MikroTik™ v2.3 Router Software Technical Reference Manual

Preface

Document Organization

The document consists of 16 main parts. Parts can be divided further into sections. Each section (or a part if it doesn't consist of sections) of this document is divided into three subsections. In the first subsection, management from the Java Console is described. Management from the Console is described in the second subsection. The third subsection is devoted to description of the parameters. However some sections are not divided if it is not necessary.

The current manual version is being updated to a new format. Some sections of this manual are in our old format and some in the newer format. It is expected that all sections will be updated by June.

Document Conventions

In this publication, the following conventions are used:

• All console related settings: commands, arguments, parameters, examples and keywords are marked out with the Courier New font;
• The following conventions are used in the command syntax description:
  • In the place where something is written in between of "<" and ">" you need to enter a value, e.g. <address>
  • Optional parameters are enclosed in brackets, e.g. [interface <name>];
  • The vertical line "|" means "OR";

   

1. MikroTik RouterOS V2.3 Basic Setup Guide

Downloading and Installing the MikroTik RouterOS
Obtaining the Software License
Navigating the Console

Working with Interfaces
Adding Addresses
Configuring the Default Route
Testing the Network Connectivity

Application Example with Masquerading
Application Example with Bandwidth Management

Accessing the Router Remotely using Web Browser and Java Console

Downloading and Installing the MikroTik RouterOS

The download and installation process of the MikroTik RouterOS is described in the following diagram:

1. Download the basic installation archive file.

• ISO image of the installation CD, if you have a CD writer for creating CDs. The ISO image is in the MTcdimage_v2.3_dd-mmm-yyyy.zip archive file containing a bootable CD image. The CD will be used for booting up the dedicated PC and installing the MikroTik RouterOS on its hard-drive or flash-drive.
• MikroTik Disk Maker, if you want to create five 3.5' installation floppies. The Disk Maker is a self-extracting archive DiskMaker_v2-3_dd-mmm-yyyy.exe file, which should be run on your Win95/98/NT/2K workstation to create the installation floppies. The installation floppies will be used for booting up the dedicated PC and installing the MikroTik RouterOS on its hard-drive or flash-drive.
• MikroTik Disk Maker in a set of smaller files, if you have problems downloading one large file.

2. Create the installation media

• For the CD, write the ISO image onto a blank CD.
• For the floppies, run the Disk Maker on your Windows workstation to create the installation floppies. Follow the instructions and insert the floppies in your FDD as requested, label them as Disk 1,2,3, etc.

3. Install the MikroTik RouterOS software.

• A 486 or Pentium motherboard and processor;
• 24MB or more RAM (32MB suggested);
• 30MB or more PRIMARY MASTER IDE HDD or IDE flashdrive. Please make sure you have correct BIOS settings for the IDE disk. Note: It will be entirely reformatted during the installation!
• A network adapter (NE2000 compatible PCI or ISA Ethernet card, or any other supported NIC, see specifications of supported interfaces on our web page);
• A CD drive set as primary boot device, if you want to use the created CD for installing the MikroTik RouterOS;
• A 3.5' FDD set as primary boot device, if you want to use the created set of floppies for installing the MikroTik RouterOS;
• A monitor and keyboard for installation and initial setup of the MikroTik Router. The monitor and keyboard do not need to be connected to the router after it is set up for connecting to it over the network.

After successful installation please remove the installation media from your CD or floppy disk drive and hit 'Enter' to reboot the router. While the router will be starting up for the first time you will be given a Software ID for your installation and asked to supply a valid software license key (Software Key) for it. Write down the Software ID. You will need it to obtain the Software License after logging on to the MikroTik Account Server.

If you need extra time to obtain the Software License Key, you may want to power off the router. Press Ctrl-Alt-Del keys to properly shut down and reboot the router. Power the router off while the BIOS is doing memory check.

Obtaining the Software License

The MikroTik RouterOS Softare licensing process is described in the following diagram:

After installing the router and starting it up for the first time you will be given a Softwarte ID.

1. Write down the Software ID reported by the RouterOS.
2. To obtain the Software License Key, log on to your account at www.mikrotik.com (upper right-hand corner on this webpage), for example:

   

   If you do not have an account at www.mikrotik.com, just press the 'New' button to create your account. You will be presented with the Account Sign-Up Form where you chose your account name and fill in the required information.

3. After logging on to the Account Server select "Free Demo License" or "Order Software License" in the Account Menu.
4. The Software Key will be sent to the email address which has been specified in your account setup.
5. Read your email and enter the Software Key at the router's console, for example:

   Software ID: 5T4V-IUT
   Software key: 4N7X-UZ8-6SP
   

After entering the correct Software License Key you will be presented with the MikroTik Router's login prompt. Use 'admin' and no password (hit 'Enter') for logging on to the router, for example:

MikroTik v2.3.8 (build 9)
mikrotik login: admin
Password:

The password can be changed with the '/password' command.

Navigating the Console

After logging on to the router you will be presented with the MikroTik RouterOS Welcome Screen and command prompt, for example:

  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS V2.3 (c) 1999-2001       http://mikrotik.com/

command [Enter] Executes the command

[?]             Gives the list of available commands
command [?]     Gives help on the command and list of arguments
command arg [?] Gives help on the command's argument

[Tab]           Completes the command/word. If the input is ambiguous,
                a second [Tab] gives possible options

/               Move up to base level
..              Move up one level
/command        Use command at the base level

Tip: Read the manual.

[mikrotik]>

The command prompt shows the identity name of the router and the current menu level, for example:

[mikrotik]>                      Base level menu
[mikrotik]> driver               Enter 'driver' to move to the driver level menu
[mikrotik] driver> /             Enter '/' to move to the base level menu from any level 
[mikrotik]> interface            Enter 'interface' to move to the interface level menu
[mikrotik] interface> /ip        Enter '/ip' to move to the IP level menu from any level
[mikrotik] ip>

A command or an argument does not need to be completed, if it is not ambiguous. For example, instead of typing 'interface' you can type just 'in' or 'int'. To complete a command use 'Tab' key. Use '?' to see the list of possible commands at a given menu level.

Working with Interfaces

Before configuring the IP addresses and routes please check the '/interface' menu to see the list of available interfaces. If you have PCI Ethernet cards installed in the router, it is most likely that the device drivers have been loaded for them automatically, and the relevant interfaces appear on the '/interface print' list, for example:

[mikrotik] interface> print 
  # NAME                                                   TYPE        MTU
( 0)ether0                                                 ether       1500
( 1)ether1                                                 ether       1500
[mikrotik] interface> 

The device drivers for NE2000 compatible ISA cards need to be loaded using the 'load' command under the /drivers menu. For example, to load the driver for a card with IO address 0x300 and IRQ 5, it is enough to issue the command:

[mikrotik] driver> load ne2k-isa io 0x300
[mikrotik] driver> 

The interfaces need to be enabled if you want to use them for communications. Use the '/interface enable name' command to enable the interface with a given name. Enabled interfaces do not have the numbers enclosed in braces. For example:

[mikrotik] interface> enable 0
[mikrotik] interface> enable ether1
[mikrotik] interface> print 
  # NAME                                                   TYPE        MTU
  0 ether0                                                 ether       1500
  1 ether1                                                 ether       1500
[mikrotik] interface> 

You can use the number or the name of the interface in the 'enable' command.

Adding Addresses

Assume you need to configure the MikroTik router for the following network setup:

Please note that the addresses assigned to different interfaces of the router should belong to different networks. In the current example we use two networks:

• The local LAN with network address 192.168.0.0 and 24-bit netmask 255.255.255.0 The router's address is 192.168.0.254 in this network.
• The ISP's network with address 10.1.1.0 and and 24-bit netmask 255.255.255.0 The router's address is 10.1.1.12 in this network.

The addresses can be added and viewed using the following commands:

[mikrotik] ip address> add address 192.168.0.254/24 interface ether1
[mikrotik] ip address> add address 10.1.1.12/24 interface ether0
[mikrotik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   ether1
  1 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      ether0
[mikrotik] ip address> 

Here, the network mask has been specified in the value of the address argument. Alternatively, the argument 'netmask' could have been used with the value '255.255.255.0'. The network and broadcast addresses were not specified in the input since they could been calculated automatically.

Configuring the Default Route

You can see two dynamic (D) kernel (K) routes, which have been added automatically when the addresses were added:

[mikrotik] ip address> /ip route print 
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTERFACE
  0 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   ether1     D K
  1 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       ether0     D K
[mikrotik] ip address>

These routes show, that IP packets with destination to 10.1.1.0/24 would be sent through the interface ether0, whereas IP packets with destination to 192.168.0.0/24 would be sent through the interface ether1. However, you need to specify where the router should forward packets, which have destination other than networks connected directly to the router. This is done by adding the default route (destination 0.0.0.0, netmask 0.0.0.0). In this case it is the ISP's gateway 10.1.1.254, which can be reached through the interface ether0:

[mikrotik] ip address> /ip route add gateway 10.1.1.254 interface test 
[mikrotik] ip address> /ip route print 
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTERFACE
  0 10.0.0.0        255.255.255.0   0.0.0.0         10.0.0.222      developers D K
[mikrotik] ip address> /ip route print 
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTERFACE
  0 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   ether1     D K
  1 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       ether0     D K
  2 0.0.0.0         0.0.0.0         10.0.0.1        0.0.0.0         ether0
[mikrotik] ip address>

Here, the default route is listed under #2. Note, that you should not have two routes to the same destination, i.e., destination-address/netmask! It applies to the default routes as well. Situation with two routes to the same destination is confusing.

If you have added an unwanted static route accidentally, use the 'remove' command to delete the unneeded one. Do not remove the kernel (K) or dynamic (D) routes! They are added automatically and should not be deleted 'by hand'. If you happen to, then reboot the router, the route will show up again.

Testing the Network Connectivity

From now on, the '/ping' command can be used to test the network connectivity on both interfaces. You can reach any host on both connected networks from the router:

[mikrotik] ip address> /ping 10.1.1.17
10.1.1.17 pong: ttl=255 time<1 ms
10.1.1.17 pong: ttl=255 time<1 ms
10.1.1.17 pong: ttl=255 time<1 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0/0.0/0 ms
interrupted
[mikrotik] ip address> /ping 192.168.0.1
192.168.0.1 pong: ttl=255 time<1 ms
192.168.0.1 pong: ttl=255 time<1 ms
192.168.0.1 pong: ttl=255 time<1 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0/0.0/0 ms
interrupted
[mikrotik] ip address> 

The workstation and the laptop can reach (ping) the router at its local address 192.168.0.254, whereas the server can reach the router at its local address 10.1.1.12 The router's address 192.168.0.254 should be specified as the default gateway in the TCP/IP configuration of both the workstation and the laptop. Then you should be able to ping the router's address 10.1.1.12 which is on the ISP's network:

C:\>ping 10.1.1.12
Pinging 10.1.1.12 with 32 bytes of data:
Reply from 10.1.1.12: bytes=32 time<10ms TTL=255
Reply from 10.1.1.12: bytes=32 time<10ms TTL=255
Reply from 10.1.1.12: bytes=32 time<10ms TTL=255
C:\>

You cannot ping the workstation and laptop from the server, unless you do the following:

• Add a static route on the ISP's gateway, which specifies the host 10.1.1.12 as the gateway to network 192.168.0.0/24. Then all hosts on the ISP's network, including the server, will be able to communicate with the hosts on the LAN.
• Alternatively, specify the address 10.1.1.12 as the default gateway for the server. Then the server will forward packets with destination other than 10.1.1.0/24 to the MikroTik router.

Next will be discussed situation with 'hiding' the private LAN 192.168.0.0/24 'behind' one address 10.1.1.12 given to you by the ISP.

Application Example with Masquerading

If you want to 'hide' the private private LAN 192.168.0.0/24 'behind' one address 10.1.1.12 given to you by the ISP, you should use the masquerading function of the MikroTik router. Masquerading is useful, if you want to access the ISP's network and the Internet appearing as all requests coming from the host 10.1.1.12 of the ISP's network. The masquerading will change the source IP address and port of the packets originated from the network 192.168.0.0/24 to the address 10.1.1.12 of the router, when the packet is routed through it.

A firewall rule with action 'masq' should be added to the forward chain of the router's firewall configuration:

[mikrotik] ip firewall rule> add forward action masq interface ether0 
[mikrotik] ip firewall rule> print forward 
0   action: masq protocol: all src-address: 0.0.0.0 src-netmask: 0.0.0.0
    src-ports: 0-65535 dst-address: 0.0.0.0 dst-netmask: 0.0.0.0
    dst-ports: 0-65535 interface: ether0 log: no
[mikrotik] ip firewall rule> 

More detailed information about using the masquerading can be found in the IP Firewalling section of the MikroTik RouterOS Manual.

Application Example with Bandwidth Management

Assume you want to limit the bandwidth to 128kbps on downloads and 64kbps on uploads for all hosts on the LAN. Bandwidth limitation is done by applying queues for outgoing interfaces regarding the traffic flow. It is enough to add two queues at the MikroTik router:

[mikrotik] ip queue>add interface ether1 queue red limit-at 128000 max-burst 0 bounded yes
[mikrotik] ip queue>add interface ether0 queue red limit-at 64000 max-burst 0 bounded yes
[mikrotik] ip queue> print
0   src-address: 0.0.0.0/0:0-65535 dst-address: 0.0.0.0/0:0-65535 interface: ether1
    protocol: 0 queue: red limit-at: 128000 max-burst: 0 bounded: yes priority: 8
    weight: 1 allot: 1538 red-limit: 60 red-min-threshold: 10
    red-max-threshold: 50 red-burst: 20
1   src-address: 0.0.0.0/0:0-65535 dst-address: 0.0.0.0/0:0-65535 interface: ether0
    protocol: 0 queue: red limit-at: 64000 max-burst: 0 bounded: yes priority: 8
    weight: 1 allot: 1538 red-limit: 60 red-min-threshold: 10
    red-max-threshold: 50 red-burst: 20
[mikrotik] ip queue>

Leave all other parameters as set by default. The limit is approximately 128kbps going to the LAN and 64kbps leaving the client's LAN. No burst of the packets is allowed. Please note, that each queue has been added for the outgoing interface regarding the traffic flow.

More detailed information about using the bandwidth management can be found in the Bandwidth Management and Queuing section of the MikroTik RouterOS Manual.

Accessing the Router Remotely using Web Browser and Java Console

The MikroTik router can be accessed remotely using

• the telnet protocol, for example, using the telnet client of your Windows or Unix workstation. Working with the telnet console is the same as working with the monitor and keyboard attached to the router locally.
• the ftp for uploading the software upgrade packages or retrieving the exported configuration files.
• the http and Java Console, for example, using the web browser of your workstation.

By clicking on the Java Console icon you can open the Java console with the login window. Use the username and password to log on to the router, for example:

After logging on to the router you can work with the MikroTik router's configuration through the Java console and perform the same tasks as using the regular console:

You can use the menu bar to navigate through the router's configuration menus, open configuration windows. By double clicking on some list items in the windows you can open configuration windows for the specific items, and so on. Please consult the MikroTik RouterOS Manual for more detailed description of using the Java console.

Adding Software Packages

The basic installation comes with only the "system" package and few other packages. This includes basic IP routing and router administration. To have additional features such as IP Telephony, OSPF, wireless, and so on, you will need to download additional software packages. Please consult the MikroTik RouterOS Software Package Installation and Upgrading Manual for more detailed information about installing additional software packages.

2. User Interconnection Description

Java Interconnection Description

MikroTik Java Console requires Java 2 browser plug-in. This may be downloaded from the "Download" page at mikrotik.com or www.sun.com.

In the Web Browser open the page with the address http://<IPAddressOfTheRouter>. Then start the applet.

General Information

When you type your login name and password you are logged in the router via Java Console.

All operations are performed via the main menu that is situated on the left of the main window. It consists of twelve items. If a menu item has an arrow sign then it contains submenu. Each of menu item is described in the User Manual in the corresponding chapters, excluding menu item "Help". The table below describes the correlation.

How To

Here are the most common actions that you perform on the entries:

Main Menu

Console Interconnection Description

When you log into the router via console or telnet you get a base level prompt. As it is in Java almost every command has the corresponding chapter in the Manual. In the table below base level commands are described:

How To

The table below describes how you can execute commands, move through the levels in the console, etc.

You can abbreviate names of levels, commands and arguments.

Overview of Common Functions

The console allows configuration of the router settings using text commands. The command structure is similar to the Unix shell. Since there's a whole lot of available commands, they're split into hierarchy. For example, all commands that work with routes start with "ip route":

[drax]> ip route print

[drax]> ip route set 1 netmask 255.255.0.0
[drax]> ip route print

Instead of typing "ip route" before each command, "ip route" can be typed once to "change into" that particular branch of command hierarchy. Thus, the example above could also be executed like this:

[drax]> ip route
[drax] ip route> print

[drax] ip route> set 1 netmask 255.255.0.0
[drax]> ip route print

Notice that prompt changes to show where in the command hierarchy you are located at the moment. To change to top level, type "/"

[drax] ip route> /
[drax]>

To move up one command level, type ".."

[drax] ip route> ..
[drax] ip>

You can also use "/" and ".." to execute commands from other levels without changing the current level:

[drax] ip route> /ping 10.0.0.10
timeout: ping reply not recieved after 1000 mss
timeout: ping reply not recieved after 1000 mss
ping interrupted 2 packets transmitted, 0 packets received, 100% packet loss
interrupted

Or alternatively, to go back to the base level you could use the ".." twice:

[drax] ip route> .. .. ping 10.0.0.10
10.0.0.10 pong: ttl=128 time=2 ms
10.0.0.10 pong: ttl=128 time=1 ms
ping interrupted 2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1/1.5/2 ms
interrupted
[drax] ip route>

- Lists -

Many of the command levels operate with arrays of items: interfaces, routes, users etc. Such arrays are displayed in similar looking lists. All items in the list have an item number followed by it's parameter values. For example:

[drax]> interface print
# NAME STATE TYPE MTU

To change parameters of an item (interface in this particular case), you have to specify it's number:

[drax]> interface set 1 mtu 1234
[drax]> interface print

Numbers are assigned by "print" command and are not constant - it is possible that two successive "print" commands will order items differently. Thus, you must use the print command before any other command that works with list items, to assign numbers.

Note Although numbers can change each time you use the "print" command, they don't change between these uses. Once assigned, they will remain the same until you quit the console or until the next "print" command. Also, numbers are assigned separately for every item list, so "ip address print" won't change numbers for interface list.

Let's assume "ip address print" hasn't been executed already. In this case:

[drax]> ip address set 123 netmask 255.255.0.0
Error: number : (no numbers assigned)

To understand better how do item numbers work, you can play with "from" argument of "print" commands:

[drax]> interface print from 1

The "from" argument specifies what items to show. Numbers are assigned by every "print" command, thus, after executing command above there will be only one item accessible by number - interface "ether1" by number 0.

- Item names -

Some lists have items that have specific names assigned to each. Examples are "interface" or "user" levels. There you can use item names instead of numbers:

[drax]> interface set ether1 mtu 1234

You don't have to use the "print" command before accessing items by name - as opposed to numbers, names are not assigned by the console internally, but are one of the items' parameters. Thus, they won't change on their own (But there are all kinds of obscure situations possible when several users are changing router configuration at the same time). Generally, item names are more "stable" than numbers, and also more informative, so you should prefer them ver numbers when writing console scritps. Also, <tab> completions work on item names, making them easy to type.

