MikroTik v2.3 Router Software Manual

4. Network Interface Management

Introduction

An Interface is physical or virtual device which provides a connection to an external network. Network interfaces are created automatically when the Network Interface Card driver is loaded. Virtual (software) interfaces can be created manually.

Managing Network Interfaces from Java

Select the "Interfaces" menu to open the interface list window. The interfaces list displays basic interface parameters. Interface type specific parameters can be changed from interface details windows (opened by double clicking on icon to the left from interface name). The Interface details window has a standard "Traffic" tab which displays traffic that enters and leaves router through the interface. It can also contain other tabs with interface type specific parameters.

The Interfaces list window also contains a "blink" button. Selecting this button causes traffic to be generated on the highlighted interface and therefore blink the LEDs (light emitting diodes) on the card so that an administrator can determine which Interface name corresponds to the actual interface (when there are multiple interfaces of the same type). Some interfaces must have an Ethernet cable connected before the lights will blink. Note that not all interfaces support this function.

Managing Network Interfaces from Console

Network interface commands and submenus are located in the "interface" menu. It contains several commands that are common to all interfaces:

Command syntax	Description
print	Show interface summary
set [enable] [disable] <interface number> [name <new name>] [mtu <MTU>]	Change basic interface properties and/ or enable or disable it
find [from] [name] [mtu] [up][down]
export [file <name>] [noresolve]
blink <interface number>	Generate traffic to blink LEDs
monitor-traffic <interface number>	Monitor traffic on interface

Whre <interface> is interface name or number obtained from "print" command.

The "interface" menu also contains device type specific submenus with device type specific commands. The following device type submenus can be available, depending on what features are licensed for a particular installation:

Submenu	Description
ethernet	Ethernet interfaces
ppp	Async PPP interfaces
synchronous	Moxa Sync interfaces
pptp-client	PPTP dial-out interfaces
pptp-server	PPTP server connections
bridge	Bridge interface
arlan	Arlan IC2200 interfaces
radiolan	RadioLAN interfaces
wavelan	WaveLAN IEEE 802.11 interfaces
pc	Aironet 35/45/4800 interfaces
samsung	Samsung IEEE 802.11 interfaces

Basic Interface Parameter Description

Name in Console	Name in Java	Description
name	Name	Human friendly name for the interface. Maximum 31 character.
enable	Enbled (yes)	Enable interface
disable	Enabled (no)	Disable interface
mtu	MTU	Maximum Transfer Unit (in bytes)
arp	ARP	Address Resolution Protocol Settings
disabled		Disable ARP protocol, use only static ARP entries
enabled		Enable ARP protocol for an interface (send ARP requests and replies)
proxy-arp		Enable ARP protocol for an interface and also reply on ARP requests about IP addresses for which the router is a gateway

Ethernet Interfaces

Ethernet interfaces include standard 10/100 Mbit Ethernet network interface. Ethernet interfaces do not have any device type dependent parameters. Each Ethernet interface has its MAC-address (Medium Access Control).

Managing Ethernet Interfaces from Java

Ethernet interface parameters can be changed from interface list window or from interface details window "General" tab.

Managing Ethernet Interfaces from Console

Ethernet interface management is done in submenu "interface ether".

Command syntax	Description
print [<interface>]	Show interface(s) information
set <interface> [enable] [disable] [name <new name>] [mtu <MTU>] [arp disabled\|enabled\|proxy-arp]	Change interface properties
find
export

Where <interface> is interface name or number obtained from "print" command.

Ethernet Interface Parameters

Name in Console	Name in Java	Description
enable/ disable	Enabled (yes/ no)	Set Ethernet interface up or down
mtu	MTU	Maximum Transfer Unit. Maximum packet size to be transmitted
arp	ARP	Address Resolution Protocol Settings
mac-address	MAC Address	Medium Access Control Address

PPP Server

PPP (or Point-to-Point Protocol) provides a method for transmitting datagrams over serial point-to-point links. The 'com1' and 'com2' ports from standard PC hardware configurations will appear as 'serial0' and 'serial1' automatically. It is possible to add thirty-two additional serial ports with the Moxa C168 PCI multiport asynchronous card (eight ports each) to use the router for a modem pool.

