MikroTik RouterOS™ V2.4 Reference Manual

Document revision 11-Jan-2002
This document applies to the MikroTik RouterOS™ V2.4

If you want to see all sections together,
view this Manual as one file

Basic Software Reference

Software Technical Reference and Application Examples



© Copyright 1999-2001, MikroTik

MikroTik RouterOS V2.4 Basic Setup Guide

Document revision 31-Jan-2002
This document applies to the MikroTik RouterOS V2.4

The Guide describes the basic steps of installing and configuring a dedicated PC router running MikroTik RouterOS V2.4. The following sections are included in this Guide:

Downloading and Installing the MikroTik RouterOS

The download and installation process of the MikroTik RouterOS is described in the following diagram:

1. Download the basic installation archive file.

Depending on the media you want to use for installing the MikroTik RouterOS, please choose one of the following archive types for downloading:

2. Create the installation media

Use the appropriate installation archive to create the Installation CD or floppies.

3. Install the MikroTik RouterOS software.

Your dedicated PC router hardware should have:

Boot up your dedicated PC router from the Installation Media you created and follow the instructions on the console screen while the HDD is reformatted and MikroTik RouterOS installed on it.

After successful installation please remove the installation media from your CD or floppy disk drive and hit 'Enter' to reboot the router. When the router starts up for the first time, you will be given a Software ID for your installation and asked to supply a valid software license key (Software Key) for it. Write down the Software ID. You will need it to obtain the Software License through the MikroTik Account Server.

If you need extra time to obtain the Software License Key, you may want to power off the router. Press the Ctrl-Alt-Del keys to properly shut down and reboot the router. Power the router off while the BIOS is doing the memory check.

Obtaining the Software License

The MikroTik RouterOS Software licensing process is described in the following diagram:

After installing the router and starting it up for the first time you will be given a Software ID.

  1. Write down the Software ID reported by the RouterOS.
  2. If you have an account with MikroTik, proceed to the next step.
    If you do not have an account at www.mikrotik.com, just press the 'New' button in the upper right-hand corner of MikroTik's web page to create your account.

    You will be presented with the Account Sign-Up Form where you choose your account name and fill in the required information.
  3. To obtain the Software License Key, log on to your account at www.mikrotik.com entering your account name and password (upper right-hand corner on this webpage), for example:

  4. After logging on to the Account Server select "Free Demo License" or "Order Software License" in the Account Menu.
    Note! The CD installation cannot be 'unlocked' with the Free Demo Key. Use the Floppy installation, or, purchase the License Key.
  5. The Software Key will be sent to the email address, which has been specified in your account setup.
  6. Read your email and enter the Software Key at the router's console, for example:
    Software ID: 5T4V-IUT
    Software key: 4N7X-UZ8-6SP
    
Instead of entering the license key you can enter 'shutdown' to shut down the router and enter the license key later, or enter 'display' to read the License Agreement, or 'help' to see a help message.

After entering the correct Software License Key you will be presented with the MikroTik Router's login prompt.

Logging into the MikroTik Router

When logging into the router via terminal console, you will be presented with the MikroTik RouterOS login prompt. Use 'admin' and no password (hit 'Enter') for logging on to the router for the first time, for example:

MikroTik v2.4.1
Login: admin
Password: 

The password can be changed with the '/password' command.

Navigating the Terminal Console

After logging into the router you will be presented with the MikroTik RouterOS Welcome Screen and command prompt, for example:


  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

Mikrotik RouterOS v2.4 (c) 1999-2001       http://www.mikrotik.com/
[MikroTik] >                                                                   

The command prompt shows the identity name of the router and the current menu level, for example:

[MikroTik] >                          Base level menu
[MikroTik] interface>                 Interface configuration
[MikroTik] ip firewall static-nat>    NAT rule management                                         

The list of available commands at any menu level can be obtained by entering the question mark '?', for example:

[MikroTik] > ?
     bridge  Bridge settings
     driver  Driver management
     e-mail  sending e-mail from router
     export  print configuration as set of router commands
       file  Local router file storage.
     import  Run exported configuration script
  interface  Interface configuration
         ip  IP protocol settings
        log  System logs
   password  Change password
       ping  Send ICMP Echo packets
       port  Serial ports
       quit  Quit console
       redo  Redo previosly undone action
    restore  Restore previously backed up configuration
    routing  Routing protocol configuration
      setup  Do basic setup of system
     system  System information and utilities
       tool  Diagnostics tools
       undo  Undo previous action
       user  User management
[MikroTik] > ip ?
      accounting  Traffic accounting
         address  Address management
             arp  ARP entries management
     dhcp-client  DHCP client settings
     dhcp-server  DHCP server settings
             dns  DNS settings
          export  print configuration as set of router commands
        firewall  Firewall management
        neighbor  Neighbor discovery
         packing  IP Packet Packing setup
  policy-routing  Policy routing setup
             ppp  PPP general settings
           queue  Bandwidth management
           route  Route management
         service
[MikroTik] >

The list of available commands and menus has short descriptions next to the items. You can move to the desired menu level by typing its name and hitting the [Enter] key, for example:

[MikroTik]>                      Base level menu
[MikroTik]> driver               Enter 'driver' to move to the driver level menu
[MikroTik] driver> /             Enter '/' to move to the base level menu from any level 
[MikroTik]> interface            Enter 'interface' to move to the interface level menu
[MikroTik] interface> /ip        Enter '/ip' to move to the IP level menu from any level
[MikroTik] ip>

A command or an argument does not need to be completed, if it is not ambiguous. For example, instead of typing 'interface' you can type just 'in' or 'int'. To complete a command use the [Tab] key.

A command may be invoked from the menu level where it is located by typing its name. If the command is in a different menu level than the current one, it should be invoked using its full or relative path, for example:

[MikroTik] ip route> print                  Prints the routing table
[MikroTik] ip route> .. address print       Prints the IP address table
[MikroTik] ip route> /ip address print      Prints the IP address table

The commands may have arguments. The arguments have their names and values. Some arguments, that are required, may have no name. Below is a summary on executing the commands and moving between the menu levels:

       Command                               Action
command [Enter]      Execute the command
[?]                  Show the list of all available commands
command [?]          Display help on the command and the list of arguments
command argument [?] Display help on the command's argument
[Tab]                Complete the command/word. If the input is ambiguous, a
                     second [Tab] gives possible options
/                    Move up to the base level
/command             Execute the base level command
..                   Move up one level
""                   Enter an empty string
"word1 word2"        Enter 2 words that contain a space

You can abbreviate names of levels, commands and arguments.

For the IP address configuration, instead of using the 'address' and 'netmask' arguments, in most cases you can specify the address together with the number of bits in the network mask, i.e., there is no need to specify the 'netmask' separately. Thus, the following two entries would be equivalent:

/ip address add address 10.0.0.1/24 interface ether1
/ip address add address 10.0.0.1 netmask 255.255.255.0 interface ether1

However, if the netmask argument is not specified, you must specify the size of the network mask in the address argument, even if it is the 32-bit subnet, i.e., use 10.0.0.1/32 for address 10.0.0.1 and netmask 255.255.255.255

Working with Interfaces

Before configuring the IP addresses and routes please check the '/interface' menu to see the list of available interfaces. If you have PCI Ethernet cards installed in the router, it is most likely that the device drivers have been loaded for them automatically, and the relevant interfaces appear on the '/interface print' list, for example:

[MikroTik] interface> print                                                    
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0 X ether1               1500  ether                                         
[MikroTik] interface>                                                          

The device drivers for NE2000 compatible ISA cards need to be loaded using the 'add' command under the /driver menu. For example, to load the driver for a card with IO address 0x280 and IRQ 5, it is enough to issue the command:

[MikroTik] driver> add name=ne2k-isa io=0x280                                       
[MikroTik] driver> print                                                       
Flags: I - invalid, D - dynamic 
  #   DRIVER                            IRQ IO         MEMORY     ISDN-PROTOCOL
  0 D PCI NE2000                                                               
  1   ISA NE2000                            280                                
[MikroTik] driver>                                                             

The interfaces need to be enabled, if you want to use them for communications. Use the '/interface enable name' command to enable the interface with a given name, for example:

[MikroTik] interface> print                                                    
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0 X ether1               1500  ether                                         
  1 X ether2               1500  ether                                         
[MikroTik] interface> enable 0                                                  
[MikroTik] interface> enable ether2                                             
[MikroTik] interface> print                                                    
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  1   ether2               1500  ether                                         
[MikroTik] interface>

You can use the number or the name of the interface in the 'enable' command.

The interface name can be changed to a more descriptive one by using the '/interface set' command:

[MikroTik] interface> set 0 name=Public                                            
[MikroTik] interface> set 1 name=Local                                         
[MikroTik] interface> print                                                    
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   Public               1500  ether                                         
  1   Local                1500  ether                                         
[MikroTik] interface> 

Use of the 'setup' Command

The initial setup of the router can be done by using the '/setup' command which enables an interface, assigns an address/netmask to it, and configures the default route. If you do not use the setup command, or need to modify/add the settings for addresses and routes, please follow the steps described below.

Adding Addresses

Assume you need to configure the MikroTik router for the following network setup:

Please note that the addresses assigned to different interfaces of the router should belong to different networks. In the current example we use two networks:

The addresses can be added and viewed using the following commands:

[MikroTik] ip address> add address 192.168.0.254/24 interface Local
[MikroTik] ip address> add address 10.1.1.12/24 interface Public
[MikroTik] ip address> print                                                   
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   192.168.0.254/24   192.168.0.0     192.168.0.255   Local                 
  1   10.1.1.12/24       10.1.1.0        10.1.1.255      Public                
[MikroTik] ip address>

Here, the network mask has been specified in the value of the address argument. Alternatively, the argument 'netmask' could have been used with the value '255.255.255.0'. The network and broadcast addresses were not specified in the input since they could be calculated automatically.

Configuring the Default Route

You can see two dynamic (D) kernel (K) routes, which have been added automatically when the addresses were added:

[MikroTik] ip route> print                                                     
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0 D  connect 192.168.0.0/24     A            0.0.0.0     0        Local      
  1 D  connect 10.1.1.0/24        A            0.0.0.0     0        Public     
[MikroTik] ip route> print detail                                              
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  0 D  dst-address=192.168.0.0/24 gateway=0.0.0.0 nexthop-state=A 
       preferred-source=192.168.0.254 interface=Local distance=0 type=connect 

  1 D  dst-address=10.1.1.0/24 gateway=0.0.0.0 nexthop-state=A 
       preferred-source=10.1.1.12 interface=Public distance=0 type=connect 

[MikroTik] ip route>   

These routes show that IP packets destined for 10.1.1.0/24 are sent through the interface Public, whereas IP packets destined for 192.168.0.0/24 are sent through the interface Local. However, you need to specify where the router should forward packets whose destination is not on a network connected directly to the router. This is done by adding the default route (destination 0.0.0.0, netmask 0.0.0.0). In this case it is the ISP's gateway 10.1.1.254, which can be reached through the interface Public:

[MikroTik] ip route> add gateway=10.1.1.254       
[MikroTik] ip route> print                                                     
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  0.0.0.0/0          A            10.1.1.254  1        Public     
  1 D  connect 192.168.0.0/24     A            0.0.0.0     0        Local      
  2 D  connect 10.1.1.0/24        A            0.0.0.0     0        Public     
[MikroTik] ip route>      

Here, the default route is listed under #0. As we see, the gateway 10.1.1.254 can be reached through the interface 'Public'. If the gateway had been specified incorrectly, the value for the argument 'interface' would be unknown. Note that you cannot add two routes to the same destination, i.e., destination-address/netmask! This applies to the default routes as well. Instead, you can enter multiple gateways for one destination. For more information on IP routes, please read the relevant topic in the Manual.

If you have accidentally added an unwanted static route, use the 'remove' command to delete it. Do not remove the dynamic (D) routes! They are added automatically and should not be deleted 'by hand'. If you happen to remove one, reboot the router and the route will show up again.
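The address and route behaviour described in the last two sections, modelled in Python as an added example (not part of the original guide and not MikroTik code): both 'address' input forms are parsed, the connected routes are derived from the addresses, and a static route's interface is resolved through its gateway, showing '(unknown)' when the gateway is not on a connected network. The class and function names are hypothetical, 203.0.113.5 is a constructed destination, and the longest-prefix lookup is standard IP forwarding rather than something the guide spells out.

```python
import ipaddress


def parse_address(address, netmask=None):
    """Accept either form the guide shows: '10.0.0.1/24', or an address plus
    a separate netmask. A bare address without a netmask is rejected, because
    the prefix length must then be given explicitly (even /32)."""
    if netmask is not None:
        return ipaddress.ip_interface(f"{address}/{netmask}")
    if "/" not in address:
        raise ValueError("no netmask given: specify the prefix length, e.g. /32")
    return ipaddress.ip_interface(address)


class RouterModel:
    """Hypothetical model of the '/ip address' and '/ip route' tables."""

    def __init__(self):
        self.addresses = []      # (IPv4Interface, interface name)
        self.static_routes = []  # (IPv4Network, gateway IPv4Address)

    def add_address(self, address, interface, netmask=None):
        self.addresses.append((parse_address(address, netmask), interface))

    def address_rows(self):
        """Columns of '/ip address print': network and broadcast are derived."""
        return [(a.with_prefixlen, str(a.network.network_address),
                 str(a.network.broadcast_address), name)
                for a, name in self.addresses]

    def connected(self):
        """One dynamic 'connect' route per configured address."""
        return [(a.network, name) for a, name in self.addresses]

    def add_route(self, gateway, dst="0.0.0.0/0"):
        net = ipaddress.ip_network(dst)
        # The guide: two routes to the same destination cannot be added.
        if any(net == existing for existing, _ in self.static_routes):
            raise ValueError(f"a route to {net} already exists")
        self.static_routes.append((net, ipaddress.ip_address(gateway)))

    def gateway_interface(self, gateway):
        """Interface of the connected network that contains the gateway."""
        for net, name in self.connected():
            if gateway in net:
                return name
        return "(unknown)"

    def route_rows(self):
        """(type, dst-address, gateway, distance, interface), static first."""
        rows = [("static", str(net), str(gw), 1, self.gateway_interface(gw))
                for net, gw in self.static_routes]
        rows += [("connect", str(net), "0.0.0.0", 0, name)
                 for net, name in self.connected()]
        return rows

    def lookup(self, destination):
        """Longest-prefix match. Returns (interface, next hop) or None."""
        dst = ipaddress.ip_address(destination)
        best = None  # (prefix length, interface, next hop)
        for net, name in self.connected():
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, name, str(dst))
        for net, gw in self.static_routes:
            iface = self.gateway_interface(gw)
            usable = iface != "(unknown)" and dst in net
            if usable and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, iface, str(gw))
        return None if best is None else best[1:]


def guide_router(gateway="10.1.1.254"):
    """The guide's setup: Local 192.168.0.254/24, Public 10.1.1.12/24."""
    router = RouterModel()
    router.add_address("192.168.0.254/24", "Local")
    router.add_address("10.1.1.12", "Public", netmask="255.255.255.0")
    router.add_route(gateway)
    return router


if __name__ == "__main__":
    for gw in ("10.1.1.254", "10.2.2.254"):  # second gateway is mistyped
        router = guide_router(gw)
        print(f"gateway {gw}")
        for row in router.route_rows():
            print("  ", row)
        print("   203.0.113.5 ->", router.lookup("203.0.113.5"))
```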

Testing the Network Connectivity

From now on, the '/ping' command can be used to test the network connectivity on both interfaces. You can reach any host on both connected networks from the router:

[MikroTik] ip address> /ping 10.1.1.17
10.1.1.17 pong: ttl=255 time<1 ms
10.1.1.17 pong: ttl=255 time<1 ms
10.1.1.17 pong: ttl=255 time<1 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0/0.0/0 ms
interrupted
[MikroTik] ip address> /ping 192.168.0.1
192.168.0.1 pong: ttl=255 time<1 ms
192.168.0.1 pong: ttl=255 time<1 ms
192.168.0.1 pong: ttl=255 time<1 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0/0.0/0 ms
interrupted
[MikroTik] ip address> 

The workstation and the laptop can reach (ping) the router at its local address 192.168.0.254, whereas the server can reach the router at its local address 10.1.1.12. The router's address 192.168.0.254 should be specified as the default gateway in the TCP/IP configuration of both the workstation and the laptop. Then you should be able to ping the router's address 10.1.1.12, which is on the ISP's network:

C:\>ping 10.1.1.12
Pinging 10.1.1.12 with 32 bytes of data:
Reply from 10.1.1.12: bytes=32 time<10ms TTL=255
Reply from 10.1.1.12: bytes=32 time<10ms TTL=255
Reply from 10.1.1.12: bytes=32 time<10ms TTL=255
C:\>

However, you cannot ping the workstation and laptop from the server, unless you do the following:

It is required that you have some knowledge of configuring TCP/IP networks. There is a comprehensive list of IP resources compiled by Uri Raz at http://www.private.org.il/tcpip_rl.html. We strongly recommend that you obtain more knowledge if you have difficulties configuring your network setups.

The next section discusses 'hiding' the private LAN 192.168.0.0/24 'behind' one address 10.1.1.12 given to you by the ISP.

Application Example with Masquerading

If you want to 'hide' the private LAN 192.168.0.0/24 'behind' one address 10.1.1.12 given to you by the ISP, you should use the masquerading function of the MikroTik router. Masquerading is useful if you want to access the ISP's network and the Internet with all requests appearing to come from the host 10.1.1.12 of the ISP's network. Masquerading changes the source IP address and port of packets originating from the network 192.168.0.0/24 to the address 10.1.1.12 of the router when the packets are routed through it.

Masquerading helps to ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. Masquerading also conserves the number of global IP addresses required and it lets the whole network use a single IP address in its communication with the world.

To use masquerading, a firewall rule with action 'masq' should be added to the forward chain of the router's firewall configuration:

[MikroTik] ip firewall rule forward>
add action=masq interface=Public src-address=192.168.0.0/24 
[MikroTik] ip firewall rule forward> print
Flags: X - disabled, I - invalid 
  0   protocol=all src-address=192.168.0.0/24:0-65535 
      dst-address=0.0.0.0/0:0-65535 interface=Public action=masq 
      tcp-options=all log=no 

[MikroTik] ip firewall rule forward>                                           

Please consult the Firewall Manual for more information on masquerading.

Application Example with Bandwidth Management

Assume you want to limit the bandwidth to 128kbps on downloads and 64kbps on uploads for all hosts on the LAN. Bandwidth limitation is done by applying queues to the interfaces that are outgoing with respect to the traffic flow. It is enough to add two queues at the MikroTik router:

[MikroTik] ip queue>
add interface Local queue red limit-at 128000 max-burst 0 bounded yes
add interface Public queue red limit-at 64000 max-burst 0 bounded yes
[MikroTik] ip queue> print                                                     
Flags: X - disabled, I - invalid 
  0   src-address=0.0.0.0/0:0-65535 dst-address=0.0.0.0/0:0-65535 
      protocol=all queue=red limit-at=128000 max-burst=0 bounded=yes priority=8 
      weight=1 allot=1538 bfifo-limit=10000 pfifo-limit=100 red-limit=60 
      red-min-threshold=10 red-max-threshold=50 red-burst=20 interface=Local 

  1   src-address=0.0.0.0/0:0-65535 dst-address=0.0.0.0/0:0-65535 
      protocol=all queue=red limit-at=64000 max-burst=0 bounded=yes priority=8 
      weight=1 allot=1538 bfifo-limit=10000 pfifo-limit=100 red-limit=60 
      red-min-threshold=10 red-max-threshold=50 red-burst=20 interface=Public 

[MikroTik] ip queue>    

Leave all other parameters as set by default. The limit is approximately 128kbps going to the LAN and 64kbps leaving the client's LAN. No packet bursts are allowed. Please note that the queues have been added to the interfaces that are outgoing with respect to the traffic flow.

Please consult the Queues Manual for more information on bandwidth management and queuing.

Application Example with NAT

Assume we have moved the server in our previous examples from the public network to our local one:

The server's address is now 192.168.0.17, and we are running a web server on it that listens on TCP port 80. We want to make it accessible from the Internet at address:port 10.1.1.12:80. This can be done by means of Static Network Address Translation (NAT) at the MikroTik Router. The Public address:port 10.1.1.12:80 will be translated to the Local address:port 192.168.0.17:80. Two static NAT rules are required for translating the address:port, one for the incoming packets and one for the outgoing packets:

[MikroTik]> ip firewall static-nat
[MikroTik] ip firewall static-nat>
add interface Public translate yes direction in protocol tcp \
    dst-address 10.1.1.12/32:80 to-dst-address 192.168.0.17/32:80
add interface Public translate yes direction out protocol tcp \
    src-address 192.168.0.17/32:80 to-src-address 10.1.1.12/32:80
[MikroTik] ip firewall static-nat> print
Flags: X - disabled, I - invalid 
  0   interface=Public src-address=0.0.0.0/0:0-65535 dst-address=10.1.1.12/32:80 
      protocol=tcp to-src-address=0.0.0.0/0:0 to-dst-address=192.168.0.17/32:80 
      translate=yes direction=in 

  1   interface=Public src-address=192.168.0.17/32:80 dst-address=0.0.0.0/0:0-65535 
      protocol=tcp to-src-address=10.1.1.12/32:80 to-dst-address=0.0.0.0/0:0 
      translate=yes direction=out 

[MikroTik] ip firewall static-nat>

Since we use masquerading for the Local network 192.168.0.0/24 (see the Application Example above), we should exclude masquerading for the server's address 192.168.0.17 and TCP port 80 by adding a rule with action 'accept' to the forward chain. After adding the rule, it should be moved before the masquerading rule:

[MikroTik]> ip firewall rule forward
[MikroTik] ip firewall rule forward>
add src-address 192.168.0.17/32:80 protocol tcp interface Public 
[MikroTik] ip firewall rule forward> print
Flags: X - disabled, I - invalid 
  0   protocol=all src-address=192.168.0.0/24:0-65535 
      dst-address=0.0.0.0/0:0-65535 interface=Public action=masq 
      tcp-options=all log=no 

  1   protocol=tcp src-address=192.168.0.17/32:80 
      dst-address=0.0.0.0/0:0-65535 interface=Public action=accept 
      tcp-options=all log=no 

[MikroTik] ip firewall rule forward> move 1 0                                     
[MikroTik] ip firewall rule forward> print                                     
Flags: X - disabled, I - invalid 
  0   protocol=tcp src-address=192.168.0.17/32:80 
      dst-address=0.0.0.0/0:0-65535 interface=Public action=accept 
      tcp-options=all log=no 

  1   protocol=all src-address=192.168.0.0/24:0-65535 
      dst-address=0.0.0.0/0:0-65535 interface=Public action=masq 
      tcp-options=all log=no 

[MikroTik] ip firewall rule forward> 

Please consult the Static NAT Manual for more information on NAT.
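Why the 'accept' rule has to be moved above the 'masq' rule, as an added Python example (not from the original guide and not RouterOS code): a model of a forward chain in which the first matching rule decides, plus a check that lists rules which can never match because an earlier rule covers all of their traffic. First-match evaluation, 'interface' meaning the outgoing interface, and a default action of accept are assumptions of the model; the names are hypothetical and 203.0.113.9 is a constructed client address.

```python
import ipaddress
from dataclasses import dataclass


def parse_endpoint(spec):
    """Parse the guide's 'address/bits:port' or 'address/bits:low-high' form
    into (network, low port, high port)."""
    net, _, ports = spec.partition(":")
    low, _, high = ports.partition("-")
    return ipaddress.ip_network(net), int(low), int(high or low)


@dataclass(frozen=True)
class Rule:
    protocol: str
    src: str
    dst: str
    interface: str
    action: str


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    sport: int
    dst: str
    dport: int
    out_interface: str


def endpoint_matches(spec, address, port):
    net, low, high = parse_endpoint(spec)
    return ipaddress.ip_address(address) in net and low <= port <= high


def matches(rule, pkt):
    return (rule.protocol in ("all", pkt.protocol)
            and rule.interface == pkt.out_interface
            and endpoint_matches(rule.src, pkt.src, pkt.sport)
            and endpoint_matches(rule.dst, pkt.dst, pkt.dport))


def evaluate(chain, pkt, default="accept"):
    """Return (rule index, action) of the first matching rule (assumed model)."""
    for index, rule in enumerate(chain):
        if matches(rule, pkt):
            return index, rule.action
    return None, default


def move(chain, src, dst):
    """Model of 'move <src> <dst>': take rule src and place it at position dst."""
    reordered = list(chain)
    reordered.insert(dst, reordered.pop(src))
    return reordered


def covers(outer, inner):
    """True if endpoint spec 'outer' contains every address:port of 'inner'."""
    o_net, o_low, o_high = parse_endpoint(outer)
    i_net, i_low, i_high = parse_endpoint(inner)
    return i_net.subnet_of(o_net) and o_low <= i_low and i_high <= o_high


def shadowed(chain):
    """Indexes of rules fully covered by an earlier rule (they never match)."""
    hidden = []
    for i, rule in enumerate(chain):
        for earlier in chain[:i]:
            if (earlier.protocol in ("all", rule.protocol)
                    and earlier.interface == rule.interface
                    and covers(earlier.src, rule.src)
                    and covers(earlier.dst, rule.dst)):
                hidden.append(i)
                break
    return hidden


# The two rules exactly as printed in the guide.
MASQ = Rule("all", "192.168.0.0/24:0-65535", "0.0.0.0/0:0-65535", "Public", "masq")
ACCEPT_WEB = Rule("tcp", "192.168.0.17/32:80", "0.0.0.0/0:0-65535", "Public", "accept")

chain_as_added = [MASQ, ACCEPT_WEB]            # order right after 'add'
chain_after_move = move(chain_as_added, 1, 0)  # after 'move 1 0'

# Constructed packets: the web server's reply and an ordinary LAN client.
web_reply = Packet("tcp", "192.168.0.17", 80, "203.0.113.9", 40000, "Public")
lan_client = Packet("tcp", "192.168.0.5", 1025, "203.0.113.9", 80, "Public")

if __name__ == "__main__":
    for label, chain in (("as added", chain_as_added), ("after move", chain_after_move)):
        print(label, "web reply ->", evaluate(chain, web_reply),
              "| LAN client ->", evaluate(chain, lan_client),
              "| shadowed:", shadowed(chain))
```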

Accessing the Router Remotely using Web Browser and Java Console

The MikroTik router can be accessed remotely using

To use the Java Console, you will need IE5.0 or Netscape 4.0 or higher with Java Runtime Environment (JRE) 1.2 or higher installed. Please download the JRE and install it on your workstation to enable the Java Console access. When connecting to the MikroTik router via http, the router's Welcome Page is displayed in the web browser, for example:

By clicking on the Java Console icon you can open the Java console with the login window. Use the username and password to log on to the router, for example:

After logging on to the router you can work with the MikroTik router's configuration through the Java console and perform the same tasks as using the regular console:

You can use the menu bar to navigate through the router's configuration menus, open configuration windows. By double clicking on some list items in the windows you can open configuration windows for the specific items, and so on. Please consult the MikroTik RouterOS Manual for more detailed description of using the Java console.

Adding Software Packages

The basic installation comes with only the "system" package and a few other packages. This includes basic IP routing and router administration. To have additional features such as IP Telephony, OSPF, wireless, and so on, you will need to download additional software packages.

The additional software packages should have the same version as the system package. If not, the package won't be installed. Please consult the MikroTik RouterOS Software Package Installation and Upgrading Manual for more detailed information about installing additional software packages.

Software Licensing Issues

If you want to upgrade to a 'paid' version of your MikroTik RouterOS installation, please purchase the new Software License KEY for the Software ID you used when getting the 'free' demo license. Similarly, if an additional license is required to enable the functionality of a software package, the license should be obtained for the Software ID of your system. The new key should be entered using the /system license set key command, and the router should be rebooted afterwards:

[MikroTik] system license> print                                               
      software-id: TPNG-SXN
              key: 2C6A-YUE-3H2
    upgradable-to: may/01/2002
[MikroTik] system license> feature print                                       
Flags: X - disabled 
  #   FEATURE                                                                  
  0 X AP                                                                       
  1 X synchronous                                                              
  2 X radiolan                                                                 
  3 X wireless-2.4gHz                                                          
  4   licensed                                                                 
[MikroTik] system license> set key=D45G-IJ6-QM3                                
[MikroTik] system license> /system reboot
Reboot, yes? [y/N]: y
system will reboot shortly

If there is no appropriate license, the appropriate interfaces won't show up under the interface list, even though the packages can be installed on the MikroTik RouterOS and corresponding drivers loaded.



MikroTik RouterOS V2.4 Terminal Console Manual

Document revision 21-Jan-2002
This document applies to the MikroTik RouterOS v2.4

Overview

The Terminal Console is used for accessing the MikroTik Router configuration and management features using text terminals, i.e., remote terminal clients, as well as local monitor and keyboard. The Terminal Console is used for writing scripts. This manual describes the general console operation principles. Please consult the Scripting Manual on how to write scripts.

Contents of the Manual

The following topics are covered in this manual:

Overview of Common Functions

The console allows configuration of the router settings using text commands. The command structure is similar to the Unix shell. Since there are a whole lot of available commands, they're split into a hierarchy. For example, all (well, almost all) commands that work with routes start with "ip route":

[drax]> ip route print
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE        DST-ADDRESS        NEXTHOP... GATEWAY    DISTANCE INTERFACE 
  0    ;;; test multihop route
       static      0.0.0.0/0          A          10.0.0.1   1        ether2    
                                      I          1.1.1.1             (unknown) 
  1 D  connect     10.0.0.0/24        A          0.0.0.0    0        ether2    
  2 D  connect     7.7.7.0/24         A          0.0.0.0    0        tunl        
[drax]> ip route set 0 gateway=10.0.0.1
[drax]> ip route print
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE        DST-ADDRESS        NEXTHOP... GATEWAY    DISTANCE INTERFACE 
  0    ;;; test multihop route
       static      0.0.0.0/0          A          10.0.0.1   1        ether2    
  1 D  connect     10.0.0.0/24        A          0.0.0.0    0        ether2    
  2 D  connect     7.7.7.0/24         A          0.0.0.0    0        tunl        

Instead of typing "ip route" before each command, "ip route" can be typed once to "change into" that particular branch of command hierarchy. Thus, the example above could also be executed like this:

[drax]> ip route
[drax] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE        DST-ADDRESS        NEXTHOP... GATEWAY    DISTANCE INTERFACE 
  0    ;;; test multihop route
       static      0.0.0.0/0          A          10.0.0.1   1        ether2    
  1 D  connect     10.0.0.0/24        A          0.0.0.0    0        ether2    
  2 D  connect     7.7.7.0/24         A          0.0.0.0    0        tunl        

...etc

Notice that the prompt changes to show where in the command hierarchy you are located at the moment. To change to the top level, type "/"

[drax] ip route> /
[drax]>

To move up one command level, type ".."

[drax] ip route> ..
[drax] ip>

You can also use "/" and ".." to execute commands from other levels without changing the current level:

[drax] ip route> /ping 10.0.0.10
timeout: ping reply not recieved after 1000 mss
timeout: ping reply not recieved after 1000 mss
2 packets transmitted, 0 packets received, 100% packet loss

Or alternatively, to go back to the base level you could use the ".." twice:

[drax] ip route> .. .. ping 10.0.0.10
10.0.0.10 pong: ttl=128 time=1 ms
10.0.0.10 pong: ttl=128 time<1 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0/0.5/1 ms
[drax] ip route>

Lists

Many of the command levels operate with arrays of items: interfaces, routes, users etc. Such arrays are displayed in similar-looking lists. Each item in the list has an item number followed by its parameter values. For example:

[drax]> interface print
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0 X ether1               1500  ether                                         
  1   ether2               1500  ether                                         
  2 X pptp-in1                   pptp-in                                       
  3   tunl                 1500  eoip-tunnel                                   

To change parameters of an item (interface settings in this particular case), you have to specify its number to the "set" command:

[drax]> interface set 1 mtu=1460
[drax]> interface print
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0 X ether1               1500  ether                                         
  1   ether2               1460  ether                                         
  2 X pptp-in1                   pptp-in                                       
  3   tunl                 1500  eoip-tunnel                                   

Numbers are assigned by "print" command and are not constant - it is possible that two successive "print" commands will order items differently. Thus, you must use the print command before any other command that works with list items, to assign numbers.

Note: Although numbers can change each time you use the "print" command, they don't change between these uses. Once assigned, they will remain the same until you quit the console or until the next "print" command is executed. Also, numbers are assigned separately for every item list, so "ip address print" won't change numbers for interface list.

Let's assume "ip address print" hasn't been executed already. In this case:

[drax]> ip address set 1 netmask=255.255.0.0
ERROR: item numbers not assigned

The console is reporting that no "ip address print" command has been executed, and thus it cannot know which address number 1 corresponds to.

To better understand how item numbers work, you can experiment with the "from" argument of the "print" command:

[drax]> interface print from=1
  #   NAME                 MTU   TYPE                                          
  0   ether2               1460  ether                                         

The "from" argument specifies which items to show. Numbers are assigned by every "print" command, so after executing the command above only one item will be accessible by number: interface "ether2", by number 0.

Item names

Some lists have items that have specific names assigned to each. Examples are "interface" or "user" levels. There you can use item names instead of numbers:

[drax]> interface set ether2 mtu 1500

You don't have to use the "print" command before accessing items by name. As opposed to numbers, names are not assigned by the console internally, but are one of the items' parameters. Thus, they won't change on their own. However, there are all kinds of obscure situations possible when several users are changing router configuration at the same time. Generally, item names are more "stable" than numbers, and also more informative, so you should prefer them to numbers when writing console scripts. Also, [tab] completions work on item names, making them easy to type.

Quick Typing

There are two features in router console that help entering commands much quicker and easier - the [Tab] key completions, and abbreviations of command names. Completions work similarly to the bash shell in UNIX. If you press the [Tab] key after part of a word, console tries to find the command in current context that begins with this word. If there's only one match, it is automatically appended, followed by space character:

/inte_ becomes /interface _

Here, "_" is the cursor position.

If there's more than one match, but they all have a common beginning that is longer than what you have typed, then the word is completed to this common part, and no space is appended:

/interface set e_

becomes

/interface set ether_ 

(because "e" matches both "ether5" and "ether1" in this example)

If you've typed just the common part, pressing the tab key once has no effect. However, pressing it for the second time shows all possible completions in compact form:

[drax]> /interface set e_
[drax]> /interface set ether_
[drax]> /interface set ether
ether1 ether5
[drax]> /interface set ether_

The tab key can be used almost in any context where the console might have a clue about possible values - command names, argument names, arguments that have only several possible values (like names of items in some lists or name of protocol in firewall and NAT rules). You can't complete numbers, IP addresses and similar values.

New in V2.4: It is now possible to complete not only the beginning, but also any distinctive substring of a name. When [Tab] is pressed, the console builds a list of all possible words that can be entered at the current cursor position. It then looks for words that begin with the string immediately before the cursor. If there is more than one match, a second [Tab] key press will display them in a compact table form. If there's a single match, it is completed at the cursor position. Otherwise, the console looks for words that have the string being completed as the first letters of a multiple-word name, or that simply contain the letters of this string in the same order. If a single such word is found, it is completed at the cursor position. For example:

[drax]> /interface x_
[drax]> /interface export _

"x" is completed to "export", because no other word in this context contains 'x'.

[drax]> /interface mt_
[drax]> /interface monitor-traffic _

No word begins with letters "mt", but it is an abbreviation of "monitor-traffic".

Another way to press fewer keys while typing is to abbreviate command and argument names. You can type only the beginning of a command name, and, if it is not ambiguous, the console will accept it as the full name. So typing:

[drax]> ip f st r 1

is equivalent to typing:

[drax]> ip firewall static-nat remove 1

and:

[drax]> pi 10.1 c 3 s 100

is equivalent to:

[drax]> ping 10.0.0.1 count 3 size 100

Help

The console has built-in help, which can be accessed by typing '?'. The general rule is that help shows what you can type at the position where the '?' was pressed (similar to pressing the tab key twice, but in verbose form and with explanations).

Internal item numbers

Items can also be addressed by their internal numbers. These numbers are generated by the console for scripting purposes and, as the name implies, are used internally. Although you can see them if you print return values of some commands (internal numbers look like a hex number preceded by '*', for example "*100A"), there's no reason for you to type them in manually. Use of invalid internal numbers can result in severe damage to your router configuration.

Multiple items

You can specify multiple items as targets of some commands. Almost everywhere that you can write the number of an item, you can also write a list of numbers:

[drax]> interface print
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  1   ether2               1500  ether                                         
[drax]> interface set "0 1" mtu=1600
[drax]> interface print
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1600  ether                                         
  1   ether2               1600  ether                                         

Note: In the example above, "0 1" could be substituted with "0,1". Lists can be entered either whitespace separated, in quotes, or comma separated. In the latter case quotes are not required.

This is handy when you want to perform same action on several items, or do a selective export. However, this feature becomes really useful when combined with scripting.

Return values

The router console has limited scripting capability. The syntax is simple and similar to TCL. The commands "find" and "get" can be found in many command levels. These commands do not print anything on screen, but create return values that can be used by other console commands. The "find" command creates a return value that contains internal numbers of all items that match parameters of the "find" command. This return value can be used in another command, by placing "find" in square brackets:

[drax]> interface
[drax] interface> print from=[find name=ether2]
  #   NAME                 MTU   TYPE
  0   ether2               1600  ether
[drax] interface> set 0 mtu 1460
[drax] interface> print from=[find mtu=1460]
  #   NAME                 MTU   TYPE
  0   ether2               1460  ether

If you don't give "find" any arguments, it returns internal numbers of all items:

[drax] interface> set [find] mtu=1500
[drax] interface> print
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  1   ether2               1500  ether                                         

You can see the return value of "find" command (and other router commands) using ":put" command:

[drax] interface> :put [find]
*1 *2 

These are internal numbers of all router interfaces. Also, there's a trailing space after last number, so you can concatenate results of several "find" commands:

[drax] interface> print from [find][find]
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  1   ether2               1500  ether                                         
  3   ether1               1500  ether                                         
  4   ether2               1500  ether                                         

The "get" command gives scripts access to the item values that can be seen with the "print" command. It takes two arguments - item number and name of property:

[drax] interface> :put [get 0 name]
ether1

Item numbers cannot be used in scripts; instead, use item names or the result of the "find" command:

[drax] interface> :put [get ether2 type]
ether

Time Setting

In the console time can be entered in various ways. You can use either hours:minutes:seconds form, or a number followed by: If there is no number before the letters, it will be one unit. You can also use numbers with a decimal point. Multiple time intervals can be written consecutively - they will be summed.

Variables

The console has variables that can store string values. Assigning such a variable is done by ":set" command:

[drax]> :set var1 J.Random.String

If the value is assigned to a non-existing variable, then the variable is created, otherwise current value is replaced. To access the value of variable, you have to type "$" followed by the name of the variable, and it will be replaced by the value of the variable:

[drax]> :put $var1
J.Random.String
[drax]> :put $var1-$var1-yo-ho-ho-$var1
J.Random.String-J.Random.String-yo-ho-ho-J.Random.String

Magic Variable

The magic variable is the "^" (caret). It contains the return value of the last executed command. Not all commands set this value. Commands like "print" or "telnet" don't have any meaningful way to define return value, so they don't modify it. "add" returns internal number of new item. It is used in some export scripts:

[bainug] interface> /ip route 
[bainug] ip route> export 
/ ip route 
add dst-address=0.0.0.0/0 gateway=10.0.0.1,1.1.1.1 prefered-source=0.0.0.0 
comment $^ "test multihop route"
enable $^ 

This script could also be rewritten so that it does not use "^" variable, at the expense of clarity:

/ ip route
set item [add dst-address=0.0.0.0/0 gateway=10.0.0.1,1.1.1.1 \
    prefered-source=0.0.0.0]
comment $item "test multihop route"
enable $item

General Layout of Command Levels

There are two different kinds of command levels. First, there are levels that allow you to work with lists of similar items - routes, interfaces, users and the like. Second, there are levels that allow you to change some general parameters - time, bridge settings etc.

Most command groups have some or all of these commands: print, set, remove, add, find, get, export, enable, disable, comment. These commands behave similarly throughout the hierarchy.

print

The "print" command shows all information that's accessible from particular command level. Thus, "/system clock print" shows system date and time, "/ip route print" shows all routes etc. If there's a list of items in this level and they are not read-only, i.e. you can change/remove them (example of read-only item list is "/system history", which shows history of executed actions), then "print" command also assigns numbers that are used by all commands that operate on items in this list. Thus, "print" usually must be executed before any other commands in the same command level.

If there's list of items then "print" usually can have a "from" argument. The "from" argument accepts space separated list of item numbers, names (if items have them), and internal numbers. The action (printing) is performed on all items in this list in the same order in which they're given.

Output can be formatted either as a table, with one item per line, or as a list with "property=value" pairs for each item. By default "print" uses one of these forms, but it can be set explicitly with "brief" and "detail" arguments. In "brief" (table) form, "columns" argument can be set to a list of property names that should be shown in the table. The "without-paging" argument suppresses prompting after each screen of output.

set

The "set" command allows you to change values of general parameters or item parameters. The "set" command has arguments with names corresponding to values you can change. Use "?" or double tab to see list of all arguments. If there is list of items in this command level, then set has one unnamed argument that accepts the number of item (or list of numbers) you wish to set up. Values for unnamed arguments must follow right after the name of the command, and their order can't be changed. Example: in firewall rules, the "set" command has two unnamed arguments - first is the name of chain and second is the number of rule in this chain. "set" returns internal numbers of items it has set up.

remove

The "remove" command has one unnamed argument, which contains number(s) of item(s) to remove.

add

The "add" command usually has the same arguments as "set", minus the unnamed number argument. It adds new item with values you've specified, usually to the end of list (in places where order is relevant). There are some values that you have to supply (like interface for new route), and other values that are set to defaults if you don't supply them. The "add" command returns internal number of item it has added.

New in 2.4: You can create a copy of an existing item by using "copy-from" argument. It takes default values of new item's properties from another item. If you don't want exact copy, you can specify new values for some properties. When copying items that have names, you will usually have to give new name to a copy.

find

The "find" command has the same arguments as "set", and an additional "from" argument which works like the "from" argument with the "print" command. The "find" command returns internal numbers of all items that have the same values of arguments as specified.

export

The "export" command prints a script that can be used to restore configuration. If it has the argument "from", then it is possible to export only specified items. Also, if the "from" argument is given, "export" does not descend recursively through the command hierarchy. The "export" command also has the argument "file", which allows you to save the script in a file on the router to retrieve it later via ftp. The argument "noresolve" is used to disable reverse resolving of IP addresses if it proves to be a problem.

enable/disable

You can enable/disable some items (like ip address or default route). If an item is disabled, it is marked with the "X" flag. If an item is invalid, but not disabled, it is marked with the "I" flag:

[MikroTik] ip route>                                                           
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE        DST-ADDRESS        NEXTHOP... GATEWAY    DISTANCE INTERFACE 
  0    static      0.0.0.0/0          A          10.0.0.1   1        ether1    
  1 X  static      192.168.0.0/16     I          159.148... 1        (unknown) 
  2 I  static      10.1.1.0/24        I          10.0.1.3   1        (unknown) 
  3 D  connect     159.148.24.0/24    A          0.0.0.0    0        ether1    
  4 D  connect     10.0.0.0/24        A          0.0.0.0    0        ether1    
[MikroTik] ip route>

comment

You can add comments to some items. If the item is commented, comments are shown next to the item number before all parameters and prefixed with ";;;":

[Main_GW] ip route> print                                                          
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE        DST-ADDRESS        NEXTHOP... GATEWAY    DISTANCE INTERFACE 
  0    ;;; our default gateway
       static      0.0.0.0/0          A          192.168... 1        ispnet    
  1    ;;; to-pptp-client in the branch office
       static      192.168.223.55/32  A          192.168... 1        ispnet    
  3 D  ospf        159.148.36.0/24    A          10.1.0.2   110      rlan      
  4 D  connect     192.168.248.128/25 A          0.0.0.0    0        ispnet    
...


© Copyright 1999-2001, MikroTik

MikroTik RouterOS V2.4 Java Console Manual

Document revision 25-Sep-2001
This document applies to the V2.4 of the MikroTik RouterOS

Overview

The Java Console is used for accessing the MikroTik Router configuration and management features using graphical user interface. To access the MikroTik RouterOS Java Console, you will need IE5.0 or Netscape 4.0 or higher with Java 2 Runtime Environment (JRE) plugin installed. Please download the JRE v1.2 or higher and install it on your workstation to enable the Java Console access.

This manual describes the general Java console operation principles.

Contents of the Manual

The following topics are covered in this manual:

Overview of Common Functions

When connecting to the MikroTik router via http (TCP port 80), the router's Welcome Page is displayed in the web browser, for example:

By clicking on the Java Console icon you can open the Java console with the login window. Use the username and password to log on to the router, for example:

The Java Console uses TCP port 3986. After logging on to the router you can work with the MikroTik router's configuration through the Java console and perform the same tasks as using the regular console:

You can use the menu bar to navigate through the router's configuration menus and open configuration windows. By double clicking on some list items in the windows you can open configuration windows for the specific items, and so on.

There are some hints for using the Java Console:

Troubleshooting for Java Console


© Copyright 1999-2001, MikroTik

MikroTik RouterOS V2.4 Software Package Installation and Upgrading

Document revision 10-Oct-2001
This document applies to the MikroTik RouterOS V2.4

Overview

The MikroTik RouterOS consists of a formatted HDD specific to our installation and of software packages. The main package is the system software package, which provides the basic functionality of the router. Additional software packages can be installed that provide special support, e.g., PPPoE, PPTP, PPP, wireless, etc.

Features

The modular software package system of MikroTik RouterOS has following features:

Contents of the Manual

The following sections are included in this Manual:

Software Upgrade Instructions

Upgrading of the MikroTik RouterOS can be done by uploading the newer version software packages to the router and rebooting it. Before upgrading the router please check the current version of the system software and of the additional software packages. The version of the MikroTik RouterOS system software (and the build number) are shown before the console login prompt, for example:

MikroTik v2.4rc19
Login:

Information about the version (and build) numbers of the installed MikroTik RouterOS software packages can be obtained using the /system package print command, for example:

[MikroTik] > system package print                                              
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 routing                2.4rc19               sep/10/2001 12:58:27 no       
  1 ppp                    2.4rc19               sep/10/2001 12:58:36 no       
  2 pptp                   2.4rc19               sep/10/2001 12:59:07 no       
  3 system                 2.4rc19               sep/10/2001 12:58:09 no       
  4 ssh                    2.4rc19               sep/10/2001 12:59:28 no       
[MikroTik] > 

The list shows the number, name, version, and build time of the installed software packages. If the functions provided by a software package are not required for the router implementation, the package can be marked for uninstalling at the next shutdown/reboot of the router. Use the /system package set command to mark the packages for uninstallation:

[MikroTik] > system package set 0 uninstall=yes                                
[MikroTik] > system package print                                              
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 routing                2.4rc19               sep/10/2001 12:58:27 yes      
  1 ppp                    2.4rc19               sep/10/2001 12:58:36 no       
  2 pptp                   2.4rc19               sep/10/2001 12:59:07 no       
  3 system                 2.4rc19               sep/10/2001 12:58:09 no       
  4 ssh                    2.4rc19               sep/10/2001 12:59:28 no       
[MikroTik] >

If a package is marked for uninstallation, but it is required for another (dependent) package, then the marked package cannot be uninstalled. For example, the ppp package won't be uninstalled if the pptp package is installed. You should uninstall the dependent package too. For package dependencies see the section about contents of the software packages below. The system package won't be uninstalled even if marked for uninstallation.

Software Package Installation Instructions

The software package files are compressed binary files, which can be downloaded from the Download section of MikroTik's web page www.mikrotik.com. The full name of the package file consists of a descriptive name, version number, and file extension '.npk'. For example, 'system-2.4.npk', 'ppp-2.4.npk', 'pppoe-2.4.npk', etc. To install (upgrade) a newer version of the MikroTik RouterOS system software please follow the upgrade instructions below:

Example output of the /file print command:

[MikroTik] > /file print                                                       
  # NAME                  SIZE       TYPE                  TIME                
  0 ssh_host_key.pub      332        unknown               feb/14/2001 15:10:19
  1 ssh_host_dsa_key.pub  603        unknown               feb/14/2001 15:10:35
  2 ppp-2.4.npk           314563     package               sep/25/2001 11:39:14
  3 pppoe-2.4.npk         125822     package               sep/25/2001 11:39:14
  4 pptp-2.4.npk          113055     package               sep/25/2001 11:39:15
  5 ssh-2.4.npk           462380     package               sep/25/2001 11:39:16
  6 system-2.4.npk        6566535    package               sep/25/2001 11:39:28
[MikroTik] >

The installation/upgrade process is shown on the console screen (monitor) attached to the router. After successful installation the software packages are shown on the output list of the /system package print command, for example:

[MikroTik] > system package print                                              
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 ppp                    2.4                   sep/24/2001 03:37:21 no       
  1 pptp                   2.4                   sep/24/2001 03:38:03 no       
  2 ssh                    2.4                   sep/24/2001 03:43:19 no       
  3 system                 2.4                   sep/24/2001 03:33:17 no       
  4 pppoe                  2.4                   sep/24/2001 03:39:04 no       
[MikroTik] > 

Note! The versions of packages should match the version number of the system software package.

Automatic Software Package Upgrading

The automatic upgrade option of the MikroTik RouterOS software packages can be accessed under the /system package auto-update menu. The option is not functional and cannot be used yet.

Contents of the Software Packages

System Software Package

The system software package provides the basic functionality of the MikroTik RouterOS, namely: After installing the MikroTik RouterOS, a license should be obtained from MikroTik to enable the basic system functionality.

Additional Software Feature Packages

The table below shows additional software feature packages, the provided functionality, the required prerequisites and additional licenses, if any.

Name | Contents | Prerequisites | Additional License
routing | Provides RIP & OSPF support | - | -
snmp | Provides read only SNMP support | - | -
ssh | Provides remote access via SSH | - | -
lcd | Provides LCD monitor support | - | -
ups | Provides APC Smart Mode UPS support | - | -
ppp | Provides asynchronous PPP support | - | -
pptp | Provides PPTP support | ppp | -
pppoe | Provides PPPoE support | ppp | -
isdn | Provides support for ISDN | ppp | -
telephony | Provides IP telephony support (H.323) for Quicknet cards | - | -
framerelay | Provides support for frame relay (used with Moxa C101 or Cyclades PC300 interfaces) | - | -
moxa-c101 | Provides support for Moxa C101 synchronous card | - | synchronous
lmc-wan | Provides support for LMC synchronous cards | - | synchronous
cyclades | Provides support for PC300 synchronous interfaces | - | synchronous
aironet | Provides support for CISCO Aironet IEEE 802.11 wireless PC/PCI/ISA cards | - | 2.4GHz wireless
arlan | Provides support for DSSS 2.4GHz 2Mbps Aironet ISA cards | - | 2.4GHz wireless
wavelan | Provides support for Lucent WaveLAN IEEE 802.11 wireless cards | - | 2.4GHz wireless
teletronics | Provides support for Teletronics IEEE 802.11 2Mbps wireless cards | - | 2.4GHz wireless
radiolan | Provides support for 5.8GHz RadioLAN ISA cards | - | radiolan
prism | Provides support for Prism II chipset based IEEE 802.11 wireless cards as clients or as access points | - | 2.4GHz wireless (station mode); 2.4GHz wireless and Prism II AP (AP mode)
thinrouter-pcipc | Used for Thin Routers. Forces the PCI to cardbus bridge to use IRQ 11 | - | -
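
The version note and the uninstall dependency rule from this manual can be checked offline against captured output of /system package print, for instance when trimming packages a router does not need. The following Python script is an added example, not MikroTik code; the sample output is constructed, and the function names and issue labels are assumptions of this example.

```python
import re

# Prerequisites taken from the feature-package table above (package -> required package).
PREREQUISITES = {"pptp": "ppp", "pppoe": "ppp", "isdn": "ppp"}

# Constructed sample of "system package print" output: routing is left at an
# older version, and ppp is marked for uninstall while pptp still needs it.
SAMPLE = """\
[MikroTik] > system package print
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 routing                2.4rc19               sep/10/2001 12:58:27 no
  1 ppp                    2.4                   sep/24/2001 03:37:21 yes
  2 pptp                   2.4                   sep/24/2001 03:38:03 no
  3 system                 2.4                   sep/24/2001 03:33:17 no
  4 ssh                    2.4                   sep/24/2001 03:43:19 no
[MikroTik] >
"""

# One table row: number, name, version, build date and time, uninstall flag.
ROW = re.compile(
    r"^\s*\d+\s+(?P<name>\S+)\s+(?P<version>\S+)\s+"
    r"(?P<build>\S+\s+\d\d:\d\d:\d\d)\s+(?P<uninstall>yes|no)\s*$"
)


def parse_packages(text):
    """Return {name: {"version", "build", "uninstall"}} parsed from console output."""
    packages = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:  # prompt and header lines do not match and are skipped
            packages[match["name"]] = {
                "version": match["version"],
                "build": match["build"],
                "uninstall": match["uninstall"] == "yes",
            }
    return packages


def audit(packages):
    """Return a list of (issue, package, detail) tuples, empty if all is consistent."""
    if "system" not in packages:
        return [("no-system-package", "system", "not found in the output")]
    findings = []
    system_version = packages["system"]["version"]
    for name in sorted(packages):
        info = packages[name]
        # The manual's note: package versions should match the system package.
        if info["version"] != system_version:
            findings.append(("version-mismatch", name,
                             f"{info['version']} != system {system_version}"))
        # A package that stays installed needs its prerequisite to stay as well.
        required = PREREQUISITES.get(name)
        if required and not info["uninstall"]:
            if required not in packages:
                findings.append(("missing-prerequisite", name, required))
            elif packages[required]["uninstall"]:
                findings.append(("uninstall-blocked", required,
                                 f"still required by {name}"))
        # The system package is never removed, even when marked.
        if name == "system" and info["uninstall"]:
            findings.append(("uninstall-ignored", name, "system cannot be removed"))
    return findings


if __name__ == "__main__":
    for issue, package, detail in audit(parse_packages(SAMPLE)):
        print(f"{issue:22} {package:10} {detail}")
```

Marking pptp for uninstall together with ppp clears the "uninstall-blocked" finding, which mirrors the manual's advice to uninstall the dependent package too.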

If additional license is required to enable the functionality of a software package, the license should be obtained for the Software ID of your system. The new key should be entered using the /system license set key command, and the router should be rebooted afterwards:

[MikroTik] system license> print                                               
      software-id: TPNG-SXN
              key: 2C6A-YUE-3H2
    upgradable-to: may/01/2002
[MikroTik] system license> feature print                                       
Flags: X - disabled 
  #   FEATURE                                                                  
  0 X AP                                                                       
  1 X synchronous                                                              
  2 X radiolan                                                                 
  3 X wireless-2.4gHz                                                          
  4   licensed                                                                 
[MikroTik] system license> set key=D45G-IJ6-QM3                                
[MikroTik] system license> /system reboot
Reboot, yes? [y/N]: y
system will reboot shortly

If there is no appropriate license, the appropriate interfaces won't show up under the interface list, even though the packages can be installed on the MikroTik RouterOS and corresponding drivers loaded.

Software Package Resource Usage

The following table shows the required resources of HDD storage and RAM for the various software packages. The total required storage space can be calculated by adding together the required storage of all installed packages including the system software package.

Name              Memory (RAM) usage, MB   Storage (HDD) usage, MB
system            16.5                     16.0
routing           0.6                      1.2
snmp              0.6                      0.5
ssh               1.0                      1.2
lcd               0.4                      0.1
ups               0.5                      0.2
ppp               2.0                      0.8
pptp              1.3                      0.3
pppoe             1.2                      0.4
isdn              2.4                      1.0
telephony         4.8                      4.5
framerelay        0.1                      0.1
moxa-c101         0.8                      0.1
lmc-wan           0.8                      0.1
cyclades          0.8                      0.1
aironet           1.1                      0.2
arlan             0.8                      0.1
wavelan           1.1                      0.1
teletronics       0.8                      0.1
radiolan          0.8                      0.2
prism             1.3                      0.5
thinrouter-pcipc  1.0                      0.01

Troubleshooting


© Copyright 1999-2001, MikroTik

MikroTik RouterOS V2.4 SSH Installation and Usage

Document revision 01-Oct-2001
This document applies to the MikroTik RouterOS V2.4

Overview

The SSH feature can be used with various SSH Telnet clients to securely connect to and administer the router.

The MikroTik RouterOS supports:

The MikroTik RouterOS v2.4 has been tested with the following SSH telnet terminals:

Contents of the Manual

The following topics are covered in this manual:

Installation

The 'ssh-2.4.x.npk' (less than 1MB) package for installation of SSH is required. The package can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload it to the router with ftp and reboot. No additional settings are required. You may check to see if the SSH package is installed with the command:

[MikroTik] > system package print
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 aironet                2.4                   sep/25/2001 05:08:05 no
  1 pptp                   2.4                   sep/25/2001 05:06:44 no
  2 ppp                    2.4                   sep/25/2001 05:06:35 no
  3 pppoe                  2.4                   sep/25/2001 05:06:45 no
  4 ssh                    2.4                   sep/25/2001 05:08:11 no
  5 routing                2.4                   sep/25/2001 05:06:07 no
  6 snmp                   2.4                   sep/25/2001 05:06:09 no
  7 moxa-c101              2.4                   sep/25/2001 05:08:08 no
  8 framerelay             2.4                   sep/25/2001 05:08:56 no
  9 system                 2.4                   sep/25/2001 05:05:48 no
[MikroTik] >

Line 4 shows that the SSH package is installed.

Hardware Resource Usage

The uncompressed package will use approximately 1MB of additional Flash/HD IDE memory. A minimum amount of additional RAM is used. No hardware upgrades are suggested.

Suggested Windows Client Setup

PuTTY is a free Windows (all Windows) SSH client which needs no complex installation. It is one .exe file which can be downloaded and run.

Download this program from the MikroTik utilities download page or http://www.chiark.greenend.org.uk/~sgtatham/putty.html (suggested for the most recent program version).

Simple instructions:

  1. After downloading, run the program,
  2. Set the connection type to SSH,
  3. On the first connection to the router a Security Alert will notify that the server's host key is not in the registry. Answer 'YES' to trust this server.
  4. The normal router login will not be displayed. Instead, 'login as:' and 'name@xxx.xxx.xxx.xxx's password:' will appear.

Suggested UNIX/Linux Client Setup

No client installation is needed on any standard Linux distribution. The command ssh -l [username] [router address] will initiate a connection.

Additional Resources

Links for Windows Client:

http://www.zip.com.au/~roca/ttssh.html
http://www.chiark.greenend.org.uk/~sgtatham/putty.html
http://www.massconfusion.com/ssh/
http://telneat.lipetsk.ru/
http://support.jgaa.com/?cmd=ShowArticle&ID=11
http://akson.sgh.waw.pl/~chopin/ssh/index_en.html
http://cs.mscd.edu/MSSH/index.html
http://www.networksimplicity.com/openssh/

Other links:

http://www.openssh.com/
http://www.freessh.org/


MikroTik RouterOS V2.4 Scripting Manual

Document revision 21-Mar-2002
This document applies to the MikroTik RouterOS V2.4

Overview

Scripting gives the administrator a way to execute console commands by writing a script for the router, which is executed on the basis of time or of events that can be monitored on the router. One example of the use of scripting is changing bandwidth settings according to the time of day. In RouterOS v2.4, a script may be started in three ways: at a specific time or at a regular interval; on an event, for example when the netwatch tool sees that an address does not respond to pings; or by another script.

To write a script, the writer must learn all of the console commands described in the relevant documentation. Scripts may be written for the System Scheduler, the Traffic Monitoring Tool, and for the Netwatch Tool.

Note: RouterOS v2.5 will have additional scripting functions to better enable the reporting of monitored variables, as well as a delay function.

System Scheduler

The scheduler is used to execute scripts at certain times. It has an ordered list of scripts; each script has the following properties:

Descriptions of settings:

name - useful for disabling or changing properties of this item from other scripts
start-time and start-date - time and date of first execution
interval - interval between two script executions. If the interval is set to zero, the script is executed only at its start time; otherwise it is executed repeatedly at the specified interval
run-count - used to monitor script usage; this counter is incremented each time the script is executed, and it can be reset to zero.
script - the script itself

Here is a simple script that logs "kuku" every hour sharp:

[mountain] system scheduler> add name=x interval=1h script={:log message=kuku}
[mountain] system scheduler> print 
Flags: X - disabled 
  0   name=x start-time=00:00:00 start-date=jan/01/1970 interval=1h run-count=0 
      script=:log message=kuku 

[mountain] system scheduler>

Here are two scripts that will change the bandwidth setting of a queue rule. Every day at 9AM the queue will be set to 64Kb/s and at 5PM the queue will be set to 128Kb/s.

/system scheduler add interval=24h name="set-64k" start-time=9:00:00 script={
    /ip queue set [/ip queue find dst-address=1.2.3.0/24:0-65535] \
        limit-at=64000
}

/system scheduler add interval=24h name="set-128k" start-time=17:00:00 script={
    /ip queue set [/ip queue find dst-address=1.2.3.0/24:0-65535] \
        limit-at=128000
}

The following console command schedules a script that sends a backup of the router configuration by e-mail each week.

/system scheduler add interval=7d name="email-backup" script={
    /system backup save name=email
    /e-mail send to="madmin@1.2.3.4" \
        subject=[/system identity get name]" backup" \
        file=email.backup
}

If more than one script has to be executed at one time, they are executed in the order they appear in the scheduler configuration. This can be important if, for example, one scheduled script is used to disable another. The order of scripts can be changed with the "move" command.

If a more complex execution pattern is needed, it can usually be done by scheduling several scripts and making them enable and disable each other. The example below will put 'x' in the logs each hour from midnight till noon:

[mountain] system scheduler> print 
Flags: X - disabled 
  0   name=x-up start-time=00:00:00 start-date=jan/01/1970 interval=24h
      run-count=1 script=/system scheduler enable x
  1 X name=x start-time=00:00:00 start-date=jan/01/1970 interval=1h run-count=3 
      script=:log message=x
  2   name=x-down start-time=12:00:00 start-date=jan/01/1970 interval=24h
      run-count=0 script=/system scheduler disable x
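
The effect of list order on this three-entry configuration can be checked with a small model. The Python below is an added example, not MikroTik code; it assumes that the scheduler walks the list top to bottom on each tick and that an enable or disable issued by one script applies to entries later in the same tick (class and function names are hypothetical).

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Entry:
    name: str
    start_hour: int        # start-time, in whole hours to keep the model small
    interval_hours: int    # interval; 0 means "run once, at start-time"
    script: Callable[["Scheduler"], None]
    disabled: bool = False
    run_count: int = 0


class Scheduler:
    """Toy model of '/system scheduler': an ordered list walked once per tick."""

    def __init__(self, entries: List[Entry]):
        self.entries = entries
        self.log: List[int] = []   # hours at which ':log message=x' ran
        self.hour = 0

    def find(self, name: str) -> Entry:
        return next(e for e in self.entries if e.name == name)

    def move(self, name: str, position: int) -> None:
        """Counterpart of the console 'move' command."""
        entry = self.find(name)
        self.entries.remove(entry)
        self.entries.insert(position, entry)

    def tick(self, hour: int) -> None:
        self.hour = hour
        for entry in list(self.entries):       # list order is execution order
            # Assumption: the disabled flag is read when the entry's turn comes,
            # so an earlier script in the same tick can switch it on or off.
            if entry.disabled or hour < entry.start_hour:
                continue
            elapsed = hour - entry.start_hour
            if entry.interval_hours == 0:
                due = (elapsed == 0)
            else:
                due = (elapsed % entry.interval_hours == 0)
            if due:
                entry.run_count += 1
                entry.script(self)


def page_configuration() -> Scheduler:
    """The x-up / x / x-down entries in the order printed above."""
    return Scheduler([
        Entry("x-up", 0, 24, lambda s: setattr(s.find("x"), "disabled", False)),
        Entry("x", 0, 1, lambda s: s.log.append(s.hour), disabled=True),
        Entry("x-down", 12, 24, lambda s: setattr(s.find("x"), "disabled", True)),
    ])


def logged_hours(move: Optional[Tuple[str, int]] = None, hours: int = 24) -> List[int]:
    """Run one day and return the hours at which 'x' was logged."""
    sched = page_configuration()
    if move is not None:
        sched.move(*move)
    for hour in range(hours):
        sched.tick(hour)
    return sched.log


if __name__ == "__main__":
    print("order as printed      :", logged_hours())
    print("x-down moved above x  :", logged_hours(move=("x-down", 1)))
    print("x moved above x-up    :", logged_hours(move=("x", 0)))
```

With the order as printed, 'x' is logged at 00:00 and again at 12:00, because 'x' runs before 'x-down' in the noon tick; moving either helper entry shifts which boundary hour is included.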

Traffic Monitoring Tool

The traffic monitor tool is used to execute console scripts when interface traffic crosses some given thresholds.

Each item in the traffic monitor list consists of its name (which is useful if you want to disable or change properties of this item from another script), some parameters specifying the traffic condition, and the script to execute when this condition is met.

[MikroTik] tool traffic-monitor> print 
Flags: X - disabled, I - invalid 
  0   name=e2warm interface=ether2 threshold=15000 trigger=above
      traffic=received script=...

  1   name=e2cold interface=ether2 threshold=12000 trigger=below 
      traffic=transmitted script=...

Descriptions of arguments:

name - Name of traffic monitor item.
interface - Interface to monitor.
threshold - Traffic threshold, in bits per second.
trigger - ( above / always / below ) Condition on which to execute script.
traffic - ( transmitted / received ) Type of traffic to monitor.
script - Script source.

You should specify the interface on which to monitor the traffic, the type of traffic to monitor (transmitted or received), and the threshold (in bits per second). The script is started when traffic crosses the threshold in the direction given by the "trigger" argument. "above" means that the script will be run each time traffic exceeds the threshold, i.e. goes from being less than the threshold to being more than the threshold value. "below" triggers the script in the opposite condition, when traffic drops under the threshold. "always" triggers the script on both "above" and "below" conditions.

Traffic Monitor Examples

[MikroTik] tool traffic-monitor > add name=turn_on interface=ether1 threshold=15000\
           script={/interface enable ether2} trigger=above traffic=received
[MikroTik] tool traffic-monitor > add name=turn_off interface=ether1 threshold=12000\
           script={/interface disable ether2} trigger=below traffic=received

The example monitor enables the interface ether2, if the received traffic exceeds 15kbps on ether1, and disables the interface ether2, if the received traffic falls below 12kbps on ether1.
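
The two monitors above form a hysteresis band between 12000 and 15000 bits per second. The Python below is an added example, not MikroTik code: it models the edge-triggered behaviour described for "above", "below" and "always" and replays a constructed series of received rates on ether1. It assumes that a rate equal to the threshold counts as "not above" and that nothing fires on the very first sample; the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TrafficMonitor:
    name: str
    threshold: int                     # bits per second
    trigger: str                       # "above", "below" or "always"
    script: str
    was_above: Optional[bool] = None   # side of the threshold at the last sample

    def sample(self, bps: int) -> Optional[str]:
        """Return the script to run if this sample crossed the threshold."""
        is_above = bps > self.threshold        # assumption: equal is "not above"
        crossed = self.was_above is not None and is_above != self.was_above
        self.was_above = is_above
        if not crossed:
            return None                        # level-holding samples never fire
        direction = "above" if is_above else "below"
        return self.script if self.trigger in (direction, "always") else None


def page_monitors(on: int = 15000, off: int = 12000) -> List[TrafficMonitor]:
    """The turn_on / turn_off pair from the example, thresholds adjustable."""
    return [
        TrafficMonitor("turn_on", on, "above", "/interface enable ether2"),
        TrafficMonitor("turn_off", off, "below", "/interface disable ether2"),
    ]


def simulate(monitors: List[TrafficMonitor],
             samples: List[int]) -> Tuple[List[Tuple[int, str]], List[bool]]:
    """Feed received rates on ether1; return fired scripts and ether2 state."""
    ether2_enabled = False
    fired: List[Tuple[int, str]] = []
    states: List[bool] = []
    for index, bps in enumerate(samples):
        for monitor in monitors:
            script = monitor.sample(bps)
            if script is None:
                continue
            fired.append((index, monitor.name))
            if script == "/interface enable ether2":
                ether2_enabled = True
            elif script == "/interface disable ether2":
                ether2_enabled = False
        states.append(ether2_enabled)
    return fired, states


def toggles(states: List[bool]) -> int:
    """Number of times ether2 changed state, starting from disabled."""
    return sum(1 for before, after in zip([False] + states, states) if before != after)


# Constructed sample of received bits per second on ether1 (not measured data).
SAMPLES = [9000, 14000, 16000, 13000, 15500, 11000, 12500, 16000]

if __name__ == "__main__":
    fired, states = simulate(page_monitors(), SAMPLES)
    print("15000/12000 band :", fired, "toggles:", toggles(states))
    fired, states = simulate(page_monitors(on=15000, off=15000), SAMPLES)
    print("single threshold :", fired, "toggles:", toggles(states))
```

On this series the 15000/12000 pair changes the state of ether2 three times, while a single threshold of 15000 for both monitors changes it five times.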

Network Watching Tool

Netwatch monitors the state of hosts on the network. It does so by sending ICMP pings to a list of specified IP addresses. For each entry in the netwatch table you can specify an IP address, a ping interval and console scripts. Here is an example configuration.

[bainug] tool netwatch> print 
Flags: X - disabled 
  #   HOST            TIMEOUT              INTERVAL             STATUS 
  0 X 10.0.0.17       998ms                2s                   unknown

Scripts are not displayed by default. To see them, type "detail" after the "print" command.

[bainug] tool netwatch> print detail 
Flags: X - disabled 
  0 X host=10.0.0.17 timeout=998ms interval=10s since=apr/1/2001 13:38:54 
      status=unknown up-script=/ip route set [/ip route find dst \
                              0.0.0.0] gateway 10.0.0.17
      
      down-script=/ip route set [/ip route find dst 0.0.0.0] gateway 10.0.0.255

This line (when enabled) will ping 10.0.0.17 every 10 seconds, and if nothing comes back, it will change status to "down". If some pings do return, status will change to "up".

Without scripts, netwatch can be used just as an information tool, to see which links are up or which specific hosts are running at the moment. The "since" field shows the last time the state of the host changed.

The main advantage of netwatch is its ability to issue arbitrary console commands on host state changes. Let's look at the example above: it changes the default route if the gateway becomes unreachable. How is it done?

There are two scripts. The "up-script" is executed once when the status of the host changes to "up". In our case, it is equivalent to entering this console command:

[bainug] tool netwatch> /ip route set [/ip route find dst 0.0.0.0] gateway 10.0.0.17

The "/ip route find dst 0.0.0.0" command returns a list of all routes whose "dst-address" value is zero. Usually that is the default route. The list is substituted as the first argument to the "/ip route set" command, which changes the gateway of this route to 10.0.0.17.

The second script is executed once when the status of the host becomes "down". It does the following:

[bainug] tool netwatch> /ip route set [/ip route find dst 0.0.0.0] gateway 10.0.0.255

That is, it restores the default gateway if the 10.0.0.17 address has become unreachable. Here is another example, which sends an e-mail notification whenever the 10.3.15.7 host goes down:

[avots] tool netwatch> print detail 
Flags: X - disabled 
  0   host=10.3.15.7 timeout=999ms interval=20s since=sep/27/2001 13:55:04 
      status=up up-script=""
      down-script=/e-mail send from="router@vieta.lv" server=\
                 "159.144.25.102" body="Router down" subject="Router at \
                 second floor is down" to="admin@vieta.lv" 

Netwatch monitors hosts by pinging their IP addresses. The following values can be configured for each list entry:

Descriptions of settings:

host - IP address of host that should be monitored
interval - Time between pings. Lowering this will make state changes more responsive, but can create unnecessary traffic and consume system resources.
timeout - Timeout for each ping. If no reply from host is received in this time, host is considered unreachable ("down").
up-script - Console script that is executed once when state of host changes from "unknown" or "down" to "up".
down-script - Console script that is executed once when state of host changes from "unknown" or "up" to "down".

In addition, the following value is available with the "print" command:

since - Time when the state of the host last changed.

To see the values of "up-script", "down-script" or "since", use the "print detail" form of the command.

The state of a host changes to "unknown" when any properties of its list entry are changed, or when the entry is enabled or disabled. Also, any entry that is added has the state "unknown" initially.

The host IP address is available in both the "up-script" and "down-script" scripts as the value of the variable "host". This variable is available only while the script is running, and its values are not remembered or shared between multiple script executions.
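
The state rules above have one consequence that is easy to miss: because editing an entry resets it to "unknown", the "up-script" runs again on the next successful ping even though the host never went down. The Python below is an added example, not MikroTik code, that models those rules for the 10.0.0.17 entry; the class, the route dictionary and the ping sequence are constructed for illustration.

```python
from typing import Callable, Dict, List, Optional, Tuple

Script = Optional[Callable[[Dict[str, str]], None]]


class NetwatchEntry:
    """Model of one netwatch list entry and its unknown/up/down status."""

    def __init__(self, host: str, up_script: Script = None, down_script: Script = None):
        self.host = host
        self.up_script = up_script
        self.down_script = down_script
        self.status = "unknown"            # every new entry starts as "unknown"

    def set(self, **properties: str) -> None:
        """Changing any property puts the entry back into "unknown"."""
        for key, value in properties.items():
            setattr(self, key, value)
        self.status = "unknown"

    def probe(self, replied: bool) -> None:
        """Apply the result of one ping (reply received within the timeout or not)."""
        new_status = "up" if replied else "down"
        if new_status == self.status:
            return                          # scripts run once per change, not per ping
        self.status = new_status
        script = self.up_script if new_status == "up" else self.down_script
        if script is not None:
            # A fresh variable set per run: "host" is available, and nothing the
            # script stores in it survives to the next execution.
            script({"host": self.host})


def replay() -> Tuple[List[Tuple[str, str]], List[bool], str]:
    """Replay a constructed ping sequence against the gateway-switching entry."""
    routes = {"0.0.0.0": "10.0.0.255"}      # default route before any script runs
    history: List[Tuple[str, str]] = []
    leaked: List[bool] = []

    def up_script(env: Dict[str, str]) -> None:
        leaked.append("marker" in env)      # would be True if variables persisted
        env["marker"] = "set by previous run"
        routes["0.0.0.0"] = env["host"]     # uses the "host" variable, not a literal
        history.append(("up", routes["0.0.0.0"]))

    def down_script(env: Dict[str, str]) -> None:
        routes["0.0.0.0"] = "10.0.0.255"    # same gateway as the down-script above
        history.append(("down", routes["0.0.0.0"]))

    entry = NetwatchEntry("10.0.0.17", up_script, down_script)
    for replied in (True, True, False, False, True):
        entry.probe(replied)
    entry.set(interval="2s")                # an edit: status becomes "unknown"
    entry.probe(True)                       # host was up all along, script runs again
    return history, leaked, entry.status


if __name__ == "__main__":
    for event in replay()[0]:
        print(event)
```

Scripts attached to netwatch entries are therefore best written so that running them twice in a row is harmless.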


MikroTik RouterOS V2.4 Device Driver Management

Document revision 25-Sep-2001
This document applies to the MikroTik RouterOS V2.4

Overview

Device drivers represent the software interface part of installed network devices. For example, the MikroTik RouterOS includes device drivers for NE2000 compatible Ethernet cards and other network devices. Device drivers are included in the system software package and in the additional feature packages.

The device drivers for PCI and PC cards are loaded automatically. Other network interface cards (most ISA and ISDN PCI cards) require the device drivers to be loaded manually by using the /driver add command.

Users cannot add their own device drivers. Only drivers included in the MikroTik RouterOS software packages can be used. If you need a device driver for a device which is not supported by the MikroTik RouterOS, please suggest it at our suggestion page on our web site.

Loading Device Drivers

The drivers for PCI cards (except the ISDN cards) are loaded automatically at the system startup. Use the /driver print command to see the list of loaded drivers:

[MikroTik] driver> print                                                       
Flags: I - invalid, D - dynamic 
  #   DRIVER                            IRQ IO         MEMORY     ISDN-PROTOCOL
  0 D RealTek RTL8129/8139                                                     
[MikroTik] driver>

As we see, the driver for the Realtek PCI card has been loaded automatically.

If a driver has to be loaded manually, use the /driver add command. The syntax of the command is:

[MikroTik] driver> add ?                                                        
Load driver name [irq IRQ] [io IO range start] [mem shared memory]. 

  copy-from  Item number
         io  IO port base address
        irq  IRQ number
     memory  Shared Memory base address
       name  Driver name
[MikroTik] driver>

If hexadecimal values are used for the arguments, put 0x before the number. To see the list of available drivers, enter the /driver add name ? command:

[MikroTik] driver> add name=?
Name of driver to load. 

     3c509  3com 3c509 ISA
  ne2k-isa  ISA NE2000
[MikroTik] driver> add name=ne2k-isa io 0x280                                  
[MikroTik] driver> print                                                       
Flags: I - invalid, D - dynamic 
  #   DRIVER                            IRQ IO         MEMORY     ISDN-PROTOCOL
  0 D RealTek RTL8129/8139                                                     
  1   ISA NE2000                            280                                
[MikroTik] driver> 

To see the system resources occupied by the devices, use the '/system resource io print' and '/system resource irq print' commands:

[MikroTik] system resource> irq print                                          
 IRQ USED OWNER                                                                 
 1   yes  keyboard                                                              
 2   yes  APIC                                                                  
 3   no                                                                         
 4   yes  serial port                                                           
 5   no                                                                         
 6   no                                                                         
 7   no                                                                         
 8   no                                                                         
 9   no                                                                         
 10  yes  Public                                                                
 11  yes  Local                                                                 
 12  no                                                                         
 13  yes  FPU                                                                   
 14  yes  IDE 1                                                                 
 15  yes  PCMCIA service                                                        
[MikroTik] system resource> io print                                           
 PORT-RANGE            OWNER                                                    
 20-3F                 APIC                                                     
 40-5F                 timer                                                    
 60-6F                 keyboard                                                 
 80-8F                 DMA                                                      
 A0-BF                 APIC                                                     
 C0-DF                 DMA                                                      
 F0-FF                 FPU                                                      
 1F0-1F7               IDE 1                                                    
 2F8-2FF               serial port                                              
 3C0-3DF               VGA                                                      
 3E0-3E1               PCMCIA service                                           
 3F6-3F6               IDE 1                                                    
 3F8-3FF               serial port                                              
 4000-4007             IDE 1                                                    
 4008-400F             IDE 2                                                    
 6300-631F             Local                                                    
 6700-67FF             Public                                                   
[MikroTik] system resource>  

Note that the resource list shows interfaces only if they are enabled!

Removing Device Drivers

Use the '/driver remove' command to remove device drivers. Unloading a device driver is useful when changing network devices: it saves system resources by not loading drivers for devices that have been removed from the system. A device driver needs to be removed and loaded again if some parameter (memory range, I/O base address) has been changed for the adapter card. Device drivers can be removed only if the appropriate interface has been disabled.

List of Drivers

The list of device drivers included in the system software package is given below:

ISA Drivers

Drivers for ISA cards should be loaded manually.

PCI Drivers

Drivers for PCI cards are loaded automatically, if the relevant interface card is installed, and it does not have hardware conflicts. The list of PCI drivers is below:

For the list of drivers included in additional feature software packages, please see the manual of the relevant software package.

Troubleshooting


MikroTik RouterOS V2.4 Bridge Management

Document revision 03-Oct-2001
This document applies to the MikroTik RouterOS V2.4

Overview

MAC level bridging of Ethernet packets is supported. The router has one internal bridging table. Interfaces can be included or excluded. Ethernet, Ethernet over IP (EoIP), and RadioLAN interfaces are supported. 802.11b client wireless interfaces (ad-hoc or infrastructure) do not support bridging because of the limits of 802.11b; it is possible to bridge over them using the Ethernet over IP protocol (please see the documentation on EoIP).

Features include:

Installation

The bridge feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

When Bridge is enabled, it uses a small amount of memory. No increase of memory is suggested.

Bridge Setup

IP bridge management can be accessed under the /bridge menu:

[MikroTik] bridge> ?
Configure interfaces that are used for bridge forwarding, protocols that will
be forwarded and look at bridge forwarding table.

     export  print configuration as set of router commands
        get  get value of property
       host  Bridge forwarding table
  interface  Interfaces used for bridging
      print  print settings
        set  change settings
[MikroTik] bridge> print
           ip: discard
          ipx: discard
    appletalk: discard
         ipv6: discard
          arp: discard
        other: discard
     priority: 1
[MikroTik] bridge>

Assume we want to enable bridging between two Ethernet LAN segments and have the MikroTik router be the default gateway for them:

When configuring the MikroTik router for bridging you should do the following:

  1. Configure the bridge settings
  2. Configure the bridge interfaces for bridging
  3. Enable the bridge interface
  4. Assign an IP address to the bridge interface, if needed

When configuring the bridge settings, each protocol that should be forwarded should be set to 'forward'. The 'other' protocol includes all protocols not listed before:

[MikroTik] bridge> set ip=forward arp=forward other=forward
[MikroTik] bridge> print
           ip: forward
          ipx: discard
    appletalk: discard
         ipv6: discard
          arp: forward
        other: forward
     priority: 1
[MikroTik] bridge>

The priority argument is used by the Spanning Tree Protocol to determine which port remains enabled if two ports form a loop.

Next, each interface that should be included in the bridging table should be set to 'forward=yes':

[MikroTik] bridge interface> print
  # INTERFACE                                                           FORWARD
  0 ether2                                                              no
  1 ether1                                                              no
[MikroTik] bridge interface> set 0 forward=yes
[MikroTik] bridge interface> set 1 forward=yes
[MikroTik] bridge interface> print
  # INTERFACE                                                           FORWARD
  0 ether2                                                              yes
  1 ether1                                                              yes
[MikroTik] bridge interface>

After setting some interface for bridging, a bridge interface is added to the router's interfaces table. You should enable the interface in order to start using it:

[MikroTik] bridge interface> /interface
[MikroTik] interface> print
Flags: X - disabled, D - dynamic
  #   NAME                 MTU   TYPE
  0   ether2               1500  ether
  1   ether1               1500  ether
  2   wavelan1             1500  wavelan
  3 X pppoe-out1           1492  pppoe-out
  4 X bridge1              1500  bridge
[MikroTik] interface> enable bridge1
[MikroTik] interface> print
Flags: X - disabled, D - dynamic
  #   NAME                 MTU   TYPE
  0   ether2               1500  ether
  1   ether1               1500  ether
  2   wavelan1             1500  wavelan
  3 X pppoe-out1           1492  pppoe-out
  4   bridge1              1500  bridge
[MikroTik] interface> bridge print
Flags: X - disabled
  #   NAME                 MAC-ADDRESS
  0   bridge1              FE:FD:08:00:9A:CB
[MikroTik] interface>

If you want to access the router through unnumbered bridged interfaces, it is required to add an IP address to the 'bridge' interface:

[MikroTik] ip address> add address=192.168.0.254/24 interface=bridge1
[MikroTik] ip address> add address=10.1.1.12/24 interface=wavelan1
[MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   192.168.0.254/24   192.168.0.0     192.168.0.255   bridge1
  1   10.1.1.12/24       10.1.1.0        10.1.1.255      wavelan1
[MikroTik] ip address>

The hosts on LAN segments #1 and #2 should use IP addresses from the same network 192.168.0.0/24 and have the default gateway set to 192.168.0.254 (MikroTik router).

Bridge Monitoring

The bridge can be monitored in real time. The bridging table shows the MAC address of hosts, interface which can forward packets to the host, and the age of the information shown in seconds:

[MikroTik] bridge host> print
 MAC-ADDRESS       ON-INTERFACE                                       AGE
 00:00:40:11:A1:8D ether1                                             1831
 00:00:40:11:A1:8A ether1                                             1651
 00:00:39:E2:35:39 ether2                                             7
 00:00:40:11:A1:89 ether2                                             1591
 00:00:40:11:A1:8B ether1                                             1711
 00:00:40:11:A1:8C ether1                                             1771
[MikroTik] bridge host>


MikroTik RouterOS V2.4 Ethernet Interfaces

Document revision 05-Oct-2001
This document applies to the MikroTik RouterOS V2.4

Overview

MikroTik RouterOS supports the following types of Ethernet Network Interface Cards:

The complete list of supported Ethernet NICs can be found in the Device Driver Management Manual.

Ethernet Adapter Hardware and Software Installation

Software Packages

The drivers for Ethernet NICs are included in the 'system' package. No installation of other packages is needed.

Software License

The license for Ethernet NICs is included in the Basic License. No additional license is needed.

System Resource Usage

Before installing the Ethernet adapter, please check the availability of free IRQs and I/O base addresses:

[MikroTik] > system resource irq print                                         
 IRQ USED OWNER                                                                 
 1   yes  keyboard                                                              
 2   yes  APIC                                                                  
 3   no                                                                         
 4   yes  serial port                                                           
 5   yes  PCMCIA service                                                        
 6   no                                                                         
 7   no                                                                         
 8   no                                                                         
 9   no                                                                         
 10  yes  [e1000]                                                               
 11  yes  ether3                                                                
 12  yes  ether1                                                                
 13  yes  FPU                                                                   
 14  yes  IDE 1                                                                 
[MikroTik] > system resource io print                                          
 PORT-RANGE            OWNER                                                    
 20-3F                 APIC                                                     
 40-5F                 timer                                                    
 60-6F                 keyboard                                                 
 80-8F                 DMA                                                      
 A0-BF                 APIC                                                     
 C0-DF                 DMA                                                      
 F0-FF                 FPU                                                      
 1F0-1F7               IDE 1                                                    
 2F8-2FF               serial port                                              
 3C0-3DF               VGA                                                      
 3F6-3F6               IDE 1                                                    
 3F8-3FF               serial port                                              
 9400-94FF             ether1                                                   
 F000-F007             IDE 1                                                    
 F008-F00F             IDE 2                                                    
[MikroTik] >      

Loading the Driver

PCI adapters do not require a 'manual' driver loading, since they are recognized automatically by the system and the driver is loaded at the system startup.

ISA adapters require the driver to be loaded by issuing the following command:

[MikroTik] driver> add name=ne2k-isa io=0x300                                       
[MikroTik] driver> print                                                       
Flags: I - invalid, D - dynamic 
  #   DRIVER                            IRQ IO         MEMORY     ISDN-PROTOCOL
  0 D RealTek RTL8129/8139                                                     
  1 D NationalSemiconductors 83820                                             
  2 D Intel PRO 1000 Server Adaper                                             
  3   ISA NE2000                            0x300
[MikroTik] driver> 

There can be several reasons for a failure to load the driver:

Ethernet Interface Configuration

If the driver has been loaded successfully (no error messages), then the Ethernet interface should appear under the interfaces list with the name etherX, where X is 1,2,... You can change the interface name to a more descriptive one using the 'set' command. To enable the interface, use the 'enable' command:

[MikroTik] interface > print
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0 X ether1               1500  ether                                         
  1   ether2               1500  ether                                         
  2 X ether3               1500  ether                                         
[MikroTik] interface> enable 0                                                  
[MikroTik] interface> enable ether3                                             
[MikroTik] interface> print                                                    
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  1   ether2               1500  ether                                         
  2   ether3               1500  ether                                         
[MikroTik] interface> 

You can monitor the traffic passing through any interface using the /interface monitor-traffic command:

[MikroTik] interface> monitor-traffic ether2                                   
    received-packets-per-second: 271       
      received-bytes-per-second: 148.4kbps 
        sent-packets-per-second: 600       
          sent-bytes-per-second: 6.72Mbps  

[MikroTik] interface>  

For some Ethernet NICs it is possible to blink the LEDs for 10s. Type /interface ethernet blink ether1 and watch the NICs to see which one has a blinking LED.

For some Ethernet NICs it is possible to monitor the Ethernet status:

[MikroTik] interface ethernet> monitor ether3
              status: no-link  
    auto-negotiation: disabled 
                rate: 100Mbit  
          fullduplex: yes      

[MikroTik] interface ethernet> monitor ether1                                  
              status: no-link    
    auto-negotiation: incomplete 

[MikroTik] interface ethernet> monitor ether2                                  
              status: unknown 

[MikroTik] interface ethernet>  

Please see the IP Address manual on how to add IP addresses to the interfaces.


MikroTik RouterOS V2.4 IP over IP (IPIP) Tunnel Interface

Document revision 21-Nov-2001
This document applies to the MikroTik RouterOS V2.4

Overview

The IPIP tunneling implementation on the MikroTik RouterOS is RFC 2003 compliant. IPIP tunnel is a simple protocol that encapsulates IP packets in IP to make a tunnel between two routers. The IPIP tunnel interface appears as an interface under the interfaces list. Many routers, including Cisco and Linux based, support this protocol. This protocol makes multiple network schemes possible.

Network setups with IPIP interfaces:

Installation

The IP over IP tunnel feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

This protocol uses a minimum of resources.

IPIP Interface and Protocol Description

An IPIP interface should be configured on two routers that have the possibility for an IP level connection and are RFC 2003 compliant. The IPIP tunnel may run over any connection that transports IP. Each IPIP tunnel interface can connect with one remote router which has a corresponding interface configured. An unlimited number of IPIP tunnels may be added to the router. For more details on IPIP tunnels, see RFC 2003.

IPIP Setup

IP over IP Interface management can be accessed under the /interface ipip submenu.

You can add an IPIP tunnel interface using the /interface ipip add command:

[MikroTik_1] interface ipip> add name test_IPIP mtu 1480 local-address 10.5.8.169 remote-address 10.5.8.171
[MikroTik_1] interface ipip> print                                               
Flags: X - disabled 
  0 X name: test_IPIP mtu=1480 local-address=10.5.8.169  remote-address=10.5.8.171

[MikroTik_1] interface ipip> enable 0                                              
[MikroTik_1] interface ipip> print                                               
Flags: X - disabled 
  0   name: test_IPIP mtu=1480 local-address=10.5.8.169  remote-address=10.5.8.171

[MikroTik_1] interface ipip> 

Descriptions of settings:

name - Interface name for reference
mtu - Maximum Transmit Unit. Should be set to 1480 bytes to avoid fragmentation of packets. May be set to 1500 bytes if path MTU discovery is not working properly on links.
local-address - Local address on router which sends IPIP traffic to the remote side.
remote-address - The IP address of the other side of the IPIP tunnel - may be any RFC 2003 compliant router.

For diagnostic purposes, you can assign an IP address to the IPIP interface.

There is no authentication or 'state' for this interface. The bandwidth usage of the interface may be monitored with the 'monitor' feature from the 'interface' menu.

The router at the other end should have its remote-address set to the address of [MikroTik_1].
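
The following Python sketch is an added example, not part of the MikroTik manual. It shows what RFC 2003 encapsulation adds to a packet (a 20-byte outer IPv4 header, which is why the tunnel mtu is 1480) and which outer-header fields a receiver can check, given that the interface has no authentication or state. The function names and the sample inner packet are assumptions of the example; the tunnel addresses are the ones from the listing above.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4            # outer-header protocol number for IP-in-IP
IPV4_FMT = '!BBHHHBBH4s4s'  # 20-byte IPv4 header without options


def checksum(header):
    """Internet checksum of an IPv4 header; 0 when a valid header is re-summed."""
    total = sum(struct.unpack('!%dH' % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header for a payload of payload_len bytes."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed,
              ipaddress.IPv4Address(dst).packed]
    fields[7] = checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def encapsulate(inner, local, remote):
    """Prefix the inner IP packet with an outer header local -> remote."""
    return ipv4_header(local, remote, IPPROTO_IPIP, len(inner)) + inner


def decapsulate(packet, local, remote):
    """Return the inner packet, or raise ValueError if the outer header
    does not belong to the tunnel configured between local and remote."""
    if len(packet) < 20:
        raise ValueError('shorter than an IPv4 header')
    (ver_ihl, _, total_len, _, _, _, proto, _,
     src, dst) = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(packet):
        raise ValueError('malformed outer header')
    if checksum(packet[:ihl]) != 0:
        raise ValueError('bad outer header checksum')
    if proto != IPPROTO_IPIP:
        raise ValueError('not an IPIP packet')
    # With no authentication, the outer addresses are the only link
    # between a packet and the configured tunnel.
    if (src != ipaddress.IPv4Address(remote).packed
            or dst != ipaddress.IPv4Address(local).packed):
        raise ValueError('outer addresses do not match the configured tunnel')
    inner = packet[ihl:total_len]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError('payload is not an IPv4 packet')
    return inner


# Constructed sample: a small inner packet (protocol 1, 8 payload bytes)
# between two private hosts.
INNER = ipv4_header('192.168.0.10', '192.168.1.20', 1, 8) + bytes(8)

if __name__ == '__main__':
    pkt = encapsulate(INNER, '10.5.8.169', '10.5.8.171')
    print(len(INNER), 'inner bytes ->', len(pkt), 'bytes on the wire')
    print(decapsulate(pkt, local='10.5.8.171', remote='10.5.8.169') == INNER)
```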

IPIP CISCO Example

Our IPIP implementation has been tested with Cisco 1005. Sample of the Cisco 1005 configuration:

interface Tunnel0
 ip address 10.3.0.1 255.255.255.0
 tunnel source 10.5.8.179
 tunnel destination 10.5.8.169
 tunnel mode ipip

Additional Resources

Links for IPIP documentation:

http://www.ietf.org/rfc/rfc1853.txt?number=1853
http://www.ietf.org/rfc/rfc2003.txt?number=2003
http://www.ietf.org/rfc/rfc1241.txt?number=1241



MikroTik RouterOS V2.4 Ethernet over IP (EoIP) Tunnel Interface

Document revision 21-Nov-2001
This document applies to the MikroTik RouterOS V2.4

Overview

Ethernet over IP (EoIP) Tunneling is a MikroTik RouterOS protocol that creates an Ethernet tunnel between two routers on top of an IP connection. The EoIP interface appears as an Ethernet interface. When the bridging function of the router is enabled, all Ethernet level traffic (all Ethernet protocols) will be bridged just as if there were a physical Ethernet interface and cable between the two routers (with bridging enabled). This protocol makes multiple network schemes possible.

Network setups with EoIP interfaces:

Installation

The Ethernet over IP tunnel feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

To achieve 100Mb/s Ethernet level wire speed (85Mb/s), it is suggested that Celeron 600MHz and higher CPUs be used on each router – in this situation, the CPU usage was ~60%. Optimization of this implementation will soon decrease the resource usage.

EoIP Interface and Protocol Description

An EoIP interface should be configured on two routers that have the possibility for an IP level connection. The EoIP tunnel may run over an IPIP tunnel, a PPTP 128bit encrypted tunnel, a PPPoE connection, or any connection that transports IP.

Specific Properties:

EoIP Setup

EoIP Interface management can be accessed under the /interface eoip submenu.

You can add an EoIP tunnel interface using the /interface eoip add command:

[MikroTik] interface eoip> add                                                 
Creates new item with specified property values.
             arp  Address Resolution Protocol
       copy-from  Item number
             mtu  Maximum Trasfer Unit
            name  New tunnel name
  remote-address  Remote address of tunnel
       tunnel-id  ID of tunnel
[MikroTik_1] interface eoip> add name to_mt2 tunnel-id 1 remote-address 10.5.8.1
[MikroTik_1] interface eoip> print                                               
Flags: X - disabled 
  0 X name=to_mt2 mtu=1500 arp=enabled tunnel-id=1 remote-address=10.5.8.1 

[MikroTik_1] interface eoip> enable 0                                              
[MikroTik_1] interface eoip> print                                               
Flags: X - disabled 
  0   name=to_mt2 mtu=1500 arp=enabled tunnel-id=1 remote-address=10.5.8.1
      mac-address=fe:fd:00:00:00:00

[MikroTik_1] interface eoip> 

Descriptions of settings:

name - Interface name for reference
mtu - Maximum Transmit Unit. Should be the default 1500 bytes.
mac-address - A default virtual MAC address is generated. It cannot be changed.
arp - Address resolution protocol (disabled / enabled / proxy-arp). Enabled by default.
tunnel-id - Should be a number from 0-16 which has not been used for another EoIP tunnel.
remote-address - The IP address of the other side of the EoIP tunnel – must be a MikroTik router.

For diagnostic purposes, you can assign an IP address to the EoIP interface.

The router at the other end should have the same tunnel-id value, and should have its remote-address set to the address of [MikroTik_1].

There is no authentication or 'state' for this interface. The bandwidth usage of the interface may be monitored with the 'monitor' feature from the '/interface' menu.

EoIP Application Example

Let us assume we want to bridge two networks: 'Office LAN' and 'Remote LAN'. The networks are connected to an IP network through the routers [Our_GW] and [Remote]. The IP network can be a private intranet or the Internet. Both routers can communicate with each other through the IP network.

Our goal is to create a secure channel between the routers and bridge both networks through it. The network setup diagram is as follows:

To make a secure Ethernet bridge between two routers you should:

  1. Create a PPTP tunnel between them. Our_GW will be the static pptp server:

    [Our_GW] interface pptp-static-server> /user add name=joe group=ppp password=top_s3
    [Our_GW] interface pptp-static-server>                                             
    add name="from_remote" client-address=192.168.2.1 mtu=1500 mru=1500 \
        local-address=10.0.0.1 remote-address=10.0.0.2 encryption=required 
    [Our_GW] interface pptp-static-server> enable from_remote
    [Our_GW] interface pptp-static-server> print                                              
    Flags: X - disabled 
      0   name=from_remote client-address=192.168.2.1 mtu=1500 mru=1500 pap=no chap=no 
          ms-chapv2=yes local-address=10.0.0.1 remote-address=10.0.0.2 idle-timeout=0s 
          session-timeout=0s encryption=required 
    
    [Our_GW] interface pptp-static-server>  
    

    The Remote router will be the pptp client:

    [Remote] interface pptp-client>                                                
    add name=pptp user=joe connect-to=192.168.1.1 mtu=1500 mru=1500 encryption=required
    [Remote] interface pptp-client> enable pptp
    [Remote] interface pptp-client> print                                                   
    Flags: X - disabled 
      0   name=pptp user=joe connect-to=192.168.1.1 mtu=1500 mru=1500 pap=no 
          chap=no ms-chapv2=yes idle-timeout=0s session-timeout=0s encryption=required 
          add-default-route=no 
    
    [Remote] interface pptp-client> monitor pptp                                       
          uptime: 39m19s              
        encoding: MPPE 128 bit, stateless 
          status: Connected               
    
    [Remote] interface pptp-client>                                                              
    

    See the PPTP Interface Manual for more details on setting up encrypted channels.

  2. Configure the EoIP tunnel by adding the eoip tunnel interfaces at both routers. Use the ip addresses of the pptp tunnel interfaces when specifying the argument values for the EoIP tunnel:

    [Our_GW] interface eoip>
    add name="eoip-remote" tunnel-id=0 remote-address=10.0.0.2 
    enable eoip-remote 
    [Our_GW] interface eoip> print                                                            
    Flags: X - disabled 
      0   name=eoip-remote mtu=1500 arp=enabled tunnel-id=0 remote-address=10.0.0.2 
    [Our_GW] interface eoip>                                                                  
    
    [Remote] interface eoip>
    add name="eoip" tunnel-id=0 remote-address=10.0.0.1
    enable eoip
    [Remote] interface eoip> print                                                          
    Flags: X - disabled 
      0   name=eoip mtu=1500 arp=enabled tunnel-id=0 remote-address=10.0.0.1 
    
    [Remote] interface eoip>                                                                
    
  3. Enable bridging between the EoIP and Ethernet interfaces on both routers.

    [Our_GW] > /bridge print                                                                  
               ip: forward
              ipx: discard
        appletalk: discard
             ipv6: discard
              arp: forward
            other: forward
         priority: 1
    [Our_GW] > /bridge interface print                                                        
      # INTERFACE                                                 FORWARD
      0 eoip-remote                                               yes    
      1 office-eth                                                yes    
      2 isp                                                       no     
    [Our_GW] > interface print                                                                
    Flags: X - disabled, D - dynamic 
      #   NAME                 MTU   TYPE                                                    
      0   from_remote          1500  pptp-in                                                 
      1   eoip-remote          1500  eoip-tunnel                                             
      2   office-eth           1500  ether                                                   
      3   isp                  1500  ether                                                   
      4   bridge1              1500  bridge                                                  
    [Our_GW] >                                                                                
    
    [Remote] > bridge print                                                                 
               ip: forward
              ipx: discard
        appletalk: discard
             ipv6: discard
              arp: forward
            other: forward
         priority: 1
    [Remote] > bridge interface print                                                       
      # INTERFACE                                            FORWARD
      0 ether1                                               yes    
      1 adsl                                                 no     
      2 eoip-main                                            yes    
    [Remote] > interface print                                                              
    Flags: X - disabled, D - dynamic 
      #   NAME                 MTU   TYPE                                                    
      0   ether1               1500  ether                                                   
      1   isp1                 1500  ether                                                   
      2   pptp                 1500  pptp-out                                                
      3   bridge1              1500  bridge                                                  
      4   eoip                 1500  eoip-tunnel                                             
    [Remote] > 
    
  4. Addresses from the same network can be used both in the Office LAN and in the Remote LAN.


MikroTik RouterOS V2.4 PPP Client and PPP Server Interfaces

Document revision 18-Jan-2002
This document applies to the MikroTik RouterOS V2.4

Overview

PPP (or Point-to-Point Protocol) provides a method for transmitting datagrams over serial point-to-point links. The 'com1' and 'com2' ports from standard PC hardware configurations will appear as 'serial0' and 'serial1' automatically. It is possible to add thirty-two additional serial ports with the Moxa C168 PCI multiport asynchronous card (eight ports each) to use the router for a modem pool.

General PPP settings are used for PPP, PPTP, and PPPoE connections.

Installation

The 'ppp-2.4.x.npk' package (less than 370KB) is required. The package can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload it to the router with ftp and reboot. You may check whether the PPP package is installed with the command:

[MikroTik] > system package print
  # NAME                 VERSION     BUILD-TIME           UNINSTALL
  0 ppp                  2.4.5       dec/04/2001 14:55:36 no       
  1 system               2.4.5       dec/04/2001 14:53:19 no       
[MikroTik] >

The RADIUS client and RADIUS accounting features are included in the "PPP" package.

Hardware Resource Usage

PPP uses a minimum amount of memory.

To see the list of available serial ports, use the command /port print, for example:

[MikroTik] > port print                                                     
  0 name=serial0 used-by=Serial Console baud-rate=9600 data-bits=8 
    parity=none stop-bits=1 flow-control=none 

  1 name=serial1 used-by="" baud-rate=9600 data-bits=8 parity=none 
    stop-bits=1 flow-control=none 

[MikroTik] > 

PPP Server

The PPP server management is done in the /interface ppp-server submenu.

You can add a PPP server using the add command:

[MikroTik] interface ppp-server>
add name=test local-address=1.1.1.1 remote-address=1.1.1.254 port serial1
[MikroTik] interface ppp-server> print
Flags: X - disabled 
  0 X port=serial1 pap=yes chap=yes ms-chapv2=yes local-address=1.1.1.1
      remote-address=1.1.1.254 mtu=1500 mru=1500 idle-timeout=0s session-timeout=0s
      null-modem=no modem-init="" ring-count=3 port-id=0 encryption=none name=test

[MikroTik] interface ppp-server> enable 0
[MikroTik] interface ppp-server> monitor test
        user:                     
      uptime: 0s                  
    encoding:                     
      status: Waiting for call... 

[MikroTik] interface ppp-server>

Description of settings:

port - Serial port
pap, chap, ms-chapv2 - (no / yes). Authentication protocol. Encrypted links are only supported when ms-chapv2 is selected. This is a feature of the protocol. It is suggested that pap and chap always be set to 'no', unless there is a special situation which requires an unencrypted link.
local-address - Assigns an individual address to the PPP-Server
remote-address - Assigns an individual address to the PPP-Client.
mtu - Maximum Transmit Unit. Maximum packet size to be transmitted.
mru - Maximum Receive Unit.
idle-timeout - The link will be terminated if there is no activity within the time set – in seconds. When set to '0', there is no timeout.
session-timeout - The maximum time the connection can stay up. When set to '0', there is no timeout.
null-modem - Enable/Disable null-modem mode (when enabled, no modem initialization strings are sent). Default value is "off" (for COM1 and COM2 only). So by default null-modem is turned off.
modem-init - Modem Initialization String.
ring-count - Number of rings to wait before answering phone.
port-id - number to be used for identification in Radius server. Should be 0..65535.
encryption - (none / optional / required / stateless). Will only work in encrypted mode when ms-chapv2 authentication is used. For most links, it should be set to 'required'.
name - Interface name for reference.

PPP Client Setup

The PPP client management can be accessed under the /interface ppp-client submenu.

You can add a PPP client using the add command:

[MikroTik] interface ppp-client>
add name=test local-address=1.1.1.254 remote-address=1.1.1.1 \
user=test add-default-route=yes port serial1 encryption=optional
[MikroTik] interface ppp-client> print
Flags: X - disabled 
  0 X name=test port=serial1 user=test pap=yes chap=yes ms-chapv2=yes 
      phone="" tone-dial=yes mtu=1500 mru=1500 local-address=1.1.1.254 
      remote-address=1.1.1.1 idle-timeout=0s session-timeout=0s null-modem=no
      modem-init="" dial-on-demand=no add-default-route=yes encryption=optional

[MikroTik] interface ppp-client> enable 0
[MikroTik] interface ppp-client> monitor test
      uptime: 0s
    encoding:
      status: Logging in to network...

[MikroTik] interface ppp-client>

Descriptions of settings:

name - New interface name.
port - Serial port
user - User name to use for dialout.
pap, chap, ms-chapv2 - (no / yes). Authentication protocol. Encrypted links are only supported when ms-chapv2 is selected. This is a feature of the protocol. It is suggested that pap and chap always be set to 'no', unless there is a special situation which requires an unencrypted link.
phone - Phone number for dialout.
tone-dial - Enable/Disable tone dial.
mtu - Maximum Transmit Unit. Maximum packet size to be transmitted.
mru - Maximum Receive Unit.
local-address - Local IP Address
remote-address - Remote IP Address.
idle-timeout - The link will be terminated if there is no activity within the time set – in seconds. When set to '0', there is no timeout.
session-timeout - The maximum time the connection can stay up. When set to '0', there is no timeout.
null-modem - Enable/Disable null-modem mode (when enabled, no modem initialization strings are sent). Default value is "off" (for COM1 and COM2 only). So by default null-modem is turned off.
modem-init - Modem Initialization String.
dial-on-demand - Enable/Disable dial on demand.
add-default-route - Add PPP remote address as a default route.
encryption - (none / optional / required / stateless). Will only work in encrypted mode when ms-chapv2 authentication is used. For most links, it should be set to 'required'.
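
The recommendations in the PPP server and PPP client setting descriptions above (pap and chap set to 'no', encryption 'required', and encryption only taking effect with ms-chapv2) can be checked mechanically against saved print output. The Python sketch below is an added example, not part of the MikroTik manual: it parses the key=value item format of the print listings and reports items that permit an unencrypted link. The function names are assumptions of the example, and the sample combines two listings from this manual with one constructed item.

```python
import re

# Constructed sample: items 0 and 1 are taken from print listings in this
# manual (PPP server, PPTP static server); item 2 is constructed to show
# encryption requested without ms-chapv2.
SAMPLE_PRINT = '''\
Flags: X - disabled
  0 X port=serial1 pap=yes chap=yes ms-chapv2=yes local-address=1.1.1.1
      remote-address=1.1.1.254 mtu=1500 mru=1500 idle-timeout=0s session-timeout=0s
      null-modem=no modem-init="" ring-count=3 port-id=0 encryption=none name=test
  1   name=from_remote client-address=192.168.2.1 mtu=1500 mru=1500 pap=no chap=no
      ms-chapv2=yes local-address=10.0.0.1 remote-address=10.0.0.2 idle-timeout=0s
      session-timeout=0s encryption=required
  2   name=legacy port=serial1 pap=no chap=no ms-chapv2=no encryption=required
'''

# "<number> [flags] key=value ..." starts an item; indented lines continue it.
ITEM_START = re.compile(r'^\s*(\d+)\s+((?:[A-Z]\s+)*)(\S.*)$')
KEY_VALUE = re.compile(r'([A-Za-z][\w-]*)=("[^"]*"|\S*)')


def parse_print(text):
    """Parse 'print' output in key=value item form into a list of dicts."""
    items, current = [], None
    for line in text.splitlines():
        start = ITEM_START.match(line)
        if start and '=' in start.group(3):
            current = {'#': int(start.group(1)),
                       'flags': start.group(2).split()}
            items.append(current)
            body = start.group(3)
        elif current is not None and line[:1].isspace():
            body = line              # continuation line of the current item
        else:
            continue                 # header, prompt or blank line
        for key, value in KEY_VALUE.findall(body):
            current[key] = value.strip('"')
    return items


def audit_item(item):
    """Return findings for one PPP or PPTP item, following the manual's advice."""
    findings = []
    weak = [p for p in ('pap', 'chap') if item.get(p) == 'yes']
    if weak:
        findings.append('%s enabled: link can be negotiated without encryption'
                        % '/'.join(weak))
    # Assumption of this example: a missing encryption key is treated as 'none'.
    enc = item.get('encryption', 'none')
    if enc in ('none', 'optional'):
        findings.append("encryption=%s: should be 'required' for most links" % enc)
    elif item.get('ms-chapv2') != 'yes':
        findings.append('encryption=%s needs ms-chapv2=yes to take effect' % enc)
    return findings


def audit(text):
    """Map item name -> findings for every item that has at least one."""
    report = {}
    for item in parse_print(text):
        findings = audit_item(item)
        if findings:
            report[item.get('name', '#%d' % item['#'])] = findings
    return report


if __name__ == '__main__':
    for name, findings in audit(SAMPLE_PRINT).items():
        for finding in findings:
            print('%s: %s' % (name, finding))
```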

If the PPP client is configured properly and it has established a connection to the server, you can:

  1. Monitor the connection using the /interface ppp-client monitor command
  2. See the ppp-out interface under the /interface print list
  3. See the dynamic IP address under the /ip address print list
  4. (Optionally) See the dynamic default route under the /ip route print list

Example of an established connection:

[MikroTik] interface ppp-client> monitor test
      uptime: 4h35s
    encoding: none
      status: Connected
[MikroTik] interface ppp-client>

Description of display:

uptime - Connection time displayed in days, hours, minutes, and seconds.
encoding - Encryption being used in this connection.
status - The status of this client may be:

PPP Authentication and Accounting

Overview

PPP (Point-to-Point Protocol) authentication on the MikroTik RouterOS is supported by a local authentication database or a RADIUS client. Authentication is supported for PPP asynchronous connections, PPPoE, PPTP, and ISDN PPP (local only). Authentication protocols supported are PAP, CHAP, and MS-CHAPv2. The authentication process is as follows: PPP sends a user authentication request; the user ID is first checked against the local user database for any users which have the PPP attribute; if no matching user is found, the RADIUS client (if enabled) requests authentication from the RADIUS server. Note that users are always checked against the local database first, and only then against the RADIUS server. Be careful not to have the same user with PPP on the local database and the RADIUS server – the authentication will finish at the local database in this case.

Local Authentication Overview

Local PPP authentication is part of the general user database stored on the router – this database is also responsible for administration authentication for the router. Certain PPP specific attributes are supported for PPP user group:

Local Authentication Management of PPP Users

Only users which are in a group with the PPP attribute can be authenticated for PPP access. To add a user:

[mikrotik] user> add name client2 password ctest group ppp
[mikrotik] user> print
0   ;;; system default user
    name: admin group: full address: 0.0.0.0 netmask: 0.0.0.0 caller-id: ""
    only-one: no max-session-time: 0
1   name: client2 group: ppp address: 0.0.0.0 netmask: 0.0.0.0 caller-id: ""
    only-one: no max-session-time: 0

Descriptions of settings:

address: 0.0.0.0 netmask: 0.0.0.0 - This is used to determine the address to be given to the remote site. If address is set to a specific IP (for example: address: 10.25.0.3 netmask: 255.255.255.255), then only 10.25.0.3 will be given to the remote site. If the remote site will not accept this, then the connection will fail. If a subnet is set (for example: address: 10.25.0.3 netmask: 255.255.255.240), then an address in the subnet 10.25.0.0/28 is allowed if the server gives an address in that range, or if the server has no addresses set to give and the client requests an address in that range. If no specific address or subnet is given (for example: address: 0.0.0.0 netmask: 0.0.0.0), then an address from the PPP server setup of "remote-address-from" and "remote-address-to" will be given.
caller-id: "" - For PPTP, this may be set to the IP address which a client must connect from, in the form of “a.b.c.d”. For PPPoE, the MAC address which the client must connect from can be set in the form of “xx:xx:xx:xx:xx:xx”. When this is not set, there are no restrictions on where clients may connect from.
only-one: no - If this is set to “yes”, then there may be only one connection at a time.
max-session-time: 0 - If set to >0, then this is the max number of seconds this session can stay up. "0" indicates no session limit.

Local Accounting of PPP Users

To enable local authentication and accounting, set "[MikroTik] ip ppp> set accounting yes authentication local". If the "authentication" is set to "radius", then no local accounting logs will be made. The following is an example of the local accounting when a PPPoE connection is made to the PPPoE server (access concentrator).

[Mikrotik]> log print

apr/04/2001 17:19:14     pppoe-in7: waiting for authentication
apr/04/2001 17:19:14     pppoe-in7: test logged in
apr/04/2001 17:19:14     pppoe-in7: connection established
apr/04/2001 17:19:20     pppoe-in7: using encoding - none
apr/04/2001 17:25:08     pppoe-in7: connection terminated by peer
apr/04/2001 17:25:08     pppoe-in7: modem hanged up
apr/04/2001 17:25:08     pppoe-in7: connection terminated
apr/04/2001 17:25:08     pppoe-in7: test logged out, 354 4574 1279 101 83

The last line is the accounting record, which is printed when the connection is terminated. This line indicates that the connection of user "test" terminated at "apr/04/2001 17:25:08". The numbers following the "test logged out" entry represent the following:

354         session connection time in seconds
4574        bytes-in (from client)
1279        bytes-out (to client)
101         packets-in (from client)
83          packets-out (to client)
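
The Python sketch below is an added example, not part of the MikroTik manual. It parses the local accounting lines shown above into per-session records, cross-checks the reported session time against the log timestamps, and marks sessions whose encoding was "none". The function names, the assumption that session time runs from the "logged in" line, and the second (constructed) session in the sample are assumptions of the example.

```python
import re
from datetime import datetime

# Constructed input: the log excerpt printed in this manual, followed by one
# constructed session (user "alice") whose reported duration does not match
# its timestamps. The wording of alice's "using encoding" line is assumed.
SAMPLE_LOG = '''\
apr/04/2001 17:19:14     pppoe-in7: waiting for authentication
apr/04/2001 17:19:14     pppoe-in7: test logged in
apr/04/2001 17:19:14     pppoe-in7: connection established
apr/04/2001 17:19:20     pppoe-in7: using encoding - none
apr/04/2001 17:25:08     pppoe-in7: connection terminated by peer
apr/04/2001 17:25:08     pppoe-in7: modem hanged up
apr/04/2001 17:25:08     pppoe-in7: connection terminated
apr/04/2001 17:25:08     pppoe-in7: test logged out, 354 4574 1279 101 83
apr/04/2001 18:00:00     pppoe-in8: alice logged in
apr/04/2001 18:00:05     pppoe-in8: using encoding - MPPE 128 bit, stateless
apr/04/2001 18:10:00     pppoe-in8: alice logged out, 60 900 800 12 10
'''

MONTHS = {m: i + 1 for i, m in enumerate(
    'jan feb mar apr may jun jul aug sep oct nov dec'.split())}
LINE = re.compile(
    r'^(\w{3})/(\d{2})/(\d{4}) (\d{2}):(\d{2}):(\d{2})\s+([\w-]+): (.*)$')
LOGIN = re.compile(r'^(\S+) logged in$')
ENCODING = re.compile(r'^using encoding - (.+)$')
LOGOUT = re.compile(r'^(\S+) logged out, (\d+) (\d+) (\d+) (\d+) (\d+)$')


def parse_line(line):
    """Split one log line into (timestamp, interface, message), or None."""
    m = LINE.match(line.rstrip())
    if not m or m.group(1).lower() not in MONTHS:
        return None
    mon, day, year, hh, mm, ss = m.group(1, 2, 3, 4, 5, 6)
    stamp = datetime(int(year), MONTHS[mon.lower()], int(day),
                     int(hh), int(mm), int(ss))
    return stamp, m.group(7), m.group(8)


def sessions(log_text, tolerance=2):
    """Build one record per 'logged out' line and cross-check it.

    Field order after 'logged out,' follows the manual: session time in
    seconds, bytes-in, bytes-out, packets-in, packets-out.
    """
    open_sessions = {}     # interface -> state gathered since 'logged in'
    records = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        stamp, iface, msg = parsed
        enc = ENCODING.match(msg)
        out = LOGOUT.match(msg)
        if LOGIN.match(msg):
            open_sessions[iface] = {'login': stamp, 'encoding': None}
        elif enc and iface in open_sessions:
            open_sessions[iface]['encoding'] = enc.group(1)
        elif out:
            state = open_sessions.pop(iface, {'login': None, 'encoding': None})
            secs, b_in, b_out, p_in, p_out = map(int, out.group(2, 3, 4, 5, 6))
            rec = {'user': out.group(1), 'interface': iface, 'logout': stamp,
                   'session_time': secs, 'bytes_in': b_in, 'bytes_out': b_out,
                   'packets_in': p_in, 'packets_out': p_out,
                   'encoding': state['encoding'], 'flags': []}
            if state['login'] is None:
                rec['flags'].append('no matching login')
            else:
                wall = int((stamp - state['login']).total_seconds())
                if abs(wall - secs) > tolerance:
                    rec['flags'].append(
                        'duration mismatch: log %ds, reported %ds' % (wall, secs))
            if state['encoding'] == 'none':
                rec['flags'].append('unencrypted session')
            records.append(rec)
    return records


if __name__ == '__main__':
    for rec in sessions(SAMPLE_LOG):
        print(rec['user'], rec['interface'], rec['session_time'], rec['flags'])
```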

RADIUS Overview

RADIUS authentication gives the ISP or network administrator the ability to manage PPP user access and accounting from one server throughout a large network. The MikroTik RouterOS has a RADIUS client which can authenticate for PPP, PPPoE, and PPTP connections – no ISDN remote access support currently. Features supported:

RADIUS Client Setup

To set up the RADIUS client, use the following line:

[MikroTik] ip ppp> set authentication radius auth-server 10.10.1.1 shared-secret users

Example output of the print command:

[MikroTik] ip ppp> print
            primary-dns: 159.148.60.3
          secondary-dns: 0.0.0.0
         authentication: radius
            auth-server: 10.10.1.1
          shared-secret: users
             accounting: no
        accounting-port: 1646
    authentication-port: 1645

Description of the output:

primary-dns - ppp setting for remote site.
secondary-dns - ppp setting for remote site.
authentication - Can be set to "radius" or "local".
auth-server - IP address of the server in a.b.c.d.
shared-secret - corresponding text string from RADIUS server.
accounting - enable by setting "yes" or "no".
accounting-port - accounting-port.
authentication-port - default port 1645 according to RFC.

RADIUS Parameters

Authentication data sent to server:

PW_SERVICE_TYPE       = PW_FRAMED     
PW_FRAMED_PROTOCOL    = PW_FRAME_PPP
PW_NAS_IDENTIFIER     = system identity
PW_NAS_IP_ADDRESS     = local PPP interface address
PW_NAS_PORT           = unique PPP port identifier number
PW_NAS_PORT_TYPE      = async or virtual in number form
PW_CALLING_STATION_ID = for PPTP, remote IP reported
                for PPPoE, remote MAC reported
                in form of xx:xx:xx:xx:xx:xx

Data received from server:

PW_ACCT_INTERIM_INTERVAL  = if non-zero then interval to update accounting data in seconds
PW_FRAMED_IP_ADDRESS      = PPP remote address
PW_IDLE_TIMEOUT           = if no traffic in that time, connection is closed
PW_SESSION_TIMEOUT        = connection time allowed

Accounting information sent to server:

PW_USER_NAME
PW_ACCT_INPUT_OCTETS      = octets signifies bytes
PW_ACCT_INPUT_PACKETS
PW_ACCT_OUTPUT_OCTETS 
PW_ACCT_OUTPUT_PACKETS
ACCT_SESSION_TIME         = in the form of seconds

RADIUS Servers Suggested

Our RADIUS CLIENT should work well with all RFC compliant servers. Our software has been tested with:

http://www.vircom.com/

PPPoE Bandwidth Setting

For local authentication, this can be set in the [MikroTik] user> menu with the baud-rate value (identical to bits/s). For Radius authentication, the account of each user in the radius server should be set with: Parameter: Ascend-Data-Rate (with parameter ID 197 -- in bits/s)

Additional Resources

Links for PPP documentation:

http://www.ietf.org/rfc/rfc2138.txt?number=2138
http://www.ietf.org/rfc/rfc2138.txt?number=2139

PPP Troubleshooting



PPPoE – Point to Point Protocol over Ethernet

Document revision 18-Mar-2002
This document applies to MikroTik RouterOS V2.4

Overview

The PPPoE (Point to Point Protocol over Ethernet) protocol provides extensive user management, network management, and accounting benefits to ISPs and network administrators. Currently, PPPoE is used mainly by ISPs to control client connections for xDSL and cable modems. PPPoE is an extension of the standard dial-up and synchronous protocol PPP. The transport is over Ethernet – as opposed to modem transport.

A PPPoE connection is composed of a client and an access concentrator (server). The client may be a Windows computer that has the PPPoE client protocol installed. The MikroTik RouterOS supports both the client and access concentrator implementations of PPPoE. The PPPoE client and server work over any Ethernet level interface on the router – wireless 802.11 (Aironet, Cisco, WaveLAN), 10/100/1000 Mb/s Ethernet, RadioLAN, and EoIP (Ethernet over IP tunnel). No encryption, MPPE 40bit RSA, and MPPE 128bit RSA encryption are supported.

Our RouterOS has a RADIUS client that can be used for authentication of all PPP type connections – including PPPoE. For more information on PPP authentication, see the “PPP Authentication and Accounting” section of the PPP Client and Server Interfaces Manual.

Supported connections:

PPPoE Installation on the MikroTik RouterOS v2.4

The “pppoe-2.4.x.npk” (less than 160KB) package and the “ppp-2.4.x.npk” (less than 370KB) are required. The packages can be downloaded from MikroTik’s web page www.mikrotik.com. To install the packages, please upload them to the router with ftp and reboot. You may check to see if the packages are installed with the command:

[mikrotik]> system package print
  # NAME                                             VERSION    BUILD UNINSTALL
  0 routing                                          2.4.0      1     no
  1 aironet                                          2.4.0      1     no
  2 wavelan                                          2.4.0      1     no
  3 system                                           2.4.0      1     no
  4 snmp                                             2.4.0      1     no
  5 option                                           2.4.0      1     no
  6 ppp                                              2.4.0      1     no
  7 pptp                                             2.4.0      1     no
  8 pppoe                                            2.4.0      1     no
  9 radiolan                                         2.4.0      1     no
 10 ssh                                              2.4.0      1     no

[mikrotik]>

Lines six and eight show that the PPP and PPPoE packages are installed.

PPPoE hardware resource usage

The PPPoE client uses a minimum amount of memory.

The PPPoE server (access concentrator) uses a minimum amount of memory for the basic setup. Each current PPPoE server connection uses approximately 100-200KB of memory. For PPPoE servers (access concentrators) designed for a large number of PPPoE connections, additional RAM should be added. In version 2.4, there is currently a maximum of 5000 connections. For example, a 1,000 user system should have 200MB of free RAM above the normal operating RAM. For a large number of clients a faster processor system is required. We recommend using a Celeron 600MHz processor or higher. A future rewrite of parts of PPP is expected to significantly reduce the requirements.

PPPoE client setup

The PPPoE client supports high-speed connections. It is fully compatible with the MikroTik PPPoE server (access concentrator). Tests with different ISPs and access concentrators are currently underway.

Note for Windows: Some connection instructions may use the form where the “phone number” is “MikroTik_AC\mt1” to indicate that “MikroTik_AC” is the access concentrator name and “mt1” is the service name.

An example of a PPPoE client on the MikroTik RouterOS:

  [RemoteOffice] interface pppoe-client> print 
  0   name=pppoe-out1 interface=gig service-name=testSN user=john pap=no
      chap=yes ms-chapv2=no mtu=1492 mru=1492 idle-timeout=0s
      session-timeout=0s add-default-route=yes dial-on-demand=no
      use-peer-dns=no encryption=none compression=no local-address=0.0.0.0
      remote-address=0.0.0.0 ac-name="" mss-update=1452

Descriptions of settings:

name - This settable name will appear in interface and IP address list when the PPPoE session is active.
interface - The PPPoE client can be attached to any Ethernet-like interface – for example: wireless, 10/100/1000 Ethernet, and EoIP tunnels.
mtu and mru - Represents the MTU and MRU when the 8 byte PPPoE overhead is subtracted from the standard 1500 byte Ethernet packet
pap, chap, ms-chapv2 - It is suggested that chap be set to yes to have encrypted authentication. If there is a special situation that requires an encrypted link, only ms-chapv2 should be set to yes. Encrypted links are only supported when ms-chapv2 is selected. This is a requirement of the protocol.
encryption - Will only work in encrypted mode when ms-chapv2 authentication is used. For most links, it should be set to none.
user - A user name and password must be added to the client router’s user database. The user must be added with the attribute of group PPP. When the server is authenticating the client, the client will send this user and the password from the client router’s user database. The server user database must have the same user and password and PPP group attribute to authenticate the link – unless the RADIUS client is enabled.
idle-timeout - The link will be terminated if there is no activity within the time set – in seconds. When set to “0,” there is no timeout.
session-timeout - The maximum time the connection can stay up. When set to “0,” there is no timeout.
dial-on-demand - Connects to AC only when outbound traffic is generated and disconnects when there is no traffic for the period set in the idle-timeout value.
use-peer-dns - Sets the router default DNS to the PPP peer DNS.
compression - May be selected if encryption is not used. The default setting of “no compression” is suggested.
local-address - If the ppp server allows, a local-address may be set. The default setting of 0.0.0.0 is suggested. In this case, the address set by the server will be used.
session-timeout - The maximum time the connection can stay up set in seconds. When set to “0,” there is no timeout.
remote-address - If the ppp server allows, a remote-address may be set. The default setting of 0.0.0.0 is suggested.
service - The service name set on the access concentrator. Many ISPs give user-name and address in the form of “user-name@service-name”
ac-name - This may be left blank and the client will connect to any access concentrator that offers the “service” name selected.
add-default-route - Select yes to have a default route added automatically. Note that the dynamic default route will not be added if there is already a default route set.
mss-update - This setting changes the mss (maximum segment size) setting of each packet to the selected size. The default of 1452 is suggested. This fixes a common problem for PPPoE when mis-configured servers or networks do not let the IP protocol work properly. The common symptom is a partial download of a web page.

PPPoE server setup (access concentrator)

The PPPoE server (access concentrator) supports multiple servers for each interface – with differing service names. Currently, a maximum of 5000 PPPoE connections are supported. Currently the throughput of the PPPoE server has been tested to 160Mb/s on a Celeron 600 CPU. Using higher speed CPUs should increase the throughput proportionately.

The setting below is the optimal setting to work with Windows clients such as RASPPPoE client for Win98/2000/ME. The password authentication and encryption are set to “pap no chap yes ms-chapv2 no encryption none” specifically to ensure a quick login by the Windows client. In the example below, the login is encrypted with PAP. Currently it is possible to make encrypted links to Windows clients, but usually they quit passing IP after five minutes while remaining connected and showing that data is passed – this is a bug which is being worked on. There are no problems with encryption between MikroTik PPPoE client and server.

The access concentrator has a hard limit of 5000 current connections. The user setting for the connections limit is done by setting the “remote-to” and “remote-from” IP address range. For example, for a limit of 1020 users: remote-from=10.0.0.1 remote-to=10.0.4.255. Even if you are using a RADIUS server for client addresses, the remote-from and remote-to arguments must include an IP range which will limit/enable the number of current connections.

The “access concentrator name” and PPPoE “service name” are used by clients to identify the access concentrator to register with. The “access concentrator name” is the same as the “identity” of the router. The identity may be set with the command: /system identity set xxxxx

  0   service-name=testSN interface=gig local-from=5.5.5.1 local-to=5.5.5.1
      remote-from=6.6.6.1 remote-to=6.6.6.250 mtu=1492 mru=1492 pap=no chap=yes
      ms-chapv2=no idle-timeout=0s session-timeout=0s compression=no
      encryption=none

Descriptions of settings:

pap, chap, ms-chapv2 - It is suggested that chap always be set to yes. PAP is best disabled because it sends the user-name and password in clear text. ms-chapv2 should be disabled as it is not needed unless there is a special situation that requires an encrypted link. Encrypted links are only supported when ms-chapv2 is selected. This is a feature of the protocol.
encryption - Will only work in encrypted mode when ms-chapv2 authentication is used. For most setups, it should be set to none.
interface - The PPPoE server can be attached to any Ethernet-like interface – for example: wireless, 10/100/1000 Ethernet, and EoIP tunnels.
compression - Standard PPP level compression.
service - The PPPoE service name.
mtu - The default mtu is set to 1492 because of the PPPoE overhead. It may be changed for special situations.
mru - The default mru is set to 1492 because of the PPPoE overhead. It may be changed for special situations.
idle-timeout - A standard PPP setting. The link will be terminated if there is no activity within the time set – in seconds. When set to “0,” there is no timeout.
session-timeout - The maximum time the connection can stay up in the format of Xh or Xm or Xs. When set to “0,” there is no timeout.
local-address-from and local-address-to - The IP address pool of the PPPoE local server for each new PPPoE connection. One local address can be used on multiple static server interfaces. Usually, it is best that this is not a real IP address. Only the client could have a use for a real IP address. Example: local-address-from 10.0.0.1 local-address-to 10.0.0.1
remote-address-from and remote-address-to - The IP address pool for the PPPoE remote client for each new PPPoE connection. One address must be available for each current connection – the number in the range selected will be the maximum number of current connections. If radius authentication is used to give addresses, it is still required to have a range of addresses set in this server setup.

PPPoE bandwidth setting

For local authentication, this can be set in the “[MikroTik] user>” menu with the “baud-rate” value (identical to bits/s). For Radius authentication, the account of each user in the radius server should be set with:

Parameter: Ascend-Data-Rate (with parameter ID 197 -- in bits/s)

PPPoE in a multipoint wireless 802.11b network

In a wireless network, the PPPoE server may be attached to our PRISMII 2.4GHz Access Point (infrastructure mode) interface. Either our RouterOS client or Windows PPPoE clients may connect to the Access Point for PPPoE authentication. Further, for RouterOS clients, the radio interface may be set to MTU 1600 so that the PPPoE interface may be set to MTU 1500. This optimizes the transmission of 1500 byte packets and avoids any problems associated with MTUs lower than 1500. It has not been determined how to change the MTU of the Windows wireless interface at this moment.

PPPoE Troubleshooting

Additional Resources

Links for PPPoE documentation:

PPPoE Clients:


© Copyright 1999-2001, MikroTik

MikroTik RouterOS V2.4 Point to Point Tunnel Protocol (PPTP)

Document revision 04-Oct-2001
This document applies to the MikroTik RouterOS V2.4

Overview

PPTP (Point to Point Tunnel Protocol) supports encrypted tunnels over IP. The MikroTik RouterOS implementation includes a PPTP client, a PPTP dynamic server, and a PPTP static server. The following tunnels are supported:

General usage of PPTP tunnels:

Contents of the Manual

The following topics are covered in this manual:

Installation

The 'pptp-2.4.x.npk' (less than 160KB) package and the 'ppp-2.4.x.npk' (less than 370KB) package are required. The packages can be downloaded from MikroTik’s web page www.mikrotik.com. To install the packages, please upload them to the router with ftp and reboot. You may check to see if the PPTP and PPP packages are installed with the command:

[MikroTik] > system package print
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 aironet                2.4                   sep/25/2001 05:08:05 no
  1 pptp                   2.4                   sep/25/2001 05:06:44 no
  2 ppp                    2.4                   sep/25/2001 05:06:35 no
  3 pppoe                  2.4                   sep/25/2001 05:06:45 no
  4 ssh                    2.4                   sep/25/2001 05:08:11 no
  5 routing                2.4                   sep/25/2001 05:06:07 no
  6 snmp                   2.4                   sep/25/2001 05:06:09 no
  7 moxa-c101              2.4                   sep/25/2001 05:08:08 no
  8 framerelay             2.4                   sep/25/2001 05:08:56 no
  9 system                 2.4                   sep/25/2001 05:05:48 no
[MikroTik] >

Lines one and two show that the PPP and PPTP packages are installed.

Hardware Resource Usage

PPTP uses a minimum amount of memory. RouterOS v2.4 has a rewritten PPTP engine with an encrypted throughput of approximately 60Mb/s on a Celeron 600MHz CPU.

PPTP Protocol Description

Though the following may sound complex, our implementation of PPTP is easy to set up and manage. PPTP, using PPP, is a secure tunnel for transporting IP traffic. PPTP encapsulates PPP in virtual lines that run over IP. PPTP incorporates PPP and MPPE (Microsoft Point to Point Encryption) to make encrypted links. The purpose of this protocol is to make well-managed secure connections between 1) routers and routers 2) routers and Windows clients (or other OS with PPTP support).

PPTP includes PPP authentication and accounting for each PPTP connection. Full authentication and accounting of each connection may be done through a RADIUS client or locally. There are also additional PPP configurations for management of users and connections.

MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported.

PPTP traffic uses TCP port 1723 and IP protocol ID 47, as assigned by the Internet Assigned Numbers Authority (IANA). PPTP can be used with most firewalls and routers by enabling traffic destined for TCP port 1723 and protocol 47 traffic to be routed through the firewall or router.

PPTP connections may be limited or impossible to set up through a masqueraded/NAT IP connection. Please see the Microsoft and RFC links at the end of this section for more information.

PPTP Client Setup

Each PPTP connection is composed of a server and a client. The MikroTik RouterOS may function as a server or client – or for various configurations, it may be the server for some connections and client for other connections. For example, the client created below could connect to a Windows 2000 server, another MikroTik Router, or another router which supports a PPTP server.

The PPTP client management can be accessed under the /interface pptp-client submenu.

You can add a PPTP client using the add command:

[MikroTik] interface pptp-client>
add name=test2 connect-to=10.1.1.12 encryption=required \
user=john add-default-route=yes
[MikroTik] interface pptp-client> print
Flags: X - disabled
  0 X name=test2 user=john connect-to=10.1.1.12 mtu=1460 mru=1460 pap=no
      chap=no ms-chapv2=yes idle-timeout=0s session-timeout=0s
      encryption=required add-default-route=yes

[MikroTik] interface pptp-client> enable 0
[MikroTik] interface pptp-client> monitor test2
      uptime: 0s
    encoding:
      status: Terminated

[MikroTik] interface pptp-client>

Descriptions of settings:

name - Interface name for reference
mtu - Maximum Transmit Unit. Should be set to the default 1460 bytes to avoid fragmentation of packets. May be set to 1500 bytes if MTU path discovery is not working properly on links.
mru - Maximum Receive Unit. Should be set to the default 1460 bytes to avoid fragmentation of packets. May be set to 1500 bytes if MTU path discovery is not working properly on links.
connect-to - The IP address of the PPTP server to connect to.
pap, chap, ms-chapv2 - (no / yes). Authentication protocol. Encrypted links are only supported when ms-chapv2 is selected. This is a feature of the protocol. It is suggested that pap and chap always be set to 'no', unless there is a special situation which requires an unencrypted link.
encryption - (none / optional / required / stateless). Will only work in encrypted mode when ms-chapv2 authentication is used. For most links, it should be set to 'required'.
user - User name to use when logging on to the remote server. The user with ppp group privileges and a password must be added to the client router’s user database. When the client is being authenticated by the server, the client will send this user and the password from the client router’s user database. The server user database must have the same user and password and PPP group attribute to authenticate the link.
idle-timeout - The link will be terminated if there is no activity within the time set – in seconds. When set to '0', there is no timeout.
session-timeout - The maximum time the connection can stay up. When set to '0', there is no timeout.
add-default-route - When the PPTP connection is up, the default route (gateway) will be added, using the other side of the PPP link as the gateway.

If the PPTP client is configured properly and it has established a connection to the server, you can:

  1. Monitor the connection using the /interface pptp-client monitor command
  2. See the pptp-out interface under the /interface print list
  3. See the dynamic IP address under the /ip address print list
  4. (Optionally) See the dynamic default route under the /ip route print list

Example of an established connection:

[MikroTik] interface pptp-client> monitor test2
      uptime: 4h35s
    encoding: MPPE 128 bit, stateless
      status: Connected
[MikroTik] interface pptp-client>

Description of display:

uptime - Connection time displayed in days, hours, minutes, and seconds.
encoding - Encryption being used in this connection.
status - The status of this client may be:

PPTP Dynamic Server Setup

The router supports one PPTP dynamic server. This server supports unlimited connections from clients. For each current connection, a dynamic interface is created. While the PPTP dynamic server supports multiple clients, it does not support static routes, filters, and other IP level features that need to be attached to static interfaces. The PPTP static server supports routes and other IP level features.

The PPTP dynamic server management can be accessed under the /interface pptp-dynamic-server server submenu.

You can enable the PPTP dynamic server using the set command:

[MikroTik] interface pptp-dynamic-server server>
set enabled yes encryption required \
local-address-from 10.9.0.1 local-address-to 10.9.0.1 \
remote-address-from 10.9.0.1 remote-address-to 10.9.0.100
[MikroTik] interface pptp-dynamic-server server> print
                enabled: yes
                    pap: no
                   chap: no
              ms-chapv2: yes
                    mtu: 1460
                    mru: 1460
     local-address-from: 10.9.0.1
       local-address-to: 10.9.0.1
    remote-address-from: 10.9.0.1
      remote-address-to: 10.9.0.100
           idle-timeout: 0s
        session-timeout: 0s
             encryption: required

[MikroTik] interface pptp-dynamic-server server>

Descriptions of settings:

enabled - (yes / no). Enable or disable the server.
mtu - Maximum Transmit Unit. Should be set to the default 1460 bytes to avoid fragmentation of packets. May be set to 1500 bytes if MTU path discovery is not working properly on links.
mru - Maximum Receive Unit. Should be set to the default 1460 bytes to avoid fragmentation of packets. May be set to 1500 bytes if MTU path discovery is not working properly on links.
local-address-from, local-address-to - The IP address of the PPTP local server. Both the -from and -to can be the same. The same local server address will be used on all connections that are created.
remote-address-from, remote-address-to - This should be set to an IP range. This may limit the number of current connections if there are no free IPs available when a new connection is initiated.
pap, chap, ms-chapv2 - (no / yes). Authentication protocol. Encrypted links are only supported when ms-chapv2 is selected. This is a feature of the protocol. It is suggested that pap and chap always be set to 'no', unless there is a special situation which requires an unencrypted link.
encryption - (none / optional / required / stateless). Will only work in encrypted mode when ms-chapv2 authentication is used. For most links, it should be set to 'required'.
idle-timeout - The link will be terminated if there is no activity within the time set – in seconds. When set to '0', there is no timeout.
session-timeout - The maximum time the connection can stay up. When set to '0', there is no timeout.

If the PPTP dynamic server is configured properly and it has established connections with the clients, you can:

  1. See the list of connected clients using the /interface pptp-dynamic-server print command
  2. Monitor the connected clients using the /interface pptp-dynamic-server monitor command
  3. See the pptp-in-dyn interfaces under the /interface print list
  4. See the dynamic IP addresses under the /ip address print list
  5. See the dynamic routes under the /ip route print list

See the example below for more information on how to monitor the PPTP links.

PPTP Static Server Setup

The PPTP static server is made for permanent connections between two routers. One side of the PPTP tunnel must be set up as a static server and the other side as a client. On both the static server side and the client side, it will be possible to add static routes, filters, and any other IP level features – for example an EoIP tunnel may be put on top of the PPTP encrypted tunnel to make an encrypted LAN-to-LAN bridge.

The PPTP static server management can be accessed under the /interface pptp-static-server submenu.

To add a PPTP static server interface use the add command:

[MikroTik] interface pptp-static-server>
add name=test remote-address=1.1.1.2 local-address=1.1.1.1 \
client-address=10.1.1.13 mtu=1500 mru=1500 encryption=required 
[MikroTik] interface pptp-static-server> print
Flags: X - disabled
  0 X name=test client-address=10.1.1.13 mtu=1500 mru=1500 pap=no chap=no
      ms-chapv2=yes local-address=1.1.1.1 remote-address=1.1.1.2
      idle-timeout=0s session-timeout=0s encryption=required

[MikroTik] interface pptp-static-server> enable test
[MikroTik] interface pptp-static-server> monitor test
        user: john
      uptime: 5s
    encoding: MPPE 128 bit, stateless
[MikroTik] interface pptp-static-server>

Descriptions of settings:

name - Interface name for reference
client-address - This should be set to the IP address of the client that will attempt to make a PPTP connection.
mtu - Maximum Transmit Unit. Should be set to the default 1460 bytes because of the PPTP overhead, so that packet fragmentation is avoided. May be set to 1500 bytes when working with MikroTik clients, if MTU path discovery is not working properly on links. Should be set to 1460 to work with non-MikroTik clients. When set to 1500, there will be no MTU problems which can come up when communicating with mis-configured networks.
mru - Maximum Receive Unit. Should be set to the default 1460 bytes because of the PPTP overhead, so that packet fragmentation is avoided. May be set to 1500 bytes when working with MikroTik clients, if MTU path discovery is not working properly on links. Should be set to 1460 to work with non-MikroTik clients. When set to 1500, there will be no MTU problems which can come up when communicating with mis-configured networks.
local-address - The IP address of the PPTP local server. The same local server address can be used on multiple static server interfaces.
remote-address - This should be set to an IP address that will be given to the remote client.
pap, chap, ms-chapv2 - (no / yes). Authentication protocol. Encrypted links are only supported when ms-chapv2 is selected. This is a feature of the protocol. It is suggested that pap and chap always be set to 'no', unless there is a special situation which requires an unencrypted link.
encryption - (none / optional / required / stateless). Will only work in encrypted mode when ms-chapv2 authentication is used. For most links, it should be set to 'required'.
idle-timeout - The link will be terminated if there is no activity within the time set – in seconds. When set to '0', there is no timeout.
session-timeout - The maximum time the connection can stay up. When set to '0', there is no timeout.

If the PPTP static server is configured properly and it has established a connection with the client, you can:

  1. Monitor the connection using the /interface pptp-static-server monitor command
  2. See the pptp-in interface under the /interface print list
  3. See the dynamic IP address under the /ip address print list
  4. See the dynamic route under the /ip route print list

See the example below for more information on how to monitor the PPTP links.

Troubleshooting

PPTP Router-to-Router Secure Tunnel Example

The following is an example of connecting two Intranets using an encrypted PPTP tunnel over the Internet.

There are two routers in this example:

Each router is connected to a different ISP. One router can access another router through the Internet.

To add a secure Tunnel between the HomeOffice and RemoteOffice routers, add an identical user and password with the group 'ppp' to both the HomeOffice and RemoteOffice router:

[RemoteOffice] user> add name remote password remote group ppp
[HomeOffice] user> add name remote password remote group ppp

Add a PPTP static server interface to the HomeOffice router:

[HomeOffice] interface pptp-static-server> print
0   name: FromRemoteOffice client-address: 192.168.81.1 pap: no chap: no
    ms-chapv2: yes encryption: required mtu: 1460 mru: 1460 idle-timeout: 0
    session-timeout: 0 local-address: 10.0.103.1 remote-address: 10.0.103.2

Add a PPTP client to the RemoteOffice router:

[RemoteOffice] interface pptp-client> print
0   name: Tunnel_To_HomeOffice mtu: 1460 mru: 1460 pap: no chap: no
    ms-chapv2: yes encryption: required user: remote connect-to: 192.168.80.1 
    idle-timeout: 0 session-timeout: 0

Thus, a PPTP tunnel is created between the routers. This tunnel is like an Ethernet point-to-point connection between the routers with IP addresses 10.0.103.1 and 10.0.103.2 at each router. It enables 'direct' communication between the routers over third party networks.

To route the local Intranets over the PPTP tunnel – add these routes:

[HomeOffice] > ip route add dst-address 10.150.1.0/24 gateway 10.0.103.2
[RemoteOffice] > ip route add dst-address 10.150.2.0/24 gateway 10.0.103.1

Test the PPTP tunnel connection:

[RemoteOffice]> /ping 10.0.103.1
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

Test the connection through the PPTP tunnel to the LocalHomeOffice interface:

[RemoteOffice]> /ping 10.150.2.254
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

Note for OSPF and RIP users! The router can lock up if OSPF or RIP is used with PPTP. This is caused by an internal loop, which results from the new routing information obtained through OSPF or RIP when the PPTP connection is established.

To avoid this, two static routes should be added to each of the routers before creating the PPTP tunnel:

[HomeOffice] > ip route add dst-address 192.168.81.1/32 gateway 192.168.80.254
[RemoteOffice] > ip route add dst-address 192.168.80.1/32 gateway 192.168.81.254

To bridge a LAN over this secure tunnel, please read the 'EoIP' section of the manual. To set the maximum speed for traffic over this tunnel, please see the 'Queues' section.
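
The authentication and encryption guidance given in the PPPoE and PPTP setting descriptions above can be checked mechanically against saved 'print' output. The following is an added example, not MikroTik code: parse_print, audit and audit_listing are hypothetical helper names, the two PAGE_ listings are copied from this manual, and the CONSTRUCTED_WEAK listing is made up for illustration.

```python
import re


def parse_print(text):
    """Parse console `print` output into one {setting: value} dict per item.

    Accepts both layouts shown in the manual: `key=value` and `key: value`.
    """
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", "Flags:")):
            continue  # skip console prompts and the flag legend
        numbered = re.match(r"(\d+)\s+(?:X\s+)?(.*)", line)
        if numbered:            # "0 X name=..." starts a new item
            items.append({})
            line = numbered.group(2)
        elif not items:         # unnumbered, single-item listing
            items.append({})
        for key, value in re.findall(r'([A-Za-z][\w-]*)\s*[=:]\s*("[^"]*"|\S*)', line):
            items[-1][key.lower()] = value.strip('"')
    return items


def audit(kind, cfg):
    """Return findings for one item; kind is 'pppoe' or 'pptp'."""
    findings = []
    pap, chap, mschap = (cfg.get(k, "no") for k in ("pap", "chap", "ms-chapv2"))
    enc = cfg.get("encryption", "none")
    if pap == "yes":
        findings.append("pap=yes: user name and password are sent in clear text")
    if enc != "none" and mschap != "yes":
        findings.append(f"encryption={enc} only works with ms-chapv2=yes")
    if kind == "pptp":
        if enc in ("none", "optional"):
            findings.append(f"encryption={enc}: not enforced; manual suggests 'required'")
        if chap == "yes":
            findings.append("chap=yes: manual suggests pap and chap 'no' on PPTP links")
    elif kind == "pppoe" and chap != "yes":
        findings.append("chap=no: manual suggests chap=yes on PPPoE links")
    return findings


def audit_listing(kind, text):
    """Audit every item in a listing; returns {item name: [findings]}."""
    report = {}
    for i, cfg in enumerate(parse_print(text)):
        label = cfg.get("name") or cfg.get("service-name") or f"item{i}"
        report[label] = audit(kind, cfg)
    return report


# Copied from this manual: PPPoE server listing (key=value layout).
PAGE_PPPOE_SERVER = """\
  0   service-name=testSN interface=gig local-from=5.5.5.1 local-to=5.5.5.1
      remote-from=6.6.6.1 remote-to=6.6.6.250 mtu=1492 mru=1492 pap=no chap=yes
      ms-chapv2=no idle-timeout=0s session-timeout=0s compression=no
      encryption=none
"""

# Copied from this manual: HomeOffice PPTP static server (key: value layout).
PAGE_PPTP_STATIC = """\
[HomeOffice] interface pptp-static-server> print
0   name: FromRemoteOffice client-address: 192.168.81.1 pap: no chap: no
    ms-chapv2: yes encryption: required mtu: 1460 mru: 1460 idle-timeout: 0
    session-timeout: 0 local-address: 10.0.103.1 remote-address: 10.0.103.2
"""

# Constructed for illustration; these two items do not appear in the manual.
CONSTRUCTED_WEAK = """\
Flags: X - disabled
  0   name=legacy-vpn client-address=192.0.2.10 pap=yes chap=yes ms-chapv2=no
      encryption=required
  1 X name=branch-vpn client-address=192.0.2.11 pap=no chap=no ms-chapv2=yes
      encryption=optional
"""

if __name__ == "__main__":
    for kind, listing in (("pppoe", PAGE_PPPOE_SERVER),
                          ("pptp", PAGE_PPTP_STATIC),
                          ("pptp", CONSTRUCTED_WEAK)):
        for name, findings in audit_listing(kind, listing).items():
            print(f"{kind} {name}: {findings or 'matches the manual guidance'}")
```

Both listings taken from the manual pass; the constructed 'legacy-vpn' item is flagged because encryption=required cannot take effect while ms-chapv2=no, which is the dependency the setting descriptions state.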

PPTP Setup for Windows

Microsoft provides PPTP client support for Windows NT, 2000, ME, 98se, and 98. Windows 98se, 2000, and ME include support in the Windows setup or automatically install PPTP. For 95, NT, and 98, installation requires a download from Microsoft. Many ISPs have made help pages to assist clients with Windows PPTP installation. A zipped download of an instructional web page is available in PPTP_client_files.zip – this can be found in the utilities section of the download section. This zipped file also includes files needed from Microsoft for upgrading Windows 95 and 98 to support PPTP.

Links:

http://www.real-time.com/Customer_Support/PPTP_Config/pptp_config.html
http://www.microsoft.com/windows95/downloads/contents/WUAdminTools/S_WUNetworkingTools/W95WinsockUpgrade/Default.asp

Sample instructions for PPTP (VPN) installation and client setup – Windows 98se

If the VPN (PPTP) support is installed, select 'Dial-up Networking' and 'Create a new connection'. The option to create a 'VPN' should be selected. If there is no 'VPN' option, then follow the installation instructions below. When asked for the 'Host name or IP address of the VPN server', type the IP address of the router. Double-click on the 'new' icon and type the correct user name and password (must also be in the user database on the router or RADIUS server used for authentication).

The setup of the connection takes nine seconds after selecting the 'connect' button. It is suggested that the connection properties be edited so that 'NetBEUI', 'IPX/SPX compatible', and 'Log on to network' are unselected. The setup time for the connection will then be two seconds after the 'connect' button is selected.

To install the 'Virtual Private Networking' support for Windows 98se, go to the 'Setting' menu from the main 'Start' menu. Select 'Control Panel', select 'Add/Remove Program', select the 'Windows setup' tab, select the 'Communications' software for installation and 'Details'. Go to the bottom of the list of software and select 'Virtual Private Networking' to be installed.

Additional Resources

Links for PPTP documentation:

http://msdn.microsoft.com/library/backgrnd/html/understanding_pptp.htm
http://support.microsoft.com/support/kb/articles/q162/8/47.asp
http://www.ietf.org/rfc/rfc2637.txt?number=2637
http://www.ietf.org/rfc/rfc3078.txt?number=3078
http://www.ietf.org/rfc/rfc3079.txt?number=3079


© Copyright 1999-2001, MikroTik

CISCO/Aironet 2.4GHz 11Mbps Wireless Interface

Document revision 01-Oct-2001
This document applies to the MikroTik RouterOS V2.4

Overview

The MikroTik RouterOS supports the following CISCO/Aironet 2.4GHz Wireless ISA/PCI/PC Adapter hardware:

For more information about the CISCO/Aironet PCI/ISA adapter hardware please see the relevant User’s Guides and Technical Reference Manuals in .pdf format:

Documentation about CISCO/Aironet Wireless Bridges and Access Points can be found in archives:

Contents of the Manual

The following topics are covered in this manual:

Wireless Adapter Hardware and Software Installation

Software Packages

The MikroTik Router should have the aironet software package installed. The software package file aironet-2.4.y.npk can be downloaded from MikroTik’s web page www.MikroTik.com. To install the package, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation the package should be listed under the installed software packages list, for example:

[MikroTik] > /sys package print                                                 
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 aironet                2.4                   sep/25/2001 05:08:05 no       
  1 routing                2.4                   sep/25/2001 05:06:07 no       
  2 system                 2.4                   sep/25/2001 05:05:48 no       
  3 ppp                    2.4                   sep/25/2001 05:06:35 no       
  4 ssh                    2.4                   sep/25/2001 05:08:11 no       
  5 pptp                   2.4                   sep/25/2001 05:06:44 no       
[MikroTik] >  

Software License

The 2.4GHz wireless adapters require the 2.4GHz wireless feature license. One license is for one installation of the MikroTik RouterOS, disregarding how many cards are installed in one PC box. The wireless feature is not included in the Free Demo or Basic Software License. The 2.4GHz Wireless Feature cannot be obtained for the Free Demo License. It can be obtained only together with the Basic Software License.

System Resource Usage

Before installing the wireless adapter, please check the availability of free IRQ's and I/O base addresses:

[MikroTik] > /sys resource irq print                                            
 IRQ USED OWNER                                                                 
 1   yes  keyboard                                                              
 2   yes  APIC                                                                  
 3   no                                                                         
 4   yes  serial port                                                           
 5   no
 6   no                                                                         
 7   no                                                                         
 8   no                                                                         
 9   no                                                                         
 10  no                                                                         
 11  yes  backbone                                                              
 12  no                                                                         
 13  yes  FPU                                                                   
 14  yes  IDE 1                                                                 
 15  yes  PCMCIA service                                                        
[MikroTik] > /sys resource io print                                             
 PORT-RANGE            OWNER                                                    
 20-3F                 APIC                                                     
 40-5F                 timer                                                    
 60-6F                 keyboard                                                 
 80-8F                 DMA                                                      
 A0-BF                 APIC                                                     
 C0-DF                 DMA                                                      
 F0-FF                 FPU                                                      
 1F0-1F7               IDE 1                                                    
 2F8-2FF               serial port                                              
 3C0-3DF               VGA                                                      
 3E0-3E1               PCMCIA service                                           
 3F6-3F6               IDE 1                                                    
 3F8-3FF               serial port                                              
 4000-4007             IDE 1                                                    
 4008-400F             IDE 2                                                    
 6300-631F             backbone                                                 
[MikroTik] >  

Installing the Wireless Adapter

The basic installation steps of the wireless adapter should be as follows:
  1. Check the system BIOS settings and make sure you do not have the 'PnP OS Installed' set to 'Yes'. If you have this setting, make sure it is set to 'No'.
  2. Check the system BIOS settings for peripheral devices, like, Parallel or Serial communication ports. Disable them, if you plan to use IRQ's assigned to them by the BIOS.
  3. Set the DIP switches on the ISA board according to the following plan:
    DIP switch #6 to 'on' (non-PnP mode)
    Use the DIP switches #1,2,3 to select the IRQ number
    Use the DIP switches #4,5 to select the I/O Base Address
Please note that not all combinations of I/O base addresses and IRQs may work on your motherboard. It is recommended that you choose one IRQ that is not used in your system, and then try an acceptable I/O base address setting. It has been observed that IRQ 5 and I/O 0x300 or 0x180 work in most cases.
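A pre-installation check for the steps above, as an added example that is not part of the MikroTik manual: it parses the resource listings and reports whether a candidate IRQ and I/O base collide with something already in use. The I/O listing is copied from the output above; the IRQ listing is constructed, and the window length `io_len` (0x40 here) is an assumption to replace with the figure from the card's documentation.

```python
import re

# Copied from the `/sys resource io print` output shown above.
IO_PRINT = """\
 PORT-RANGE            OWNER
 20-3F                 APIC
 40-5F                 timer
 60-6F                 keyboard
 80-8F                 DMA
 A0-BF                 APIC
 C0-DF                 DMA
 F0-FF                 FPU
 1F0-1F7               IDE 1
 2F8-2FF               serial port
 3C0-3DF               VGA
 3E0-3E1               PCMCIA service
 3F6-3F6               IDE 1
 3F8-3FF               serial port
 4000-4007             IDE 1
 4008-400F             IDE 2
 6300-631F             backbone
"""

# Constructed sample in the layout of `system resource irq print`.
IRQ_PRINT = """\
 IRQ USED OWNER
 1   yes  keyboard
 2   yes  APIC
 3   yes  serial port
 4   yes  serial port
 5   no
 9   yes  backbone
 13  yes  FPU
 14  yes  IDE 1
"""


def parse_io(text):
    """Return [(start, end, owner)]; port ranges are hexadecimal and inclusive."""
    ranges = []
    for line in text.splitlines():
        m = re.match(r'\s*([0-9A-Fa-f]+)-([0-9A-Fa-f]+)\s+(.*\S)', line)
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return ranges


def parse_irq(text):
    """Return {irq: owner}, with owner None for a free IRQ."""
    irqs = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\d+)\s+(yes|no)\b\s*(.*)', line)
        if m:
            used = m.group(2) == 'yes'
            irqs[int(m.group(1))] = (m.group(3).strip() or 'unknown') if used else None
    return irqs


def conflicts(irq, io_base, io_len, irq_text, io_text):
    """List every reason the (irq, io_base) pair cannot be used as-is."""
    found = []
    irqs = parse_irq(irq_text)
    if irq not in irqs:
        found.append('IRQ %d is not in the listing' % irq)
    elif irqs[irq] is not None:
        found.append('IRQ %d used by %s' % (irq, irqs[irq]))
    lo, hi = io_base, io_base + io_len - 1
    for start, end, owner in parse_io(io_text):
        if start <= hi and lo <= end:  # inclusive ranges overlap
            found.append('I/O %X-%X overlaps %X-%X (%s)' % (lo, hi, start, end, owner))
    return found


if __name__ == '__main__':
    # The two I/O bases the manual suggests with IRQ 5, then a pair that collides.
    for irq, base in [(5, 0x180), (5, 0x300), (4, 0x3E0)]:
        problems = conflicts(irq, base, 0x40, IRQ_PRINT, IO_PRINT)
        print('IRQ %d, I/O 0x%X:' % (irq, base), problems or 'free')
```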

Loading the Driver for the Wireless Adapter

PCI and PC (PCMCIA) cards do not require a 'manual' driver loading, since they are recognized automatically by the system and the driver is loaded at the system startup.

The ISA card requires the driver to be loaded by issuing the following command:

[MikroTik]> driver add name=pc-isa io=0x180
[MikroTik]> driver print
Flags: I - invalid, D - dynamic 
  #   DRIVER                            IRQ IO         MEMORY     ISDN-PROTOCOL
  0 D PCI NE2000                                                               
  1   Aironet ISAxx00                       0x180
[MikroTik] driver>

There can be several reasons for a failure to load the driver:

Wireless Interface Configuration

If the driver has been loaded successfully (no error messages), and you have the required 2.4GHz Wireless Software License, then the CISCO/Aironet 2.4GHz Wireless interface should appear under the interfaces list with the name pcn, where n is 1,2,... You can change the interface name to a more descriptive one using the 'set' command. To enable the interface, use the 'enable' command:

[MikroTik] interface> print
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   backbone             1500  ether                                         
  1 X pc1                  1500  pc                                            
[MikroTik] interface> set 1 name aironet
[MikroTik] interface> enable aironet
[MikroTik] interface> print
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   backbone             1500  ether                                         
  1   aironet              1500  pc                                            

More configuration and statistics parameters can be found under the '/interface pc' menu:

[MikroTik] interface> pc
[MikroTik] interface pc> print
Flags: X - disabled 
  0   name=aironet mtu=1500 mac-address=00:40:96:37:70:68 arp=enabled 
      mode=infrastructure rts-threshold=2312 fragmentation-threshold=2312 
      tx-power=100 rx-diversity=right tx-diversity=right long-retry-limit=16 
      short-retry-limit=16 frequency=2427MHz bitrate=auto ap1=00:40:96:25:83:63 
      ap2=00:40:96:25:83:63 ap3=00:40:96:25:83:63 ap4=00:40:96:25:83:63 
      ssid1=tsunami ssid2="" ssid3="" modulation=cck 
      client-name=MikroTik_0 beacon-period=100 join-net=10s 
      firmware-version=PC4800A 3.85 

[MikroTik] interface pc>

Argument description:

number - Interface number in the list
name - Interface name
mtu - Maximum Transmit Unit (256...2048 bytes). Default value is 1500 bytes.
mode - Operation mode of the card (infrastructure / ad-hoc)
rts-threshold - RTS threshold
fragmentation-threshold - Fragmentation threshold
tx-power - Transmit power in mW
rx-diversity - Receive diversity (both / default / left / right)
tx-diversity - Transmit diversity (both / default / left / right)
long-retry-limit - Long retry limit
short-retry-limit - Short retry limit
frequency - Channel frequency (2412MHz / 2422MHz / ... / 2484MHz)
bitrate - Data rate (11Mbit/s / 1Mbit/s / 2Mbit/s / 5.5Mbit/s / auto)
ap1 - Access Point 1
ap2 - Access Point 2
ap3 - Access Point 3
ap4 - Access Point 4
ssid1 - Service Set Identifier 1
ssid2 - Service Set Identifier 2
ssid3 - Service Set Identifier 3
modulation - Modulation mode (cck / default / mbok)
client-name - Client name
join-net - Beaconing period
arp - Address Resolution Protocol (disabled / enabled / proxy-arp)

You can monitor the status of the wireless interface:

[MikroTik] interface pc> monitor 0
              quality: 0
             strength: 0
         current-rate: 11Mbit/s
    current-frequency: 2437MHz
         synchronized: no
           associated: no
                 ssid: tsunami
         access-point: FF:FF:FF:FF:FF:FF
    access-point-name:
         error-number: 0                 

[MikroTik] interface pc>

If the wireless interface card is not registered to an AP, the green status led is blinking fast.

To set the wireless interface for working with an IEEE 802.11b access point (register to the AP), you should set the following parameters:

All other parameters can be left as default. To configure the wireless interface for registering to an AP with ssid "mt", it is enough to change the argument value of ssid1 to "mt":

[MikroTik] interface pc> set 0 ssid1 mt
[MikroTik] interface pc> monitor 0
              quality: 63
             strength: 131
         current-rate: 11Mbit/s
    current-frequency: 2412MHz
         synchronized: yes
           associated: yes
                 ssid: mt
         access-point: 00:40:96:00:06:72
    access-point-name: Gulf
         error-number: 0                 

[MikroTik] interface pc>

If the wireless interface card is registered to an AP, the green status led is blinking slow.

Wireless Troubleshooting

Wireless Network Applications

Two possible wireless network configurations are discussed in the following examples:

Point-to-Multipoint Wireless LAN

Let us consider the following network setup with CISCO/Aironet Wireless Access Point as a base station and MikroTik Wireless Router as a client:

Point-to-Multipoint

The access point is connected to the wired network's HUB and has IP address from the network 10.1.1.0/24. The minimum configuration required for the AP is:

  1. Setting the Service Set Identifier (up to 32 alphanumeric characters). In our case we use ssid "mt".
  2. Setting the allowed data rates at 1-11Mbps, and the basic rate at 1Mbps.
  3. Choosing the frequency, in our case we use 2442MHz.
  4. Setting the identity parameters: ip address/mask and gateway. These are required if you want to access the AP remotely using telnet or http.

Reminder! Please note, that the AP is not a router! It has just one network address, and is just like any host on the network. It resembles a wireless-to-Ethernet HUB or bridge. The AP does not route the IP traffic!

The minimum configuration for the MikroTik router's CISCO/Aironet wireless interface is:

  1. Setting the Service Set Identifier to that of the AP, i.e., "mt"
  2. Setting the Operation Mode to "infrastructure"

[MikroTik] interface pc> set 0 ssid1 mt mode infrastructure
[MikroTik] interface pc> monitor 0
              quality: 62
             strength: 129
         current-rate: 11Mbit/s
    current-frequency: 2442MHz
         synchronized: yes
           associated: yes
                 ssid: mt
         access-point: 00:40:96:00:06:72
    access-point-name: Gulf
         error-number: 0                 
[MikroTik] interface pc>

The frequency argument does not have any meaning, since the frequency of the AP is used. The IP addresses assigned to the wireless interface should be from the network 10.1.1.0/24, e.g.:

[MikroTik] ip address> add address 10.1.1.12/24 interface aironet
[MikroTik] ip address> print                                                        
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.1.1.12/24       10.1.1.0        10.1.1.255      aironet               
  1   192.168.0.254/24   192.168.0.0     192.168.0.255   Local                 
[MikroTik] ip address>

The default route should be set to the gateway router 10.1.1.254 (not the AP 10.1.1.250 !):

[MikroTik] ip route> add gateway=10.1.1.254
[MikroTik] ip route> print                                                     
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  0.0.0.0/0          A            10.1.1.254  1        aironet    
  1 D  connect 192.168.0.0/24     A            0.0.0.0     0        Local      
  2 D  connect 10.1.1.0/24        A            0.0.0.0     0        aironet    
[MikroTik] ip route> 

Point-to-Point Wireless LAN

Let us consider the following point-to-point wireless network setup with two MikroTik Wireless Routers:

Point-to-Point

To establish a point-to-point link, the configuration of the wireless interface should be as follows:

The following command should be issued to change the settings for the pc interface:

[MikroTik] interface pc> set 0 mode ad-hoc ssid1 b_link frequency 2442MHz bitrate auto
[MikroTik] interface pc> monitor 0
              quality: 0
             strength: 0
         current-rate: 11Mbit/s
    current-frequency: 2412MHz
         synchronized: no
           associated: no
                 ssid: b_link
         access-point: FF:FF:FF:FF:FF:FF
    access-point-name:
         error-number: 0                 
[MikroTik] interface pc>

For 10 seconds (this is set by the argument join-net) the wireless card is looking for a network to join. The status of the card is not synchronized, and the green status light is blinking fast. If the card cannot find a network, the card creates its own network. The status of the card becomes 'synchronized', and the green status led becomes solid. The monitor command shows the new status and the MAC address generated:

[MikroTik] interface pc> monitor 0
              quality: 62
             strength: 129
         current-rate: 11Mbit/s
    current-frequency: 2412MHz
         synchronized: yes
           associated: no
                 ssid: b_link
         access-point: 16:01:0B:02:17:00
    access-point-name:
         error-number: 0                 
[MikroTik] interface pc>

The other router of the point-to-point link requires only the operation mode set to 'ad-hoc' and the Service Set Identifier set to "b_link". The channel frequency used will be the same as on the first router, which has created the wireless network. If the radios are able to establish an RF connection, the status of the card should become 'synchronized', and the green status led should become solid immediately after entering the command:

[wnet_gw] interface pc> set 0 mode ad-hoc ssid1 b_link frequency 2412MHz bitrate auto
[wnet_gw] interface pc> monitor 0
              quality: 58
             strength: 122
         current-rate: 11Mbit/s
    current-frequency: 2412MHz
         synchronized: yes
           associated: no
                 ssid: b_link
         access-point: 16:01:0B:02:17:00
    access-point-name:
         error-number: 0                 
[wnet_gw] interface pc> 

As we see, the MAC address under the 'access-point' parameter is the same as generated on the first router.

If desired, IP addresses can be assigned to the wireless interfaces of the point-to-point link routers using a smaller subnet, say a 30-bit one:

[MikroTik] ip address> add address 192.168.11.1/30 interface aironet
[MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   192.168.11.1/30    192.168.11.0    192.168.11.3    aironet               
  1   192.168.0.254/24   192.168.0.0     192.168.0.255   Local                 
[MikroTik] ip address>

The second router will have address 192.168.11.2. The network connectivity can be tested by using ping or bandwidth test:

[wnet_gw] ip address> add address 192.168.11.2/30 interface pc1 
[wnet_gw] ip address> print 
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   192.168.11.2/30    192.168.11.0    192.168.11.3    pc1
  1   10.1.1.12/24       10.1.1.0        10.1.1.255      Public
[wnet_gw] ip address> /ping 192.168.11.1
192.168.11.1 pong: ttl=255 time=3 ms
192.168.11.1 pong: ttl=255 time=1 ms
192.168.11.1 pong: ttl=255 time=1 ms
192.168.11.1 pong: ttl=255 ping interrupted
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1/1.5/3 ms
interrupted
[wnet_gw] ip address> /tool btest 192.168.11.1 protocol tcp 
connecting
current = 4.6Mbps   10secavg = 4.6Mbps   totalavg = 4.6Mbps
current = 4.7Mbps   10secavg = 4.6Mbps   totalavg = 4.6Mbps
current = 4.7Mbps   10secavg = 4.6Mbps   totalavg = 4.6Mbps
current = 4.3Mbps   10secavg = 4.6Mbps   totalavg = 4.6Mbps
current = 4.5Mbps   10secavg = 4.5Mbps   totalavg = 4.5Mbps
current = 4.6Mbps   10secavg = 4.5Mbps   totalavg = 4.5Mbps
[wnet_gw] ip address> /tool btest 192.168.12.1 protocol udp size 1500
connecting
current = 1500.0kbps   10secavg = 1500.0kbps   totalavg = 1500.0kbps
current = 2.0Mbps   10secavg = 1775.3kbps   totalavg = 1775.3kbps
current = 2.9Mbps   10secavg = 2.1Mbps   totalavg = 2.1Mbps
current = 4.4Mbps   10secavg = 2.7Mbps   totalavg = 2.7Mbps
current = 5.6Mbps   10secavg = 3.3Mbps   totalavg = 3.3Mbps
current = 5.6Mbps   10secavg = 3.6Mbps   totalavg = 3.6Mbps
current = 5.6Mbps   10secavg = 3.9Mbps   totalavg = 3.9Mbps
current = 5.6Mbps   10secavg = 4.1Mbps   totalavg = 4.1Mbps
[wnet_gw] ip address> 



WaveLAN/ORiNOCO 2.4GHz 11Mbps Wireless Interface

Document revision 01-Oct-2001
This document applies to the MikroTik RouterOS V2.4

Overview

The MikroTik RouterOS supports the following WaveLAN/ORiNOCO 2.4GHz 11Mbps Wireless Adapter hardware:

For more information about the WaveLAN / ORiNOCO adapter hardware please see the relevant User’s Guides and Technical Reference Manuals in .pdf format from the manufacturer:

Information about configuring the ORiNOCO wireless access point can be found there:

Contents of the Manual

The following topics are covered in this manual:

Wireless Adapter Hardware and Software Installation

Software Packages

The MikroTik Router should have the wavelan software package installed. The software package file wavelan-2.4.y.npk can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation the package should be listed under the installed software packages list, for example:

[MikroTik] > system package print                                              
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 wavelan                2.4                   sep/25/2001 05:08:09 no       
  1 routing                2.4                   sep/25/2001 05:06:07 no       
  2 ssh                    2.4                   sep/25/2001 05:08:11 no       
  3 system                 2.4                   sep/25/2001 05:05:48 no       
  4 ppp                    2.4                   sep/25/2001 05:06:35 no       
  5 pppoe                  2.4                   sep/25/2001 05:06:45 no       
  6 pptp                   2.4                   sep/25/2001 05:06:44 no       
[MikroTik] > 

Software License

The 2.4GHz wireless adapters require the 2.4GHz wireless feature license. One license is for one installation of the MikroTik RouterOS, disregarding how many cards are installed in one PC box. The wireless feature is not included in the Free Demo or Basic Software License. The 2.4GHz Wireless Feature cannot be obtained for the Free Demo License. It can be obtained only together with the Basic Software License.

System Resource Usage

Before installing the wireless adapter, please check the availability of free IRQ's and I/O base addresses:

[MikroTik] > system resource irq print                                         
 IRQ USED OWNER                                                                 
 1   yes  keyboard                                                              
 2   yes  APIC                                                                  
 3   no                                                                         
 4   yes  serial port                                                           
 5   yes  Wavelan 802.11                                                        
 6   no                                                                         
 7   no                                                                         
 8   no                                                                         
 9   no                                                                         
 10  yes  Public                                                                
 11  yes  Local                                                                 
 12  no                                                                         
 13  yes  FPU                                                                   
 14  yes  IDE 1                                                                 
 15  yes  PCMCIA service                                                        
[MikroTik] > system resource io print                                          
 PORT-RANGE            OWNER                                                    
 20-3F                 APIC                                                     
 40-5F                 timer                                                    
 60-6F                 keyboard                                                 
 80-8F                 DMA                                                      
 A0-BF                 APIC                                                     
 C0-DF                 DMA                                                      
 F0-FF                 FPU                                                      
 100-13F               Wavelan 802.11                                           
 1F0-1F7               IDE 1                                                    
 2F8-2FF               serial port                                              
 3C0-3DF               VGA                                                      
 3E0-3E1               PCMCIA service                                           
 3F6-3F6               IDE 1                                                    
 3F8-3FF               serial port                                              
 4000-4007             IDE 1                                                    
 4008-400F             IDE 2                                                    
 6300-631F             Local                                                    
 6700-67FF             Public                                                   
[MikroTik] >                                                                   

Installing the Wireless Adapter

The basic installation steps of the wireless adapter should be as follows:
  1. Check the system BIOS settings and make sure you do not have the 'PnP OS Installed' set to 'Yes'. If you have this setting, make sure it is set to 'No'.
  2. Check the system BIOS settings for peripheral devices, like, Parallel or Serial communication ports. Disable them, if you plan to use IRQ's assigned to them by the BIOS.
Please note, that not all combinations of I/O base addresses and IRQ's may work on your motherboard.

Special Notice for PCMCIA-PCI adapter users! The IRQ is not being reported back correctly on some MB for PCMCIA-PCI adapters. As a result, the wireless interface appears to be operational, but there can be no data transmitted over the wireless link. For example, when pinging the AP or GW from the router, there is no response to the ping, although the other end gets the MAC address of the WaveLAN interface of the router. To solve this, try using another MB, or use a PCMCIA-ISA adapter.

Loading the Driver for the Wireless Adapter

The WaveLAN / Orinoco PC (PCMCIA) cards do not require a 'manual' driver loading, since they are recognized automatically by the system and the driver is loaded at the system startup. If the driver has loaded successfully, two beeps of equal tone should be heard through the PC's speaker during the system startup. If the second beep has a lower tone than the first one, then the driver could not be loaded, or there is no wavelan package installed.
Note! The PC card can be inserted in the PCMCIA-ISA or PCI adapter when the system is running. The wavelan driver is not listed under the list of loaded drivers.

There can be several reasons for a failure to load the driver:

Wireless Interface Configuration

If the driver has been loaded successfully (no error messages), and you have the required 2.4GHz Wireless Software License, then the WaveLAN/ORiNOCO 2.4GHz Wireless interface should appear under the interfaces list with the name wavelanX, where X is 1,2,... You can change the interface name to a more descriptive one using the 'set' command. To enable the interface, use the 'enable' command:

[MikroTik] interface> print                                                    
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   Public               1500  ether                                         
  1   Local                1500  ether                                         
  2 X wavelan1             1500  wavelan                                       
[MikroTik] interface> enable 2                                                  
[MikroTik] interface> print                                                    
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   Public               1500  ether                                         
  1   Local                1500  ether                                         
  2   wavelan1             1500  wavelan                                       
[MikroTik] interface>                                                          

More configuration and statistics parameters can be found under the '/interface wavelan' menu:

[MikroTik] interface> wavelan                                                  
[MikroTik] interface wavelan> print                                            
Flags: X - disabled 
  0   name=wavelan1 mtu=1500 mac-address=00:02:2D:07:D8:44 arp=enabled 
      frequency=2412MHz data-rate=11Mbit/s mode=ad-hoc ssid="" client-name="" 
      key1="" key2="" key3="" key4="" tx-key=key1 encryption=no 

[MikroTik] interface wavelan>  

Argument description:

number - Interface number in the list
name - Interface name
mtu - Maximum Transmit Unit (256...2296 bytes). The default value is 1500 bytes.
mac-address - MAC address of the card. Cannot be changed.
frequency - Channel frequency (2412MHz / 2422MHz / ... / 2484MHz)
data-rate - Data rate (11Mbit/s / 1Mbit/s / 2Mbit/s / 5.5Mbit/s / auto)
mode - Operation mode of the card (infrastructure / ad-hoc)
ssid - Service Set Identifier
client-name - Client name
key1 - Encryption key #1
key2 - Encryption key #2
key3 - Encryption key #3
key4 - Encryption key #4
tx-key - Transmit key (key1 / key2 / key3 / key4)
encryption - Encryption (no / yes)
arp - Address Resolution Protocol (disabled / enabled / proxy-arp)
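An audit of the encryption arguments listed above, as an added example that is not part of the MikroTik manual: it parses `interface wavelan print` output and flags interfaces that run with encryption off, or with encryption on while the key selected by tx-key is empty. It also accepts the "key: value" layout that the same listing takes in a later example of this manual; entries 1 and 2 and the PLACEHOLDER-KEY value are constructed, and the function names and finding labels are this example's own.

```python
import re

# Entry 0 is copied from the print output above; entries 1 and 2 are constructed.
SAMPLE_EQUALS = '''\
[MikroTik] interface wavelan> print
Flags: X - disabled
  0   name=wavelan1 mtu=1500 mac-address=00:02:2D:07:D8:44 arp=enabled
      frequency=2412MHz data-rate=11Mbit/s mode=ad-hoc ssid="" client-name=""
      key1="" key2="" key3="" key4="" tx-key=key1 encryption=no
  1   name=wl-enc mtu=1500 mac-address=00:02:2D:00:00:01 arp=enabled
      frequency=2412MHz data-rate=11Mbit/s mode=ad-hoc ssid=b_link client-name=""
      key1="" key2=PLACEHOLDER-KEY key3="" key4="" tx-key=key1 encryption=yes
  2 X name=wl-ok mtu=1500 mac-address=00:02:2D:00:00:02 arp=enabled
      frequency=2412MHz data-rate=11Mbit/s mode=ad-hoc ssid=b_link client-name=""
      key1=PLACEHOLDER-KEY key2="" key3="" key4="" tx-key=key1 encryption=yes
'''

# The "key: value" layout, copied from the home_gw listing later in this manual.
SAMPLE_COLON = '''\
0   name: wl-home mtu: 1500 mac-address: 00:02:2D:07:D8:44 frequency: 2447MHz
    date-rate: 11Mbit/s mode: ad-hoc ssid: home_link client-name: "" key1: ""
    key2: "" key3: "" key4: "" tx-key: key1 encryption: no arp: arp
'''

# A field is a lowercase key, then "=" or ": ", then a quoted or bare value.
FIELD = re.compile(r'(?<![\w-])([a-z][a-z0-9-]*)(?:=|: )("[^"]*"|\S*)')
# An entry starts with its number and optional one-letter flags (X = disabled).
ENTRY = re.compile(r'^\s*(\d+)\s+((?:[A-Z]\s+)*)(?=[a-z])')


def parse_print(text):
    """Return one dict per numbered entry; wrapped lines extend the last entry."""
    entries = []
    for line in text.splitlines():
        if line.lstrip().startswith(('Flags:', '[')):
            continue  # flag legend and prompt lines carry no settings
        m = ENTRY.match(line)
        if m:
            entries.append({'_number': int(m.group(1)),
                            '_disabled': 'X' in m.group(2).split()})
            line = line[m.end():]
        if not entries:
            continue
        for key, value in FIELD.findall(line):
            entries[-1][key] = value.strip('"')
    return entries


def audit_wavelan(entries):
    """Return [(interface name, finding)] for links that are not encrypted."""
    findings = []
    for e in entries:
        name = e.get('name', '#%d' % e['_number'])
        if e.get('encryption') != 'yes':
            findings.append((name, 'encryption-off'))
            continue
        selected = e.get('tx-key', '')
        if not e.get(selected):  # tx-key names a slot that holds no key
            findings.append((name, 'tx-key-empty'))
    return findings


if __name__ == '__main__':
    for sample in (SAMPLE_EQUALS, SAMPLE_COLON):
        for name, finding in audit_wavelan(parse_print(sample)):
            print('%s: %s' % (name, finding))
```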

You can monitor the status of the wireless interface:

[MikroTik] interface wavelan>                                                  
             bssid: 44:44:44:44:44:44 
         frequency: 2422MHz           
         data-rate: 11Mbit/s          
              ssid: tsunami                
    signal-quality: 0                 
      signal-level: 0               
             noise: 0               

[MikroTik] interface wavelan>

To set the wireless interface for working with an IEEE 802.11b access point (register to the AP), you should set the following parameters:

All other parameters can be left as default. To configure the wireless interface for registering to an AP with ssid "MT_w_AP", it is enough to change the argument value of ssid to "MT_w_AP":

[MikroTik] interface wavelan> set 0 ssid MT_w_AP mode infrastructure           
[MikroTik] interface wavelan> monitor wavelan1                                 
             bssid: 00:40:96:42:0C:9C 
         frequency: 2437MHz           
         data-rate: 11Mbit/s          
              ssid: MT_w_AP           
    signal-quality: 65                
      signal-level: 228               
             noise: 163               

[MikroTik] interface wavelan>  

Wireless Troubleshooting

Wireless Network Applications

Two possible wireless network configurations are discussed in the following examples:

Point-to-Multipoint Wireless LAN

Let us consider the following network setup with WaveLAN / ORiNOCO or CISCO/Aironet Wireless Access Point as a base station and MikroTik Wireless Router as a client:

Point-to-Multipoint

The access point is connected to the wired network's HUB and has IP address from the network 10.1.1.0/24. The minimum configuration required for the AP is:

  1. Setting the Service Set Identifier (up to 32 alphanumeric characters). In our case we use ssid "mt".
  2. Setting the allowed data rates at 1-11Mbps, and the basic rate at 1Mbps.
  3. Choosing the frequency, in our case we use 2452MHz.
  4. Setting the identity parameters: ip address/mask and gateway. These are required if you want to access the AP remotely.

Reminder! Please note, that the AP is not a router! It has just one network address, and is just like any host on the network. It resembles a wireless-to-Ethernet HUB or bridge. The AP does not route the IP traffic!

The minimum configuration for the MikroTik router's wavelan wireless interface is:

  1. Setting the Service Set Identifier to that of the AP, i.e., "mt"
  2. Setting the Operation Mode to "infrastructure"

[MikroTik] interface wavelan> set wavelan1 ssid mt mode infrastructure
[MikroTik] interface wavelan>                                                  
             bssid: 00:40:96:42:0C:9C 
         frequency: 2437MHz           
         data-rate: 11Mbit/s           
              ssid: mt                
    signal-quality: 64                
      signal-level: 228               
             noise: 163               

[MikroTik] interface wavelan>   

The channel frequency argument does not have any meaning, since the frequency of the AP is used.

IP Network Configuration

The IP addresses assigned to the wireless interface should be from the network 10.1.1.0/24, e.g.:

[MikroTik] ip address> add address 10.1.1.12/24 interface wavelan1 
[MikroTik] ip address> add address 192.168.0.254/24 interface ether1 
[MikroTik] ip address> print                                                   
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   192.168.0.254/24   192.168.0.0     192.168.0.255   ether1                
  1   10.1.1.12/24       10.1.1.0        10.1.1.255      wavelan1              
[MikroTik] ip address>

The default route should be set to the gateway router 10.1.1.254 (not the AP 10.1.1.250 !):

[MikroTik] ip route> add gateway 10.1.1.254
[MikroTik] ip route> print                                                     
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  0.0.0.0/0          A            10.1.1.254  1        wavelan1   
  1 D  connect 192.168.0.0/24     A            0.0.0.0     0        ether1     
  2 D  connect 10.1.1.0/24        A            0.0.0.0     0        wavelan1   
[MikroTik] ip route>   

Point-to-Point Wireless LAN

Let us consider the following point-to-point wireless network setup with two MikroTik Wireless Routers:

Point-to-Point

To establish a point-to-point link, the configuration of the wireless interface should be as follows:

The following command should be issued to change the settings for the wavelan interface:

[MikroTik] interface wavelan> set 0 ssid b_link mode ad-hoc frequency 2412MHz 
[MikroTik] interface wavelan> monitor wavelan1 
             bssid: 00:02:2D:07:17:23
         frequency: 2412MHz
         data-rate: 11Mbit/s
              ssid: b_link
    signal-quality: 0
      signal-level: 154
             noise: 154
[MikroTik] interface wavelan> 

The other router of the point-to-point link requires the same parameters to be set:

[wnet_gw] interface wavelan> set 0 ssid b_link mode ad-hoc frequency 2412MHz 
[wnet_gw] interface wavelan> enable 0
[wnet_gw] interface wavelan> monitor 0
             bssid: 00:02:2D:07:17:23
         frequency: 2412MHz
         data-rate: 11Mbit/s
              ssid: b_link
    signal-quality: 0
      signal-level: 154
             noise: 154
[wnet_gw] interface wavelan> 

As we see, the MAC address under the 'bssid' parameter is the same as generated on the first router.

IP Network Configuration

If desired, IP addresses can be assigned to the wireless interfaces of the point-to-point link routers using a smaller subnet, say a 30-bit one:

[MikroTik] ip address> add address 10.0.0.1/30 interface wavelan1 
[MikroTik] ip address> add address 192.168.0.254/24 interface ether1 
[MikroTik] ip address> print 
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.0.0.1        255.255.255.252 10.0.0.1        10.0.0.3        wavelan1
  1 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   ether1
[MikroTik] ip address> /ip route add gateway 10.0.0.2 
[MikroTik] ip address> /ip route print 
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.0.0.0        255.255.255.252 0.0.0.0         10.0.0.1        wave... D K
  1 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   ether1  D K
  2 0.0.0.0         0.0.0.0         10.0.0.2        0.0.0.0         wave...
[MikroTik] ip address>

The second router will have address 10.0.0.2, the default route to 10.1.1.254, and a static route for network 192.168.0.0/24 to 10.0.0.1:

[wnet_gw] ip address> add address 10.0.0.2/30 interface wl1 
[wnet_gw] ip address> add address 10.1.1.12/24 interface Public 
[wnet_gw] ip address> print 
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.0.0.2        255.255.255.252 10.0.0.2        10.0.0.3        wl1
  1 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      Public
[wnet_gw] ip address> /ip route 
[wnet_gw] ip route> add gateway 10.1.1.254 interface Public 
[wnet_gw] ip route> add gateway 10.0.0.1 interface wl1 \
                    dst-address 192.168.0.0/24
[wnet_gw] ip route> print 
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.0.0.0        255.255.255.252 0.0.0.0         10.0.0.2        wl1     D K
  1 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       Public  D K
  2 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         Public
  3 192.168.0.0     255.255.255.0   10.0.0.1        0.0.0.0         wl1
[wnet_gw] ip route> 

Testing the Network Connectivity

The network connectivity can be tested by using ping or bandwidth test:

[MikroTik]> ping 10.0.0.2
10.0.0.2 pong: ttl=255 time=2 ms
10.0.0.2 pong: ttl=255 time=2 ms
10.0.0.2 pong: ttl=255 time=2 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 2/2.0/2 ms
interrupted
[MikroTik]> tool btest 10.0.0.2 protocol udp size 1500
connecting
current = 1500.0kbps   10secavg = 1500.0kbps   totalavg = 1500.0kbps
current = 2039.0kbps   10secavg = 1769.5kbps   totalavg = 1769.5kbps
current = 2.8Mbps   10secavg = 2.1Mbps   totalavg = 2.1Mbps
current = 4.1Mbps   10secavg = 2.6Mbps   totalavg = 2.6Mbps
current = 4.1Mbps   10secavg = 2.9Mbps   totalavg = 2.9Mbps
current = 4.1Mbps   10secavg = 3.1Mbps   totalavg = 3.1Mbps
current = 4.2Mbps   10secavg = 3.2Mbps   totalavg = 3.2Mbps
[MikroTik]> 

Point-to-Point Wireless LAN with Windows Client

Let us consider the following point-to-point wireless network setup with one MikroTik Wireless Router and a laptop computer with a Wavelan card:

Point-to-Point with Windows

It is very important that the MikroTik Router is configured prior to turning on and configuring the wireless client. The MikroTik router should be up and running so that the client can join its network.

The configuration of the wireless interface of the MikroTik Router should be as follows:

The following command should be issued to change the settings for the wavelan interface:

[home_gw] interface wavelan> set wl-home frequency 2447MHz \
          mode ad-hoc ssid home_link
[home_gw] interface wavelan> enable wl-home 
[home_gw] interface wavelan> print 
0   name: wl-home mtu: 1500 mac-address: 00:02:2D:07:D8:44 frequency: 2447MHz
    date-rate: 11Mbit/s mode: ad-hoc ssid: home_link client-name: "" key1: ""
    key2: "" key3: "" key4: "" tx-key: key1 encryption: no arp: arp

[home_gw] interface wavelan> monitor 0
             bssid: 02:02:2D:07:D8:44
         frequency: 2447MHz
         data-rate: 11Mbit/s
              ssid: home_link
    signal-quality: 0
      signal-level: 154
             noise: 154
[home_gw] interface wavelan> 

Configure the laptop computer with the Wavelan card following the manufacturer's instructions.

Note! In Ad-Hoc (Peer-to-Peer) mode the V1.76 ORiNOCO Client Manager program allows setting only the Network Name (ssid) parameter. The channel (frequency) parameter is taken from the other peer. Therefore, the MikroTik Router should be configured for ad-hoc mode operation prior to turning on the laptop Wavelan client.

If the laptop Wavelan client has established the wireless link with the MikroTik router, it should report the same parameters as set on the MikroTik router's wavelan interface:

Client Manager

Here we see channel #8, which corresponds to the 2447MHz frequency.

IP Network Configuration

The IP addresses assigned to the wireless interface of the MikroTik Router should be from the network 192.168.0.0/24:

[home_gw] ip address> add interface Public address 10.1.1.12/24
[home_gw] ip address> add interface wl-home address 192.168.0.254/24
[home_gw] ip address> print 
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      Public
  1 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   wl-home
[home_gw] ip address> /ip route 
[home_gw] ip route> add gateway 10.1.1.254
[home_gw] ip route> print 
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       Public  D K
  1 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   wl-home D K
  2 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         Public
[home_gw] ip route>

The DHCP server can be enabled on the wireless interface:

[home_gw] ip dhcp-server> print
0   interface: Public enabled: no from-address: 0.0.0.0 to-address: 0.0.0.0
    lease-time: 0:10:00 netmask: 0.0.0.0 gateway: 0.0.0.0 src-address: 0.0.0.0
    dns-server: 0.0.0.0 domain: ""

1   interface: wl-home enabled: no from-address: 0.0.0.0 to-address: 0.0.0.0
    lease-time: 0:10:00 netmask: 0.0.0.0 gateway: 0.0.0.0 src-address: 0.0.0.0
    dns-server: 0.0.0.0 domain: ""

[home_gw] ip dhcp-server> set 1 enabled yes from-address 192.168.0.1 \
                          to-address 192.168.0.200 netmask 255.255.255.0 \
                          gateway 192.168.0.254 src-address 192.168.0.254 \
                          dns-server 159.148.147.194 domain myhome.com
[home_gw] ip dhcp-server> print
0   interface: Public enabled: no from-address: 0.0.0.0 to-address: 0.0.0.0
    lease-time: 0:10:00 netmask: 0.0.0.0 gateway: 0.0.0.0 src-address: 0.0.0.0
    dns-server: 0.0.0.0 domain: ""

1   interface: wl-home enabled: yes from-address: 192.168.0.1
    to-address: 192.168.0.200 lease-time: 0:10:00 netmask: 255.255.255.0
    gateway: 192.168.0.254 src-address: 192.168.0.254
    dns-server: 159.148.147.194 domain: myhome.com

[home_gw] ip dhcp-server> 

Testing the Network Connectivity

The network connectivity can be tested by monitoring the obtained leases:

[home_gw] ip dhcp-server> lease print 
  # ADDRESS         MAC-ADDRESS       INTERFACE            EXPIRES-AT
  0 192.168.0.1     00:02:2D:07:17:23 wl-home              sep/14/2001 10:58:23
[home_gw] ip dhcp-server>

Note! You may need to perform a 'renew lease' on the client to obtain the IP address from the router, if the DHCP server was configured after the Wavelan client was turned on.

Use the ping command to test the connectivity from the router:

[home_gw] ip dhcp-server> /ping 192.168.0.1
192.168.0.1 pong: ttl=32 time=3 ms
192.168.0.1 pong: ttl=32 time=2 ms
192.168.0.1 pong: ttl=32 time=2 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 2/2.3/3 ms
interrupted
[home_gw] ip dhcp-server> 

You may want to turn on masquerading for the local addresses 192.168.0.0/24 when going out to the Internet:

[home_gw] ip firewall rule> add forward action masq src-address 192.168.0.0/24 \
                            interface Public
[home_gw] ip firewall rule> print forward 
0   action: masq protocol: all src-address: 192.168.0.0
    src-netmask: 255.255.255.0 src-ports: 0-65535 dst-address: 0.0.0.0
    dst-netmask: 0.0.0.0 dst-ports: 0-65535 interface: Public log: no

[home_gw] ip firewall rule> 

Thus, the IP address of the router, 10.1.1.12, will be used as the source address when accessing other networks through the Public interface. More about IP network and firewall configuration can be found in the relevant sections of the MikroTik RouterOS Manual.
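The DHCP server and masquerading settings above have to agree with each other. The following is an added Python example, not part of the MikroTik manual, that parses the two 'print' outputs shown above and checks that the lease pool lies inside the interface network, that the gateway is not handed out as a lease, and that the pool is covered by a masq rule. The sample text is constructed from the outputs above; the three checks and all function names are choices made for this example.

```python
import ipaddress
import re

# Constructed from the 'ip dhcp-server print' and 'ip firewall rule print forward'
# outputs shown in the section above.
DHCP_PRINT = """\
0   interface: Public enabled: no from-address: 0.0.0.0 to-address: 0.0.0.0
    lease-time: 0:10:00 netmask: 0.0.0.0 gateway: 0.0.0.0 src-address: 0.0.0.0
    dns-server: 0.0.0.0 domain: ""

1   interface: wl-home enabled: yes from-address: 192.168.0.1
    to-address: 192.168.0.200 lease-time: 0:10:00 netmask: 255.255.255.0
    gateway: 192.168.0.254 src-address: 192.168.0.254
    dns-server: 159.148.147.194 domain: myhome.com
"""
FORWARD_PRINT = """\
0   action: masq protocol: all src-address: 192.168.0.0
    src-netmask: 255.255.255.0 src-ports: 0-65535 dst-address: 0.0.0.0
    dst-netmask: 0.0.0.0 dst-ports: 0-65535 interface: Public log: no
"""

# A key starts with a letter and is followed by ': ', so values that contain
# colons themselves (lease-time: 0:10:00) are not mistaken for keys.
_PAIR = re.compile(r"([a-z][a-z0-9-]*): (\S+)")


def parse_records(text):
    """Split 'N   key: value ...' print output into one dict per numbered item."""
    records = []
    for chunk in re.split(r"(?m)^\d+\s+", text):
        pairs = _PAIR.findall(chunk)
        if pairs:
            records.append({key: value.strip('"') for key, value in pairs})
    return records


def check_dhcp_and_masq(dhcp_records, forward_rules):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    masq_nets = [
        ipaddress.ip_network(f"{r['src-address']}/{r['src-netmask']}", strict=False)
        for r in forward_rules
        if r.get("action") == "masq"
    ]
    for rec in dhcp_records:
        if rec.get("enabled") != "yes":
            continue  # disabled servers hand out nothing
        name = rec["interface"]
        net = ipaddress.ip_network(f"{rec['gateway']}/{rec['netmask']}", strict=False)
        first = ipaddress.ip_address(rec["from-address"])
        last = ipaddress.ip_address(rec["to-address"])
        gateway = ipaddress.ip_address(rec["gateway"])
        if first > last:
            findings.append(f"{name}: from-address is above to-address")
        for label, addr in (("from-address", first), ("to-address", last)):
            if addr not in net:
                findings.append(f"{name}: {label} {addr} is outside {net}")
            elif addr in (net.network_address, net.broadcast_address):
                findings.append(f"{name}: {label} {addr} is not a host address")
        if first <= gateway <= last:
            findings.append(f"{name}: gateway {gateway} lies inside the lease pool")
        if not any(first in m and last in m for m in masq_nets):
            findings.append(f"{name}: lease pool is not covered by a masq rule")
    return findings


if __name__ == "__main__":
    dhcp = parse_records(DHCP_PRINT)
    rules = parse_records(FORWARD_PRINT)
    for line in check_dhcp_and_masq(dhcp, rules) or ["no findings"]:
        print(line)
```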


MikroTik RouterOS V2.4 RadioLAN 5.8GHz Wireless Interface

RadioLAN 5.8GHz Wireless Interface

Document revision 14-Oct-2001
This document applies to the MikroTik RouterOS V2.4

Overview

The MikroTik RouterOS supports the following RadioLAN 5.8GHz Wireless Adapter hardware:

For more information about the RadioLAN adapter hardware please see the relevant User’s Guides and Technical Reference Manuals.

Contents of the Manual

The following topics are covered in this manual:

Wireless Adapter Hardware and Software Installation

Software Packages

The MikroTik Router should have the radiolan software package installed. The software package file radiolan-2.4.x.npk can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation the package should be listed under the installed software packages list, for example:

[MikroTik] system package> print
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 radiolan               2.4                   sep/25/2001 05:08:05 no
  1 pptp                   2.4                   sep/25/2001 05:06:44 no
  2 ppp                    2.4                   sep/25/2001 05:06:35 no
  3 pppoe                  2.4                   sep/25/2001 05:06:45 no
  4 ssh                    2.4                   sep/25/2001 05:08:11 no
  5 routing                2.4                   sep/25/2001 05:06:07 no
  6 snmp                   2.4                   sep/25/2001 05:06:09 no
  7 system                 2.4                   sep/25/2001 05:05:48 no
[MikroTik] system package>

Software License

The RadioLAN 5.8GHz wireless adapters require the RadioLAN 5.8GHz wireless feature license. One license is for one installation of the MikroTik RouterOS, regardless of how many cards are installed in one PC box. The wireless feature is not included in the Free Demo or Basic Software License. The RadioLAN 5.8GHz Wireless Feature cannot be obtained for the Free Demo License. It can be obtained only together with the Basic Software License.

System Resource Usage

Before installing the wireless adapter, please check the availability of free IRQs and I/O base addresses:

[MikroTik] system resource> irq print
 IRQ USED OWNER
 1   yes  keyboard
 2   yes  APIC
 3   no
 4   yes  serial port
 5   no
 6   no
 7   no
 8   no
 9   yes  ether1
 10  no
 11  yes  pc1
 12  no
 13  yes  FPU
 14  yes  IDE 1
 [MikroTik] system resource> io print
 PORT-RANGE            OWNER
 20-3F                 APIC
 40-5F                 timer
 60-6F                 keyboard
 80-8F                 DMA
 A0-BF                 APIC
 C0-DF                 DMA
 F0-FF                 FPU
 1F0-1F7               IDE 1
 2F8-2FF               serial port
 3C0-3DF               VGA
 3F6-3F6               IDE 1
 3F8-3FF               serial port
 EE00-EEFF             ether1
 EF40-EF7F             pc1
 FC00-FC07             IDE 1
 FC08-FC0F             IDE 2
 FC10-FC7F             [CS5530]
[MikroTik] system resource>

Installing the Wireless Adapter

The basic installation steps of the wireless adapter should be as follows:
  1. Check the system BIOS settings and make sure you do not have the 'PnP OS Installed' set to 'Yes'. If you have this setting, make sure it is set to 'No'.
  2. Check the system BIOS settings for peripheral devices, such as parallel or serial communication ports. Disable them if you plan to use the IRQs assigned to them by the BIOS.
  3. Use RLProg.exe to set the IRQ and Base Port address of the RadioLAN ISA card (Model 101). RLProg must be run from a DOS window. Use a separate computer or a bootable floppy to run the RLProg utility and set the hardware parameters. The factory default values of I/O 0x300 and IRQ 10 might conflict with other devices.

Please note that not all combinations of I/O base addresses and IRQs may work on your motherboard. It has been observed that IRQ 5 and I/O 0x300 work in most cases.

Loading the Driver for the Wireless Adapter

The ISA card requires the driver to be loaded by issuing the following command:

[MikroTik] > driver add name=radiolan io=0x300
[MikroTik] > driver print
Flags: I - invalid, D - dynamic
  #   DRIVER                            IRQ IO         MEMORY     ISDN-PROTOCOL
  0 D RealTek RTL8129/8139
  1   ISA RadioLAN                          0x300
[MikroTik] >

There can be several reasons for a failure to load the driver:

Wireless Interface Configuration

If the driver has been loaded successfully (no error messages), and you have the required RadioLAN 5.8GHz Wireless Software License, then the RadioLAN 5.8GHz Wireless interface should appear under the interfaces list with the name radiolanX, where X is 1,2,... You can change the interface name to a more descriptive one using the 'set' command. To enable the interface, use the 'enable' command:

[MikroTik] interface> print
Flags: X - disabled, D - dynamic
  #   NAME                 MTU   TYPE
  0   ether1               1500  ether
  1 X radiolan1            1500  radiolan
[MikroTik] interface>
[MikroTik] interface> enable radiolan1
[MikroTik] interface> print
Flags: X - disabled, D - dynamic
  #   NAME                 MTU   TYPE
  0   ether1               1500  ether
  1   radiolan1            1500  radiolan
[MikroTik] interface>

More configuration and statistics parameters can be found under the '/interface radiolan' menu:

[MikroTik] interface> radiolan
[MikroTik] interface radiolan> print
0   name: radiolan1 mtu: 1500 mac-address: 00:A0:D4:20:42:EE distance: 0-150m
    tx-diversity: disabled rx-diversity: disabled default-dst: firstclient
    max-retries: 15 sid: bbbb card-name: 00A0D42042EE
    cfg-destination: 00:00:00:00:00:00 arp: enabled

[MikroTik] interface radiolan>

Argument description:

number - Interface number in the list
name - Interface name
mtu - Maximum Transmission Unit (68...1900 bytes). Default value is 1500 bytes.
mac-address - MAC address. Cannot be changed.
distance - distance setting for the link (0-10.2km)
rx-diversity - Receive diversity (disabled / enabled)
tx-diversity - Transmit diversity (disabled / enabled)
default-dst - default destination (alone / ap / cfg / firstap / firstclient). It sets the destination where to send the packet if it is not for a client in the radio network.
max-retries - maximum retries before dropping the packet
sid - Service Set Identifier
card-name - Card name
cfg-destination - MAC address of a host in the radio network where to send the packet, if it is for none of the radio clients.
arp - Address Resolution Protocol (disabled / enabled / proxy-arp)

You can monitor the status of the wireless interface:

[MikroTik] interface radiolan> monitor radiolan1
    default: 00:00:00:00:00:00
      valid: no
[MikroTik] interface radiolan>

Here, the wireless interface card has not found any neighbour.

To set the wireless interface for working with another wireless card in a point-to-point link, you should set the following parameters:

All other parameters can be left as default:

[MikroTik] interface radiolan> set 0 sid ba72 distance 4.7km-6.6km
[MikroTik] interface radiolan> print
0   name: radiolan1 mtu: 1500 mac-address: 00:A0:D4:20:42:EE
    distance: 4.7km-6.6km tx-diversity: disabled rx-diversity: disabled
    default-dst: firstclient max-retries: 15 sid: ba72 card-name: 00A0D42042EE
    cfg-destination: 00:00:00:00:00:00 arp: enabled

[MikroTik] interface radiolan> monitor 0
    default: 00:A0:D4:20:42:47
      valid: yes

[MikroTik] interface radiolan>

You can monitor the list of neighbours having the same sid and being within the radio range:

[MikroTik] interface radiolan> neighbours print radiolan1
NAME             MAC-ADDRESS       FLAGS ACCESS-POINT
00A0D4204247     00:A0:D4:20:42:47    D
[MikroTik] interface radiolan>

You can test the link by pinging the neighbour by its MAC address:

[MikroTik] interface radiolan> ping radiolan1 \
mac-address 00:A0:D4:20:42:47 size 1500 count 50
Sent: 2/50 (4%), Ok: 2/2 (100%) max/avg/min retries: 0/0.0/0
Sent: 12/50 (24%), Ok: 12/12 (100%) max/avg/min retries: 0/0.0/0
Sent: 22/50 (44%), Ok: 22/22 (100%) max/avg/min retries: 0/0.0/0
Sent: 32/50 (64%), Ok: 32/32 (100%) max/avg/min retries: 0/0.0/0
Sent: 42/50 (84%), Ok: 42/42 (100%) max/avg/min retries: 0/0.0/0
Sent: 50/50 (100%), Ok: 50/50 (100%) max/avg/min retries: 0/0.0/0
[MikroTik] interface radiolan>

Wireless Troubleshooting

Wireless Network Applications

Two possible wireless network configurations are discussed in the following examples:

Point-to-Point Setup with Routing

Let us consider the following network setup with two MikroTik Routers having RadioLAN interfaces:

The minimum configuration required for the RadioLAN interfaces of both routers is:
  1. Setting the Service Set Identifier (up to alphanumeric characters). In our case we use ssid "ba72".
  2. Setting the distance parameter. In our case we have a 6km link.

The IP addresses assigned to the wireless interface of Router#1 should be from the network 10.1.0.0/30, e.g.:

[MikroTik] ip address> add address 10.1.0.1/30 interface radiolan1
[MikroTik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.1.0.1        255.255.255.252 10.1.0.1        10.1.0.3        radiolan1
  1 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      ether1
[MikroTik] ip address>

The default route should be set to the gateway router 10.1.1.254. A static route should be added for the network 192.168.0.0/24:

[MikroTik] ip route> add gateway 10.1.1.254 interface ether1
[MikroTik] ip route> add dst-address 192.168.0.0/24 gateway 10.1.0.2 \
interface radiolan1
[MikroTik] ip route> print
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       ether1  D K
  1 10.1.0.0        255.255.255.252 0.0.0.0         10.1.0.1        radi... D K
  2 192.168.0.0     255.255.255.0   10.1.0.2        0.0.0.0         radi...
  3 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         ether1
[MikroTik] ip route>

Router#2 should have addresses 10.1.0.2/30 and 192.168.0.254/24 assigned to the radiolan and Ethernet interfaces respectively. The default route should be set to 10.1.0.1.

Point-to-Point Setup with Bridging

The radiolan interface setup is similar to that in the previous example. However, bridging of the desired protocols should be enabled for the radiolan and ethernet interfaces:

[MikroTik] bridge> set ip forward arp forward other forward
[MikroTik] bridge> print
           ip: forward
          arp: forward
          ipx: discard
    appletalk: discard
         ipv6: discard
        other: forward
     priority: 1
[MikroTik] bridge> interface
[MikroTik] bridge interface> print
  # INTERFACE                                                           FORWARD
  0 ether1                                                              no
  1 radiolan1                                                           no
[MikroTik] bridge interface> set 0 forward yes
[MikroTik] bridge interface> set 1 forward yes
[MikroTik] bridge interface> pr
  # INTERFACE                                                           FORWARD
  0 ether1                                                              yes
  1 radiolan1                                                           yes
[MikroTik] bridge interface>

Enable the bridge interface and assign the IP address to it, as well as set the default gateway:

[MikroTik] interface> print
  # NAME                                                    TYPE        MTU
  0 ether1                                                  ether       1500
  1 radiolan1                                               radiolan    1500
( 2)bridge1                                                 bridge      1500
[MikroTik] interface> enable 2
[MikroTik] interface> /ip address
[MikroTik] ip address> add address 10.1.1.12/24 interface bridge1
[MikroTik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      bridge1
[MikroTik] ip address> .. route add gateway 10.1.1.254 interface bridge1
[MikroTik] ip address> .. route print
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       bridge1 D K
  1 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         bridge1
[MikroTik] ip address>

Router#2 should be set up similarly, with a different IP address assigned to it, e.g., 10.1.1.13/24; the default gateway is 10.1.1.254. Thus, the Ethernet networks are bridged over the RadioLAN point-to-point link.


MikroTik RouterOS PrismII Wireless Client and Wireless Access Point Manual

PrismII Wireless Client and Wireless Access Point

Document revision 04-Sep-2001
This document applies to the V2.4 of the MikroTik RouterOS

Overview

The MikroTik RouterOS supports the following IEEE 802.11b standard PrismII chipset based wireless adapter hardware:

For more information about adapter hardware please see the relevant User’s Guides and Technical Reference Manuals of the hardware manufacturers.

The MikroTik RouterOS supports the PrismII chipset based wireless adapter cards for working both as wireless clients (station mode) and wireless access points (access-point mode).

Notice about PCMCIA Adapters: Currently only the following PCMCIA-ISA and PCMCIA-PCI adapters are recognized properly by the MikroTik RouterOS:

All other PCMCIA-ISA and PCMCIA-PCI adapters might not function properly.

Contents of the Manual

The following topics are covered in this manual:

Wireless Adapter Hardware and Software Installation

Software Packages

The MikroTik Router should have the prism software package installed. The software package file prism-2.4.x.npk can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation the package should be listed under the installed software packages list, for example:

[MikroTik] > sys package print                                                 
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 routing                2.4rc6                aug/06/2001 15:56:22 no       
  1 snmp                   2.4rc6                aug/06/2001 15:56:24 no       
  2 ppp                    2.4rc6                aug/06/2001 15:56:37 no       
  3 pptp                   2.4rc6                aug/06/2001 15:56:47 no       
  4 pppoe                  2.4rc6                aug/06/2001 15:56:53 no       
  5 ssh                    2.4rc6                aug/06/2001 15:58:11 no       
  6 system                 2.4rc6                aug/06/2001 15:56:04 no       
  7 prism                  2.4rc6                aug/06/2001 15:58:54 no       
[MikroTik] >   

Software License

The 2.4GHz wireless adapters require the 2.4GHz wireless feature license. One license is for one installation of the MikroTik RouterOS, regardless of how many cards are installed in one PC box. The wireless feature is not included in the Free Demo or Basic Software License. The 2.4GHz Wireless Feature cannot be obtained for the Free Demo License. It can be obtained only together with the Basic Software License.

The 2.4GHz Wireless Feature License enables only the station mode of the Prism II card. To enable the access point mode, additionally the Wireless AP Feature License is required.

The MikroTik RouterOS supports as many PrismII chipset based cards as there are free resources on your system, i.e., IRQs and adapter slots. One license is valid for all cards on your system.

System Resource Usage

Before installing the wireless adapter, please check the availability of free IRQs and I/O base addresses:

[MikroTik] > system resource irq print                                         
 IRQ USED OWNER                                                                 
 1   yes  keyboard                                                              
 2   yes  APIC                                                                  
 3   no                                                                         
 4   yes  serial port                                                           
 5   no
 6   no                                                                         
 7   no                                                                         
 8   no                                                                         
 9   yes  ether1                                                                
 10  no                                                                         
 11  no                                                                         
 12  no                                                                         
 13  yes  FPU                                                                   
 14  yes  IDE 1                                                                 
[MikroTik] > system resource io print                                          
 PORT-RANGE            OWNER                                                    
 32-63                 APIC                                                     
 64-95                 timer                                                    
 96-111                keyboard                                                 
 128-143               DMA                                                      
 160-191               APIC                                                     
 192-223               DMA                                                      
 240-255               FPU                                                      
 496-503               IDE 1                                                    
 760-767               serial port                                              
 960-991               VGA                                                      
 992-993               PCMCIA service                                           
 1014-1014             IDE 1                                                    
 1016-1023             serial port                                              
 61184-61439           ether1                                                   
 64512-64519           IDE 1                                                    
 64520-64527           IDE 2                                                    
 64528-64639           [CS5530]                                                 
[MikroTik] >

Installing the Wireless Adapter

The basic installation steps of the wireless adapter should be as follows:
  1. Check the system BIOS settings and make sure you do not have the 'PnP OS Installed' set to 'Yes'. If you have this setting, make sure it is set to 'No'.
  2. Check the system BIOS settings for peripheral devices, such as parallel or serial communication ports. Disable them if you plan to use the IRQs assigned to them by the BIOS.

Loading the Driver for the Wireless Adapter

PCI and PC (PCMCIA) cards do not require a 'manual' driver loading, since they are recognized automatically by the system and the driver is loaded at the system startup.

There can be several reasons for a failure to load the driver, for example:

Wireless Interface Configuration

If the driver has been loaded successfully, and you have the required 2.4GHz Wireless Software License, then the Prism II 2.4GHz Wireless interface should appear under the interfaces list with the name prismX, where X is 1,2,... You can change the interface name to a more descriptive one using the 'set' command. To enable the interface, use the 'enable' command:

[MikroTik] > interface print                                                   
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  1 X prism1               1500  prism                                         
[MikroTik] > interface enable 1
[MikroTik] > interface set 1 name=wireless                                    
[MikroTik] > interface print                                                   
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  1   wireless             1500  prism                                         
[MikroTik] > 

More configuration and statistics parameters can be found under the '/interface prism' menu:

[MikroTik] interface prism> print                                              
Flags: X - disabled 
  0   name=wireless mtu=1500 mac-address=00:03:C0:00:06:72 arp=enabled 
      mode=station frequency=2412MHz ssid=abc client-name="" 
      max-associations=250 hide-ssid=no supported-rates=1-11 basic-rates=1-2 
      fragmentation-threshold=2346 rts-threshold=2432 
      default-access-action=allow 

[MikroTik] interface prism>

Argument description:

number - Interface number in the list
name - Interface name (same as for other interfaces)
mtu - Maximum transfer unit (same as for other interfaces)
mac-address - MAC address of card. In AP mode this will also be BSSID of BSS.
arp - ARP mode (same as for ethernet interfaces)
mode - (station|access-point). In station mode the card works as a station; in access-point mode it works as an access point. After the mode is changed from access-point to station, the router has to be rebooted for station mode to activate (changing back to AP mode will work fine). The change from station to AP can be done without rebooting.
frequency - Frequency that the AP will use to create the BSS
ssid - Service Set Identifier. In station mode it is the ssid to connect to; in AP mode it is the ssid to use when creating the BSS. It cannot be left blank: the AP needs an ssid to work, and in station mode cards hang up without an ssid.
client-name - Client name
max-associations - Meaningless for a station. For an AP: how many stations can be associated at the same time (min: 1, max: 500)
hide-ssid - Meaningless for a station. For an AP: the SSID is not transmitted in beacon frames (so the ssid cannot be read from beacons when sniffing the radio), and the AP does not answer probe requests that do not have its ssid in them. Basically, if this setting is set to "yes", every client that wants to connect to this AP has to have the correct ssid configured.
supported-rates - For both station and AP: rates at which this node will work.
basic-rates - Meaningless for a station. For an AP: rates that every client that plans to connect to this AP should be able to work at.
fragmentation-threshold - For both STA and AP: packets bigger than this value will be fragmented before transmission (min: 256, max: 2346)
rts-threshold - For both STA and AP: packets bigger than this value will be transmitted using the RTS/CTS medium reservation method. This medium reservation ensures that no other radios transmit at this time (min: 0, max: 2432)
default-access-action - (allow|deny). Meaningless for STA. For an AP: what to do with a client that wants to associate but is not in the access-list.

You can monitor the status of the wireless interface:

[MikroTik] interface prism> monitor 0                                            
       signal-quality: 0            
         signal-level: 27           
          noise-level: 27           
         current-rate: 2            
               status: disconnected 

[MikroTik] interface prism>

Station Mode Configuration

To set the wireless interface for working with an IEEE 802.11b access point (register to the AP), you should set the following parameters:

All other parameters can be left as default. To configure the wireless interface for registering to an AP with ssid "mt", it is enough to change the argument value of ssid to "mt":

[MikroTik] interface prism> set 0 ssid=mt                                      
[MikroTik] interface prism> monitor 0                                          
                bssid: 00:40:96:37:71:1E 
    current-frequency: 2442MHz           
       signal-quality: 92                
         signal-level: 183               
          noise-level: 0                 
         current-rate: 11                 
               status: connected         

[MikroTik] interface prism>     

The monitor command shows the MAC address of the AP, to which the card is registered.

Access Point Mode Configuration

To set the wireless interface for working as an IEEE 802.11b access point (register clients), you should set the following parameters:

All other parameters can be left as default. To configure the wireless interface for working as an access point with ssid "mt" and use the frequency 2442MHz, it is enough to enter the command:

[MikroTik] interface prism> set 0 mode=access-point ssid=mt frequency=2442MHz          
[MikroTik] interface prism> monitor 0                                    
                bssid: 00:03:C0:00:06:72 
    current-frequency: 2442MHz           
               status: ap-mode           

[MikroTik] interface prism>

To see the list of all clients currently registered to all configured APs, use the following command:

[MikroTik] interface prism> registration-table print                           
  # INT MAC-ADDRESS       SIGNAL     SILENCE    RATE       UPTIME              
  0 wir 00:40:96:37:71:1E 183        0          11         00:03:32            
  1 wir 00:40:96:29:02:88                                  00:01:15            
[MikroTik] interface prism>

Argument description for the registration-table entry:

mac-address - mac address of the registered client
interface - interface that client is registered to
signal - signal level
silence - silence level
rate - current rate
uptime - how long the client is connected

The monitor command gives additional per-client statistics:

[MikroTik] interface prism> registration-table monitor 0                       
        packets: 13,2                          
          bytes: 0,616                         
            bps: 0.0bps/0.0bps,0.0bps/4.10kbps 
            pps: 0/1,0/1                       
         signal: 171/186/195                   
        silence: 0/0/0                         
           rate: 11/11/11                      
    last-update: 00:00:02                      
         uptime: 00:09:01                      

[MikroTik] interface prism> 

Access List

The access list is used by the access point to restrict associations of clients. Each entry contains the MAC address of a client and the action to take when that client attempts to connect. The association procedure is as follows: when a new client wants to associate with the AP configured on interface prismX, the access list is searched for an entry with the client's MAC address and interface prismX. If such an entry is found, the action specified in it is taken. Otherwise, the default-access-action of interface prismX is taken.

To add an access list entry for MAC address 00:40:96:37:71:1E, use the command:

[MikroTik] interface prism access-list> add allow=yes interface=wireless \
mac-address=00:40:96:37:71:1E
[MikroTik] interface prism access-list> print
Flags: X - disabled, I - invalid 
  #   MAC-ADDRESS       ALLOW INTERFACE                                        
  0   00:40:96:37:71:1E yes   wireless                                         
[MikroTik] interface prism access-list>

Argument description:

allow - (yes|no) - accept this client when it tries to connect or not
interface - AP interface
mac-address - MAC address of the client

If you have default access action for the interface set to 'allow', you can disallow this node to register at the AP's interface 'wireless' by changing the 'allow' argument value to 'no':

[MikroTik] interface prism access-list> .. print                               
Flags: X - disabled 
  0   name=wireless mtu=1500 mac-address=00:03:C0:00:06:72 arp=enabled 
      mode=access-point frequency=2442MHz ssid=mt client-name=MT_Prism 
      max-associations=250 hide-ssid=no supported-rates=1-11 basic-rates=1-2 
      fragmentation-threshold=2346 rts-threshold=2432 
      default-access-action=allow 

[MikroTik] interface prism access-list> set 0 allow=no                         
[MikroTik] interface prism access-list> print                                  
Flags: X - disabled, I - invalid 
  #   MAC-ADDRESS       ALLOW INTERFACE                                        
  0   00:40:96:37:71:1E no    wireless                                         
[MikroTik] interface prism access-list>

Thus, all nodes except this one will be able to register to the interface 'wireless'.

If you have default access action for the interface set to 'deny', you can allow this node to register at the AP's interface 'wireless' by changing the 'allow' argument value back to 'yes':

[MikroTik] interface prism access-list> .. print                               
Flags: X - disabled 
  0   name=wireless mtu=1500 mac-address=00:03:C0:00:06:72 arp=enabled 
      mode=access-point frequency=2442MHz ssid=mt client-name=MT_Prism 
      max-associations=250 hide-ssid=no supported-rates=1-11 basic-rates=1-2 
      fragmentation-threshold=2346 rts-threshold=2432 
      default-access-action=deny 

[MikroTik] interface prism access-list> set 0 allow=yes 
[MikroTik] interface prism access-list> print                                  
Flags: X - disabled, I - invalid 
  #   MAC-ADDRESS       ALLOW INTERFACE                                        
  0   00:40:96:37:71:1E yes   wireless                                         
[MikroTik] interface prism access-list>
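
The lookup order described in this section, modelled as an added example (not MikroTik's code) that replays the console output shown above and reports, for every registered client, whether the current entries and default-access-action would admit it. The function names are hypothetical, and two things are assumptions: that a disabled (X) or invalid (I) entry shows its flag right after the row number and takes no part in the lookup, and that the INT column of the registration table is a prefix of the interface name (as 'wir' for 'wireless' above).

```python
import re

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Console output copied from the examples on this page.
ACCESS_LIST_PRINT = """\
Flags: X - disabled, I - invalid
  #   MAC-ADDRESS       ALLOW INTERFACE
  0   00:40:96:37:71:1E no    wireless
"""
REGISTRATION_TABLE_PRINT = """\
  # INT MAC-ADDRESS       SIGNAL     SILENCE    RATE       UPTIME
  0 wir 00:40:96:37:71:1E 183        0          11         00:03:32
  1 wir 00:40:96:29:02:88                                  00:01:15
"""


def normalize_mac(mac):
    """Validate a colon-separated MAC address and return it in upper case."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return mac.upper()


def parse_access_list(text):
    """Parse 'access-list print' output into {(mac, interface): allow}.

    Assumption: rows flagged X (disabled) or I (invalid) carry the flag
    right after the row number and are ignored by the lookup.
    """
    rules = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue  # flag legend, column header or blank line
        rest = fields[1:]
        flagged = False
        while rest and rest[0] in ("X", "I"):
            flagged = True
            rest.pop(0)
        if flagged or len(rest) < 3:
            continue
        mac, allow, interface = rest[:3]
        if allow not in ("yes", "no"):
            raise ValueError("unexpected ALLOW value: %r" % allow)
        rules[(normalize_mac(mac), interface)] = (allow == "yes")
    return rules


def parse_registration_table(text):
    """Parse 'registration-table print' output into [(int_prefix, mac)]."""
    clients = []
    for line in text.splitlines():
        fields = line.split()
        # SIGNAL/SILENCE/RATE may be blank, so only the first three columns are used.
        if len(fields) >= 3 and fields[0].isdigit():
            clients.append((fields[1], normalize_mac(fields[2])))
    return clients


def decide(mac, interface, rules, default_action):
    """Matching (MAC, interface) entry first, otherwise the interface default."""
    if default_action not in ("allow", "deny"):
        raise ValueError("unexpected default-access-action: %r" % default_action)
    allow = rules.get((normalize_mac(mac), interface))
    if allow is not None:
        return allow, "access-list entry"
    return default_action == "allow", "default-access-action"


def resolve_interface(prefix, interfaces):
    """Map the truncated INT column back to exactly one full interface name."""
    matches = [name for name in interfaces if name.startswith(prefix)]
    if len(matches) != 1:
        raise LookupError("INT %r matches %d interfaces" % (prefix, len(matches)))
    return matches[0]


def audit(registration_text, access_list_text, defaults):
    """Return one verdict per registered client.

    defaults maps each AP interface name to its default-access-action.
    """
    rules = parse_access_list(access_list_text)
    report = []
    for prefix, mac in parse_registration_table(registration_text):
        interface = resolve_interface(prefix, defaults)
        allowed, reason = decide(mac, interface, rules, defaults[interface])
        report.append({"mac": mac, "interface": interface,
                       "allowed": allowed, "reason": reason})
    return report


if __name__ == "__main__":
    for row in audit(REGISTRATION_TABLE_PRINT, ACCESS_LIST_PRINT, {"wireless": "allow"}):
        print(row)
```

Clients reported with reason "default-access-action" are the ones no entry covers, which is the set to review when the interface default is 'allow'. The verdict keys on the MAC address the client presents, so the list restricts association by address and does not authenticate the client.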

Wireless Troubleshooting

Wireless Network Applications

Two possible wireless network configurations are discussed in the following examples:

Wireless Client

Let us consider the following point-to-multipoint network setup with CISCO/Aironet Wireless Access Point as a base station and MikroTik Wireless Router as a client:

The access point is connected to the wired network's HUB and has IP address from the network 10.1.1.0/24. The minimum configuration required for the AP is:

  1. Setting the Service Set Identifier (up to 32 alphanumeric characters). In our case we use ssid "mt".
  2. Setting the allowed data rates at 1-11Mbps, and the basic rate at 1Mbps.
  3. Choosing the frequency, in our case we use 2442MHz.
  4. Setting the identity parameters: ip address/mask and gateway. These are required if you want to access the AP remotely using telnet or http.

Reminder! Please note, that the AP is not a router! It has just one network address, and is just like any host on the network. It resembles a wireless-to-Ethernet HUB or bridge. The AP does not route the IP traffic!

The minimum configuration for the MikroTik router's prism wireless interface is:

  1. Setting the Service Set Identifier to that of the AP, i.e., "mt"
  2. The Operation Mode should be "station". If it was previously 'access-point', you should reboot the router after setting it to 'station'!
[MikroTik] interface prism> set 0 ssid=mt                                      
[MikroTik] interface prism> monitor 0
                bssid: 00:40:96:37:71:1E 
    current-frequency: 2442MHz           
       signal-quality: 92                
         signal-level: 195               
          noise-level: 0                 
         current-rate: 11                 
               status: connected         

[MikroTik] interface prism>                                                    

The IP addresses assigned to the wireless interface should be from the network 10.1.1.0/24, e.g.:

[MikroTik] ip address> add address=10.1.1.12/24 interface=prism1               
[MikroTik] ip address> print                                                   
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.1.1.12/24       10.1.1.0        10.1.1.255      prism1                
  1   192.168.0.254/24   192.168.0.254   192.168.0.254   ether1                
[MikroTik] ip address>

The default route should be set to the gateway router 10.1.1.254 (not to the AP 10.1.1.250 !):

[MikroTik] ip route> add gateway=10.1.1.254
[MikroTik] ip route> print                                                     
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE           DST-ADDRESS        GATEWAY        DISTANCE INTERFACE     
  0    static         0.0.0.0/0          10.1.1.254     1        prism1        
  1 D  connect        10.1.1.0/24        0.0.0.0        0        prism1        
  2 D  connect        192.168.0.254/24   0.0.0.0        0        ether1        
[MikroTik] ip route>   

Note! You cannot use the bridging function between the prism and ethernet interfaces, if the prism interface is in the station mode. The bridge does not work in this case!

Wireless Access Point

Let us consider the following point-to-point wireless network setup with two MikroTik Wireless Routers:

Access Point

To make the MikroTik router work as an access point, the configuration of the prism wireless interface should be as follows:

The following command should be issued to change the settings for the prism interface:

[MT_Prism_AP] interface prism> set 0 mode=access-point \
                               frequency=2442MHz ssid=mt      
[MT_Prism_AP] interface prism> print                                           
Flags: X - disabled 
  0   name=prism1 mtu=1500 mac-address=00:03:C0:00:06:72 arp=enabled 
      mode=access-point frequency=2442MHz ssid=mt client-name= 
      max-associations=250 hide-ssid=no supported-rates=1-11 basic-rates=1-2 
      fragmentation-threshold=2346 rts-threshold=2432 
      default-access-action=allow 

[MT_Prism_AP] interface prism> monitor 0                                       
                bssid: 00:03:C0:00:06:72 
    current-frequency: 2442MHz           
               status: ap-mode           

[MT_Prism_AP] interface prism> 

The list of registered clients looks as follows:

[MT_Prism_AP] interface prism> registration-table print                        
  # INT MAC-ADDRESS       SIGNAL     SILENCE    RATE       UPTIME              
  0 pri 00:40:96:29:02:88 210        0          11         00:12:50            
  1 pri 00:40:96:37:71:1E 192        0          11         00:00:35            
[MT_Prism_AP] interface prism>   

There are two possible ways of implementing the wireless access point feature:

To enable bridging between the ethernet and prism interfaces, do the following:
  1. Change the bridge settings for the desired protocols:
    [MT_Prism_AP] bridge> set ip=forward arp=forward other=forward 
    [MT_Prism_AP] bridge> print                                                    
               ip: forward
              ipx: discard
        appletalk: discard
             ipv6: discard
              arp: forward
            other: forward
         priority: 1
    [MT_Prism_AP] bridge> 
      
  2. Enable bridging for the desired interfaces:
    [MT_Prism_AP] bridge interface> print                                          
      # INTERFACE                                                           FORWARD
      0 ether1                                                              no     
      1 prism1                                                              no     
    [MT_Prism_AP] bridge interface> set ether1 forward=yes
    [MT_Prism_AP] bridge interface> set prism1 forward=yes                         
    [MT_Prism_AP] bridge interface> print                                      
      # INTERFACE                                                           FORWARD
      0 ether1                                                              yes     
      1 prism1                                                              yes    
    [MT_Prism_AP] bridge interface>                
      
  3. Enable the bridge interface:
    [MT_Prism_AP] interface> print                                                 
    Flags: X - disabled, D - dynamic 
      #   NAME                 MTU   TYPE                                          
      0   ether1               1500  ether                                         
      1 X bridge1              1500  bridge                                        
      2   prism1               1500  prism                                         
    [MT_Prism_AP] interface> enable 1                                              
    [MT_Prism_AP] interface> print                                                 
    Flags: X - disabled, D - dynamic 
      #   NAME                 MTU   TYPE                                          
      0   ether1               1500  ether                                         
      1   bridge1              1500  bridge                                        
      2   prism1               1500  prism                                         
    [MT_Prism_AP] interface>                                                       
      
  4. Assign an IP address to the bridge interface and specify the default gateway for the access point:
    [MT_Prism_AP] ip address> add address=10.1.1.250/24 interface=bridge1
    [MT_Prism_AP] ip address> print                                                
    Flags: X - disabled, I - invalid, D - dynamic 
      #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
      0   10.1.1.250/24      10.1.1.0        10.1.1.255      bridge1               
    [MT_Prism_AP] ip address> .. route add gateway=10.1.1.254
    [MT_Prism_AP] ip address> .. route print                                       
    Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
      #    TYPE           DST-ADDRESS        GATEWAY        DISTANCE INTERFACE     
      0    static         0.0.0.0/0          10.1.1.254     1        bridge1       
      1 D  connect        10.1.1.0/24        0.0.0.0        0        bridge1       
    [MT_Prism_AP] ip address>   
      

The client router requires the Service Set Identifier set to "mt". The IP addresses assigned to the interfaces should be from networks 10.1.1.0/24 and 192.168.0.0/24:

[mikrotik] ip address> print                                                
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.1.1.12/24       10.1.1.0        10.1.1.255      aironet                
  1   192.168.0.254/24   192.168.0.0     192.168.0.255   Local                
[mikrotik] ip address>   

The default route should be set to gateway 10.1.1.254 for the router [mikrotik]:

[mikrotik] ip route> add gateway=10.1.1.254
[mikrotik] ip route> print                                                     
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE           DST-ADDRESS        GATEWAY        DISTANCE INTERFACE     
  0    static         0.0.0.0/0          10.1.1.254     1        aironet        
  1 D  connect        10.1.1.0/24        0.0.0.0        0        aironet       
  2 D  connect        192.168.0.254/24   0.0.0.0        0        Local       
[mikrotik] ip route>   


© Copyright 1999-2001, MikroTik
Cyclades PC300 PCI Adapters

...Draft...

Document revision 14-Dec-2001
This document applies to the MikroTik RouterOS V2.4

Overview

The MikroTik RouterOS supports the following Cyclades PC300 Adapter hardware:

For more information about the Cyclades PCI Adapter hardware please see the relevant documentation:

Contents of the Manual

The following topics are covered in this manual:

Adapter Hardware and Software Installation

Software Packages

The MikroTik Router should have the cyclades software package installed. The software package file cyclades-2.4.y.npk can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation the package should be listed under the installed software packages list, for example:

[MikroTik] > system package print                                              
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 routing                2.4.5                 dec/04/2001 14:54:29 no       
  1 snmp                   2.4.5                 dec/04/2001 14:54:41 no       
  2 ppp                    2.4.5                 dec/04/2001 14:55:36 no       
  3 pppoe                  2.4.5                 dec/04/2001 14:56:30 no       
  4 ssh                    2.4.5                 dec/04/2001 14:58:22 no       
  5 pptp                   2.4.5                 dec/04/2001 14:55:54 no       
  6 cyclades               2.4.5                 dec/04/2001 14:58:39 no       
  7 framerelay             2.4.5                 dec/04/2001 15:07:21 no       
  8 system                 2.4.5                 dec/04/2001 14:53:19 no       
[MikroTik] >  

Software License

The Cyclades PC300 PCI Adapter requires the Synchronous Feature License. One license is for one installation of the MikroTik RouterOS, disregarding how many cards are installed in one PC box. The Synchronous Feature is not included in the Free Demo or Basic Software License. The Synchronous Feature cannot be obtained for the Free Demo License. It can be obtained only together with the Basic Software License.

System Resource Usage

Before installing the synchronous adapter, please check the availability of free resources:

[MikroTik] > system resource irq print                                         
 IRQ USED OWNER                                                                 
 1   yes  keyboard                                                              
 2   yes  APIC                                                                  
 3   yes  serial port                                                           
 4   yes  serial port                                                           
 5   no                                                                         
 6   no                                                                         
 7   no                                                                         
 8   no                                                                         
 9   yes  ether1                                                                
 10  no                                                                         
 11  yes  [Cyclades-PC300]                                                      
 12  no                                                                         
 13  yes  FPU                                                                   
 14  yes  IDE 1                                                                 
[MikroTik] > system resource io print                                          
 PORT-RANGE            OWNER                                                    
 20-3F                 APIC                                                     
 40-5F                 timer                                                    
 60-6F                 keyboard                                                 
 80-8F                 DMA                                                      
 A0-BF                 APIC                                                     
 C0-DF                 DMA                                                      
 F0-FF                 FPU                                                      
 1F0-1F7               IDE 1                                                    
 2F8-2FF               serial port                                              
 3C0-3DF               VGA                                                      
 3F6-3F6               IDE 1                                                    
 3F8-3FF               serial port                                              
 EE00-EEFF             ether1                                                   
 EF80-EFFF             [Cyclades-PC300]                                         
 FC00-FC07             IDE 1                                                    
 FC08-FC0F             IDE 2                                                    
 FC10-FC7F             [CS5530]                                                 
[MikroTik] 

Installing the Synchronous Adapter

You can install up to four Cyclades PC300 PCI Adapters in one PC box, if you have so many adapter slots and IRQs available.

The basic installation steps of the PCI adapter should be as follows:

  1. Check the system BIOS settings and make sure you do not have the 'PnP OS Installed' set to 'Yes'. If you have this setting, make sure it is set to 'No'.
  2. Check the system BIOS settings for peripheral devices, like, Parallel or Serial communication ports. Disable them, if you plan to use IRQ's assigned to them by the BIOS.

The Cyclades PC300 PCI Adapter should be recognized by your motherboard automatically and appear on the list of PCI devices as "Simple COMM Controller" with the IRQ assigned to it.

Loading the Driver for the Cyclades PC300 PCI Adapter

The driver for the Cyclades PC300 PCI Adapter is loaded automatically at the system startup. You can check if the driver has been loaded by issuing the following command:

[MikroTik] > driver print                                                      
Flags: I - invalid, D - dynamic 
  #   DRIVER                            IRQ IO         MEMORY     ISDN-PROTOCOL
  0 D Cyclades                                                                 
  1 D RealTek RTL8129/8139                                                     
[MikroTik] > 

There can be several reasons for a failure to load the driver, for example:

Interface Configuration

If the driver has been loaded successfully (no error messages), and you have the required Synchronous Software License, then the cyclades interface should appear under the interfaces list with the name cycladesX, where X is 1,2,... To enable the interface, use the 'enable' command:

[MikroTik] > interface print                                                   
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  1 X cyclades1            1600  cyclades                                      
[MikroTik] > interface
[MikroTik] interface> enable 1
[MikroTik] interface> print                                                    
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  1   cyclades1            1600  cyclades                                      
[MikroTik] interface> 

More configuration and statistics parameters can be found under the '/interface cyclades' menu. For the Cyclades PC300/RSV Synchronous PCI Adapter you should set the mtu to 1500, and have other argument values as below:

[MikroTik] interface cyclades> print                                           
Flags: X - disabled 
  0   name=cyclades1 mtu=1600 media-type=V35 line-code=none framing-mode=none 
      line-build-out=0dB rx-sensitivity=none line-protocol=cisco-hdlc 
      frame-relay-type=ansi frame-relay-dce=no speed=0 active-channels=0x0 

[MikroTik] interface cyclades> set 0 mtu=1500 
[MikroTik] interface cyclades> print                                           
Flags: X - disabled 
  0   name=cyclades1 mtu=1500 media-type=V35 line-code=none framing-mode=none 
      line-build-out=0dB rx-sensitivity=none line-protocol=cisco-hdlc 
      frame-relay-type=ansi frame-relay-dce=no speed=0 active-channels=0x0 

[MikroTik] interface cyclades>

Argument description:

number - Interface number in the list
name - Interface name
mtu - Maximum Transmit Unit (68...1600 bytes). Default value is 1500 bytes.
media-type - The hardware media used for this interface (E1/RS232/T1/V35/X21)
line-code - For T1/E1 channels only. The line code (AMI/B8ZS/HDB3/NRZ/none)
framing-mode - For T1/E1 channels only. The frame mode (CRC4/D4/ESF/ESF-Japan/Non-CRC4/none/unframe)
line-build-out - For T1 channels only. Line Build Out Signal Level(0dB/15dB/22.5dB/7.5dB)
rx-sensitivity - For T1/E1 channels only. Receiver sensitivity (long-haul/none/short-haul)
line-protocol - Line Protocol (cisco-hdlc/sync-ppp)
speed - The clock mode or clock rate in bps. If '0', the external clock mode is selected. For V.35 it should be set to '0' to use the external clock from the modem. Values greater than '0' represent the clock speed (which implies an internal clock).
active-channels - For T1/E1 channels only. The active 64Kb channels.

The Cyclades PC300/RSV Synchronous PCI Adapter comes with a V.35 cable. This cable should work for all standard modems, which have V.35 connections. For synchronous modems, which have a DB-25 connection, you should use a standard DB-25 cable.

Connect a communication device, e.g., a baseband modem, to the V.35 port and turn it on. The MikroTik driver for the Cyclades Synchronous PCI Adapter allows you to unplug the V.35 cable from one modem and plug it into another modem with a different clock speed, and you do not need to restart the interface or router.

Troubleshooting

RSV/V.35 Synchronous Link Applications

Let us consider the following network setup with MikroTik Router connected to a leased line with baseband modems and a CISCO router at the other end:

MT-to-CISCO

The driver for the Cyclades PC300/RSV Synchronous PCI Adapter should load automatically. The interface should be enabled according to the instructions given above. The IP addresses assigned to the cyclades interface should be as follows:

[MikroTik] ip address> add interface cyclades1 address 1.1.1.1/32 \
network 1.1.1.2 broadcast 255.255.255.255
[MikroTik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.0.0.254      255.255.255.0   10.0.0.209      10.0.0.255      ether2
  1 1.1.1.1         255.255.255.255 1.1.1.2         255.255.255.255 cyclades1
  2 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   ether1
[MikroTik] ip address> /ping 1.1.1.2
1.1.1.2 pong: ttl=255 time=28 ms
1.1.1.2 pong: ttl=255 time=28 ms
1.1.1.2 pong: ttl=255 time=28 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 28/28.0/28 ms
interrupted
[MikroTik] ip address> /tool fping 1.1.1.2 size 1500 count 50
Sent: 1(2%) Received: 0(0%) min/avg/max RTT: 0/0/0 ms
Sent: 6(12%) Received: 5(83%) min/avg/max RTT: 212/212/212 ms
Sent: 11(22%) Received: 10(90%) min/avg/max RTT: 212/212/212 ms
Sent: 15(30%) Received: 14(93%) min/avg/max RTT: 212/212/212 ms
Sent: 20(40%) Received: 19(95%) min/avg/max RTT: 212/212/212 ms
Sent: 25(50%) Received: 24(96%) min/avg/max RTT: 212/212/213 ms
Sent: 30(60%) Received: 29(96%) min/avg/max RTT: 212/212/213 ms
Sent: 35(70%) Received: 34(97%) min/avg/max RTT: 212/212/213 ms
Sent: 39(78%) Received: 38(97%) min/avg/max RTT: 212/212/213 ms
Sent: 44(88%) Received: 43(97%) min/avg/max RTT: 212/212/214 ms
Sent: 49(98%) Received: 48(97%) min/avg/max RTT: 212/212/214 ms
Sent: 50(100%) Received: 50(100%) min/avg/max RTT: 212/212/214 ms
[MikroTik] ip address> 

Note, that for the point-to-point link the network mask is set to 32 bits, the argument 'network' is set to the IP address of the other end, and the broadcast address is set to 255.255.255.255. The default route should be set to the gateway router 1.1.1.2:

[MikroTik] ip route> add gateway 1.1.1.2 interface cyclades1
[MikroTik] ip route> print
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.0.0.0        255.255.255.0   0.0.0.0         10.0.0.254      ether2  D K
  1 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   ether1  D K
  2 1.1.1.2         255.255.255.255 0.0.0.0         1.1.1.1         cyc...  D K
  3 0.0.0.0         0.0.0.0         1.1.1.2         0.0.0.0         cyc...
[MikroTik] ip route> 

The configuration of the CISCO router at the other end (part of the configuration) is:

CISCO#show running-config 
Building configuration...

Current configuration:
...
!
interface Ethernet0
 description connected to EthernetLAN
 ip address 10.1.1.12 255.255.255.0
!
interface Serial0
 description connected to MikroTik
 ip address 1.1.1.2 255.255.255.252
 serial restart-delay 1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
...
end

CISCO#

Send ping packets to the MikroTik router:

CISCO#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/40 ms
CISCO#


© Copyright 1999-2001, MikroTik

MikroTik RouterOS V2.4 MOXA C101 Synchronous Interface

Document revision 14-Dec-2001

This document applies to the MikroTik RouterOS V2.4

Overview

The MikroTik RouterOS supports the MOXA C101 Synchronous 5Mb/s Adapter hardware. The V.35 synchronous interface is the standard for VSAT and other satellite modems. However, you must check with the satellite system supplier for the modem interface type.

For more information about the MOXA C101 Synchronous 5Mb/s Adapter hardware please see the relevant documentation:

Contents of the Manual

The following topics are covered in this manual:

Synchronous Adapter Hardware and Software Installation

Software Packages

The MikroTik Router should have the moxa c101 synchronous software package installed. The software package file moxa-c101-2.4.y.npk can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation the package should be listed under the installed software packages list, for example:

[MikroTik] > system package print                                              
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 routing                2.4.5                 dec/04/2001 14:54:29 no       
  1 snmp                   2.4.5                 dec/04/2001 14:54:41 no       
  2 ppp                    2.4.5                 dec/04/2001 14:55:36 no       
  3 pppoe                  2.4.5                 dec/04/2001 14:56:30 no       
  4 ssh                    2.4.5                 dec/04/2001 14:58:22 no       
  5 pptp                   2.4.5                 dec/04/2001 14:55:54 no       
  6 moxa-c101              2.4.5                 dec/04/2001 14:56:39 no       
  7 framerelay             2.4.5                 dec/04/2001 15:07:21 no       
  8 system                 2.4.5                 dec/04/2001 14:53:19 no       
[MikroTik] >  

Software License

The MOXA C101 Synchronous Adapter requires the Synchronous Feature License. One license is for one installation of the MikroTik RouterOS, disregarding how many cards are installed in one PC box. The Synchronous Feature is not included in the Free Demo or Basic Software License. The Synchronous Feature cannot be obtained for the Free Demo License. It can be obtained only together with the Basic Software License.

System Resource Usage

Before installing the synchronous adapter, please check the availability of free IRQ's:

[MikroTik] > system resource irq print                                         
 IRQ USED OWNER                                                                 
 1   yes  keyboard                                                              
 2   yes  APIC                                                                  
 3   yes  serial port                                                           
 4   yes  serial port                                                           
 5   no                                                                         
 6   no                                                                         
 7   no                                                                         
 8   no                                                                         
 9   yes  ether1                                                                
 10  no                                                                         
 11  no 
 12  no                                                                         
 13  yes  FPU                                                                   
 14  yes  IDE 1                                                                 
[MikroTik] > 

Installing the Synchronous Adapter

You can install up to four MOXA C101 synchronous cards in one PC box, if you have so many ISA slots and IRQs available. The basic installation steps of the adapter should be as follows:

  1. Check the system BIOS settings for peripheral devices, like, Parallel or Serial Communication ports. Disable them, if you plan to use IRQ's assigned to them by the BIOS.
  2. Set the jumper of the IRQ to one, which is free on your system. Usually IRQ 5 is fine.
  3. Set the dip switches of the memory mapping base address. Each C101 Super-Sync Board will occupy a 16KB memory window. Not all addresses might be available on your motherboard. For example, for address 0x0D0000, switch #3 should be OFF, and switches 1, 2, 4, 5 should be ON. Consult the table in the C101 manual for these settings.
  4. Set the jumper of the transmit clock direction to 'in'
  5. Set the jumper of the communication interface to V.35

Please note, that not all combinations of memory mapping base addresses and IRQ's may work on your motherboard. It is recommended that you choose one IRQ that is not used in your system, and then try an acceptable memory base address setting.

Loading the Driver for the MOXA C101 Synchronous Adapter

The MOXA C101 ISA card requires the driver to be loaded by issuing the following command:

[MikroTik] driver> add name=c101 mem=0xd0000
[MikroTik] driver> print 
  # DRIVER                                       IRQ IO     MEMORY     ISD...
  0 RealTek RTL8129/8139                                                      D
  1 Moxa C101 Synchronous                                   0xd0000
[MikroTik] driver> 

There can be several reasons for a failure to load the driver:

Synchronous Interface Configuration

If the driver has been loaded successfully (no error messages), and you have the required Synchronous Software License, then the synchronous interface should appear under the interfaces list with the name syncn, where n is 0,1,2,... You can change the interface name to a more descriptive one using the 'set' command. To enable the interface, use the 'enable' command:

[MikroTik] > interface print                                                   
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  1 X sync1                1500  sync                                                                               
[MikroTik] >
[MikroTik] interface> set 1 name moxa
[MikroTik] interface> enable moxa
[MikroTik] > interface print                                                   
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  1   moxa                 1500  sync                                      
[MikroTik] >  

More configuration and statistics parameters can be found under the '/interface synchronous' menu:

[MikroTik] interface> synchronous 
[MikroTik] interface synchronous> print 
0   name: moxa mtu: 1500 rx-clock-source: rxc-line tx-clock-source: rxc-clock
    speed: 1092266 null-modem: no line-protocol: cisco-hdlc

[MikroTik] interface synchronous> set ?
  _number_          Interface name or number
  name              New interface name
  mtu               Maximum Transmit Unit
  rx-clock-source   Receive clock source
  tx-clock-source   Transmit clock source
  speed             Speed of internal clock
  null-modem        Ignore DCD
  line-protocol     Line protocol
[MikroTik] interface synchronous> set 

Argument description:

number - Interface number in the list
name - Interface name
mtu - Maximum Transmit Unit (68...1600 bytes). Default value is 1500 bytes.
rx-clock-source - Receive clock source (internal / rxc-line)
tx-clock-source - Transmit clock source (internal / rxc-clock / txc-line)
speed - Speed of internal clock
line-protocol - Line protocol (cisco-hdlc / sync-ppp)
null-modem - Enable/Disable null-modem mode (yes / no). In null-modem mode the DCD signal is ignored.

You can monitor the status of the synchronous interface:

[MikroTik] interface synchronous> monitor 0
    dtr: yes
    rts: yes
    cts: no 
    dsr: no 
    dcd: no
[MikroTik] interface synchronous> 

If you purchased the MOXA C101 Synchronous card from MikroTik, you have received a V.35 cable with it. This cable should work for all standard modems, which have V.35 connections. For synchronous modems, which have a DB-25 connection, you should use a standard DB-25 cable.

Connect a communication device, e.g., a baseband modem, to the V.35 port and turn it on. If the link is working properly the status of the interface is:

[MikroTik] interface synchronous> monitor 0
    dtr: yes
    rts: yes
    cts: yes
    dsr: yes
    dcd: yes
[MikroTik] interface synchronous>

The MikroTik driver for the MOXA C101 Synchronous adapter allows you to unplug the V.35 cable from one modem and plug it into another modem with a different clock speed, and you do not need to restart the interface or router.

Troubleshooting

Synchronous Link Applications

Two possible synchronous line configurations are discussed in the following examples:

MikroTik Router to MikroTik Router

Let us consider the following network setup with two MikroTik Routers connected to a leased line with baseband modems:

MT-to-MT

The driver for MOXA C101 card should be loaded and the interface should be enabled according to the instructions given above. The IP addresses assigned to the synchronous interface should be as follows:

[MikroTik] ip address> add address 1.1.1.1/32 interface wan \
network 1.1.1.2 broadcast 255.255.255.255
[MikroTik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.0.0.254      255.255.255.0   10.0.0.254      10.0.0.255      ether2
  1 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   ether1
  2 1.1.1.1         255.255.255.255 1.1.1.2         255.255.255.255 wan
[MikroTik] ip address> /ping 1.1.1.2
1.1.1.2 pong: ttl=255 time=27 ms
1.1.1.2 pong: ttl=255 time=27 ms
1.1.1.2 pong: ttl=255 time=27 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 27/27.0/27 ms
[MikroTik] ip address> 

Note, that for the point-to-point link the network mask is set to 32 bits, the argument 'network' is set to the IP address of the other end, and the broadcast address is set to 255.255.255.255. The default route should be set to the gateway router 1.1.1.2:

[MikroTik] ip route> add gateway 1.1.1.2 interface wan 
[MikroTik] ip route> pr
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.0.0.0        255.255.255.0   0.0.0.0         10.0.0.254      ether2  D K
  1 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   ether1  D K
  2 1.1.1.2         255.255.255.255 0.0.0.0         1.1.1.1         wan     D K
  3 0.0.0.0         0.0.0.0         1.1.1.2         0.0.0.0         wan
[MikroTik] ip route> 

The configuration of the MikroTik router at the other end is similar:

[MikroTik] ip address> add address 1.1.1.2/32 interface moxa \
network 1.1.1.1 broadcast 255.255.255.255
[MikroTik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      Public
  1 1.1.1.2         255.255.255.255 1.1.1.1         255.255.255.255 moxa
[MikroTik] ip address> /ping 1.1.1.1
1.1.1.1 pong: ttl=255 time=27 ms
1.1.1.1 pong: ttl=255 time=27 ms
1.1.1.1 pong: ttl=255 time=27 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 27/27.0/27 ms
[MikroTik] ip address> 

MikroTik Router to CISCO Router

Let us consider the following network setup with MikroTik Router connected to a leased line with baseband modems and a CISCO router at the other end:

MT-to-CISCO

The driver for MOXA C101 card should be loaded and the interface should be enabled according to the instructions given above. The IP addresses assigned to the synchronous interface should be as follows:

[MikroTik] ip address> add address 1.1.1.1/32 interface wan \
network 1.1.1.2 broadcast 255.255.255.255
[MikroTik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.0.0.254      255.255.255.0   10.0.0.254      10.0.0.255      ether2
  1 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   ether1
  2 1.1.1.1         255.255.255.255 1.1.1.2         255.255.255.255 wan
[MikroTik] ip address> /ping 1.1.1.2
1.1.1.2 pong: ttl=255 time=27 ms
1.1.1.2 pong: ttl=255 time=27 ms
1.1.1.2 pong: ttl=255 time=27 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 27/27.0/27 ms
[MikroTik] ip address> 

Note, that for the point-to-point link the network mask is set to 32 bits, the argument 'network' is set to the IP address of the other end, and the broadcast address is set to 255.255.255.255. The default route should be set to the gateway router 1.1.1.2:

[MikroTik] ip route> add gateway 1.1.1.2 interface wan 
[MikroTik] ip route> pr
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.0.0.0        255.255.255.0   0.0.0.0         10.0.0.254      ether2  D K
  1 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   ether1  D K
  2 1.1.1.2         255.255.255.255 0.0.0.0         1.1.1.1         wan     D K
  3 0.0.0.0         0.0.0.0         1.1.1.2         0.0.0.0         wan
[MikroTik] ip route> 

The configuration of the CISCO router at the other end (part of the configuration) is:

CISCO#show running-config 
Building configuration...

Current configuration:
...
!
interface Ethernet0
 description connected to EthernetLAN
 ip address 10.1.1.12 255.255.255.0
!
interface Serial0
 description connected to MikroTik
 ip address 1.1.1.2 255.255.255.252
 serial restart-delay 1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
...
end

CISCO#

Send ping packets to the MikroTik router:

CISCO#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/40 ms
CISCO#


© Copyright 1999-2001, MikroTik

MikroTik RouterOS V2.4 FrameRelay (PVC) Interfaces

Document revision 28-Dec-2001
This document applies to MikroTik RouterOS V2.4

Overview

Frame Relay is a multiplexed interface to a packet-switched network. Frame Relay is a simplified form of packet switching, similar in principle to X.25, in which synchronous frames of data are routed to different destinations depending on header information. Frame Relay uses the synchronous HDLC frame format.

Topics covered in this manual:

Frame Relay Installation on the MikroTik RouterOS v2.4

Configuring Frame Relay Interface

To configure frame relay, you should first set up the synchronous interface, and then the PVC interface.

Cyclades PC300 interface

[MikroTik] > interface cyclades print
Flags: X - disabled
  0   name=cyclades1 mtu=1600 media-type=V35 line-code=B8ZS framing-mode=ESF line-build-out=0dB rx-sensitivity=short-haul
      line-protocol=frame-relay frame-relay-type=ansi frame-relay-dce=no speed=0 active-channels=FFFFFFFF

[MikroTik] >

Argument description:

MOXA C101 interface

[MikroTik] > interface synchronous print
Flags: X - disabled
  0   name=sync1 mtu=1600 speed=76 rx-clock-source=rxc-line tx-clock-source=rxc-clock ignore-dcd=no line-protocol=cisco-hdlc
      frame-relay-type=ansi frame-relay-dce=no

[MikroTik] >

Argument description:

Frame Relay PVC interface

To add a PVC interface, use the /interface pvc add command. For example, for a Cyclades interface and DLCI equal to 42, we should use the command:

[MikroTik] > interface pvc add dlci=42 interface=cyclades1
[MikroTik] > interface pvc print
Flags: X - disabled
  #   NAME                 MTU  DLCI INTERFACE
  0   pvc1                 1590 42   cyclades1
[MikroTik] >

Argument description:

Frame Relay Configuration Example with Cyclades Interface

Let us consider the following network setup with MikroTik Router with Cyclades PC300 interface connected to a leased line with baseband modems and a CISCO router at the other end.

[MikroTik] ip address> add interface=pvc1 address=1.1.1.1 netmask=255.255.255.0
[MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   1.1.1.1/24         1.1.1.0         1.1.1.255       pvc1
[MikroTik] ip address>

PVC and Cyclades interface configuration

Cyclades

[MikroTik] interface cyclades> print
Flags: X - disabled
  0   name=cyclades1 mtu=1600 media-type=V35 line-code=B8ZS framing-mode=ESF line-build-out=0dB rx-sensitivity=short-haul
      line-protocol=frame-relay frame-relay-type=ansi frame-relay-dce=no speed=0 active-channels=FFFFFFFF

[MikroTik] interface cyclades>

PVC

[MikroTik] interface pvc> print
Flags: X - disabled
  #   NAME                 MTU  DLCI INTERFACE
  0   pvc1                 1590 42   cyclades1
[MikroTik] interface pvc>

CISCO router setup

CISCO# show running-config

Building configuration...

Current configuration...

...
!
ip subnet-zero
no ip domain-lookup
frame-relay switching
!
interface Ethernet0
 description connected to EthernetLAN
 ip address 10.0.0.254 255.255.255.0
!
interface Serial0
 description connected to Internet
 no ip address
 encapsulation frame-relay IETF
 serial restart-delay 1
 frame-relay lmi-type ansi
 frame-relay intf-type dce
!
interface Serial0.1 point-to-point
 ip address 1.1.1.2 255.255.255.0
 no arp frame-relay
 frame-relay interface-dlci 42
!
...
end.

Send ping to MikroTik router

CISCO#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
CISCO#

Frame Relay Configuration Example with MOXA Interface

Let us consider the following network setup with MikroTik Router with MOXA C101 synchronous interface connected to a leased line with baseband modems and a CISCO router at the other end.

[MikroTik] ip address> add interface=pvc1 address=1.1.1.1 netmask=255.255.255.0
[MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   1.1.1.1/24         1.1.1.0         1.1.1.255       pvc1
[MikroTik] ip address>

PVC and Moxa interface configuration

Moxa

[MikroTik] interface sync1> print
Flags: X - disabled
  0   name=sync1 mtu=1600 speed=76 rx-clock-source=rxc-line tx-clock-source=rxc-clock ignore-dcd=no line-protocol=frame-relay
      frame-relay-type=ansi frame-relay-dce=no

[MikroTik] interface sync1>

PVC

[MikroTik] interface pvc> print
Flags: X - disabled
  #   NAME                 MTU  DLCI INTERFACE
  0   pvc1                 1590 42   sync1
[MikroTik] interface pvc>

CISCO router setup

CISCO# show running-config

Building configuration...

Current configuration...

...
!
ip subnet-zero
no ip domain-lookup
frame-relay switching
!
interface Ethernet0
 description connected to EthernetLAN
 ip address 10.0.0.254 255.255.255.0
!
interface Serial0
 description connected to Internet
 no ip address
 encapsulation frame-relay IETF
 serial restart-delay 1
 frame-relay lmi-type ansi
 frame-relay intf-type dce
!
interface Serial0.1 point-to-point
 ip address 1.1.1.2 255.255.255.0
 no arp frame-relay
 frame-relay interface-dlci 42
!
...
end.

Send ping to MikroTik router

CISCO#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
CISCO#

Frame Relay Troubleshooting


© Copyright 1999-2001, MikroTik

MikroTik RouterOS IP Addresses and Address Resolution Protocol (ARP)

Document revision 29-Mar-2002
This document applies to the MikroTik RouterOS V2.4 and V2.5

Overview

The following Manual discusses managing IP addresses and the Address Resolution Protocol (ARP). IP addresses serve as identification when communicating with other network devices using the TCP/IP protocol. It is possible to add multiple IP addresses to an interface or to leave the interface without addresses assigned to it. Leaving a physical interface without an IP address is useful when the bridging between interfaces is used. In case of bridging, the IP address is assigned to the bridge interface, which is created automatically when the bridging is enabled.

MikroTik RouterOS has the following types of addresses:

Contents of the Manual

The following topics are covered in this manual:

Assigning IP Addresses

IP address management can be accessed under the /ip address submenu:

[MikroTik] ip address>
IP addresses are given to router to access it remotely and to specify it as a
gateway for other hosts/routers.

    print  Show IP addresses
      get  get value of item's property
     find  Find addresses
      set  Change IP address properties
      add  Add IP address
   remove  Remove IP address
   enable  Enable IP address
  disable  Disable IP address
  comment  Set comment for IP address
   export  Export list of IP addresses
[MikroTik] ip address>

Use the /ip address add command to add an IP address to an interface. In most cases, it is enough to specify the address, the netmask, and the interface arguments. The network prefix and the broadcast address are calculated automatically, for example:

[MikroTik] ip address> add address=192.168.0.254/24 interface=Local
[MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   192.168.0.254/24   192.168.0.0     192.168.0.255   Local
[MikroTik] ip address> 

Description of the arguments:

number - number assigned to the item in the list
flag - shows the status of the item
address - local IP address, can be in the form address/mask, where mask is number of bits in the subnet mask.
netmask - network mask to be used with the network prefix. Must be in the decimal form xxx.xxx.xxx.xxx
network - (optional) network prefix to be used with the address. It shows what network can be reached through the interface with the given IP address. If not specified, will be calculated from local address and network mask. For point-to-point links should be the address of the remote end.
broadcast - (optional) broadcast address to be used with the address. If not specified, will be calculated from local address and network mask.
interface - name of the interface the address will be used with

Address Resolution Protocol (ARP)

Address Resolution Protocol is used to map an IP address to a MAC layer address. The router has a table of currently used ARP entries. Normally the table is built dynamically, but to increase network security, static entries can be added.

The ARP management can be accessed under the /ip arp submenu:

[MikroTik] ip arp> ?                                                            
      add  Add static ARP entry
  comment  Set comment for ARP entry
  disable  Disable static ARP entry
   enable  Enable static ARP entry
   export  Export list of ARP entries
     find  Find ARP entries
      get  Get value of item's property
    print  Show ARP entries
   remove  Remove ARP entry
      set  Change ARP entry properties
[MikroTik] ip arp>

To view the list of arp entries, use the /ip arp print command:

[MikroTik] ip arp> print                                                       
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS         MAC-ADDRESS       INTERFACE                              
  0 D 10.1.1.254      00:80:C8:C9:B0:45 Public                                 
  1 D 10.5.8.214      08:00:46:04:33:17 Local                           
  2 D 10.5.9.202      00:00:E8:69:65:5F sales                              
  3 D 10.5.9.204      00:00:E8:69:69:9F sales                              
  4 D 10.5.8.204      00:60:52:0B:B4:80 Local                           

[MikroTik] ip arp> 

If static arp entries are used for network security on an interface, you should disable arp on the relevant interface under the /interface menu and add the static arp entries:

[MikroTik] ip arp> /interface ethernet set Local arp=disabled                         
[MikroTik] ip arp> add address=10.5.8.214 mac-address=08:00:46:04:33:17 interface=Local
[MikroTik] ip arp> print                                                       
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS         MAC-ADDRESS       INTERFACE                              
  0 D 10.1.1.254      00:80:C8:C9:B0:45 Public                                 
  1   10.5.8.214      08:00:46:04:33:17 Local                           
  2 D 10.5.9.202      00:00:E8:69:65:5F sales                              
  3 D 10.5.9.204      00:00:E8:69:69:9F sales                              

[MikroTik] ip arp> 

If the arp feature is turned off on the interface, the router does not answer ARP requests from the clients, so a static arp entry should be added on the clients as well. For example, the router's IP and MAC addresses should be added to Windows workstations using the 'arp' command:

C:\> arp -s 10.5.8.254  00-aa-00-62-c6-09

See the relevant documentation on how to manage static arp entries on your system.
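
One way to check that an interface meant to run on static ARP entries only still matches its address inventory, as an added Python example that is not part of the original manual: it parses text in the '/ip arp print' layout shown above and reports dynamic entries, MAC mismatches and missing static entries. The inventory, the 02:00:00:... MAC addresses and the function names are constructed for the illustration.

```python
import re

# One data row of '/ip arp print': index, optional flags (X, I, D),
# IP address, MAC address, interface name.
ROW = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<flags>(?:[XID]\s+)*)"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<iface>\S+)"
)


def parse_arp_print(text):
    """Turn '/ip arp print' output into a list of entry dicts."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # prompt, 'Flags:' legend, column header or blank line
        flags = m.group("flags")
        entries.append({
            "ip": m.group("ip"),
            "mac": m.group("mac").upper(),
            "iface": m.group("iface"),
            "dynamic": "D" in flags,
            "disabled": "X" in flags,
            "invalid": "I" in flags,
        })
    return entries


def audit(entries, inventory):
    """Compare ARP entries with {interface: {ip: mac}} for static-only interfaces.

    Returns a list of (finding, ip, mac) tuples.
    """
    findings = []
    seen = {iface: set() for iface in inventory}
    for e in entries:
        expected = inventory.get(e["iface"])
        if expected is None or e["disabled"] or e["invalid"]:
            continue  # interface not locked down, or entry not in effect
        if e["dynamic"]:
            # With arp=disabled on the interface no entry should be learned.
            findings.append(("dynamic-on-static-interface", e["ip"], e["mac"]))
            continue
        seen[e["iface"]].add(e["ip"])
        want = expected.get(e["ip"])
        if want is None:
            findings.append(("static-not-in-inventory", e["ip"], e["mac"]))
        elif want.upper() != e["mac"]:
            findings.append(("mac-mismatch", e["ip"], e["mac"]))
    for iface, expected in inventory.items():
        for ip in sorted(set(expected) - seen[iface]):
            findings.append(("missing-static", ip, expected[ip].upper()))
    return findings


# Constructed sample in the manual's print layout: entries 2 and 3 are anomalies.
SAMPLE = """\
[MikroTik] ip arp> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS         MAC-ADDRESS       INTERFACE
  0 D 10.1.1.254      00:80:C8:C9:B0:45 Public
  1   10.5.8.214      08:00:46:04:33:17 Local
  2 D 10.5.8.204      00:60:52:0B:B4:80 Local
  3   10.5.8.215      02:00:00:00:00:AA Local
"""

# Constructed inventory for the interface that should hold static entries only.
INVENTORY = {
    "Local": {
        "10.5.8.214": "08:00:46:04:33:17",
        "10.5.8.215": "02:00:00:00:00:15",
        "10.5.8.216": "02:00:00:00:00:16",
    }
}

if __name__ == "__main__":
    for finding in audit(parse_arp_print(SAMPLE), INVENTORY):
        print(finding)
```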

Using the Proxy-ARP Feature

All physical interfaces, like Ethernet, Prism, Aironet (PC), WaveLAN, etc., can be set to use the Address Resolution Protocol or not. By default, the arp feature is 'enabled'. However, it can be changed to 'proxy-arp'. The Proxy-ARP feature means that the router will listen to arp requests received at the relevant interface and respond to them with its own MAC address, if the request matches any other IP address of the router. For example, you can assign IP addresses to dial-in (ppp, pppoe, pptp) clients from the same address space as used on the connected LAN, if you enable 'proxy-arp' on the LAN interface. Let us consider the following setup:

The MikroTik router setup is as follows:

[MikroTik] > interface ethernet print
Flags: X - disabled
  #   NAME                 MTU   MAC-ADDRESS       ARP
  0   eth-LAN              1500  00:E0:C5:BC:12:1C proxy-arp
[MikroTik] > interface print
Flags: X - disabled, D - dynamic
  #   NAME                 TYPE             MTU
  0   eth-LAN              ether            1500
  1   prism1               prism            1500
  2 D pppoe-in25           pppoe-in
  3 D pppoe-in26           pppoe-in
[MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.217/24      10.0.0.0        10.0.0.255      eth-LAN
  1 D 10.0.0.217/32      10.0.0.230      0.0.0.0         pppoe-in25
  2 D 10.0.0.217/32      10.0.0.231      0.0.0.0         pppoe-in26
[MikroTik] > ip route print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
    0  S 0.0.0.0/0          r 10.0.0.1        1        eth-LAN
    1 DC 10.0.0.0/24        r 0.0.0.0         0        eth-LAN
    2 DC 10.0.0.230/32      r 0.0.0.0         0        pppoe-in25
    3 DC 10.0.0.231/32      r 0.0.0.0         0        pppoe-in26
[MikroTik] >

Troubleshooting


© Copyright 1999-2002, MikroTik MikroTik RouterOS V2.4 Technical Reference Manual

MikroTik RouterOS V2.4 IP Route Management

Document revision 17-Feb-2002
This document applies to the MikroTik RouterOS V2.4

Overview

The following Manual discusses managing the IP routes. MikroTik RouterOS has the following types of routes:

Contents of the Manual

The following topics are covered in this manual:

Adding Static Routes

Any static route can be added using the 'add' command under the '/ip route' menu. You do not need to add routes to networks directly connected to the router, since they are added automatically when adding the IP addresses. However, unless you use some routing protocol (RIP or OSPF), you may want to specify static routes to specific networks, or the default route. For example, we can add two static routes to networks 192.168.0.0/16 and 0.0.0.0/0 (the default destination address) of a router with two interfaces and two IP addresses:

[MikroTik] ip route> /ip address print                                         
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.0.0.216/24      10.0.0.216      10.0.0.255      ether1                
  1   159.148.24.23/24   159.148.24.0    159.148.24.255  ether2                
[MikroTik] ip route> add dst-address=192.168.0.0/16 gateway=10.0.0.2
[MikroTik] ip route> add gateway=159.148.24.254

There are several ways of viewing the routes:

[MikroTik] ip route> print                                                     
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE        DST-ADDRESS        NEXTHOP... GATEWAY    DISTANCE INTERFACE 
  0    static      10.5.8.0/24        A          10.0.0.1   1        ether1    
  1    static      192.168.0.0/16     A          10.0.0.2   1        ether1    
  2    static      0.0.0.0/0          A          159.148... 1        ether2    
  3 D  connect     159.148.24.0/24    A          0.0.0.0    0        ether2    
  4 D  connect     10.0.0.0/24        A          0.0.0.0    0        ether1    
[MikroTik] ip route> print columns="type dst-address gateway interface"
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE              DST-ADDRESS        GATEWAY           INTERFACE        
  0    static            10.5.8.0/24        10.0.0.1          ether1           
  1    static            192.168.0.0/16     10.0.0.2          ether1           
  2    static            0.0.0.0/0          159.148.24.254    ether2           
  3 D  connect           159.148.24.0/24    0.0.0.0           ether2           
  4 D  connect           10.0.0.0/24        0.0.0.0           ether1           
[MikroTik] ip route> print detail                                              
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  0    dst-address=10.5.8.0/24 gateway=10.0.0.1 nexthop-state=A 
       preferred-source=0.0.0.0 interface=ether1 distance=1 type=static 

  1    dst-address=192.168.0.0/16 gateway=10.0.0.2 nexthop-state=A 
       preferred-source=0.0.0.0 interface=ether1 distance=1 type=static 

  2    dst-address=0.0.0.0/0 gateway=159.148.24.254 nexthop-state=A 
       preferred-source=0.0.0.0 interface=ether2 distance=1 type=static 

  3 D  dst-address=159.148.24.0/24 gateway=0.0.0.0 nexthop-state=A 
       preferred-source=159.148.24.23 interface=ether2 distance=0 type=connect 

  4 D  dst-address=10.0.0.0/24 gateway=0.0.0.0 nexthop-state=A 
       preferred-source=10.0.0.216 interface=ether1 distance=0 type=connect 

[MikroTik] ip route>

Description of the arguments:

number - number assigned to the item in the list
flag - shows the status of the item
type - type of the route shows "where it came from" (connected / static / RIP / OSPF)
dst-address - destination address, can be in the form address/mask, where mask is number of bits in the subnet mask.
netmask - network mask in the decimal form xxx.xxx.xxx.xxx, the default value is 0.0.0.0
gateway - gateway host that can be reached directly through one of the interfaces. You can specify multiple gateways separated by a comma "," for equal cost multipath routes. See more information on that below.
nexthop-state - shows the status of the next hop. Can be "A" (active).
preferred-source - source address of packets leaving the router via this route. Must be a valid address of the router, which is assigned to the router's interface, where the packet leaves. Default value is 0.0.0.0, i.e., it is determined at the time of sending the packet out through the interface.
interface - interface through which the gateway can be reached. If (unknown), then the gateway cannot be reached directly, or the route has been disabled.
distance - administrative distance of the route. When forwarding a packet the router will use the route with the lowest administrative distance and reachable gateway.

Equal Cost Multipath Routing

The equal cost multipath routing feature can be used for load balancing. It is implemented in MikroTik RouterOS according to RFC2328.

A new gateway is chosen for each new source/destination IP pair. This means that, for example, one FTP connection will use only one link, but a new connection to a different server will use another link. On big backbones this should distribute traffic well. Another benefit is that the packets of a single connection do not get reordered and therefore do not degrade TCP performance.

Equal cost multipath routes can be created by routing protocols (RIP or OSPF), or adding a static route with multiple gateways. The routing protocols may create routes with equal cost automatically, if the cost of the interfaces is adjusted properly. For more information on using the routing protocols, please read the corresponding section of the Manual.

To create a static multipath route, specify the gateway argument in the form "gateway=x.x.x.x,y.y.y.y", for example:

[MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE        DST-ADDRESS        NEXTHOP... GATEWAY    DISTANCE INTERFACE 
  0    static      10.5.8.0/24        A          10.0.0.1   1        ether1    
  1    static      192.168.0.0/16     A          10.0.0.2   1        ether1    
  2    static      0.0.0.0/0          A          159.148... 1        ether2    
  3 D  connect     159.148.24.0/24    A          0.0.0.0    0        ether2    
  4 D  connect     10.0.0.0/24        A          0.0.0.0    0        ether1    
[MikroTik] ip route> set 1 gateway=10.0.0.2,10.0.0.3,159.148.24.1
[MikroTik] ip route> print columns="type dst-address gateway interface "       
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE              DST-ADDRESS        GATEWAY           INTERFACE        
  0    static            10.5.8.0/24        10.0.0.1          ether1           
  1    static            192.168.0.0/16     10.0.0.2          ether1           
                                            10.0.0.3          ether1           
                                            159.148.24.1      ether2           
  2    static            0.0.0.0/0          159.148.24.254    ether2           
  3 D  connect           159.148.24.0/24    0.0.0.0           ether2           
  4 D  connect           10.0.0.0/24        0.0.0.0           ether1           
[MikroTik] ip route> 

Policy Routing

Policy Routing is a new feature in V2.4 of MikroTik RouterOS. Policy routing is implemented using multiple routing tables and a list of rules that specify how these tables should be used.

Policy routing in MikroTik RouterOS is based on the source and destination addresses of the packet and on the interface through which the packet arrives at the router.

Note! Policy routing will not function 'as desired' for packets originated from the router or masqueraded packets. This is because these packets have source address 0.0.0.0 at the moment when they are processed by the routing table. Therefore it is not possible to have masquerading with different source addresses.

When finding the route for a packet, the packet is matched against the policy routing rules one after another, until some rule matches the packet. Then the action specified in that rule is executed. If no rule matches the packet, it is assumed that there is no route to the given host and the appropriate action is taken (packet dropped and ICMP error sent back to the source).

If the routing table does not have a route for the packet, the next rule after the one that directed to the current table is examined, until either a route is found, the end of the rule list is reached, or some rule with action drop or unreachable is hit.

For this reason it is good to have the last rule say "from everywhere to everywhere, all interfaces, lookup main route table", because then gateways can be found (connected routes are entered in the main table only).

Action for the rule can be one of:

Note that the only way for a packet to be forwarded is to have some rule direct it to a routing table that contains a route to the packet's destination.
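
The rule evaluation described above, modelled as an added Python example (not RouterOS code and not MikroTik's implementation): first-match rules with fall-through when the selected table has no route, plus a check for rules that an earlier rule prevents from ever being reached. The table names net1 and net2, the 203.0.113.0/24 drop rule, longest-prefix matching inside a table and all function names are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    dst: str        # destination prefix, e.g. "192.168.0.0/16"
    gateway: str


@dataclass(frozen=True)
class Rule:
    src: str                     # source prefix the rule matches
    dst: str                     # destination prefix the rule matches
    interface: str               # incoming interface name, or "all"
    action: str                  # "lookup", "drop" or "unreachable"
    table: Optional[str] = None  # routing table used by "lookup"


def best_route(table, dst_ip):
    """Longest-prefix match inside one table (assumed, standard IP behaviour)."""
    hits = [r for r in table if dst_ip in ipaddress.ip_network(r.dst)]
    return max(hits, key=lambda r: ipaddress.ip_network(r.dst).prefixlen,
               default=None)


def route_packet(rules, tables, src, dst, in_interface):
    """Return (verdict, gateway, rule_index) for one packet."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for index, rule in enumerate(rules):
        if src_ip not in ipaddress.ip_network(rule.src):
            continue
        if dst_ip not in ipaddress.ip_network(rule.dst):
            continue
        if rule.interface not in ("all", in_interface):
            continue
        if rule.action in ("drop", "unreachable"):
            return (rule.action, None, index)
        route = best_route(tables.get(rule.table, []), dst_ip)
        if route is not None:
            return ("forward", route.gateway, index)
        # The table had no route for this packet: examine the next rule.
    return ("no-route", None, None)


def covers(earlier, later):
    """True if every packet matching 'later' also matches 'earlier'."""
    return (ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
            and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
            and earlier.interface in ("all", later.interface))


def is_terminal(rule, tables):
    """A rule never falls through if it drops or its table has a default route."""
    if rule.action != "lookup":
        return True
    return any(ipaddress.ip_network(r.dst).prefixlen == 0
               for r in tables.get(rule.table, []))


def shadowed_rules(rules, tables):
    """Indexes of rules that can never be reached because of an earlier rule."""
    return [j for j, later in enumerate(rules)
            if any(is_terminal(e, tables) and covers(e, later) for e in rules[:j])]


# Constructed tables and rules for the illustration.
TABLES = {
    "net1": [Route("0.0.0.0/0", "10.0.0.1")],
    "net2": [Route("192.168.0.0/16", "10.0.0.2")],   # no default route
    "main": [Route("10.0.0.0/24", "0.0.0.0"), Route("0.0.0.0/0", "10.0.0.254")],
}
RULES = [
    Rule("1.1.1.0/24", "0.0.0.0/0", "all", "lookup", "net1"),
    Rule("2.2.2.0/24", "0.0.0.0/0", "all", "lookup", "net2"),
    Rule("203.0.113.0/24", "0.0.0.0/0", "all", "drop"),
    Rule("0.0.0.0/0", "0.0.0.0/0", "all", "lookup", "main"),
]
# Same rules with the catch-all moved to the top: the drop rule never fires.
MISORDERED = [RULES[3]] + RULES[:3]

if __name__ == "__main__":
    print(route_packet(RULES, TABLES, "2.2.2.9", "198.51.100.9", "ether1"))
    print(shadowed_rules(MISORDERED, TABLES))
```

With the catch-all rule first, traffic from the source that the drop rule was meant to block is forwarded through the main table, which is why the rule order is worth auditing after every change.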

Policy routing rules are configured in the /ip policy-routing rule menu:

[MikroTik] ip policy-routing rule> pr
Flags: X - disabled, I - invalid
  #   SRC-ADDRESS        DST-ADDRESS        INTERFACE   ACTION      TABLE
  0   0.0.0.0/0          0.0.0.0/0          all         lookup      main

After installation, there is one default rule, which says that routes for all packets should be looked up in the "main" table. Argument description:

src-address - Source IP address. Can be in the form address/mask, where mask is number of bits in the subnet, e.g., x.x.x.x/32 for the address x.x.x.x and the 32-bit netmask 255.255.255.255
src-netmask - Source netmask in decimal form x.x.x.x
dst-address - Destination IP address. Can be in the form address/mask, where mask is number of bits in the subnet, e.g., x.x.x.x/32 for the address x.x.x.x and the 32-bit netmask 255.255.255.255
dst-netmask - Destination netmask in decimal form x.x.x.x
interface - Interface name through which the packet arrives. Should be 'all' for the rule that should match locally generated or masqueraded packets, since at the moment of processing the routing table these packets have interface name set to loopback.

Routing tables can be created/deleted in the '/ip policy-routing' menu:

[MikroTik] ip policy-routing> pr
Flags: X - disabled
  #   NAME
  0   main

There is always the table "main" - this one cannot be deleted and its name cannot be changed. The "main" table is the routing table that can be changed by issuing commands in the '/ip route' menu.

A new table can be added:

[MikroTik] ip policy-routing> add name=karlis
[MikroTik] ip policy-routing> pr
Flags: X - disabled
  #   NAME
  0   karlis
  1   main

Routes in a routing table can be added/removed/changed in '/ip policy-routing table _table-name_' menu:

[MikroTik] ip policy-routing> table main
[MikroTik] ip policy-routing table main> pr
Flags: X - disabled, I - invalid, D - dynamic, R - rejected
  #    TYPE           DST-ADDRESS        GATEWAY        DISTANCE INTERFACE
  0 D  connect        10.0.0.0/24        0.0.0.0        0        ether2

You can see that the "main" table is the same as the one in '/ip route':

[MikroTik] ip policy-routing table main> /ip route pr
Flags: X - disabled, I - invalid, D - dynamic, R - rejected
  #    TYPE           DST-ADDRESS        GATEWAY        DISTANCE INTERFACE
  0 D  connect        10.0.0.0/24        0.0.0.0        0        ether2
[MikroTik] ip policy-routing table main>

Application Example for Policy Routing

We want packets coming from 1.1.1.0/24 to use gateway 10.0.0.1 and packets from 2.2.2.0/24 to use gateway 10.0.0.2. The rest of the packets should use gateway 10.0.0.254 (assuming we already have it so):

Commands to achieve this:

  1. Add 2 new routing tables:

    [MikroTik] ip policy-routing>
    add name=from_net1
    add name=from_net2
    [MikroTik] ip policy-routing> print
    Flags: X - disabled
      #   NAME
      0   from_net1
      1   from_net2
      2   main
    [MikroTik] ip policy-routing>
    
  2. Create the default route in each of the tables:

    [MikroTik] ip policy-routing>
    table from_net1 add gateway=10.0.0.1
    table from_net2 add gateway=10.0.0.2
    [MikroTik] ip policy-routing> table from_net1 print
    Flags: X - disabled, I - invalid, D - dynamic, R - rejected
      #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE
      0    static  0.0.0.0/0          A            10.0.0.1    1        Public
    [MikroTik] ip policy-routing> table from_net2 print
    Flags: X - disabled, I - invalid, D - dynamic, R - rejected
      #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE
      0    static  0.0.0.0/0          A            10.0.0.2    1        Public
    [MikroTik] ip policy-routing>
    
  3. Create rules that will direct traffic from sources to given tables, and arrange them in the desired order:

    [MikroTik] ip policy-routing> rule
    [MikroTik] ip policy-routing rule> print
    Flags: X - disabled, I - invalid
      #   SRC-ADDRESS        DST-ADDRESS        INTERFACE   ACTION      TABLE
      0   0.0.0.0/0          0.0.0.0/0          all         lookup      main
    [MikroTik] ip policy-routing rule>
    add src-address=1.1.1.1/32 action=lookup table=main
    add src-address=2.2.2.1/32 action=lookup table=main
    add src-address=1.1.1.0/24 action=lookup table=from_net1
    add src-address=2.2.2.0/24 action=lookup table=from_net2
    [MikroTik] ip policy-routing rule> print
    Flags: X - disabled, I - invalid
      #   SRC-ADDRESS        DST-ADDRESS        INTERFACE   ACTION      TABLE
      0   0.0.0.0/0          0.0.0.0/0          all         lookup      main
      1   1.1.1.1/32         0.0.0.0/0          all         lookup      main
      2   2.2.2.1/32         0.0.0.0/0          all         lookup      main
      3   1.1.1.0/24         0.0.0.0/0          all         lookup      from_net1
      4   2.2.2.0/24         0.0.0.0/0          all         lookup      from_net2
    [MikroTik] ip policy-routing rule> move 0 4
    [MikroTik] ip policy-routing rule> print
    Flags: X - disabled, I - invalid
      #   SRC-ADDRESS        DST-ADDRESS        INTERFACE   ACTION      TABLE
      0   1.1.1.1/32         0.0.0.0/0          all         lookup      main
      1   2.2.2.1/32         0.0.0.0/0          all         lookup      main
      2   1.1.1.0/24         0.0.0.0/0          all         lookup      from_net1
      3   2.2.2.0/24         0.0.0.0/0          all         lookup      from_net2
      4   0.0.0.0/0          0.0.0.0/0          all         lookup      main
    [MikroTik] ip policy-routing rule>
    

    Here the rules #0 and #1 are needed to correctly process connections from the local networks to the local addresses of the router. Namely, the 'connected' routes from the main table should be used instead of the default routes from table from_net1 or from_net2. Rules #2 and #3 will handle packets with destinations other than the locally connected networks.
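The lookup procedure described in this section, run against the rules and tables of the application example, as an added Python model (not RouterOS code and not part of the original manual). Interface matching is left out because every rule here uses 'all'; the connected 10.0.0.0/24 route in main, the `partial` table and the destination addresses are assumptions made for the illustration.

```python
import ipaddress

# Routing tables: name -> list of (destination prefix, gateway).
# from_net1, from_net2 and the default via 10.0.0.254 come from the example;
# the connected 10.0.0.0/24 route and the "partial" table are constructed.
TABLES = {
    "main": [("10.0.0.0/24", "connected"), ("0.0.0.0/0", "10.0.0.254")],
    "from_net1": [("0.0.0.0/0", "10.0.0.1")],
    "from_net2": [("0.0.0.0/0", "10.0.0.2")],
    "partial": [("192.0.2.0/24", "10.0.0.9")],
}

# Rules in the final order printed in step 3: (src, dst, action, table).
RULES = [
    ("1.1.1.1/32", "0.0.0.0/0", "lookup", "main"),
    ("2.2.2.1/32", "0.0.0.0/0", "lookup", "main"),
    ("1.1.1.0/24", "0.0.0.0/0", "lookup", "from_net1"),
    ("2.2.2.0/24", "0.0.0.0/0", "lookup", "from_net2"),
    ("0.0.0.0/0", "0.0.0.0/0", "lookup", "main"),
]


def best_route(table, dst):
    """Longest-prefix match inside one table; None if it has no route."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(prefix), gw) for prefix, gw in table
            if dst in ipaddress.ip_network(prefix)]
    if not hits:
        return None
    return max(hits, key=lambda hit: hit[0].prefixlen)[1]


def route(src, dst, rules=RULES, tables=TABLES):
    """Return (rule number, table or action, gateway) for one packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (rsrc, rdst, action, table) in enumerate(rules):
        if s not in ipaddress.ip_network(rsrc):
            continue
        if d not in ipaddress.ip_network(rdst):
            continue
        if action in ("drop", "unreachable"):
            return number, action, None
        gateway = best_route(tables[table], dst)
        if gateway is not None:
            return number, table, gateway
        # The table had no route: examine the next rule.
    # End of the rule list reached: no route to host.
    return None, "unreachable", None


if __name__ == "__main__":
    for src, dst in [("1.1.1.7", "198.51.100.10"),
                     ("2.2.2.9", "198.51.100.10"),
                     ("1.1.1.1", "10.0.0.5"),
                     ("3.3.3.3", "198.51.100.10")]:
        print(src, "->", dst, route(src, dst))
    # Without the final catch-all rule nothing matches other sources.
    print(route("3.3.3.3", "198.51.100.10", rules=RULES[:4]))
```

Removing the last rule leaves every source outside 1.1.1.0/24 and 2.2.2.0/24 without a route, which is the reason the catch-all lookup in main is kept at the end of the list.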

Additional Resources

Recommended readings for guidelines on routing issues:



MikroTik RouterOS V2.4 IP Traffic Accounting

Document revision 31-Dec-2001
This document applies to the MikroTik RouterOS V2.4

Overview

The IP Traffic Accounting feature enables administrators to keep an accurate record of traffic passed through the router between IP level hosts. ISPs or network administrators can use this for traffic based billing or detailed monitoring of network activity. This feature generates simple traffic data. Additional utilities are required for useful analysis and calculation of the traffic data. Information on utilities and examples of scripts for collecting data are provided in this manual.

The MikroTik RouterOS supports:

Topics covered in this manual:

Installation

The Traffic Accounting feature is included in the "system" package. No installation is needed for this feature.

Hardware Resource Usage

The maximum number [threshold] of "IP pairs" stored may require additional RAM installation. Each IP pair uses approximately 40 bytes. The system uses a "current" table which accounts for current data. The system also keeps the "snapshot" table for retrieval. Therefore, the memory usage for the IP pairs can be calculated with "number of IP pairs" x "40 bytes" x 2 (for the two tables). The default threshold of IP pairs is set to 1000 (80KB). When using the default threshold setting of 1000, no additional memory is suggested. For threshold settings higher than 12,500 (1MB), memory usage estimates should be made, system resources should be monitored, and RAM should be increased accordingly. The maximum setting is 100,000 IP pairs.

Traffic accounting setup

[MikroTik] ip accounting> set enabled yes
[mikrotik] ip accounting> print
    threshold: 256
      enabled: yes

Description of arguments:

enabled - Traffic accounting is disabled by default. Settings are 'enabled yes' and 'enabled no'
threshold - The threshold setting sets the maximum number of IP pairs for the traffic accounting table – see "Threshold settings" for more information on the optimal settings. The default setting is for 1000 IP pairs.

Traffic data description

Only IP traffic is accounted. As each packet passes through the router, the packet source and destination are matched to an IP pair in the accounting table and the traffic for that pair is increased. If no matching IP pair exists, a new entry is created in the table. Both the number of packets and the number of bytes are accounted. Only packets that enter and leave the router are counted. Packets that are dropped in the router are not counted. Packets that are sent from the router itself are not counted – such as packets used for administration connections (i.e. web and telnet connections to the router). Packets that are masqueraded with the router will be accounted for with the actual IP host addresses on each side.

See Traffic Display and collection for a printout of a snapshot.

For example, a TCP connection between two computers with traffic going through the router will cause two IP pairs to be added to the traffic accounting table. One IP pair will have computer A as the source and computer B as the destination. Another IP pair will have computer B as the source and computer A as the destination.

Threshold settings

The threshold setting limits the maximum number of IP pairs in the accounting table. When the limit is reached, no new IP pairs will be added to the accounting table. Each packet that is not accounted for in the accounting table will then be added to the "uncounted" counter. To see if the limit on pairs has been reached, check the "uncounted" counter:

[MikroTik] ip accounting uncounted> print
    packets: 0
      bytes: 0

When a snapshot is made for data collection, the accounting table is cleared and new IP pairs and traffic data are added. The more frequently traffic data is collected, the less likely it is that the IP pairs threshold limit will be reached. It is suggested that traffic data be collected every 15 minutes.

Traffic data display and collection

The traffic data can be viewed by both the telnet/terminal console and java console. The traffic data can be collected manually or by using standard Unix/Linux utilities and MikroTik’s shareware MT_Syslog Daemon. This manual section will cover:

The traffic accounting system consists of a "current" accounting table and a "snapshot" image. When the "snapshot" image is made of the "current" accounting table, the "current" accounting table is cleared and starts accounting data anew. The "snapshot" image can be made in two ways.

An image of traffic data can be made manually by issuing the "snapshot" command from the terminal/console or java console. The "snapshot" can then be viewed with the print command. The traffic data from the telnet/terminal console will appear as follows:

[mikrotik] ip accounting snapshot> print

SRC-ADDRESS     DST-ADDRESS     PACKETS                 BYTES
10.9.5.88       10.8.0.4        408534                  39822596
10.8.0.4        10.9.5.88       103944                  12874447
19.11.254.136   10.0.0.144      15191                   1243118
10.7.0.105      159.148.147.194 33239                   2526124
159.148.147.194 10.7.0.105      33237                   2526012

The web page report makes it possible to use the standard Unix/Linux tool wget to collect the traffic data and save it to a file. If the web report is enabled and the web page is "viewed", the snapshot will be made when the wget (or standard browser) connection is initiated to the web page. The "snapshot" will then be displayed on the web page. TCP protocol used by http connections with the wget tool guarantees that none of the traffic data will be lost. The "snapshot" image will be made when the connection from wget is initiated. Web browsers or wget should connect to URL http://routerIP/accounting/ip.cgi

[MikroTik] ip accounting web> print

    address: 0.0.0.0
       mask: 0.0.0.0
    enabled: yes

For security purposes, collection of the web report can be limited to one IP address or IP subnet. The above example of address: 0.0.0.0 and netmask: 0.0.0.0 allows all IP hosts to access the web reports. With the settings address: 10.1.0.3 and netmask: 255.255.255.255, only IP host 10.1.0.3 is allowed to access the web reports.

A simple script can be run with crond and wget to periodically collect traffic data. Timestamps can be added to the traffic data file as well as other features.

MikroTik Download Utilities Page
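One way to post-process a collected snapshot, as an added Python example that is not one of MikroTik's utilities: it timestamps each IP pair, merges the two directions of a connection, and lists pairs seen in one direction only. The layout of the ip.cgi report is not shown in this manual, so the parser assumes the four-column layout of the console printout above.

```python
from collections import defaultdict
from datetime import datetime, timezone

# The snapshot rows printed earlier in this section.
SNAPSHOT = """\
SRC-ADDRESS     DST-ADDRESS     PACKETS                 BYTES
10.9.5.88       10.8.0.4        408534                  39822596
10.8.0.4        10.9.5.88       103944                  12874447
19.11.254.136   10.0.0.144      15191                   1243118
10.7.0.105      159.148.147.194 33239                   2526124
159.148.147.194 10.7.0.105      33237                   2526012
"""


def parse_snapshot(text, collected_at):
    """Return one timestamped record per IP pair; skip header and junk lines."""
    stamp = collected_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not (parts[2].isdigit() and parts[3].isdigit()):
            continue
        records.append({"time": stamp, "src": parts[0], "dst": parts[1],
                        "packets": int(parts[2]), "bytes": int(parts[3])})
    return records


def conversations(records):
    """Merge the two directional IP pairs of a connection into one entry."""
    merged = defaultdict(lambda: {"packets": 0, "bytes": 0, "directions": set()})
    for rec in records:
        key = tuple(sorted((rec["src"], rec["dst"])))
        entry = merged[key]
        entry["packets"] += rec["packets"]
        entry["bytes"] += rec["bytes"]
        entry["directions"].add((rec["src"], rec["dst"]))
    return dict(merged)


def one_way_pairs(records):
    """Pairs with traffic in one direction only (no counted return traffic)."""
    return sorted(next(iter(entry["directions"]))
                  for entry in conversations(records).values()
                  if len(entry["directions"]) == 1)


def to_lines(records):
    """Flat, grep-friendly lines suitable for appending to a log file."""
    return ["{time} {src} {dst} {packets} {bytes}".format(**rec)
            for rec in records]


if __name__ == "__main__":
    recs = parse_snapshot(SNAPSHOT, datetime.now(timezone.utc))
    print("\n".join(to_lines(recs)))
    for hosts, entry in conversations(recs).items():
        print(hosts, entry["packets"], "packets", entry["bytes"], "bytes")
    print("one-way:", one_way_pairs(recs))
```

Because dropped packets are not counted, a pair that shows up in one direction only means the return traffic was dropped or did not pass through this router during the collection interval.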

Traffic data analysis

There are many tools and systems to analyze traffic data. Useful common tools are:

Additional Resources

Links for documentation:

http://www.gnu.org/manual/wget/
http://www.gnu.org/manual/grep-2.4/



MikroTik RouterOS V2.4 Static Network Address Translation (NAT)

Document revision 31-Dec-2001
This document applies to the MikroTik RouterOS V2.4

Overview

Static NAT (Network Address Translation) is the translation of an IP address and/or port used within one network to a different IP address and/or port known within another network.

Remark: To use a private address space, NAT is not required. It is required only to map one global IP address and/or port to a local one. Typically, masquerading (a firewall feature) is used to masquerade the local inside network addresses and ports to one global outside IP address and ports.
Please consult the Basic Setup Guide and the Firewall Manual for more information on masquerading.

The NAT rules are applied in the following order:

Things become complicated when NAT is used together with masquerading. This is discussed below in the Application Examples.

For more information about NAT, see RFC 1631. For example, you can visit this site: http://www.faqs.org/rfcs/rfc1631.html

Contents of the Manual

The following topics are covered in this manual:

NAT Installation

The NAT feature is included in the "system" software package. No additional software package installation is needed for this feature.

Configuring NAT

The NAT management is under the /ip firewall static-nat menu in the Console:

[MikroTik] ip firewall static-nat>                                             
NAT allows to translate addresses and ports of IP packets as they leave or 
enter the router. This allows to use IP address space more efficiently. 

      add  Add new NAT rule
  comment  Set rule comment
  disable  Disable rule
   enable  Enable rule
   export  Export rules
     find  Find NAT rules
      get  Get value of item's property
     move  Move rule
    print  Show NAT rules
   remove  Remove NAT rule
      set  Change NAT rule
[MikroTik] ip firewall static-nat> 

NAT can be managed through the JAVA Console as well. Go to IP/Firewall and open the Static NAT window by pressing the button with two arrows.

Adding a NAT Rule

Usually two NAT rules are required for mapping one address:port to another one: one rule for mapping the incoming packets and one for the outgoing packets of a connection. Only for UDP packets (one-directional packet flow) is a single NAT rule enough to modify the packet's address and/or port.

NAT rules can be added using the /ip firewall static-nat add command. The argument description is as follows:

src-address - Source IP address. Can be in the form address/mask:ports, where mask is number of bits in the subnet, and ports is one port, or range of ports, e.g., x.x.x.x/32:80-81
src-netmask - Source netmask in decimal form x.x.x.x
src-port - Source port number or range (0-65535). 0 means all ports 1-65535.
dst-address - Destination IP address. Can be in the form address/mask:ports, where mask is number of bits in the subnet, and ports is one port, or range of ports, e.g., x.x.x.x/32:80-81
dst-netmask - Destination netmask in decimal form x.x.x.x
dst-port - Destination port number or range (0-65535). 0 means all ports 1-65535.
to-src-address - Translated source IP address. Can be in the form address/mask:ports, where mask is number of bits in the subnet, and ports is one port, or range of ports, e.g., x.x.x.x/32:80-81
to-src-netmask - Translated source netmask
to-src-port - Translated source port number. 0 means no change (leave as it was).
to-dst-address - Translated destination IP address. 0.0.0.0 means no change. Can be in the form address/mask:ports, where mask is number of bits in the subnet, and ports is one port, or range of ports, e.g., x.x.x.x/32:80-81
to-dst-netmask - Translated destination netmask
to-dst-port - Translated destination port number. 0 means no change (leave as it was).
interface - Interface, for which the rule should be used
protocol - Protocol
translate - translate or not (yes/no). If 'no', then the packet is passed through without translation, and no more NAT rules are processed.
direction - direction of the packet regarding the interface. 'in' means from the interface into the router, and 'out' means from the router to the interface.

The existing NAT rules can be listed using the /ip firewall static-nat print command. Example output is:

[MikroTik]> ip firewall static-nat 
[MikroTik] ip firewall static-nat> print                                       
Flags: X - disabled, I - invalid 
  0   interface=Public src-address=0.0.0.0/0:0-65535 dst-address=10.1.1.12/32:80 
      protocol=tcp to-src-address=0.0.0.0/0:0 to-dst-address=192.168.0.17/32:80 
      translate=yes direction=in 

  1   interface=Public src-address=192.168.0.17/32:80 dst-address=0.0.0.0/0:0-65535 
      protocol=tcp to-src-address=10.1.1.12/32:80 to-dst-address=0.0.0.0/0:0 
      translate=yes direction=out 

[MikroTik] ip firewall static-nat>  

For argument description see the add command above.

The NAT rule parameters can be changed using the /ip firewall static-nat set # command, where the # is the NAT rule number obtained from the print command.

NAT rules are processed in the order they appear in the /ip firewall static-nat print command list. Use the /ip firewall static-nat move #1 #2 command to change the order of NAT rules. Here, #1 is the current number of the rule in the list, and #2 is the desired number of the rule.

NAT rules can be enabled or disabled using the /ip firewall static-nat enable # and /ip firewall static-nat disable # commands. Disabled NAT rules are not processed.

Troubleshooting

NAT Applications

Further on, several examples of using NAT are given arranged according to complexity:

Example of NAT

Assume we want to map external address 10.1.1.12 and port 8080 to the internal address 192.168.0.17 and port 80. The basic network setup is in the following diagram:

NAT

The IP addresses and routes of the MikroTik router are as follows:

[MikroTik] ip address> print                                                   
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   192.168.0.254/24   192.168.0.0     192.168.0.255   Local                 
  1   10.1.1.12/24       10.1.1.0        10.1.1.255      Public                
[MikroTik] ip address> /ip route print                                         
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  0.0.0.0/0          A            10.1.1.254  1        Public     
  1 D  connect 192.168.0.0/24     A            0.0.0.0     0        Local      
  2 D  connect 10.1.1.0/24        A            0.0.0.0     0        Public     
[MikroTik] ip address>

Two static NAT rules are required for translating the address:port - one for the incoming packets, and one for the outgoing packets:

[MikroTik]> ip firewall static-nat
[MikroTik] ip firewall static-nat> 
add dst-address 10.1.1.12/32:8080 protocol tcp \
    direction in interface Public translate yes \
    to-dst-address 192.168.0.17/32:80
add src-address 192.168.0.17/32:80 protocol tcp \
    direction out interface Public translate yes \
    to-src-address 10.1.1.12/32:8080

[MikroTik] ip firewall static-nat> print
Flags: X - disabled, I - invalid 
  0   interface=Public src-address=0.0.0.0/0:0-65535 dst-address=10.1.1.12/32:8080 
      protocol=tcp to-src-address=0.0.0.0/0:0 to-dst-address=192.168.0.17/32:80 
      translate=yes direction=in 

  1   interface=Public src-address=192.168.0.17/32:80 dst-address=0.0.0.0/0:0-65535 
      protocol=tcp to-src-address=10.1.1.12/32:8080 to-dst-address=0.0.0.0/0:0 
      translate=yes direction=out 

[MikroTik] ip firewall static-nat> 

From the global network, the server can be accessed at 10.1.1.12:8080.
From the local network, the server can be accessed at 192.168.0.17:80.
The server cannot be accessed at 10.1.1.12:8080 from the local network. This is because the server sees the request coming from its own network and responds directly, i.e., bypassing the router and the NAT rule. Please see the further examples for enabling the use of the global address 10.1.1.12:8080 for accessing the server locally.

Example of NAT with Masquerading

Since we use masquerading for the Local network 192.168.0.0/24 (see the Application Example above), we should exclude masquerading for the server's address 192.168.0.17 and TCP port 80 by adding a rule with action 'accept' to the forward chain. The second rule would masquerade everything else:

[MikroTik]> ip firewall rule forward
[MikroTik] ip firewall rule forward >
add src-address 192.168.0.17/32:80 protocol tcp interface Public 
add src-address 192.168.0.0/24 action masq interface Public 
[MikroTik] ip firewall rule forward> print                                           
Flags: X - disabled, I - invalid 
  0   protocol=tcp src-address=192.168.0.17/32:80 
      dst-address=0.0.0.0/0:0-65535 interface=Public action=accept 
      tcp-options=all log=no 

  1   protocol=all src-address=192.168.0.0/24:0-65535 
      dst-address=0.0.0.0/0:0-65535 interface=Public action=masq 
      tcp-options=all log=no 

[MikroTik] ip firewall rule forward>

Example of NAT for ftp

The ftp uses TCP port 21 on the server for establishing the connection, and the server's tcp port 20 when connecting back to the client for data connections.

To translate the addresses and ports, a total of four static NAT rules would be required. However, ports 20 and 21 can be grouped in a port range, and then only two rules are required:

[MikroTik] ip firewall static-nat>
add dst-address 10.1.1.12/32:20-21 protocol tcp \
    direction in interface Public translate yes \
    to-dst-address 192.168.0.17/32
add src-address 192.168.0.17/32:20-21 protocol tcp \
    direction out interface Public translate yes \
    to-src-address 10.1.1.12/32
[MikroTik] ip firewall static-nat> print                                       
Flags: X - disabled, I - invalid 
  0   interface=Public src-address=0.0.0.0/0:0-65535 dst-address=10.1.1.12/32:20-21 
      protocol=tcp to-src-address=0.0.0.0/0:0 to-dst-address=192.168.0.17/32:0 
      translate=yes direction=in 

  1   interface=Public src-address=192.168.0.17/32:20-21 
      dst-address=0.0.0.0/0:0-65535 protocol=tcp to-src-address=10.1.1.12/32:0 
      to-dst-address=0.0.0.0/0:0 translate=yes direction=out 

[MikroTik] ip firewall static-nat>     

Note that the to-src-port and to-dst-port arguments have not been specified, so they have the value '0', i.e., 'no translation' for ports.

Also, do not forget to exclude source address:ports 192.168.0.17:20-21 from masquerading, if it is used for local addresses:

[MikroTik] ip firewall rule forward>
add src-address 192.168.0.17/32:20-21 interface Public protocol tcp
add action masq interface Public
[MikroTik] ip firewall rule forward> print                                     
Flags: X - disabled, I - invalid 
  0   protocol=tcp src-address=192.168.0.17/32:20-21 
      dst-address=0.0.0.0/0:0-65535 interface=Public action=accept 
      tcp-options=all log=no 

  1   protocol=all src-address=0.0.0.0/0:0-65535 
      dst-address=0.0.0.0/0:0-65535 interface=Public action=masq 
      tcp-options=all log=no 

[MikroTik] ip firewall rule forward>   

Example of NAT and Access from the Local Network

Let us reconsider the previous example of using NAT for ftp. To enable the local workstations 192.168.0.1...2 to access the server on the local net using its global address 10.1.1.12:21, the network configuration should be changed. The requests to the server should appear to come from another network rather than from its own. Then the 'backward' translation rules will be used too, since the packets will be sent back to the router.

To accomplish this:

  1. The server's IP address should be configured to be on another network, say 192.168.1.0/24
  2. The NAT rules should be set for all interfaces.

The network diagram looks as follows:

NAT

To add another address to the router, use:

[MikroTik] ip address> add address 192.168.1.254/24 interface Local
[MikroTik] ip address> print                                                   
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   192.168.0.254/24   192.168.0.0     192.168.0.255   Local                 
  1   192.168.1.254/24   192.168.1.0     192.168.1.255   Local                 
  2   10.1.1.12/24       10.1.1.0        10.1.1.255      Public                
[MikroTik] ip address>

Add two static NAT rules:

[MikroTik] ip firewall static-nat>
add dst-address 10.1.1.12/32:20-21 protocol tcp \
    direction in translate yes to-dst-address 192.168.1.17/32
add src-address 192.168.1.17/32:20-21 protocol tcp \
    direction out translate yes to-src-address 10.1.1.12/32
[MikroTik] ip firewall static-nat> print                                       
Flags: X - disabled, I - invalid 
  0   interface=all src-address=0.0.0.0/0:0-65535 dst-address=10.1.1.12/32:20-21 
      protocol=tcp to-src-address=0.0.0.0/0:0 to-dst-address=192.168.1.17/32:0 
      translate=yes direction=in 

  1   interface=all src-address=192.168.1.17/32:20-21 
      dst-address=0.0.0.0/0:0-65535 protocol=tcp to-src-address=10.1.1.12/32:0 
      to-dst-address=0.0.0.0/0:0 translate=yes direction=out 

[MikroTik] ip firewall static-nat> 

Add two rules to the forward chain:

[MikroTik] ip firewall rule forward>
add src-address 192.168.1.17/32:20-21 protocol tcp interface Public 
add action masq interface Public 
[MikroTik] ip firewall rule forward> print                                     
Flags: X - disabled, I - invalid 
  0   protocol=tcp src-address=192.168.1.17/32:20-21 
      dst-address=0.0.0.0/0:0-65535 interface=Public action=accept 
      tcp-options=all log=no 

  1   protocol=all src-address=0.0.0.0/0:0-65535 
      dst-address=0.0.0.0/0:0-65535 interface=Public action=masq 
      tcp-options=all log=no 

[MikroTik] ip firewall rule forward>

The local workstations from Network 0 will be accessing the server on Network 1 solely through the router, and all packets will be processed against the translation rules.
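The effect of moving the server to its own network, traced packet by packet in an added Python model (not RouterOS code and not part of the original manual). It applies the two interface=all static NAT rules from this example; first-match rule processing, the client port 40000 and the outside client 10.1.1.50 are assumptions, and masquerading is not modelled.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")
# Fields mirror the static-nat arguments; to_src/to_dst None means no change.
NatRule = namedtuple(
    "NatRule", "direction interface src sports dst dports to_src to_dst",
    defaults=("all", "0.0.0.0/0", (0, 65535), "0.0.0.0/0", (0, 65535),
              None, None))

PUBLIC_IP = "10.1.1.12"


def static_nat(rules, pkt, interface, direction):
    """Apply the first rule matching the packet (first match is assumed)."""
    for rule in rules:
        if rule.direction != direction:
            continue
        if rule.interface not in ("all", interface):
            continue
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
            continue
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
            continue
        if not rule.sports[0] <= pkt.sport <= rule.sports[1]:
            continue
        if not rule.dports[0] <= pkt.dport <= rule.dports[1]:
            continue
        return pkt._replace(src=rule.to_src or pkt.src,
                            dst=rule.to_dst or pkt.dst)
    return pkt


def through_router(rules, pkt, in_if, out_if):
    """A forwarded packet meets the 'in' rules, then the 'out' rules."""
    pkt = static_nat(rules, pkt, in_if, "in")
    return static_nat(rules, pkt, out_if, "out")


def ftp_session(server_ip, client_ip, client_net, client_if):
    """Trace one request to 10.1.1.12:21 and the server's reply."""
    rules = [
        NatRule("in", dst=PUBLIC_IP + "/32", dports=(20, 21),
                to_dst=server_ip),
        NatRule("out", src=server_ip + "/32", sports=(20, 21),
                to_src=PUBLIC_IP),
    ]
    request = Packet(client_ip, 40000, PUBLIC_IP, 21)
    at_server = through_router(rules, request, client_if, "Local")
    reply = Packet(at_server.dst, at_server.dport,
                   at_server.src, at_server.sport)
    # A server on the client's own subnet answers directly, not via the router.
    direct = ipaddress.ip_address(server_ip) in ipaddress.ip_network(client_net)
    if not direct:
        reply = through_router(rules, reply, "Local", client_if)
    # The client only accepts a reply from the address:port it connected to.
    accepted = (reply.src, reply.sport) == (request.dst, request.dport)
    return {"server_sees": at_server, "client_gets": reply,
            "direct_reply": direct, "accepted": accepted}


if __name__ == "__main__":
    cases = [("192.168.0.17", "192.168.0.1", "192.168.0.0/24", "Local"),
             ("192.168.1.17", "192.168.0.1", "192.168.0.0/24", "Local"),
             ("192.168.1.17", "10.1.1.50", "10.1.1.0/24", "Public")]
    for case in cases:
        print(case, ftp_session(*case))
```

With the server at 192.168.0.17 the reply reaches the workstation with source 192.168.0.17:21 instead of 10.1.1.12:21 and is not accepted; with the server at 192.168.1.17 the reply passes the 'out' rule and matches.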



MikroTik RouterOS V2.4 Firewall Filters

Document revision 11-Oct-2001
This document applies to the MikroTik RouterOS V2.4

Overview

The firewall supports filtering and security functions that are used to manage data flows to the router, through the router, and from the router. Along with the Network Address Translation they serve as security tools for preventing unauthorized access to networks.

Firewall Features

It is very advantageous if packets can be matched against one common criterion in one chain and then passed to another chain for processing against other common criteria. For example, packets must be matched against the IP addresses and ports. Then matching against the IP addresses can be done in one chain without specifying the protocol ports. Matching against the protocol ports can be done in a separate chain without specifying the IP addresses.

Firewall Chains

The Input Chain is used to process packets entering the router through one of the interfaces. If the packet is not dropped or rejected, then the packet is processed according to the routing table.

The Forward Chain is used to process packets passing through the router.

The Output Chain is used to process all packets leaving the router through the interface. Packets originated from the router are processed according to the output chain only.

The firewall rules are applied in the following order:

IP packet flow through the router is given in the following diagram:

IP Packet Flow

When processing a chain, rules are taken from the chain in the order they are listed there, from the top to the bottom. If the packet matches the criteria of a rule, then the specified action is performed on the packet, and no more rules are processed in that chain. If the packet has not matched any rule within the chain, then the default policy action of the chain is performed.

Contents of the Manual

The following topics are covered in this manual:

Firewall Installation

The firewall feature is included in the "system" software package. No additional software package installation is needed for this feature.

Configuring Firewall Chains and Rules

The firewall management is under the /ip firewall menu in the Terminal Console. Firewall can be managed through the JAVA Console as well. Go to IP/Firewall and select the desired chain.

Managing Firewall Chains

The list of currently defined chains can be viewed using the /ip firewall print command:

[MikroTik] ip firewall> print                                                  
  # NAME                                                                 POLICY
  0 input                                                                accept
  1 forward                                                              accept
  2 output                                                               accept
[MikroTik] ip firewall>                                                      

These three chains cannot be deleted. The available policy actions are:

You can change the chain policies by using the /ip firewall set command.
Note! Be careful about changing the default policy action of these chains! You may lose the connection to the router if you change the policy to deny or reject and there are no rules in the chain that allow connections to the router.

Usually packets should be matched against several criteria. More general filtering rules can be grouped together in a separate chain. To process the rules of an additional chain, the 'jump' action with that chain as the target should be used in another chain.

To add a new chain, use the /ip firewall add command:

[MikroTik] ip firewall> add name=router                                        
[MikroTik] ip firewall> print                                                  
  # NAME                                                                 POLICY
  0 input                                                                accept
  1 forward                                                              accept
  2 output                                                               accept
  3 router                                                               none  
[MikroTik] ip firewall>

The policy of user-added chains is 'none', and it cannot be changed. Chains cannot be removed if they contain rules (are not empty).

Managing Firewall Rules

Management of the firewall rules can be accessed by selecting the desired chain. Use the /ip firewall rule command with the argument value, that specifies a chain, for example:

[MikroTik] ip firewall> rule input                                             
[MikroTik] ip firewall rule input> print                                       
Flags: X - disabled, I - invalid 
[MikroTik] ip firewall rule input>                                             

There are currently no rules in the input chain. To add a rule, use the add command, for example:

[MikroTik] ip firewall rule input> add ?                                     
Creates new item with specified property values.
       action  Rule action
    copy-from  Item number
  dst-address  Destination address
  dst-netmask  Destination mask
    dst-ports  Destination port range
    interface  Interface name (or all)
          log  Enable/Disable logging
     protocol  Protocol
  src-address  Source address
  src-netmask  Source mask
    src-ports  Source port range
       target  Target chain
  tcp-options  TCP options
[MikroTik] ip firewall rule input> add dst-ports=8080 protocol=tcp action=reject
[MikroTik] ip firewall rule input> print                                       
Flags: X - disabled, I - invalid 
  0   protocol=tcp src-address=0.0.0.0/0:0-65535 dst-address=0.0.0.0/0:8080 
      interface=all action=reject tcp-options=all log=no 

[MikroTik] ip firewall rule input>

Argument description:

src-address - Source IP address. Can be in the form address/mask:ports, where mask is number of bits in the subnet, and ports is one port, or range of ports, e.g., x.x.x.x/32:80-81
src-netmask - Source netmask in decimal form x.x.x.x
src-ports - Source port number or range (0-65535). 0 means all ports 1-65535.
dst-address - Destination IP address. Can be in the form address/mask:ports, where mask is number of bits in the subnet, and ports is one port, or range of ports, e.g., x.x.x.x/32:80-81
dst-netmask - Destination netmask in decimal form x.x.x.x
dst-ports - Destination port number or range (0-65535). 0 means all ports 1-65535.
interface - Interface, for which the rule should be used. Can be 'all'.
protocol - Protocol
tcp-options - ( all / syn / nosyn ). 'nosyn' is for all other options than 'syn'.
action - ( accept / deny / jump / masq / none / reject / return )
target - Name of the target chain, if the action=jump is used
log - Log the action ( yes / no )

If the packet matches the criteria of the rule, then the performed action can be:

Note for V2.3 users, who have upgraded to V2.4:

V2.4 has easier management of firewall rules, since it is possible to select a chain, and commands then do not need to contain the argument value for the chain. This difference should be considered when importing a V2.3 firewall configuration script into a V2.4 router. For example:

[MikroTik V2.4] ip firewall rule input> add protocol tcp src-...
[MikroTik V2.4] ip firewall rule input> print

[MikroTik V2.3] ip firewall rule> add input protocol tcp src-...
[MikroTik V2.3] ip firewall rule> print input

Logging of the Firewall Actions

To enable logging of the firewall actions you should set the value of the rule argument 'log' to 'yes'. Also, the logging facility should be enabled for firewall logs:

[MikroTik] system logging facility> set Firewall-Log logging=local             
[MikroTik] system logging facility> print                                      
  # FACILITY            LOGGING PREFIX              REMOTE-ADDRESS  REMOTE-PORT
  0 Firewall-Log        local                                                  
  1 PPP-Account         none                                                   
  2 PPP-Info            none                                                   
  3 PPP-Error           none                                                   
  4 System-Info         local                                                  
  5 System-Error        local                                                  
  6 System-Warning      local                                                  
[MikroTik] system logging facility> 

You can send UDP log messages to a remote syslog host by specifying the remote address and port (usually 514). Local logs can be viewed using the /log print command:

[MikroTik] > log print 
...
 sep/26/2001 17:40:26 user admin logged in at Wed Sep 26 17:40:26 2001 
                      from 10.5.8.203 via telnet                      
 sep/26/2001 17:42:30 Public: input->REJECT, prot TCP(SYN),
                      10.5.8.48:4366->10.1.1.12:8080, len 60                     
[MikroTik] > log print 
(The format of the log is:
DATE TIME Interface: Chain -> ACTION, protocol,
                      src-address:port->dst-address:port, packet_length)
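
A parser for this log format, as an added example (not part of the original manual or of RouterOS). The names parse_firewall_log and rejected_ports_by_source are hypothetical, the log lines after the first two entries are constructed, and the "(FLAGS)" part is assumed to be optional because the manual shows only a TCP line.

```python
import re
from collections import defaultdict
from datetime import datetime

MONTHS = {name: number for number, name in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}

# One firewall entry, once wrapped console lines have been joined:
#   DATE TIME Interface: Chain->ACTION, prot PROTO(FLAGS), src:port->dst:port, len N
# Assumption: "(FLAGS)" is optional, since the manual shows only a TCP line.
ENTRY = re.compile(
    r"^(?P<mon>[a-z]{3})/(?P<day>\d{2})/(?P<year>\d{4}) "
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}) "
    r"(?P<interface>[^:\s]+): (?P<chain>[\w-]+)->(?P<action>[A-Z]+), "
    r"prot (?P<protocol>[A-Z]+)(?:\((?P<flags>[^)]*)\))?, "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)->"
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+), len (?P<length>\d+)$")
STARTS_ENTRY = re.compile(r"^[a-z]{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} ")

# First two entries are the ones printed in the manual; the rest are constructed.
SAMPLE_LOG = """\
[MikroTik] > log print
...
 sep/26/2001 17:40:26 user admin logged in at Wed Sep 26 17:40:26 2001
                      from 10.5.8.203 via telnet
 sep/26/2001 17:42:30 Public: input->REJECT, prot TCP(SYN),
                      10.5.8.48:4366->10.1.1.12:8080, len 60
 sep/26/2001 17:42:33 Public: input->REJECT, prot TCP(SYN),
                      10.5.8.48:4366->10.1.1.12:8080, len 60
 sep/26/2001 17:43:02 Public: input->REJECT, prot TCP(SYN),
                      10.5.8.77:1190->10.1.1.12:23, len 60
 sep/26/2001 17:43:05 Public: input->REJECT, prot TCP(SYN),
                      10.5.8.77:1191->10.1.1.12:80, len 60
"""


def join_wrapped(text):
    """Re-join entries that the console wrapped onto indented lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if STARTS_ENTRY.match(line):
            entries.append(line)
        elif line and entries and raw[0].isspace():
            entries[-1] += " " + line      # continuation of the last entry
    return entries


def parse_firewall_log(text):
    """Return one dict per firewall entry; other log messages are skipped."""
    records = []
    for entry in join_wrapped(text):
        m = ENTRY.match(entry)
        if not m or m["mon"] not in MONTHS:
            continue                       # e.g. the 'user admin logged in' line
        f = m.groupdict()
        records.append({
            "when": datetime(int(f["year"]), MONTHS[f["mon"]], int(f["day"]),
                             int(f["hh"]), int(f["mm"]), int(f["ss"])),
            "interface": f["interface"], "chain": f["chain"],
            "action": f["action"], "protocol": f["protocol"],
            "flags": f["flags"] or "",
            "src": f["src"], "sport": int(f["sport"]),
            "dst": f["dst"], "dport": int(f["dport"]),
            "length": int(f["length"]),
        })
    return records


def rejected_ports_by_source(records):
    """Map each source address to the sorted (dst, port) pairs it was rejected on."""
    seen = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            seen[r["src"]].add((r["dst"], r["dport"]))
    return {src: sorted(pairs) for src, pairs in seen.items()}


if __name__ == "__main__":
    for src, pairs in rejected_ports_by_source(parse_firewall_log(SAMPLE_LOG)).items():
        print(src, pairs)
```

A source that accumulates many distinct destination ports in this summary is worth a closer look than one that retries a single port.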

Using the Masquerading

Masquerading is a firewall function that can be used to 'hide' private networks behind one external IP address of the router. For example, masquerading is useful if you want to access the ISP's network and the Internet with all requests appearing to come from the single IP address given to you by the ISP. Masquerading changes the source IP address and port of packets originating from the private network to the external address of the router when the packet is routed through it.

Masquerading helps to ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. Masquerading also conserves the number of global IP addresses required and it lets the whole network use a single IP address in its communication with the world.

To use masquerading, a firewall rule with action 'masq' should be added to the forward chain of the router's firewall configuration:

[MikroTik] ip firewall rule forward>
add action=masq interface=Public src-address=192.168.0.0/24 
[MikroTik] ip firewall rule forward> print
Flags: X - disabled, I - invalid 
  0   protocol=all src-address=192.168.0.0/24:0-65535 
      dst-address=0.0.0.0/0:0-65535 interface=Public action=masq 
      tcp-options=all log=no 

[MikroTik] ip firewall rule forward>                                           

If the packet matches the 'masquerading' rule, then the router opens a connection to the destination, and sends out a modified packet with its own address as the source and a source port above 60000. The router keeps track of masqueraded connections and performs the 'demasquerading' of packets which arrive for the opened connections.

The list of currently opened masqueraded connections can be viewed using the /ip firewall masqueraded-connections print command:

[MikroTik] > ip firewall masqueraded-connections print detail               
  0 protocol=tcp src-address=10.5.6.202:3454 dst-address=193.178.150.165:1774 
    masq-port=61068 expires=00:07:54 

  1 protocol=udp src-address=10.5.8.203:137 dst-address=63.95.59.228:137 
    masq-port=61296 expires=00:04:57 

[MikroTik] > 

Basic Firewall Building Principles

Assume we have a router that connects a customer's network to the Internet. The basic firewall building principles can be grouped as follows:

Filtering has some impact on the router's performance. To minimize it, the filtering rules that match packets for established connections should be placed at the top of the chain. These are TCP packets with options 'nosyn'.

Examples of setting up firewalls are discussed later.

Troubleshooting

IP Firewall Applications

Further on, the following examples of using firewall rules are given:

Example of Firewall Filters

Assume we want to create a firewall, that

The basic network setup is in the following diagram:

Firewall

The IP addresses and routes of the MikroTik router are as follows:

[MikroTik] > /ip address print                                                 
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   192.168.0.254/24   192.168.0.0     192.168.0.255   Local                 
  1   10.1.1.12/24       10.1.1.0        10.1.1.255      Public                
[MikroTik] > /ip route print                                                   
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  0.0.0.0/0          A            10.1.1.254  1        Public     
  1 D  connect 192.168.0.0/24     A            0.0.0.0     0        Local      
  2 D  connect 10.1.1.0/24        A            0.0.0.0     0        Public     
[MikroTik] >                                                                   

Protecting the Router

To protect the router from unauthorized access, we should filter out all packets with the destination addresses of the router, i.e., 10.1.1.12 and 192.168.0.254, and then accept only what is allowed. This can be done by creating a special chain, say, name=router, and adding rules, that allow particular actions, and reject everything else:

[MikroTik] > ip firewall add name router
[MikroTik] > ip firewall rule router
[MikroTik] ip firewall rule router> 
add protocol tcp tcp-option nosyn
add protocol udp 
add protocol icmp
add src-addr 10.1.1.16/29
add action reject log yes 
[MikroTik] ip firewall rule router> print                                      
Flags: X - disabled, I - invalid 
  0   protocol=tcp src-address=0.0.0.0/0:0-65535 
      dst-address=0.0.0.0/0:0-65535 interface=all action=accept 
      tcp-options=nosyn log=no 

  1   protocol=udp src-address=0.0.0.0/0:0-65535 
      dst-address=0.0.0.0/0:0-65535 interface=all action=accept tcp-options=all 
      log=no 

  2   protocol=icmp src-address=0.0.0.0/0:0-65535 
      dst-address=0.0.0.0/0:0-65535 interface=all action=accept tcp-options=all 
      log=no 

  3   protocol=all src-address=10.1.1.16/29:0-65535 
      dst-address=0.0.0.0/0:0-65535 interface=all action=accept tcp-options=all 
      log=no 

  4   protocol=all src-address=0.0.0.0/0:0-65535 
      dst-address=0.0.0.0/0:0-65535 interface=all action=reject tcp-options=all 
      log=yes 

[MikroTik] ip firewall rule router>

Here, we created a new chain 'router' and added rules to it, that

  1. allow established TCP connections
  2. allow UDP connections
  3. allow ICMP messages
  4. allow access from "trusted" network 10.1.1.16/29 of ours
  5. reject and log everything else

All we have to do now is to put rules in the input chain that match the IP addresses of the router and jump to the router chain:

[MikroTik] ip firewall rule input>
add dst-address=10.1.1.12/32 action=jump target=router
add dst-address=192.168.0.254/32 action=jump target=router
[MikroTik] ip firewall rule input> print                                       
Flags: X - disabled, I - invalid 
  0   protocol=all src-address=0.0.0.0/0:0-65535 
      dst-address=10.1.1.12/32:0-65535 interface=all action=jump target=router 
      tcp-options=all log=no 

  1   protocol=all src-address=0.0.0.0/0:0-65535 
      dst-address=192.168.0.254/32:0-65535 interface=all action=jump 
      target=router tcp-options=all log=no 

[MikroTik] ip firewall rule input>

Thus, the input chain will match packets with the destination address of the router, and the router chain will accept the allowed connections and reject and log everything else.
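
The lookup these two chains perform, modelled as an added Python example (not MikroTik code and not part of the original manual). It assumes semantics the manual does not spell out: rules are tried top-down, the first deciding action wins, and a user chain that ends without a decision returns to the rule after the jump, where the built-in chain's policy finally applies. The names Rule, Packet, Firewall and page_example are hypothetical and the probe packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:                              # defaults mirror what 'print' shows
    protocol: str = "all"
    src: str = "0.0.0.0/0"
    src_ports: tuple = (0, 65535)
    dst: str = "0.0.0.0/0"
    dst_ports: tuple = (0, 65535)
    interface: str = "all"
    tcp_options: str = "all"             # all / syn / nosyn
    action: str = "accept"
    target: str = ""                     # chain name when action is "jump"
    log: bool = False

@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    interface: str
    sport: int = 0
    dport: int = 0
    syn: bool = False                    # True for a TCP connection request

def matches(rule, pkt):
    if rule.protocol not in ("all", pkt.protocol):
        return False
    if rule.interface not in ("all", pkt.interface):
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if pkt.protocol in ("tcp", "udp"):   # ports only exist for TCP and UDP
        if not rule.src_ports[0] <= pkt.sport <= rule.src_ports[1]:
            return False
        if not rule.dst_ports[0] <= pkt.dport <= rule.dst_ports[1]:
            return False
    if rule.tcp_options == "syn":
        return pkt.protocol == "tcp" and pkt.syn
    if rule.tcp_options == "nosyn":
        return pkt.protocol == "tcp" and not pkt.syn
    return True

class Firewall:
    def __init__(self):
        # Built-in chains with the default policies listed by 'print'.
        self.policy = {"input": "accept", "forward": "accept", "output": "accept"}
        self.chains = {name: [] for name in self.policy}

    def _walk(self, chain, pkt, trace):
        for number, rule in enumerate(self.chains[chain]):
            if not matches(rule, pkt):
                continue
            trace.append((chain, number, rule.action))
            if rule.action == "jump":
                verdict = self._walk(rule.target, pkt, trace)
                if verdict is not None:
                    return verdict       # the target chain decided
            elif rule.action == "return":
                return None
            elif rule.action != "none":
                return rule.action       # any other action ends the lookup
        return None                      # end of chain: back to the caller

    def evaluate(self, chain, pkt):
        """Return (verdict, trace) for a packet entering a built-in chain."""
        trace = []
        verdict = self._walk(chain, pkt, trace)
        return verdict or self.policy[chain], trace

def page_example():
    """The 'router' chain and the two jump rules from the section above."""
    fw = Firewall()
    fw.chains["router"] = [
        Rule(protocol="tcp", tcp_options="nosyn"),
        Rule(protocol="udp"),
        Rule(protocol="icmp"),
        Rule(src="10.1.1.16/29"),
        Rule(action="reject", log=True),
    ]
    fw.chains["input"] = [
        Rule(dst="10.1.1.12/32", action="jump", target="router"),
        Rule(dst="192.168.0.254/32", action="jump", target="router"),
    ]
    return fw

if __name__ == "__main__":
    probes = {                           # constructed sample packets
        "telnet SYN, untrusted source": Packet("tcp", "10.5.8.48", "10.1.1.12", "Public", 4366, 23, True),
        "telnet SYN, trusted source": Packet("tcp", "10.1.1.17", "10.1.1.12", "Public", 4366, 23, True),
        "UDP, untrusted source": Packet("udp", "10.5.8.48", "192.168.0.254", "Local", 1025, 161),
        "SYN to a customer host": Packet("tcp", "10.5.8.48", "192.168.0.17", "Public", 4366, 80, True),
    }
    for label, pkt in probes.items():
        print(label, page_example().evaluate("input", pkt))
```

The trace names the rule that decided each packet. Rule 1 of the router chain accepts UDP from any source, so anything on the router that listens on UDP stays reachable from outside the trusted 10.1.1.16/29 network.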

Protecting the Customer's Network

To protect the customer's network, we should match all packets with destination address 192.168.0.0/24, that leave the Local interface, and process them against rules of another chain, say, 'customer'. We create the new chain and add rules to it:

[MikroTik] ip firewall> add name=customer                                      
[MikroTik] ip firewall> print                                                  
  # NAME                                                                 POLICY
  0 input                                                                accept
  1 forward                                                              accept
  2 output                                                               accept
  3 router                                                               none  
  4 customer                                                             none  
[MikroTik] ip firewall> rule customer
[MikroTik] ip firewall rule customer> 
add protocol tcp tcp-option nosyn
add protocol udp 
add protocol icmp
add protocol tcp tcp-option syn dst-address 192.168.0.17/32:80
add protocol tcp tcp-option syn dst-address 192.168.0.17/32:25
add protocol tcp tcp-option syn src-port 20 dst-port 1024-65535
add action reject log yes 
[MikroTik] ip firewall rule customer> print                                    
Flags: X - disabled, I - invalid 
  0   protocol=tcp src-address=0.0.0.0/0:0-65535 
      dst-address=0.0.0.0/0:0-65535 interface=all action=accept 
      tcp-options=nosyn log=no 

  1   protocol=udp src-address=0.0.0.0/0:0-65535 
      dst-address=0.0.0.0/0:0-65535 interface=all action=accept tcp-options=all 
      log=no 

  2   protocol=icmp src-address=0.0.0.0/0:0-65535 
      dst-address=0.0.0.0/0:0-65535 interface=all action=accept tcp-options=all 
      log=no 

  3   protocol=tcp src-address=0.0.0.0/0:0-65535 
      dst-address=192.168.0.17/32:80 interface=all action=accept 
      tcp-options=syn log=no 

  4   protocol=tcp src-address=0.0.0.0/0:0-65535 
      dst-address=192.168.0.17/32:25 interface=all action=accept 
      tcp-options=syn log=no 

  5   protocol=tcp src-address=0.0.0.0/0:20 dst-address=0.0.0.0/0:1024-65535 
      interface=all action=accept tcp-options=syn log=no 

  6   protocol=all src-address=0.0.0.0/0:0-65535 
      dst-address=0.0.0.0/0:0-65535 interface=all action=reject tcp-options=all 
      log=yes 

[MikroTik] ip firewall rule customer>

Here, we created a new chain 'customer' and added rules to it, that

  1. allow established TCP connections
  2. allow UDP connections
  3. allow ICMP messages
  4. allow http and smtp connections to the server at 192.168.0.17
  5. allow ftp data connections from servers on the Internet (active ftp data connections are made from the server's port 20 to the client's tcp port above 1024)
  6. reject and log everything else

All we have to do now is to put rules in the output chain that match the IP addresses of the customer's hosts on the Local interface and jump to the customer chain:

[MikroTik] ip firewall rule output>
add dst-address=192.168.0.0/24 interface=Local action=jump target=customer
[MikroTik] ip firewall rule output> print
Flags: X - disabled, I - invalid
  0   protocol=all src-address=0.0.0.0/0:0-65535
      dst-address=192.168.0.0/24:0-65535 interface=Local action=jump
      target=customer tcp-options=all log=no

[MikroTik] ip firewall rule output>

Enforcing the 'Internet Policy'

To force the customer's hosts to access the Internet only through the proxy server at 192.168.0.17, we should put the following rules in the forward chain:

[MikroTik] ip firewall rule forward>                                           
add protocol icmp interface Public
add src-address 192.168.0.17/32 interface Public
add action reject interface Public log yes
[MikroTik] ip firewall rule forward> print                                     
Flags: X - disabled, I - invalid 
  0   protocol=icmp src-address=0.0.0.0/0:0-65535 
      dst-address=0.0.0.0/0:0-65535 interface=Public action=accept 
      tcp-options=all log=no 

  1   protocol=all src-address=192.168.0.17/32:0-65535 
      dst-address=0.0.0.0/0:0-65535 interface=Public action=accept 
      tcp-options=all log=no 

  2   protocol=all src-address=0.0.0.0/0:0-65535 
      dst-address=0.0.0.0/0:0-65535 interface=Public action=reject 
      tcp-options=all log=yes 

[MikroTik] ip firewall rule forward>

Here, we added rules to the forward chain, that

  1. allow ICMP ping packets
  2. allow all outgoing connections from the server at 192.168.0.17
  3. reject and log everything else

Example of Masquerading

If we want to use masquerading for the Local network 192.168.0.0/24 (see the network diagram in the Application Example above), we should have a firewall rule with the action 'masq' in the forward chain:

[mikrotik] ip firewall rule forward>
add src-address 192.168.0.0/24 action masq interface Public 
[MikroTik] ip firewall rule forward> print                                     
Flags: X - disabled, I - invalid 
  0   protocol=all src-address=192.168.0.0/24:0-65535 
      dst-address=0.0.0.0/0:0-65535 interface=Public action=masq 
      tcp-options=all log=no 

[MikroTik] ip firewall rule forward>

All outgoing connections from the network 192.168.0.0/24 will have the source address 10.1.1.12 of the router and a source port above 60000. No access from the Internet will be possible to the Local addresses. If you want to allow connections to the server on the local network, you should use Static Network Address Translation (NAT). Please consult the Static NAT Manual for information on how to use NAT.



Queue Management and Bandwidth Control

Document revision 12-Oct-2001
This document applies to the MikroTik RouterOS V2.4

Overview

Queuing is a mechanism that controls bandwidth allocation, delay variability, timely delivery, and delivery reliability.

The MikroTik RouterOS supports the following queuing mechanisms:

Queuing can be used for limiting the bandwidth for certain IP addresses, protocols or ports. Queuing is performed for packets leaving the router through an interface. This means that queues should always be configured on the outgoing interface with respect to the traffic flow. If there is a desire to limit the traffic arriving at the router, then it should be done at the outgoing interface of some other router.

References on Class-Based Queuing (CBQ) can be found at http://www.aciri.org/floyd/cbq.html

Contents of the Manual

The following topics are covered in this manual:

Installation

The queue management feature is included in the 'system' software package. No additional software package installation is needed for this feature.

Configuring Queues

The Queue Management is under the /ip queue menu.

Queues can be added using the add command:

[MikroTik] ip queue> add interface=ether2 queue=red limit-at=64000 bounded=yes
[MikroTik] ip queue> print
Flags: X - disabled, I - invalid
  0   src-address=0.0.0.0/0:0-65535 dst-address=0.0.0.0/0:0-65535
      protocol=all queue=red limit-at=64000 max-burst=20 bounded=yes priority=8
      weight=1 allot=1538 bfifo-limit=10000 pfifo-limit=100 red-limit=60
      red-min-threshold=10 red-max-threshold=50 red-burst=20 interface=ether2

[MikroTik] ip queue>

Argument description:

allot - Number of bytes allocated for the bandwidth. Should not be less than the MTU for the interface.
bfifo-limit - BFIFO queue limit. Maximum packet number that queue can hold.
bounded - Queue is bounded. If set to 'yes', the queue cannot occupy the bandwidth of other queues. If set to 'no', the queue will use more than its allocated bandwidth whenever possible. Only when other queues (the actual queues) are getting too long and a connection is not being satisfied are the 'not-bounded' queues limited to their allocated bandwidth.
dst-address - Destination IP address. Can be in the form a.b.c.d/n:p1[-p2], that consists of the IP address, number of bits in the network mask, and the port or port range.
dst-netmask - Destination netmask
dst-port - Destination port number or range (0-65535). '0' means all ports.
interface - Interface which packet leaves. Queues work only for packets leaving the interface.
limit-at - Maximum stream bandwidth (bits/s). '0' means no limit (default for the interface).
max-burst - Maximal number of packets allowed for bursts of packets when there are no packets in the queue. Set to '0' for no burst.
pfifo-limit - PFIFO queue limit. Maximum byte number that queue can hold.
priority - Flow priority (1..15)
protocol - Protocol
queue - Queue type (see explanation below)
red-burst - RED burst. Number of packets allowed for bursts of packets when there are no packets in the queue. The minimum value that can be used here is equal to the value of 'red-min-threshold'.
red-limit - RED queue limit
red-min-threshold - RED minimum threshold. Before this value is achieved no packets will be thrown away.
red-max-threshold - RED maximum threshold. When this value is achieved the queue will throw away the packets using maximum probability, where this probability is a function of the average queue size.
src-address - Source IP address. Can be in the form a.b.c.d/n:p1[-p2], that consists of the IP address, number of bits in the network mask, and the port or port range.
src-netmask - Source netmask
src-port - Source port number or range (0-65535). '0' means all ports.
weight - Flow weight

Queue types:

For small limitations (64kbps, 128kbps) RED is preferable. For larger speeds PFIFO will be as good as RED. RED consumes more memory and more CPU than PFIFO and BFIFO.

Queue rules are processed in the order they appear in the /ip queue print list. If some packet matches the queue rule, then the queuing mechanism specified in that rule is applied to it, and no more rules are processed for that packet.

You can group several networks together and have one queue for them, if a common network mask can be found for the networks. For example, networks 10.0.128.0/24 and 10.0.129.0/24 can be grouped together using a common network address/mask 10.0.128.0/22.

Troubleshooting

Queue Applications

One of the ways to avoid network traffic ‘jams’ in large networks is to use traffic shaping. Traffic shaping and bandwidth allocation are implemented in the MikroTik RouterOS as a queuing mechanism. Thus, the network administrator is able to allocate a definite portion of the total bandwidth and grant it to a particular network segment or interface. The bandwidth of particular nodes can also be limited by using this mechanism.

Further on, several examples of using bandwidth management are given arranged according to complexity:

Example of Emulating a 128k/64k Line

Assume we want to emulate a 128k download and 64k upload line connecting IP network 195.13.1.32/27. The network is served through the interface 'ether' of the customer's router. The basic network setup is in the following diagram:

128/64k Line

The IP addresses and routes of the MikroTik router are as follows:

[MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   195.10.0.1/24      195.10.0.0      195.10.0.255    radio
  1   195.13.1.62/27     195.13.1.32     195.13.1.63     ether
[MikroTik] > ip route print detail
Flags: X - disabled, I - invalid, D - dynamic, R - rejected
  0    dst-address=0.0.0.0/0 gateway=195.10.0.254 nexthop-state=A
       preferred-source=0.0.0.0 interface=radio distance=1 type=static

  1 D  dst-address=195.13.1.32/27 gateway=0.0.0.0 nexthop-state=A
       preferred-source=195.13.1.62 interface=ether distance=0 type=connect

  2 D  dst-address=195.10.0.0/24 gateway=0.0.0.0 nexthop-state=A
       preferred-source=195.10.0.1 interface=radio distance=0 type=connect

[MikroTik] >

It is enough to add two queues at the customer's router:

[MikroTik] ip queue>
add dst-address 195.13.1.32/27 interface ether \
queue red limit-at 128000 max-burst 0 bounded yes
add src-address 195.13.1.32/27 interface radio \
queue red limit-at 64000 max-burst 0 bounded yes
[MikroTik] ip queue> print
Flags: X - disabled, I - invalid
  0   src-address=0.0.0.0/0:0-65535 dst-address=195.13.1.32/27:0-65535
      protocol=all queue=red limit-at=128000 max-burst=0 bounded=yes priority=8
      weight=1 allot=1538 bfifo-limit=10000 pfifo-limit=100 red-limit=60
      red-min-threshold=10 red-max-threshold=50 red-burst=20 interface=ether

  1   src-address=195.13.1.32/27:0-65535 dst-address=0.0.0.0/0:0-65535
      protocol=all queue=red limit-at=64000 max-burst=0 bounded=yes priority=8
      weight=1 allot=1538 bfifo-limit=10000 pfifo-limit=100 red-limit=60
      red-min-threshold=10 red-max-threshold=50 red-burst=20 interface=radio

[MikroTik] ip queue>

Leave all other parameters as set by default. The limit is approximately 128kbps going to the client's network and 64kbps leaving the client's network. No burst of packets is allowed. Please note that each queue has been added on the outgoing interface with respect to the traffic flow.

Example of Using Masquerading

If the local address space 192.168.0.0/24 and masquerading are used for the client computers in the previous example setup, then the outgoing traffic has the masqueraded source address 195.10.0.1, i.e., the outgoing packets have the external address of the router as the source. The network diagram is as follows:

Queues with Masquerading

The IP addresses, routes, and masquerading firewall rule of the MikroTik router are as follows:

[MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   195.10.0.1/24      195.10.0.0      195.10.0.255    radio
  1   192.168.0.254/24   192.168.0.0     192.168.0.255   ether
[MikroTik] > ip route print detail
Flags: X - disabled, I - invalid, D - dynamic, R - rejected
  0    dst-address=0.0.0.0/0 gateway=195.10.0.254 nexthop-state=A
       preferred-source=0.0.0.0 interface=radio distance=1 type=static

  1 D  dst-address=195.10.0.0/24 gateway=0.0.0.0 nexthop-state=A
       preferred-source=195.10.0.1 interface=radio distance=0 type=connect

  2 D  dst-address=192.168.0.0/24 gateway=0.0.0.0 nexthop-state=A
       preferred-source=192.168.0.254 interface=ether distance=0 type=connect

[MikroTik] > ip firewall rule forward print
Flags: X - disabled, I - invalid
  0   protocol=all src-address=192.168.0.254/24:0-65535
      dst-address=0.0.0.0/0:0-65535 interface=radio action=masq tcp-options=all
      log=no

[MikroTik] >

The queuing rule for incoming traffic should match the customer's local addresses, whereas the rule for outgoing traffic should match the router's external address as the source address:

[MikroTik] ip queue>
add dst-address 192.168.0.0/24 interface ether \
queue red limit-at 128000 max-burst 0 bounded yes
add src-address 195.10.0.1/32 interface radio \
queue red limit-at 64000 max-burst 0 bounded yes
[MikroTik] ip queue> print
Flags: X - disabled, I - invalid
  0   src-address=0.0.0.0/0:0-65535 dst-address=192.168.0.0/24:0-65535
      protocol=all queue=red limit-at=128000 max-burst=0 bounded=yes priority=8
      weight=1 allot=1538 bfifo-limit=10000 pfifo-limit=100 red-limit=60
      red-min-threshold=10 red-max-threshold=50 red-burst=20 interface=ether

  1   src-address=195.10.0.1/32:0-65535 dst-address=0.0.0.0/0:0-65535
      protocol=all queue=red limit-at=64000 max-burst=0 bounded=yes priority=8
      weight=1 allot=1538 bfifo-limit=10000 pfifo-limit=100 red-limit=60
      red-min-threshold=10 red-max-threshold=50 red-burst=20 interface=radio

[MikroTik] ip queue>

Let us assume that for administrative purposes, we want to contact the MikroTik router without being affected by the bandwidth limitation. Then additional rule(s) having no limitation should be added before the limiting one(s). For example, we want no limitation to host 159.148.60.200. The queue rule should be added as follows:

[MikroTik] ip queue>
add src-address 195.10.0.1/32 dst-address 159.148.60.200/32 interface radio
[MikroTik] ip queue> pr
Flags: X - disabled, I - invalid
  0   src-address=0.0.0.0/0:0-65535 dst-address=192.168.0.0/24:0-65535
      protocol=all queue=red limit-at=128000 max-burst=0 bounded=yes priority=8
      weight=1 allot=1538 bfifo-limit=10000 pfifo-limit=100 red-limit=60
      red-min-threshold=10 red-max-threshold=50 red-burst=20 interface=ether

  1   src-address=195.10.0.1/32:0-65535 dst-address=0.0.0.0/0:0-65535
      protocol=all queue=red limit-at=64000 max-burst=0 bounded=yes priority=8
      weight=1 allot=1538 bfifo-limit=10000 pfifo-limit=100 red-limit=60
      red-min-threshold=10 red-max-threshold=50 red-burst=20 interface=radio

  2   src-address=195.10.0.1/32:0-65535 dst-address=159.148.60.200/32:0-65535
      protocol=all queue=none limit-at=0 max-burst=20 bounded=no priority=8
      weight=1 allot=1538 bfifo-limit=10000 pfifo-limit=100 red-limit=60
      red-min-threshold=10 red-max-threshold=50 red-burst=20 interface=radio

[MikroTik] ip queue>

Move the rule #2 to the top:

[MikroTik] ip queue> move 2 0
[MikroTik] ip queue> print columns="src-address dst-address interface " brief
Flags: X - disabled, I - invalid
  #   SRC-ADDRESS                    DST-ADDRESS                    INTERFACE
  0   195.10.0.1/32:0-65535          159.148.60.200/32:0-65535      radio
  1   0.0.0.0/0:0-65535              192.168.0.0/24:0-65535         ether
  2   195.10.0.1/32:0-65535          0.0.0.0/0:0-65535              radio
[MikroTik] ip queue>

The first rule means no limitation to the host 159.148.60.200, whereas the second two rules limit customer's incoming and outgoing traffic, respectively.



MikroTik RouterOS V2.4 IP Packet Packer Protocol (M3P)

Document revision 22-Dec-2001
This document applies to the MikroTik RouterOS V2.4

Overview

The MikroTik Packet Packer Protocol (M3P) optimizes the bandwidth usage of links using protocols that have a high overhead per packet transmitted. The basic purpose of this protocol is to better enable wireless networks to transport VoIP traffic and other traffic that uses small packet sizes of around 100 bytes.

M3P features:

Contents of the Manual

The following topics are covered in this manual:

Installation

The MikroTik Packet Packer Protocol feature is included in the “system” package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

MikroTik Packet Packer Protocol Description

The wireless protocol IEEE 802.11 and, to a lesser extent, Ethernet protocol have a high overhead per packet because for each packet it is necessary to access the media, check for errors, resend in case of errors, and send network maintenance messages (network maintenance is only for wireless). The MikroTik Packet Packer Protocol improves network performance by aggregating many small packets into a big packet, thereby minimizing the network per packet overhead cost. The M3P is useful when the average packet size is 50-300 bytes – the common size of VoIP packets.

Specific Properties:

MikroTik Packet Packer Protocol Setup

IP MikroTik Packet Packer Protocol management can be accessed under the /ip packing submenu:

[MikroTik] ip packing>                                                         
     export  print configuration as set of router commands
        get  get value of property
  interface  Interface packing settings
      print  Show packing settings
        set  Change packing settings
[MikroTik] ip packing> print                                                   
       expected-size: 28
     aggregated-size: 1000
    enable-unpacking: yes
[MikroTik] ip packing>

Argument description:

expected-size – the average size packet you expect for aggregation, i.e., if your VoIP generates 100 byte packets – this would be the expected size. This is used by the protocol to determine if it should wait for another packet to complete the aggregated packet – determined by the 'aggregated-size' setting – or send an aggregated packet immediately even though it has not reached the size of the “aggregated-size” setting.
aggregated-size – the maximum size of the aggregated packet – the suggested setting is 1000 bytes and the maximum setting is the MTU size of the interface (generally 1500 bytes)
enable-unpacking – enables unpacking feature of M3P for all Ethernet like interfaces on the router – should be enabled if you have any interface set to send M3P packets

To see the interface settings use:

[MikroTik] ip packing interface> print
Flags: X - disabled
  #   INTERFACE
  0 X bridge1
  1 X ether1
  2 X Local219
  3   wireless
[MikroTik] ip packing interface>



MikroTik RouterOS V2.4 Neighbor Discovery Protocol (MNDP)

Document revision 28-Sep-2001
This document applies to the MikroTik RouterOS V2.4

Overview

The MikroTik Neighbor Discovery Protocol (MNDP) eases configuration and management by enabling each MikroTik router to discover other connected MikroTik routers and learn information about the system and features which are enabled. The MikroTik routers can then automatically use set features with minimal or no configuration.

MNDP features:

Installation

The MikroTik Discovery Protocol feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

MikroTik Discovery Protocol Description

The basic function of MNDP is to assist with automatic configuration of features that are only available between two MikroTik routers. Currently this is used for the 'Packet Packer' feature. The 'Packet Packer' may be enabled on a per-interface basis. MNDP then keeps track of which routers have enabled the 'unpack' feature, and the 'Packet Packer' is used for traffic between these routers. The MikroTik routers must be connected by an Ethernet-like interface.

Specific Properties:

MikroTik Discovery Protocol Setup

IP MikroTik Packet Packer Protocol management can be accessed under the /ip neighbor submenu:

[MikroTik] ip neighbor>                                                        
     export  print configuration as set of router commands
       find  Finds items by value
        get  Get value of item's property
  interface  Per interface discovery settings
      print  Show discovered neighbors
[MikroTik] ip neighbor> print                                                  
  # INTERFACE  ADDRESS         MAC-ADDRESS       UNPACKING AGE                 
  0 Public     10.5.8.196      00:E0:C5:BC:12:07 yes       23s                 
  1 Public     10.5.8.167      00:E0:4C:39:23:31 yes       0s                  
  2 Public     10.5.8.1        00:80:C8:C9:B0:45 yes       3s                  
[MikroTik] ip neighbor>

Argument description:

INTERFACE – local interface to which the neighbor is connected
ADDRESS – IP address of the neighbor router
MAC-ADDRESS – MAC-address of the neighbor router
UNPACKING – identifies if the interface of the neighbor router is unpacking 'Packed Packets'
AGE – a counter (in seconds) that shows the age of the information

To see the interface settings use:

[MikroTik] ip neighbor interface> print                                        
  # NAME                 DISCOVER
  0 Public               yes     
  1 Local                yes     
[MikroTik] ip neighbor interface>

To change the interface settings, use /ip neighbor interface set command:

[MikroTik] ip neighbor interface> set Public discover=no                       
[MikroTik] ip neighbor interface> print                                        
  # NAME                 DISCOVER
  0 Public               no      
  1 Local                yes     
[MikroTik] ip neighbor interface>


MikroTik RouterOS V2.4 DHCP Client and Server

Document revision 28-Sep-2001
This document applies to the MikroTik RouterOS V2.4

Overview

DHCP (Dynamic Host Configuration Protocol) supports easy distribution of IP addresses for a network. The MikroTik RouterOS implementation includes both server and client modes and is compliant with RFC2131.

General usage of DHCP:

Installation

The DHCP server and client are included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

The DHCP server does not consume any significant resources. The DHCP client may consume significant resources for five to ten seconds when acquiring or renewing an address.

DHCP Description

The DHCP protocol allocates IP addresses to IP clients. DHCP is basically insecure and should only be used on secure networks. Port 67 is the DHCP listen port and port 68 is the DHCP transmit port.

DHCP Client Setup

The MikroTik RouterOS DHCP client may be attached to one Ethernet-like interface. The client will accept an address, netmask, default gateway, and DNS server. The IP address will be added to the interface with the netmask. The default gateway will be added to the routing table as a dynamic entry; when the DHCP client is disabled, the dynamic default route will be removed. The DNS server supplied by the DHCP server will be used as the router's default DNS if the router DNS is set to 0.0.0.0.

To add a DHCP client to the router:

[MikroTik] ip dhcp-client> set enabled yes interface ether1 client-id test

Descriptions of arguments:

[MikroTik] - The text inside the brackets is the 'system identity' of the router. If the DHCP server requires a 'host name', then the MikroTik 'system identity' should be set to the same. This 'system identity' will be reported to the DHCP server as the 'host name'.
enabled - (yes / no). Enables or disables the DHCP client.
interface - Can be set to any Ethernet like interface – this includes wireless and EoIP tunnels.
client-id - (optional) If needed, it should correspond to the settings suggested by the network administrator or ISP.

To change the 'system identity', use the command:

[MikroTik]> system identity set name=Mikro2345 
[Mikro2345]>

DHCP Server Setup

The router supports an individual server for each Ethernet like interface. The MikroTik RouterOS DHCP server supports the basic functions of giving each requesting client an IP address lease, default gateway, and DNS-server information.

To add a DHCP server:

[MikroTik] ip dhcp-server>
set ether1 enabled yes lease-time 72h from-address 10.5.0.1 \
to-address 10.5.0.100 netmask 255.255.255.0 gateway 10.5.0.254 \
dns-server 10.5.0.254 domain rm219
[MikroTik] ip dhcp-server> print
0   interface: ether1 enabled: yes from-address: 10.5.0.1
    to-address: 10.5.0.100 lease-time: 3 days 0:00:00 netmask: 255.255.255.0
    gateway: 10.5.0.254 src-address: 0.0.0.0 dns-server: 10.5.0.254
    domain: ether1-area
1   interface: Local219 enabled: no from-address: 0.0.0.0 to-address: 0.0.0.0
    lease-time: 0:10:00 netmask: 0.0.0.0 gateway: 0.0.0.0 src-address: 0.0.0.0
    dns-server: 0.0.0.0 domain: ""
[MikroTik] ip dhcp-server>

Descriptions of arguments:

interface - All Ethernet like interfaces may run a DHCP server.
enabled - (yes / no) Enable or disable the DHCP server.
from-address - Beginning number of IP address range to give to requesting DHCP clients. This address must be in the range of a static address on the same interface.
to-address - Ending number of IP address range to give to requesting DHCP clients. This address must be in the range of a static address on the same interface.
lease-time - Dictates the time that a client may use an address. Suggested setting is three days ('3d'). The client will request a new address after this time limit expires.
netmask - The netmask to be given with the IP address coming from the range of addresses that can be given out.
gateway - The default gateway to be used by the DHCP client.
source-address - The address which the DHCP client must use to renew an IP address lease. If there is only one static address on the DHCP server interface and the source-address is left as 0.0.0.0, then the static address will be used. If there are multiple addresses on the interface, an address in the same subnet as the range of given addresses should be used.
dns-server - The DHCP client will use this as the default DNS server.
domain - The DHCP client will use this as the 'DNS domain' setting for the network adapter.
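
The two placement rules in the argument list above (the address range must sit inside the network of a static address on the same interface, and how the source-address is chosen when it is left as 0.0.0.0) can be checked before a server is enabled. The following is an added example, not MikroTik code; the function name check_dhcp_server and the sample interface addresses are assumptions made for illustration.

```python
import ipaddress

UNSET = ipaddress.IPv4Address("0.0.0.0")


def check_dhcp_server(static_addrs, from_address, to_address, netmask,
                      source_address="0.0.0.0"):
    """Return (effective source address or None, list of problems found).

    static_addrs lists the static addresses on the server interface in
    address/prefix-length form, e.g. ["10.5.0.254/24"] (constructed input).
    """
    problems = []
    lo = ipaddress.IPv4Address(from_address)
    hi = ipaddress.IPv4Address(to_address)
    if lo > hi:
        problems.append("from-address is higher than to-address")

    # Subnet the clients are told they are in: range start plus handed-out netmask.
    pool_net = ipaddress.IPv4Network(f"{from_address}/{netmask}", strict=False)
    if hi not in pool_net:
        problems.append("to-address is outside the subnet implied by netmask")

    # Rule from the argument list: both ends of the range must be in the
    # range of a static address configured on the same interface.
    ifaces = [ipaddress.IPv4Interface(a) for a in static_addrs]
    if not any(lo in i.network and hi in i.network for i in ifaces):
        problems.append("range is not within the network of any static "
                        "address on the interface")

    # source-address rule: 0.0.0.0 is only resolvable when the interface has
    # exactly one static address; otherwise an address in the same subnet as
    # the range should be given explicitly.
    src = ipaddress.IPv4Address(source_address)
    if src != UNSET:
        effective = src
        if src not in pool_net:
            problems.append("source-address is not in the same subnet as the range")
    elif len(ifaces) == 1:
        effective = ifaces[0].ip
    else:
        effective = None
        problems.append("source-address is 0.0.0.0 and the interface does not "
                        "have exactly one static address")
    return effective, problems


if __name__ == "__main__":
    # Range from the manual's example; the interface address is constructed.
    print(check_dhcp_server(["10.5.0.254/24"], "10.5.0.1", "10.5.0.100",
                            "255.255.255.0"))
```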

Additional DHCP Resources

Links for DHCP documentation:

http://www.ietf.org/rfc/rfc2131.txt?number=2131
http://www.isc.org/products/DHCP/
http://www1.fatbrain.com/asp/BookInfo/BookInfo.asp?theisbn=1578701376&from=xjb375
http://www.linuxdoc.org/HOWTO/mini/DHCP/
http://arsinfo.cit.buffalo.edu/FAQ/faq.cgi?pkg=ISC%20DHCP


MikroTik RouterOS V2.4 IP Telephony

__ Draft __

Document revision 06-Nov-2001
This document applies to the MikroTik RouterOS V2.4

The MikroTik RouterOS IP Telephony feature enables Voice over IP (VoIP) communications using routers equipped with the following voice ports:

IP Telephony Specifications

Supported Hardware

The MikroTik RouterOS V2.3 supports the following telephony cards from Quicknet Technologies, Inc. (www.quicknet.net):

For supported ISDN cards please see the ISDN Manual.

Supported Standards

Implementation Options

The MikroTik IP Telephones and IP Telephony Gateways are interoperable with the following H.323 terminals:

IP Telephony Hardware and Software Installation

Software Packages

The MikroTik Router should have the telephony package installed. To install the package, please upload it to the router and reboot. The package can be downloaded from MikroTik’s web page www.mikrotik.com.

The software package size is 1.2MB; after installation it requires 9.1MB of additional HDD space and 8.8MB of additional RAM. Please make sure you have the required capacity. Use the /system resource print command to see the amount of available resources:

[MikroTik] > system resource print                                             
           uptime: 7m17s
     total-memory: 61240
      free-memory: 32756
         cpu-type: AMD-K6(tm)
    cpu-frequency: 300
        hdd-total: 46474
         hdd-free: 20900
[MikroTik] > 

You may want to increase the amount of RAM from 32MB to 48/64MB if you use telephony. Use the /system package print command to see the list of installed packages:

[MikroTik] > system package print
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 ppp                    2.4.1                 oct/12/2001 10:09:35 no
  1 pptp                   2.4.1                 oct/12/2001 10:10:17 no
  2 pppoe                  2.4.1                 oct/12/2001 10:11:17 no
  3 ssh                    2.4.1                 oct/12/2001 10:16:38 no
  4 isdn                   2.4.1                 oct/12/2001 10:19:04 no
  5 telephony              2.4.1                 oct/12/2001 10:35:03 no
  6 wavelan                2.4.1                 oct/12/2001 10:15:18 no
  7 system                 2.4.1                 oct/12/2001 10:05:27 no
  8 routing                2.4.1                 oct/12/2001 10:07:32 no
  9 snmp                   2.4.1                 oct/12/2001 10:07:58 no
[MikroTik] >

Software License

The telephony does not require any additional Software License. It works with the Basic License.

Hardware Installation

Please install the telephony hardware into the PC according to the instructions provided by the card manufacturer. Each installed Quicknet card requires an I/O memory range in the following sequence: the first card occupies addresses 0x300-0x31f, the second card 0x320-0x33f, the third 0x340-0x35f, and so on. Make sure there is no conflict in these ranges with other devices, e.g., network interface cards.

If the MikroTik router will be used as

Please consult the ISDN Manual for more information about installing the ISDN adapters.

IP Telephony Configuration

The IP Telephony requires IP network connection and configuration. The basic IP configuration can be done under the /ip address and /ip route menus.

Configuration of the IP telephony can be accessed under the /ip telephony menu:

[MikroTik] ip telephony> ?
       codec  Audio compression capability management
      export  Export IP Telephony settings
     numbers  Telephone numbers management
      region  Telephony voice port regional setting management
  voice-port  Telephony voice port management
[MikroTik] ip telephony>

Telephony Voice Ports

The management of all IP telephony voice ports (linejack, phonejack, isdn, voip) can be accessed under the /ip telephony voice-port menu. Use the print command to view the list of available telephony voice ports and their configuration.

[MikroTik] ip telephony voice-port> print
Flags: X - disabled
  #   NAME                          AUTODIAL                     TYPE
  0   PBX_Line                                                   linejack
  1   ISDN_GW                                                    isdn
  2   VoIP_GW                                                    voip
[MikroTik] ip telephony voice-port>

Description of arguments:

name - name assigned to the voice port by user.
type - ( phonejack / linejack / isdn / voip ) type of the installed telephony voice port, i.e., PhoneJack or LineJack.
autodial-number - number to be dialed automatically, if the voice port is to be used. The number should be present under the /ip telephony numbers list

Monitoring the Voice Ports

Monitoring of the voice ports is available for phonejack, linejack, and isdn voice ports. Use the monitor command under the corresponding menu to view the current state of the port, for example:

[MikroTik] ip telephony voice-port linejack> monitor PBX_Line
               status: connection
                 port: phone
            direction: port-to-ip
          line-status: unplugged
         phone-number: 26
    remote-party-name: pbx_20 [10.5.8.12]
                codec: G.723.1-6.4k/hw
             duration: 14s
			 
[MikroTik] ip telephony voice-port linejack>

Argument description:

status - current state of the port
    'on-hook' - the handset is on-hook, no activity
    'off-hook' - the handset is off-hook, the number is being dialed
    'ring' - call in progress, direction of the call is shown by the argument 'direction'
    'connection' - the connection has been established
    'busy' - the connection has been terminated, the handset is still 'off-hook'
port - (only for linejack) the active port of the card
    'phone' - telephone connected to the card (POTS)
    'line' - line connected to the linejack card (PSTN)
direction - direction of the call
    'ip-to-port' - call from the IP network to the voice card
    'port-to-ip' - call from the voice card to an IP address
line-status - (only for linejack) state of the PSTN line
    'plugged' - the telephone line is connected to the PSTN port of the linejack card
    'unplugged' - there is no working line connected to the PSTN port of the linejack card
phone-number - the number which is being dialed
remote-party-name - name and IP address of the remote party
codec - CODEC used for the audio connection
duration - duration of the audio call

Voice-Port Statistics

Voice-port statistics are available for phonejack, linejack, and isdn voice ports. Use the show-stats command under the corresponding menu to view the statistics of current audio connection. If there is no audio connection, all values are zero. For example:

[MikroTik] ip telephony voice-port linejack> show-stats PBX_Line
        round-trip-delay: 5ms
            packets-sent: 617
              bytes-sent: 148080
           max-send-time: 31ms
           avg-send-time: 30ms
           min-send-time: 29ms
        packets-received: 589
          bytes-received: 141360
        max-receive-time: 41ms 
        avg-receive-time: 30ms
        min-receive-time: 19ms
    average-jitter-delay: 59ms
            packets-lost: 0
    packets-out-of-order: 0
        packets-too-late: 2
		
[MikroTik] ip telephony voice-port linejack>

The average-jitter-delay shows the approximate delay time until the received voice packet is forwarded to the driver for playback. The value shown is never less than 30ms, although the actual delay time could be less. If the shown value is >40ms, then it is close (+/-1ms) to the real delay time.

The jitter buffer preserves quality of the voice signal against the loss or delay of packets while traveling over the network. The larger the jitter buffer, the larger the total delay, but fewer packets lost due to timeout. If the jitter-buffer=0, then it is adjusted automatically during the conversation to minimize the number of lost packets. The 'average-jitter-delay' is the approximate average time from the moment of receiving an audio packet from the IP network till it is played back over the telephony voice port.

The total delay from the moment of recording the voice signal till its playback is the sum of the following three delay times:

A voice call can be terminated using the clear-call command in the phonejack, linejack or isdn submenus. If the voiceport has an active connection, the command clear-call voiceport terminates it. The command is useful in cases when the termination of a connection has not been detected by one of the parties and there is an "infinite call". It can also be used to terminate someone's call if it is using up the line required for another call.

Voice Port PhoneJack (phonejack) and LineJack (linejack)

All commands relating to the PhoneJacks and LineJacks are listed under the /ip telephony voice-port phonejack and /ip telephony voice-port linejack menus respectively. For example:

[MikroTik] ip telephony voice-port linejack> print                                
Flags: X - disabled 
  0   name=linejack autodial="" playback-volume=-2 record-volume=-2 
      ring-cadence=++-++--- ++-++--- region=us echo-cancellation=yes 
      aec-tail-length=short aec-nlp-threshold=low aec-atten-scaling=4 
      aec-atten-boost=0 

  1   name=linejack_1 autodial="" playback-volume=-2 record-volume=-2 
      ring-cadence=++-++--- ++-++--- region=us echo-cancellation=yes 
      aec-tail-length=short aec-nlp-threshold=low aec-atten-scaling=4 
      aec-atten-boost=0 

[MikroTik] ip telephony voice-port linejack>                                   

Argument descriptions:

name - name given by the user or the default one (phonejack or phonejack_x)
type - (only for phonejack) type of the card (phonejack, phonejack-lite or phonejack-pci), cannot be changed
autodial - phone number which will be dialed immediately after the handset has been lifted. If this number is incomplete, then the remaining part has to be dialed on the dial-pad. If the number is incorrect, busy tone is played. If the number is correct, then the appropriate number is dialed. If it is an incoming call from the PSTN line (linejack), then the 'directcall' mode is used - the line is picked up only after the remote party answers the call.
playback-volume - playback volume in dB, 0dB means no change, possible values are -24...24dB.
record-volume - recording volume in dB, 0dB means no change, possible values are -24...24dB.
ring-cadence - a 16-symbol ring cadence for the phone, each symbol is 0.5 seconds, '+' means ringing, '-' means no ringing.
region - regional setting for the voice port. For phonejack, this setting is used for generating the tones. For linejacks, this setting is used for detecting the parameters of PSTN line, as well as for detecting and generating the tones.
echo-cancellation - echo detection and cancellation. Possible values are 'yes/no'.
If the echo cancellation is on, then the following parameters are used:
aec-tail-length - size of the buffer of echo detection. Possible values are 'short/medium/long'.
aec-nlp-threshold - level of cancellation of silent sounds. Possible values are 'off/low/medium/high'.
aec-atten-scaling - factor of additional echo attenuation. Possible values are 0...10.
aec-atten-boost - level of additional echo attenuation. Possible values are 0, 6, 12 ... 84, 90dB, i.e., should be multiples of 6.

For linejacks, there is a command blink voiceport, which blinks the LEDs of the specified voiceport for five seconds after it is invoked. This command can be used to locate the respective card among several linejack cards.

Voice Port ISDN (isdn)

All commands relating to the ISDN voice ports are listed under the /ip telephony voice-port isdn menu. In contrast to the phonejack and linejack voice ports, whose number equals the number of cards installed, as many isdn ports as desired can be added.

[MikroTik] ip telephony voice-port isdn> print
Flags: X - disabled
  #   NAME       MSN        AUTODIAL   REGION     PLAYBACK-VOLUME RECORD-VOLUME
  0   ISDN_GW                          us         -2              -2
[MikroTik] ip telephony voice-port isdn>

Argument descriptions:

name - Name given by the user or the default one.
msn - Telephone number of the ISDN voice port (ISDN MSN number). It determines which calls from the ISDN line this voice port should answer.
autodial - phone number which will be dialed immediately after the handset has been lifted. If this number is incomplete, then the remaining part has to be dialed on the dial-pad. If the number is incorrect, busy tone is played. If the number is correct, then the appropriate number is dialed. If it is an incoming call from the ISDN line, then the 'directcall' mode is used - the line is picked up only after the remote party answers the call.
playback-volume - playback volume in dB, 0dB means no change, possible values are -24...24dB.
record-volume - recording volume in dB, 0dB means no change, possible values are -24...24dB.
region - regional setting for the voice port (for generating tones only).

Voice Port Voice over IP (voip)

The voip voice ports are virtual ports, which designate a voip channel to another host over the IP network.

[MikroTik] ip telephony voice-port voip> print detail
Flags: X - disabled
  0   name=VoIP_GW autodial="" address=10.5.8.12 jitter-buffer=50ms
      silence-detection=no prefered-codec=none fast-start=yes

[MikroTik] ip telephony voice-port voip>

Argument description:

name - Name given by the user or the default one.
address - IP address of the remote party (IP telephone or gateway) associated with this voice port. If the call has to be performed through this voice port, then the specified IP address is called. If there is an incoming call from the specified IP address, then the parameters of this voice port are used. If there is an incoming call from an IP address, which is not specified in any of the voip voice port records, then the default record with the address 0.0.0.0 is used. If there is no default record, then default values are used.
autodial - phone number which will be added in front of the telephone number received over the IP network. In most cases it should be blank.
jitter-buffer - size of the jitter buffer, 0...1000ms. The jitter buffer preserves quality of the voice signal against the loss or delay of packets while traveling over the network. The larger the jitter buffer, the larger the total delay, but fewer packets lost due to timeout. If the setting is jitter-buffer=0, the size of it is adjusted automatically during the conversation, to minimize the number of lost packets and the length of the jitter buffer.
silence-detection - if 'yes', then silence is detected and no audio data is sent over the IP network during the silence period.
prefered-codec - the preferred codec to be used for this voip voice port. If possible, the specified codec will be used.
fast-start - allow or disallow the fast start. The fast start allows establishing the audio connection in a shorter time. However, it is not always possible. Therefore, it should be turned off if there are problems using the fast start mode.

Numbers

This is the so-called "routing table" for voice calls. This table assigns numbers to the voice ports.

[MikroTik] ip telephony numbers> print
Flags: I - invalid, X - disabled
  #    DESTINATION-PATTERN      VOICE-PORT              PREFIX
  0    26                       VoIP_GW                 26
[MikroTik] ip telephony numbers>

Argument description:

destination-pattern - pattern of the telephone number. Symbols '.' and '#' designate any digit. The telephone numbers should be unique.
voice-port - voice port to be used when calling the specified telephone number.
prefix - prefix, which will be used to substitute the known part of the 'destination-pattern', i.e., the part containing digits, when using this voice port. The 'destination-pattern' argument is used to determine which voice port is to be used, whereas the 'prefix' argument designates the number to dial over the voice port (to be sent over to the remote party). If the remote party is an IP telephony gateway, then the number will be used for making the call.

The main function of the number routing table is to determine:

  1. to which voice port to route the call, and
  2. what number to send over to the remote party.

Let us consider the following example for the number table:

[MikroTik] ip telephony numbers> print
Flags: I - invalid, X - disabled
  #    DESTINATION-PATTERN      VOICE-PORT              PREFIX
  0    12345                    XX		     
  1    1111.                    YY		     
  2    22...                    ZZ                      333
  3    ...                      QQ                      55

[MikroTik] ip telephony numbers>

We will analyze the Number Received (nr) - number dialed at the telephone, or received over the line, the Voice Port (vp) - voice port to be used for the call, and the Number to Call (nc) - number to be called over the Voice Port.

If nr=55555, it does not match any of the destination patterns, therefore it is rejected.
If nr=123456, it does not match any of the destination patterns, therefore it is rejected.
If nr=1234, it does not match any of the destination patterns (incomplete for record #0), therefore it is rejected.
If nr=12345, it matches the record #0, therefore number "" is dialed over the voice port XX.
If nr=11111, it matches the record #1, therefore number "1" is dialed over the voice port YY.
If nr=22987, it matches the record #2, therefore number "333987" is dialed over the voice port ZZ.
If nr=22000, it matches the record #2, therefore number "333000" is dialed over the voice port ZZ.
If nr=444, it matches the record #3, therefore number "55444" is dialed over the voice port QQ.
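
The lookup walked through above can be modelled in a few lines, which also makes it possible to check a planned number table for patterns that could match the same number. This is an added example, not RouterOS code; the names Record, route and overlaps are hypothetical, and it assumes that the first matching record in table order is used and that the "known part" of a pattern is its leading run of digits.

```python
from typing import List, NamedTuple, Optional, Tuple

WILDCARDS = ".#"  # per the manual, '.' and '#' designate any digit


class Record(NamedTuple):
    pattern: str      # destination-pattern
    voice_port: str   # voice-port
    prefix: str = ""  # prefix (blank when not set)


def known_part(pattern: str) -> str:
    """Leading literal digits of a pattern (assumption: wildcards only trail)."""
    i = 0
    while i < len(pattern) and pattern[i] not in WILDCARDS:
        i += 1
    return pattern[:i]


def matches(pattern: str, number: str) -> bool:
    """True if the number has the pattern's length and agrees on every literal digit."""
    if len(pattern) != len(number):
        return False
    if not (number.isascii() and number.isdigit()):
        return False
    return all(p in WILDCARDS or p == d for p, d in zip(pattern, number))


def route(table: List[Record], number: str) -> Optional[Tuple[int, str, str]]:
    """Return (record index, voice port, number to call), or None if rejected."""
    for idx, rec in enumerate(table):
        if matches(rec.pattern, number):
            # The prefix replaces the known part; the wildcard digits are kept.
            to_call = rec.prefix + number[len(known_part(rec.pattern)):]
            return idx, rec.voice_port, to_call
    return None


def overlaps(table: List[Record]) -> List[Tuple[int, int]]:
    """Index pairs whose patterns can match the same number (not unique)."""
    pairs = []
    for i, a in enumerate(table):
        for j in range(i + 1, len(table)):
            b = table[j]
            if len(a.pattern) == len(b.pattern) and all(
                x in WILDCARDS or y in WILDCARDS or x == y
                for x, y in zip(a.pattern, b.pattern)
            ):
                pairs.append((i, j))
    return pairs


# The number table from the manual's example above.
MANUAL_TABLE = [
    Record("12345", "XX"),
    Record("1111.", "YY"),
    Record("22...", "ZZ", "333"),
    Record("...", "QQ", "55"),
]

# Constructed table with an ambiguity: "12" matches both records.
AMBIGUOUS_TABLE = [Record("1.", "gw", "1"), Record("12", "joe")]

if __name__ == "__main__":
    for nr in ("55555", "123456", "1234", "12345", "11111", "22987", "444"):
        print(nr, "->", route(MANUAL_TABLE, nr))
    print("overlapping records:", overlaps(AMBIGUOUS_TABLE))
```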

Regional Settings

Regional settings are used to adjust the voice port properties to the PSTN system or the PBX. For example, to detect hang-up from the line, the regional setting for the LineJACK card has to be correct: the correct busy-tone-filter frequency and busy-tone-cadence must be set for the region which this LineJACK card uses.

Regional settings are managed under the /ip telephony region menu:

[MikroTik] ip telephony region> print
Flags: P - predefined
  0 P name=us data-access-arrangement=us dial-tone-frequency=350x-6,440x-6
      dial-tone-filter=350-440 busy-tone-frequency=480x-6,620x-6
      busy-tone-filter=480-620 busy-tone-cadence=500,500,500,500
      ring-tone-frequency=480x-6,440x-6 ring-tone-filter=440-480
      ring-tone-cadence=2000,4000

  1 P name=uk data-access-arrangement=uk dial-tone-frequency=350x-6,440x-6
      dial-tone-filter=350-440 busy-tone-frequency=400x-6 busy-tone-filter=400
      busy-tone-cadence=375,375,375,375 ring-tone-frequency=400x-6,450x-6
      ring-tone-filter=400-450 ring-tone-cadence=400,200,400,2000

  2 P name=france data-access-arrangement=france dial-tone-frequency=440x-6
      dial-tone-filter=440 busy-tone-frequency=440x-6 busy-tone-filter=440
      busy-tone-cadence=250,250,250,250 ring-tone-frequency=440x-6
      ring-tone-filter=440 ring-tone-cadence=1500,3500

Argument description:

flag - (P) predefined, cannot be changed or removed. Users can add their own regional settings, which can be changed and removed.
name - Name of the regional setting
busy-tone-cadence - Busy tone cadence in ms (0 - end of cadence)
busy-tone-filter - Busy tone detection frequency Hz
busy-tone-frequency - Frequency and volume gain of busy tone Hz x dB
data-access-arrangement - Ring voltage, impedance setting for line-jack card
dial-tone-filter - Dial tone detection frequency Hz
dial-tone-frequency - Frequency and volume gain of dial tone Hz x dB
ring-tone-cadence - Ring tone cadence in ms (0 - end of cadence)
ring-tone-filter - Ring tone detection frequency Hz
ring-tone-frequency - Frequency and volume gain of ring tone Hz x dB

Sometimes it is necessary to add an additional regional setting matching the properties of a particular PBX. Use the add command to add a new regional setting:

[MikroTik] ip telephony region> add
Creates new item with specified property values.
        busy-tone-cadence  Busy tone cadence in ms (0 - end of cadence)
         busy-tone-filter  Busy tone detection frequency Hz
      busy-tone-frequency  Frequency and volume gain of busy tone Hz x dB
                copy-from  Item number
  data-access-arrangement  Ring voltage, impedance setting for line-jack card
         dial-tone-filter  Dial tone detection frequency Hz
      dial-tone-frequency  Frequency and volume gain of dial tone Hz x dB
                     name  New regional setting name
        ring-tone-cadence  Ring tone cadence in ms (0 - end of cadence)
         ring-tone-filter  Ring tone detection frequency Hz
      ring-tone-frequency  Frequency and volume gain of ring tone Hz x dB
[MikroTik] ip telephony region> add

Audio CODEC

The available Audio Coding and Decoding Protocols (CODEC) are listed under /ip telephony codec menu:

[MikroTik] ip telephony codec> print
Flags: X - disabled
  #   NAME
  0   G.723.1-6.4k/hw
  1   G.728-16k/hw
  2   G.711-ALaw-64k/hw
  3   G.711-uLaw-64k/hw
  4   G.711-uLaw-64k/sw
  5   G.711-ALaw-64k/sw
  6   G.729A-8k/sw
  7   G.723.1-6.4k/sw
  8   GSM-06.10-13.2k/sw
  9   LPC-10-2.5k/sw
[MikroTik] ip telephony codec>

CODECs are listed according to their priority of use. The highest priority is at the top. CODECs can be enabled, disabled and moved within the list. When connecting with other H.323 systems, the protocol will negotiate the CODEC which both of them support according to the priority order.

The hardware codecs (/hw) are built-in CODECs supported by Quicknet cards. If an ISDN card is used, then the hardware CODECs are ignored, only software CODECs (/sw) are used.

The choice of the CODEC type is based on the throughput and speed of the network. Better audio quality can be achieved by using a CODEC requiring higher network throughput. The highest audio quality can be achieved by using the G.711-uLaw CODEC requiring 64kb/s throughput for each direction of the call. It is used mostly within a LAN. The G.723.1 CODEC is the most popular one to be used for audio connections over the Internet. It requires only 6.4kb/s throughput for each direction of the call.

IP Telephony Troubleshooting

IP Telephony Applications

The following describes examples of some useful IP telephony applications using the MikroTik RouterOS Quicknet telephony cards or ISDN cards.

Let us consider the following example of two IP telephones and an IP telephony gateway setup:

Setting up the IP Telephone

The basic telephony configuration for the MikroTik router (IP telephone) 10.0.0.224 should be as follows:
  1. Add a voip voice port under /ip telephony voice-port voip for each of the devices you want to call or receive calls from, i.e., the IP telephony gateway 10.5.8.12 and the second IP telephone 10.5.8.2:

    [Joe] ip telephony voice-port voip>
    add name=gw address=10.5.8.12
    add name=robert address=10.5.8.2
    [Joe] ip telephony voice-port voip> print                                      
    Flags: X - disabled 
      #   NAME       ADDRESS         AUTODIAL JITTER-BUFFER        PREFE... SIL FAS
      0   gw         10.5.8.12                50ms                 none     no  yes
      1   robert     10.5.8.2                 50ms                 none     no  yes
    [Joe] ip telephony voice-port voip>  
    
  2. Add at least one unique number under /ip telephony numbers for each voice port. This number will be used to call that port:

    [Joe] ip telephony numbers>
    add destination-pattern=31 voice-port=robert
    add destination-pattern=33 voice-port=linejack
    add destination-pattern=1. voice-port=gw prefix=1
    [Joe] ip telephony numbers> print                                              
    Flags: I - invalid, X - disabled 
      #    DESTINATION-PATTERN      VOICE-PORT              PREFIX                 
      0    31                       robert                                         
      1    33                       linejack                                       
      2    1.                       gw                      1                      
    [Joe] ip telephony numbers>  
    

Making calls from the IP telephone 10.0.0.224:

Setting up the IP Telephony Gateway

The IP telephony gateway [voip_gw] requires the following configuration:
  1. Set the regional setting to match our PBX. The 'mikrotik' setting seems to be best suited:

    [voip_gw] ip telephony voice-port linejack> set 0 region=mikrotik
    [voip_gw] ip telephony voice-port linejack> print
    Flags: X - disabled
      0   name=PBX_Line autodial="" playback-volume=-2 record-volume=-2
          ring-cadence=++-++--- ++-++--- region=mikrotik echo-cancellation=yes
          aec-tail-length=short aec-nlp-threshold=low aec-atten-scaling=4
          aec-atten-boost=0
    
    [voip_gw] ip telephony voice-port linejack>
    

  2. Add a voip voice port to the /ip telephony voice-port voip for each of the devices you want to call or receive calls from, i.e., the IP telephone 10.0.0.224 and the second IP telephone 10.5.8.2:

    [voip_gw] ip telephony voice-port voip>
    add name=joe address=10.0.0.224
    add name=robert address=10.5.8.2 prefered-codec=G.723.1-6.4k/hw
    [voip_gw] ip telephony voice-port voip> print detail
    Flags: X - disabled
      0   name=joe autodial="" address=10.0.0.224 jitter-buffer=50ms
          silence-detection=no prefered-codec=none fast-start=yes
    
      1   name=robert autodial="" address=10.5.8.2 jitter-buffer=50ms
          silence-detection=no prefered-codec=G.723.1-6.4k/hw fast-start=yes
    
    [voip_gw] ip telephony voice-port voip>
    
  3. Add at least one unique number to the /ip telephony numbers for each voice port. This number will be used to call that port:

    [voip_gw] ip telephony numbers>
    add destination-pattern=31 voice-port=robert prefix=31
    add destination-pattern=33 voice-port=joe prefix=33
    add destination-pattern=1. voice-port=PBX_Line prefix=1
    [voip_gw] ip telephony numbers> print
    Flags: I - invalid, X - disabled
      #    DESTINATION-PATTERN      VOICE-PORT              PREFIX
      0    31                       robert                  31
      1    33                       joe                     33
      2    1.                       PBX_Line                1
    [voip_gw] ip telephony numbers>
    

Making calls through the IP telephony gateway:

Setting up the MikroTik Router and CISCO Router

Here are some hints on how to get a working configuration for telephony calls between a CISCO router and a MikroTik router.

Tested on:

Configuration on the MikroTik side:

Configuration on the CISCO side:

For reference, the following is an exported CISCO configuration that works:

!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
logging rate-limit console 10 except errors
enable secret 5 $1$bTMC$nDGl9/n/pc3OMbtWxADMg1
enable password 123
!
memory-size iomem 25
ip subnet-zero
no ip finger
!
call rsvp-sync
voice rtp send-recv
!
voice class codec 1
 codec preference 1 g711ulaw
 codec preference 2 g723r63
!
interface FastEthernet0
 ip address 10.0.0.101 255.255.255.0
 no ip mroute-cache
 speed auto
 half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
no ip http server
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
voice-port 0/0
!
voice-port 0/1
!
voice-port 2/0
!
voice-port 2/1
!
dial-peer voice 1 pots
 destination-pattern 101
 port 0/0
!
dial-peer voice 97 voip
 destination-pattern 097
 session target ipv4:10.0.0.97
 codec g711ulaw
!
dial-peer voice 98 voip
 destination-pattern 098
 voice-class codec 1
 session target ipv4:10.0.0.98
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password 123
 login
!
end


MikroTik RouterOS V2.4 OSPF Routing Protocol

Document revision 20-Mar-2002
This document applies to the MikroTik RouterOS V2.4

Overview

MikroTik RouterOS implements OSPF Version 2 (RFC 2328). The OSPF protocol is based on the link-state technology. It is also known as the shortest-path-first technology.

OSPF distributes routing information between routers belonging to a single autonomous system (AS). An AS is a group of routers exchanging routing information via a common routing protocol.

Installation

The OSPF feature is included in the “routing” package. The package file routing-2.4.x.npk can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload it to the router with ftp and reboot. You may check to see if the routing package is installed with the command:

[MikroTik] > system package print                                              
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 routing                2.4.5                 dec/04/2001 14:54:29 no       
  1 snmp                   2.4.5                 dec/04/2001 14:54:41 no       
  2 ppp                    2.4.5                 dec/04/2001 14:55:36 no       
  3 pppoe                  2.4.5                 dec/04/2001 14:56:30 no       
  4 ssh                    2.4.5                 dec/04/2001 14:58:22 no       
  5 pptp                   2.4.5                 dec/04/2001 14:55:54 no       
  6 cyclades               2.4.5                 dec/04/2001 14:58:39 no       
  7 framerelay             2.4.5                 dec/04/2001 15:07:21 no       
  8 system                 2.4.5                 dec/04/2001 14:53:19 no       
[MikroTik] >                                                                   

Hardware Resource Usage

There is no significant resource usage.

OSPF Description

For OSPF description and implementation guidelines, please refer to the readings mentioned in the Overview. This document discusses OSPF configuration for MikroTik RouterOS.

When implementing the OSPF, all routers should be configured in a coordinated manner. Routers belonging to one area should have the same area ID configured.

OSPF Setup

The OSPF management can be accessed under the /routing ospf submenu.

After you have determined which routers belong to your OSPF area, you have to configure the following settings on each of the routers belonging to the selected area:

  1. Change the general OSPF settings for redistributing connected, static and default routes. Generally, the default route should be distributed only from one router of your area;
  2. Add an OSPF area record, if the area is not the backbone area;
  3. Add OSPF network records for each interface you want the OSPF to run on.
OSPF is started after a record has been added to the ospf network list.
Note! The OSPF protocol is started only on interfaces configured under the /routing ospf network menu.

Setting the Basic OSPF Argument Values

To view the argument settings for OSPF, use the /routing ospf print command, for example:
[MikroTik] routing ospf> print                                                 
                 router-id: 0.0.0.0
    redistribute-connected: no
       redistribute-static: no
          redistribute-rip: no
        distribute-default: never
[MikroTik] routing ospf>  
[MikroTik] routing ospf> set redistribute-static=yes redistribute-connected=yes

Argument description:

router-id – The Router ID. If not specified (default 0.0.0.0), OSPF uses the largest IP address configured on the interfaces as its router ID.
redistribute-connected – ( yes / no ) If set to yes, then the router will redistribute the information about all connected routes, i.e., routes to networks, that can be directly reached from the router.
redistribute-static – ( yes / no ) If set to yes, then the router will redistribute the information about all static routes added to its routing database, i.e., routes, that have been created using the /ip route add command of the router.
redistribute-rip – ( yes / no ) If set to yes, then the router will redistribute the information about all routes learned by the RIP protocol.
distribute-default – ( always / if-installed / never ). Controls how to propagate the default route to other routers.
never - do not send own default route to other routers;
if-installed - send the default route only if it has been installed (a static default route, or route added by DHCP, PPP, etc.);
always - always send the default route.
Note! Within an area, only the area gateway (border) router should have the propagation of the default route enabled.

Usually you want to redistribute connected and static routes, if any. Therefore change the settings for these arguments and proceed to the OSPF areas and networks.

OSPF Areas

The area management can be accessed under the /routing ospf area submenu. There is one area which is configured by default - the backbone area (area ID 0.0.0.0):

[MikroTik] routing ospf area> print                                            
Flags: X - disabled 
  0   name=backbone area-id=0.0.0.0 default-cost=0 stub=no 
      authentication=none 

[MikroTik] routing ospf area>

To define additional OSPF area(s) for the router, use the /routing ospf area add command:

[MikroTik] routing ospf area> add area-id=0.0.10.5 name=local_10               
[MikroTik] routing ospf area> print                                            
Flags: X - disabled 
  0   name=backbone area-id=0.0.0.0 default-cost=0 stub=no 
      authentication=none 

  1   name=local_10 area-id=0.0.10.5 default-cost=0 stub=no 
      authentication=none 

[MikroTik] routing ospf area>

Argument description:

name - area name. Cannot be changed for the backbone area.
area-id - area ID, must be in IP address notation. Cannot be changed for the backbone area.
default-cost - Cost for the default summary route used for a stub area. Only for area boundary router.
stub - ( yes / no ) Sets the area type.
authentication - ( md5 / none / simple ) authentication method for OSPF
none - no authentication;
simple - clear text authentication;
md5 - Keyed Message Digest 5 (MD5) authentication.

OSPF Network

To start the OSPF protocol, you have to define the interfaces on which OSPF runs and the area ID for those interfaces. Use the /routing ospf network add command:

[MikroTik] routing ospf network> add area=local_10 address=10.0.0.0/24         
[MikroTik] routing ospf network> print                                         
Flags: X - disabled 
  #   ADDRESS            AREA                                                  
  0   10.0.0.0/24        local_10                                              
[MikroTik] routing ospf network>

Argument description:

area - Area to be associated with the address range. The area name should be from the /routing ospf area list.
address - the network address/mask that is associated with the area. The address argument allows defining one or multiple interfaces to be associated with a specific OSPF area. Only local address of the router should be covered by the address/mask.

Note on using OSPF over point-to-point links:
Never include the remote address of a point-to-point link (PPP, PPPoE, PPTP, IPIP) in the network address/mask. OSPF will not function properly. Only the local address should be included! See the Application example below!

For OSPF to operate on the interface, any address of that interface must be covered by the address specified in the network record. For example:

[MikroTik] routing ospf network> /ip address print                             
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.0.0.212/24      10.0.0.212      10.0.0.255      ether1                
  1   192.168.0.1/24     192.168.0.0     192.168.0.255   ether1                
  2   1.1.1.1/24         1.1.1.0         1.1.1.255       sync1                 
[MikroTik] routing ospf network> print                                         
Flags: X - disabled 
  #   ADDRESS            AREA                                                  
  0   192.168.0.0/24     local_10                                              
[MikroTik] routing ospf network> /ip route print                                 
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  0.0.0.0/0          A            10.0.0.1    1        ether1     
  1 I  ospf    192.168.0.0/24     A            0.0.0.0     110      ether1     
  2 D  connect 192.168.0.0/24     A            0.0.0.0     0        ether1     
  3 I  ospf    10.0.0.0/24        A            0.0.0.0     110      ether1     
  4 D  connect 10.0.0.0/24        A            0.0.0.0     0        ether1     
  5 D  connect 1.1.1.0/24         A            0.0.0.0     0        sync1      
[MikroTik] routing ospf network>  

Items #1 and #3 show that the OSPF protocol is running on the interface ether1, and that two routes have been installed by the routing daemon. The routes are marked as invalid because they match the connected routes, and there should not be two routes to the same destination. This is not a malfunction of the program.
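The coverage rule and the point-to-point note above can be checked offline before a network record is added. The following is an added example, not MikroTik code: the function names are hypothetical, the first data set is copied from the listing above, and the point-to-point records are constructed around the pptp-in1 addresses used in the tunnel example later on this page.

```python
import ipaddress

# Address list and network record from the listing above.
PAGE_ADDRESSES = [("10.0.0.212/24", "ether1"),
                  ("192.168.0.1/24", "ether1"),
                  ("1.1.1.1/24", "sync1")]
PAGE_RECORDS = [("192.168.0.0/24", "local_10")]

# Point-to-point link: (interface, local address, remote address).
# Addresses are those of pptp-in1 in the tunnel example; the records tried
# against them below are constructed for illustration.
PTP_LINKS = [("pptp-in1", "10.4.0.2", "10.4.0.1")]


def ospf_interfaces(addresses, network_records):
    """Map each interface with at least one covered address to its OSPF area."""
    active = {}
    for cidr, interface in addresses:
        local = ipaddress.ip_interface(cidr).ip
        for prefix, area in network_records:
            if local in ipaddress.ip_network(prefix):
                # One covered address is enough to start OSPF on the interface.
                active.setdefault(interface, area)
                break
    return active


def remote_covered(ptp_links, network_records):
    """Return (interface, prefix) pairs where a record covers a remote PtP address."""
    findings = []
    for interface, _local, remote in ptp_links:
        for prefix, _area in network_records:
            if ipaddress.ip_address(remote) in ipaddress.ip_network(prefix):
                findings.append((interface, prefix))
    return findings


def unused_records(addresses, network_records):
    """Return prefixes that cover no local address, so they start OSPF nowhere."""
    local_ips = [ipaddress.ip_interface(cidr).ip for cidr, _ in addresses]
    return [prefix for prefix, _area in network_records
            if not any(ip in ipaddress.ip_network(prefix) for ip in local_ips)]


if __name__ == "__main__":
    print("OSPF runs on:", ospf_interfaces(PAGE_ADDRESSES, PAGE_RECORDS))
    for record in ([("10.4.0.0/24", "local_10")], [("10.4.0.2/32", "local_10")]):
        print(record, "covers remote PtP address:", remote_covered(PTP_LINKS, record))
```
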

OSPF Interfaces

Normally you do not need to make any changes for the ospf interfaces, unless you want to adjust some interval settings for the OSPF messages, or change the interface cost or priority. To change the OSPF interface settings, go to the /routing ospf interface menu:

[MikroTik] routing ospf interface> set sync1 cost=50                               
[MikroTik] routing ospf interface> print                                       
Flags: X - disabled 
  0   interface=ether1 cost=1 priority=1 authentication-key="" 
      dead-interval=40s hello-interval=10s retransmit-interval=5s 
      transmit-delay=1s 

  1   interface=sync1 cost=50 priority=1 authentication-key="" 
      dead-interval=40s hello-interval=10s retransmit-interval=5s 
      transmit-delay=1s 

[MikroTik] routing ospf interface> 

Argument description:

authentication-key - Authentication key to be used by neighboring routers that are using OSPF's simple password authentication
cost - Interface cost (1..65535) expressed as the link state metric.
dead-interval - Interval after which a neighbor is declared dead. The interval is advertised in the router's hello packets. This value must be the same for all routers and access servers on a specific network.
hello-interval - The interval between hello packets that the router sends on the interface. The smaller the hello interval, the faster topological changes will be detected, but more routing traffic will ensue. This value must be the same for all routers on a specific network.
priority - Router priority (0..255). It helps determine the designated router for the network. When two routers attached to a network both attempt to become the designated router, the one with the higher router priority takes precedence.
retransmit-interval - Time between retransmitting lost link state advertisements (3..65535 seconds). When a router sends a link state advertisement (LSA) to its neighbor, it keeps the LSA until it receives back the acknowledgment. If it receives no acknowledgment within this interval, it retransmits the LSA.
transmit-delay - Link state transmit delay (1..65535 seconds) is the estimated time it takes to transmit a link state update packet on the interface

OSPF Troubleshooting

Additional Resources

Recommended readings for guidelines on building OSPF networks:

OSPF Application Examples

Let us consider the following examples of OSPF protocol used for backup links:

OSPF Backup without using Tunnel

This example shows how to use OSPF for backup purposes if you control all the involved routers and can run OSPF on them.

Let us assume that the link between the routers OSPF-Main and OSPF-peer-1 is the main one. If it goes down, we want the traffic to switch over to the links going through the router OSPF-peer-2.

For this:

  1. We introduce an OSPF area with area ID=0.0.0.1, which includes all three routers shown on the diagram.
  2. Only the OSPF-Main router will have the default route configured. Its interfaces peer1 and peer2 will be configured for the OSPF protocol. The interface main_gw will not be used for distributing the OSPF routing information.
  3. The routers OSPF-peer-1 and OSPF-peer-2 will distribute their connected and static route information, and receive the default route using the OSPF protocol.

OSPF_Main Router Setup

The IP address configuration of the [OSPF_Main] router is as follows:

[OSPF-Main] interface> /ip address print                                            
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.0.0.214/24      10.0.0.0        10.0.0.255      main_gw               
  1   10.1.0.2/24        10.1.0.0        10.1.0.255      peer1                 
  2   10.2.0.2/24        10.2.0.0        10.2.0.255      peer2                 
[OSPF-Main] interface>

OSPF settings:

[OSPF-Main] > routing ospf print                                               
                 router-id: 0.0.0.0
    redistribute-connected: yes
       redistribute-static: yes
          redistribute-rip: no
        distribute-default: if-installed
[OSPF-Main] > routing ospf area print                                          
Flags: X - disabled 
  0   name=backbone area-id=0.0.0.0 default-cost=0 stub=no 
      authentication=none 

  1   name=local_10 area-id=0.0.0.1 default-cost=0 stub=no 
      authentication=none 

[OSPF-Main] > routing ospf network print                                       
Flags: X - disabled 
  #   ADDRESS            AREA                                                  
  0   10.1.0.0/24        local_10                                              
  1   10.2.0.0/24        local_10                                              
[OSPF-Main] >  

OSPF-peer-1 Router Setup

The IP address configuration of the [OSPF-peer-1] router is as follows:

[OSPF-peer-1] > ip address print                                               
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.1.0.1/24        10.1.0.0        10.1.0.255      main_link             
  1   10.3.0.1/24        10.3.0.0        10.3.0.255      backup                
  2   192.168.0.1/24     192.168.0.0     192.168.0.255   local                 
[OSPF-peer-1] > 

OSPF settings:

[OSPF-peer-1] > routing ospf print                                             
                 router-id: 0.0.0.0
    redistribute-connected: yes
       redistribute-static: yes
          redistribute-rip: no
        distribute-default: never
[OSPF-peer-1] > routing ospf area print                                        
Flags: X - disabled 
  0   name=backbone area-id=0.0.0.0 default-cost=0 stub=no 
      authentication=none 

  1   name=local_10 area-id=0.0.0.1 default-cost=0 stub=no 
      authentication=none 

[OSPF-peer-1] > routing ospf network print                                     
Flags: X - disabled 
  #   ADDRESS            AREA                                                  
  0   10.3.0.0/24        local_10                                              
  1   10.1.0.0/24        local_10                                              
[OSPF-peer-1] > 

OSPF-peer-2 Router Setup

The IP address configuration of the [OSPF-peer-2] router is as follows:

[OSPF-peer-2] > ip address print                                               
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.2.0.1/24        10.2.0.0        10.2.0.255      main                  
  1   10.3.0.2/24        10.3.0.0        10.3.0.255      to-peer2              
[OSPF-peer-2] > 

OSPF settings:

[OSPF-peer-2] > routing ospf print                                             
                 router-id: 0.0.0.0
    redistribute-connected: yes
       redistribute-static: yes
          redistribute-rip: no
        distribute-default: never
[OSPF-peer-2] > routing ospf area print                                        
Flags: X - disabled 
  0   name=backbone area-id=0.0.0.0 default-cost=0 stub=no 
      authentication=none 

  1   name=local_10 area-id=0.0.0.1 default-cost=0 stub=no 
      authentication=none 

[OSPF-peer-2] > routing ospf network print                                     
Flags: X - disabled 
  #   ADDRESS            AREA                                                  
  0   10.2.0.0/24        local_10                                              
  1   10.3.0.0/24        local_10                                              
[OSPF-peer-2] >   

Routing Tables

After the three routers have been set up as described above, and the links between them are operational, the routing tables of the three routers should look as follows:

[OSPF-Main] > ip route print                                                   
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  0.0.0.0/0          A            10.0.0.1    1        main_gw    
  1 D  ospf    192.168.3.0/24     A            10.1.0.1    110      peer1      
  2 D  ospf    192.168.0.0/24     A            10.1.0.1    110      peer1      
  3 D  ospf    10.3.0.0/24        A            10.2.0.1    110      peer2      
                                  A            10.1.0.1             peer1      
  4 I  ospf    10.2.0.0/24        A            0.0.0.0     110      peer2      
  5 D  connect 10.2.0.0/24        A            0.0.0.0     0        peer2      
  6 I  ospf    10.1.0.0/24        A            0.0.0.0     110      peer1      
  7 D  connect 10.1.0.0/24        A            0.0.0.0     0        peer1      
  8 D  connect 10.0.0.0/24        A            0.0.0.0     0        main_gw    
[OSPF-Main] >  
=============================================================================
[OSPF-peer-1] > ip route print                                                 
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  192.168.3.0/24     A            192.168.0.3 1        local      
  1 D  ospf    0.0.0.0/0          A            10.1.0.2    110      main_link  
  2 D  connect 192.168.0.0/24     A            0.0.0.0     0        local      
  3 I  ospf    10.3.0.0/24        A            0.0.0.0     110      backup     
  4 D  connect 10.3.0.0/24        A            0.0.0.0     0        backup     
  5 D  ospf    10.2.0.0/24        A            10.1.0.2    110      main_link  
                                  A            10.3.0.2             backup     
  6 I  ospf    10.1.0.0/24        A            0.0.0.0     110      main_link  
  7 D  connect 10.1.0.0/24        A            0.0.0.0     0        main_link  
  8 D  ospf    10.0.0.0/24        A            10.1.0.2    110      main_link  
[OSPF-peer-1] > 
=============================================================================
[OSPF-peer-2] > ip route print                                                 
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0 D  ospf    0.0.0.0/0          A            10.2.0.2    110      main       
  1 D  ospf    192.168.3.0/24     A            10.3.0.1    110      to-peer2   
  2 D  ospf    192.168.0.0/24     A            10.3.0.1    110      to-peer2   
  3 I  ospf    10.3.0.0/24        A            0.0.0.0     110      to-peer2   
  4 D  connect 10.3.0.0/24        A            0.0.0.0     0        to-peer2   
  5 I  ospf    10.2.0.0/24        A            0.0.0.0     110      main       
  6 D  connect 10.2.0.0/24        A            0.0.0.0     0        main       
  7 D  ospf    10.1.0.0/24        A            10.3.0.1    110      to-peer2   
                                  A            10.2.0.2             main       
  8 D  ospf    10.0.0.0/24        A            10.2.0.2    110      main       
[OSPF-peer-2] >     

Please note the three equal cost multipath routes (multiple gateways for one destination) in this setup. They have been created by the OSPF, because there is equal cost to go, for example, from the router OSPF-peer-2 to the network 10.1.0.0/24.

The cost is calculated as the sum of costs over each hop to the destination. Unless equal cost multipath is specifically desired, we may want to avoid such situations and adjust the cost settings for the interfaces (links) accordingly.

Routing Tables with Revised Link Cost

Let us assume that the link between the routers OSPF-peer-1 and OSPF-peer-2 has a higher cost (it might be slower, we have to pay more for the traffic through it, etc.). Since we have left all ospf interface cost settings as default (cost=1), we need to change the following settings:

[OSPF-peer-1] > routing ospf interface set backup cost=50 
[OSPF-peer-2] > routing ospf interface set to-peer2 cost=50 

The revised network diagram:

After changing the cost settings, we have only one equal cost multipath route left - to the network 10.3.0.0/24 from the OSPF-Main router:

[OSPF-Main] > ip route print                                                   
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  0.0.0.0/0          A            10.0.0.1    1        main_gw    
  1 D  ospf    192.168.3.0/24     A            10.1.0.1    110      peer1      
  2 D  ospf    192.168.0.0/24     A            10.1.0.1    110      peer1      
  3 D  ospf    10.3.0.0/24        A            10.2.0.1    110      peer2      
                                  A            10.1.0.1             peer1      
  4 I  ospf    10.2.0.0/24        A            0.0.0.0     110      peer2      
  5 D  connect 10.2.0.0/24        A            0.0.0.0     0        peer2      
  6 I  ospf    10.1.0.0/24        A            0.0.0.0     110      peer1      
  7 D  connect 10.1.0.0/24        A            0.0.0.0     0        peer1      
  8 D  connect 10.0.0.0/24        A            0.0.0.0     0        main_gw    
[OSPF-Main] > 
===========================================================
[OSPF-peer-1] > ip route print                                                 
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  192.168.3.0/24     A            192.168.0.3 1        local      
  1 D  ospf    0.0.0.0/0          A            10.1.0.2    110      main_link  
  2 D  connect 192.168.0.0/24     A            0.0.0.0     0        local      
  3 I  ospf    10.3.0.0/24        A            0.0.0.0     110      backup     
  4 D  connect 10.3.0.0/24        A            0.0.0.0     0        backup     
  5 D  ospf    10.2.0.0/24        A            10.1.0.2    110      main_link  
  6 I  ospf    10.1.0.0/24        A            0.0.0.0     110      main_link  
  7 D  connect 10.1.0.0/24        A            0.0.0.0     0        main_link  
  8 D  ospf    10.0.0.0/24        A            10.1.0.2    110      main_link  
[OSPF-peer-1] >  
===========================================================
[OSPF-peer-2] > ip route print                                                 
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0 D  ospf    0.0.0.0/0          A            10.2.0.2    110      main       
  1 D  ospf    192.168.3.0/24     A            10.2.0.2    110      main       
  2 D  ospf    192.168.0.0/24     A            10.2.0.2    110      main       
  3 I  ospf    10.3.0.0/24        A            0.0.0.0     110      to-peer2   
  4 D  connect 10.3.0.0/24        A            0.0.0.0     0        to-peer2   
  5 I  ospf    10.2.0.0/24        A            0.0.0.0     110      main       
  6 D  connect 10.2.0.0/24        A            0.0.0.0     0        main       
  7 D  ospf    10.1.0.0/24        A            10.2.0.2    110      main       
  8 D  ospf    10.0.0.0/24        A            10.2.0.2    110      main       
[OSPF-peer-2] > 

Functioning of the Backup

If the link between routers OSPF-Main and OSPF-peer-1 goes down, we have the following situation:

The OSPF routing changes as follows:

[OSPF-Main] > ip route print                                                   
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  0.0.0.0/0          A            10.0.0.1    1        main_gw    
  1 D  ospf    192.168.3.0/24     A            10.2.0.1    110      peer2      
  2 D  ospf    192.168.0.0/24     A            10.2.0.1    110      peer2      
  3 D  ospf    10.3.0.0/24        A            10.2.0.1    110      peer2      
  4 I  ospf    10.2.0.0/24        A            0.0.0.0     110      peer2      
  5 D  connect 10.2.0.0/24        A            0.0.0.0     0        peer2      
  6 I  ospf    10.1.0.0/24        A            0.0.0.0     110      peer1      
  7 D  connect 10.1.0.0/24        A            0.0.0.0     0        peer1      
  8 D  connect 10.0.0.0/24        A            0.0.0.0     0        main_gw    
[OSPF-Main] >  
==========================================================
[OSPF-peer-1] > ip route print                                                 
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  192.168.3.0/24     A            192.168.0.3 1        local      
  1 D  ospf    0.0.0.0/0          A            10.3.0.2    110      backup     
  2 D  connect 192.168.0.0/24     A            0.0.0.0     0        local      
  3 I  ospf    10.3.0.0/24        A            0.0.0.0     110      backup     
  4 D  connect 10.3.0.0/24        A            0.0.0.0     0        backup     
  5 D  ospf    10.2.0.0/24        A            10.3.0.2    110      backup     
  6 I  ospf    10.1.0.0/24        A            0.0.0.0     110      main_link  
  7 D  connect 10.1.0.0/24        A            0.0.0.0     0        main_link  
  8 D  ospf    10.0.0.0/24        A            10.3.0.2    110      backup     
[OSPF-peer-1] >  
==========================================================
[OSPF-peer-2] > ip route print                                                 
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0 D  ospf    0.0.0.0/0          A            10.2.0.2    110      main       
  1 D  ospf    192.168.3.0/24     A            10.3.0.1    110      to-peer2   
  2 D  ospf    192.168.0.0/24     A            10.3.0.1    110      to-peer2   
  3 I  ospf    10.3.0.0/24        A            0.0.0.0     110      to-peer2   
  4 D  connect 10.3.0.0/24        A            0.0.0.0     0        to-peer2   
  5 I  ospf    10.2.0.0/24        A            0.0.0.0     110      main       
  6 D  connect 10.2.0.0/24        A            0.0.0.0     0        main       
  7 D  ospf    10.1.0.0/24        A            10.2.0.2    110      main       
  8 D  ospf    10.0.0.0/24        A            10.2.0.2    110      main       
[OSPF-peer-2] > 

The change of the routing takes approximately 40 seconds (the hello-interval setting). If required, this setting can be adjusted, but it should be done on all routers within the OSPF area!
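The gateways in the three sets of routing tables above follow from the "sum of costs over each hop" rule and can be reproduced with a small shortest-path calculation. The following is an added example, not MikroTik code: it models the three routers with the addresses and interface costs shown above, treats redistributed routes as following the shortest path to the router that advertises them (an assumption of this model), and drops the 10.1.0.0/24 network entirely when the main link is down.

```python
import heapq

ROUTERS = ("OSPF-Main", "OSPF-peer-1", "OSPF-peer-2")

# Routes redistributed into OSPF (not covered by an OSPF network record),
# mapped to the router that advertises them, as in the page's routing tables.
EXTERNAL = {
    "0.0.0.0/0": "OSPF-Main",
    "10.0.0.0/24": "OSPF-Main",
    "192.168.0.0/24": "OSPF-peer-1",
    "192.168.3.0/24": "OSPF-peer-1",
}


def build_links(backup_cost=1, main_link_up=True):
    """Return {network: {router: (local address, interface cost)}}."""
    links = {
        "10.2.0.0/24": {"OSPF-Main": ("10.2.0.2", 1),
                        "OSPF-peer-2": ("10.2.0.1", 1)},
        "10.3.0.0/24": {"OSPF-peer-1": ("10.3.0.1", backup_cost),
                        "OSPF-peer-2": ("10.3.0.2", backup_cost)},
    }
    if main_link_up:
        links["10.1.0.0/24"] = {"OSPF-Main": ("10.1.0.2", 1),
                                "OSPF-peer-1": ("10.1.0.1", 1)}
    return links


def spf(links, source):
    """Dijkstra from source: {router: (cost, frozenset of first-hop gateways)}."""
    adjacency = {}
    for ends in links.values():
        for router, (_, cost) in ends.items():
            for neighbor, (neighbor_addr, _) in ends.items():
                if neighbor != router:
                    adjacency.setdefault(router, []).append(
                        (neighbor, cost, neighbor_addr))
    best = {source: (0, frozenset())}
    heap = [(0, source)]
    while heap:
        dist, router = heapq.heappop(heap)
        if dist > best[router][0]:
            continue  # stale heap entry
        for neighbor, cost, neighbor_addr in adjacency.get(router, []):
            new_dist = dist + cost
            # Leaving the source, the gateway is the neighbor itself; further
            # out, the gateways are inherited from the router we came through.
            hops = (frozenset([neighbor_addr]) if router == source
                    else best[router][1])
            if neighbor not in best or new_dist < best[neighbor][0]:
                best[neighbor] = (new_dist, hops)
                heapq.heappush(heap, (new_dist, neighbor))
            elif new_dist == best[neighbor][0]:
                # Equal cost: keep both sets of gateways (multipath).
                best[neighbor] = (new_dist, best[neighbor][1] | hops)
    return best


def routes(links, source):
    """Return {network: (cost, gateways)} for networks not connected to source."""
    tree = spf(links, source)
    table = {}

    def offer(network, cost, gateways):
        if network not in table or cost < table[network][0]:
            table[network] = (cost, gateways)
        elif cost == table[network][0]:
            table[network] = (cost, table[network][1] | gateways)

    for network, ends in links.items():
        if source in ends:
            continue  # directly connected
        for router, (_, cost) in ends.items():
            if router in tree:
                # Path cost to the attached router plus its interface cost.
                offer(network, tree[router][0] + cost, tree[router][1])
    for network, advertiser in EXTERNAL.items():
        if advertiser != source and advertiser in tree:
            offer(network, tree[advertiser][0], tree[advertiser][1])
    return table


def ecmp_routes(links):
    """List (router, network) pairs that end up with more than one gateway."""
    return sorted((router, network)
                  for router in ROUTERS
                  for network, (_, gateways) in routes(links, router).items()
                  if len(gateways) > 1)


if __name__ == "__main__":
    for label, links in (("default costs", build_links()),
                         ("backup link cost=50", build_links(50)),
                         ("main link down", build_links(50, main_link_up=False))):
        print(label, "-> equal cost multipath routes:", ecmp_routes(links))
```
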

OSPF Backup using Encrypted Tunnel through a Third Party

(This example is based on V2.5 of the MikroTik RouterOS, which is very similar to V2.4)

This example shows how to use OSPF for backup purposes if you have to use a third-party link for backup and you do not control the routers on the backup link.

Let us assume that the link between the routers OSPF-Main and OSPF-peer-1 is the main one. When the main link goes down, the backup link should go through the ISP-2 router. Since we cannot control the ISP-2 router, we cannot run OSPF on the backup router like in the previous example with OSPF-peer-2. Therefore we have to create a tunnel between the routers OSPF-Main and OSPF-peer-1 that goes through the ISP-2 router. Thus, we will have two links between the routers, and the traffic should switch over to the backup when the main link goes down.

For this:

  1. We create a PPTP tunnel between our two routers, which goes over the ISP-2 router. Please consult the PPTP Interface Manual on how to create PPTP tunnels.
  2. We introduce an OSPF area with area ID=0.0.0.1, which includes our two routers OSPF-Main and OSPF-peer-1.
  3. Only the OSPF-Main router will have the default route configured. Its interfaces peer1 and pptp-in1 will be configured for the OSPF protocol. The interface main_gw will not be used for distributing the OSPF routing information.
  4. The router OSPF-peer-1 will distribute its connected and static route information, and receive the default route from OSPF-Main using the OSPF protocol.

OSPF-Main Router Setup

The PPTP static server configuration is as follows:

[OSPF-Main] > ip route add dst-address=10.3.0.1/32 gateway=10.2.0.1 
[OSPF-Main] > user add name=ospf group=ppp password=asdf4                      
[OSPF-Main] > interface pptp-static-server \
add client-address=10.3.0.1 mtu=1500 mru=1500 \
    local-address=10.4.0.2 remote-address=10.4.0.1 \
    encryption=required 
[OSPF-Main] > interface pptp-static-server print                               
Flags: X - disabled 
  0   name=pptp-in1 client-address=10.3.0.1 mtu=1500 mru=1500 pap=no chap=no 
      ms-chapv2=yes local-address=10.4.0.2 remote-address=10.4.0.1 
      idle-timeout=0s session-timeout=0s encryption=required 

[OSPF-Main] > interface pptp-static-server monitor pptp-in1                    
      status: Connected               
      uptime: 51m56s                  
    encoding: MPPE 128 bit, stateless 
        user: ospf                    

[OSPF-Main] > 

The IP address configuration of the OSPF-Main router is as follows:

[OSPF-Main] > ip address print                                                 
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.0.0.214/24      10.0.0.0        10.0.0.255      main_gw               
  1   10.2.0.2/24        10.2.0.0        10.2.0.255      isp2                  
  2   10.1.0.2/24        10.1.0.0        10.1.0.255      peer1                 
  3 D 10.4.0.2/32        10.4.0.1        0.0.0.0         pptp-in1              
[OSPF-Main] > 

OSPF settings:

[OSPF-Main] routing ospf> print                                                
                 router-id: 0.0.0.0
        distribute-default: if-installed
    redistribute-connected: yes
       redistribute-static: no
          redistribute-rip: no
[OSPF-Main] routing ospf> interface set pptp-in1 cost=50                       
[OSPF-Main] routing ospf> interface print                                      
  # INTERFACE                      COST  PRIORITY AUTHENTICATION-KEY           
  0 main_gw                        1     1                                     
  1 isp2                           1     1                                     
  2 peer1                          1     1                                     
  3 pptp-in1                       50    1                                     
[OSPF-Main] routing ospf> area print                                           
  # NAME                               AREA-ID         ST.. DEFAULT-COST AUT...
  0 backbone                           0.0.0.0         no   0            none  
  1 local_10                           0.0.0.1         no   0            none  
[OSPF-Main] routing ospf> network print                                        
Flags: X - disabled 
  #   NETWORK            AREA                                                  
  0   10.1.0.0/24        local_10                                              
  1   10.4.0.1/32        local_10                                              
[OSPF-Main] routing ospf>  

Note that OSPF is configured only for the peer1 and pptp-in1 interfaces. Since pptp-in1 is a point-to-point interface, its network address is entered with a 32-bit mask.

OSPF-peer-1 Router Setup

The PPTP client configuration is as follows:

[OSPF-peer-1] > ip route add dst-address=10.2.0.2/32 gateway=10.3.0.2 
[OSPF-peer-1] > user add name=ospf group=ppp password=asdf4                      
[OSPF-peer-1] > in pptp-client \
add mtu=1500 mru=1500 user=ospf connect-to=10.2.0.2 encryption=required
[OSPF-peer-1] > in pptp-client print                                           
Flags: X - disabled 
  0   name=pptp-out1 mtu=1500 mru=1500 pap=no chap=no ms-chapv2=yes 
      idle-timeout=0s session-timeout=0s encryption=required 
      add-default-route=no user=ospf connect-to=10.2.0.2 

[OSPF-peer-1] > in pptp-client monitor pptp-out1                               
      status: Connected               
      uptime: 20s                     
    encoding: MPPE 128 bit, stateless 

[OSPF-peer-1] > 

The IP address configuration of the OSPF-peer-1 router is as follows:

[OSPF-peer-1] > ip address print                                               
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.1.0.1/24        10.1.0.0        10.1.0.255      main_link             
  1   10.3.0.1/24        10.3.0.0        10.3.0.255      backup                
  2   192.168.0.1/24     192.168.0.0     192.168.0.255   local                 
  3 D 10.4.0.1/32        10.4.0.2        0.0.0.0         pptp-out1             
[OSPF-peer-1] > 

OSPF settings:

[OSPF-peer-1] routing ospf> print                                              
                 router-id: 0.0.0.0
        distribute-default: never
    redistribute-connected: yes
       redistribute-static: yes
          redistribute-rip: no
[OSPF-peer-1] routing ospf> interface set pptp-out1 cost=50                    
[OSPF-peer-1] routing ospf> interface print                                    
  # INTERFACE                      COST  PRIORITY AUTHENTICATION-KEY           
  0 backup                         1     1                                     
  1 local                          1     1                                     
  2 pptp-out1                      50    1                                     
  3 main_link                      1     1                                     
[OSPF-peer-1] routing ospf> area print                                         
  # NAME                               AREA-ID         ST.. DEFAULT-COST AUT...
  0 backbone                           0.0.0.0         no   0            none  
  1 local_10                           0.0.0.1         no   0            none  
[OSPF-peer-1] routing ospf> network print                                      
Flags: X - disabled 
  #   NETWORK            AREA                                                  
  0   10.4.0.2/32        local_10                                              
  1   10.1.0.0/24        local_10                                              
[OSPF-peer-1] routing ospf>  

Routing Tables

After the PPTP tunnel and the OSPF protocol between the two routers have been set up as described above, and the links between them are operational, the routing tables of the two routers should look as follows:

[OSPF-Main] > ip route print                                                   
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE               
    0  S 0.0.0.0/0          r 10.0.0.1        1        main_gw                 
    1  S 10.3.0.1/32        r 10.2.0.1        1        isp2                    
    2 DO 192.168.3.0/24     r 10.1.0.1        110      peer1                   
    3 DO 192.168.0.0/24     r 10.1.0.1        110      peer1                   
    4 DO 10.4.0.2/32        r 10.1.0.1        110      peer1                   
    5 IO 10.4.0.1/32        r 0.0.0.0         110      pptp-in1                
    6 DC 10.4.0.1/32        r 0.0.0.0         0        pptp-in1                
    7 DO 10.3.0.0/24        r 10.1.0.1        110      peer1                   
    8 IO 10.2.0.0/24        r 10.1.0.1        110      peer1                   
    9 DC 10.2.0.0/24        r 0.0.0.0         0        isp2                    
   10 DO 10.2.0.2/32        r 10.1.0.1        110      peer1                   
   11 IO 10.1.0.0/24        r 0.0.0.0         110      peer1                   
   12 DC 10.1.0.0/24        r 0.0.0.0         0        peer1                   
   13 DC 10.0.0.0/24        r 0.0.0.0         0        main_gw                 
[OSPF-Main] >   
=============================================================================
[OSPF-peer-1] > ip route print                                                 
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE               
    0  S 10.2.0.0/24        r 10.3.0.2        1        backup                  
    1  S 192.168.3.0/24     r 192.168.0.20    1        local                   
    2  S 10.2.0.2/32        r 10.3.0.2        1        backup                  
    3 DO 0.0.0.0/0          r 10.1.0.2        110      main_link               
    4 DC 192.168.0.0/24     r 0.0.0.0         0        local                   
    5 IO 10.4.0.2/32        r 0.0.0.0         110      pptp-out1               
    6 DC 10.4.0.2/32        r 0.0.0.0         0        pptp-out1               
    7 DO 10.4.0.1/32        r 10.1.0.2        110      main_link               
    8 DC 10.3.0.0/24        r 0.0.0.0         0        backup                  
    9 IO 10.2.0.0/24        r 10.1.0.2        110      main_link               
   10 IO 10.1.0.0/24        r 0.0.0.0         110      main_link               
   11 DC 10.1.0.0/24        r 0.0.0.0         0        main_link               
   12 DO 10.0.0.0/24        r 10.1.0.2        110      main_link               
[OSPF-peer-1] > 

Functioning of the Backup

If the link between routers OSPF-Main and OSPF-peer-1 goes down, the OSPF routing changes as follows:

[OSPF-Main] > ip route print                                                   
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE               
    0  S 0.0.0.0/0          r 10.0.0.1        1        main_gw                 
    1  S 10.3.0.1/32        r 10.2.0.1        1        isp2                    
    2 DO 192.168.3.0/24     r 10.4.0.1        110      pptp-in1                
    3 DO 192.168.0.0/24     r 10.4.0.1        110      pptp-in1                
    4 DO 10.4.0.2/32        r 10.4.0.1        110      pptp-in1                
    5 IO 10.4.0.1/32        r 0.0.0.0         110      pptp-in1                
    6 DC 10.4.0.1/32        r 0.0.0.0         0        pptp-in1                
    7 DO 10.3.0.0/24        r 10.4.0.1        110      pptp-in1                
    8 IO 10.2.0.0/24        r 10.4.0.1        110      pptp-in1                
    9 DC 10.2.0.0/24        r 0.0.0.0         0        isp2                    
   10 DO 10.2.0.2/32        r 10.4.0.1        110      pptp-in1                
   11 IO 10.1.0.0/24        r 0.0.0.0         110      peer1                   
   12 DC 10.1.0.0/24        r 0.0.0.0         0        peer1                   
   13 DC 10.0.0.0/24        r 0.0.0.0         0        main_gw                 
[OSPF-Main] > 
==========================================================
[OSPF-peer-1] > ip route print                                                 
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE               
    0  S 10.2.0.0/24        r 10.3.0.2        1        backup                  
    1  S 192.168.3.0/24     r 192.168.0.20    1        local                   
    2  S 10.2.0.2/32        r 10.3.0.2        1        backup                  
    3 DO 0.0.0.0/0          r 10.4.0.2        110      pptp-out1               
    4 DC 192.168.0.0/24     r 0.0.0.0         0        local                   
    5 IO 10.4.0.2/32        r 0.0.0.0         110      pptp-out1               
    6 DC 10.4.0.2/32        r 0.0.0.0         0        pptp-out1               
    7 DO 10.4.0.1/32        r 10.4.0.2        110      pptp-out1               
    8 DC 10.3.0.0/24        r 0.0.0.0         0        backup                  
    9 IO 10.2.0.0/24        r 10.4.0.2        110      pptp-out1               
   10 IO 10.1.0.0/24        r 0.0.0.0         110      main_link               
   11 DC 10.1.0.0/24        r 0.0.0.0         0        main_link               
   12 DO 10.0.0.0/24        r 10.4.0.2        110      pptp-out1               
[OSPF-peer-1] > 

As we see, all routing goes through the PPTP tunnel now.
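An added example, not part of the original manual: a Python sketch that parses the two OSPF-Main route tables shown above and lists the prefixes whose active route moved to another interface, which is a simple way to notice that traffic is now crossing the third-party link inside the PPTP tunnel. The function names are this example's own.

```python
import re

# OSPF-Main route tables copied from this page (trailing spaces trimmed).
# BEFORE: both links up. AFTER: the main link to OSPF-peer-1 is down.
BEFORE = """\
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
    0  S 0.0.0.0/0          r 10.0.0.1        1        main_gw
    1  S 10.3.0.1/32        r 10.2.0.1        1        isp2
    2 DO 192.168.3.0/24     r 10.1.0.1        110      peer1
    3 DO 192.168.0.0/24     r 10.1.0.1        110      peer1
    4 DO 10.4.0.2/32        r 10.1.0.1        110      peer1
    5 IO 10.4.0.1/32        r 0.0.0.0         110      pptp-in1
    6 DC 10.4.0.1/32        r 0.0.0.0         0        pptp-in1
    7 DO 10.3.0.0/24        r 10.1.0.1        110      peer1
    8 IO 10.2.0.0/24        r 10.1.0.1        110      peer1
    9 DC 10.2.0.0/24        r 0.0.0.0         0        isp2
   10 DO 10.2.0.2/32        r 10.1.0.1        110      peer1
   11 IO 10.1.0.0/24        r 0.0.0.0         110      peer1
   12 DC 10.1.0.0/24        r 0.0.0.0         0        peer1
   13 DC 10.0.0.0/24        r 0.0.0.0         0        main_gw
"""
AFTER = """\
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
    0  S 0.0.0.0/0          r 10.0.0.1        1        main_gw
    1  S 10.3.0.1/32        r 10.2.0.1        1        isp2
    2 DO 192.168.3.0/24     r 10.4.0.1        110      pptp-in1
    3 DO 192.168.0.0/24     r 10.4.0.1        110      pptp-in1
    4 DO 10.4.0.2/32        r 10.4.0.1        110      pptp-in1
    5 IO 10.4.0.1/32        r 0.0.0.0         110      pptp-in1
    6 DC 10.4.0.1/32        r 0.0.0.0         0        pptp-in1
    7 DO 10.3.0.0/24        r 10.4.0.1        110      pptp-in1
    8 IO 10.2.0.0/24        r 10.4.0.1        110      pptp-in1
    9 DC 10.2.0.0/24        r 0.0.0.0         0        isp2
   10 DO 10.2.0.2/32        r 10.4.0.1        110      pptp-in1
   11 IO 10.1.0.0/24        r 0.0.0.0         110      peer1
   12 DC 10.1.0.0/24        r 0.0.0.0         0        peer1
   13 DC 10.0.0.0/24        r 0.0.0.0         0        main_gw
"""

# One table row: number, flag letters, prefix, G column, gateway, distance, interface.
ROW = re.compile(
    r"^\s*(\d+)\s+([XIDJCSROB]+)\s+(\S+/\d+)\s+(\S)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")


def active_routes(table):
    """Map each prefix to (interface, gateway, distance) of its usable route."""
    best = {}
    for line in table.splitlines():
        m = ROW.match(line)
        if m is None:
            continue                      # legend, header or prompt line
        flags, prefix, gateway, distance, iface = m.group(2, 3, 5, 6, 7)
        if "I" in flags or "X" in flags:
            continue                      # invalid or disabled: not forwarding
        if prefix not in best or int(distance) < best[prefix][2]:
            best[prefix] = (iface, gateway, int(distance))
    return best


def moved_routes(before, after):
    """Return {prefix: (old_interface, new_interface)} for routes that changed."""
    old, new = active_routes(before), active_routes(after)
    return {p: (old[p][0], new[p][0])
            for p in sorted(old.keys() & new.keys())
            if old[p][0] != new[p][0]}


if __name__ == "__main__":
    for prefix, (was, now) in moved_routes(BEFORE, AFTER).items():
        print(f"{prefix:18} {was} -> {now}")
```

Run against periodic snapshots of `ip route print`, the same comparison shows both the switch to the tunnel and the switch back once the main link recovers.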


© Copyright 1999-2002, MikroTik

MikroTik RouterOS V2.4 RIP

RIP – Routing Information Protocol

Document revision 11-Jan-2002
This document applies to MikroTik RouterOS V2.4

Overview

Routing Information Protocol (RIP) is one of a series of routing protocols based on the Bellman-Ford (or distance vector) algorithm. This interior routing protocol lets routers in the same autonomous system exchange routing information by means of periodic RIP updates. Routers transmit their own RIP updates to neighboring networks and listen to the RIP updates from the routers on those neighboring networks to ensure that their routing table reflects the current state of the network and that all the best paths are available. The best path is the path with the fewest hops (router gateways).

Topics covered in this manual:

RIP Installation on the MikroTik RouterOS v2.4

The “routing-2.4.x.npk” (407KB) package is required. The package can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, upload it to the router with ftp and reboot. You can check whether the package is installed with the command:

[MikroTik] > system package print                                              
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 routing                2.4.5                 dec/04/2001 14:54:29 no       
  1 snmp                   2.4.5                 dec/04/2001 14:54:41 no       
  2 ppp                    2.4.5                 dec/04/2001 14:55:36 no       
  3 pppoe                  2.4.5                 dec/04/2001 14:56:30 no       
  4 ssh                    2.4.5                 dec/04/2001 14:58:22 no       
  5 pptp                   2.4.5                 dec/04/2001 14:55:54 no       
  6 moxa-c101              2.4.5                 dec/04/2001 14:56:39 no       
  7 framerelay             2.4.5                 dec/04/2001 15:07:21 no       
  8 system                 2.4.5                 dec/04/2001 14:53:19 no       
[MikroTik] >  

RIP Routing Setup

RIP general settings are under the /routing rip menu:

[MikroTik]> routing rip print 
       redistribute-static: no
    redistribute-connected: no
         redistribute-ospf: no
       redistribute-kernel: no
             metric-static: 1
          metric-connected: 1
               metric-ospf: 1
             metric-kernel: 1
              update-timer: 30s
             timeout-timer: 3m
             garbage-timer: 2m
[MikroTik]> 

Argument description:

Set the desired argument values to "yes" for redistributing the routing information to other routers, for example:

[MikroTik] routing rip> set redistribute-connected=yes
[MikroTik] routing rip> print                                                   
       redistribute-static: no
    redistribute-connected: yes
         redistribute-ospf: no
       redistribute-kernel: no
             metric-static: 1
          metric-connected: 1
               metric-ospf: 1
             metric-kernel: 1
              update-timer: 30s
             timeout-timer: 3m
             garbage-timer: 2m
[MikroTik] routing rip>    

RIP interface setup

To enable the RIP, it should be turned on for specific interfaces under the /routing rip interface menu:

[MikroTik]> routing rip interface print 
Flags: X - disabled 
  0 X interface=ether1 send=v2 receive=v2 authentication=none 
      authentication-key="" 

  1 X interface=prism1 send=v2 receive=v2 authentication=none 
      authentication-key="" 

[MikroTik]> routing rip interface enable 0
[MikroTik]> routing rip interface print 
Flags: X - disabled 
  0   interface=ether1 send=v2 receive=v2 authentication=none 
      authentication-key="" 

  1 X interface=prism1 send=v2 receive=v2 authentication=none 
      authentication-key="" 

[MikroTik]>

Argument description:

RIP Neighbors

To define a neighboring router with which to exchange routing information, use the /routing rip neighbour add command, for example:

[MikroTik] routing rip neighbour> add address=10.0.0.1                         
[MikroTik] routing rip neighbour> print                                        
Flags: X - disabled 
  #   ADDRESS        
  0   10.0.0.1       
[MikroTik] routing rip neighbour>                                              

Normally there is no need to add neighbors if multicasting is working properly within the network. If there are problems with exchanging the routing information, the neighbors can be added to the list. This forces the router to exchange routing information with the listed neighbor.

RIP Routes

The routes installed by RIP and other routing protocols can be viewed using the /routing rip route print command:

[MikroTik] routing rip route> print                                             
  0 type=ospf metric=1 prefix=0.0.0.0/0 gateway=10.7.1.254 from=0.0.0.0 
    timeout=0s 
...

 33 type=rip metric=2 prefix=159.148.10.104/29 gateway=10.6.1.1 
    from=10.6.1.1 timeout=2m44s 

 34 type=rip metric=2 prefix=159.148.10.112/28 gateway=10.6.1.1 
    from=10.6.1.1 timeout=2m44s 

[MikroTik] routing rip route>

Additional Resources

Links for RIP documentation:


RIP Examples

Let us consider an example of routing information exchange between a MikroTik router, a Cisco router, and the ISP routers (also MikroTik):

RIP Example

The Configuration of the MikroTik Router

The configuration of the MikroTik router is as follows:

[MikroTik] > interface print                                                   
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether2               1500  ether                                         
  1   ether1               1500  ether                                         
[MikroTik] > ip address print                                                  
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.0.0.174/24      10.0.0.174      10.0.0.255      ether1                
  1   192.168.0.1/24     192.168.0.0     192.168.0.255   ether2                
[MikroTik] >
[MikroTik] > ip route print                                                    
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  1 D  connect 192.168.0.0/24     A            0.0.0.0     0        ether2     
  2 D  connect 10.0.0.0/24        A            0.0.0.0     0        ether1     
[MikroTik] >

Note that no default route has been configured. The route will be obtained using RIP. The necessary configuration of the RIP general settings is as follows:

[MikroTik] routing rip> set redistribute-connected=yes
[MikroTik] routing rip> print                                                  
       redistribute-static: no
    redistribute-connected: yes
         redistribute-ospf: no
       redistribute-kernel: no
             metric-static: 1
          metric-connected: 1
               metric-ospf: 1
             metric-kernel: 1
              update-timer: 30s
             timeout-timer: 3m
             garbage-timer: 2m
[MikroTik] routing rip>

The minimum required configuration of the RIP interfaces is just enabling ether1:

[MikroTik] routing rip interface> enable ether1                                
[MikroTik] routing rip interface> print                                        
Flags: X - disabled 
  0 X interface=ether2 send=v2 receive=v2 authentication=none 
      authentication-key="" 

  1   interface=ether1 send=v2 receive=v2 authentication=none 
      authentication-key="" 

[MikroTik] routing rip interface>  

Note that ether2 does not need to be enabled if no propagation of RIP information into the Remote network is required. The routes obtained by RIP can be viewed in the /routing rip route menu:

[MikroTik] routing rip> route print                                            
  0 type=rip metric=2 prefix=0.0.0.0/0 gateway=10.0.0.26 from=10.0.0.26 
    timeout=2m52s 

  1 type=connect metric=1 prefix=10.0.0.0/24 gateway=0.0.0.0 from=0.0.0.0 
    timeout=0s 

  2 type=connect metric=1 prefix=192.168.0.0/24 gateway=0.0.0.0 from=0.0.0.0 
    timeout=0s 

  3 type=rip metric=2 prefix=192.168.1.0/24 gateway=10.0.0.26 from=10.0.0.26 
    timeout=2m52s 

  4 type=rip metric=3 prefix=192.168.3.0/24 gateway=10.0.0.26 from=10.0.0.26 
    timeout=2m52s 

[MikroTik] routing rip> 

The regular routing table is:

[MikroTik] routing rip> /ip route print                                        
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0 D  rip     0.0.0.0/0          A            10.0.0.26   120      ether1     
  1 D  rip     192.168.3.0/24     A            10.0.0.26   120      ether1     
  2 D  rip     192.168.1.0/24     A            10.0.0.26   120      ether1     
  3 D  connect 192.168.0.0/24     A            0.0.0.0     0        ether2     
  4 D  connect 10.0.0.0/24        A            0.0.0.0     0        ether1     
[MikroTik] routing rip> 

As we can see, the MikroTik router has learned RIP routes from the Cisco router.

The Configuration of the Cisco Router

Cisco#show running-config
...
interface Ethernet0
 ip address 10.0.0.26 255.255.255.0
 no ip directed-broadcast
!
interface Serial1
 ip address 192.168.1.1 255.255.255.252
 ip directed-broadcast
!
router rip
 version 2
 redistribute connected
 redistribute static
 network 10.0.0.0
 network 192.168.1.0
!
ip classless
!
...

The routing table of the Cisco router is:

Cisco#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is 192.168.1.2 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Ethernet0
R    192.168.0.0/24 [120/1] via 10.0.0.174, 00:00:19, Ethernet0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, Serial1
R    192.168.3.0/24 [120/1] via 192.168.1.2, 00:00:05, Serial1
R*   0.0.0.0/0 [120/1] via 192.168.1.2, 00:00:05, Serial1
Cisco#

As we can see, the Cisco router has learned RIP routes both from the MikroTik router (192.168.0.0/24), and from the ISP router (0.0.0.0/0 and 192.168.3.0/24).


© Copyright 1999-2001, MikroTik

MikroTik RouterOS V2.4 System Resource Management

Document revision 14-Oct-2001
This document applies to the MikroTik RouterOS V2.4

Overview

MikroTik RouterOS offers several features for monitoring and managing the system resources. Most of the system resource management tools are grouped under the /system menu. The user management, logging feature and some other system features are described in separate manuals.

Contents of the Manual

The following topics are covered in this manual:

System Resource Monitor

System Resource Monitor can be accessed under the /system resource menu:

[MikroTik] system resource>
      get  get value of property
       io  Input/Output ports usage information
      irq  Interrupt Request usage information
  monitor  Monitor CPU and memory usage
    print  Print basic system resources information
[MikroTik] system resource>

Basic System Resources

Use the print command to view the basic system resource status:

[MikroTik] system resource> print
           uptime: 14d8h49m58s
     total-memory: 28320
      free-memory: 7464
         cpu-type: ff/04
    cpu-frequency: 300
        hdd-total: 46474
         hdd-free: 25487
[MikroTik] system resource>

The argument values are self-explanatory.

System Resource Monitoring

The current system CPU usage and free memory can be viewed using the monitor command:

[MikroTik] system resource> monitor
       cpu-used: 1
    free-memory: 7464

[MikroTik] system resource>

The values for CPU usage and free memory are given as a percentage and in megabytes, respectively.

IRQ and IO Usage Monitor

The IRQ and IO addresses can be viewed using the irq print and io print commands:

[MikroTik] system resource> irq print
 IRQ USED OWNER
 1   yes  keyboard
 2   yes  APIC
 3   no
 4   yes  serial port
 5   no
 6   no
 7   no
 8   no
 9   yes  ether1
 10  no
 11  yes  pc1
 12  no
 13  yes  FPU
 14  yes  IDE 1
[MikroTik] system resource> io print
 PORT-RANGE            OWNER
 20-3F                 APIC
 40-5F                 timer
 60-6F                 keyboard
 80-8F                 DMA
 A0-BF                 APIC
 C0-DF                 DMA
 F0-FF                 FPU
 1F0-1F7               IDE 1
 2F8-2FF               serial port
 3C0-3DF               VGA
 3F6-3F6               IDE 1
 3F8-3FF               serial port
 EE00-EEFF             ether1
 EF40-EF7F             pc1
 FC00-FC07             IDE 1
 FC08-FC0F             IDE 2
 FC10-FC7F             [CS5530]
[MikroTik] system resource>

Reboot and Shutdown

A system reboot is required when upgrading or installing new software packages. The packages are installed during the system shutdown. Use the reboot command to reboot the router:

[MikroTik] system> reboot
Reboot, yes? [y/N]: y
system will reboot shortly

Only users who are members of groups with reboot privileges can reboot or shut down the router. The reboot process sends a termination signal to all running processes, unmounts the file systems, and reboots the router.

Before turning the power off for the router, the system should be brought to a halt using the halt command:

[MikroTik] system> shutdown
Shutdown, yes? [y/N]: y
system will shutdown promptly

For most systems, it is necessary to wait approximately 30 seconds for a safe power down.

Configuration Reset

The reset command clears all configuration of the router and sets it to the default including the login name and password ('admin' and no password):

[MikroTik] system> reset
Dangerous! Reset anyway? [y/N]:

The router is rebooted after the reset command.

Router Identity

The router identity is displayed before the command prompt. It is also used by the DHCP client as the 'host name' parameter when reporting it to the DHCP server. The router identity can be set using the /system identity set command:

[MikroTik] system identity> print
    name: MikroTik
[MikroTik] system identity> set name=Our_GW
[Our_GW] system identity>

Date and Time Settings

The system Date and Time settings are managed under the /system clock menu:

[MikroTik] system clock> print
    time: apr/26/2001 00:41:45
[MikroTik] system clock>

To set the system date and time use the set command:

[MikroTik] system clock> set
  date  New system date [month/DD/YYYY]
  time  New system time [HH:MM:SS]
[MikroTik] system clock> set date=oct/14/2001 time=20:25:00
[MikroTik] system clock> print
    time: oct/14/2001 20:25:03
[MikroTik] system clock>

Date and time settings become permanent and affect the BIOS settings.

Configuration Change History

The history of system configuration changes is held until the next router shutdown. The invoked commands can be 'undone' using the /undo command. By invoking the command several times, the configuration changes can be 'undone' in the reverse of the order in which they were invoked. Use the /system history print command to see the list of performed actions:

[MikroTik] system history> print
 ACTION                                BY                                   TYPE
 address removed                       admin                                undo
 route added                           admin                                undo
 system identity changed               admin                                undo
 system time changed                   admin                                undo
[MikroTik] system history>

The list is printed with the newest actions at the top. Thus, in this example, the /undo command would 'undelete' the address which has been removed:

[MikroTik] system history> /undo
[MikroTik] system history> print
 ACTION                                BY                                   TYPE
 address removed                       admin                                redo
 route added                           admin                                undo
 system identity changed               admin                                undo
 system time changed                   admin                                undo
[MikroTik] system history>

Tip: If you accidentally removed an item or set a wrong argument value, just execute the /undo command to undo the previous action. The /redo command does the opposite: it redoes the previously undone action.


© Copyright 1999-2001, MikroTik

MikroTik RouterOS V2.4 Users and Groups

Document revision 08-Apr-2001
This document applies to the MikroTik RouterOS V2.4

Overview

MikroTik RouterOS has a local user database. Permissions and user rights are granted to groups. Users belong to groups and receive all the permissions and user rights assigned to that group.

Contents of the Manual

The following topics are covered in this manual:

User Management

User management can be accessed under the /user menu:

[MikroTik] user> print
Flags: X - disabled
  0   ;;; system default user
      name=admin group=full address=0.0.0.0/0 caller-id="" baud-rate=0
      only-one=no max-session-time=0s

[MikroTik] user>

Use the add command to add a user to the user database:

[MikroTik] user> add name=joe group=ppp password=j1o2e3
[MikroTik] user> print
Flags: X - disabled
  0   ;;; system default user
      name=admin group=full address=0.0.0.0/0 caller-id="" baud-rate=0
      only-one=no max-session-time=0s

  1   name=joe group=ppp address=0.0.0.0/0 caller-id="" baud-rate=0
      only-one=no max-session-time=0s

[MikroTik] user>

Argument description:

name - (required) User name. Must start with an alphanumeric character and contain alphanumeric characters, "*", "_", ".", "@".
group - (required) Name of the group the user belongs to. The system default groups are 'full', 'write', 'read', and 'ppp'. See below on how to manage user groups.
password - User password. If not specified, it is left blank (hit 'Enter' when logging in). It conforms to standard Unix characteristics of passwords. Can contain letters, digits, "*" and "_".
baud-rate - Connection rate limit for PPPoE
caller-id - For PPTP it is the IP address of the client, for PPPoE it is the MAC address of the client
max-session-time - (Only for PPP connections) Maximum session time the user can have when logged in
only-one - (yes / no) (Only for PPP connections) If 'yes', the user can have only one session at a time
address - IP address from which the user is allowed to log in. When logging in using PPP, if the remote address is specified in the PPP interface settings, then this address should match the specified address in order to enable the client to log in. Can be in the form address/mask, where 'mask' is the number of bits in the subnet mask.
netmask - Network mask of addresses assigned to the user

Note! User name "*" will be used for PPP as any user.

The list of active users can be viewed using the /user active print command:

[MikroTik] > /user active print
  # WHEN                 NAME                           ADDRESS         VIA
  0 apr/19/2001 01:11:04 admin                          0.0.0.0         console
  1 apr/19/2001 01:12:26 1                              0.0.0.0         console
[MikroTik] >

Once logged on, the user can change his/her password using the /password command. The user is required to enter the current password before entering the new password. The next time the user logs in, the new password must be entered.

User Groups

User group management can be accessed under the /user group menu:

[MikroTik] user group> print
  0 ;;; ppp users
    name=ppp policy=ppp

  1 ;;; users with read only permission
    name=read policy=local telnet ssh reboot read test web

  2 ;;; users with write permission
    name=write policy=local telnet ssh reboot read write test web

  3 ;;; users with complete access
    name=full policy=local telnet ssh ftp reboot read write policy test web

[MikroTik] user group>

There are four system groups which cannot be deleted. Use the add command to add a user group:

[MikroTik] user group> add name=reboot policy="telnet reboot read"
[MikroTik] user group> print
  0 ;;; ppp users
    name=ppp policy=ppp

  1 ;;; users with read only permission
    name=read policy=local telnet ssh reboot read test web

  2 ;;; users with write permission
    name=write policy=local telnet ssh reboot read write test web

  3 ;;; users with complete access
    name=full policy=local telnet ssh ftp reboot read write policy test web

  4 name=reboot policy=reboot read telnet

[MikroTik] user group>

Here, the argument name is the name of the group, and policy contains the list of policies assigned to the group:

local - User can log on locally via console
telnet - User can log on remotely via telnet
ssh - User can log on remotely via secure shell
ftp - User can log on remotely via ftp and send and retrieve files from the router
reboot - User can reboot the router
read - User can retrieve the configuration
write - User can retrieve and change the configuration
policy - Manage user policies, add and remove user
test - User can run ping, traceroute, bandwidth test
web - User can log on remotely via http (Java Console)
ppp - User can log on using ppp connections to the router (PPP, PPTP, PPPoE)
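
The user, group and policy model above can be checked offline against saved console output. The following Python script is an added example, not part of the MikroTik manual: it parses /user print and /user group print text, resolves each enabled user's policies through the group, and reports accounts that can log in over the network from any address, that have only unencrypted login paths, or that hold the policy right. The users "ops" and "old", the finding names, and the reading of address=0.0.0.0/0 as "no source restriction" are assumptions of the example.

```python
import ipaddress
import re

# Constructed sample input in the format of "/user print" and "/user group
# print" shown above; the users "ops" and "old" are made up for the example.
USERS = """\
Flags: X - disabled
  0   ;;; system default user
      name=admin group=full address=0.0.0.0/0 caller-id="" baud-rate=0
      only-one=no max-session-time=0s

  1   name=joe group=ppp address=0.0.0.0/0 caller-id="" baud-rate=0
      only-one=no max-session-time=0s

  2   name=ops group=reboot address=10.5.5.0/24 caller-id="" baud-rate=0
      only-one=no max-session-time=0s

  3 X name=old group=full address=0.0.0.0/0 caller-id="" baud-rate=0
      only-one=no max-session-time=0s
"""
GROUPS = """\
  0 ;;; ppp users
    name=ppp policy=ppp

  1 ;;; users with read only permission
    name=read policy=local telnet ssh reboot read test web

  2 ;;; users with write permission
    name=write policy=local telnet ssh reboot read write test web

  3 ;;; users with complete access
    name=full policy=local telnet ssh ftp reboot read write policy test web

  4 name=reboot policy=reboot read telnet
"""

REC_START = re.compile(r"^\s*(\d+)\s+(X\s+)?(.*)$")  # "<index> [X] <rest>"
KEY = re.compile(r"(?:^|\s)([a-z][a-z0-9-]*)=")       # start of a key=value pair
REMOTE = {"telnet", "ssh", "ftp", "web"}  # policies that allow network login
CLEARTEXT = {"telnet", "ftp", "web"}      # unencrypted transports (web is http)


def parse_print(text):
    """Turn multi-line 'print' output into a list of property dicts."""
    chunks = []  # one [disabled, joined property text] entry per record
    for line in text.splitlines():
        body = line.strip()
        if not body or body.startswith(("Flags:", "[")):
            continue  # blank line, flag legend or console prompt
        start = REC_START.match(line)
        if start:
            chunks.append([bool(start.group(2)), ""])
            body = start.group(3)
            if body.startswith(";;;"):
                continue  # comment line, carries no properties
        if chunks:
            chunks[-1][1] += " " + body
    records = []
    for disabled, joined in chunks:
        hits = list(KEY.finditer(joined))
        props = {"disabled": disabled}
        for i, hit in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(joined)
            # A value runs up to the next key, so "policy=a b c" stays whole.
            props[hit.group(1)] = joined[hit.end():end].strip().strip('"')
        records.append(props)
    return records


def audit(users_text, groups_text):
    """Return {user name: [finding, ...]} for every enabled user."""
    policies = {g["name"]: set(g["policy"].split())
                for g in parse_print(groups_text)}
    report = {}
    for user in parse_print(users_text):
        if user["disabled"]:
            continue
        granted = policies.get(user["group"])
        if granted is None:
            report[user["name"]] = ["unknown-group"]
            continue
        findings = []
        remote = granted & REMOTE
        source = ipaddress.ip_network(user.get("address", "0.0.0.0/0"),
                                      strict=False)
        if remote and source.prefixlen == 0:
            findings.append("any-source")      # network login from anywhere
        if remote and remote <= CLEARTEXT:
            findings.append("cleartext-only")  # no encrypted login path
        if "policy" in granted:
            findings.append("user-admin")      # may add and remove users
        report[user["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(USERS, GROUPS).items():
        print(f"{name:8} {', '.join(findings) or 'ok'}")
```

On the sample, the default admin account is reported as any-source and user-admin, which is the state of a freshly installed router as shown in the first /user print listing.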


MikroTik RouterOS V2.4 License

Document revision 22-Nov-2001
This document applies to the MikroTik RouterOS V2.4

Overview

MikroTik RouterOS software has a licensing system where Software License (Software Key) is issued for each individual installation of the RouterOS. The Software License can be obtained through the Account Server at www.mikrotik.com after the MikroTik RouterOS has been installed. The Software ID of the installation is required when obtaining the Software License. Please read the MikroTik RouterOS Basic Setup Guide for detailed explanation of the installation and licensing process.

Managing the License

License management can be accessed under the /system license menu:

[MikroTik] system license> print                                                                                      
          software-id: UKCX-J2N
                  key: BD25-1QN-ILK
    upgradeable-until: may/01/2002
[MikroTik] system license> ?
  feature  Unlocked router features
      get  get value of property
    print  Show license information
      set  Set the new Software Key
[Customers_PMI] system license>                                                                                            

Here, upgradeable-until is the date until which the software can be upgraded to higher versions.

To see the software features that are enabled with the current license use the following command:

[MikroTik] system license> feature print                                                                              
Flags: X - disabled 
  #   FEATURE                                                                                                              
  0 X AP                                                                                                                   
  1   synchronous                                                                                                          
  2 X radiolan                                                                                                             
  3   wireless-2.4gHz                                                                                                      
  4   licensed                                                                                                             
[MikroTik] system license>                                                                                            

Here we see that the software has a full license (not the demo version), and that the 2.4GHz Wireless and Synchronous features are enabled.

Obtaining Additional License Features

To enable additional MikroTik RouterOS software features, or to enable upgrading (if it has expired), a new Software Key should be obtained from the Account Server at www.mikrotik.com. The new Software Key should be supplied to the router and the system should be rebooted:

[MikroTik] system license> set key=PSJ5-FG3-BCD                                                                       
[MikroTik] system license> /system reboot                                                                             
Reboot, yes? [y/N]: y

After reboot you will see the new licensing information, for example:

[MikroTik] system license> print                                                                                      
          software-id: UKCX-J2N
                  key: PSJ5-FG3-BCD
    upgradeable-until: dec/01/2002
[MikroTik] system license>


MikroTik RouterOS V2.4 Log Management

Document revision 28-Dec-2001
This document applies to MikroTik RouterOS V2.4

Overview

Various system events and status information can be logged. Logs can be saved in a file on the router or sent to a remote server running a syslog daemon. MikroTik provides a shareware Windows Syslog daemon, which can be downloaded from www.mikrotik.com.

Installation

The Log Management feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

Log Management Description

The logging feature sends all of your actions on the router to a log file or to a logging daemon. The router has several global configuration settings that are applied to logging. Logs have different facilities. Logs from each facility can be configured to be discarded, logged locally, or logged remotely.

General settings for logging facility can be configured in the /system logging menu:

[MikroTik] system logging> print
    default-remote-address: 10.5.13.11
       default-remote-port: 514
              buffer-lines: 100

General logging parameters:


buffer-lines - Number of lines kept in local buffer. Contents of the local logs can be viewed using the /log print command. When number of lines in local log buffer is exceeded, lines from the beginning of buffer are deleted.
default-remote-address - Remote log server IP address. Used when remote logging is enabled but no IP address of the remote server is specified (IP=0.0.0.0).
default-remote-port - Remote log server UDP port. Used when remote logging is enabled but no UDP port of the remote server is specified (UDP=0).

Individual settings for various logging facilities are in the /system logging facility menu:

[MikroTik] system logging facility> print
  # FACILITY          LOGGING PREFIX     REMOTE-ADDRESS  REMOTE-PORT
  0 Firewall-Log      none
  1 PPP-Account       none
  2 PPP-Info          remote             10.5.13.10      514        
  3 PPP-Error         none
  4 System-Info       remote             10.5.13.11      514        
  5 System-Error      remote             10.5.13.11      514        
  6 System-Warning    local
  7 Telephony-Info    remote             10.5.13.10      514        
  8 Telephony-Error   remote             10.5.13.10      514        

Logging facility parameters:


facility - (Read-only) Name of the log group.
logging - Type of logging.
prefix - Local log prefix.
remote-address - Remote log server IP address. Used when logging type is remote. If not set, the default log server IP address is used.
remote-port - Remote log server UDP port. Used when logging type is remote. If not set, default log server UDP port is used.

Types of logging:


local - When type "local" is used, logs are stored in local log buffer. Local logs can be viewed using /log print command.
none - When type "none" is used, logs from this source are discarded.
remote - When type "remote" is used, logs are sent to remote log server.

Log Management Examples

Use the /log print command to view the local logs:

[MikroTik] log> print
 TIME                 MESSAGE                                                   
 dec/21/2001 12:10:59 pbx_26: Call from line, line picked up                    
 dec/21/2001 12:11:01 pbx_26: Calling by number 51 to 51@10.5.9.2               
 dec/21/2001 12:11:01 pbx_26: Waiting for Jevgenijs [10.5.9.2] to answer        
 dec/21/2001 12:11:46 pbx_26: Call ended, Remote endpoint did not answer in r...
 dec/21/2001 12:48:44 Incoming call from pernavas_46 [10.5.0.21] to 15 denied...
 dec/21/2001 21:04:20 Incoming call from linejack (MikroTik) [10.0.0.100] to ...
 dec/22/2001 12:41:11 Incoming call from ARNIS13 (013) [10.5.8.243] to 51 for...
 dec/22/2001 13:46:28 Incoming call from linejack (MikroTik) [10.0.0.154] to ...
 dec/22/2001 13:46:36 Incoming call from linejack (MikroTik) [10.0.0.154] to ...
 dec/22/2001 13:55:13 user admin logged in at Sat Dec 22 13:55:13 2001 from 1...
-- more

To view complete (not truncated) log lines, use the /log print detail command:

[MikroTik] log> print detail

 time=dec/22/2001 15:56:35 
    message=Incoming call from vpb_2 (MikroTik) [10.0.0.125] to 88 \
             forwarded to 88@10.0.0.154 

 time=dec/22/2001 15:58:10 
    message=user admin logged in at Sat Dec 22 15:58:10 2001 from \
             10.0.0.96 via telnet 
... 
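
Login records like the one above can be pulled out of saved /log print detail output for review. This Python script is an added example, not part of the MikroTik manual: it rejoins the backslash-wrapped lines, extracts the user, source address and access method from each login message, and flags telnet logins and sources outside a management subnet. The 10.0.0.0/24 subnet, the "joe" record with "via ssh", and the flag names are assumptions of the example.

```python
import ipaddress
import re

# Constructed sample in the "/log print detail" format shown above. The first
# two records are the manual's; the "joe" record is made up for the example.
LOG_DETAIL = r"""
 time=dec/22/2001 15:56:35
    message=Incoming call from vpb_2 (MikroTik) [10.0.0.125] to 88 \
             forwarded to 88@10.0.0.154

 time=dec/22/2001 15:58:10
    message=user admin logged in at Sat Dec 22 15:58:10 2001 from \
             10.0.0.96 via telnet

 time=dec/22/2001 16:02:41
    message=user joe logged in at Sat Dec 22 16:02:41 2001 from \
             192.0.2.77 via ssh
...
"""

LOGIN = re.compile(r"user (\S+) logged in at (.+?) from (\S+) via (\S+)")
WRAP = re.compile(r"\\[ \t]*\r?\n[ \t]*")  # "\" at end of line plus next indent
MGMT_NET = ipaddress.ip_network("10.0.0.0/24")  # assumption: management subnet
CLEARTEXT_VIA = {"telnet"}  # the only access method in the manual's log sample


def parse_detail(text):
    """Return [{'time': ..., 'message': ...}] with wrapped lines rejoined."""
    records = []
    for line in WRAP.sub("", text).splitlines():
        line = line.strip()
        if line.startswith("time="):
            records.append({"time": line[len("time="):], "message": ""})
        elif line.startswith("message=") and records:
            records[-1]["message"] = line[len("message="):]
    return records


def login_events(text, mgmt_net=MGMT_NET):
    """Extract login records and flag the ones worth a second look."""
    events = []
    for rec in parse_detail(text):
        match = LOGIN.search(rec["message"])
        if not match:
            continue  # not a login, or a truncated line without "via"
        user, _, source, via = match.groups()
        flags = []
        if via in CLEARTEXT_VIA:
            flags.append("cleartext")
        try:
            if ipaddress.ip_address(source) not in mgmt_net:
                flags.append("outside-mgmt-net")
        except ValueError:
            flags.append("bad-source")
        events.append({"time": rec["time"], "user": user, "source": source,
                       "via": via, "flags": flags})
    return events


if __name__ == "__main__":
    for event in login_events(LOG_DETAIL):
        print(event)
```

Feed it print detail output rather than the plain print view, whose truncated lines lose the source address and access method.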


MikroTik RouterOS V2.4 Export and Import

Document revision 09-Jan-2001
This document applies to MikroTik RouterOS V2.4

The configuration export can be used for dumping out MikroTik RouterOS configuration to the console screen or to a text (script) file, which can be downloaded from the router using ftp. The configuration import can be used to import the router configuration script (or part of it) from a text file.

For backing up configuration to a binary file and restoring it without alterations, please refer to the configuration backup and restore section of the MikroTik RouterOS Manual.

Installation

The Export and Import features are included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

Export and Import Description

The export command prints a script that can be used to restore configuration. The command can be invoked at any menu level, and it acts for that menu level and all menu levels below it. If the argument "from" is used, then it is possible to export only specified items. The "export" does not descend recursively through the command hierarchy. "export" also has the argument "file", which allows you to save the script in a file on the router to retrieve it later via ftp.

The root level command /import file_name restores the exported information from the specified file. This is used to restore configuration or part of it after a 'system reset' event or anything that causes configuration data loss.

Export and Import Examples

[MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.5.5.244/24      10.5.5.244      10.5.5.255      ether1
  1   10.5.5.245/32      10.5.5.245      10.5.5.245      ether1
  2   10.5.5.246/32      10.5.5.246      10.5.5.246      ether1
[MikroTik] ip address>

To make an export file use the following command:

[MikroTik] ip address> export file=address
[MikroTik] ip address>

To make an export file from only one item use the following command:

[MikroTik] ip address> export file=address1 from=1
[MikroTik] ip address>

To see the files stored on the router use the following command:

[MikroTik] file> print
  # NAME                           SIZE       TYPE    TIME                
  0 address1.script                128        unknown jan/09/2002 16:00:13
  1 address.script                 354        unknown jan/09/2002 15:48:57
[MikroTik] file>

To export the settings to the display, use the same command but without the 'file' argument:

[MikroTik] ip address> export from=0,2
/ ip address 
add address=10.5.5.244/24 network=10.5.5.244 broadcast=10.5.5.255 interface=ether1 
comment $^ "" 
enable $^ 
add address=10.5.5.246/32 network=10.5.5.246 broadcast=10.5.5.246 interface=ether1 
comment $^ "" 
enable $^ 
[MikroTik] ip address>

To load the saved export file use the following command:

[MikroTik] > import
file-name: address1.script
[MikroTik] >


MikroTik RouterOS V2.4 Backup and Restore

Document revision 09-Jan-2001
This document applies to MikroTik RouterOS V2.4

The configuration backup can be used for backing up MikroTik RouterOS configuration to a binary file, which can be stored on the router or downloaded from the router using ftp. The configuration restore can be used to restore the router's configuration from a backup file. For exporting configuration or part of it to a text (script) file and importing it, please refer to the configuration export and import section of the MikroTik RouterOS Manual.

Installation

The Backup and Restore features are included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

Backup and Restore Description

Backup and Restore feature can be found under "system backup" submenu. This function is used to store the entire router configuration in a backup file. The file is stored in the 'file' folder under "[MikroTik] file>". You can download this file through ftp to keep it as a backup for your hardware.

To restore the system configuration, for example, after a 'system reset', you can upload that file via ftp and then load that backup file, using 'load' command in "system backup" submenu.

Backup and Restore Examples

To make a backup file use the following command:

[MikroTik] system backup> save name=test
Configuration backup saved
[MikroTik] system backup>

To see the files stored on the router use the following command:

[MikroTik] file> print
  # NAME                       SIZE       TYPE    TIME
  0 test.backup                22727      backup  jan/08/2002 15:11:59
[MikroTik] file>

To load the saved backup file use the following command:

[MikroTik] system backup> load name=test
Restore and reboot? [y/N]:

The restored configuration is loaded and the router is rebooted.


MikroTik RouterOS V2.4 Serial Console

Document revision 14-December-2001
This document applies to the MikroTik RouterOS V2.4

Overview

The Serial Console feature allows configuring one serial port of the MikroTik router for access to the router's Terminal Console over the serial port. A special null-modem cable is required to connect the router's serial port with the workstation's or laptop's serial (COM) port. A terminal emulation program, e.g., HyperTerminal, should be run on the workstation. Alternatively, another MikroTik router can be used as a terminal, if its communication port is configured as a serial terminal. See the relevant manual for details.

Installation

The Serial Console feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

Serial Console Configuration

A special null-modem cable should be used for connecting to the serial console. The Serial Console cabling diagram for DB9 connectors is as follows:

	1 --- 1
	2 --- 3
	3 --- 2
	4 --- 4
	5 --- 5
	6 --- 6
	7 --- 8
	8 --- 7
	9 n/c 9

After installation of the MikroTik RouterOS the serial console is configured to use port serial0 (COM1 on the motherboard), if available. To check the Serial Console settings use:

[MikroTik] system serial-console> print
    enabled: no
       port: serial0
[MikroTik] system serial-console>

To enable Serial Console:

[MikroTik] system serial-console> set enabled=yes
[MikroTik] system serial-console> print
    enabled: yes
       port: serial0
[MikroTik] system serial-console>

To change port:

[MikroTik] system serial-console> set port=serial1
[MikroTik] system serial-console> print
    enabled: yes
       port: serial1
[MikroTik] system serial-console>

To check if the port is available or used:

[MikroTik] system serial-console> /port print
  0 name=serial0 used-by="" baud-rate=9600 data-bits=8 parity=none stop-bits=1 flow-control=none 

  1 name=serial1 used-by=Serial Console baud-rate=9600 data-bits=8 parity=none stop-bits=1 flow-control=none 

[MikroTik] system serial-console>

Troubleshooting


MikroTik RouterOS V2.4 Telnet Client

Document revision 14-December-2001
This document applies to the MikroTik RouterOS V2.4

Overview

MikroTik RouterOS has a built-in Telnet Client. It is used to communicate with other systems over a network.

Installation

The Telnet client feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

Telnet Client Description

[MikroTik] system> telnet ?
Run telnet session to remote host. 

  <host>  IP address of host
[MikroTik] system> telnet

Telnet Client Examples

A simple example of using Telnet:

[MikroTik] > /system telnet 10.0.0.100
Trying 10.0.0.100...
Connected to 10.0.0.100.
Escape character is '^]'.

MikroTik v2.5beta8
Login:

Telnet using Telnet command mode:

[Mikrotik] > /system telnet
telnet> open 10.0.0.100
Trying 10.0.0.100...
Connected to 10.0.0.100.
Escape character is '^]'.

MikroTik v2.5beta8
Login:


MikroTik RouterOS V2.4 Serial Terminal

Document revision 11-Oct-2001
This document applies to the MikroTik RouterOS V2.4

Overview

The /system serial-terminal command is used to communicate with devices and other systems that are connected to the router via a serial port. The serial terminal may be used to monitor and configure many devices – including modems, network devices, and any device that can be connected to a serial-terminal.

Installation

The Serial Terminal feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

Serial Terminal Description

All keyboard input is forwarded to the serial port and all data from the port is output to the connected device. After exiting with "Ctrl-X", the control signals of the port are lowered. It is not possible to send "Ctrl-X" key to serial port as it is intercepted and the serial-terminal is closed. The speed and other parameters of serial port may be configured in the "/port" directory of router console. No terminal translation on printed data is performed. It is possible to get the terminal in an unusable state by outputting sequences of inappropriate control characters or random data. Do not connect to devices at an incorrect speed and avoid dumping binary data.

Serial Terminal Usage

The serial-terminal is invoked with one argument - the name of serial port:

[MikroTik] system> serial-terminal port=serial0
[Type Ctrl-X to return to console]

Serial Terminal Examples

Several customers have described situations where the serial-terminal feature would be useful. One situation is described as a mountaintop where a MikroTik wireless installation sits next to equipment that also includes switches and Cisco routers that cannot be managed in-band (by telnet through an IP network). Another situation describes a need to monitor weather reporting equipment through a serial-console. Another situation described a connection to a high-speed microwave modem that needed to be monitored and managed by a serial-console connection. With the serial-terminal feature of the MikroTik, one to thirty-four devices can be monitored and controlled (using serial expansion cards for more than two devices).

The serial-console was tested and found working with:


MikroTik RouterOS V2.4 UPS Monitor

Document revision 18-Dec-2001
This document applies to the MikroTik RouterOS V2.4

Overview

The UPS monitor feature works with APC UPS units that support “smart” signaling. This feature enables the network administrator to monitor the UPS and set the router to ‘gracefully’ handle any power outage with no corruption or damage to the router. The basic purpose of this feature is to ensure that the router will come back online after an extended power failure. To do this, the router will monitor the UPS and set itself to hibernate mode when the ‘utility’ power is down and the UPS battery has less than 10% of its battery power left. The router will then continue to monitor the UPS (while in hibernate mode) and restart itself when the ‘utility’ power returns. If the UPS battery is drained and the router loses all power, the router will power back to full operation when the ‘utility’ power returns.

The UPS monitor feature on the MikroTik RouterOS supports:

Installation

The 'ups-2.4.x.npk' (less than 100KB) package for v2.4.x is required. The package can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload it to the router with ftp and reboot. You may check to see if the UPS package is installed with the command:

[MikroTik] > system package print                                              
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 ppp                    2.4.5                 dec/04/2001 14:55:36 no       
  1 pptp                   2.4.5                 dec/04/2001 14:55:54 no       
  2 pppoe                  2.4.5                 dec/04/2001 14:56:30 no       
  3 ssh                    2.4.5                 dec/04/2001 14:58:22 no       
  4 ups                    2.4.5                 dec/04/2001 15:06:29 no       
  5 system                 2.4.5                 dec/04/2001 14:53:19 no       
  6 routing                2.4.5                 dec/04/2001 14:54:29 no       
  7 snmp                   2.4.5                 dec/04/2001 14:54:41 no       
  8 radiolan               2.4.5                 dec/10/2001 12:54:14 no       
  9 framerelay             2.4.5                 dec/04/2001 15:07:21 no       
 10 moxa-c101              2.4.5                 dec/04/2001 14:57:41 no       
[MikroTik] >                                                                   

Line 4 shows that the UPS package is installed.

Hardware Resource Usage

There is no significant resource usage.

UPS Monitor Setup

Check the port menu to find a free serial port:

[MikroTik] > port print                                                        
  0 name=serial0 used-by=Serial Console baud-rate=9600 data-bits=8 
    parity=none stop-bits=1 flow-control=none 

  1 name=serial1 used-by="" baud-rate=9600 data-bits=8 parity=none 
    stop-bits=1 flow-control=none 

[MikroTik] >  

The proprietary APC UPS smart-mode cable should be connected to the free port. To configure the ups monitoring in MikroTik RouterOS, go to the /system ups menu:

[MikroTik] system ups> print                                                   
                    enabled: no
                       port: (unknown)
              off-line-time: 5m
               min-run-time: 5m
              alarm-setting: immediate-alarm
          rtc-alarm-setting: no-alarm
[MikroTik] system ups>  

Argument description:

enabled - (yes / no) Status of the monitoring. Disabled by default.
port - A communication port of the router
off-line-time - How long to work on batteries
When set to a number >0, the router waits x hours/minutes/seconds and then goes into hibernate mode until the UPS reports that the ‘utility’ power is back. When set to 0, the router will go into hibernate mode according to the “min-run-time” setting and the 10% of battery power event. The default is set to 0. In this case, the router will wait until the UPS reports that the battery power is below 10%. The number setting should be followed by “h” for hours, “m” for minutes, and “s” for seconds.
min-run-time - Minimal run time remaining
After a ‘utility’ failure, the router will monitor the run-time-left value. When the value reaches the min-run-time value, the router will go to hibernate mode. If the min-run-time value is set to 0, then the router will go to hibernate mode when the “battery low” signal is sent indicating that the battery power is below 10%.
alarm-setting - UPS sound alarm setting
rtc-alarm-setting - UPS sound alarm setting during run time calibration

To enable the UPS monitor for port 'serial1', use the set command:

[MikroTik] system ups> set port=serial1 enabled=yes                            
[MikroTik] system ups> print                                                   
                    enabled: yes
                       port: serial1
              off-line-time: 5m
               min-run-time: 5m
              alarm-setting: immediate-alarm
          rtc-alarm-setting: immediate-alarm
                      model: QS0030311640
                    version: 60.11.I
                     serial: 
           manufacture-date: 07/18/00
    nominal-battery-voltage: 24
[MikroTik] system ups>

Argument description:

model - Less than 32 ASCII character string consisting of the UPS model name (the words on the front of the UPS itself).
version - The first field is an SKU number. The second field is a variable length decimal number indicating the firmware revision. The third field is one of the following country codes:
I = 220/230/240 Vac
D = 115/120 Vac
A = 100 Vac
M = 208 Vac
J = 200 Vac
Examples:
11.12.D
1.4.A
102.56.J
serial - A string of at least 8 characters directly representing the UPS's serial number as set at the factory. Newer SmartUPS models have 12-character serial numbers.
manufacture-date - The UPS's date of manufacture in the format "mm/dd/yy" (month, day, year).
nominal-battery-voltage - A three-digit number representing the UPS's nominal battery voltage rating. This is not the UPS's actual battery voltage. For example, the UPS returns "024" for a 24 Volt battery system, "018" for an 18 Volt battery system, and "048" for a 48 Volt battery system.

Runtime Calibration

To start the runtime calibration of the UPS monitor, run the /system ups run-time-calibration command:

[MikroTik] system ups> run-time-calibration

The run-time-calibration command causes the UPS to start a run time calibration until less than 25% of full battery capacity is reached. This command calibrates the returned run time value. The test begins only if battery capacity is 100%.

UPS Monitoring

The monitor command displays changing information:

[MikroTik] system ups> monitor                                             
                      read-state: reading remaining run time
                         on-line: yes
                      on-battery: no
                   run-time-left: 16m
                  battery-charge: 100
                 battery-voltage: 27
                    line-voltage: 228
                  output-voltage: 227
                            load: 67
                     temperature: 31
                   line-fequency: 50
                   alarm-setting: immediate-alarm

[MikroTik] system ups>  

Explanation of the output and possible output:

read-state - status of the UPS:
low-battery - appears when a low-battery event occurs
on-line - displayed when power is being provided by the external utility (power company)
on-battery - displayed when the UPS battery is supplying power
transfer cause - Only shown when the unit is on-battery. Displays the reason for the most recent transfer to on-battery operation, which may be:
- unacceptable utility voltage rate of change.
- detection of high utility voltage.
- detection of low utility voltage.
- detection of a line voltage notch or spike.
- transfer in response to battery-test or run-time-calibration
replace battery - Only shown when the UPS reports this status
overloaded-output - Only shown when the UPS reports this status
smart-boost-mode - Only shown when the UPS reports this status
smart-ssdd-mode - Only shown when the UPS reports this status
run-time-calibration-running - Only shown when the UPS reports this status
run-time-left - the UPS's estimated remaining run time in minutes. You can query the UPS when it is operating in the on-line, bypass, or on-battery modes of operation. The UPS's remaining run time reply is based on available battery capacity and output load.
battery-charge - the UPS's remaining battery capacity as a percent of the fully charged condition.
battery-voltage - the UPS's present battery voltage. The typical accuracy of this measurement is ±5% of the maximum value of 24 Vdc, 34 Vdc or 68 Vdc (depending upon the UPS's nominal battery voltage).
load-power - the UPS's output load as a percentage of full rated load in Watts. The typical accuracy of this measurement is ±3% of the maximum of 105%.
load-current - the true rms load current drawn from UPS. The typical accuracy of this measurement is ±7.5% of the load rating of UPS.
apparent-load-power - representing the UPS's output load as a percentage of the full rated load in Volt-Amps. The typical accuracy of this measurement is ±5% of the maximum of 105%.
temperature - the UPS's present internal operating temperature in degrees Celsius. The typical accuracy of this measurement is ±5% of the full scale value of 100°C.
line-frequency - When operating on-line, the UPS's internal operating frequency is synchronized to the line, within 3 Hz of the nominal 50 or 60 Hz. The typical accuracy of this measurement is ±1% of the full scale value of 63 Hz.

UPS Cable Pin-Out

The APC UPS (BackUPS Pro or SmartUPS) requires a special serial cable. If no cable came with the UPS, a cable may be ordered from APC or one can be made "in-house". Use the following diagram:

Router side             UPS side
(DB9 Female)            (DB9 Male)
2 (TD)          ->      2
3 (RD)          ->      1
5 (GND)         ->      4
7 (CTS)         ->      6

The cable for the APC SMART-UPS and APC BACK-UPS:

Female 9-pin router side               Male 9-pin UPS side
1--------------------------------------------------------5
3--------------------------------------------------------1
2--------------------------------------------------------2
5--------------------------------------------------------4
8--------------------------------------------------------6

Additional Resources

http://www.linuxdoc.org/HOWTO/UPS-HOWTO.html


© Copyright 1999-2001, MikroTik

MikroTik RouterOS V2.4 Ping

Document revision 11-December-2001
This document applies to MikroTik RouterOS V2.4

Overview

Ping uses Internet Control Message Protocol (ICMP) Echo messages to determine if a remote host is active or inactive and to determine the round-trip delay when communicating with it.

Installation

The Ping feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

Ping Description

The Ping utility shows the Time To Live value of the received packet (ttl) and the round-trip time (time) in ms. A console Ping session can be stopped by pressing Ctrl+C.

[MikroTik] > ping ?
Send ICMP Echo packets. Repeat after given time interval.

  <address>  IP address of host
      count  Number of packets
   interval  Delay between messages
       size  Packet size
[MikroTik] >

Descriptions of arguments:

address - IP address for the host you want to ping.
size - (optional) Size of the IP packet (in bytes, including the IP and ICMP headers). Can be 36...4096.
interval - (optional) Delay between messages (in seconds). Default is 1 second. Can be 10ms...5s.
count - How many ICMP packets will be sent. If not specified, ping continues until Ctrl+C is pressed.

Ping Examples

[MikroTik] > ping 159.148.60.2 count=5 interval=20ms size=64
159.148.60.2 pong: ttl=249 time=3 ms
159.148.60.2 pong: ttl=249 time<1 ms
159.148.60.2 pong: ttl=249 time<1 ms
159.148.60.2 pong: ttl=249 time<1 ms
159.148.60.2 pong: ttl=249 time<1 ms
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0/0.6/3 ms
[MikroTik] > 
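
The size argument counts the IP and ICMP headers, so the echo payload is what remains after both. The following added example (not part of the original manual and not MikroTik code) builds an ICMP Echo message for a given size and validates a reply by checksum, type, identifier, sequence and payload; the 20-byte option-free IPv4 header, the function names and the responder are assumptions made for illustration.

```python
import struct

IP_HEADER_LEN = 20     # IPv4 header without options (assumption)
ICMP_HEADER_LEN = 8    # type, code, checksum, identifier, sequence
ECHO_REQUEST, ECHO_REPLY = 8, 0

def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pack_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Pack an ICMP echo message and fill in its checksum."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload

def build_echo_request(size: int, ident: int, seq: int) -> bytes:
    """ICMP part of an Echo request whose whole IP packet is `size` bytes."""
    if not 36 <= size <= 4096:
        raise ValueError("size must be 36...4096")
    payload_len = size - IP_HEADER_LEN - ICMP_HEADER_LEN
    return pack_echo(ECHO_REQUEST, ident, seq, bytes(i & 0xFF for i in range(payload_len)))

def build_echo_reply(request: bytes) -> bytes:
    """Constructed responder: same identifier, sequence and payload, type 0."""
    _, _, _, ident, seq = struct.unpack("!BBHHH", request[:ICMP_HEADER_LEN])
    return pack_echo(ECHO_REPLY, ident, seq, request[ICMP_HEADER_LEN:])

def is_our_reply(icmp: bytes, ident: int, seq: int, payload: bytes) -> bool:
    """Accept a reply only if checksum, type, identifier, sequence and payload match."""
    if len(icmp) < ICMP_HEADER_LEN or internet_checksum(icmp) != 0:
        return False
    msg_type, code, _, r_ident, r_seq = struct.unpack("!BBHHH", icmp[:ICMP_HEADER_LEN])
    return ((msg_type, code, r_ident, r_seq) == (ECHO_REPLY, 0, ident, seq)
            and icmp[ICMP_HEADER_LEN:] == payload)
```

With size=64 as in the example above, the ICMP message is 44 bytes: 8 bytes of header and 36 bytes of payload.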


© Copyright 1999-2001, MikroTik
MikroTik RouterOS V2.4 Traceroute

Document revision 11-December-2001
This document applies to MikroTik RouterOS V2.4

Overview

Traceroute is a TCP/IP protocol-based utility, which allows the user to determine how packets are being routed to a particular host. Traceroute works by increasing the time-to-live value of packets and seeing how far they get until they reach the given destination; thus, a lengthening trail of hosts passed through is built up.

Installation

The Traceroute feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

Traceroute Description

Traceroute shows every gateway passed on the way to the given host address, numbered by hop count. The Traceroute utility sends packets three times to each gateway, so it shows three time values for each gateway, in ms. A Traceroute session can be stopped by pressing Ctrl+C.

[MikroTik] tool> traceroute ?
Trace route to host by increasing Time To Live value in sent packets and waiting for "TTL expired" messages from routers.

  <address>  IP address of host
       port  UDP port number
   protocol  Protocol of sent packets
       size  Packet size
    timeout  Response wait timeout
        tos  Type of service
[MikroTik] >

Descriptions of arguments:

address - IP address of the host you are tracing route to.
port - Port number. Values are in range 0-65535.
protocol - Type of protocol to use (UDP or ICMP). If one fails (for example, it is blocked by a firewall) try the other.
size - (optional) Packet size in bytes (28..1428, default 64).
timeout - (optional) Response waiting timeout, i.e. delay between messages. Can be 1..5s, default 1s.
tos - Type Of Service – parameter of IP packet. Can be 0..255, default 0.

Traceroute Examples

[MikroTik] tool> traceroute 216.239.39.101 size=64 timeout=4s tos=0 protocol=icmp
     ADDRESS                                    STATUS
   1 159.148.60.227       3ms      3ms      3ms 
   2 195.13.173.221      80ms    169ms     14ms 
   3 195.13.173.28        6ms      4ms      4ms 
   4 195.158.240.21     111ms    110ms    110ms 
   5 213.174.71.49      124ms    120ms    129ms 
   6 213.174.71.134     139ms    146ms    135ms 
   7 213.174.70.245     132ms    131ms    136ms 
   8 213.174.70.58      211ms    215ms    215ms 
   9 195.158.229.130    225ms    239ms       0s 
  10 216.32.223.114     283ms    269ms    281ms 
  11 216.32.132.14      267ms    260ms    266ms 
  12 209.185.9.102      296ms    296ms    290ms 
  13 216.109.66.1       288ms    297ms    294ms 
  14 216.109.66.90      297ms    317ms    319ms 
  15 216.239.47.66      137ms    136ms    134ms 
  16 216.239.47.46      135ms    134ms    134ms 
  17 216.239.39.101     134ms    134ms    135ms 
[MikroTik] tool> 
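
The TTL mechanism and the advice to switch protocol when one is blocked can be followed in a small simulation. This is an added example, not part of the original manual and not MikroTik code; the path, its addresses, the hop that filters UDP and all function names are constructed for illustration.

```python
# Constructed path, not from the page: (address, protocols filtered at that hop).
PATH = [
    ("10.0.0.1", set()),
    ("10.0.1.1", {"udp"}),    # a firewall here silently drops UDP probes
    ("10.0.2.1", set()),
    ("10.0.3.9", set()),      # destination host
]

def send_probe(path, ttl, protocol):
    """Forward one probe along `path`; return (responder, kind), or None on timeout."""
    for hop, (addr, filtered) in enumerate(path, start=1):
        if protocol in filtered:
            return None                    # dropped, so nothing comes back
        if hop == len(path):
            return (addr, "reached")       # the destination itself answers
        ttl -= 1                           # every router decrements the TTL
        if ttl == 0:
            return (addr, "ttl-expired")   # router reports "TTL expired"
    return None

def traceroute(path, protocol, probes=3, max_ttl=30):
    """Raise the TTL by one per round, `probes` packets per round, stop at the target."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        answers = [a for a in (send_probe(path, ttl, protocol) for _ in range(probes)) if a]
        rows.append((ttl, answers[0][0] if answers else None, len(answers)))
        if any(kind == "reached" for _, kind in answers):
            break
    return rows

def first_silent_hop(rows):
    """Hop number of the first round with no answer at all, or None if every hop replied."""
    return next((ttl for ttl, _, count in rows if count == 0), None)

def trace_with_fallback(path, max_ttl=30):
    """Try UDP first; if some hop stays silent, repeat the trace with ICMP."""
    rows = traceroute(path, "udp", max_ttl=max_ttl)
    if first_silent_hop(rows) is None:
        return "udp", rows
    return "icmp", traceroute(path, "icmp", max_ttl=max_ttl)
```

On the constructed path the UDP trace goes silent from hop 2 onward, while the ICMP trace reaches the destination at hop 4, which locates the filtering device at the second hop.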


© Copyright 1999-2001, MikroTik

MikroTik RouterOS V2.4 Bandwidth Test

Document revision 11-December-2001
This document applies to MikroTik RouterOS V2.4

Overview

The Bandwidth Tester can be used to monitor throughput to a remote MikroTik router only (either wired or wireless), and thereby help to discover network ‘bottlenecks’.

The TCP test uses the standard TCP protocol with acknowledgments and follows the TCP algorithm on how many packets to send according to latency, dropped packets, and other features in the TCP algorithm. Please review the TCP protocol for details on its internal speed settings and how to analyze its behavior. Statistics for throughput are calculated using the entire size of the TCP packet. As acknowledgments are an internal working of TCP, their size and usage of the link are not included in the throughput statistics. Therefore this statistic is not as reliable as the UDP statistic when estimating throughput.

The UDP tester sends 110% or more of the packets currently reported as received on the other side of the link. To see the maximum throughput of a link, the packet size should be set to the maximum MTU allowed by the links, usually 1500 bytes. UDP requires no acknowledgments, so this implementation gives the closest approximation of the throughput.

Installation

The Bandwidth Test feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

!Caution! Bandwidth Test uses all available bandwidth and may impact network usability.

There is no other significant resource usage.

Bandwidth Test Description

Bandwidth Test uses the TCP or UDP protocol for the test. It tries to use the maximum bandwidth available and reports the amount of data sent to the remote router. Note that the remote router must be a MikroTik router in order to run the test. Be aware that the test uses all available bandwidth and may impact network usability.

[MikroTik] tool> bandwidth-test ?
Run TCP or UDP bandwidth test. Test tries to use maximum bandwidth available, 
and reports amount of data sent to remote router. Note that remote router must 
be MikroTik router in order to run the test. Be aware that test uses all 
available bandwidth and may impact network usability. 

  <address>  IP address of host
   interval  Interval between screen updates
   protocol  Protocol to use for test
       size  UDP packet size
[MikroTik] tool>

Descriptions of arguments:

address - IP address of destination host.
interval - (optional) Delay between messages (in seconds). Default is 1 second. Can be 20ms...5s.
protocol - Type of protocol to use (UDP or TCP, default TCP).
size - Packet size in bytes (50..1500, default 512). Works only with UDP protocol.

Bandwidth Test Examples

[MikroTik] tool> bandwidth-test 10.0.0.224 interval=2s protocol=udp size=1500
               status: running
              current: 9.73Mbps
    10-second-average: 9.72Mbps
        total-average: 8.81Mbps

[MikroTik] tool> 



[MikroTik] tool> bandwidth-test 10.0.0.152 interval=1s protocol=tcp
               status: running
              current: 7.13Mbps
    10-second-average: 6.58Mbps
        total-average: 6.73Mbps

[MikroTik] tool> 
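
The Overview's statement that the UDP tester sends 110% of what the far side reports as received explains both why the reported rate settles at the link capacity and why the test saturates the link. The following is an added model, not part of the original manual and not MikroTik's implementation; the exact factor of 1.10, the 1 Mbps starting rate, the per-report update and the link capacities are assumptions.

```python
def udp_rate_probe(capacity_by_step, start_mbps=1.0, overshoot=1.10):
    """Offer `overshoot` times what the receiver last reported, one step per report.

    Returns (offered, received, loss_fraction) per step, rounded to 3 places.
    The 1.10 factor is the page's "110%"; the rest of the model is an assumption.
    """
    offered = start_mbps
    history = []
    for capacity in capacity_by_step:
        received = min(offered, capacity)    # the link drops what exceeds capacity
        loss = 1 - received / offered
        history.append((round(offered, 3), round(received, 3), round(loss, 3)))
        offered = overshoot * received       # no ACKs: the report is the only feedback
    return history

def steps_to_saturate(history):
    """Index of the first step at which the link dropped packets, or None."""
    return next((i for i, (_, _, loss) in enumerate(history) if loss > 0), None)

# Constructed scenario: a 10 Mbps link that degrades to 4 Mbps after 30 reports.
SCENARIO = [10.0] * 30 + [4.0] * 3
```

In this model the sender ramps up by 10% per report, holds the link at capacity with about 9% of its packets dropped, and follows a capacity change within one report.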


© Copyright 1999-2001, MikroTik

MikroTik RouterOS V2.4 SNMP Service

Document revision 04-Oct-2001
This document applies to the MikroTik RouterOS V2.4

Overview

SNMPv2 (Simple Network Management Protocol version 2) is supported with limited functionality. Installing the SNMP package makes the router an SNMP agent.

The MikroTik RouterOS supports:

Installation

SNMP requires the 'snmp-2.4.x.npk' package (less than 150KB). The package can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, upload it to the router with ftp and reboot. You can check whether the SNMP package is installed with the command:

[MikroTik] > system package print
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 wavelan                2.4                   sep/25/2001 05:08:09 no
  1 snmp                   2.4                   sep/25/2001 05:06:09 no
  2 routing                2.4                   sep/25/2001 05:06:07 no
  3 ssh                    2.4                   sep/25/2001 05:08:11 no
  4 system                 2.4                   sep/25/2001 05:05:48 no
  5 ppp                    2.4                   sep/25/2001 05:06:35 no
  6 pppoe                  2.4                   sep/25/2001 05:06:45 no
  7 pptp                   2.4                   sep/25/2001 05:06:44 no
[MikroTik] >

Line 1 shows that the SNMP package is installed.

Hardware Resource Usage

When SNMP is enabled, it uses approximately 2MB of RAM. When using SNMP, memory usage estimates should be made, system resources should be monitored, and RAM should be increased accordingly.

SNMP Setup

SNMP management can be accessed under the /snmp menu. Use the set command to configure it and enable the service:

[MikroTik] snmp> set contact=Sysadmin-555-1212 location=MikroTik enabled=yes
[MikroTik] snmp> print
     contact: Sysadmin-555-1212
    location: MikroTik
     enabled: yes
[MikroTik] snmp>

Description of arguments:

contact-info, location - Informational settings for the NMS.
enabled - (yes / no). SNMP service is disabled by default.
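
Because the agent is off by default, an inventory of which routers have the package installed and the service switched on shows where it has been deliberately exposed. The following added example (not part of the original manual and not MikroTik code) classifies a router from captured 'system package print' and 'snmp print' output; the function names, the state labels and the sample captures are constructed in the format of the listings on this page.

```python
def parse_packages(text):
    """Map package name -> version from `system package print` output."""
    packages = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0].isdigit():   # rows start with an index
            packages[fields[1]] = fields[2]
    return packages

def parse_settings(text):
    """Map key -> value from the `key: value` lines of a print command."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and not line.lstrip().startswith("["):  # skip prompt lines
            settings[key.strip()] = value.strip()
    return settings

def snmp_state(package_output, snmp_output=""):
    """Return 'not-installed', 'installed-disabled' or 'enabled' for one router."""
    if "snmp" not in parse_packages(package_output):
        return "not-installed"
    enabled = parse_settings(snmp_output).get("enabled", "no")  # disabled by default
    return "enabled" if enabled == "yes" else "installed-disabled"

# Captures constructed in the format of the listings on this page.
PACKAGES_WITH_SNMP = """\
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 wavelan                2.4                   sep/25/2001 05:08:09 no
  1 snmp                   2.4                   sep/25/2001 05:06:09 no
  4 system                 2.4                   sep/25/2001 05:05:48 no
"""
PACKAGES_WITHOUT_SNMP = PACKAGES_WITH_SNMP.replace("  1 snmp", "  1 ssh ")
SNMP_ENABLED = "     contact: Sysadmin-555-1212\n    location: MikroTik\n     enabled: yes\n"
SNMP_DISABLED = SNMP_ENABLED.replace("enabled: yes", "enabled: no")

def routers_with_snmp_enabled(fleet):
    """Names of routers whose agent is answering, from {name: (packages, snmp)}."""
    return sorted(n for n, (p, s) in fleet.items() if snmp_state(p, s) == "enabled")
```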

Tools for SNMP Data Collection and Analysis

MRTG (Multi Router Traffic Grapher) is the most commonly used SNMP monitor.

http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/

Additional Resources

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm


© Copyright 1999-2001, MikroTik