- Quick typing -

There are two features in router console that help entering commands a lot quicker and easier - tab key completions and abbreviations of command names. Completions work similarly to the bash shell in UNIX. If you press the tab key after part of word, console tries to find command in current context that begins with this word. If there's only one match, it is automatically appended, followed by space character:

/inte<tab>_ becomes /interface _

(where "_" is cursor position)

If there's more than one match, but they all have a common beginning which is longer that what you've typed, then the word is completed to this common part, and no space is appended:

/interface set e<tab>_ becomes /interface set ether_
(because "e" matches both "ether5" and "ether1" in this example)

If you've typed just the common part, pressing the tab key once has no effect. However, pressing it second time shows all possible completions in compact form:

[drax]> /interface set e<tab>_
[drax]> /interface set ether<tab>_
[drax]> /interface set ether<tab> ether1 ether5
[drax]> /interface set ether_

The tab key can be used almost in any context where the console might have a clue about possible values - command names, argument names, arguments that have only several possible values (like names of items in some lists or name of protocol in firewall and NAT rules). You can't complete numbers, IP addresses and similar values.

Another way to press less keys while typing is to abbreviate command and argument names. You can type only beginning of command name, and if it is not ambiguous console will accept it as a full name:

[drax]> ip f s r 1 equals to [drax]> ip firewall static-nat remove 1

[drax]> pi 10.1 c 3 s 100 equals to [drax]> ping 10.0.0.1 count 3 size 100

Note ".." can be shortened to ".", because no other words in command levels begin with dot.

- Help -

The console has a built-in help, which can be accessed by typing '?'. General rule is that help shows what you can type in position where the '?' was pressed (similarly to pressing tab key twice, but in verbose form and with explanations).

- Internal item numbers -

Items can also be addressed by their internal numbers. These numbers are generated by console for scripting purposes and, as the name implies, are used internally. Although you can see them if you print return values of some commands (internal numbers look like hex number preceded by '*' - for example "*100A"), there's no reason for you to type them in manually. Use of invalid internal numbers can result in severe injury of your router configuration.

- Multiple items -

You can specify multiple items as targets of some commands. Almost everywhere, where you can write the number of items, you can also write a list of numbers:

[drax]> interface print

This is handy when you want to perform same action on several items, or do a selective export. However, this feature becomes really useful when combined with scripting.

- Return values -

The router console has limited scripting capability. Syntax is simple and similar to TCL. There's a new command "find" added to many of the command levels for scripting use. This command doesn't print anything on screen. Instead, it creates a return value that contains internal numbers of items that match parameters of the "find" command. This return value can be used in another command, by placing "find" in square brackets:

[drax]> interface
[drax] interface> print from [find name ether5]

If you don't give "find" any arguments, it returns internal numbers of all items:

[drax] interface> set [find] mtu 1500
[drax] interface> print

You can see the return value of "find" command (and other router commands) using ":put" command:

[drax] interface> :put [find]
*10002 *10001

These are internal numbers of all router interfaces. Also, there's a trailing space after last number, so you can concatenate results of several "find" commands:

[drax] interface> print from [find][find]

- Time Setting -

In the console time can be set in various ways. If it is just a number, then it is in seconds. You can also enter the following values:

If the is no number before the letters, it will be one unit. You also can use decimal numbers. Multiple time intervals can be written consequently - they will be summarized.

- Variables -

The console has variables that can store string values. Assigning such a variable is done by ":set" command:

[drax]> :set var1 J.Random.String

If the value is assigned to a non-existing variable, it's created, otherwise current value is replaced. To access the value of variable, you have to type "$" followed by the name of the variable, and it will be replaced by the value of the variable:

[drax]> :put $var1
J.Random.String
[drax]> :put $var1-$var1-yo-ho-ho-$var1
J.Random.String-J.Random.String-yo-ho-ho-
J.Random.String

- Magic Variables -

There are two magic variables in the console. "_" (underscore) has the last valid command entered.

[drax]> /system clock print
jun/16/2000 17:06:57
[drax]> :put $_
/system clock print
[drax]> :put $_
:put $_

The second magic variable is the "^" (caret). It contains the return value of the last executed command. Note that all commands return values (even if they're empty strings), so if you want to use the return value of some command (say, "find") several times, you have to assign it to normal variable. In the console, "^" is used to export some items:

[drax]> ip firewall static-nat
[drax] ip firewall static-nat> print

[drax] ip firewall static-nat> export
/ip firewall static-nat
add interface all src-address 0.0.0.0 src-netmask
0.0.0.0 \
dst-address 0.0.0.0 dst-netmask 0.0.0.0 protocol
all \
src-port 0-65535 dst-port 0-65535 to-src-address
0.0.0.0 \
to-dst-address 0.0.0.0 to-src-netmask 0.0.0.0 \
to-dst-netmask 0.0.0.0 to-src-port 0 to-dst-port 0
translate no \ direction in
comment $^ blah-blah\nyadda-yadda
disable $^
[drax] ip firewall static-nat>

Here, "add" returns internal number of item the it has added, and "comment" command returns list of internal numbers of items it received as the first argument. Thus "comment $^" will add comment to the item created by "add", and "disable $^" will disable this item.

- General layout of command levels -

There are two different kinds of command levels. First, there are levels that allow you to work with lists of similar items - routes, interfaces, users and the like. Second, there are levels that allow you to change some general parameters - time, bridge settings etc.

Most command groups have some or all of these commands:

print
set
remove
add
find
export
enable
disable
comment

These commands have similar behaviour in all hierarchy.

- print -

The "print" command shows all information that's accessible from particular command level. Thus, "/system time print" shows system time, "/ip route print" shows all routes etc. If there's a list of items in this level and they are not read-only, i.e. you can change/remove them (example of read-only item list is "/system history", which shows history of executed actions), then "print" command also assigns numbers that are used by all commands that operate on items in this list. Thus, "print" usually must be executed before any other commands in the same command level.

If there's list of items then "print" usually can have a "from" argument. The "from" argument accepts space separated list of item numbers, names (if items have them). and internal numbers. The action (printing) is performed on all items in this list in the same order in which they're given.

- set -

The "set" command allows you to change values of general parameters or item parameters. The "set" command has arguments with names corresponding to values you can change. Use "?" or double tab to see list of all arguments. If there is list of items in this command level, then set has one unnamed argument that accepts the number of item (or list of numbers) you wish to set up. Values for unnamed arguments must follow right after the name of the command, and their order can't be changed. Example: in firewall rules, the "set" command has two unnamed arguments - first is the name of chain and second is the number of rule in this chain. "set" returns internal numbers of items it has set up.

- remove -

"remove" has one unnamed argument which contains number(s) of item(s) to remove.

- add -

"add" usually has the same arguments as "set", minus the unnamed number argument. It adds new item with values you've specified, usually to the end of list (in places where order is relevant). There are some values that you have to supply (like interface for new route), and other values that are set to defaults if you don't supply them. The "add" command returns internal number of item it has added.

- find -

The "find" command has the same arguments as "set", and an additional "from" argument which works like the "from" argument with the "print" command. The "find" command returns internal numbers of all items that have the same values of arguments as specified.

- export -

The "export" command prints a script that can be used to restore configuration. If it has the argument "from", then it is possible to export only specified items. Also, if the "from" argument is given, "export" does not descend recursively through the command hierarchy. "export" also has the argument "file", which allows you to save the script in file on router to retrieve it later via ftp. Argument "noresolve" is used to disable reverse resolving of IP addresses if it proves to be problem.

- enable/disable -

You can enable/disable some items (like ip address or default route). Is an item is disabled, it number is shown in parenthesis. If an item is inactive, but not disabled, it number is shown in brackets.

- comment -

You can add comments to any item. If item is commented, comments are shown after item number before all parameters and prefixed with ";;;".

3. Device Driver Management

This document applies to the MikroTik RouterOS V2.3

Overview

The device drivers for PCI and PC cards are loaded automatically. Other network interface cards (ISA) require the device drivers loaded manually by using the '/driver add' command.

Users cannot add their own device drivers. Only drivers included in the Mikrotik RouterOS software packages can be used. If you need a device driver for a device, which is not supported by the MikroTik RouterOS, please suggest it at our suggestion page on our web site.

Contents of the Manual

• Loading Device Drivers
• Unloading Device Drivers
• List of Drivers
• Troubleshooting

[mikrotik] driver> load ?
Load driver name [irq IRQ] [io IO range start] [mem shared memory].
  _name_          Driver name
  irq             IRQ number
  mem             Shared Memory base address
  io              IO port base address
  isdn-protocol   ISDN line protocol
[mikrotik] driver>

If hexadecimal values are used, put 0x before the number. To see the list of available drivers, enter the 'load' command continued with double [Tab] keys:

[mikrotik] driver> load [Tab] [Tab]
3c509  ne2k-isa
[mikrotik] driver> load ne2k-isa io 0x280
[mikrotik] driver> print
  # DRIVER                                       IRQ IO     MEMORY     ISD...
  0 RealTek RTL8129/8139                                                      D
  1 ISA NE2000                                       0x280
[mikrotik] driver>

As we see, the driver for the Realtek PCI card has been loaded automatically. To see the system resources occupied by the devices, use the '/system resource io print' and '/system resource irq print' commands:

[mikrotik]> system resource io print
IO        OWNER
0020-003f APIC
0040-005f timer
0060-006f keyboard
0080-008f DMA
00a0-00bf APIC
00c0-00df DMA
00f0-00ff FPU
01f0-01f7 IDE 1
0280-029f ether1
03c0-03df VGA
03f6-03f6 IDE 1
03f8-03ff serial port
6100-61ff ether0
f000-f007 IDE 1
f008-f00f IDE 2
[mikrotik]> system resource irq print
IRQ OWNER
1   keyboard
2   APIC
3   ether1
4   serial port
5
6
7
8
9
10
11  ether0
12
13  FPU
14  IDE 1
[mikrotik]>

Note, that the resource list shows only the interfaces, if they are enabled!

Unloading Device Drivers

List of Drivers

ISA Drivers

• ne2k-isa
  Load the driver by specifying the I/O base address. IRQ is not required.
  Driver is suitable for most of the NE2000 compatible ISA cards.
• 3c509
  Load the driver by specifying the I/O base address. IRQ is not required.
  Driver is suitable for 3COM 509 Series ISA cards.

PCI Drivers

• ne2k-pci
  Driver is suitable for the Ethernet cards with RealTek RTL-8029 chip:
  RealTek RTL-8029
  Winbond 89C940
  Compex RL2000
  KTI ET32P2
  NetVin NV5000SC
  Via 86C926
  SureCom NE34
  Winbond
  Holtek HT80232
  Holtek HT80229

• 3c95x
  (3Com 3c590/3c900 series Vortex/Boomerang driver)
  This device driver is designed for the 3Com FastEtherLink and FastEtherLink XL, 3Com's PCI to 10/100baseT adapters. It also works with the 10Mbs versions of the FastEtherLink cards. The supported product IDs are:
  3c590, 3c592, 3c595, 3c597, 3c900, 3c905
  3c590 Vortex 10Mbps
  3c595 Vortex 100baseTx
  3c595 Vortex 100baseT4
  3c595 Vortex 100base-MII
  3Com Vortex
  3c900 Boomerang 10baseT
  3c900 Boomerang 10Mbps Combo
  3c900 Cyclone 10Mbps Combo
  3c900B-FL Cyclone 10base-FL
  3c905 Boomerang 100baseTx
  3c905 Boomerang 100baseT4
  3c905B Cyclone 100baseTx
  3c905B Cyclone 10/100/BNC
  3c905B-FX Cyclone 100baseFx
  3c905C Tornado
  3c980 Cyclone
  3cSOHO100-TX Hurricane
  3c555 Laptop Hurricane
  3c575 Boomerang CardBus
  3CCFE575 Cyclone CardBus
  3CCFE656 Cyclone CardBus
  3c575 series CardBus (unknown version)
  3Com Boomerang (unknown version)

• eepro100
  (Intel i82557/i82558 PCI EtherExpressPro driver)
  This device driver is designed for the Intel i82557 "Speedo3" chip, Intel's single-chip fast Ethernet controller for PCI, as used on the IntelEtherExpressPro 100 adapter.

• tulip
  This device driver is designed for the DECchip "Tulip", Digital's single-chip ethernet controllers for PCI. Supported members of the family are the 21040, 21041, 21140, 21140A, 21142, and 21143. Similar work-alike chips from Lite-On, Macronics, ASIX, Compex and other listed below are also supported:
  Interfaces: Digital DC21040 Tulip
  Digital DC21041 Tulip
  Digital DS21140 Tulip
  Digital DS21143 Tulip
  D-Link DFE 570TX
  Lite-On 82c168 PNIC
  Macronix 98713 PMAC
  Macronix 98715 PMAC
  Macronix 98725 PMAC
  ASIX AX88140
  Lite-On LC82C115 PNIC-II
  ADMtek AN981 Comet
  Compex RL100-TX
  Intel 21145 Tulip
  Xircom Tulip clone

• rtl8139
  This device driver is designed for the RealTek RTL8129, the RealTek Fast Ethernet controllers for PCI. This chip is used on a few clone boards:
  RealTek RTL8129 Fast Ethernet
  RealTek RTL8139 Fast Ethernet
  SMC1211TX EZCard 10/100 (RealTek RTL8139)
  Accton MPX5030 (RealTek RTL8139)

• winbond-840
  This driver is for the Winbond w89c840 chip:
  Winbond W89c840
  Compex RL100-ATX
  

For the list of drivers included in additional feature software packages, please see the manual of the relevant software package.

Troubleshooting

• Driver for a PCI or PC card does not load automatically.
  Check for a possible IRQ or IO conflict with other devices.
• The driver cannot be found on the system.
  Upload the required software package containing the required drivers.

4. Network Interface Management

Introduction

An Interface is physical or virtual device which provides a connection to an external network. Network interfaces are created automatically when the Network Interface Card driver is loaded. Virtual (software) interfaces can be created manually.

Managing Network Interfaces from Java

Select the "Interfaces" menu to open the interface list window. The interfaces list displays basic interface parameters. Interface type specific parameters can be changed from interface details windows (opened by double clicking on icon to the left from interface name). The Interface details window has a standard "Traffic" tab which displays traffic that enters and leaves router through the interface. It can also contain other tabs with interface type specific parameters.

The Interfaces list window also contains a "blink" button. Selecting this button causes traffic to be generated on the highlighted interface and therefore blink the LEDs (light emitting diodes) on the card so that an administrator can determine which Interface name corresponds to the actual interface (when there are multiple interfaces of the same type). Some interfaces must have an Ethernet cable connected before the lights will blink. Note that not all interfaces support this function.

Managing Network Interfaces from Console

Network interface commands and submenus are located in the "interface" menu. It contains several commands that are common to all interfaces:

Whre <interface> is interface name or number obtained from "print" command.

The "interface" menu also contains device type specific submenus with device type specific commands. The following device type submenus can be available, depending on what features are licensed for a particular installation:

Basic Interface Parameter Description

Ethernet Interfaces

Ethernet interfaces include standard 10/100 Mbit Ethernet network interface. Ethernet interfaces do not have any device type dependent parameters. Each Ethernet interface has its MAC-address (Medium Access Control).

Managing Ethernet Interfaces from Java

Ethernet interface parameters can be changed from interface list window or from interface details window "General" tab.

Managing Ethernet Interfaces from Console

Ethernet interface management is done in submenu "interface ether".

Where <interface> is interface name or number obtained from "print" command.

Ethernet Interface Parameters

PPP Server

PPP (or Point-to-Point Protocol) provides a method for transmitting datagrams over serial point-to-point links. The 'com1' and 'com2' ports from standard PC hardware configurations will appear as 'serial0' and 'serial1' automatically. It is possible to add thirty-two additional serial ports with the Moxa C168 PCI multiport asynchronous card (eight ports each) to use the router for a modem pool.

Managing PPP Server from Java

To add PPP server interface, you have to choose "Interfaces" and click "Add New"

Managing PPP Server from Console

PPP server management is done in the submenu "interface ppp-server".

Where <interface> is interface name or number obtained from "print" command.

PPP Client

Managing PPP Client from JAVA

To add PPP client interface, you have to choose "Interfaces" and click "Add New"

Managing PPP Client from console

PPP server management is done in the submenu "interface ppp-server".

PPP Interface Parameters

PPP Authentication and Accounting

Overview

PPP (point to point protocol) authentication on the MikroTik RouterOS is supported by a local authentication database or a RADIUS client.  Authentication is supported for PPP asynchronous connections, PPPoE, PPTP, and ISDN PPP (local only).  Authentication protocols supported are PAP, CHAP, and MS-CHAPv2.  The authentication process is as follows:  PPP sends a user authentication request, the user ID is first checked against the local user database for any users which have the PPP attribute, if no matching user is found then the RADIUS client (if enabled) will request authentication from the RADIUS server.  Note that the users will first be checked against the local database and then only against the RADIUS server.  Be careful not to have the same user with PPP on the local database and the RADIUS server – the authentication will finish at the local database in this case.

Topics covered in this section:

• Installation
• Hardware resource usage
• Local authentication overview
• Local authentication management of PPP users
• Local accounting of PPP users
• RADIUS overview
• RADIUS client setup
• RADIUS parameters
• RADIUS servers suggested

PPP authentication and accounting installation on the MikroTik RouterOS v2.3

The local authentication and local accounting features are included in the “system” package.  The RADIUS client and RADIUS accounting features are included in the “PPP” package.  Note, PPP features require that the PPP package be installed.

Hardware resource usage

No significant hardware resource usage.

Local authentication overview

Local PPP authentication is part of the general user database stored on the router – this database is also responsible for administration authentication for the router.  Certain PPP specific attributes are supported for PPP user entries.      

·        PPP remote address set from RADIUS server
·        Time limit of connections set from RADIUS server
·        MAC address (PPPoE) or remote client address (PPTP) reported to RADIUS server
·        System identity
·        Traffic accounting (PPP style – no IP pairs)

Local authentication management of PPP users

Only users which are in a group with the PPP attribute can be authenticated for PPP access. To add a user:

[mikrotik] user> add name client2 password ctest group ppp
[mikrotik] user> print

0   ;;; system default user
    name: admin group: full address: 0.0.0.0 netmask: 0.0.0.0 caller-id: ""
    only-one: no max-session-time: 0

1   name: client2 group: ppp address: 0.0.0.0 netmask: 0.0.0.0 caller-id: ""
    only-one: no max-session-time: 0

Descriptions of settings:

full address: 0.0.0.0 netmask: 0.0.0.0

        This is used to determine the address to be given to the remote site, if full address is set to a specific IP (for example: full address: 10.25.0.3 netmask: 255.255.255.255), then only 10.25.0.3 will be given to the remote site.  If the remote site will not accept this, then the connection will fail.  If a subnet were set (for example: full address: 10.25.0.3 netmask: 255.255.255.240), then an address in the subnet 10.25.0.0/28 would be allowed if the server gives an address in that range – or the server has no addresses set to give, and the client request an address in that range.  If no specific address or subnet is given (for example: full address: 0.0.0.0 netmask: 0.0.0.0.), then an address from the PPP server setup of “remote-address-from” and “remote-address-to” will be given.

caller-id: ""

only-one: no

If this is set to “yes”, then there may be only one connection at a time.

max-session-time: 0

If set to >0, then this is the max number of seconds this session can stay up.  “0” indicates no session limit.  