Managing PPP Server from Java

To add PPP server interface, you have to choose "Interfaces" and click "Add New" . Then choose PPP Server and set all PPP server settings. When next time you want to change PPP server settings or check out status or traffic of the PPP server you have to double click on PPP server interface you added in the Interfaces list.

Managing PPP Server from Console

PPP server management is done in the submenu "interface ppp-server".

Command syntax	Description
print	Show interface(s) information
set <interface> [enable] [disable] [name<new name>] [mtu <MTU>] [mru <MRU>] [port-id <id>] [pap no\|yes] [chap no\|yes] [ms-chap no\|yes] [ms-chapv2 no\|yes] [encryption none\|optional\|required\| stateless] [ring-count <rings>] [idle-timeout <time>] [null-modem <on\|off>] [modem-init <string>] [local-address <address>] [remote-address <address>]	Change interface properties
find
export
monitor <interface>	Monitor interface status in real time

Where <interface> is interface name or number obtained from "print" command.

PPP Client

Managing PPP Client from JAVA

To add PPP client interface, you have to choose "Interfaces" and click "Add New" . Then choose PPP Client and set all PPP client settings. When next time you want to change PPP client settings or check out status or traffic of the PPP client you have to double click on PPP client interface you added in the Interfaces list.

Managing PPP Client from console

PPP server management is done in the submenu "interface ppp-server".

Command syntax	Description
print	Show interface(s) information
set <interface> [enable] [disable] [name<new name>] [mtu <MTU>] [mru <MRU>] [port-id <id>] [pap no\|yes] [chap no\|yes] [ms-chap no\|yes] [ms-chapv2 no\|yes] [user <name>] [encryption none\|optional\|required\| stateless] [tone-dial <enable\|disable>] [dial-on-demand <enable\|disable>] [add-default-route <address>] [phone <number>] [idle-timeout <time>] [null-modem <on\|off>] [modem-init <string>] [local-address <address>] [remote-address <address>] [use-peer-dns <enable\|disable>]	Change interface properties
find
export
monitor <interface>	Monitor interface status in real time

PPP Interface Parameters

Name in Console	Name in Java	Description
mtu	MTU	Maximum Transfer Unit. Maximum packet size to be transmitted
mru	MRU	Maximum Size of received packets
pap/ms-chap/ chap/ms-chapv2	Authentication Allow	Authentication protocol type
encryption	Encryption	Which encryption to use.
none	none	No encryption is used. If the other end supports compression, it will be used
optional	optional	If the other end supports encryption, it will be used
required	required	Encryption is required, without it connection won't be established
stateless	stateless	Stateless-MPPE is required. Router will use MPPE-128bit or MPPE-40bit depending on the other end of connection. In stateless mode password will be changed before every packet is transmitted
user	User	User name to use to log into server when dialing out. Can contain letters, digits, "@", "-",".", or be "*"
phone	Phone Number	Phone number to call when dialing out
tone-dial	Tone Dial	Enable/Disable tone dial
ring-count	Rings	Number of rings to wait before answering phone
null-modem	Null Modem	Enable/Disable null-modem mode (when enabled, no modem initialization strings are sent). Default value is "on" (for COM1 and COM2 only). So by default null-modem is turned on.
dial-on-demand	Dial On Demand	Enable/Disable dial on demand
idle-timeout	Idle Time	Idle time after which close connection
modem-init	Modem Init	Modem Initialization String
add-default-route	Add Default Route	Add PPP remote address as a default route. Other settings are: destination=0.0.0.0 netmask=0.0.0.0 interface=ppp, preferred source=0.0.0.0
local-address	Local Address	Local IP Address
remote-address	Remote Address	Remote IP Address

PPP Authentication and Accounting

Overview

PPP (point to point protocol) authentication on the MikroTik RouterOS is supported by a local authentication database or a RADIUS client. Authentication is supported for PPP asynchronous connections, PPPoE, PPTP, and ISDN PPP (local only). Authentication protocols supported are PAP, CHAP, and MS-CHAPv2. The authentication process is as follows: PPP sends a user authentication request, the user ID is first checked against the local user database for any users which have the PPP attribute, if no matching user is found then the RADIUS client (if enabled) will request authentication from the RADIUS server. Note that the users will first be checked against the local database and then only against the RADIUS server. Be careful not to have the same user with PPP on the local database and the RADIUS server – the authentication will finish at the local database in this case.

