes on-battery: no run-time-left: 11m battery-charge: 100 battery-voltage: 13 line-voltage: 221 output-voltage: 221 load: 57 fequency: 50 [admin@Wandy] system ups> When running on battery: [admin@Wandy] system ups> monitor on-line: no on-battery: yes transfer-cause: "utility voltage notch or spike detected" run-time-left: 9m battery-charge: 95 battery-voltage: 11 line-voltage: 0 output-voltage: 233 load: 66 fequency: 50 [admi
Example Time Zone Notes Example General Information Summary The NTP protocol allows synchronizing time among computers in a network. It is good if an Internet connection is available and the local NTP server is synchronized to a correct time source. A list of public NTP servers is available at http://www.eecis.udel.edu/~mills/ntp/servers.
parallel client continues to look for more NTP servers by sending multicast messages periodically. Client system ntp client Property Description enabled (yes | no; default: no) - whether the NTP client is enabled or not mode (unicast | broadcast | multicast | manycast; default: unicast) - NTP client mode primary-ntp (IP address; default: 0.0.0.0) - specifies IP address of the primary NTP server secondary-ntp (IP address; default: 0.0.0.
239.192.1.1 and responds to them Notes The NTP server is active only when the local NTP client is in synchronized or using-local-clock mode. If the NTP server is disabled, all NTP requests are ignored. If the NTP server is enabled, all individual time requests are answered. CAUTION! Using broadcast, multicast and manycast modes is dangerous! An intruder (or an ordinary user) can set up their own NTP server.
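Added example (Python, not RouterOS code) illustrating the caution above from the monitoring side: a client configured for unicast mode with known primary-ntp and secondary-ntp servers should only ever accept server-mode replies from those addresses, so a broadcast-mode packet from anyone, or a server reply from another host, is a sign of a rogue time source on the segment. The block parses the fixed 48-byte NTP header (the RFC 1305 / RFC 5905 layout) from datagrams constructed inline; the server addresses 10.0.0.1 and 10.0.0.2, the other sources and the timestamps are made up for the example.

```python
"""Audit of NTP datagrams for sources a unicast-mode client should reject.

Added example, not RouterOS code. All addresses and packet bytes are
constructed for the example.
"""
import struct
from dataclasses import dataclass

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01
MODE_NAMES = {3: "client", 4: "server", 5: "broadcast"}


@dataclass
class NtpHeader:
    leap: int
    version: int
    mode: int
    stratum: int
    transmit_unix: float


def parse_ntp(payload: bytes) -> NtpHeader:
    """Decode the fixed 48-byte NTP header; ignores any extension fields."""
    if len(payload) < 48:
        raise ValueError("NTP header is 48 bytes")
    first, stratum = payload[0], payload[1]
    # transmit timestamp: seconds since 1900 (32 bits) plus a 32-bit fraction
    tx_sec, tx_frac = struct.unpack("!II", payload[40:48])
    return NtpHeader(
        leap=first >> 6,
        version=(first >> 3) & 0x7,
        mode=first & 0x7,
        stratum=stratum,
        transmit_unix=tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32,
    )


def build_ntp(mode: int, stratum: int, version: int = 3,
              tx_unix: int = 1078477200) -> bytes:
    """Build a minimal NTP datagram (constructed test data, not captured)."""
    first = (0 << 6) | (version << 3) | mode      # leap=0, version, mode
    header = struct.pack("!BBbb", first, stratum, 6, -20)  # poll 6, precision -20
    header += b"\x00" * 12                         # root delay, root dispersion, ref id
    header += b"\x00" * 24                         # reference, origin, receive timestamps
    header += struct.pack("!II", tx_unix + NTP_EPOCH_OFFSET, 0)
    return header


def audit(datagrams, configured_servers):
    """Return (index, reason) for each datagram a unicast client should reject.

    datagrams: iterable of (source_ip, payload_bytes).
    """
    findings = []
    for i, (src, payload) in enumerate(datagrams):
        h = parse_ntp(payload)
        if h.mode == 5:
            findings.append((i, f"broadcast-mode NTP from {src}"))
        elif h.mode == 4 and src not in configured_servers:
            findings.append((i, f"server reply from unconfigured host {src}"))
        elif h.mode == 4 and (h.stratum == 0 or h.stratum > 15):
            findings.append((i, f"unsynchronized reply (stratum {h.stratum}) from {src}"))
    return findings


# Constructed scenario: primary-ntp=10.0.0.1, secondary-ntp=10.0.0.2
PRIMARY, SECONDARY = "10.0.0.1", "10.0.0.2"
SAMPLE = [
    ("10.0.0.1", build_ntp(mode=4, stratum=2)),    # legitimate reply
    ("10.0.0.99", build_ntp(mode=5, stratum=1)),   # rogue broadcast announcement
    ("10.0.0.50", build_ntp(mode=4, stratum=2)),   # reply from a host we never asked
    ("10.0.0.2", build_ntp(mode=4, stratum=0)),    # configured, but not synchronized
]


def run_demo():
    return audit(SAMPLE, {PRIMARY, SECONDARY})


if __name__ == "__main__":
    for idx, reason in run_demo():
        print(idx, reason)
```

Only the first datagram passes: the broadcast, the reply from the unlisted host and the stratum-0 reply are each reported with a reason, which is the kind of check a segment-level monitor would raise an alert on when the router is deliberately kept in unicast mode.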
RouterBoard-specific functions Document revision 2.4 (Wed Mar 03 16:13:40 GMT 2004) This document applies to Wandy RouterOS V2.
• Health monitoring • LED control (may be used in scripting) • Console reset jumper Specifications Packages required: routerboard License required: level1 system routerboard Hardware usage: works only on RouterBOARD platform BIOS upgrading system routerboard Description The BIOS is needed to recognize all the hardware and boot the system up. Newer BIOS versions might have support for more hardware, so it's generally a good idea to upgrade the BIOS once a newer version is available.
BIOS Configuration system routerboard bios Description In addition to the BIOS's own setup possibilities, it is possible to configure BIOS parameters from the RouterOS console Property Description baud-rate (1200 | 2400 | 4800 | 9600 | 19200 | 38400 | 57600 | 115200; default: 9600) - initial bitrate of the onboard serial port debug-level (none | low | high) - BIOS output debug level • none - no debugging output • low - show only some debugging information • high - show all debugging information about the boot process
Description The LM87 health controller chip provides some measurements of temperature and voltage. The information becomes available no sooner than 2 minutes after boot-up. It is not available if the LM87 chip is not detected successfully. All values are 10-second averages, with short peak values ignored as likely read errors. Property Description core - CPU core voltage 3.3v - +3.
led1 (yes | no; default: no) - whether the LED1 is on led2 (yes | no; default: no) - whether the LED2 is on led3 (yes | no; default: no) - whether the LED3 is on led4 (yes | no; default: no) - whether the LED4 is on length (time; default: 0s) - how long to hold the given combination • 0s - no limit Notes The command does not imply a pause in execution. It works asynchronously, allowing execution to continue right after the command is entered, without waiting for the LEDs to switch off.
Table of Contents Table of Contents General Information Summary Specifications Description License Management Description Property Description Command Description General Information Summary Wandy RouterOS software has a licensing system with a Software License (Software Key) issued for each individual installation of RouterOS. RouterOS version 2.8 introduces a new licensing scheme with a different key system. You should upgrade your key when updating to version 2.8 from versions 2.5, 2.6 or 2.7.
When upgrading to 2.8, you can update your existing key for version 2.5, 2.6 or 2.7 for free (during the existing key's upgrade term) within the three-day demonstration period, either manually on our accounting server or with a console or WinBox command. This three-day term allows you to use all the existing key. There is also a possibility in version 2.8 to upgrade your key (i.e. to extend the licensing term) from the console or WinBox. Note that the license is kept on the hard drive.
(text; default: "") - script to execute while the command is running (time; default: 1s) - how frequently to execute the given script - if specified, executes the script once, and then terminates the command - command's execution status • Resolving www.Wandy.com - resolving DNS name • Failed to resolve www.Wandy.
been converted to 2.8 version • ERROR: Key for specified software ID is expired. You can purchase new key at www.Wandy.com website! - you may not update an expired key to the version 2.8, you must purchase a new one • ERROR: You are not allowed to use this service! - please contact sales@Wandy.com for further assistance • Key upgraded successfully - the upgrade procedure has been completed successfully Telnet Server and Client Document revision 2.
Standards and Technologies: Telnet (RFC 854) Hardware usage: Not significant Related Documents • Package Management • System Resource Management Telnet Server Description Telnet protocol is intended to provide a fairly general, bi-directional, eight-bit byte oriented communications facility. The main goal is to allow a standard method of interfacing terminal devices to each other. Wandy RouterOS implements industry standard Telnet server.
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK Wandy RouterOS 2.8beta12 (c) 1999-2003 http://www.Wandy.com/ Terminal unknown detected, using single line input mode [admin@10.1.0.1] > Log Management Document revision 2.2 (Fri Mar 26 20:01:53 GMT 2004) This document applies to Wandy RouterOS V2.
Specifications Packages required: system License required: level1 system logging, /log Standards and Technologies: Syslog Hardware usage: Not significant Related Documents • Package Management Description The logging feature sends all of your actions on the router to a log file or to a logging daemon. The router has several global configuration settings that are applied to logging. Logs have different facilities. Logs from each facility can be configured to be discarded, logged locally or logged remotely.
facility (name) - name of the log group, message type local (disk | memory | none; default: memory) - how to treat local logs • disk - logs are saved to hard drive • memory - logs are saved to local buffer.
Property Description time (text) - date and time of the event message (text) - message text Notes print command has arguments: • follow - monitor system logs • without-paging - print the log without paging • file - saves the log information to ftp Example To view the local logs: # TIME MESSAGE 0 dec/24/2003 08:20:36 0 dec/24/2003 08:20:36 0 dec/24/2003 08:20:36 0 dec/24/2003 08:20:36 0 dec/24/2003 08:20:36 0 dec/24/2003 08:20:36 -- [Q quit|D dump] log log log log log log configuration configuration conf