Local accounting of PPP users

To enable local authentication and accounting, set “[mikrotik] ip ppp> set accounting yes authentication local.”  If the “authentication” is set to “radius,”  then no local accounting logs will be made.  The following is an example of the local accounting when a PPPoE connection is made to the PPPoE server (access concentrator). 

[mikrotik]> log print

apr/04/2001 17:19:14     pppoe-in7: waiting for authentication
apr/04/2001 17:19:14     pppoe-in7: test logged in
apr/04/2001 17:19:14     pppoe-in7: connection established
apr/04/2001 17:19:20     pppoe-in7: using encoding - none
apr/04/2001 17:25:08     pppoe-in7: connection terminated by peer
apr/04/2001 17:25:08     pppoe-in7: modem hanged up
apr/04/2001 17:25:08     pppoe-in7: connection terminated
apr/04/2001 17:25:08     pppoe-in7: test logged out, 354 4574 1279 101 83

The last line is the accounting which is printed when the connection is terminated.  This line indicates that the user “test” connection has terminated at “apr/04/2001 17:25:08.”  The numbers following the “test logged out” entry represent the following:

354        session connection time in seconds
4574        bytes-in (from client)
1279        bytes-out (to client)
101        packets-in (from client)
83        packets-out (to client)

RADIUS Overview

RADIUS authentication gives the ISP or network administrator the ability to manage PPP user access and accounting from one server throughout a large network.  The MikroTik RouterOS has a RADIUS client which can authenticate for PPP, PPPoE, and PPTP connections – no ISDN remote access support currently.  Features supported:

·        PPP remote address set from RADIUS server
·        Time limit of connections set from RADIUS server
·        MAC address (PPPoE) or remote client IP address (PPTP) reported to RADIUS server
·        System identity
·        Traffic accounting (PPP style – no IP pairs)

RADIUS client setup

Set  [mikrotik] ip ppp> set authentication radius auth-server 10.10.1.1 shared-secret users

Example output of the print command:

[mikrotik] ip ppp> pr

            primary-dns: 159.148.60.3
          secondary-dns: 0.0.0.0
         authentication: radius
            auth-server: 10.10.1.1
          shared-secret: users
             accounting: no
        accounting-port: 1646
    authentication-port: 1645       

Description of the output:

Pimary-dns – ppp setting for remote site
Secondary-dns – ppp setting for remote site
authentication – Can be set to “radius” or “local”
auth-server –  IP address of the server in a.b.c.d
shared-secret – corresponding text string from RADIUS server
accounting – enable by setting “yes” or “no”
accounting-port – default port 1646 according to RFC
authentication-port – default port 1645 according to RFC 

RADIUS parameters

Authentication data sent to server Data received from server Accounting information sent to server:

PW_SERVICE_TYPE       = PW_FRAMED     
PW_FRAMED_PROTOCOL    = PW_FRAME_PPP
PW_NAS_IDENTIFIER     = system identity
PW_NAS_IP_ADDRESS     = local PPP interface address
PW_NAS_PORT           = unique PPP port identifier number
PW_NAS_PORT_TYPE      = async or virtual in number form
PW_CALLING_STATION_ID = for PPTP, remote IP reported
                for PPPoE, remote MAC reported
                in form of xx:xx:xx:xx:xx:xx

Data received from server:

PW_ACCT_INTERIM_INTERVAL  = if non-zero then interval to update accouting data in seconds 
PW_FRAMED_IP_ADDRESS      = PPP remote address
PW_IDLE_TIMEOUT           = if no traffic in that time, connection is closed
PW_SESSION_TIMEOUT        = connection time allowed

Accounting information sent to server:

PW_USER_NAME
PW_ACCT_INPUT_OCTETS      = octets signifies bytes
PW_ACCT_INPUT_PACKETS
PW_ACCT_OUTPUT_OCTETS 
PW_ACCT_OUTPUT_PACKETS
ACCT_SESSION_TIME   = in the form of seconds

RADIUS servers suggested

Our RADIUS CLIENT should work well with all RFC complient servers. Our software has been tested with:

http://www.vircom.com/

PPPoE bandwidth setting
This feature is currently available only version 2.4RC (release candidate). For local authentication, this can be set in the [MikroTik] user> menu with the baud-rate value (identical to bits/s).
For Radius authentication, the account of each user in the radius server should be set with:
Paramater: Ascend-Data-Rate (with parameter ID 197 -- in bits/s)

Additional Resource

Links for SNMP documentation:

http://www.ietf.org/rfc/rfc2138.txt?number=2138
http://www.ietf.org/rfc/rfc2138.txt?number=2139
http://www.livingston.com/tech/docs/radius/introducing.html - 3707

[MikroTik] system package> print 
  # NAME                                             VERSION    BUILD UNINSTALL
  0 lcd                                              2.3.14     16    no
  1 system                                           2.3.14     30    no
  2 routing                                          2.3.14     19    no
  3 snmp                                             2.3.14     14    no
  4 ppp                                              2.3.14     18    no
  5 pptp                                             2.3.14     19    no
  6 pppoe                                            2.3.14     20    no
  7 ssh                                              2.3.14     24    no
  8 moxa-c101                                        2.3.14     14    no
[MikroTik] system package>

[MikroTik] system resource> irq print 
IRQ OWNER
1   keyboard                                                                  U
2   APIC                                                                      U
3
4   serial port                                                               U
5
6
7
8
9
10  ether1                                                                    U
11
12  ether2                                                                    U
13  FPU                                                                       U
14  IDE 1                                                                     U
[MikroTik] system resource> 

[MikroTik] driver> load c101 mem 0xd0000
[MikroTik] driver> print 
  # DRIVER                                       IRQ IO     MEMORY     ISD...
  0 RealTek RTL8129/8139                                                      D
  1 Moxa C101 Synchronous                                   0xd0000
[MikroTik] driver> 

[MikroTik] interface> print 
  # NAME                                                    TYPE        MTU
  0 ether1                                                  ether       1500
  1 ether2                                                  ether       1500
( 2)sync1                                                   sync        1500
[MikroTik] interface> set 2 name moxa
[MikroTik] interface> enable moxa
[MikroTik] interface> print 
  # NAME                                                    TYPE        MTU
  0 ether1                                                  ether       1500
  1 ether2                                                  ether       1500
  2 moxa                                                    sync        1500
[MikroTik] interface> 

  synchronous             Moxa Sync interfaces
[MikroTik] interface> synchronous 
[MikroTik] interface synchronous> print 
0   name: moxa mtu: 1500 rx-clock-source: rxc-line tx-clock-source: rxc-clock
    speed: 1092266 ignore-dcd: no line-protocol: cisco-hdlc

[MikroTik] interface synchronous> set ?
  _number_          Interface name or number
  name              New interface name
  mtu               Maximum Transmit Unit
  rx-clock-source   Receive clock source
  tx-clock-source   Transmit clock source
  speed             Speed of internal clock
  ignore-dcd        Ignore DCD
  line-protocol     Line protocol
[MikroTik] interface synchronous> set 

[MikroTik] interface synchronous> monitor 0
    dtr: yes
    rts: yes
    cts: no 
    dsr: no 
    dcd: no
[MikroTik] interface synchronous> 

[MikroTik] interface synchronous> monitor 0
    dtr: yes
    rts: yes
    cts: yes
    dsr: yes
    dcd: yes
[MikroTik] interface synchronous>

[MikroTik] ip address> add address 1.1.1.1/32 interface wan \
network 1.1.1.2 broadcast 255.255.255.255
[MikroTik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.0.0.254      255.255.255.0   10.0.0.254      10.0.0.255      ether2
  1 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   ether1
  2 1.1.1.1         255.255.255.255 1.1.1.2         255.255.255.255 wan
[MikroTik] ip address> /ping 1.1.1.2
1.1.1.2 pong: ttl=255 time=27 ms
1.1.1.2 pong: ttl=255 time=27 ms
1.1.1.2 pong: ttl=255 time=27 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 27/27.0/27 ms
[MikroTik] ip address> 

[MikroTik] ip route> add gateway 1.1.1.2 interface wan 
[MikroTik] ip route> pr
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.0.0.0        255.255.255.0   0.0.0.0         10.0.0.213      ether2  D K
  1 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   ether1  D K
  2 1.1.1.2         255.255.255.255 0.0.0.0         1.1.1.1         wan     D K
  3 0.0.0.0         0.0.0.0         1.1.1.2         0.0.0.0         wan
[MikroTik] ip route> 

[MikroTik] ip address> add address 1.1.1.2/32 interface moxa \
network 1.1.1.1 broadcast 255.255.255.255
[MikroTik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      Public
  1 1.1.1.2         255.255.255.255 1.1.1.1         255.255.255.255 moxa
[MikroTik] ip address> /ping 1.1.1.1
1.1.1.1 pong: ttl=255 time=27 ms
1.1.1.1 pong: ttl=255 time=27 ms
1.1.1.1 pong: ttl=255 time=27 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 27/27.0/27 ms
[MikroTik] ip address> 

[MikroTik] ip address> add address 1.1.1.1/32 interface wan \
network 1.1.1.2 broadcast 255.255.255.255
[MikroTik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.0.0.254      255.255.255.0   10.0.0.254      10.0.0.255      ether2
  1 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   ether1
  2 1.1.1.1         255.255.255.255 1.1.1.2         255.255.255.255 wan
[MikroTik] ip address> /ping 1.1.1.2
1.1.1.2 pong: ttl=255 time=27 ms
1.1.1.2 pong: ttl=255 time=27 ms
1.1.1.2 pong: ttl=255 time=27 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 27/27.0/27 ms
[MikroTik] ip address> 

[MikroTik] ip route> add gateway 1.1.1.2 interface wan 
[MikroTik] ip route> pr
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.0.0.0        255.255.255.0   0.0.0.0         10.0.0.213      ether2  D K
  1 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   ether1  D K
  2 1.1.1.2         255.255.255.255 0.0.0.0         1.1.1.1         wan     D K
  3 0.0.0.0         0.0.0.0         1.1.1.2         0.0.0.0         wan
[MikroTik] ip route> 

CISCO#show running-config 
Building configuration...

Current configuration:
...
!
interface Ethernet0
 description connected to EthernetLAN
 ip address 10.1.1.12 255.255.255.0
!
interface Serial0
 description connected to MikroTik
 ip address 1.1.1.2 255.255.255.252
 serial restart-delay 1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
...
end

CISCO#

CISCO#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/40 ms
CISCO#

PPTP

Overview

PPTP (Point to Point Tunnel Protocol) supports encrypted tunnels over IP.  The Mikrotik RouterOS implementation includes a PPTP client, a PPTP dynamic server, and a PPTP static server.  The following tunnels are supported:

• MikroTik RouterOS client to any PPTP server – for example Windows 2000
• MikroTik RouterOS client to MikroTik RouterOS static or dynamic server
• MikroTik RouterOS dynamic server to multiple MikroTik RouterOS clients and any clients with PPTP support
• MikroTik RouterOS static server to MikroTik RouterOS client or any PPTP client

General usage of PPTP tunnels:

• For secure router-to-router tunnels over the Internet to link local Intranets or LANs (when EoIP is also used)
• For Windows clients to remotely access an Intranet/LAN of a company (see PPTP setup for Windows for more information)
• For “Mobile IP” – get your company IP when connected to third party Internet connections

Topics covered in this section:

• Installation
• Hardware resource usage
• PPTP protocol description
• PPTP client setup
• PPTP dynamic server setup
• PPTP static server setup
• PPTP monitoring
• PPTP setup for Windows
• PPTP router-to-router secure tunnel example
• PPTP resources

PPTP Installation on the MikroTik RouterOS v2.3

The “pptp-2.3.0.npk”(less than 160KB) package and the “ppp-2.3.0.npk”(less than 370KB)  are required.  The package can be downloaded from MikroTik’s web page www.mikrotik.com .  To install the packages, please upload them to the router with ftp and reboot.  You may check to see if the PPTP and PPP packages are installed with the command:

[mikrotik]> system package print

  # NAME                                             VERSION    BUILD UNINSTALL
  0 routing                                          2.3.6      5     no
  1 aironet                                          2.3.6      5     no
  2 wavelan                                          2.3.6      5     no
  3 system                                           2.3.6      5     no
  4 snmp                                             2.3.6      5     no
  5 option                                           2.3.6      5     no
  6 ppp                                              2.3.6      5     no
  7 pptp                                             2.3.6      5     no
  8 pppoe                                            2.3.6      5     no
  9 radiolan                                         2.3.6      5     no
 10 ssh                                              2.3.6      5     no

[mikrotik]>

 Lines six and seven show that the PPTP and PPP packages are installed.

Hardware resource usage

PPTP uses a minimum amount of memory.  The current version of PPTP on RouterOS v2.3 uses a CPU intensive system which will run 5.6Mb/s on a Celeron 600MHz CPU.  RouterOS v2.4 has a re-written PPTP engine that will run approximately 60Mb/s on a Celeron 600MHz CPU. 

PPTP protocol description

Though the following may sound complex, our implementation of PPTP is easy to setup and manage.  PPTP, together with PPP, is a secure tunnel for transporting IP traffic.  PPTP encapsulates PPP in virtual lines that run over IP.  PPTP incorporates PPP and MPPE (Microsoft point to point encryption) to make encrypted links.  The purpose of this protocol is to make well-managed secure connections between 1) routers and routers 2) routers and Windows clients (or other OS with PPTP support).  PPTP includes PPP authentication and accounting for each PPTP connection.  Full authentication and accounting of each connection may be done through a RADIUS client or locally.  There are also additional PPP configurations for management of users and connections.  MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported.  PPTP traffic uses TCP port 1723 and IP protocol ID 47, as assigned by the Internet Assigned Numbers Authority (IANA). PPTP can be used with most firewalls and routers by enabling traffic destined for port 1723 to be routed through the firewall or router.  PPTP connections cannot be setup though a masqueraded/NAT IP connection.  Please see the Microsoft and RFC links at the end of this section for more information.

PPTP client setup

Each PPTP connection is composed of a server and a client.  The MikroTik RouterOS may function as a server or client – or for various configurations, it may be the server for some connections and client for other connections.  For example, the client created below could connect to a Windows 2000 server, another MikroTik Router, or another router which supports a PPTP server.  To add a PPTP client to the router:

[Rack1u] interface pptp-client> add name rack2u pap no chap no ms-chapv2 yes encryption required user test 
connect-to 10.5.8.171 idle-timeout 0 session-timeout 0
[Rack1u] interface pptp-client> print
(0) name: rack2u mtu: 1460 mru: 1460 pap: no chap: no ms-chapv2: yes
    encryption: required user: test connect-to: 10.5.8.171 idle-timeout: 0
    session-timeout: 0

name

Pap, chap, ms-chapv2

encryption

Will only work in encrypted mode when ms-chapv2 authentication is used.  For most links, it should be set to required.

none – no encryption

optional – 40bit or 128bit if server requests this

required – 40bit or 128bit if server agrees, link will be shut down if no agreement

non-stateless (description) – key is changed approximately every hour or depending on traffic

stateless – same as required plus key is changed for every packet

user

A user name and password must be added to the client router’s user database.  The user must be added with the attribute of group PPP.  When the client is being authenticated by the server, the client will send this user and the password from the client router’s user database.  The server user database must have the same user and password and PPP group attribute to authenticate the link.

Connect-to

idle-timeout

The link will be terminated if there is no activity with-in the time set – in seconds.  When set to “0,” there is no timeout.

session-timeout

The maximum time the connection can stay up.  When set to “0,” there is no timeout.

client-address

IP address of client connecting to the PPTP static server

PPTP dynamic server setup

The router supports one PPTP dynamic server.  This server supports unlimited connections from clients.  For each current connection, a dynamic interface is created.  While the PPTP dynamic server supports multiple clients, it does not support static routes, filters, and other IP level features that need to be attached to static interfaces.  The PPTP static server supports routes and other IP level features.

To add a dynamic server:

[Rack2u] interface pptp-dynamic-server server> set enabled yes pap no chap no ms-chapv2 yes encryption required 
local-address-from 10.9.0.1 local-address-to 10.9.0.1 remote-address-from 10.9.0.1 remote-address-to 10.9.0.100
[Rack2u] interface pptp-dynamic-server server> print

                enabled: yes
                    pap: no
                   chap: no
              ms-chapv2: yes
             encryption: required
                    mtu: 1460
                    mru: 1460
           idle-timeout: 0
        session-timeout: 0
     local-address-from: 10.9.0.1
       local-address-to: 10.9.0.1
    remote-address-from: 10.9.0.2
      remote-address-to: 10.9.0.100

enabled

        Yes or No 

Pap, chap, ms-chapv2

encryption

Will only work in encrypted mode when ms-chapv2 authentication is used.  For most links, it should be set to required.

none – no encryption

optional – 40bit or 128bit if client agrees to this

required – 40bit or 128bit if client agrees, link will be shut down if no agreement

non-stateless (description) – key is changed approximately every hour or depending on traffic

stateless – same as required plus key is changed for every packet

mtu

The default mtu is set to 1460 because of the PPTP overhead.  It may be changed for special situations.

mru

The default mru is set to 1460 because of the PPTP overhead.  It may be changed for special situations.

idle-timeout

The link will be terminated if there is no activity with-in the time set – in seconds.  When set to “0,” there is no timeout.

session-timeout

The maximum time the connection can stay up.  When set to “0,” there is no timeout.

local-address-from and local-address-to

The IP address of the PPTP local server.  Both the -from and –to can be the same.  The same local server address will be used on all connections that are created.

remote-address-from and remote-address-to

This should be set to an IP range.  This may limit the number of current connections if there are no free IPs available when a new connection is initiated.

PPTP static server setup

The PPTP static server is made for permanent connections between two routers.  One side of the PPTP tunnel must be set up as a static server and the other side as a client.  On both the static server side and the client side, it will be possible to add static routes, filters, and any other IP level features – for example an EoIP tunnel may be put on top of the PPTP encrypted tunnel to make an encrypted LAN-to-LAN bridge.

To add a PPTP static server interface:

[Rack2u] interface pptp-static-server> add name rack1u client-address 10.5.8.169 pap no chap no ms-chapv2 yes 
encryption required local-address 10.7.0.1 remote-address 10.7.0.2
[Rack2u] interface pptp-static-server> print
(0) name: rack1u client-address: 10.5.8.169 pap: no chap: no ms-chapv2: yes encryption: required 
mtu: 1460 mru: 1460 idle-timeout: 0 session-timeout: 0 local-address: 10.7.0.1 remote-address: 10.7.0.2

Pap, chap, ms-chapv2

Encrypted links are only supported when ms-chapv2 is selected.  This is a feature of the protocol.  It is suggest that pap and chap always be set to no, unless there is a special situation which requires an unencrypted link.

encryption

Will only work in encrypted mode when ms-chapv2 authentication is used.  For most links, it should be set to required.

none – no encryption

optional – 40bit or 128bit if client agrees to this

required – 40bit or 128bit if client agrees, link will be shut down if no agreement

non-stateless (description) – key is changed approximately every hour or depending on traffic

stateless – same as required plus key is changed for every packet

mtu

The default mtu is set to 1460 because of the PPTP overhead.  It may be changed for special situations.

mru

The default mru is set to 1460 because of the PPTP overhead.  It may be changed for special situations.

idle-timeout

A standard PPP setting.  The link will be terminated if there is no activity with-in the time set – in seconds.  When set to “0,” there is no timeout.

session-timeout

The maximum time the connection can stay up.  When set to “0,” there is no timeout.

local-address

The IP address of the PPTP local server.  The same local server address can be used on multiple static sever interfaces.

remote-address

This should be set to an IP address of the remote client.  PPTP connections for this static server will only be accepted from this address.