Topics covered in this section:

Installation
Hardware resource usage
Local authentication overview
Local authentication management of PPP users
Local accounting of PPP users
RADIUS overview
RADIUS client setup
RADIUS parameters
RADIUS servers suggested

PPP authentication and accounting installation on the MikroTik RouterOS v2.3

The local authentication and local accounting features are included in the “system” package. The RADIUS client and RADIUS accounting features are included in the “PPP” package. Note, PPP features require that the PPP package be installed.

Hardware resource usage

No significant hardware resource usage.

Local authentication overview

Local PPP authentication is part of the general user database stored on the router – this database is also responsible for administration authentication for the router. Certain PPP specific attributes are supported for PPP user entries.

·        PPP remote address set from RADIUS server
·        Time limit of connections set from RADIUS server
·        MAC address (PPPoE) or remote client address (PPTP) reported to RADIUS server
·        System identity
·        Traffic accounting (PPP style – no IP pairs)

Local authentication management of PPP users

Only users which are in a group with the PPP attribute can be authenticated for PPP access. To add a user:

[mikrotik] user> add name client2 password ctest group ppp
[mikrotik] user> print

0   ;;; system default user
    name: admin group: full address: 0.0.0.0 netmask: 0.0.0.0 caller-id: ""
    only-one: no max-session-time: 0

1   name: client2 group: ppp address: 0.0.0.0 netmask: 0.0.0.0 caller-id: ""
    only-one: no max-session-time: 0

Descriptions of settings:

full address: 0.0.0.0 netmask: 0.0.0.0

This is used to determine the address to be given to the remote site, if full address is set to a specific IP (for example: full address: 10.25.0.3 netmask: 255.255.255.255), then only 10.25.0.3 will be given to the remote site. If the remote site will not accept this, then the connection will fail. If a subnet were set (for example: full address: 10.25.0.3 netmask: 255.255.255.240), then an address in the subnet 10.25.0.0/28 would be allowed if the server gives an address in that range – or the server has no addresses set to give, and the client request an address in that range. If no specific address or subnet is given (for example: full address: 0.0.0.0 netmask: 0.0.0.0.), then an address from the PPP server setup of “remote-address-from” and “remote-address-to” will be given.

caller-id: ""

For PPTP, this may be set the IP address which a client must connect from in the form of “a.b.c.d”. For PPPoE, the MAC address which the client must connect from can be set in the form or “xx:xx:xx:xx:xx:xx”. When this is not set, there are no restrictions on from where clients may connect.

only-one: no

If this is set to “yes”, then there may be only one connection at a time.

max-session-time: 0

If set to >0, then this is the max number of seconds this session can stay up.  “0” indicates no session limit.

Local accounting of PPP users

To enable local authentication and accounting, set “[mikrotik] ip ppp> set accounting yes authentication local.” If the “authentication” is set to “radius,” then no local accounting logs will be made. The following is an example of the local accounting when a PPPoE connection is made to the PPPoE server (access concentrator).

[mikrotik]> log print

apr/04/2001 17:19:14     pppoe-in7: waiting for authentication
apr/04/2001 17:19:14     pppoe-in7: test logged in
apr/04/2001 17:19:14     pppoe-in7: connection established
apr/04/2001 17:19:20     pppoe-in7: using encoding - none
apr/04/2001 17:25:08     pppoe-in7: connection terminated by peer
apr/04/2001 17:25:08     pppoe-in7: modem hanged up
apr/04/2001 17:25:08     pppoe-in7: connection terminated
apr/04/2001 17:25:08     pppoe-in7: test logged out, 354 4574 1279 101 83

