MikroTik RouterOS™ V2.7 Reference Manual

Document revision 1.99 (30-Dec-2003)
This document applies to the MikroTik RouterOS™ V2.7

User Guides

Software Technical Reference and Application Examples


© Copyright 1999-2003, MikroTik

MikroTik RouterOS™ V2.7 Basic Setup Guide

Document revision 1.3 (09-Jun-2003)
This document applies to the MikroTik RouterOS™ V2.7

Summary

MikroTik RouterOS™ is an independent Linux-based operating system for PC-based routers and thinrouters. It does not require any additional components and has no software prerequisites. It is designed with an easy-to-use yet powerful interface that allows network administrators to deploy network structures and functions that would elsewhere require long education, simply by following the Reference Manual (and even without it).

Related Documents

Software Package Installation and Upgrading
Device Driver List
License Management
Ping
Queues and Data Rate Management
Packet Filter (Firewall) and NAT (Network Address Translation)

Description

MikroTik RouterOS™ turns a standard PC computer into a powerful network router. Just add standard network PC interfaces to expand the router capabilities.
  • Remote control with easy real-time Windows application (WinBox)
  • Telnet/SSH/console/serial console control with RADIUS authentication
  • Advanced bandwidth control
  • Network firewall with packet-filtering, masquerading, network address translation, logging and connection monitoring
  • DHCP support
  • HotSpot gateway with RADIUS authentication
  • Ethernet 10/100/1000Mb/s
  • Wireless client and Access Point 2.4GHz 11Mb/s (IEEE802.11b), 5GHz 54Mb/s (IEEE802.11a) and 2.4GHz 54Mb/s (IEEE802.11g) with RADIUS authentication for AP
  • V.35 synchronous 8.448Mb/s with Sync-PPP, HDLC or Frame Relay
  • X.21 synchronous 8.448Mb/s with Sync-PPP, HDLC or Frame Relay
  • Async PPP (up to 128 ports) with RADIUS authentication for modem pools
  • E1/T1 support
  • IP Telephony Gateway
  • Built-in Web-proxy
  • And much more

    The Guide describes the basic steps of installing and configuring a dedicated PC router running MikroTik RouterOS™.

    Setting up MikroTik RouterOS™

    Downloading and Installing the MikroTik RouterOS™

    The download and installation process of the MikroTik RouterOS™ is described in the following diagram:

    1. Download the basic installation archive file.

    Depending on the media you want to use for installing the MikroTik RouterOS™, please choose one of the following archive types for downloading:

    2. Create the installation media

    Use the appropriate installation archive to create the Installation CD or floppies.

    3. Install the MikroTik RouterOS™ software.

    Your dedicated PC router hardware should have:

    For installation purposes (and only for that time) you should also have:

    Boot up your dedicated PC router from the Installation Media you created and follow the instructions on the console screen while the HDD is reformatted and MikroTik RouterOS™ installed on it.

    After successful installation please remove the installation media from your CD or floppy disk drive and hit 'Enter' to reboot the router. When the router starts up for the first time, you will be given a Software ID for your installation and asked to supply a valid software license key (Software Key) for it. Write down the Software ID. You will need it to obtain the Software License through the MikroTik Account Server. If you need extra time to obtain the Software License Key, you may want to power off the router. Type shutdown at the Software key prompt and power the router off when the router is halted.

    Notes

    The installation from CD or network requires Base (paid) License. If you intend to obtain the Free Demo License, you should use the floppy installation media.

    The hard disk will be entirely reformatted during the installation and all data on it will be lost!

    You can move the hard drive with MikroTik RouterOS™ installed to new hardware without losing the license, but you cannot move the RouterOS™ to a different hard drive without purchasing another license (except in hardware failure situations). For additional information write to support[at]mikrotik.com

    Obtaining the Software License

    The MikroTik RouterOS™ Software licensing process is described in the following diagram:

    After installing the router and starting it up for the first time you will be given a Software ID.

    1. Write down the Software ID reported by the RouterOS™.
    2. If you have an account with MikroTik, proceed to the next step.
      If you do not have an account at www.mikrotik.com, just press the 'New' button in the upper right-hand corner of MikroTik's web page to create your account.

      You will be presented with the Account Sign-Up Form, where you choose your account name and fill in the required information.

    3. To obtain the Software License Key, log on to your account at www.mikrotik.com entering your account name and password (upper right-hand corner on this webpage), for example:

    4. After logging on to the Account Server select "Free Demo License" or "Order Software License" in the Account Menu.
    5. The Software Key will be sent to the email address, which has been specified in your account setup.
    6. Read your email and enter the Software Key at the router's console, for example:
      Software ID: 5T4V-IUT
      Software key: 4N7X-UZ8-6SP
      

    Instead of entering the license key you can enter shutdown to shut down the router and enter the license key later, or enter display to read the License Agreement, or help to see a help message.

    After entering the correct Software License Key you will be presented with the MikroTik Router's login prompt.

    Notes

    The CD or Netinstall installation cannot be 'unlocked' with the Free Demo Key. Use the Floppy installation or purchase a Licensed Key.

    Logging into the MikroTik Router

    When logging into the router via terminal console, you will be presented with the MikroTik RouterOS™ login prompt. Use 'admin' and no password (hit 'Enter') for logging on to the router for the first time, for example:

    MikroTik v2.7
    Login: admin
    Password:
    

    The password can be changed with the /password command.

    Adding Software Packages

    The basic installation comes with only the "system" package and a few other packages. This includes basic IP routing and router administration. To have additional features such as IP Telephony, OSPF, wireless and so on, you will need to download additional software packages.

    The additional software packages should have the same version as the system package. If not, the package won't be installed. Please consult the MikroTik RouterOS™ Software Package Installation and Upgrading Manual for more detailed information about installing additional software packages.

    Software Licensing Issues

    If you want to upgrade your 'free' version of MikroTik RouterOS™ installation to a 'paid' version, please purchase the new Software License KEY for the Software ID you used when getting the 'free' demo license. Similarly, if an additional license is required to enable the functionality of a software package, the license should be obtained for the Software ID of your system. The new key should be entered using the /system license set key command, and the router should be rebooted afterwards:

    [admin@MikroTik] ip firewall src-nat> /system license print
             software-id: "SB6T-R8T"
                     key: "3YIV-ZW8-DH2"
        upgradable-unitl: apr/01/2004
    [admin@MikroTik] system license> feature print
    Flags: X - disabled
      #   FEATURE
      0 X AP
      1 X synchronous
      2 X radiolan
      3 X wireless-2.4gHz
      4   licensed
    [admin@MikroTik] system license> set key=D46G-IJ6-QW3
    [admin@MikroTik] system license>/system reboot
    Reboot, yes? [y/N]: y
    system will reboot shortly
    

    Notes

    If there is no appropriate license, the corresponding interfaces will not show up in the interface list, even though the packages can be installed on the MikroTik RouterOS™ and the corresponding drivers loaded.

    Navigating the Terminal Console

    Welcome Screen and Command Prompt

    After logging into the router you will be presented with the MikroTik RouterOS™ Welcome Screen and command prompt, for example:

    
      MMM      MMM       KKK                          TTTTTTTTTTT      KKK
      MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
      MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
      MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
      MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
      MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK
    
      MikroTik RouterOS v2.7 (c) 1999-2003       http://www.mikrotik.com/
    
    Terminal xterm detected, using multiline mode
    [admin@MikroTik] >
    

    The command prompt shows the identity name of the router and the current menu level, for example:

    [admin@MikroTik] >                Base level menu
    [admin@MikroTik] interface>       Interface configuration
    [admin@MikroTik] ip address>      IP Address management
    

    Commands

    The list of available commands at any menu level can be obtained by entering the question mark '?', for example:
    [admin@MikroTik] > ?
    
         driver  Driver management
           file  Local router file storage.
         import  Run exported configuration script
      interface  Interface configuration
            log  System logs
       password  Change password
           ping  Send ICMP Echo packets
           port  Serial ports
           quit  Quit console
         radius  Radius client settings
           redo  Redo previosly undone action
          setup  Do basic setup of system
           snmp  SNMP settings
           undo  Undo previous action
           user  User management
            ppp  Point to Point Protocol
             ip  IP options
          queue  Bandwidth management
         system  System information and utilities
           tool  Diagnostics tools
        routing  Various routing protocol settings
         export  Print or save an export script that can be used to restore
                 configuration
    
    
    [admin@MikroTik] > ip ?
    
          accounting  Traffic accounting
             address  Address management
                 arp  ARP entries management
                 dns  DNS settings
            firewall  Firewall management
            neighbor  Neighbors
             packing  Packet packing settings
                pool  IP address pools
               route  Route management
             service  IP services
      policy-routing  Policy routing
                upnp
         dhcp-client  DHCP client settings
         dhcp-server  DHCP server settings
           dns-cache  DNS cache management
               ipsec  IP security
              export  Print or save an export script that can be used to restore
                      configuration
    [admin@MikroTik] > ip
    
    

    The list of available commands and menus has short descriptions next to the items. You can move to the desired menu level by typing its name and hitting the [Enter] key, for example:

    [admin@MikroTik] >                      Base level menu
    [admin@MikroTik] > driver               Enter 'driver' to move to the driver level
                                           menu
    [admin@MikroTik] driver> /             Enter '/' to move to the base level menu
                                           from any level
    [admin@MikroTik] > interface            Enter 'interface' to move to the interface
                                           level menu
    [admin@MikroTik] interface> /ip        Enter '/ip' to move to the IP level menu
                                           from any level
    [admin@MikroTik] ip>
    

    A command or an argument does not need to be completed, if it is not ambiguous. For example, instead of typing 'interface' you can type just 'in' or 'int'. To complete a command use the [Tab] key.

    A command may be invoked from the menu level where it is located by typing its name. If the command is in a different menu level than the current one, it should be invoked using its full (absolute) or relative path, for example:

    [admin@MikroTik] ip route> print                  Prints the routing table
    [admin@MikroTik] ip route> .. address print       Prints the IP address table
    [admin@MikroTik] ip route> /ip address print      Prints the IP address table
    

    The commands may have arguments. The arguments have names and values. Some commands may have a required argument that has no name.

    Summary on executing the commands and moving between the menu levels

           Command                               Action
    command [Enter]      Execute the command
    [?]                  Show the list of all available commands
    command [?]          Display help on the command and the list of arguments
    command argument [?] Display help on the command's argument
    [Tab]                Complete the command/word. If the input is ambiguous, a
                         second [Tab] gives possible options
    /                    Move up to the base level
    /command             Execute the base level command
    ..                   Move up one level
    ""                   Enter an empty string
    "word1 word2"        Enter 2 words that contain a space
    

    You can abbreviate names of levels, commands and arguments.

    For the IP address configuration, instead of using the 'address' and 'netmask' arguments, in most cases you can specify the address together with the number of true bits in the network mask, i.e., there is no need to specify the 'netmask' separately. Thus, the following two entries would be equivalent:

    /ip address add address 10.0.0.1/24 interface ether1
    /ip address add address 10.0.0.1 netmask 255.255.255.0 interface ether1
    

    Notes

    You must specify the size of the network mask in the address argument, even if it is the 32-bit subnet, i.e., use 10.0.0.1/32 for address 10.0.0.1 and netmask 255.255.255.255

    Accessing the Router Remotely Using Web Browser and WinBox Console

    Summary

    The MikroTik router can also be accessed remotely using http and WinBox Console, for example, using the web browser of your workstation.

    Description

    The Winbox Console is used for accessing the MikroTik Router configuration and management features using a graphical user interface.

    All Winbox interface functions are as close as possible to Console functions: all Winbox functions are exactly in the same place in Terminal Console and vice versa (except functions that are not implemented in Winbox). That is why there are no Winbox sections in the manual.

    The Winbox Console plugin loader, the winbox.exe program, can be retrieved from the MikroTik router; the URL is http://router_address/winbox/winbox.exe. Use any web browser on Windows 95/98/ME/NT4.0/2000/XP to retrieve the router's web page with the mentioned link.

    Note that if you change the default port for the www service on the router, you will have to specify it just after the IP address, separated by a colon (e.g. 10.0.0.1:8080).

    The Winbox plugins are cached on the local disk for each MikroTik RouterOS™ version. The plugins are not downloaded if they are in the cache and the router has not been upgraded since the last time it was accessed.

    Starting the Winbox Console

    When connecting to the MikroTik router via http (TCP port 80 by default), the router's Welcome Page is displayed in the web browser, for example:

    By clicking on the Winbox Console link you can start the winbox.exe download. Choose the option "Run this program from its current location" and click "OK":

    Accept the security warning, if any:

    Alternatively, you can save the winbox.exe program to your disk and run it from there.

    The winbox.exe program opens the Winbox login window. Log in to the router by specifying the IP address (and the port number if you have changed it from the default value of 80), user name, and password, for example:

    Watch the download process of Winbox plugins:

    The Winbox console is opened after the plugins have been downloaded:

    The Winbox Console uses TCP port 3986 (not secure) or 3987 (secure; requires security package to be installed). After logging on to the router you can work with the MikroTik router's configuration through the Winbox console and perform the same tasks as using the regular console.

    Overview of Common Functions

    You can use the menu bar to navigate through the router's configuration menus and open configuration windows. By double-clicking on some list items in the windows you can open configuration windows for the specific items, and so on.

    There are some hints for using the Winbox Console:

    Troubleshooting for Winbox Console

    Configuring Basic Functions

    Working with Interfaces

    Before configuring the IP addresses and routes please check the /interface menu to see the list of available interfaces. If you have Plug-and-Play cards installed in the router, it is most likely that the device drivers have been loaded for them automatically, and the relevant interfaces appear on the /interface print list, for example:

    [admin@MikroTik] interface> print
    Flags: X - disabled, D - dynamic, R - running
      #    NAME                 TYPE             MTU
      0  R ether1               ether            1500
      1  R ether2               ether            1500
      2  R ether3               ether            1500
      3  R ether4               ether            1500
      4  R ether5               ether            1500
      5  R sync1                sync             1500
      6  R pc1                  pc               1500
      7  R ether6               ether            1500
      8  R prism1               prism            1500
    [admin@MikroTik] interface>
    

    The interfaces need to be enabled, if you want to use them for communications. Use the /interface enable name command to enable the interface with a given name or number, for example:

    [admin@MikroTik] interface> print
    Flags: X - disabled, D - dynamic, R - running
      #   NAME                 TYPE             MTU
      0 X  ether1               ether            1500
      0 X  ether2               ether            1500
    [admin@MikroTik] interface> enable 0
    [admin@MikroTik] interface> enable ether2
    [admin@MikroTik] interface> print
    Flags: X - disabled, D - dynamic, R - running
      #   NAME                 MTU   TYPE
      0  R ether1               ether            1500
      0  R ether2               ether            1500
    [admin@MikroTik] interface>
    

    The interface name can be changed to a more descriptive one by using the /interface set command:

    [admin@MikroTik] interface> set 0 name=Public
    [admin@MikroTik] interface> set 1 name=Local
    [admin@MikroTik] interface> print
    Flags: X - disabled, D - dynamic, R - running
      #   NAME                 MTU   TYPE
      0  R Public               ether            1500
      0  R Local                ether            1500
    [admin@MikroTik] interface>
    

    Use of the 'setup' Command

    The initial setup of the router can be done by using the /setup command which enables an interface, assigns an address/netmask to it, and configures the default route. If you do not use the setup command, or need to modify/add the settings for addresses and routes, please follow the steps described below.

    Notes

    The device drivers for NE2000 compatible ISA cards need to be loaded using the add command under the /driver menu. For example, to load the driver for a card with IO address 0x280 and IRQ 5, it is enough to issue the command:

    [admin@MikroTik] driver> add name=ne2k-isa io=0x280
    [admin@MikroTik] driver> print
    Flags: I - invalid, D - dynamic
      #   DRIVER                                IRQ IO       MEMORY   ISDN-PROTOCOL
      0 D RealTek 8139
      1 D Intel EtherExpressPro
      2 D PCI NE2000
      3   ISA NE2000                            280
      4   Moxa C101 Synchronous                              C8000
    [admin@MikroTik] driver>
    
    There are some other drivers that should be added manually. Please refer to the respective manual sections for the detailed information on how drivers are to be loaded.

    Adding Addresses

    Assume you need to configure the MikroTik router for the following network setup:

    In the current example we use two networks:

    The addresses can be added and viewed using the following commands:

    [admin@MikroTik] ip address> add address 10.0.0.217/24 interface Public
    [admin@MikroTik] ip address> add address 192.168.0.254/24 interface Local
    [admin@MikroTik] ip address> print
    Flags: X - disabled, I - invalid, D - dynamic
      #   ADDRESS            NETWORK         BROADCAST       INTERFACE
      0   10.0.0.217/24      10.0.0.0        10.0.0.255      Public
      1   192.168.0.254/24   192.168.0.0     192.168.0.255   Local
    [admin@MikroTik] ip address>
    

    Here, the network mask has been specified in the value of the address argument. Alternatively, the argument 'netmask' could have been used with the value '255.255.255.0'. The network and broadcast addresses were not specified in the input since they could be calculated automatically.

    Notes

    Please note that the addresses assigned to different interfaces of the router should belong to different networks.

    Configuring the Default Route

    You can see two dynamic (D) and connected (C) routes, which have been added automatically when the addresses were added in the example above:

    [admin@MikroTik] ip route> print
    Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
    C - connect, S - static, R - rip, O - ospf, B - bgp
        #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
        0 DC 192.168.0.0/24     r 0.0.0.0         0        Local
        1 DC 10.0.0.0/24        r 0.0.0.0         0        Public
    [admin@MikroTik] ip route> print detail
    Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
    C - connect, S - static, R - rip, O - ospf, B - bgp
        0 DC dst-address=192.168.0.0/24 preferred-source=192.168.0.254
             gateway=0.0.0.0 gateway-state=reachable distance=0 interface=Local
    
        1 DC dst-address=10.0.0.0/24 preferred-source=10.0.0.217 gateway=0.0.0.0
             gateway-state=reachable distance=0 interface=Public
    
    [admin@MikroTik] ip route>
    

    These routes show that IP packets destined for 10.0.0.0/24 would be sent through the interface Public, whereas IP packets destined for 192.168.0.0/24 would be sent through the interface Local. However, you need to specify where the router should forward packets whose destination is not on a network connected directly to the router.

    Example

    In the following example the default route (destination 0.0.0.0, netmask 0.0.0.0) will be added. In this case it is the ISP's gateway 10.0.0.1, which can be reached through the interface Public:

    [admin@MikroTik] ip route> add gateway=10.0.0.1
    [admin@MikroTik] ip route> print
    Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
    C - connect, S - static, R - rip, O - ospf, B - bgp
        #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
        0  S 0.0.0.0/0          r 10.0.0.1        1        Public
        1 DC 192.168.0.0/24     r 0.0.0.0         0        Local
        2 DC 10.0.0.0/24        r 0.0.0.0         0        Public
    [admin@MikroTik] ip route>
    

    Here, the default route is listed under #0. As we see, the gateway 10.0.0.1 can be reached through the interface 'Public'. If the gateway was specified incorrectly, the value for the argument 'interface' would be unknown.

    Notes

    You cannot add two routes to the same destination, i.e., destination-address/netmask! It applies to the default routes as well. Instead, you can enter multiple gateways for one destination. For more information on IP routes, please read the relevant topic in the Manual.

    If you have added an unwanted static route accidentally, use the remove command to delete it. You will not be able to delete dynamic (DC) routes. They are added automatically and represent routes to the networks to which the router is connected directly.
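    The route selection described in this section, as an added Python model that is not part of the MikroTik manual and is not RouterOS code. The class and method names are assumptions and 203.0.113.5 is a constructed Internet destination; the router addresses, the gateway and the interface names are the ones used in this guide.

```python
from ipaddress import ip_address, ip_interface, ip_network


class RouteTable:
    """Simplified model of '/ip route': connected routes plus static routes."""

    def __init__(self):
        self.routes = []  # each route: dst, gateway, interface, distance, flags

    def add_address(self, address, interface):
        """Like '/ip address add': also creates the dynamic connected (DC) route."""
        iface = ip_interface(address)
        self.routes.append({"dst": iface.network, "gateway": None,
                            "interface": interface, "distance": 0, "flags": "DC"})
        # Network and broadcast are derived from the address and prefix length.
        return iface.network, iface.network.broadcast_address

    def _interface_for_gateway(self, gateway):
        """A gateway is usable only if it lies on a directly connected network."""
        for route in self.routes:
            if route["flags"] == "DC" and ip_address(gateway) in route["dst"]:
                return route["interface"]
        return "unknown"

    def add_static(self, gateway, dst="0.0.0.0/0", distance=1):
        """Like '/ip route add gateway=...'; the default destination is 0.0.0.0/0."""
        dst = ip_network(dst)
        if any(route["dst"] == dst for route in self.routes):
            # Two routes to the same destination/netmask are not allowed.
            raise ValueError(f"a route to {dst} already exists")
        route = {"dst": dst, "gateway": gateway,
                 "interface": self._interface_for_gateway(gateway),
                 "distance": distance, "flags": "S"}
        self.routes.append(route)
        return route

    def lookup(self, destination):
        """Longest-prefix match. Returns (interface, next hop) or None."""
        addr = ip_address(destination)
        usable = [r for r in self.routes
                  if addr in r["dst"] and r["interface"] != "unknown"]
        if not usable:
            return None  # the router has nowhere to send this packet
        best = max(usable, key=lambda r: r["dst"].prefixlen)
        # Connected routes deliver directly; static routes hand over to the gateway.
        return best["interface"], best["gateway"] or destination


if __name__ == "__main__":
    table = RouteTable()
    print(table.add_address("10.0.0.217/24", "Public"))
    print(table.add_address("192.168.0.254/24", "Local"))
    print("before default route:", table.lookup("203.0.113.5"))
    print(table.add_static("10.0.0.1"))
    for dest in ("10.0.0.4", "192.168.0.1", "203.0.113.5"):
        print(dest, "->", table.lookup(dest))
```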

    Testing the Network Connectivity

    From now on, the /ping command can be used to test the network connectivity on both interfaces. You can reach any host on both connected networks from the router.

    Example

    The example below shows how the ping command works:

    [admin@MikroTik] ip route> /ping 10.0.0.4
    10.0.0.4 64 byte ping: ttl=255 time=7 ms
    10.0.0.4 64 byte ping: ttl=255 time=5 ms
    10.0.0.4 64 byte ping: ttl=255 time=5 ms
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max = 5/5.6/7 ms
    [admin@MikroTik] ip route>
    [admin@MikroTik] ip route> /ping 192.168.0.1
    192.168.0.1 64 byte ping: ttl=255 time=1 ms
    192.168.0.1 64 byte ping: ttl=255 time=1 ms
    192.168.0.1 64 byte ping: ttl=255 time=1 ms
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max = 1/1.0/1 ms
    [admin@MikroTik] ip route>
    

    The workstation and the laptop can reach (ping) the router at its local address 192.168.0.254. If the router's address 192.168.0.254 is specified as the default gateway in the TCP/IP configuration of both the workstation and the laptop, then you should be able to ping the router:

    C:\>ping 192.168.0.254
    Reply from 192.168.0.254: bytes=32 time=10ms TTL=253
    Reply from 192.168.0.254: bytes=32 time<10ms TTL=253
    Reply from 192.168.0.254: bytes=32 time<10ms TTL=253
    
    C:\>ping 10.0.0.217
    Reply from 10.0.0.217: bytes=32 time=10ms TTL=253
    Reply from 10.0.0.217: bytes=32 time<10ms TTL=253
    Reply from 10.0.0.217: bytes=32 time<10ms TTL=253
    
    C:\>ping 10.0.0.4
    Request timed out.
    Request timed out.
    Request timed out.
    
    C:\>
    

    Notes

    You cannot access anything beyond the router (network 10.0.0.0/24 and the Internet), unless you do one of the following:

    To set up routing, you need some knowledge of configuring TCP/IP networks. There is a comprehensive list of IP resources compiled by Uri Raz at http://www.private.org.il/tcpip_rl.html. We strongly recommend that you obtain more knowledge if you have difficulties configuring your network setups.

    Application Examples

    Next, we discuss 'hiding' the private LAN 192.168.0.0/24 'behind' one address 10.0.0.217 given to you by the ISP.

    Application Example with Masquerading

    If you want to 'hide' the private LAN 192.168.0.0/24 'behind' one address 10.0.0.217 given to you by the ISP, you should use the source network address translation (masquerading) feature of the MikroTik router. Masquerading is useful if you want to access the ISP's network and the Internet with all requests appearing to come from the host 10.0.0.217 of the ISP's network. Masquerading changes the source IP address and port of packets originating from the network 192.168.0.0/24 to the address 10.0.0.217 of the router when the packets are routed through it.

    Masquerading conserves the number of global IP addresses required and it lets the whole network use a single IP address in its communication with the world.

    To use masquerading, a source NAT rule with action 'masquerade' should be added to the firewall configuration:

    [admin@MikroTik] ip firewall src-nat> add action=masquerade out-interface=Public
    [admin@MikroTik] ip firewall src-nat> print
    Flags: X - disabled, I - invalid, D - dynamic
      0   src-address=0.0.0.0/0:0-65535 dst-address=0.0.0.0/0:0-65535
          out-interface=Public protocol=all icmp-options=any:any flow=""
          connection="" content="" limit-count=0 limit-burst=0 limit-time=0s
          action=masquerade to-src-address=0.0.0.0 to-src-port=0-65535
    
    [admin@MikroTik] ip firewall src-nat>
    

    Notes

    Please consult the Firewall Manual for more information on masquerading.

    Application Example with Bandwidth Management

    MikroTik RouterOS™ V2.7 offers extensive queue management.

    Assume you want to limit the bandwidth to 128kbps on downloads and 64kbps on uploads for all hosts on the LAN. Bandwidth limitation is done by applying queues to the outgoing interface for each direction of traffic flow. It is enough to add two queues at the MikroTik router:

    [admin@MikroTik] queue simple> add interface=Local max-limit=128000
    [admin@MikroTik] queue simple> add interface=Public max-limit=64000
    [admin@MikroTik] queue simple> print
    Flags: X - disabled, I - invalid, D - dynamic
      0   name="queue1" src-address=0.0.0.0/0 dst-address=0.0.0.0/0
          interface=Local limit-at=0 queue=default priority=8 max-limit=128000
    
      1   name="queue2" src-address=0.0.0.0/0 dst-address=0.0.0.0/0
          interface=Public limit-at=0 queue=default priority=8 max-limit=64000
    
    [admin@MikroTik] queue simple>
    

    Leave all other parameters as set by default. The limit is approximately 128kbps going to the LAN (download) and 64kbps leaving the client's LAN (upload).

    Notes

    The queues have been added on the outgoing interface for each direction of traffic flow.

    Please consult the Queues Manual for more information on bandwidth management and queuing.

    Application Example with NAT

    Assume we have moved the server in our previous examples from the public network to our local one:

    The server's address is now 192.168.0.4, and we are running a web server on it that listens on TCP port 80. We want to make it accessible from the Internet at address:port 10.0.0.217:80. This can be done by means of static Network Address Translation (NAT) at the MikroTik Router. The Public address:port 10.0.0.217:80 will be translated to the Local address:port 192.168.0.4:80. One destination NAT rule is required for translating the destination address and port:

    [admin@MikroTik] ip firewall dst-nat> add action=nat protocol=tcp \
    dst-address=10.0.0.217/32:80 to-dst-address=192.168.0.4
    [admin@MikroTik] ip firewall dst-nat> print
    Flags: X - disabled, I - invalid, D - dynamic
      0   src-address=0.0.0.0/0:0-65535 in-interface=all
          dst-address=10.0.0.217/32:80 protocol=tcp icmp-options=any:any flow=""
          src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0
          limit-time=0s action=nat to-dst-address=192.168.0.4 to-dst-port=0-65535
    
    [admin@MikroTik] ip firewall dst-nat>
    

    Notes

    Please consult the Firewall Manual for more information on NAT.
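    The address rewriting performed by the masquerade and dst-nat rules in the application examples above, as an added Python model that is not part of the MikroTik manual and is not RouterOS code. The class and function names and the spare port range starting at 40000 are assumptions; the addresses are the ones used in this guide. The model also shows why the workstation's requests to 10.0.0.4 went unanswered before masquerading was enabled.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses below are the ones used in this guide's examples.
PUBLIC_ADDR = "10.0.0.217"                  # router address on interface Public
ROUTER_ADDRS = {PUBLIC_ADDR, "192.168.0.254"}
LAN = ip_network("192.168.0.0/24")          # private network on interface Local
ISP_NET = ip_network("10.0.0.0/24")         # network on interface Public


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def reply_of(p):
    """The packet the other end sends back in answer to p."""
    return Packet(p.dst, p.dport, p.src, p.sport, p.proto)


class Router:
    """Simplified model: dst-nat, then the routing decision, then src-nat."""

    def __init__(self, masquerade=False, dst_nat=None):
        self.masquerade = masquerade
        # {(proto, dst address, dst port): (new dst address, new dst port)}
        self.dst_nat = dict(dst_nat or {})
        self.conntrack = {}        # packet as received -> packet as sent on
        self._next_port = 40000    # assumed start of the spare port range

    def _free_sport(self, pkt):
        """Keep the source port unless another connection already uses it."""
        port = pkt.sport
        while reply_of(replace(pkt, src=PUBLIC_ADDR, sport=port)) in self.conntrack:
            port, self._next_port = self._next_port, self._next_port + 1
        return port

    def forward(self, pkt):
        # Known connection (either direction): reuse the stored translation.
        if pkt in self.conntrack:
            return self.conntrack[pkt]
        out = pkt
        rule = self.dst_nat.get((pkt.proto, pkt.dst, pkt.dport))
        if rule:
            out = replace(out, dst=rule[0], dport=rule[1])
        if out.dst in ROUTER_ADDRS:
            return out             # addressed to the router itself, not forwarded
        leaves_via_public = ip_address(out.dst) not in LAN
        if self.masquerade and leaves_via_public:
            out = replace(out, src=PUBLIC_ADDR, sport=self._free_sport(out))
        if out != pkt:
            # Remember both directions so replies are translated back.
            self.conntrack[pkt] = out
            self.conntrack[reply_of(out)] = reply_of(pkt)
        return out


def round_trip(router, pkt):
    """Return the reply as the sender sees it, or None if no reply arrives.

    Assumption: hosts beyond interface Public have no route to 192.168.0.0/24,
    so they can only answer source addresses inside 10.0.0.0/24.
    """
    out = router.forward(pkt)
    if ip_address(out.src) not in ISP_NET:
        return None
    return router.forward(reply_of(out))


if __name__ == "__main__":
    request = Packet("192.168.0.1", 1025, "10.0.0.4", 80)   # constructed sample
    print("no masquerade :", round_trip(Router(), request))
    print("masquerade    :", round_trip(Router(masquerade=True), request))
    web = Router(dst_nat={("tcp", "10.0.0.217", 80): ("192.168.0.4", 80)})
    print("dst-nat       :", web.forward(Packet("10.0.0.4", 5000, "10.0.0.217", 80)))
```

    Without a dst-nat rule, a new connection to 10.0.0.217 stays addressed to the router itself; only the rule for port 80 hands it on to 192.168.0.4.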
    MikroTik RouterOS V2.7 Terminal Console Manual

    Terminal Console Manual

    Document revision 1.1 (29-Jan-2003)
    This document applies to the MikroTik RouterOS v2.7

    Summary

    The Terminal Console is used for accessing the MikroTik Router configuration and management features using text terminals, i.e., remote terminal clients, as well as a local monitor and keyboard. The Terminal Console is also used for writing scripts. This manual describes the general console operation principles. Please consult the Scripting Manual for some advanced console commands and for how to write scripts.

    Specifications

    Packages required : system
    License required : Any
    Home menu level : None
    Protocols utilized : None
    Hardware usage: not significant

    Related Documents

    Scripting Manual

    Overview of Common Functions

    The console allows configuration of the router settings using text commands. The command structure is similar to the Unix shell. Since there are many available commands, they are split into a hierarchy. For example, all (well, almost all) commands that work with routes start with ip route:

    [admin@MikroTik] > ip route print
    Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
    C - connect, S - static, R - rip, O - ospf, B - bgp
        #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
        0  S 0.0.0.0/0          r 10.0.0.1        1        ether6
                                r 192.168.1.254            ether4
        1 DC 192.168.1.0/24     r 0.0.0.0         0        ether4
        2 DC 10.10.10.0/24      r 0.0.0.0         0        prism1
        3 DC 10.0.0.0/24        r 0.0.0.0         0        ether6
    [admin@MikroTik] > ip route set 0 gateway=10.0.0.1
    [admin@MikroTik] > ip route print
    Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
    C - connect, S - static, R - rip, O - ospf, B - bgp
        #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
        0  S 0.0.0.0/0          r 10.0.0.1        1        ether6
        1 DC 192.168.1.0/24     r 0.0.0.0         0        ether4
        2 DC 10.10.10.0/24      r 0.0.0.0         0        prism1
        3 DC 10.0.0.0/24        r 0.0.0.0         0        ether6
    [admin@MikroTik] >
    

    Instead of typing ip route before each command, ip route can be typed once to "change into" that particular branch of command hierarchy. Thus, the example above could also be executed like this:

    [admin@MikroTik] > ip route
    [admin@MikroTik] ip route> print
    Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
    C - connect, S - static, R - rip, O - ospf, B - bgp
        #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
        0  S 0.0.0.0/0          r 10.0.0.1        1        ether6
        1 DC 192.168.1.0/24     r 0.0.0.0         0        ether4
        2 DC 10.10.10.0/24      r 0.0.0.0         0        prism1
        3 DC 10.0.0.0/24        r 0.0.0.0         0        ether6
    [admin@MikroTik] ip route>
    

    Notice that the prompt changes to show where in the command hierarchy you are located at the moment. To change to the top level, type /

    [admin@MikroTik] ip route> /
    [admin@MikroTik] >
    

    To move up one command level, type ..

    [admin@MikroTik] ip route> ..
    [admin@MikroTik] ip>
    

    You can also use / and .. to execute commands from other levels without changing the current level:

    [admin@MikroTik] ip route> /ping 10.0.0.10
    10.0.0.10 64 byte pong: ttl=128 time=5 ms
    10.0.0.10 64 byte pong: ttl=128 time=6 ms
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max = 5/5.5/6 ms
    [admin@MikroTik] ip route>
    

    Or alternatively, to go back to the base level you could use multiple .. commands:

    [admin@MikroTik] ip route> .. .. ping 10.0.0.10
    10.0.0.10 64 byte pong: ttl=128 time=8 ms
    10.0.0.10 64 byte pong: ttl=128 time=6 ms
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max = 6/7.0/8 ms
    [admin@MikroTik] ip route>
    

    Lists

    Many of the command levels operate with arrays of items: interfaces, routes, users etc. Such arrays are displayed in similarly looking lists. All items in the list have an item number followed by its parameter values. For example:

    [admin@MikroTik] > interface print
    Flags: X - disabled, D - dynamic, R - running
      #    NAME                 TYPE             MTU
      0  R ether1               ether            1500
      1  R ether2               ether            1500
      2  R ether3               ether            1500
      3  R ether4               ether            1500
      4  R prism1               prism            1500
    [admin@MikroTik] >
    

    To change parameters of an item (interface settings in this particular case), you have to specify its number to the set command:

    [admin@MikroTik] interface> set 0 mtu=1460
    [admin@MikroTik] interface> print
    Flags: X - disabled, D - dynamic, R - running
      #    NAME                 TYPE             MTU
      0  R ether1               ether            1460
      1  R ether2               ether            1500
      2  R ether3               ether            1500
      3  R ether4               ether            1500
      4  R prism1               prism            1500
    [admin@MikroTik] interface>
    

    Numbers are assigned by the print command and are not constant - it is possible that two successive print commands will order items differently. But the results of the last print command are memorized and, thus, once assigned, item numbers can be used even after add, remove and move operations (after move operations, item numbers are moved with the items). Item numbers are assigned per session: they remain the same until you quit the console or until the next print command is executed. Also, numbers are assigned separately for every item list, so ip address print won't change numbers for the interface list.

    Let's assume interface prism print hasn't been executed in this session. In this case:

    [admin@MikroTik] interface> prism set 0 ssid=mt
    ERROR: item numbers not assigned
    

    The console is telling you that no interface prism print command has been executed, and thus neither it nor you can know which PRISM interface number 0 corresponds to.

    To better understand how item numbers work, you can play with the from argument of print commands:

    [admin@MikroTik] interface> print from=1
    Flags: X - disabled, D - dynamic, R - running
      #    NAME                 TYPE             MTU
      0  R ether2               ether            1500
    [admin@MikroTik] interface>
    

    The from argument specifies which items to show. Numbers are assigned by every print command; thus, after executing the command above there will be only one item accessible by number - interface ether2 with number 0.

    Item Names

    Some lists have items that have specific names assigned to each. Examples are interface or user levels. There you can use item names instead of numbers:

    [admin@MikroTik] interface> set prism1 mtu=1460
    

    You don't have to use the print command before accessing items by name. As opposed to numbers, names are not assigned by the console internally, but are one of the items' properties. Thus, they won't change on their own. However, there are all kinds of obscure situations possible when several users are changing router configuration at the same time. Generally, item names are more "stable" than numbers, and also more informative, so you should prefer them to numbers when writing console scripts.

    Quick Typing

    There are two features in the router console that help you enter commands much more quickly and easily - the [TAB] key completions, and abbreviations of command names. Completions work similarly to the bash shell in UNIX. If you press the [TAB] key after part of a word, the console tries to find the command in the current context that begins with this word. If there's only one match, it is automatically appended, followed by a space character:

    /inte[TAB]_ becomes /interface _
    

    Here, "_" is the cursor position, and [TAB] is a press of the TAB key, not the '[TAB]' character sequence.

    If there's more than one match, but they all have a common beginning that is longer than what you have typed, then the word is completed to this common part, and no space is appended:

    /interface set e[TAB]_

    becomes

    /interface set ether_

    because "e" matches both "ether5" and "ether1" in this example.

    If you've typed just the common part, pressing the tab key once has no effect. However, pressing it for the second time shows all possible completions in compact form:

    [admin@MikroTik] > interface set e[TAB]_
    [admin@MikroTik] > interface set ether[TAB]_
    [admin@MikroTik] > interface set ether[TAB]_
    ether1 ether5
    [admin@MikroTik] > interface set ether_
    

    The tab key can be used in almost any context where the console might have a clue about possible values - command names, argument names, arguments that have only several possible values (like names of items in some lists or the name of a protocol in firewall and NAT rules). You can't complete numbers, IP addresses and similar values.

    Note that pressing the [TAB] key while entering an IP address will do a DNS lookup instead of completion. If what is typed before the cursor is a valid IP address, it will be resolved to a DNS name (reverse resolve), otherwise it will be resolved directly (i.e. to an IP address). To use this feature, a DNS server must be configured and working. To avoid input lockups, any such lookup will time out after half a second, so you might have to press [TAB] several times before the name is actually resolved.

    It is possible to complete not only the beginning, but also any distinctive substring of a name: if there is no exact match, the console starts looking for words that have the string being completed as the first letters of a multiple word name, or that simply contain the letters of this string in the same order. If a single such word is found, it is completed at the cursor position. For example:

    [admin@MikroTik] > interface x[TAB]_
    [admin@MikroTik] > interface export _
    

    x is completed to export, because no other word in this context contains 'x'.

    [admin@MikroTik] > interface mt[TAB]_
    [admin@MikroTik] > interface monitor-traffic _
    

    No word begins with letters 'mt', but it is an abbreviation of monitor-traffic.

    Another way to press fewer keys while typing is to abbreviate command and argument names. You can type only the beginning of a command name, and, if it is not ambiguous, the console will accept it as the full name. So typing:

    [admin@MikroTik] > pi 10.1 c 3 s 100
    
    equals to:
    
    [admin@MikroTik] > ping 10.0.0.1 count 3 size 100
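
The completion and abbreviation rules of this section, written out as an added example (not RouterOS code). It reads the manual literally: prefix matches are tried first, and only when there are none does any word containing the typed letters in order qualify, which also covers the first letters of a multiple word name. The word lists are constructed and the function names are hypothetical.

```python
import os

# Constructed word lists standing in for what the console knows in a context.
TOP_LEVEL = ["interface", "ip", "ping", "queue", "system", "user"]
INTERFACE_LEVEL = ["print", "set", "find", "export", "enable", "disable",
                   "monitor-traffic", "ethernet", "prism"]
INTERFACE_NAMES = ["ether1", "ether5", "prism1"]


def _in_order(typed, word):
    """True if the letters of 'typed' occur in 'word' in the same order."""
    remaining = iter(word)
    return all(letter in remaining for letter in typed)


def complete(typed, words):
    """Model one [TAB] press.

    Returns (text, candidates): 'text' is what the typed word becomes, with a
    trailing space when the completion is unique; 'candidates' is what a
    second [TAB] press would list.
    """
    matches = sorted(w for w in words if w.startswith(typed))
    if len(matches) == 1:
        return matches[0] + " ", matches
    if matches:
        # several matches: extend to their common beginning, no space added
        return os.path.commonprefix(matches), matches
    # no word begins with the typed text: fall back to letters-in-order
    matches = sorted(w for w in words if _in_order(typed, w))
    if len(matches) == 1:
        return matches[0] + " ", matches
    return typed, matches


def expand(abbreviation, words):
    """Accept an abbreviated command or argument name if it is unambiguous."""
    if abbreviation in words:          # assumption: a full name always wins
        return abbreviation
    matches = sorted(w for w in words if w.startswith(abbreviation))
    if len(matches) != 1:
        raise ValueError(f"{abbreviation!r} is ambiguous or unknown: {matches}")
    return matches[0]


if __name__ == "__main__":
    print(complete("inte", TOP_LEVEL))
    print(complete("e", INTERFACE_NAMES))
    print(complete("mt", INTERFACE_LEVEL))
    print(expand("pi", TOP_LEVEL))
```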
    

    Help

    The console has built-in help, which can be accessed by typing '?'. The general rule is that help shows what you can type in the position where the '?' was pressed (similarly to pressing the tab key twice, but in verbose form and with explanations).

    Internal Item numbers

    Items can also be addressed by their internal numbers. These numbers are generated by the console for scripting purposes and, as the name implies, are used internally. Although you can see them if you print return values of some commands (internal numbers look like a hex number preceded by '*' - for example "*100A"), there's no reason for you to type them in manually.

    Note: As an implication of internal number format, you should not use item names that begin with asterisk (*).

    Multiple Items

    You can specify multiple items as targets of some commands. Almost everywhere you can write the number of an item, you can also write a list of numbers:

    [admin@MikroTik] > interface print
    Flags: X - disabled, D - dynamic, R - running
      #    NAME                 TYPE             MTU
      0  R ether1               ether            1500
      1  R ether2               ether            1500
      2  R ether3               ether            1500
      3  R ether4               ether            1500
    [admin@MikroTik] > interface set 0,1,2 mtu=1460
    [admin@MikroTik] > interface print
    Flags: X - disabled, D - dynamic, R - running
      #    NAME                 TYPE             MTU
      0  R ether1               ether            1460
      1  R ether2               ether            1460
      2  R ether3               ether            1460
      3  R ether4               ether            1500
    [admin@MikroTik] >
    

    This is handy when you want to perform the same action on several items, or do a selective export. However, this feature becomes really useful when combined with scripting.

    General Commands

    Most command groups have some or all of these commands: print, set, remove, add, find, get, export, enable, disable, comment, move. These commands behave similarly throughout the hierarchy.

    print

    The print command shows all information that's accessible from a particular command level. Thus, /system clock print shows system date and time, /ip route print shows all routes etc. If there's a list of items in this level and they are not read-only, i.e. you can change/remove them (an example of a read-only item list is /system history, which shows the history of executed actions), then the print command also assigns numbers that are used by all commands that operate on items in this list.

    If there's a list of items, then print can usually have a from argument. The from argument accepts a space-separated list of item numbers, names (if items have them), and internal numbers. The action (printing) is performed on all items in this list in the same order in which they're given.

    Output can be formatted either as a table, with one item per line or as a list with property=value pairs for each item. By default print uses one of these forms, but it can be set explicitly with brief and detail arguments. In brief (table) form, column argument can be set to a list of property names that should be shown in the table:

    [admin@MikroTik] interface ethernet> print
    Flags: X - disabled, R - running
      #    NAME                 MTU   MAC-ADDRESS       ARP
      0  R ether1               1460  00:50:08:00:00:F5 enabled
      1  R ether2               1460  00:50:08:00:00:F6 enabled
    [admin@MikroTik] interface ethernet> print brief
    Flags: X - disabled, R - running
      #    NAME                 MTU   MAC-ADDRESS       ARP
      0  R ether1               1460  00:50:08:00:00:F5 enabled
      1  R ether2               1460  00:50:08:00:00:F6 enabled
    [admin@MikroTik] interface ethernet> print detail
    Flags: X - disabled, R - running
      0  R name="ether1" mtu=1460 mac-address=00:50:08:00:00:F5 arp=enabled
           disable-running-check=yes
    
      1  R name="ether2" mtu=1460 mac-address=00:50:08:00:00:F6 arp=enabled
           disable-running-check=yes
    
    
    [admin@MikroTik] interface ethernet> print brief column=mtu,arp
    Flags: X - disabled, R - running
      #    MTU   ARP
      0  R 1460  enabled
      1  R 1460  enabled
    [admin@MikroTik] interface ethernet> print
    

    Rules that do some accounting (for example, ip firewall or queue rules) may have two additional views, of the packets and of the bytes that matched these rules:

    [admin@MikroTik] ip firewall rule forward> print packets
    Flags: X - disabled, I - invalid
      #   SRC-ADDRESS                    DST-ADDRESS                    PACKETS
      0   0.0.0.0/0:0-65535              0.0.0.0/0:0-65535              0
    [admin@MikroTik] ip firewall rule forward> print bytes
    Flags: X - disabled, I - invalid
      #   SRC-ADDRESS                    DST-ADDRESS                    BYTES
      0   0.0.0.0/0:0-65535              0.0.0.0/0:0-65535              0
    [admin@MikroTik] ip firewall rule forward>
    
    To reset these counters, use the reset-counters command.

    Some items might have statistics other than matched bytes and packets. You can see it by using print stats command:

    [admin@MikroTik] ip ipsec> policy print stats
    Flags: X - disabled, I - invalid
      0   src-address=10.0.0.205/32:any dst-address=10.0.0.201/32:any
          protocol=icmp ph2-state=no-phase2 in-accepted=0 in-dropped=0
          out-accepted=0 out-dropped=0 encrypted=0 not-encrypted=0 decrypted=0
          not-decrypted=0
    
    
    [admin@MikroTik] ip ipsec>
    
    There might also be a print status command:

    [admin@MikroTik] routing bgp peer> print status
      # REMOTE-ADDRESS  REMOTE-AS STATE          ROUTES-RECEIVED
      0 159.148.42.158  2588      connected      1
    [admin@MikroTik] routing bgp peer>
    
    Normally, the print command pauses after the screen is full and asks whether to continue or not. Press any key other than [Q] or [q] to continue printing.

    The without-paging argument suppresses prompting after each screen of output.

    You can specify interval for repeating the command until [Ctrl]+[C] is pressed. Thus, you do not need to repeatedly press the [Up-Arrow] and [Enter] buttons to see repeated printouts of a changing list you want to monitor. Instead, you use the argument interval=2s for print.

    The other useful parameter is count-only, that shows the total number of items in the table.

    [admin@MikroTik] interface> print
    Flags: X - disabled, D - dynamic, R - running
      #    NAME                 TYPE             MTU
      0  R ether1               ether            1460
      1  R ether2               ether            1460
      2  R ether3               ether            1460
      3  R ether4               ether            1500
    [admin@MikroTik] interface> print count-only
    4
    [admin@MikroTik] interface>
    

    set

    The set command allows you to change values of general parameters or item parameters. The set command has arguments with names corresponding to the values you can change. Use ? or double [TAB] to see the list of all arguments. If there is a list of items in this command level, then set has one unnamed argument that accepts the number of the item (or a list of numbers) you wish to set up. set does not return anything.

    Examples are given above.

    add

    The add command usually has the same arguments as set, minus the unnamed number argument. It adds a new item with the values you've specified, usually to the end of the list (in places where order is relevant). There are some values that you have to supply (like interface for a new route), and other values that are set to defaults if you don't supply them. The add command returns the internal number of the item it has added.

    You can create a copy of an existing item by using the copy-from argument. It takes default values of the new item's properties from another item. If you don't want an exact copy, you can specify new values for some properties. When copying items that have names, you will usually have to give a new name to the copy.

    You can place a new item before an existing item by using the place-before argument. Thus, you do not need to use the move command after adding an item to the list. You can control the disabled/enabled state of new items by using the disabled argument, if present. You can supply a description for a new item using the comment argument, if present:

    [admin@MikroTik] ip route> set 0 comment="our default gateway"
    [admin@MikroTik] ip route> set 1 comment="wireless network gateway"
    [admin@MikroTik] ip route> print
    Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
    C - connect, S - static, R - rip, O - ospf, B - bgp
        #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
        0  S ;;; our default gateway
             0.0.0.0/0          r 10.0.0.1        1        ether6
        1  S ;;; wireless network gateway
             10.100.0.0/16      r 10.0.0.254      1        ether6
        2 DC 192.168.1.0/24     r 0.0.0.0         0        ether4
        3 DC 10.10.10.0/24      r 0.0.0.0         0        prism1
    [admin@MikroTik] ip route>
    

    remove

    The remove command has one unnamed argument, which contains number(s) or name(s) of item(s) to remove.

    [admin@MikroTik] ip route> print
    Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
    C - connect, S - static, R - rip, O - ospf, B - bgp
        #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
        0  S ;;; our default gateway
             0.0.0.0/0          r 10.0.0.1        1        ether6
        1  S ;;; wireless network gateway
             10.100.0.0/16      r 10.0.0.254      1        ether6
        2 DC 192.168.1.0/24     r 0.0.0.0         0        ether4
        3 DC 10.10.10.0/24      r 0.0.0.0         0        prism1
    [admin@MikroTik] ip route> remove 0
    [admin@MikroTik] ip route> print
    Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
    C - connect, S - static, R - rip, O - ospf, B - bgp
        #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
        0  S ;;; wireless network gateway
             10.100.0.0/16      r 10.0.0.254      1        ether6
        1 DC 192.168.1.0/24     r 0.0.0.0         0        ether4
        2 DC 10.10.10.0/24      r 0.0.0.0         0        prism1
    [admin@MikroTik] ip route>
    

    move

    If the order of items is relevant, the command level will also contain the move command. The first argument is a list of items whose order will be changed; the second argument specifies the item before which to place all items being moved (they are placed at the end of the list if the second argument is not given). Item numbers after the move command are left in a consistent, but hardly intuitive order, so it's better to resync by using print after each move command.

    [admin@MikroTik] ip firewall mangle> print brief
    Flags: X - disabled, I - invalid, D - dynamic
      #   SRC-ADDRESS                     DST-ADDRESS
      0   0.0.0.0/0:80                    0.0.0.0/0:0-65535
      1   1.1.1.1/32:80                   0.0.0.0/0:0-65535
      2   2.2.2.2/32:80                   0.0.0.0/0:0-65535
      3   3.3.3.3/32:80                   0.0.0.0/0:0-65535
    [admin@MikroTik] ip firewall mangle> move 0
    [admin@MikroTik] ip firewall mangle> print brief
    Flags: X - disabled, I - invalid, D - dynamic
      #   SRC-ADDRESS                     DST-ADDRESS
      0   1.1.1.1/32:80                   0.0.0.0/0:0-65535
      1   2.2.2.2/32:80                   0.0.0.0/0:0-65535
      2   3.3.3.3/32:80                   0.0.0.0/0:0-65535
      3   0.0.0.0/0:80                    0.0.0.0/0:0-65535
    [admin@MikroTik] ip firewall mangle> move 0 2
    [admin@MikroTik] ip firewall mangle> print brief
    Flags: X - disabled, I - invalid, D - dynamic
      #   SRC-ADDRESS                     DST-ADDRESS
      0   2.2.2.2/32:80                   0.0.0.0/0:0-65535
      1   3.3.3.3/32:80                   0.0.0.0/0:0-65535
      2   1.1.1.1/32:80                   0.0.0.0/0:0-65535
      3   0.0.0.0/0:80                    0.0.0.0/0:0-65535
    [admin@MikroTik] ip firewall mangle> move 3,2,0 0
    [admin@MikroTik] ip firewall mangle> print brief
    Flags: X - disabled, I - invalid, D - dynamic
      #   SRC-ADDRESS                     DST-ADDRESS
      0   0.0.0.0/0:80                    0.0.0.0/0:0-65535
      1   1.1.1.1/32:80                   0.0.0.0/0:0-65535
      2   2.2.2.2/32:80                   0.0.0.0/0:0-65535
      3   3.3.3.3/32:80                   0.0.0.0/0:0-65535
    [admin@MikroTik] ip firewall mangle>
    

    find

    The find command has the same arguments as set, and an additional from argument which works like the from argument of the print command. In addition, the find command has flag arguments like disabled and invalid that take the values yes or no depending on the value of the respective flag. To see all flags and their names, look at the top of the print command's output. The find command returns the internal numbers of all items that have the same values of arguments as specified.

    [admin@MikroTik] interface> print                               
    Flags: X - disabled, D - dynamic, R - running                   
      #    NAME                 TYPE             MTU                
      0  R ether1               ether            1500               
      1  R ipip1                ipip             1480               
      2  R eoip-tunnel1         eoip-tunnel      1500               
                                                                    
    [admin@MikroTik] interface> print from=1                        
    Flags: X - disabled, D - dynamic, R - running                   
      #    NAME                 TYPE             MTU                
      0  R ipip1                ipip             1480               
                                                                    
    [admin@MikroTik] interface> print from=[find mtu=1500]          
    Flags: X - disabled, D - dynamic, R - running                   
      #    NAME                 TYPE             MTU                
      0  R ether1               ether            1500               
      1  R eoip-tunnel1         eoip-tunnel      1500               
                                                                    
    [admin@MikroTik] interface> print                              
    Flags: X - disabled, D - dynamic, R - running
      #    NAME                 TYPE             MTU               
      0  R ether1               ether            1500              
      1  R ipip1                ipip             1480              
      2  R eoip-tunnel1         eoip-tunnel      1500              
                                                                   
    [admin@MikroTik] interface> print from=[find mtu=1500 from=0,1]
    Flags: X - disabled, D - dynamic, R - running                  
      #    NAME                 TYPE             MTU               
      0  R ether1               ether            1500              
                                                                   
    [admin@MikroTik] interface>                                    
    

    export

    The export command prints a script that can be used to restore configuration. If it has the argument from, then it is possible to export only the specified items. Also, if the from argument is given, export does not descend recursively through the command hierarchy. The export command also has the argument file, which allows you to save the script in a file on the router to retrieve it later via ftp. Note that it is not possible to bring back the router configuration after a reset just from the export scripts. Some important things, like interface name assignment or user passwords, just cannot be saved in an export script. To back up all configuration, use the /system backup save command.

    enable/disable

    You can enable/disable some items (like ip address or default route). If an item is disabled, it is marked with the X flag. If an item is invalid, but not disabled, it is marked with the I flag. All such flags, if any, are described at the top of the print command's output.

    [admin@MikroTik] > ip route print
    Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
    C - connect, S - static, R - rip, O - ospf, B - bgp
        #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
        0  S 0.0.0.0/0          r 10.0.0.1        1        ether6
        1 DC 192.168.1.0/24     r 0.0.0.0         0        ether4
        2 DC 10.10.10.0/24      r 0.0.0.0         0        prism1
        3 DC 10.0.0.0/24        r 0.0.0.0         0        ether6
    [admin@MikroTik] >
    

    Safe Mode

    It is possible to change the router configuration in a way that makes it inaccessible except from the local console. Usually this is done by accident, but there is no way to undo the last change when the connection to the router is already cut. Safe mode can be used to minimize such risk.

    Safe mode is entered by pressing [Ctrl]+[X]. To quit safe mode, press [Ctrl]+[X] again.

    [admin@MikroTik] ip firewall rule input> [Ctrl]+[X]
    [Safe Mode taken]
    [admin@MikroTik] ip firewall rule input<SAFE>
    
    The message Safe Mode taken is displayed and the prompt changes to show that the session is now in safe mode. All configuration changes that are made (also from other login sessions) while the router is in safe mode are automatically undone if the safe mode session terminates abnormally. You can see all such changes that will be automatically undone tagged with an F flag in system history:

    [admin@MikroTik] ip firewall rule input<SAFE> add
    [admin@MikroTik] ip firewall rule input<SAFE> /system history print
    Flags: U - undoable, R - redoable, F - floating-undo
       ACTION              BY            POLICY
     F rule added          admin         write
    [admin@MikroTik] ip firewall rule input<SAFE>
    
    Now, if the telnet connection is cut, then after a while (TCP timeout is 9 minutes) all changes that were made while in safe mode will be undone. Exiting the session by [Ctrl]+[D] also undoes all safe mode changes, while /quit doesn't.

    If another user tries to enter safe mode, the following message is shown:

    [admin@MikroTik] >
    Hijacking Safe Mode from someone - unroll/release/don't take it [u/r/d]:
    
  • Pressing [u] will undo all safe mode changes, and put the current session in safe mode.
  • Pressing [r] will keep all current safe mode changes, and put the current session in safe mode. The previous owner of safe mode is notified about this:
    [admin@MikroTik] ip firewall rule input
    [Safe mode released by another user]
    
  • Pressing [d] will leave everything as-is.

    If too many changes are made while in safe mode, and there's no room in history to hold them all (currently history keeps up to 100 most recent actions), then the session is automatically put out of safe mode and no changes are automatically undone. Thus, it is best to change configuration in small steps while in safe mode. Pressing [Ctrl]+[X] twice is an easy way to empty the safe mode action list.
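
The safe mode rules above interact in ways that are easy to get wrong during a remote firewall change, so here they are as a small state model. This is an added example built only from the manual's description, not RouterOS code; the class and method names are hypothetical, a cut connection is treated as taking effect immediately rather than after the TCP timeout, and changes kept by [r] are treated as no longer undoable, which the manual does not specify.

```python
HISTORY_LIMIT = 100   # the manual: history keeps up to 100 most recent actions
_ABSENT = object()    # marks "setting did not exist before the change"


class Router:
    """Toy model of safe mode as the manual describes it."""

    def __init__(self):
        self.config = {}     # setting -> value
        self.floating = []   # undo records for changes flagged F in history
        self.owner = None    # session that currently holds safe mode
        self.notices = []    # (session, message) pairs shown to other users

    def ctrl_x(self, session, answer="d"):
        """Toggle safe mode; 'answer' is the u/r/d reply when hijacking."""
        if self.owner == session:          # second [Ctrl]+[X]: keep changes
            self._release()
            return "released"
        if self.owner is not None:
            if answer not in ("u", "r", "d"):
                raise ValueError("answer must be u, r or d")
            if answer == "d":              # don't take it: nothing changes
                return "not taken"
            if answer == "u":              # unroll everything, then take over
                self._undo()
            else:                          # release: keep changes, notify
                self.notices.append(
                    (self.owner, "Safe mode released by another user"))
                self.floating = []         # assumption, see the text above
        self.owner = session
        return "taken"

    def change(self, key, value):
        """A configuration change made from ANY login session."""
        if self.owner is not None:
            self.floating.append((key, self.config.get(key, _ABSENT)))
            if len(self.floating) > HISTORY_LIMIT:
                self._release()            # history full: protection is lost
        self.config[key] = value

    def end_session(self, session, how):
        """how is 'quit' (/quit), 'ctrl-d' or 'cut' (connection lost)."""
        if self.owner != session:
            return
        if how in ("ctrl-d", "cut"):       # these two undo safe mode changes
            self._undo()
        self._release()

    def _undo(self):
        while self.floating:               # newest change is undone first
            key, old = self.floating.pop()
            if old is _ABSENT:
                self.config.pop(key, None)
            else:
                self.config[key] = old

    def _release(self):
        self.owner, self.floating = None, []


def remote_change(use_safe_mode, how_session_ends):
    """Admin edits the input chain remotely; return the final configuration."""
    router = Router()
    router.change("input-rule-0", "accept from 10.0.0.0/24")  # starting state
    if use_safe_mode:
        router.ctrl_x("admin")
    router.change("input-rule-0", "drop all")   # the mistake that cuts access
    router.end_session("admin", how_session_ends)
    return router.config


if __name__ == "__main__":
    for safe in (False, True):
        for how in ("cut", "ctrl-d", "quit"):
            print(safe, how, remote_change(safe, how))
```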


    © Copyright 1999-2003, MikroTik

    MikroTik RouterOS V2.7 Software Package Management

    Software Package Management

    Document revision 1.3 (06-Sep-2003)
    This document applies to the MikroTik RouterOS V2.7

    Summary

    The MikroTik RouterOS is distributed in the form of software packages. The basic functionality of the router and the operating system itself is provided by the system software package. Other packages contain additional software features as well as support to various network interface cards (NICs).

    Specifications

    Packages required : None
    License required : Any
    Home menu level : /system package
    Standards and Technologies : FTP (RFC 959)
    Hardware usage : not significant

    Additional Documents

    Basic Setup Guide
    Device Driver Management
    License management

    Features

    The modular software package system of MikroTik RouterOS has the following features:

    Software Package Installation (Upgrade)

    Description

    Installation of the MikroTik RouterOS software packages can be done by uploading the newer version of the package to the router and rebooting it.

    The software package files are compressed binary files, which can be downloaded from the download section of MikroTik's web page, www.mikrotik.com. The full name of the package file consists of a descriptive name, version number, and file extension '.npk'. For example, system-2.7rc4.npk, ppp-2.7rc4.npk, etc.

    You should check the available hard disk space prior to downloading the package file by issuing /system resource print command. If there is not enough free disk space for storing the upgrade packages, it can be freed up by uninstalling some software packages, which provide functionality not required for your needs. If you have a sufficient amount of free space for storing the upgrade packages, connect to the router using ftp. Use user name and password of a user with full access privileges.

  • Select the BINARY mode file transfer.
  • Upload the software package files to the router and disconnect. (Note that the uploaded packages should retain the original name and also be in lowercase.)
  • View the information about the uploaded software packages using the /file print command.
  • Reboot the router by issuing the /system reboot command or by pressing Ctrl+Alt+Del keys at the router's console.
  • After successful installation the software packages installed can be viewed using /system package print command.

    Notes

    The installation/upgrade process is shown on the console screen (monitor) attached to the router.

    The Free Demo License does not allow software upgrades using ftp. You should use a complete reinstall from floppies, or purchase the license.

    Before upgrading the router, please check the current version of the system package and of the additional software packages. The versions of additional packages should match the version number of the system software package. The version of the MikroTik RouterOS system software (and the build number) are shown before the console login prompt. Information about the version numbers and build time of the installed MikroTik RouterOS software packages can be obtained using the /system package print command, for example:

    [admin@MikroTik] system license> .. package print
    Flags: I - invalid
      #   NAME                  VERSION              BUILD-TIME           UNINSTALL
      0   web-proxy             2.7.11               sep/04/2003 17:22:32 no
      1   ppp                   2.7.11               sep/04/2003 17:18:26 no
      2   dhcp                  2.7.11               sep/04/2003 17:13:37 no
      3   telephony             2.7.11               sep/04/2003 17:51:46 no
      4   system                2.7.11               sep/05/2003 13:17:40 no
      5   routing               2.7.11               sep/04/2003 17:20:20 no
      6   security              2.7.11               sep/04/2003 17:12:36 no
      7   advanced-tools        2.7.11               sep/04/2003 17:09:35 no
      8   ntp                   2.7.11               sep/04/2003 17:52:46 no
      9   dns-cache             2.7.11               sep/04/2003 17:20:49 no
    
    [admin@MikroTik] system license>
    
    The list shows the number, name, version, and build time of the installed software packages. If the functions provided by a software package are not required for the router implementation, the package can be scheduled for uninstallation at the next shutdown/reboot of the router. Use the /system package set command to mark the packages for uninstallation.

    If a package is marked for uninstallation, but it is required for another (dependent) package, then the marked package cannot be uninstalled. You should uninstall the dependent package too. For package dependencies see the section about contents of the software packages below. The system package will not be uninstalled even if marked for uninstallation.
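A pre-upload check for the procedure and notes above, as an added example (not MikroTik's code): it parses `/system package print` output, lists packages whose version differs from the system package, and checks upload file names against the naming rules stated in the text. The sample listing, its build times and the file names are constructed, and the position of the I flag between the row number and the name is an assumption.

```python
import re

# Row of `/system package print`: number, optional "I" (invalid) flag (assumed
# to sit between number and name), name, version, build time, uninstall flag.
ROW = re.compile(r"^\s*(\d+)\s+(I\s+)?(\S+)\s+(\S+)\s+(\S+\s+\S+)\s+(yes|no)\s*$")

# Constructed sample: a router where ppp and dhcp were left at an older
# version and web-proxy is already marked for uninstallation.
SAMPLE = """\
[admin@MikroTik] > /system package print
Flags: I - invalid
  #   NAME                  VERSION              BUILD-TIME           UNINSTALL
  0   web-proxy             2.7rc4               jan/01/2003 10:00:00 yes
  1   ppp                   2.7rc4               jan/01/2003 10:00:00 no
  2   dhcp                  2.7rc4               jan/01/2003 10:00:00 no
  3   system                2.7.11               sep/05/2003 13:17:40 no
  4   security              2.7.11               sep/04/2003 17:12:36 no
"""


def parse_package_print(text):
    """Return one dict per package row; prompt and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"name": m.group(3), "version": m.group(4),
                         "invalid": bool(m.group(2)),
                         "uninstall": m.group(6) == "yes"})
    return rows


def version_mismatches(packages):
    """Names of installed packages whose version differs from `system`."""
    system = next(p["version"] for p in packages if p["name"] == "system")
    return sorted(p["name"] for p in packages if p["version"] != system)


def check_uploads(filenames, packages, target_version):
    """Check upload file names before the FTP transfer.

    Returns (bad, missing): bad maps a file name to its problems; missing
    lists installed packages that would stay at a version other than the
    target because no acceptable file covers them.
    """
    bad, covered = {}, set()
    for fn in filenames:
        problems = []
        if fn != fn.lower():
            problems.append("name is not lowercase")
        stem, _, ext = fn.lower().rpartition(".")
        # Package names contain hyphens (web-proxy), so split on the last one.
        name, _, version = stem.rpartition("-")
        if ext != "npk" or not name:
            problems.append("not of the form name-version.npk")
        elif version != target_version:
            problems.append("version %s is not %s" % (version, target_version))
        if problems:
            bad[fn] = problems
        else:
            covered.add(name)
    stale = {p["name"] for p in packages
             if not p["uninstall"] and p["version"] != target_version}
    return bad, sorted(stale - covered)


if __name__ == "__main__":
    pkgs = parse_package_print(SAMPLE)
    print("differs from system:", version_mismatches(pkgs))
    print(check_uploads(["PPP-2.7.11.npk", "dhcp-2.7rc4.npk"], pkgs, "2.7.11"))
```

Packages already marked for uninstallation are left out of the missing list, since they will be gone after the reboot.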

    Software Package List

    System Software Package

    The system software package provides the basic functionality of the MikroTik RouterOS, namely: It also includes winbox server as well as winbox executable with some plugins

    After installing the MikroTik RouterOS, a license should be obtained from MikroTik to enable the basic system functionality.

    Additional Software Feature Packages

    The table below shows additional software feature packages, the provided functionality, the required prerequisites and additional licenses, if any.
    Name | Contents | Prerequisites | Additional License
    advanced-tools | Provides email client, pingers, netwatch and other utilities | - | -
    arlan | Provides support for DSSS 2.4GHz 2mbps Aironet ISA cards | - | 2.4GHz/5GHz Wireless Client
    dhcp | Provides DHCP server and client support | - | -
    dns-cache | DNS cache | - | -
    hotspot | HotSpot gateway | - | any additional license
    isdn | Provides ISDN support | ppp | -
    lcd | Provides LCD monitor support | - | -
    ntp | Provides network time protocol support | - | -
    ppp | Provides support for PPP, PPTP, L2TP, PPPoE and ISDN PPP | - | -
    radiolan | Provides support for 5.8GHz RadioLAN cards | - | 2.4GHz/5GHz Wireless Client
    routing | Provides support for RIP, OSPF and BGP4 | - | -
    security | Provides support for IPSEC, SSH and secure connectivity with WinBox | - | -
    synchronous | Provides support for framerelay and Moxa C101, Moxa C512, Farsync, Cyclades PC300 and XPeed synchronous cards | - | Sync and Hotspot
    telephony | Provides IP telephony support (H.323) | - | -
    thinrouter-pcipc | Forces PCItoCardBus Bridge to use IRQ 11 as in ThinRouters | - | -
    ups | Provides APC Smart Mode UPS support | - | -
    web-proxy | HTTP Web proxy package | - | -
    wireless | Provides support for Cisco Aironet cards and PrismII and Atheros wireless stations and APs | - | 2.4GHz/5GHz Wireless Client / 2.4GHz/5GHz Wireless Server (optional)

    Software Package Uninstalling

    Description

    Usually, you do not need to uninstall software packages. However, if you have installed a wrong package, or you need additional free space to install a new one, you have to uninstall some unused packages.

    Installed software packages can be viewed using the /system package print command.

    To uninstall a software package, set the uninstall property for that package to yes and reboot the router.

    Example

    Suppose we need to uninstall the web-proxy package from a router.
    [admin@MikroTik] > /system package print
    Flags: I - invalid
      #   NAME                  VERSION              BUILD-TIME           UNINSTALL
      0   web-proxy             2.7.11               sep/04/2003 17:22:32 no
      1   ppp                   2.7.11               sep/04/2003 17:18:26 no
      2   dhcp                  2.7.11               sep/04/2003 17:13:37 no
      3   telephony             2.7.11               sep/04/2003 17:51:46 no
      4   system                2.7.11               sep/05/2003 13:17:40 no
      5   routing               2.7.11               sep/04/2003 17:20:20 no
      6   security              2.7.11               sep/04/2003 17:12:36 no
      7   advanced-tools        2.7.11               sep/04/2003 17:09:35 no
      8   ntp                   2.7.11               sep/04/2003 17:52:46 no
      9   dns-cache             2.7.11               sep/04/2003 17:20:49 no
    
    [admin@MikroTik] > /system package set 0 uninstall=yes
    [admin@MikroTik] > /system reboot
    

    Troubleshooting


    © Copyright 1999-2003, MikroTik

    MikroTik RouterOS™ V2.7 Specifications Sheet

    Document revision 1.6 (09-Jul-2002)
    This document applies to the MikroTik RouterOS™ V2.7

    Hardware

    CPU and motherboard - advanced 4th generation (core frequency 100MHz or more), 5th generation (Intel Pentium, Cyrix 6X86, AMD K5 or comparable) or newer uniprocessor Intel IA-32 (i386) compatible (multiple processors are not supported);
    RAM - minimum 32 MB, maximum 1 GB; 48 MB or more recommended
    hard disk/Flash IDE - minimum 32 MB; 48MB or more recommended
    for installation time - floppy drive, CD reader or PXE-compatible NIC (depending on installation method), keyboard, monitor

    Basic Network Platform

    TCP/IP protocol suite

    Special Protocols

    Caching Features

    Administration

    General

    History undo / redo / display; multiple administrator connections; safe-mode operations
    Real time updates in WinBox GUI; real time configuration

    Scripting

    Scripts can be scheduled for executing at certain times, periodically, or on events. All Terminal Console commands are supported in scripts.

    Hardware Supported

    See Device Driver List for more complete supported device list.

    Wireless Interfaces

    (additional license purchase required)

    Synchronous

    (additional license purchase required)

    Asynchronous Interfaces

    Ethernet Interfaces

    Most widely used single and multiport Ethernet interface cards including:

    ISDN Interfaces

    VoIP Interfaces

    xDSL Interfaces

    (additional license purchase required - 'Synchronous')

    HomePNA Interfaces


    Phone:   +371 7 317 700
    Fax:     +371 7 317 701
    URL:     http://www.mikrotik.com
    E-mail:  mt@mikrotik.com
    Call the office using our H.323 gateway:        VoIP.MikroTik.COM
    Office hours:   Monday-Friday 9AM-5PM local time (GMT + 2)

    © Copyright 1999-2003, MikroTik

    Device Driver List

    Document revision 1.29 (04-Sep-2003)
    This document applies to the MikroTik RouterOS V2.7

    Summary

    This document lists the drivers included in MikroTik RouterOS and the devices that have been tested to work with MikroTik RouterOS. If a device is not listed here, it does not mean the device is not supported; it may still work. It only means that the device has not been tested.

    Ethernet (system)

  • 3Com 509 Series
    Load the driver by specifying the I/O base address. IRQ is not required.
    Chipset type: 3Com 509 Series ISA 10Base
    Compatibility: 3Com EtherLink III

  • 3Com FastEtherLink
    Chipset type: 3Com 3c590/3c900 (3Com FastEtherLink and FastEtherLink XL) PCI 10/100Base
    Compatibility:
  • ADMtek Pegasus
    Chipset type: ADMtek Pegasus/Pegasus II USB 10/100BaseT
    Compatibility:
  • AMD PCnet
    For ISA cards load the driver by specifying the I/O base address. IRQ is not required.
    Chipset type: AMD PCnet/PCnet II ISA/PCI 10BaseT
    Compatibility:
  • AMD PCnet32
    Chipset type: AMD PCnet32 PCI 10BaseT and 10/100BaseT
    Compatibility:
  • Davicom DM9102
    Chipset type: Davicom DM9102 PCI 10/100Base
    Compatibility:
  • DEC 21x4x "Tulip"
    Chipset type: DEC 21x4x "Tulip" PCI 10/100Base
    Compatibility:
  • Intel EtherExpressPro
    Chipset type: Intel i82557 "Speedo3" (Intel EtherExpressPro) PCI 10/100Base
    Compatibility: Intel i82557/i82558/i82559ER/i82801BA-7 EtherExpressPro PCI cards

  • Intel PRO/1000
    Chipset type: Intel i8254x (Intel PRO/1000) PCI 10/100/1000Base
    Compatibility:
  • National Semiconductor DP83810
    Chipset type: National Semiconductor DP83810 PCI 10/100BaseT
    Compatibility:
  • National Semiconductor DP83820
    Chipset type: National Semiconductor DP83820 PCI 10/100/1000BaseT
    Compatibility:
  • NE2000 ISA
    Load the driver by specifying the I/O base address. IRQ is not required.
    Chipset type: NE2000 ISA 10Base
    Compatibility: various ISA cards

  • NE2000 PCI
    Chipset type: NE2000 PCI 10Base
    Compatibility:
  • NS8390
    Chipset type: NS8390 PCMCIA/CardBus 10Base
    Compatibility:
  • RealTek RTL8129
    Chipset type: RealTek RTL8129 PCI 10/100Base
    Compatibility:
  • Sundance ST201 "Alta"
    Chipset type: Sundance ST201 "Alta" PCI 10/100Base
    Compatibility:
  • TI ThunderLAN
    Chipset type: TI ThunderLAN PCI 10/100Base
    Compatibility:
  • VIA vt86c100 "Rhine"
    Chipset type: VIA vt86c100 "Rhine" PCI 10/100Base
    Compatibility:
  • Winbond w89c840
    Chipset type: Winbond w89c840 PCI 10/100Base
    Compatibility:

    Wireless (wireless)

  • Aironet Arlan
    Chipset type: Aironet Arlan IC2200 ISA 2Mbit/s IEEE802.11b
    Compatibility: Aironet Arlan 655

  • Atheros
    Chipset type: Atheros AR5001X PC/PCI 11/54Mbit/s IEEE802.11a/b/g
    Compatibility:
  • Cisco/Aironet
    Chipset type: Cisco/Aironet ISA/PCI/PC 11Mbit/s IEEE802.11b
    Compatibility:
  • Intersil Prism II
    Chipset type: Intersil Prism II PC/PCI 11Mbit/s IEEE802.11b
    Compatibility:
  • RadioLAN
    Chipset type: RadioLAN ISA/PC 10Mbit/s 5.8GHz
    Compatibility:
  • WaveLAN/ORiNOCO
    Chipset type: Lucent/Agere/Proxim WaveLAN/ORiNOCO ISA/PC 11Mbit/s IEEE802.11b
    Compatibility:

    Synchronous (synchronous)

  • Moxa C101 V.35 (4 Mbit/s)
  • Moxa C502 PCI 2-port V.35 (8 Mbit/s)
  • Cyclades PC-300 V.35 (5 Mbit/s)
  • Cyclades PC-300 E1/T1
  • FarSync V.35/X.21 (8.448 Mbit/s)

    Asynchronous (system)

  • Standard Communication Ports Com1 and Com2
  • Moxa Smartio C104H, C168H, CP-114, CP-132, CP-168U, CP-104U, CP-134U, CP-132U PCI 2/4/8 port up to 4 cards (up to 32 ports)
  • Cyclades Cyclom-Y and Cyclades-Z Series up to 32 ports per card, up to 4 cards (up to 128 ports)
  • TCL DataBooster 4 or 8 PCI cards

    ISDN (isdn)

    PCI ISDN cards:

    VoIP (telephony)

  • H.323 Protocol VoIP Analog Gateways

    xDSL (synchronous)

    Xpeed 300 SDSL cards (up to 6.7km twisted pair wire connection, max 2.3Mbit/s)

    HomePNA (system)

    Linksys HomeLink PhoneLine Network Card (up to 10Mbit/s home network over telephone line)

    LCD (lcd)

  • Crystalfontz (www.crystalfontz.com) Intelligent Serial LCD Module 632 (16x2 characters) and 634 (20x4 characters)
  • Powertip (www.powertip.com.tw) Character LCD Module PC1602 (16x2 characters) and PC2404 (24x4 characters)

    PCMCIA Adapters (system)

  • Vadem VG-469 PCMCIA-ISA adapter (one or two PCMCIA ports)
  • RICOH PCMCIA-PCI Bridge with R5C475 II or RC476 II chip (one or two PCMCIA ports)
  • CISCO/Aironet PCMCIA adapter (ISA and PCI versions) for CISCO/Aironet PCMCIA cards only


    © Copyright 1999-2003, MikroTik

    How to Read Reference Manual

    Document revision 1.1 (15-Apr-2003)
    This document applies to the MikroTik RouterOS V2.7

    Summary

    This document contains general information on how to read the Reference Manual. Here you can find information about the Manual's purposes, structure and common conventions.

    The Purpose

    The Reference Manual is designed to give information about all aspects of MikroTik RouterOS installation, configuration, maintenance and upgrading as well as some typical examples.

    The Structure

    The full list of covered topics can be accessed within the main Manual page. Each topic consists of:

  • Main Header - here the theme and document revision are shown
  • Table of Contents - contains table of links to different subtopics of a theme
  • Summary - short summary of functions and (or) technology.
  • Specifications - holds information about packages and licences needed as well as utilized protocols and hardware requirements
  • Related Documents - contains links to related entries in the Manual
  • Description - General item description. Includes theoretical aspects and implementation specs
  • Property Description - Describes available arguments of commands (if any)
  • Notes - some facts worth keeping in mind
  • Example - shows typical example or (and) application example

    Note that some items are not present in each Manual part. Such items are put in brackets [].

    Each manual entry can contain subtopics which hold their own Description, Property Description, Notes and Example items.

    Common Conventions

    Some common conventions are used throughout the Manual and are worth knowing:
  • All commands or arguments are in bold, for example /ip address add address=10.10.10.1/24
  • Where a range of values is given in place of an actual value, it is in italics, for example dst-address (IP address)
  • Default value of an argument is in bold and is prefixed by the keyword 'default', for example action (drop | accept, default: accept)
  • There are some access modifiers used in Property Description:
      • read-only - the argument cannot be modified by the user directly, exempli gratia with the set command
      • multiple choice - these arguments can be selected in combinations, for example supported-rates-a=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps

    Additional Resources

    Key words for use in RFCs to Indicate Requirement Levels
    © Copyright 1999-2003, MikroTik

    Glossary

    Document revision 1.0 (28-Apr-2003)
    This document applies to MikroTik RouterOS v2.7

    Summary

    The Glossary consists of two parts.
    The first part, 'Common Properties', gives definitions of some common properties listed under 'Property Description' subtopics, together with descriptions of their values.
    The second part, 'Terms and Abbreviations', explains the meaning of technical terms, difficult words or phrases and abbreviations used throughout the Reference Manual.

    Common Properties

    arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol (ARP) setting (for more information, see IP Addresses and Address Resolution Protocol):
  • disabled - the interface will not use ARP
  • enabled - the interface will use ARP
  • proxy-arp - the interface will use the ARP proxy feature
  • reply-only - the interface will only reply to requests addressed to its own IP addresses. Neighbour MAC addresses will be resolved using only the statically set /ip arp table

    card-type (read-only: type) - a string with some basic information about adapter type and model

    mac-address (MAC address) - an IEEE Media Access Control (MAC) address. This is a hardware address that uniquely identifies each node of a network. It is shown as a sequence of six two-digit hexadecimal numbers separated by colons, exempli gratia: 00:2f:21:c1:11:0a. In the console it can also be entered without delimiters, id est 002f21c1110a

    mtu (integer) - Maximum Transmission Unit, the largest physical packet size, measured in bytes, that a network can transmit. Any packets larger than the MTU are fragmented into smaller ones before being sent over the network; this slows down transmission speeds. There are some typical settings of MTU: the MTU of many PPP connections is 576 while most ethernet networks have an MTU of 1500

    name (name) - assigned feature name. It is usually used for internal reference and scripting

    Terms and Abbreviations

    Access Point - see AP

    ad-hoc mode - a network framework provided by the IEEE 802.11 standard set in which all communications between wireless clients are made without the use of an Access Point (AP). This mode is sometimes referred to as peer-to-peer mode

    AP - short for Access Point, a set of hardware and software that acts as a communication hub for wireless clients to connect to a wired LAN. APs are important for providing heightened wireless network security and for extending the physical range of service a wireless client has access to.
    See infrastructure mode and ad-hoc mode.

    ARP - short for address resolution protocol. This protocol is used to resolve IP addresses to MAC addresses

    Basic Service Set - (BSS). A network setup with a set of wireless clients and one AP connected to a wired network

    dlci - short for data link connection identifier. Identifies the number of the logical circuit the data travels over. DLCI is a number of a switched virtual or private circuit in a Frame Relay network, which is used to determine how to route the data.

    Extended Service Set - (ESS). A set of two or more BSSs that form one single subnetwork

    IEEE - short for Institute of Electrical and Electronics Engineers. IEEE is best known for developing various standards for the computer and electronic industry

    infrastructure mode - a network framework provided by the IEEE 802.11 standard set in which all communications between wireless clients are made with the help of an Access Point (AP). In this mode, wireless devices can communicate either with each other or with a wired network. There are two possible infrastructure mode configurations, referred to as Basic Service Set (BSS) and Extended Service Set (ESS). The infrastructure mode is widely used in corporate networks in order to gain access to wired LAN services such as file or application servers and printers

    IP address - short for Internet Protocol address. This is a logical address belonging to the OSI layer 3. It consists of four (IPv4) or six (IPv6) binary octets. It is usually shown in decimal form, exempli gratia 159.148.60.2.

    MAC address - short for Media Access Control address. This is an OSI layer 2 hardware address defined by an IEEE standard and is used to deliver packets in the local network. It is a sequence of six two-digit hexadecimal numbers separated by colons, exempli gratia: 00:2f:21:c1:11:0a.

    RFC - short for request for comments. This is a set of technical and organizational notes about the Internet. Memos in the RFC series discuss many aspects of computer networking, including protocols, procedures, programs, and concepts

    ssid - short for Service Set Identifier. The SSID is a 32-character identifier which is used in wireless networking to separate different networks. All devices within the same network must have the same SSID.

    EAP - short for Extensible Authentication Protocol, defined in RFC 2284. It is a general authentication protocol which supports various methods of authentication, such as passwords, public keys, Kerberos and smart cards.

    In wireless communications using EAP, a user requests connection to a WLAN through an AP, which then requests the identity of the user and transmits that identity to an authentication server such as RADIUS. The server asks the AP for proof of identity, which the AP gets from the user and then sends back to the server to complete the authentication.


    © Copyright 1999-2003, MikroTik

    Device Driver Management

    Document revision 1.5 (15-May-2003)
    This document applies to the MikroTik RouterOS V2.7

    Summary

    Device drivers represent the software interfa