PPTP monitoring

To monitor a PPTP client:

[Rack1u] interface pptp-client> mon 0
      uptime: 2s
    encoding: MPPE 128 bit, stateless
      status: Connected

uptime



Connection time displayed in days, hours, minutes, and seconds.

encoding

Encryption being used in this connection. 

status

Dialing – attempting to make a connection

Connected – self-explanatory

Terminated – interface is not enabled or the other side will not establish a connection

PPTP router-to-router secure tunnel example

The following is an example of connecting two Intranets using an encrypted PPTP tunnel over the Internet.

There are three routers in this example:

HomeOffice

Interface LocalHomeOffice 10.150.2.254/24
Interface ToInternet 192.168.80.1/24

Internet

Interface ToHomeOffice 192.168.80.254/24
Interface ToRemoteOffice 192.168.81.254/24

RemoteOffice

Interface ToInternet 192.168.81.1/24
Interface LocalRemoteOffice 10.150.1.254/24

[RemoteOffice] user> add name remote password remote group ppp
[HomeOffice] user> add name remote password remote group ppp

[HomeOffice] interface pptp-static-server> print

0   name: FromRemoteOffice client-address: 192.168.81.1 pap: no chap: no
    ms-chapv2: yes encryption: required mtu: 1460 mru: 1460 idle-timeout: 0
    session-timeout: 0 local-address: 10.0.103.1 remote-address: 10.0.103.2

Add a PPTP client to the RemoteOffice router –

[RemoteOffice] interface pptp-client> pr

0   name: Tunnel_To_HomeOffice mtu: 1460 mru: 1460 pap: no chap: no
    ms-chapv2: yes encryption: required user: remote connect-to: 192.168.80.1 
    idle-timeout: 0 session-timeout: 0

To route the local Intranets over the PPTP tunnel – add these routes

To the HomeOffice router

  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  4 10.150.2.0      255.255.255.0   10.0.103.1      0.0.0.0         Tunn...

To the RemoteOffice router

  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  7 10.150.1.0      255.255.255.0   10.0.103.2      0.0.0.0         From...

Test the PPTP tunnel connection

[RemoteOffice]> /ping 10.0.103.1
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

Test the connection through the PPTP tunnel to the Intranet interface

[RemoteOffice]> /ping 10.150.2.254
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

PPTP Windows setup

Microsoft provides PPTP client support for Windows NT, 2000, ME, 98se, and 98.  Windows 98se, 2000, and ME include support in the Windows setup or automatically install PPTP.  For 95, NT, and 98, installation requires a download from Microsoft.  Many ISPs have made help pages to assist clients with Windows PPTP installation.  A zipped download of an instructional web page is available in PPTP_client_files.zip – this can be found in the utilities section of the download section.   This zipped file also includes files needed from Microsoft for upgrading Windows 95 and 98 to support PPTP.

Links:

http://www.real-time.com/Customer_Support/PPTP_Config/pptp_config.html
http://www.microsoft.com/windows95/downloads/contents/WUAdminTools/S_WUNetworkingTools/W95WinsockUpgrade/Default.asp

Sample instructions for PPTP (VPN) installation and client setup – Windows 98se:

 Additional Resources

Links for PPTP documentation:

http://msdn.microsoft.com/library/backgrnd/html/understanding_pptp.htm
http://support.microsoft.com/support/kb/articles/q162/8/47.asp
http://www.ietf.org/rfc/rfc2637.txt?number=2637
http://www.ietf.org/rfc/rfc3078.txt?number=3078
http://www.ietf.org/rfc/rfc3079.txt?number=3079

[mikrotik]> system package print
  # NAME                                             VERSION    BUILD UNINSTALL
  0 routing                                          2.4.0      1     no
  1 aironet                                          2.4.0      1     no
  2 wavelan                                          2.4.0      1     no
  3 system                                           2.4.0      1     no
  4 snmp                                             2.4.0      1     no
  5 option                                           2.4.0      1     no
  6 ppp                                              2.4.0      1     no
  7 pptp                                             2.4.0      1     no
  8 pppoe                                            2.4.0      1     no
  9 radiolan                                         2.4.0      1     no
 10 ssh                                              2.4.0      1     no

[mikrotik]>

  0   name=pppoe-out1 interface=gig service-name=testSN user=john pap=no

      chap=yes ms-chapv2=no mtu=1492 mru=1492 idle-timeout=0s

      session-timeout=0s add-default-route=yes dial-on-demand=no

      use-peer-dns=no encryption=none compression=no local-address=0.0.0.0

      remote-address=0.0.0.0 ac-name="" mss-update=1452

 

name

interface

mtu and mru

Pap, chap, ms-chapv2

encryption

        none – no encryption

        optional – 40bit or 128bit if server requests this

        required – 40bit or 128bit if server agrees, link will be shut down if no agreement

        non-stateless (description) – key is changed approximately every hour or depending on traffic

        stateless – same as required plus key is changed for every packet

user

idle-timeout

session-timeout

dial-on-demand

use-peer-dns

compression

local-address

session-timeout

remote-address

service

ac-name

Add-default-route

mss-update

  0   service-name=testSN interface=gig local-from=5.5.5.1 local-to=5.5.5.1

      remote-from=6.6.6.1 remote-to=6.6.6.250 mtu=1492 mru=1492 pap=no chap=yes

      ms-chapv2=no idle-timeout=0s session-timeout=0s compression=no

      encryption=none

 

Pap, chap, ms-chapv2

encryption
        Will only work in encrypted mode when ms-chapv2 authentication is used.  For most setups, it should be set to none. 
        none – no encryption
        optional – 40bit or 128bit if client agrees to this
        required – 40bit or 128bit if client agrees, link will be shut down if no agreement
        non-stateless (description) – key is changed approximately every hour or depending on traffic
        stateless – same as required (non-stateless) plus key is changed for every packet 
interface

compression

service

mtu

mru

idle-timeout

session-timeout

local-address-from and local-address-to

remote-address-from and remote-address-to 

IPIP Tunnels

Overview

The IPIP tunneling implementation on the MikroTik RouterOS is RFC 2003 compliant.  IPIP tunnel is a simple protocol that encapsulates IP packets in IP to make a tunnel between two routers.  The IPIP interface appears as an interface.  Many routers, including Cisco and Linux based, support this protocol.  This protocol makes multiple network schemes possible. 

Network setups with IPIP interfaces:

• Possibility to tunnel Intranets over the Internet
• Possibility to avoid using source routing

Topics covered in this section:

• Installation
• Hardware resource usage
• IPIP interface and protocol description
• IPIP setup
• IPIP Cisco example

IPIP installation on the MikroTik RouterOS v2.3

The IPIP tunnel feature is included in the “system” package.

Hardware resource usage

This protocol uses a minimum of resources.

IPIP interface and protocol description

An IPIP interface should be configured on two routers that have the possibility for an IP level connection and are RFC 2003 compliant.  The IPIP tunnel may run over any connection that transports IP.  Each IPIP tunnel interface can connect with one remote router which has a corresponding interface configured. An unlimited number of IPIP tunnels may be added to the router.  For more details on IPIP tunnels, see RFC 2003.

IPIP setup

To add an IPIP interface:

[Rack1u] interface ipip> add name test_IPIP mtu 1480 local-address 10.5.8.169 remote-address 10.5.8.171
[Rack1u] interface ipip> print

(0) name: test_IPIP mtu: 1480 local-address: 10.5.8.169
    remote-address: 10.5.8.171

name

mtu

local-address

remote-address

The IP address of the other side of the IPIP tunnel – may be any RFC 2003 compliant router.

There is no authentication or “state” for this interface.  The bandwidth usage of the interface may be monitored with the “monitor” feature from the “interface” menu.

IPIP Cisco example

Our IPIP implementation has been tested with Cisco 1005.  Sample of the Cisco 1005 configuration:

interface Tunnel0

 ip address 10.3.0.1 255.255.255.0
tunnel source 10.5.8.179
tunnel destination 10.5.8.169
tunnel mode ipip

Additional Resources

Links for IPIP documentation:

http://www.ietf.org/rfc/rfc1853.txt?number=1853
http://www.ietf.org/rfc/rfc2003.txt?number=2003
http://www.ietf.org/rfc/rfc1241.txt?number=1241

Ethernet over IP Tunnels (EoIP)

Overview

Ethernet over IP (EoIP) Tunneling is a RouterOS protocol that creates an Ethernet tunnel between two routers on top of an IP connection.  The EoIP interface appears as an Ethernet interface.  When the bridging function of the router is enabled, all Ethernet level traffic (all Ethernet protocols) will be bridged just as if there where a physical Ethernet interface and cable between the two routers (with bridging enabled).  This protocol makes multiple network schemes possible. 

Network setups with EoIP interfaces:

• Possibility to bridge LANs over the Internet
• Possibility to bridge LANs over encrypted tunnels
• Possibility to bridge LANs over 802.11b “ad-hoc” wireless networks

Topics covered in this section:

• Installation
• Hardware resource usage
• EoIP interface and protocol description
• EoIP setup

EoIP installation on the MikroTik RouterOS v2.3

The Ethernet over IP tunnel feature is included in the “system” package.

Hardware resource usage

To achieve 100Mb/s Ethernet level wire speed (85Mb/s), it is suggested that Celeron 600MHz and higher CPUs be used on each router – in this situation, the CPU usage was ~60%.  Optimization of this implementation will soon decrease the usage of resource usage.

EoIP interface and protocol description

An EoIP interface should be configured on two routers that have the possibility for an IP level connection.  The EoIP tunnel may run over an IPIP tunnel, a PPTP 128bit encrypted tunnel, a PPPoE connection, or any connection that transports IP.  Each EoIP tunnel interface can connect with one remote router which has a corresponding interface configured with the same “Tunnel ID.”  Up to sixteen (numbered 0-15) EoIP tunnels may be created on a router (please contact us if there is an important reason to increase the number of EoIP tunnels per router).  The EoIP interface appears as an Ethernet interface under the interface list.  This interface supports all features of and Ethernet interface.  IP addresses and other tunnels may be run over the interface.  The EoIP protocol encapsulates Ethernet frames in UDP packets and sends them to the remote side of the EoIP tunnel.  The tunnel transmits and listens to the UDP port 4444 + tunnel ID.

EoIP setup

To add an EoIP interface:

[Rack1u] interface eoip> add name to_2u tunnel-id 1 remote-address 10.5.8.171

0   name: to_2u mtu: 1500 mac-address: FE:FD:00:00:00:00 arp: enabled
    tunnel-id: 1 remote-address: 10.111.0.1

Descriptions of settings:

name

Interface name for reference

mtu

Should be set to 1500bytes.

mac-address

A default virtual MAC address is generated.  It may be changed if there is a conflict.

arp

Enabled by default.

tunnel-id

Should be a number from 0-16 which has not been used for another EoIP tunnel.

remote-address

The IP address of the other side of the EoIP tunnel – must be a MikroTik router.

To make an Ethernet bridge between two routers with EoIP tunnels, bridging should be enabled on both routers.  There is no authentication or “state” for this interface.  The bandwidth usage of the interface may be monitored with the “monitor” feature from the “interface” menu.

ISDN Server

Managing ISDN Server from Console

It is done from "interface isdn-server" submenu.

Where <interface> is an interface name or number obtained from "print" command.

ISDN Client

Managing ISDN Client from JAVA

It is done from Interfaces list. To add isdn client you have to choose add

Managing ISDN Client from Console

It is done from "interface isdn-client" submenu.

Where <interface> is an interface name or number obtained from "print" command.

LMC- WAN

Managing LMC- WAN from Console

It is done from "lmc-wan" submenu.

Where <interface> is an interface name or number obtained from "print" command.

[mikrotik]> system package print 
  # NAME                                                VERSION    BUILD UNINSTALL
  0 system                                              2.3.7      8     no
  1 ppp                                                 2.3.7      6     no
  2 pppoe                                               2.3.7      10    no
  3 pptp                                                2.3.7      6     no
  4 routing                                             2.3.7      7     no
  5 ssh                                                 2.3.6      7     no
  6 aironet                                             2.3.7      6     no
[mikrotik]> 

[mikrotik]> system resource irq print
IRQ OWNER
1   keyboard                                                                  U
2   APIC                                                                      U
3   Local                                                                     U
4   serial port                                                               U
5
6
7
8
9
10
11  Public                                                                    U
12
13  FPU                                                                       U
14  IDE 1                                                                     U
[mikrotik]> system resource io print
IO        OWNER
0020-003f APIC
0040-005f timer
0060-006f keyboard
0080-008f DMA
00a0-00bf APIC
00c0-00df DMA
00f0-00ff FPU
01f0-01f7 IDE 1
0300-031f Local
03c0-03df VGA
03f6-03f6 IDE 1
03f8-03ff serial port
6100-61ff Public
f000-f007 IDE 1
f008-f00f IDE 2

[mikrotik]> driver load pc-isa io 0x180
[mikrotik]> driver print
  # DRIVER                                       IRQ IO     MEMORY     ISD...
  0 RealTek RTL8129/8139                                                      D
  1 ISA NE2000                                       0x300
  2 Aironet ISAxx00                                  0x180
[mikrotik] driver>

[mikrotik] interface> print
  # NAME                                                    TYPE        MTU
  0 Public                                                  ether       1500
  1 Local                                                   ether       1500
 (2)pc0                                                     pc          1500
[mikrotik] interface> set 2 name aironet
[mikrotik] interface> enable aironet
[mikrotik] interface> print
  # NAME                                                    TYPE        MTU
  0 Public                                                  ether       1500
  1 Local                                                   ether       1500
  2 aironet                                                 pc          1500

[mikrotik] interface> pc
[mikrotik] interface pc> print
0   name: aironet mtu: 1500 mac-address: 00:40:96:29:02:88
    mode: infrastructure rts-threshold: 2312 fragmentation-threshold: 2312
    tx-power: 100 rx-diversity: right tx-diversity: right long-retry-limit: 16
    short-retry-limit: 16 channel: 2437MHz data-rate: auto
    ap1: 00:00:00:00:00:00 ap2: 00:00:00:00:00:00 ap3: 00:00:00:00:00:00
    ap4: 00:00:00:00:00:00 ssid1: tsunami ssid2: "" ssid3: "" modulation: cck
    client-name: "" beacon-period: 100 join-net: 10s arp: enabled
    firmware-version: PC4800A(3.65)

[mikrotik] interface pc>

[mikrotik] interface pc> monitor 0
              quality: 0
             strength: 0
         current-rate: 11Mbit/s
    current-frequency: 2437MHz
         synchronized: no
           associated: no
                 ssid: tsunami
         access-point: FF:FF:FF:FF:FF:FF
    access-point-name:

[mikrotik] interface pc>

[mikrotik] interface pc> set 0 ssid1 mt
[mikrotik] interface pc> monitor 0
              quality: 63
             strength: 131
         current-rate: 11Mbit/s
    current-frequency: 2412MHz
         synchronized: yes
           associated: yes
                 ssid: mt
         access-point: 00:40:96:00:06:72
    access-point-name: Gulf
[mikrotik] interface pc>

[mikrotik] interface pc> set 0 ssid1 mt mode infrastructure
[mikrotik] interface pc> monitor 0
              quality: 62
             strength: 129
         current-rate: 11Mbit/s
    current-frequency: 2442MHz
         synchronized: yes
           associated: yes
                 ssid: mt
         access-point: 00:40:96:00:06:72
    access-point-name: Gulf
[mikrotik] interface pc>

[mikrotik] ip address> add address 10.1.1.12/24 interface aironet
[mikrotik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   Local
  1 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      aironet
[mikrotik] ip address>

[mikrotik] ip route> add gw 10.1.1.254 interface aironet
[mikrotik] ip route> print
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   Local   D K
  1 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       aironet D K
  2 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         aironet
[mikrotik] ip route>

[mikrotik] interface pc> set 0 mode ad-hoc ssid1 b_link channel 2442MHz data-rate auto
[mikrotik] interface pc> monitor 0
              quality: 0
             strength: 0
         current-rate: 11Mbit/s
    current-frequency: 2412MHz
         synchronized: no
           associated: no
                 ssid: b_link
         access-point: FF:FF:FF:FF:FF:FF
    access-point-name:
[mikrotik] interface pc>

[mikrotik] interface pc> monitor 0
              quality: 62
             strength: 129
         current-rate: 11Mbit/s
    current-frequency: 2412MHz
         synchronized: yes
           associated: no
                 ssid: b_link
         access-point: 16:01:0B:02:17:00
    access-point-name:
[mikrotik] interface pc>

[wnet_gw] interface pc> set 0 mode ad-hoc ssid1 b_link channel 2412MHz data-rate auto
[wnet_gw] interface pc> monitor 0
              quality: 58
             strength: 122
         current-rate: 11Mbit/s
    current-frequency: 2412MHz
         synchronized: yes
           associated: no
                 ssid: b_link
         access-point: 16:01:0B:02:17:00
    access-point-name:
[wnet_gw] interface pc> 

[mikrotik] ip address> add address 192.168.11.1/30 interface aironet
[mikrotik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   Local
  1 192.168.11.1    255.255.255.252 192.168.11.1    192.168.11.3    aironet
[mikrotik] ip address>

[wnet_gw] ip address> add address 192.168.11.2/30 interface pc1 
[wnet_gw] ip address> print 
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 192.168.11.2    255.255.255.252 192.168.11.2    192.168.11.3    pc1
  1 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      Public
[wnet_gw] ip address> /ping 192.168.11.1
192.168.11.1 pong: ttl=255 time=3 ms
192.168.11.1 pong: ttl=255 time=1 ms
192.168.11.1 pong: ttl=255 time=1 ms
192.168.11.1 pong: ttl=255 ping interrupted
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1/1.5/3 ms
interrupted
[wnet_gw] ip address> /tool btest 192.168.11.1 protocol tcp 
connecting
current = 4.6Mbps   10secavg = 4.6Mbps   totalavg = 4.6Mbps
current = 4.7Mbps   10secavg = 4.6Mbps   totalavg = 4.6Mbps
current = 4.7Mbps   10secavg = 4.6Mbps   totalavg = 4.6Mbps
current = 4.3Mbps   10secavg = 4.6Mbps   totalavg = 4.6Mbps
current = 4.5Mbps   10secavg = 4.5Mbps   totalavg = 4.5Mbps
current = 4.6Mbps   10secavg = 4.5Mbps   totalavg = 4.5Mbps
[wnet_gw] ip address> /tool btest 192.168.12.1 protocol udp size 1500
connecting
current = 1500.0kbps   10secavg = 1500.0kbps   totalavg = 1500.0kbps
current = 2.0Mbps   10secavg = 1775.3kbps   totalavg = 1775.3kbps
current = 2.9Mbps   10secavg = 2.1Mbps   totalavg = 2.1Mbps
current = 4.4Mbps   10secavg = 2.7Mbps   totalavg = 2.7Mbps
current = 5.6Mbps   10secavg = 3.3Mbps   totalavg = 3.3Mbps
current = 5.6Mbps   10secavg = 3.6Mbps   totalavg = 3.6Mbps
current = 5.6Mbps   10secavg = 3.9Mbps   totalavg = 3.9Mbps
current = 5.6Mbps   10secavg = 4.1Mbps   totalavg = 4.1Mbps
[wnet_gw] ip address> 

Arlan IC2200 Interfaces

Arlan IC2200 interfaces include Aironet’s Arlan IC2200 (655) 2.4GHz 2Mbps ISA Client Cards. This hardware line has been discontinued.