The last line is the accounting which is printed when the connection is terminated. This line indicates that the user “test” connection has terminated at “apr/04/2001 17:25:08.” The numbers following the “test logged out” entry represent the following:

354        session connection time in seconds
4574        bytes-in (from client)
1279        bytes-out (to client)
101        packets-in (from client)
83        packets-out (to client)

RADIUS Overview

RADIUS authentication gives the ISP or network administrator the ability to manage PPP user access and accounting from one server throughout a large network. The MikroTik RouterOS has a RADIUS client which can authenticate for PPP, PPPoE, and PPTP connections – no ISDN remote access support currently. Features supported:

·        PPP remote address set from RADIUS server
·        Time limit of connections set from RADIUS server
·        MAC address (PPPoE) or remote client IP address (PPTP) reported to RADIUS server
·        System identity
·        Traffic accounting (PPP style – no IP pairs)

RADIUS client setup

Set [mikrotik] ip ppp> set authentication radius auth-server 10.10.1.1 shared-secret users

Example output of the print command:

[mikrotik] ip ppp> pr

            primary-dns: 159.148.60.3
          secondary-dns: 0.0.0.0
         authentication: radius
            auth-server: 10.10.1.1
          shared-secret: users
             accounting: no
        accounting-port: 1646
    authentication-port: 1645

Description of the output:

Pimary-dns – ppp setting for remote site
Secondary-dns – ppp setting for remote site
authentication – Can be set to “radius” or “local”
auth-server –  IP address of the server in a.b.c.d
shared-secret – corresponding text string from RADIUS server
accounting – enable by setting “yes” or “no”
accounting-port – default port 1646 according to RFC
authentication-port – default port 1645 according to RFC

RADIUS parameters

Authentication data sent to server Data received from server Accounting information sent to server:

PW_SERVICE_TYPE       = PW_FRAMED     
PW_FRAMED_PROTOCOL    = PW_FRAME_PPP
PW_NAS_IDENTIFIER     = system identity
PW_NAS_IP_ADDRESS     = local PPP interface address
PW_NAS_PORT           = unique PPP port identifier number
PW_NAS_PORT_TYPE      = async or virtual in number form
PW_CALLING_STATION_ID = for PPTP, remote IP reported
                for PPPoE, remote MAC reported
                in form of xx:xx:xx:xx:xx:xx

Data received from serve:

PW_ACCT_INTERIM_INTERVAL  = if non-zero then interval to update accouting data in seconds 
PW_FRAMED_IP_ADDRESS      = PPP remote address
PW_IDLE_TIMEOUT           = if no traffic in that time, connection is closed
PW_SESSION_TIMEOUT        = connection time allowed

Accounting information sent to server:

PW_USER_NAME
PW_ACCT_INPUT_OCTETS      = octets signifies bytes
PW_ACCT_INPUT_PACKETS
PW_ACCT_OUTPUT_OCTETS 
PW_ACCT_OUTPUT_PACKETS
ACCT_SESSION_TIME   = in the form of seconds

RADIUS servers suggested

Our RADIUS CLIENT should work well with all RFC complient servers. Our software has been tested with:

http://www.vircom.com/

PPPoE bandwidth setting
This feature is currently available only version 2.4RC (release candidate). For local authentication, this can be set in the [MikroTik] user> menu with the baud-rate value (identical to bits/s).
For Radius authentication, the account of each user in the radius server should be set with:
Paramater: Ascend-Data-Rate (with parameter ID 197 -- in bits/s)

Additional Resource

Links for SNMP documentation:

http://www.ietf.org/rfc/rfc2138.txt?number=2138
http://www.ietf.org/rfc/rfc2138.txt?number=2139
http://www.livingston.com/tech/docs/radius/introducing.html - 3707

MOXA C101 Synchronous 5Mb/s Adapter

Document revision 27-July-2001
This document applies to the V2.3 of the MikroTik RouterOS

Overview

The MikroTik RouterOS supports the MOXA C101 Synchronous 5Mb/s Adapter hardware.