Managing Arlan IC2200 Interfaces from Java

Arlan IC2200 specific parameters can be controlled from the “Radio” tab in interface details window. Current status (registration status and registered router and backbone) can be monitored in real time on “Status” tab in interface details window.

Managing Arlan IC2200 Interfaces from Console

Arlan IC2200 interface management is done in the submenu “interface arlan”.

Where <interface> is interface name or number obtained from “print“ command.

Interface status includes registration status and registered router and backbone.

Arlan IC2200 Parameter Description

RadioLAN Interfaces

[MikroTik]> system package print
  # NAME                                             VERSION    BUILD UNINSTALL
  0 routing                                          2.3.15     21    no
  1 snmp                                             2.3.15     15    no
  2 ppp                                              2.3.15     20    no
  3 pptp                                             2.3.15     21    no
  4 pppoe                                            2.3.15     22    no
  5 ssh                                              2.3.15     26    no
  6 system                                           2.3.15     32    no
  7 radiolan                                         2.3.15     16    no
[MikroTik]>

[MikroTik]> system resource irq print
IRQ OWNER
1   keyboard                                                                  U
2   APIC                                                                      U
3
4   serial port                                                               U
5
6
7
8
9   ether1                                                                    U
10
11
12
13  FPU                                                                       U
14  IDE 1                                                                     U
[MikroTik]> system resource io print
IO        OWNER
0020-003f APIC
0040-005f timer
0060-006f keyboard
0080-008f DMA
00a0-00bf APIC
00c0-00df DMA
00f0-00ff FPU
01f0-01f7 IDE 1
02f8-02ff serial port
03c0-03df VGA
03f6-03f6 IDE 1
03f8-03ff serial port
ef00-efff ether1
fc00-fc07 IDE 1
fc08-fc0f IDE 2
fc10-fc7f [CS5530]
[MikroTik]>

[MikroTik]> driver load radiolan io 0x300
[MikroTik]> driver print
  # DRIVER                                       IRQ IO     MEMORY     ISD...
  0 RealTek RTL8129/8139                                                      D
  1 ISA RadioLAN                                     0x300
[MikroTik]>

[MikroTik] interface> print
  # NAME                                                    TYPE        MTU
  0 ether1                                                  ether       1500
( 1)radiolan1                                               radiolan    1500
[MikroTik] interface> enable radiolan1
[MikroTik] interface> print
  # NAME                                                    TYPE        MTU
  0 ether1                                                  ether       1500
  1 radiolan1                                               radiolan    1500
[MikroTik] interface>

[MikroTik] interface> radiolan
[MikroTik] interface radiolan> print
0   name: radiolan1 mtu: 1500 mac-address: 00:A0:D4:20:42:EE distance: 0-150m
    tx-diversity: disabled rx-diversity: disabled default-dst: firstclient
    max-retries: 15 sid: bbbb card-name: 00A0D42042EE
    cfg-destination: 00:00:00:00:00:00 arp: enabled

[MikroTik] interface radiolan>

[MikroTik] interface radiolan> monitor radiolan1
    default: 00:00:00:00:00:00
      valid: no
[MikroTik] interface radiolan>

[MikroTik] interface radiolan> set 0 sid ba72 distance 4.7km-6.6km
[MikroTik] interface radiolan> print
0   name: radiolan1 mtu: 1500 mac-address: 00:A0:D4:20:42:EE
    distance: 4.7km-6.6km tx-diversity: disabled rx-diversity: disabled
    default-dst: firstclient max-retries: 15 sid: ba72 card-name: 00A0D42042EE
    cfg-destination: 00:00:00:00:00:00 arp: enabled

[MikroTik] interface radiolan> monitor 0
    default: 00:A0:D4:20:42:47
      valid: yes

[MikroTik] interface radiolan>

[MikroTik] interface radiolan> neighbours print radiolan1
NAME             MAC-ADDRESS       FLAGS ACCESS-POINT
00A0D4204247     00:A0:D4:20:42:47    D
[MikroTik] interface radiolan>

[MikroTik] interface radiolan> ping radiolan1 \
mac-address 00:A0:D4:20:42:47 size 1500 count 50
Sent: 2/50 (4%), Ok: 2/2 (100%) max/avg/min retries: 0/0.0/0
Sent: 12/50 (24%), Ok: 12/12 (100%) max/avg/min retries: 0/0.0/0
Sent: 22/50 (44%), Ok: 22/22 (100%) max/avg/min retries: 0/0.0/0
Sent: 32/50 (64%), Ok: 32/32 (100%) max/avg/min retries: 0/0.0/0
Sent: 42/50 (84%), Ok: 42/42 (100%) max/avg/min retries: 0/0.0/0
Sent: 50/50 (100%), Ok: 50/50 (100%) max/avg/min retries: 0/0.0/0
[MikroTik] interface radiolan>

[MikroTik] ip address> add address 10.1.0.1/30 interface radiolan1
[MikroTik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.1.0.1        255.255.255.252 10.1.0.1        10.1.0.3        radiolan1
  1 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      ether1
[MikroTik] ip address>

[MikroTik] ip route> add gateway 10.1.1.254 interface ether1
[MikroTik] ip route> add dst-address 192.168.0.0/24 gateway 10.1.0.2 \
interface radiolan1
[MikroTik] ip route> print
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       ether1  D K
  1 10.1.0.0        255.255.255.252 0.0.0.0         10.1.0.1        radi... D K
  2 192.168.0.0     255.255.255.0   10.1.0.2        0.0.0.0         radi...
  3 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         ether1
[MikroTik] ip route>

[MikroTik] bridge> set ip forward arp forward other forward
[MikroTik] bridge> print
           ip: forward
          arp: forward
          ipx: discard
    appletalk: discard
         ipv6: discard
        other: forward
     priority: 1
[MikroTik] bridge> interface
[MikroTik] bridge interface> print
  # INTERFACE                                                           FORWARD
  0 ether1                                                              no
  1 radiolan1                                                           no
[MikroTik] bridge interface> set 0 forward yes
[MikroTik] bridge interface> set 1 forward yes
[MikroTik] bridge interface> pr
  # INTERFACE                                                           FORWARD
  0 ether1                                                              yes
  1 radiolan1                                                           yes
[MikroTik] bridge interface>

[MikroTik] interface> print
  # NAME                                                    TYPE        MTU
  0 ether1                                                  ether       1500
  1 radiolan1                                               radiolan    1500
( 2)bridge1                                                 bridge      1500
[MikroTik] interface> enable 2
[MikroTik] interface> /ip address
[MikroTik] ip address> add address 10.1.1.12/24 interface bridge1
[MikroTik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      bridge1
[MikroTik] ip address> .. route add gateway 10.1.1.254 interface bridge1
[MikroTik] ip address> .. route print
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       bridge1 D K
  1 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         bridge1
[MikroTik] ip address>

WaveLAN Interfaces Base Configuration

[MikroTik] system package> print 
  # NAME                                             VERSION    BUILD UNINSTALL
  0 routing                                          2.3.15     21    no
  1 snmp                                             2.3.15     15    no
  2 ppp                                              2.3.15     20    no
  3 pptp                                             2.3.15     21    no
  4 pppoe                                            2.3.15     22    no
  5 ssh                                              2.3.15     26    no
  6 system                                           2.3.15     32    no
  7 option                                           2.3.15     20    no
  8 wavelan                                          2.3.15     21    no
[MikroTik] system package>

[[MikroTik] system resource> irq print 
IRQ OWNER
1   keyboard                                                                  U
2   APIC                                                                      U
3
4
5
6
7
8
9
10  ether1                                                                    U
11
12
13  FPU                                                                       U
14  IDE 1                                                                     U
[MikroTik] system resource> io print 
IO        OWNER
0020-003f APIC
0040-005f timer
0060-006f keyboard
0080-008f DMA
00a0-00bf APIC
00c0-00df DMA
00f0-00ff FPU
01f0-01f7 IDE 1
03c0-03df VGA
03e0-03e1 PCMCIA service
03f6-03f6 IDE 1
6100-611f ether1
[MikroTik] system resource> 

[MikroTik] interface> print 
  # NAME                                                    TYPE        MTU
  0 ether1                                                  ether       1500
( 1)wavelan1                                                wavelan     1500
[MikroTik] interface> enable 1
[MikroTik] interface> print 
  # NAME                                                    TYPE        MTU
  0 ether1                                                  ether       1500
  1 wavelan1                                                wavelan     1500
[MikroTik] interface> 

[MikroTik] interface> wavelan 
[MikroTik] interface wavelan> print 
0   name: wavelan1 mtu: 1500 mac-address: 00:02:2D:07:17:23 channel: 2412MHz
    date-rate: 11Mbit/s mode: ad-hoc ssid: "" client-name: "" key1: ""
    key2: "" key3: "" key4: "" tx-key: key1 encryption: no arp: arp

[MikroTik] interface wavelan> 

[MikroTik] interface wavelan> monitor wavelan1 
             bssid: 00:00:00:00:00:00
           channel: 2422MHz
         data-rate: 2Mbit/s
              ssid:
    signal-quality: 0
      signal-level: 154
             noise: 154
[MikroTik] interface wavelan> 

[MikroTik] interface wavelan> set 0 ssid MT_w_AP
[MikroTik] interface wavelan> monitor wavelan1 
             bssid: 00:60:B3:66:C7:40
           channel: 2452MHz
         data-rate: 11Mbit/s
              ssid: MT_w_AP
    signal-quality: 56
      signal-level: 213
             noise: 157
[MikroTik] interface wavelan> 

[MikroTik] interface wavelan> set wavelan1 ssid mt
[MikroTik] interface wavelan> monitor wavelan1 
             bssid: 00:60:B3:66:C7:40
           channel: 2442MHz
         data-rate: 11Mbit/s
              ssid: mt
    signal-quality: 56
      signal-level: 214
             noise: 158
[MikroTik] interface wavelan> 

[MikroTik] ip address> add address 10.1.1.12/24 interface wavelan1 
[MikroTik] ip address> add address 192.168.0.254/24 interface ether1 
[MikroTik] ip address> print 
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      wavelan1
  1 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   ether1
[MikroTik] ip address> 

[MikroTik] ip route> print 
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       wave... D K
  1 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   ether1  D K
  2 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         wave...
[MikroTik] ip route> 

[MikroTik] interface wavelan> set 0 ssid b_link mode ad-hoc channel 2412MHz 
[MikroTik] interface wavelan> monitor wavelan1 
             bssid: 00:02:2D:07:17:23
           channel: 2412MHz
         data-rate: 11Mbit/s
              ssid: b_link
    signal-quality: 0
      signal-level: 154
             noise: 154
[MikroTik] interface wavelan> 

[wnet_gw] interface wavelan> set 0 ssid b_link mode ad-hoc channel 2412MHz 
[wnet_gw] interface wavelan> enable 0
[wnet_gw] interface wavelan> monitor 0
             bssid: 00:02:2D:07:17:23
           channel: 2412MHz
         data-rate: 11Mbit/s
              ssid: b_link
    signal-quality: 0
      signal-level: 154
             noise: 154
[wnet_gw] interface wavelan> 

[MikroTik] ip address> add address 10.0.0.1/30 interface wavelan1 
[MikroTik] ip address> add address 192.168.0.254/24 interface ether1 
[MikroTik] ip address> print 
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.0.0.1        255.255.255.252 10.0.0.1        10.0.0.3        wavelan1
  1 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   ether1
[MikroTik] ip address> /ip route add gateway 10.0.0.2 interface wavelan1 
[MikroTik] ip address> /ip route print 
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.0.0.0        255.255.255.252 0.0.0.0         10.0.0.1        wave... D K
  1 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   ether1  D K
  2 0.0.0.0         0.0.0.0         10.0.0.2        0.0.0.0         wave...
[MikroTik] ip address>

[wnet_gw] ip address> add address 10.0.0.2/30 interface wl1 
[wnet_gw] ip address> add address 10.1.1.12/24 interface Public 
[wnet_gw] ip address> print 
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.0.0.2        255.255.255.252 10.0.0.2        10.0.0.3        wl1
  1 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      Public
[wnet_gw] ip address> /ip route 
[wnet_gw] ip route> add gateway 10.1.1.254 interface Public 
[wnet_gw] ip route> add gateway 10.0.0.1 interface wl1 \
                    dst-address 192.168.0.0/24
[wnet_gw] ip route> print 
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.0.0.0        255.255.255.252 0.0.0.0         10.0.0.2        wl1     D K
  1 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       Public  D K
  2 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         Public
  3 192.168.0.0     255.255.255.0   10.0.0.1        0.0.0.0         wl1
[wnet_gw] ip route> 

[MikroTik]> ping 10.0.0.2
10.0.0.2 pong: ttl=255 time=2 ms
10.0.0.2 pong: ttl=255 time=2 ms
10.0.0.2 pong: ttl=255 time=2 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 2/2.0/2 ms
interrupted
[MikroTik]> tool btest 10.0.0.2 protocol udp size 1500
connecting
current = 1500.0kbps   10secavg = 1500.0kbps   totalavg = 1500.0kbps
current = 2039.0kbps   10secavg = 1769.5kbps   totalavg = 1769.5kbps
current = 2.8Mbps   10secavg = 2.1Mbps   totalavg = 2.1Mbps
current = 4.1Mbps   10secavg = 2.6Mbps   totalavg = 2.6Mbps
current = 4.1Mbps   10secavg = 2.9Mbps   totalavg = 2.9Mbps
current = 4.1Mbps   10secavg = 3.1Mbps   totalavg = 3.1Mbps
current = 4.2Mbps   10secavg = 3.2Mbps   totalavg = 3.2Mbps
[MikroTik]> 

[home_gw] interface wavelan> set wl-home channel 2447MHz \
          mode ad-hoc ssid home_link
[home_gw] interface wavelan> enable wl-home 
[home_gw] interface wavelan> print 
0   name: wl-home mtu: 1500 mac-address: 00:02:2D:07:D8:44 channel: 2447MHz
    date-rate: 11Mbit/s mode: ad-hoc ssid: home_link client-name: "" key1: ""
    key2: "" key3: "" key4: "" tx-key: key1 encryption: no arp: arp

[home_gw] interface wavelan> monitor 0
             bssid: 02:02:2D:07:D8:44
           channel: 2447MHz
         data-rate: 11Mbit/s
              ssid: home_link
    signal-quality: 0
      signal-level: 154
             noise: 154
[home_gw] interface wavelan> 

[home_gw] ip address> add interface Public address 10.1.1.12/24
[home_gw] ip address> add interface wl-home address 192.168.0.254/24
[home_gw] ip address> print 
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      Public
  1 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   wl-home
[home_gw] ip address> /ip route 
[home_gw] ip route> add gateway 10.1.1.254 interface Public
[home_gw] ip route> print 
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       Public  D K
  1 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   wl-home D K
  2 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         Public
[home_gw] ip route>

[home_gw] ip dhcp-server> print
0   interface: Public enabled: no from-address: 0.0.0.0 to-address: 0.0.0.0
    lease-time: 0:10:00 netmask: 0.0.0.0 gateway: 0.0.0.0 src-address: 0.0.0.0
    dns-server: 0.0.0.0 domain: ""

1   interface: wl-home enabled: no from-address: 0.0.0.0 to-address: 0.0.0.0
    lease-time: 0:10:00 netmask: 0.0.0.0 gateway: 0.0.0.0 src-address: 0.0.0.0
    dns-server: 0.0.0.0 domain: ""

[home_gw] ip dhcp-server> set 1 enabled yes from-address 192.168.0.1 to-address
192.168.0.200 netmask 255.255.255.0 gateway 192.168.0.254 src-address 192.168.0.
254 dns-server 159.148.147.194 domain myhome.com
[home_gw] ip dhcp-server> print
0   interface: Public enabled: no from-address: 0.0.0.0 to-address: 0.0.0.0
    lease-time: 0:10:00 netmask: 0.0.0.0 gateway: 0.0.0.0 src-address: 0.0.0.0
    dns-server: 0.0.0.0 domain: ""

1   interface: wl-home enabled: yes from-address: 192.168.0.1
    to-address: 192.168.0.200 lease-time: 0:10:00 netmask: 255.255.255.0
    gateway: 192.168.0.254 src-address: 192.168.0.254
    dns-server: 159.148.147.194 domain: myhome.com

[home_gw] ip dhcp-server> 

[home_gw] ip dhcp-server> lease print 
  # ADDRESS         MAC-ADDRESS       INTERFACE            EXPIRES-AT
  0 192.168.0.1     00:02:2D:07:17:23 wl-home              sep/14/2001 10:58:23
[home_gw] ip dhcp-server>

[home_gw] ip dhcp-server> /ping 192.168.0.1
192.168.0.1 pong: ttl=32 time=3 ms
192.168.0.1 pong: ttl=32 time=2 ms
192.168.0.1 pong: ttl=32 time=2 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 2/2.3/3 ms
interrupted
[home_gw] ip dhcp-server> 

[home_gw] ip firewall rule> add forward action masq src-address 192.168.0.0/24 i
nterface Public 
[home_gw] ip firewall rule> print forward 
0   action: masq protocol: all src-address: 192.168.0.0
    src-netmask: 255.255.255.0 src-ports: 0-65535 dst-address: 0.0.0.0
    dst-netmask: 0.0.0.0 dst-ports: 0-65535 interface: Public log: no

[home_gw] ip firewall rule> 

PrismII Wireless Client and Wireless Access Point

Document revision 09-Aug-2001
This document applies to the V2.4 of the MikroTik RouterOS

Overview

• RF-LINK 1100N 2.4GHz DSSS 11Mbps Wireless LAN PC Card
• Z-Com's LANEscape XI-300 Wireless PC Card

For more information about adapter hardware please see the relevant User’s Guides and Technical Reference Manuals of the hardware manufacturers.

The MikroTik RouterOS supports the PrismII chipset based wireless adapter cards for working both as wireless clients (station mode) and wireless access points (access point mode).

Contents of the Manual

• Wireless Adapter Hardware and Software Installation
• Wireless Interface Configuration
  Station Mode Configuration
  Access Point Mode Configuration
  
• Troubleshooting
• Wireless Network Applications

Software Packages

[MikroTik] > sys package print                                                 
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 routing                2.4rc6                aug/06/2001 15:56:22 no       
  1 snmp                   2.4rc6                aug/06/2001 15:56:24 no       
  2 ppp                    2.4rc6                aug/06/2001 15:56:37 no       
  3 pptp                   2.4rc6                aug/06/2001 15:56:47 no       
  4 pppoe                  2.4rc6                aug/06/2001 15:56:53 no       
  5 ssh                    2.4rc6                aug/06/2001 15:58:11 no       
  6 system                 2.4rc6                aug/06/2001 15:56:04 no       
  7 prism                  2.4rc6                aug/06/2001 15:58:54 no       
[MikroTik] >   

Software License

The 2.4GHz Wireless Feature License enables only the station mode of the Prism II card. To enable the access point mode, additionally the Wireless AP Feature License is required.

The MikroTik RouterOS supports as many PrismII chipset based cards as many free resources are on your system, i.e., IRQs and adapter slots. One license is valid for all cards on your system.

System Resource Usage

[MikroTik] > system resource irq print                                         
 IRQ USED OWNER                                                                 
 1   yes  keyboard                                                              
 2   yes  APIC                                                                  
 3   no                                                                         
 4   yes  serial port                                                           
 5   no
 6   no                                                                         
 7   no                                                                         
 8   no                                                                         
 9   yes  ether1                                                                
 10  no                                                                         
 11  no                                                                         
 12  no                                                                         
 13  yes  FPU                                                                   
 14  yes  IDE 1                                                                 
[MikroTik] > system resource io print                                          
 PORT-RANGE            OWNER                                                    
 32-63                 APIC                                                     
 64-95                 timer                                                    
 96-111                keyboard                                                 
 128-143               DMA                                                      
 160-191               APIC                                                     
 192-223               DMA                                                      
 240-255               FPU                                                      
 496-503               IDE 1                                                    
 760-767               serial port                                              
 960-991               VGA                                                      
 992-993               PCMCIA service                                           
 1014-1014             IDE 1                                                    
 1016-1023             serial port                                              
 61184-61439           ether1                                                   
 64512-64519           IDE 1                                                    
 64520-64527           IDE 2                                                    
 64528-64639           [CS5530]                                                 
[MikroTik] >

Installing the Wireless Adapter

1. Check the system BIOS settings and make sure you do not have the 'PnP OS Installed' set to 'Yes'. If you have this setting, make sure it is set to 'No'.
2. Check the system BIOS settings for peripheral devices, like, Parallel or Serial communication ports. Disable them, if you plan to use IRQ's assigned to them by the BIOS.

Loading the Driver for the Wireless Adapter

There can be several reasons for a failure to load the driver, for example:

• The driver cannot be loaded because other device uses the requested IRQ.
  Try to set the IRQ assignment to PCI slots using the system BIOS configuration.

[MikroTik] > interface print                                                   
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  2 X prism1               1500  prism                                         
[MikroTik] > interface enable 1
[MikroTik] > interface set 1 name=wireless                                    
[MikroTik] > interface print                                                   
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  1   wireless             1500  prism                                         
[MikroTik] > 

More configuration and statistics parameters can be found under the '/interface prism' menu:

[MikroTik] interface prism> print                                              
Flags: X - disabled 
  0   name=wireless mtu=1500 mac-address=00:03:C0:00:06:72 arp=enabled 
      mode=station frequency=2412MHz ssid=abc client-name="" 
      max-associations=250 hide-ssid=no supported-rates=1-11 basic-rates=1-2 
      fragmentation-threshold=2346 rts-threshold=2432 
      default-access-action=allow 

[MikroTik] interface prism>

Argument description:

number - Interface number in the list
name - Interface name (same as for other interfaces)
mtu - Maximum transfer unit (same as for other interfaces)
mac-address - MAC address of card. In AP mode this will also be BSSID of BSS.
arp - ARP mode (same as for ethernet interfaces)
mode - (station|access-point). If station - card works as station, if access-point, card works as access point. After mode is changed from access-point to station, for station mode to activate, have to reboot (changing back to AP mode will work fine). Change from station to AP can be done without rebooting.
frequency - Frequency that AP will use to create BSS
ssid - Service Set Identifier. In station mode - ssid to connect to, in AP mode - ssid to use when creating BSS (this can not be left blank, because AP needs ssid to work, but in station mode cards hang up without ssid.
client-name - Client name
max-associations - meaningless for station. For AP means how many stations can be associated at the same time (min: 1, max: 500)
hide-ssid - meaningless for station. For AP tells that SSID should not be transmitted in beacon frames (so none can read ssid when sniffing radio), and that AP should not answer probe requests that do not have our ssid in them. Basically this means that if this setting is set to "yes", every client that wants to connect to this AP has to have correct ssid configured.
supported-rates - For both - station and AP - rates at which this node will work.
basic-rates - Meaningless for station. For AP - rates that every client that plans to connect to this AP should be able to work at.
fragmentation-threshold - for both STA and AP - bigger packets than this value will be fragmented before transmission (min: 256, max: 2346)
rts-threshold - for both STA and AP - bigger packets than this value will be transmitted using RTS/CTS medium reservation method. This medium reservation ensures that no other radios transmit at this time (min: 0, max: 2432)
default-access-action - (allow|deny) - meaningless for STA, for AP - what to do with client that wants to associate, but it is not in the access-list.

You can monitor the status of the wireless interface:

[MikroTik] interface prism> monitor 0                                            
       signal-quality: 0            
         signal-level: 27           
          noise-level: 27           
         current-rate: 2            
               status: disconnected 

[MikroTik] interface prism>

Station Mode Configuration

• The Service Set Identifier. It should match the ssid of the AP.
• The Operation Mode of the card should be set to 'station'.
• The Supported Rate of the card should match one of the supported data rates of the AP.

[MikroTik] interface prism> set 0 ssid=mt                                      
[MikroTik] interface prism> monitor 0                                          
                bssid: 00:40:96:37:71:1E 
    current-frequency: 2442MHz           
       signal-quality: 92                
         signal-level: 183               
          noise-level: 0                 
         current-rate: 8                 
               status: connected         

[MikroTik] interface prism>     

If the wireless interface card is registered to an AP.

Access Point Mode Configuration

• The Service Set Identifier. It should be unique for your system.
• The Operation Mode of the card should be set to 'station'.
• The Frequency of the card.

All other parameters can be left as default. To configure the wireless interface for working as an access point with ssid "mt" and use the frequency 2442MHz, it is enough to enter the command:

[MikroTik] interface prism> set 0 mode=access-point ssid=mt frequency=2442MHz          
[MikroTik] interface prism> monitor                                            
                bssid: 00:03:C0:00:06:72 
    current-frequency: 2442MHz           
               status: ap-mode           

[MikroTik] interface prism>

To see the list of all clients currently registered to all configured APs,

[MikroTik] interface prism> registration-table print                           
  # INT MAC-ADDRESS       SIGNAL     SILENCE    RATE       UPTIME              
  0 wir 00:40:96:37:71:1E 183        0          11         00:03:32            
  1 wir 00:40:96:29:02:88                                  00:01:15            
[MikroTik] interface prism>

Argument description for the registration-table entry:

mac-address - mac address of the registered client
interface - interface that client is registered to
signal - signal level
silence - silence level
rate - current rate
uptime - how long client is connected

The monitor command gives additional per-client statistics:

[MikroTik] interface prism> registration-table monitor 0                       
        packets: 13,2                          
          bytes: 0,616                         
            bps: 0.0bps/0.0bps,0.0bps/4.10kbps 
            pps: 0/1,0/1                       
         signal: 171/186/195                   
        silence: 0/0/0                         
           rate: 11/11/11                      
    last-update: 00:00:02                      
         uptime: 00:09:01                      

[MikroTik] interface prism> 

Access List

Ta add an access list entry for MAC address 00:40:96:37:71:1E, use command:

[MikroTik] interface prism access-list> add allow=yes interface=wireless \
mac-address=00:40:96:37:71:1E
[MikroTik] interface prism access-list> print
Flags: X - disabled, I - invalid 
  #   MAC-ADDRESS       ALLOW INTERFACE                                        
  0   00:40:96:37:71:1E yes   wireless                                         
[MikroTik] interface prism access-list>

Argument description:

allow - (yes|no) - accept this client when it tries to connect or not
interface - AP interface
mac-address - MAC address of the client

If you have default access action for the interface set to 'allow', you can disallow this node to register at the AP's interface 'wireless' by changing the 'allow' argument value to 'no':

[MikroTik] interface prism access-list> .. print                               
Flags: X - disabled 
  0   name=wireless mtu=1500 mac-address=00:03:C0:00:06:72 arp=enabled 
      mode=access-point frequency=2442MHz ssid=mt client-name=MT_Prism 
      max-associations=250 hide-ssid=no supported-rates=1-11 basic-rates=1-2 
      fragmentation-threshold=2346 rts-threshold=2432 
      default-access-action=allow 

[MikroTik] interface prism access-list> set 0 allow=no                         
[MikroTik] interface prism access-list> print                                  
Flags: X - disabled, I - invalid 
  #   MAC-ADDRESS       ALLOW INTERFACE                                        
  0   00:40:96:37:71:1E no    wireless                                         
[MikroTik] interface prism access-list>

Thus, all nodes except this one will be able to register to the interface 'wireless'.

If you have default access action for the interface set to 'deny', you can allow this node to register at the AP's interface 'wireless' by changing the 'allow' argument value to back 'yes':

[MikroTik] interface prism access-list> .. print                               
Flags: X - disabled 
  0   name=wireless mtu=1500 mac-address=00:03:C0:00:06:72 arp=enabled 
      mode=access-point frequency=2442MHz ssid=mt client-name=MT_Prism 
      max-associations=250 hide-ssid=no supported-rates=1-11 basic-rates=1-2 
      fragmentation-threshold=2346 rts-threshold=2432 
      default-access-action=deny 

[MikroTik] interface prism access-list> set 0 allow=yes 
[MikroTik] interface prism access-list> print                                  
Flags: X - disabled, I - invalid 
  #   MAC-ADDRESS       ALLOW INTERFACE                                        
  0   00:40:96:37:71:1E yes   wireless                                         
[MikroTik] interface prism access-list>

Wireless Troubleshooting

• The prism interface does not show up under the interfaces list
  Obtain the required license for 2.4GHz wireless feature.
• The access-list has entries restricting the registration, but the node is still registered.
  Set some parameter of the prism interface to get all nodes re-register.
• The wireless card does not register to the AP
  Check the cabling and antenna alignment.

Two possible wireless network configurations are discussed in the following examples:

• Wireless Client
• Wireless Access Point

[MikroTik] interface prism> set 0 ssid=mt                                      
[MikroTik] interface prism> monitor 0
                bssid: 00:40:96:37:71:1E 
    current-frequency: 2442MHz           
       signal-quality: 92                
         signal-level: 195               
          noise-level: 0                 
         current-rate: 8                 
               status: connected         

[MikroTik] interface prism>                                                    

[MikroTik] ip address> add address=10.1.1.12/24 interface=prism1               
[MikroTik] ip address> print                                                   
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.1.1.12/24       10.1.1.0        10.1.1.255      prism1                
  1   192.168.0.254/24   192.168.0.254   192.168.0.254   ether1                
[MikroTik] ip address>

[MikroTik] ip route> add gateway=10.1.1.254
[MikroTik] ip route> print                                                     
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE           DST-ADDRESS        GATEWAY        DISTANCE INTERFACE     
  0    static         0.0.0.0/0          10.1.1.254     1        prism1        
  1 D  connect        10.1.1.0/24        0.0.0.0        0        prism1        
  2 D  connect        192.168.0.254/24   0.0.0.0        0        ether1        
[MikroTik] ip route>   

Wireless Access Point

[MT_Prism_AP] interface prism> set 0 mode=access-point frequency=2442MHz       
[MT_Prism_AP] interface prism> print                                           
Flags: X - disabled 
  0   name=prism1 mtu=1500 mac-address=00:03:C0:00:06:72 arp=enabled 
      mode=access-point frequency=2442MHz ssid=mt client-name= 
      max-associations=250 hide-ssid=no supported-rates=1-11 basic-rates=1-2 
      fragmentation-threshold=2346 rts-threshold=2432 
      default-access-action=allow 

[MT_Prism_AP] interface prism> monitor 0                                       
                bssid: 00:03:C0:00:06:72 
    current-frequency: 2442MHz           
               status: ap-mode           

[MT_Prism_AP] interface prism> 

[MT_Prism_AP] interface prism> registration-table print                        
  # INT MAC-ADDRESS       SIGNAL     SILENCE    RATE       UPTIME              
  0 pri 00:40:96:29:02:88 210        0          11         00:12:50            
  1 pri 00:40:96:37:71:1E 192        0          11         00:00:35            
[MT_Prism_AP] interface prism>   

[MikroTik] ip address> print                                                
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.1.1.12/24       10.1.1.0        10.1.1.255      aironet                
  1   192.168.0.254/24   192.168.0.0     192.168.0.255   Local                
[MikroTik] ip address>   

5. Bridge

Overview

MAC level bridging of Ethernet packets is supported. The router has one internal bridging table. Interfaces can be included or excluded. Ethernet, Ethernet over IP (EoIP), and RadioLAN interfaces are supported .Features include:

• Spanning Tree Protocol (STP)
• Bridge enabled or disabled on a per interface basis
• Protocol can be selected to be forwarded or discarded
• MAC address table can be monitored in real time

Topics covered in this section:

• Installation
• Hardware resource usage
• Bridge setup
• Bridge monitoring

Bridge installation on the MikroTik RouterOS v2.3

The Bridge feature is included in the “system” package.  No installation is needed for this feature.

Hardware resource usage

When Bridge is enabled, it uses a small amount of memory.  No increase of memory is suggested.

Bridge setup

Each protocol that should be forwarded should be set to forward.  Protocols selectable are:  appletalk, arp, ip, ipv6, ipx, and other.  The other protocol includes are protocols not listed before.

  priority

Set  [mikrotik]> bridge set ip forward yes forward yes

Each interface that should be included in the bridging table should be set to forward.

Set [mikrotik]> bridge interface set ether1

Example output of the print command:

[mikrotik] bridge interface> print

  # INTERFACE                                                        FORWARD
  0 ether1                                                           yes
  1 ether2                                                           yes

Bridge Monitoring

The bridge can be monitored in real time.  The bridging table shows the MAC address of hosts, interface which can forward packets to the host, and the age of the information shown in seconds.

[mikrotik] bridge host> print

MAC-ADDRESS        ON-INTERFACE AGE

00:C0:DF:07:68:30  ether1       253

Command Reference

[mikrotik] bridge> ?

Bridging feature is used to pass MAC layer packets between network interfaces.

  ..

  print         Show bridge settings

  set           Change bridge settings

  export        Export bridge configuration

  interface     Bridge interfaces

  host

[mikrotik] bridge> print

           ip: discard

          arp: discard

          ipx: discard

    appletalk: discard

         ipv6: discard

        other: discard

     priority: 1

[mikrotik] bridge interface> ?

  ..

  print      Show bridge interfaces

  set        Change bridge interface settings

  find       Find bridge interfaces

  export     Export bridge interfaces settings

[mikrotik] bridge host> ?

  ..

  print

6. Internet Protocol Management

The Internet Protocol Management section includes configuration of all IP level settings such as IP addresses, DHCP, static routes, and so on.

Addresses

Addresses serve as identification when communicating with other network devices. It is possible to add multiple IP addresses to each of the interfaces or to leave interfaces without addresses assigned to them.

Managing Addresses from Java

Select the IP/Addresses menu. The “Addresses List” list shows all IP addresses with basic settings. From the ”Address List” window addresses can be edited, added (

Select “address” in the “ip” menu.

General Address Parameters

Routes

Routes are needed for communicating with networks that are not directly attainable via the router’s local interfaces. Routes to locally connected interfaces and networks are created automatically based on the IP address assigned to local interfaces. Static routes, including the default route, are set in the IP/Routes menu. Other automatic routes are created by routing daemons, such as RIP and OSPF, which can be found in the Routing menu from the base level. Dynamic routes are shown in IP/Routes, too.

Managing Routes from Java

Select the “Routes” menu under the “IP” menu. The “Routes List” shows current routes settings which can be edited, added, and deleted. Disabled routes (interface they are using is disabled) are shown in gray and italic. Dynamic routes are marked with blue icon, others with green.

Managing Routes from Console

Select the submenu “ip route”.

General Routes Parameters

ARP

ARP (Address Resolution Protocol) displays IP addresses and respective MAC addresses of interfaces which are physically connected to local interface. The ARP table entries appear automatically as it sends broadcast messages to all interfaces physically connected to the local interfaces. It is possible to manually assign static ARP entries.

Managing ARP from Java

Select the ‘ARP’ menu under the ‘IP’ menu. The ‘ARP List’ displays IP addresses, MAC addresses, and interface names and allows to edit, add, and remove ARP entries. Inactive entries are shown in gray color and italic font.

Managing ARP from Console

Select the located in “address” menu that is in the “ip” menu.

General ARP Parameters

[MikroTik_AC] ip dhcp-client> set enabled yes interface ether1 client-id test

[MikroTik_AC]

    [MikroTik_AC]> system identity set Mikro2345
    [Mikro2345]>

enabled yes

interface

client-id

[MikroTik_AC] ip dhcp-server> set ether1 enabled yes lease-time 72h from-address

 10.5.0.1 to-address 10.5.0.100 netmask 255.255.255.0 gateway 10.5.0.254 dns-ser

ver 10.5.0.254 domain rm219

[MikroTik_AC] ip dhcp-server> print

0   interface: ether1 enabled: yes from-address: 10.5.0.1

    to-address: 10.5.0.100 lease-time: 3 days 0:00:00 netmask: 255.255.255.0

    gateway: 10.5.0.254 src-address: 0.0.0.0 dns-server: 10.5.0.254

    domain: ether1-area

1   interface: Local219 enabled: no from-address: 0.0.0.0 to-address: 0.0.0.0

    lease-time: 0:10:00 netmask: 0.0.0.0 gateway: 0.0.0.0 src-address: 0.0.0.0

    dns-server: 0.0.0.0 domain: ""

Descriptions of settings:

interface

enabled

from-address

to-address

lease-time

netmask

gateway

source-address

dns-server

domain

Firewall

The firewall supports filtering and security functions that are used to manage data flows to the router and through it. Along with the Network Address Translation they serve as security tools for preventing unauthorized access to networks.

Filtering rules organized together in chains do packet filtering. Each chain can be considered as a set of rules. There are three default chains, which cannot be deleted. More chains can be added for grouping together filtering rules. When processing a chain, rules are taken from the chain in the order they are listed from the top to the bottom.

Packets entering the router through one of the interfaces are first matched against the filtering rules of the Input chain. If the packet is not dropped or rejected, and it is for the router itself, the packet is delivered locally. If the packet is not dropped or rejected, but it has to be delivered outside the router, then the packet is processed according to the routing table. If the processing is successful, then the packet is matched to the filtering rules of the forward chain. After that, packet is passed to the output interface and processed according to the rules of output chain.

Packets originated from the router are processed according to the output chain only.

Managing Firewall Functions from Java

Select the “Firewall” menu under the “IP” menu. Use

Managing Firewall Functions from Console

Firewall management can be performed from the “ip firewall” menu.