For more information about the MOXA C101 Synchronous 5Mb/s Adapter hardware please see the relevant documentation:

http://www.moxa.com/product/sync/C101.htm - The product on-line documentation
C101 SuperSync Board User's Manual - The User's Manual in .pdf format

Contents of the Manual

The following topics are covered in this manual:

Synchronous Adapter Hardware and Software Installation
Synchronous Interface Configuration
Troubleshooting
Synchronous Link Applications

Synchronous Adapter Hardware and Software Installation

Software Packages

The MikroTik Router should have the moxa c101 synchronous software package installed. The software package file moxa-c101-2.x.y.npk can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation the package should be listed under the installed software packages list, for example:

[MikroTik] system package> print 
  # NAME                                             VERSION    BUILD UNINSTALL
  0 lcd                                              2.3.14     16    no
  1 system                                           2.3.14     30    no
  2 routing                                          2.3.14     19    no
  3 snmp                                             2.3.14     14    no
  4 ppp                                              2.3.14     18    no
  5 pptp                                             2.3.14     19    no
  6 pppoe                                            2.3.14     20    no
  7 ssh                                              2.3.14     24    no
  8 moxa-c101                                        2.3.14     14    no
[MikroTik] system package>

Software License

The MOXA C101 Synchronous Adapter requires the Synchronous Feature License. One license is for one installation of the MikroTik RouterOS, disregarding how many cards are installed in one PC box. The Synchronous Feature is not included in the Free Demo or Basic Software License. The Synchronous Feature cannot be obtained for the Free Demo License. It can be obtained only together with the Basic Software License.

System Resource Usage

Before installing the synchronous adapter, please check the availability of free IRQ's:

[MikroTik] system resource> irq print 
IRQ OWNER
1   keyboard                                                                  U
2   APIC                                                                      U
3
4   serial port                                                               U
5
6
7
8
9
10  ether1                                                                    U
11
12  ether2                                                                    U
13  FPU                                                                       U
14  IDE 1                                                                     U
[MikroTik] system resource>

Installing the Synchronous Adapter

You can install up to four MOXA C101 synchronous cards in one PC box, if you have so many ISA slots and IRQs available. The basic installation steps of the adapter should be as follows:

Check the system BIOS settings for peripheral devices, like, Parallel or Serial Communication ports. Disable them, if you plan to use IRQ's assigned to them by the BIOS.
Set the jumper of the IRQ to one, which is free on your system. Usually IRQ 5 is fine.
Set the dip switches of the memory mapping base address. Each C101 Super-Sync Board will occupy 16KB memory window. Not all addresses might be available on your motherboard. Use, for example, switch #3 should be OFF, and 1,2,4,5 should be ON for address 0x0D0000. Consult the table in the C101 manual for these settings.
Set the jumper of the transmit clock direction to 'in'
Set the jumper of the communication interface to V.35

Please note, that not all combinations of memory mapping base addresses and IRQ's may work on your motherboard. It is recommended that you choose one IRQ that is not used in your system, and then try an acceptable memory base address setting.

Loading the Driver for the MOXA C101 Synchronous Adapter

The MOXA C101 ISA card requires the driver to be loaded by issuing the following command:

[MikroTik] driver> load c101 mem 0xd0000
[MikroTik] driver> print 
  # DRIVER                                       IRQ IO     MEMORY     ISD...
  0 RealTek RTL8129/8139                                                      D
  1 Moxa C101 Synchronous                                   0xd0000
[MikroTik] driver>

There can be several reasons for a failure to load the driver:

The driver cannot be loaded because other device uses the requested IRQ.
Try to set different IRQ using the DIP switch.
The requested memory base address cannot be used on your motherboard.
Try to change the memory base address using the DIP switches.