“ip firewall rule” menu commands:

“ip firewall masq” menu commands:

General Firewall Parameters

Rule parameters:

Actions to perform on rules:

Chain parameters:

Accounting

Managing IP Accounting from JAVA

IP Accounting you can manage by choosing IP and then "accounting".

Managing IP Accounting from Console

It is done from "ip accounting" submenu.

"ip accounting web" submenu.

Static Network Address Translation (NAT)

Overview

Remark: To use a private address space, NAT is not required. It is required only to map one global IP address and/or port to a local one. Typically, masquerading (a firewall feature) is used to masquerade the local inside network addresses and ports to one global outside IP address and ports.
Please consult the Basic Setup Guide and the Firewall Manual for more information on masquerading.

The NAT rules are applied in the following order:

• When a packet arrives at an interface, the NAT rules are applied first. The firewall and routing are applied after the packet has passed the NAT rule set. This is important when setting up firewall rules, since the original packets might be already modified by the NAT.
• When a packet leaves an interface, the NAT rules are applied after the routing and firewall. Queuing is performed after the NAT.

For more information about NAT, see RFC 1631. For example, you can visit this site: http://www.faqs.org/rfcs/rfc1631.html

Contents of the Manual

• Configuring NAT
• Command Reference
• Troubleshooting
• NAT Applications

NAT Installation

Adding a NAT Rule

NAT rules can be added using the /ip firewall static-nat add command. The argument description is as follows:

src-address - Source IP address.
src-netmask - Source netmask
src-port - Source port number or range (0-65535). 0 means all ports 1-65535.
dst-address - Destination IP address.
dst-netmask - Destination netmask
dst-port - Destination port number or range (0-65535). 0 means all ports 1-65535.
to-src-address - Translated source IP address.
to-src-netmask - Translated source netmask
to-src-port - Source port number. 0 means no change (leave as it was).
to-dst-address - Translated destination IP address. 0.0.0.0 means no change.
to-dst-netmask - Translated destination netmask
to-dst-port - Translated destination port number. 0 means no change (leave as it was).
interface - Interface, for which the rule should be used
protocol - Protocol
translate - translate or not (yes/no). If 'no', then the packet is passed through without translation, and no more NAT rules are processed.
direction - direction of the packet regarding the interface. 'in' means from the interface into the router, and 'out' means from the router to the interface.

The existing NAT rules can be listed using the /ip firewall static-nat print command. Example output is:

[mikrotik]> ip firewall static-nat 
[mikrotik] ip firewall static-nat> print
0   src-address: 0.0.0.0 src-netmask: 0.0.0.0 src-port: 0-65535
    dst-address: 10.1.1.12 dst-netmask: 255.255.255.255 dst-port: 80
    interface: all translate: yes direction: in protocol: tcp
    to-src-address: 0.0.0.0 to-dst-address: 192.168.0.17
    to-src-netmask: 0.0.0.0 to-dst-netmask: 255.255.255.255 to-src-port: 0
    to-dst-port: 80

1   src-address: 192.168.0.17 src-netmask: 255.255.255.255 src-port: 80
    dst-address: 0.0.0.0 dst-netmask: 0.0.0.0 dst-port: 0-65535 interface: all
    translate: yes direction: out protocol: tcp to-src-address: 10.1.1.12
    to-dst-address: 0.0.0.0 to-src-netmask: 255.255.255.255
    to-dst-netmask: 0.0.0.0 to-src-port: 80 to-dst-port: 0

[mikrotik] ip firewall static-nat>

For argument description see the add command above.

The NAT rule parameters can be changed using the /ip firewall static-nat set # command, where the # is the NAT rule number obtained from the print command.

NAT rules are processed in the order they appear under the /ip firewall static-nat print command list. Use the /ip firewall static-nat move #1 #2 command to change the order of NAT rules. Here, the #1 is current number of the rule in the list, whereas the #2 is the desired number of the rule.

NAT rules can be enabled or disabled using the /ip firewall static-nat enable # and /ip firewall static-nat disable # commands. Disabled NAT rules are not processed.

Command Reference

print - Show NAT rules
set - Change NAT rule
find - Find NAT rules
add - Add new NAT rule
remove - Remove NAT rule
comment - Set rule comment
enable - Enable rule
disable - Disable rule
export - Export rules
move - Move rule

Troubleshooting

• The NAT rule does translate the addresses.
  Add firewall rule that logs the packets and helps to determine where the problem is.
• The NAT does not work when masquerading is in use.
  Masquerading changes the source address of packets leaving the router ('outgoing' traffic). Therefore a firewall rule should be added to the forward chain, which excludes masquerading for the address:port and protocol to be translated. (See the Application Example!)
• The NAT does not work form the local network.
  The server should be on another logical network than the local workstations. (See the Application Example!)

NAT Applications

Further on, several examples of using NAT are given arranged according to complexity:

Example of NAT
Example of NAT with Masquerading
Example of NAT for ftp
Example of NAT and Access from the Local Network

Assume we want to map external address 10.1.1.12 and port 8080 to the internal address 192.168.0.17 and port 80. The basic network setup is in the following diagram:

The IP addresses and routes of the MikroTik router are as follows:

[mikrotik]> ip address print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   Local
  1 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      Public
[mikrotik]> ip route print
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   Local   D K
  1 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       Public  D K
  2 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         Public
[mikrotik]>

Two static NAT rules are required for translating the address:port - one for the incoming packets, and one for the outgoing packets:

[mikrotik]> ip firewall static-nat

[mikrotik] ip firewall static-nat> add dst-address 10.1.1.12 \
dst-netmask 255.255.255.255 dst-port 8080 protocol tcp \
direction in interface Public translate yes \
to-dst-address 192.168.0.17 to-dst-netmask 255.255.255.255 to-dst-port 80

[mikrotik] ip firewall static-nat> add src-address 192.168.0.17 \
src-netmask 255.255.255.255 src-port 80 protocol tcp \
direction out interface Public translate yes \
to-src-address 10.1.1.12 to-src-netmask 255.255.255.255 to-src-port 8080

[mikrotik] ip firewall static-nat> print
0   src-address: 0.0.0.0 src-netmask: 0.0.0.0 src-port: 0-65535
    dst-address: 10.1.1.12 dst-netmask: 255.255.255.255 dst-port: 8080
    interface: Public translate: yes direction: in protocol: tcp
    to-src-address: 0.0.0.0 to-dst-address: 192.168.0.17 to-src-netmask: 0.0.0.0
    to-dst-netmask: 255.255.255.255 to-src-port: 0 to-dst-port: 80

1   src-address: 192.168.0.17 src-netmask: 255.255.255.255 src-port: 80
    dst-address: 0.0.0.0 dst-netmask: 0.0.0.0 dst-port: 0-65535
    interface: Public translate: yes direction: out protocol: tcp
    to-src-address: 10.1.1.12 to-dst-address: 0.0.0.0
    to-src-netmask: 255.255.255.255 to-dst-netmask: 0.0.0.0 to-src-port: 8080
    to-dst-port: 0

[mikrotik] ip firewall static-nat> 

From the global network, the server can be accessed at 10.1.1.12:8080.
From the local network, the server can be accessed at 192.168.0.17:80.
The server cannot be accessed at 10.1.1.12:8080 from the local network. It is due to the fact, that the server sees request coming from its own network, and it responds back directly, i.e., bypassing the router and the NAT rule. Please see the further examples for enabling the use of global address 10.1.1.12:8080 for accessing the server locally.

Example of NAT with Masquerading

[mikrotik]> ip firewall rule
[mikrotik] ip firewall rule> add forward src-address 192.168.0.17/32 \
src-ports 80 protocol tcp interface Public 
[mikrotik] ip firewall rule> add forward src-address 192.168.0.0/24 \
action masq interface Public 
[mikrotik] ip firewall rule> print forward 
0   action: accept protocol: tcp src-address: 192.168.0.17
    src-netmask: 255.255.255.255 src-ports: 80 dst-address: 0.0.0.0
    dst-netmask: 0.0.0.0 dst-ports: 0-65535 interface: Public tcp-option: all
    log: no
1   action: masq protocol: all src-address: 0.0.0.0 src-netmask: 0.0.0.0
    src-ports: 0-65535 dst-address: 0.0.0.0 dst-netmask: 0.0.0.0
    dst-ports: 0-65535 interface: Public log: no
[mikrotik] ip firewall rule>

Example of NAT for ftp

The ftp uses TCP port 21 on the server for establishing the connection, and the server's tcp port 20 when connecting back to the client for data connections.

To translate the addresses and ports, totally four static NAT rules would be required. However, ports 20 and 21 can be grouped in a port range, and only two rules are required then:

[mikrotik] ip firewall static-nat> add dst-address 10.1.1.12 \
dst-netmask 255.255.255.255 dst-port 20-21 protocol tcp \
direction in interface Public translate yes \
to-dst-address 192.168.0.17 to-dst-netmask 255.255.255.255

[mikrotik] ip firewall static-nat> add src-address 192.168.0.17 \
src-netmask 255.255.255.255 src-port 20-21 protocol tcp \
direction out interface Public translate yes \
to-src-address 10.1.1.12 to-src-netmask 255.255.255.255

[mikrotik] ip firewall static-nat> print
0   src-address: 0.0.0.0 src-netmask: 0.0.0.0 src-port: 0-65535
    dst-address: 10.1.1.12 dst-netmask: 255.255.255.255 dst-port: 20-21
    interface: Public translate: yes direction: in protocol: tcp
    to-src-address: 0.0.0.0 to-dst-address: 192.168.0.17
    to-src-netmask: 0.0.0.0 to-dst-netmask: 255.255.255.255 to-src-port: 0
    to-dst-port: 0

1   src-address: 192.168.0.17 src-netmask: 255.255.255.255 src-port: 20-21
    dst-address: 0.0.0.0 dst-netmask: 0.0.0.0 dst-port: 0-65535
    interface: Public translate: yes direction: out protocol: tcp
    to-src-address: 10.1.1.12 to-dst-address: 0.0.0.0
    to-src-netmask: 255.255.255.255 to-dst-netmask: 0.0.0.0 to-src-port: 0
    to-dst-port: 0

[mikrotik] ip firewall static-nat>

Note, that the to-src-port and to-dst-port arguments have not be specified, and they have value '0', i.e., 'no translation' for ports.

Also, do not forget to exclude source address:ports 192.168.0.17:20-21 from masquerading, if it is used for local addresses:

[mikrotik] ip firewall rule> add forward src-address 192.168.0.17 \
src-netmask 255.255.255.255 src-ports 20-21 interface Public protocol tcp
[mikrotik] ip firewall rule> add forward action masq interface Public
[mikrotik] ip firewall rule> print forward
0   action: accept protocol: tcp src-address: 192.168.0.17
    src-netmask: 255.255.255.255 src-ports: 20-21 dst-address: 0.0.0.0
    dst-netmask: 0.0.0.0 dst-ports: 0-65535 interface: Public tcp-option: all
    log: no

1   action: masq protocol: all src-address: 0.0.0.0 src-netmask: 0.0.0.0
    src-ports: 0-65535 dst-address: 0.0.0.0 dst-netmask: 0.0.0.0
    dst-ports: 0-65535 interface: Public log: no

[mikrotik] ip firewall rule>

Example of NAT and Access from the Local Network

Let us reconsider the previous example of using NAT for ftp. To enable the local workstations 192.168.0.1...2 accessing the server on the local net using its global address 10.1.1.12:21, the network configuration should be changed. The requests to the server should appear as coming rather from another network than form it's own one. Then the 'backward' translation rules will be used too, since the packets would be sent back to the router.

To accomplish this:

1. The server's IP address should be configured to be on another network, say 192.168.1.0/24
2. The NAT rules should be set for all interfaces.

The network diagram looks like follows:

To add another address to the router, use:

[mikrotik] ip address> add address 192.168.1.24/24 interface Local
[mikrotik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   Local
  1 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      Public
  2 192.168.1.24    255.255.255.0   192.168.1.24    192.168.1.255   Local
[mikrotik] ip address>

Add two static NAT rules:

[mikrotik] ip firewall static-nat> add dst-address 10.1.1.12 \
dst-netmask 255.255.255.255 dst-port 20-21 protocol tcp \
direction in translate yes \
to-dst-address 192.168.1.17 to-dst-netmask 255.255.255.255

[mikrotik] ip firewall static-nat> add src-address 192.168.1.17 \
src-netmask 255.255.255.255 src-port 20-21 protocol tcp \
direction out translate yes \
to-src-address 10.1.1.12 to-src-netmask 255.255.255.255

[mikrotik] ip firewall static-nat> print
0   src-address: 0.0.0.0 src-netmask: 0.0.0.0 src-port: 0-65535
    dst-address: 10.1.1.12 dst-netmask: 255.255.255.255 dst-port: 20-21
    interface: all translate: yes direction: in protocol: tcp
    to-src-address: 0.0.0.0 to-dst-address: 192.168.1.17
    to-src-netmask: 0.0.0.0 to-dst-netmask: 255.255.255.255 to-src-port: 0
    to-dst-port: 0

1   src-address: 192.168.1.17 src-netmask: 255.255.255.255 src-port: 20-21
    dst-address: 0.0.0.0 dst-netmask: 0.0.0.0 dst-port: 0-65535 interface: all
    translate: yes direction: out protocol: tcp to-src-address: 10.1.1.12
    to-dst-address: 0.0.0.0 to-src-netmask: 255.255.255.255
    to-dst-netmask: 0.0.0.0 to-src-port: 0 to-dst-port: 0

[mikrotik] ip firewall static-nat>

[mikrotik] ip firewall rule> add forward src-address 192.168.1.17/32 \
src-ports 20-21 protocol tcp interface Public 

[mikrotik] ip firewall rule> add forward action masq interface Public 

[mikrotik] ip firewall rule> print forward
0   action: accept protocol: tcp src-address: 192.168.1.17
    src-netmask: 255.255.255.255 src-ports: 20-21 dst-address: 0.0.0.0
    dst-netmask: 0.0.0.0 dst-ports: 0-65535 interface: Public tcp-option: all
    log: no

1   action: masq protocol: all src-address: 0.0.0.0 src-netmask: 0.0.0.0
    src-ports: 0-65535 dst-address: 0.0.0.0 dst-netmask: 0.0.0.0
    dst-ports: 0-65535 interface: Public log: no

[mikrotik] ip firewall rule>

The local workstations form Network 0 will be accessing the server on Network 1 solely through the router, and all packets will be processed against the translation rules.

DNS

By using a DNS server, router administrators can use hostnames instead of IP addresses when setting up routes, filters, and other places where a numbered IP address is not required.

Managing DNS from Java

Select the “DNS” menu under the “IP” menu. The “DNS” box can be configured with the primary DNS and secondary DNS by selecting the DNS settings icon

Managing DNS from Console

“ip dns” menu commands:

“ip dns static” menu commands:

DNS Parameters

General DNS Settings:

Static DNS parameters:

7. SNMP Service Configuration

Overview

SNMPv2 (Simple Network Management Protocol version 2) is supported in limited functionality.  Installation of the SNMP packages makes the router into an SNMP agent.

·       SNMPv2 support only
·       Read-only access is provided to the NMS (network management system)
·       Communities are limited to “Public”
·       No Trap support

Topics covered in this section:

• Installation
• Hardware resource usage
• SNMP setup
• Tools for SNMP data collection and analysis
• Utilities for SNMP

SNMP Installation on the MikroTik RouterOS v2.3

The “snmp-2.3.0.npk”(less than 150KB) package for v2.3 is required.  The package can be downloaded from MikroTik’s web page www.mikrotik.com .  To install the package, please upload it to the router with ftp and reboot.  You may check to see if the SNMP package is installed with the command:

[mikrotik]> system package print

  # NAME                                             VERSION    BUILD UNINSTALL

  0 routing                                          2.3.5      5     no
  1 aironet                                          2.3.5      6     no
  2 wavelan                                          2.3.5      8     no
  3 system                                           2.3.5      15    no
  4 snmp                                             2.3.5      5     no
  5 option                                           2.3.5      7     no
  6 ppp                                              2.3.5      7     no
  7 pptp                                             2.3.5      5     no
  8 pppoe                                            2.3.5      5     no
  9 radiolan                                         2.3.5      6     no
 10 ssh                                              2.3.5      7     no

[mikrotik]>

Line 4 shows that the SNMP package is installed.

Hardware resource usage

When SNMP is enabled, it uses approximately 2MB of RAM.  When using SNMP, memory usage estimates should be made, system resources should be monitored, and RAM should be increased accordingly.  

SNMP setup

Set  [mikrotik] ip accounting set enabled yes

Example output of the print command:

[mikrotik] snmp-server> print

         enabled: yes
    contact-info: Sysadmin-555-1212
        location: MikroTik

Description of the output:

enabled - SNMP is disabled by default.  Settings are enabled yes and enabled no.
contact-info and location - Both contact-info and location are informative only settings for the NMS. 

Tools for SNMP data collection and analysis

MRTG (Multi Router Traffic Grapher) is the most commonly used SNMP monitor.

http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/

Additional Resources

Links for SNMP documentation:

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm

Command Reference

 [mikrotik] snmp-server> ?

SNMP allows remote monitoring of router and statistics collecting.

  ..
  print      Show SNMP configuration
  set        Change SNMP configuration
  export     Export SNMP server configuration

[mikrotik] snmp-server> set ?

Allows to change router location and administrator contact information.

  enabled        Enable/disable SNMP service
  contact-info   Administrator contact information
  location       Router location

8. Queue Management and Bandwidth Control

Overview

The MikroTik RouterOS V2.3 supports the following queuing mechanisms:

PFIFO - Packets Packet First-In First-Out,
BFIFO - Bytes First-In First-Out,
RED - Random Early Detection

The queuing can be used for limiting the bandwidth for certain IP addresses, protocols or ports. The queuing is performed for packets leaving the router through an interface. It means, that the queues should always be configured on the outgoing interface regarding the traffic flow. If there is a desire to limit the traffic arriving at the router, then it should be done at the outgoing interface of some other router.

The following topics are covered in this section:

• Configuring Queues
• Queue Command Reference
• Troubleshooting
• Queue Applications

Queue Management Installation

The queue management feature is included in the "system" software package. No additional software package installation is needed for this feature.

Configuring Queues

Adding a Queue

/ip queue add
[ src-address a.b.c.d \ ]
[ src-netmask a.b.c.d \ ]
[ src-port port_range \ ]
[ dst-address a.b.c.d \ ]
[ dst-netmask a.b.c.d \ ]
[ dst-port port_range \ ]
interface name \
[ protocol all/ggp/igmp/ip-sec/udp/egp/icmp/ip-encap/tcp \ ]
[ queue bfifo/none/pfifo/red \ ]
[ limit-at bandwidth \ ]
[ max-burst burst \ ]
[ bounded yes/no \ ]
[ priority 1..15 \ ]
[ weight number \ ]
[ allot bytes \ ]
[ bfifo-limit number \ ]
[ pfifo-limit number \ ]
[ red-limit number \ ]
[ red-min-threshold number \ ]
[ red-max-threshold number \ ]
[ red-burst number ]

Argument description:

src-address - Source IP address. Can be in the form a.b.c.d/n:p1[-p2], that consists of the IP address, number of bits in the network mask, and the port or port range.
src-netmask - Source netmask
src-port - Source port number or range (0-65535)
dst-address - Destination IP address. Can be in the form a.b.c.d/n:p1[-p2], that consists of the IP address, number of bits in the network mask, and the port or port range.
dst-netmask - Destination netmask
dst-port - Destination port number or range (0-65535)
interface - Interface which packet leaves
protocol - Protocol
queue - Queue type (see explanation below)
limit-at - Maximum stream bandwidth (bits/s)
max-burst - Maximal number of packets allowed for bursts of packets when there are no packets in the queue. Set to '0' for no burst.
bounded - Queue is bounded. The queue can not occupy bandwidth of other queues.
priority - Flow priority (1..15)
weight - Flow weight
allot - Number of bytes allocated for the bandwidth. Should not be less than the MTU for the interface.
bfifo-limit - BFIFO queue limit. Maximum packet number that queue can hold.
pfifo-limit - PFIFO queue limit. Maximum byte number that queue can hold.
red-limit - RED queue limit
red-min-threshold - RED minimum threshold. Before this value is achieved no packets will be thrown away.
red-max-threshold - RED maximum threshold. When this value is achieved the queue will throw away the packets using maximum probability, where this probability is a function of the average queue size.
red-burst - RED burst. Number of packets allowed for bursts of packets when there are no packets in the queue. The minimum value that can be used here is equal to the value of 'red-min-threshold'.

Queue types:

pfifo - Packet First-In First-Out – is the simplest queuing algorithm. The packets are served in the same order as they are received.
bfifo - The same as pfifo, except that this algorithm is byte-based but not packet-based.
red - Random Early Detection – an algorithm for congestion avoidance in packet-switched networks.
none - (same as default) The queue type as it is by default for the specific interface.

You can group several networks together and have one queue for them, if a common network mask can be found for the networks. For example, networks 10.0.128.0/24 and 10.0.129.0/24 can be grouped together using a common network address/mask 10.0.128.0/22

The existing queues can be listed using the /ip queue print command. Example output is:

[mikrotik] ip queue> print
0   src-address: 0.0.0.0/0:0-65535 dst-address: 10.0.0.0/24:0-65535
    interface: developers protocol: all queue: red limit-at: 64000
    max-burst: 0 bounded: yes priority: 1 weight: 1 allot: 1536
    red-limit: 50 red-min-threshold: 12 red-max-threshold: 30
    red-burst: 20

1   src-address: 10.0.0.0/24:0-65535 dst-address: 0.0.0.0/0:0-65535
    interface: internet protocol: all queue: red limit-at: 64000
    max-burst: 0 bounded: yes priority: 1 weight: 1 allot: 1536
    red-limit: 50 red-min-threshold: 12 red-max-threshold: 30
    red-burst: 20

[mikrotik] ip queue> 

Changing Queue Parameters

[mikrotik] ip queue> print
0   src-address: 0.0.0.0/0:0-65535 dst-address: 10.0.0.0/24:0-65535
    interface: developers protocol: all queue: red limit-at: 64000
    max-burst: 0 bounded: yes priority: 1 weight: 1 allot: 1536
    red-limit: 50 red-min-threshold: 12 red-max-threshold: 30
    red-burst: 20
[mikrotik] ip queue> set 0 max-burst 20

[mikrotik] ip queue>
move number destination

Argument description:

number - Source queue number (from print)
destination - Destination queue number (from print)

Command Reference

/ip queue print - Show queues
/ip queue set - Change queue properties
/ip queue find - Find queues
/ip queue add - Add new queue
/ip queue remove - Remove queue
/ip queue comment - Set queue comment
/ip queue enable - Enable queue
/ip queue disable - Disable queue
/ip queue export - Export queues configuration
/ip queue move - Move queue

Troubleshooting

• The queue is not added for the correct interface.
  Add the queue to the interface through which the traffic is leaving the router. queuing works only for packets leaving the router!
• The source/destination addresses of the packets do not match the values specified in the queue setting
  Make sure the source and destination addresses, as well as ports are specified correctly!
• The queuing does not work when masquerading is in use
  Masquerading changes the source address of packets leaving the router ('outgoing' traffic). Therefore the queuing rule should match packets having the router's external address as source.
• The traffic is not limited, when the 'bounded' parameter is not set to 'yes'.
  Use the 'bounded' flag for the queue, if you do not want to exceed the set limit when other queues are not using the available bandwidth for the interface.
• Queuing does not work for the start of the file transfer. It starts limiting the bandwidth only after the first x packets have been downloaded.
  Do not use the 'burst' parameter value greater than '0', if you do not want to allow any traffic bursts.

Queue Applications

Further on, several examples of using bandwidth management are given arranged according to complexity:

Example of Emulating a 128k/64k Line
Example of Using Masquerading
Example of Using Masquerading and both Private and Registered Addresses

Example of Emulating a 128k/64k Line

The IP addresses, routes, and masquerading firewall rule of the MikroTik router are as follows:

[MikroTik]> ip address print 
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 195.10.0.1      255.255.255.0   195.10.0.1      195.10.0.255    radio
  1 195.13.1.62     255.255.255.224 195.13.1.62     195.13.1.63     ether

[MikroTik]> /ip route print
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTERFACE
  0 195.10.0.0      255.255.255.0   0.0.0.0         195.10.0.1      radio      D K
  1 195.13.1.32     255.255.255.224 0.0.0.0         195.13.1.33     ether      D K
  3 0.0.0.0         0.0.0.0         195.10.0.254    0.0.0.0         radio

It is enough to add two queues at the customer's router:

[MikroTik] ip queue>add dst-address 195.13.1.32/27 interface ether \
queue red limit-at 128000 max-burst 0 bounded yes

[mikrotik] ip queue>add src-address 195.13.1.32/27 interface radio \
queue red limit-at 64000 max-burst 0 bounded yes

Example of Using Masquerading

The IP addresses, routes, and masquerading firewall rule of the MikroTik router are as follows:

[MikroTik]> ip address print 
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 195.10.0.1      255.255.255.0   195.10.0.1      195.10.0.255    radio
  1 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   ether

[MikroTik]> /ip route print
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTERFACE
  0 195.10.0.0      255.255.255.0   0.0.0.0         195.10.0.1      radio      D K
  1 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   ether      D K
  3 0.0.0.0         0.0.0.0         195.10.0.254    0.0.0.0         radio

[MikroTik]> /ip firewall rule print forward 
0   action: masq protocol: all src-address: 192.168.0.0 src-netmask: 255.255.255.0
    src-ports: 0-65535 dst-address: 0.0.0.0 dst-netmask: 0.0.0.0 dst-ports: 0-65535
    interface: radio log: no

The queuing rule for incoming traffic should match the customer's local addresses, whereas the rule for outgoing traffic should match the router's external address as the source address:

[MikroTik] ip queue>add dst-address 192.168.0.0/24 interface ether \
queue red limit-at 128000 max-burst 0 bounded yes

[MikroTik] ip queue>add src-address 195.10.0.1/32 interface radio \
queue red limit-at 64000 max-burst 0 bounded yes

Let us assume, that for administrative purposes, we want to contact the MikroTik router without being affected by the bandwidth limitation. Then additional rule(s) having no limitation should be added before the limiting one(s). For example, we want no limitation to networks 195.10.0.0/24 and 159.148.60.128/25. The queue rules should be added as follows:

[MikroTik] ip queue>add src-address 195.10.0.1/32 dst-address 195.10.0./24 \
interface radio queue red limit-at 10000000 max-burst 0 bounded no

[MikroTik] ip queue>add src-address 195.10.0.1/32 dst-address 159.148.60.128/25 \
interface radio queue red limit-at 10000000 max-burst 0 bounded no

[MikroTik] ip queue>add dst-address 192.168.0.0/24 interface ether \
queue red limit-at 128000 max-burst 0 bounded yes

[MikroTik] ip queue>add src-address 195.10.0.1/32 interface radio \
queue red limit-at 64000 max-burst 0 bounded yes

The first two rules mean no limitation to the networks 195.10.0.0/24 and 159.148.60.128/25, whereas the second two rules limit customer's incoming and outgoing traffic, respectively.

Example of Using Masquerading and both Private and Registered Addresses

When contacting hosts outside the local network the private addresses are masqueraded by the external address 195.13.1.61 of the router. The IP addresses, routes, and masquerading firewall rule of the MikroTik router are as follows:

[MikroTik]> ip address print 
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.0.1.1        255.255.255.0   10.0.1.1        10.0.1.255      radio
  1 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   ether
  2 195.13.1.62     255.255.255.224 195.13.1.62     195.13.1.63     ether
  3 195.13.1.61     255.255.255.255 195.12.1.61     195.13.1.61     radio

[MikroTik]> /ip route print
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTERFACE
  0 10.0.1.0        255.255.255.0   0.0.0.0         10.0.1.1        radio      D K
  1 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   ether      D K
  2 195.13.1.32     255.255.255.224 0.0.0.0         195.13.1.62     ether      D K
  3 0.0.0.0         0.0.0.0         10.0.1.254      195.13.1.61     radio
  4 159.148.60.128  255.255.255.128 10.0.1.254      0.0.0.0         radio

[MikroTik]> /ip firewall rule print forward 
0   action: masq protocol: all src-address: 192.168.0.0 src-netmask: 255.255.255.0
    src-ports: 0-65535 dst-address: 0.0.0.0 dst-netmask: 0.0.0.0 dst-ports: 0-65535
    interface: radio log: no

Please note, that:

1. There is one additional address 195.13.1.61 with 32-bit network mask (address #3) assigned to the radio interface of the router. This address is used as the source address for packets originated from the router, or for the masqueraded packets, if the packet destination is determined by the default route (#3 in the routes list).
2. If the local radio network 10.0.1.0/24 is the packet's destination, then the route #0 is used. Packets originated from the router or masqueraded packets will have source address 10.0.1.0. It means, that, when contacted from the local network 10.0.1.0/24, the router will respond using the address 10.0.1.1.
3. If the the router is contacted at its private address from the ISP's network 159.148.60.128/25, we want the router to respond using its private address 10.0.1.1 too. Therefore we have added a static route to the ISP's network 159.148.60.128/25 (rule #4) without specifying the preferred address.

[MikroTik] ip queue>add dst-address 192.168.0.0/24 interface ether \
queue red limit-at 128000 max-burst 0 bounded yes

[MikroTik] ip queue>add src-address 195.13.1.61/32 interface radio \
queue red limit-at 64000 max-burst 0 bounded yes

The first rule matches traffic going to the ordinary users on network 192.168.0.0/24 and limits them to 128kbps. The second rule matches masqueraded packets with default destination (Internet), excluding the ISP's network 159.148.60.128/25, and limits the traffic to 64kbps. Traffic originated form the router, as well as the masqueraded connections to the ISP's network, are not limited.

The minimum configuration of the ISP_GW router is given below:

[ISP_GW]> ip address print 
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.0.1.254      255.255.255.0   10.0.1.254      10.0.1.255      air
  1 159.148.60.129  255.255.255.128 159.148.60.129  159.146.60.255  isp_eth

[ISP_GW]> /ip route print
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTERFACE
  0 10.0.1.0        255.255.255.0   0.0.0.0         10.0.1.254      air        D K
  1 159.148.60.128  255.255.255.128 0.0.0.0         159.148.60.129  isp_eth    D K
  3 0.0.0.0         0.0.0.0         159.148.60.254  0.0.0.0         isp_eth
  4 195.13.1.32     255.255.255.224 10.0.1.1        0.0.0.0         air

9. Advanced Routing Management

Standard kernel routes are created when adding an address to the router and static routes are added by the user. A third type of route is created by routing protocol. For exchanging the routing information between the routers, MikroTik™ Router Software supports two interior routing protocols: the Routing Information Protocol (RIP) [Version 1 and Version 2] and the Open Shortest Path First (OSPF) protocol.

Routing Information Protocol

RIP selects the route with the lowest metric as the best route. The metric is a hop count representing the number of gateways through which data must pass through to reach its destination. To enable the exchange of routing information between two routers connected to the same network both routers should have RIP enabled on the interfaces to the network which connects them.

Select the “Routing” menu and the “RIP” menu. Select the icon of the desired interface to change its RIP settings. To choose to redistribute static, connected and OSPF routes, click on the icon

Managing RIP from Console

Go to the “router” menu by executing the command with the corresponding name from the base level. Then go to the “rip” menu.

To set RIP for a specific interface, go to “interface” submenu. Here are the commands:

General RIP Parameters

Open Shortest Path First

OSPF is a shortest path first or link-state protocol. OSPF is an interior gateway protocol that distributes routing information between routers in a single autonomous system. OSPF chooses the least cost path as the best path. OSPF is better suited than RIP for complex networks with many routers. To enable OSPF for an interface, OSPF network with this interface network and mask. If interface has multiple logical networks all of these networks should be added as OSPF networks.

Select the “Routing” menu and then the “OSPF” menu. Four tabs can be used for configuration: “Interfaces”, “Areas”, “Networks” and “Virtual Links”. To change general OSPF settings (router ID and routes redistribution) click on the

Go to the “routing ospf” menu.

OSPF interfaces menu commands:

OSPF areas menu commands:

OSPF networks menu commands:

OSPF virtual links menu commands:

OSPF Parameters

Interface parameters:

Area parameters:

Network parameters:

Virtual links parameters:

10. System Configuration

Terminal Setup and Basic System Setup

This action can be performed only in the console. The described below commands can be executed from the base level or from anywhere else if you type “/” before them.

Basic Router Setup

Basic router setup can be done from the base level using setup command.

Terminal setup is performed in the “terminal” menu.

Packages

Packages are used to upgrade the router or add features. Packages should be obtained from the MikroTik web site. After rebooting the router, the packages will be installed.

Viewing Packages from Java

Select the “System” menu. Information about packages is divided in two parts – one about installed packages (“Packages”) and the other about uploaded ones (“Store”). Press

Viewing Packages from Console

In the console installed and uploaded packages information can be found under the “system package” and “system store” menus.

“sys package” menu commands:

“sys store” menu commands:

Packages Parameters

General packages parameters:

System History

The system keeps a history of the configuration changes since last boot. The history is lost when the router is rebooted. The ‘history’ buttons on the Java panel (

Viewing System History from Java

Select the “History” menu. The system history can be viewed in the appeared “History” window. The information is read only. Use the buttons on the main widow to ‘undo’ and ‘redo’ actions. The action that is undone is marked with blue dot

Viewing System History from Console

The system history can be viewed from the “system history” menu.

System History Parameters

User Management

User management includes adding users, removing users, setting names, access, access groups, and passwords.

User Management from Java

User management can be performed from the “Users List” windows that appears after you select the “Users” menu. Under “Groups” tag click twice on a group to edit it’s policies.

User Management from Console

Go to the “user” menu.

“user group” menu commands:

User Parameters

Note user “*” will be used for PPP as any user

Policies:

Change Password

You can easily change password using this special command.

In the main menu there is an item “Password”. You will be prompted to enter your old password and enter new password twice. When you logout and login for the next time, you must enter the new password. The old password is lost forever.

Go to the base level and execute the following command:

You will be prompted to enter your old password and enter new password twice. When you logout and login for the next time, you must enter the new password. The old password is lost forever.

System Resources

System’s uptime, total memory, HDD/Flash drive size, CPU type, and CPU frequency are displayed.

Viewing System Resources from Java

Select the “System” menu and the “Resources” menu. Java gives you expanded possibilities in viewing the system resources. Under the ‘Monitor’ tab a window shows the utilization of system’s CPU and memory usage in graphical form. Under the ‘IRQ’ tab, the system’s hardware IRQ’s and their usage are shown. Under ‘IO’ tab, the system’s IO memory ranges used by various devices are shown.

Viewing System Resources from Console

In the console, system resources can be viewed in the “system resource” menu. There are three submenu there.

System Resources Parameters

General parameters:

IRQ parameters:

I/O parameters:

System Shutdown

System shutdown (halt), reboot, and reset controls. For most systems, it is necessary to wait approximately 30 seconds for a safe power down.

System Shutdown from Java

Select the “System” menu then the “Shutdown” menu. The dialog box will appear asking you whether you want to reboot or shutdown the router. Warning: after entering ‘shutdown,’ it is necessary to manually restart the router.

System Shutdown from Console

The following commands can be executed in the “system” menu:

System Identity

Set the identification name of the router.

Setting System Identity from Java

Select “System” menu and then “Identity” and enter the router name.

Setting System Identity from Console

Go to the “system identity” menu.

System Identity Parameters

System Date and Time

View and change the system date and time settings.

Setting Date and Time from Java

Select the “System” menu and the “Clock” menu.

Setting Date and Time from Console

In the system console date and time settings can be change in two different menus. These commands can be executed from the “sys date” menu:

Date and time settings become permanent and effect BIOS settings.

Date and Time Parameters

Date parameters:

System Logs Management

Various system events and status information can be logged. Logs can be saved in a file on the router or sent to a remote server running a syslog daemon. MikroTik provides a shareware Windows Syslog daemon at MikroTik.com.

Managing System Logs from Java

Click on the “System” menu. If you want to view all system logs then go to the “Logs” menu. For configuring logs select the “Log Manager” menu. Select the “Log Default Settings” icon to set number of buffer lines, default IP address, and default port. To configure log sources select the icon of the corresponding line.

Managing System Logs from Console

Local logs can be viewed in the “log” menu:

Global logging management is performed in the “system logging” menu.

“system logging” menu commands:

“facility” submenu commands:

System Logs Parameters

Log facility parameters:

Types of logging:

Global logging parameters:

License

You can view and set Software ID Number by executing the following commands in “system license” menu in console.

11. Tools

MikroTik tools include standard TCP/IP tools such as ping and trace-route and also custom made tools. MikroTik custom tools are designed to assist you in verifying the quality of links – stability and bandwidth. If you have any suggestion for improving these tools, please suggest it at our suggestion page on our web site.

Ping

Ping uses Internet Control Message Protocol (ICMP) Echo messages to determine if a remote host is active or inactive and to determine the round-trip delay when communicating with it.

Launching Ping Utility from Java

Select the “Ping” submenu in the “Tools” menu. The Ping utility sends four ping messages and displays them in real time in the Ping list box.

Launching Ping Utility from Console

From local console enter the command “ping” from the base level or us /ping from any location in the console.

Ping utility shows Time To Live value of the received packet (ttl) and Roundtrip time (time) in ms.

The console Ping session may be stopped when the Ctrl + C is pressed.

Ping Utility Parameter Description

Traceroute

Traceroute is a TCP/IP protocol-based utility, which allows the user to determine how packets are being routed to a particular host. Traceroute works by increasing the time-to-live value of packets and seeing how far they get until they reach the given destination; thus, a lengthening trail of hosts passed through is built up.

Launching Traceroute Utility from Java

Select the “Traceroute” window in the “Tools” menu. When the trace is complete, the output indicates total number of hops to the host and corresponding TTL values per hop.

Launching Traceroute Utility from Console

Execute the command “traceroute“ from the base level:

Traceroute shows the number of hops to the given host address of every passed gateway. Traceroute utility sends packets three times to each passed gateway so it shows three timeout values for each gateway in ms.

General Traceroute Utility Parameters