Synchronous Interface Configuration

If the driver has been loaded successfully (no error messages), and you have the required Synchronous Software License, then the synchronous interface should appear under the interfaces list with the name syncn, where n is 0,1,2,... You can change the interface name to a more descriptive one using the 'set' command. To enable the interface, use the 'enable' command:

[MikroTik] interface> print 
  # NAME                                                    TYPE        MTU
  0 ether1                                                  ether       1500
  1 ether2                                                  ether       1500
( 2)sync1                                                   sync        1500
[MikroTik] interface> set 2 name moxa
[MikroTik] interface> enable moxa
[MikroTik] interface> print 
  # NAME                                                    TYPE        MTU
  0 ether1                                                  ether       1500
  1 ether2                                                  ether       1500
  2 moxa                                                    sync        1500
[MikroTik] interface>

More configuration and statistics parameters can be found under the '/interface synchronous' menu:

  synchronous             Moxa Sync interfaces
[MikroTik] interface> synchronous 
[MikroTik] interface synchronous> print 
0   name: moxa mtu: 1500 rx-clock-source: rxc-line tx-clock-source: rxc-clock
    speed: 1092266 ignore-dcd: no line-protocol: cisco-hdlc

[MikroTik] interface synchronous> set ?
  _number_          Interface name or number
  name              New interface name
  mtu               Maximum Transmit Unit
  rx-clock-source   Receive clock source
  tx-clock-source   Transmit clock source
  speed             Speed of internal clock
  ignore-dcd        Ignore DCD
  line-protocol     Line protocol
[MikroTik] interface synchronous> set

Argument description:

number - Interface number in the list
name - Interface name
mtu - Maximum Transmit Unit
rx-clock-source - Receive clock source (internal / rxc-line)
tx-clock-source - Transmit clock source (internal / rxc-clock / txc-line)
speed - Speed of internal clock
ignore-dcd - Ignore DCD (yes / no)
line-protocol - Line protocol (cisco-hdlc / sync-ppp)
null-modem - Enable/Disable null-modem mode (ignore DCD signal) (yes / no)

You can monitor the status of the synchronous interface:

[MikroTik] interface synchronous> monitor 0
    dtr: yes
    rts: yes
    cts: no 
    dsr: no 
    dcd: no
[MikroTik] interface synchronous>

If you purchased the MOXA C101 Synchronous card from MikroTik, you have received a V.35 cable with it. This cable should work for all standard modems, which have a V.35 connections. For synchronous modems, which have a DB-25 connection, you should use a standard DB-25 cable.

Connect a communication device, e.g., a baseband modem, to the V.35 port and turn it on. If the link is working properly the status of the interface is:

[MikroTik] interface synchronous> monitor 0
    dtr: yes
    rts: yes
    cts: yes
    dsr: yes
    dcd: yes
[MikroTik] interface synchronous>

The MikroTik driver for the MOXA C101 Synchronous adapter allows you to unplug the V.35 cable from one modem and plug it into another modem with a different clock speed, and you do not need to restart the interface or router.

Troubleshooting

The synchronous interface does not show up under the interfaces list
Obtain the required license for synchronous feature.
The synchronous link does not work
Check the V.35 cabling and the line between the modems. Read the modem manual.

Synchronous Line Applications

Two possible synchronous line configurations are discussed in the following examples:

MikroTik Router to MikroTik Router
MikroTik Router to CISCO Router

MikroTik Router to MikroTik Router

Let us consider the following network setup with two MikroTik Routers connected to a leased line with baseband modems:

MT-to-MT

The driver for MOXA C101 card should be loaded and the interface should be enabled according to the instructions given above. The IP addresses assigned to the synchronous interface should be as follows:

[MikroTik] ip address> add address 1.1.1.1/32 interface wan \
network 1.1.1.2 broadcast 255.255.255.255
[MikroTik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.0.0.254      255.255.255.0   10.0.0.254      10.0.0.255      ether2
  1 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   ether1
  2 1.1.1.1         255.255.255.255 1.1.1.2         255.255.255.255 wan
[MikroTik] ip address> /ping 1.1.1.2
1.1.1.2 pong: ttl=255 time=27 ms
1.1.1.2 pong: ttl=255 time=27 ms
1.1.1.2 pong: ttl=255 time=27 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 27/27.0/27 ms
[MikroTik] ip address>

Note, that for the point-to-point link the network mask is set to 32 bits, the argument 'network' is set to the IP address of the other end, and the broadcast address is set to 255.255.255.255. The default route should be set to the gateway router 1.1.1.2:

[MikroTik] ip route> add gateway 1.1.1.2 interface wan 
[MikroTik] ip route> pr
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.0.0.0        255.255.255.0   0.0.0.0         10.0.0.213      ether2  D K
  1 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   ether1  D K
  2 1.1.1.2         255.255.255.255 0.0.0.0         1.1.1.1         wan     D K
  3 0.0.0.0         0.0.0.0         1.1.1.2         0.0.0.0         wan
[MikroTik] ip route>

The configuration of the Mikrotik router at the other end is similar:

[MikroTik] ip address> add address 1.1.1.2/32 interface moxa \
network 1.1.1.1 broadcast 255.255.255.255
[MikroTik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      Public
  1 1.1.1.2         255.255.255.255 1.1.1.1         255.255.255.255 moxa
[MikroTik] ip address> /ping 1.1.1.1
1.1.1.1 pong: ttl=255 time=27 ms
1.1.1.1 pong: ttl=255 time=27 ms
1.1.1.1 pong: ttl=255 time=27 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 27/27.0/27 ms
[MikroTik] ip address>

MikroTik Router to CISCO Router

Let us consider the following network setup with MikroTik Router connected to a leased line with baseband modems and a CISCO router at the other end:

MT-to-CISCO

[MikroTik] ip address> add address 1.1.1.1/32 interface wan \
network 1.1.1.2 broadcast 255.255.255.255
[MikroTik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.0.0.254      255.255.255.0   10.0.0.254      10.0.0.255      ether2
  1 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   ether1
  2 1.1.1.1         255.255.255.255 1.1.1.2         255.255.255.255 wan
[MikroTik] ip address> /ping 1.1.1.2
1.1.1.2 pong: ttl=255 time=27 ms
1.1.1.2 pong: ttl=255 time=27 ms
1.1.1.2 pong: ttl=255 time=27 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 27/27.0/27 ms
[MikroTik] ip address>

[MikroTik] ip route> add gateway 1.1.1.2 interface wan 
[MikroTik] ip route> pr
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.0.0.0        255.255.255.0   0.0.0.0         10.0.0.213      ether2  D K
  1 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   ether1  D K
  2 1.1.1.2         255.255.255.255 0.0.0.0         1.1.1.1         wan     D K
  3 0.0.0.0         0.0.0.0         1.1.1.2         0.0.0.0         wan
[MikroTik] ip route>

The configuration of the CISCO router at the other end (part of the configuration) is:

CISCO#show running-config 
Building configuration...

Current configuration:
...
!
interface Ethernet0
 description connected to EthernetLAN
 ip address 10.1.1.12 255.255.255.0
!
interface Serial0
 description connected to MikroTik
 ip address 1.1.1.2 255.255.255.252
 serial restart-delay 1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
...
end

CISCO#

Send ping packets to the MikroTik router:

CISCO#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/40 ms
CISCO#

PPTP

Overview

PPTP (Point to Point Tunnel Protocol) supports encrypted tunnels over IP. The Mikrotik RouterOS implementation includes a PPTP client, a PPTP dynamic server, and a PPTP static server. The following tunnels are supported:

MikroTik RouterOS client to any PPTP server – for example Windows 2000
MikroTik RouterOS client to MikroTik RouterOS static or dynamic server
MikroTik RouterOS dynamic server to multiple MikroTik RouterOS clients and any clients with PPTP support
MikroTik RouterOS static server to MikroTik RouterOS client or any PPTP client

General usage of PPTP tunnels:

For secure router-to-router tunnels over the Internet to link local Intranets or LANs (when EoIP is also used)
For Windows clients to remotely access an Intranet/LAN of a company (see PPTP setup for Windows for more information)
For “Mobile IP” – get your company IP when connected to third party Internet connections

Topics covered in this section:

Installation
Hardware resource usage
PPTP protocol description
PPTP client setup
PPTP dynamic server setup
PPTP static server setup
PPTP monitoring
PPTP setup for Windows
PPTP router-to-router secure tunnel example
PPTP resources

PPTP Installation on the MikroTik RouterOS v2.3

The “pptp-2.3.0.npk”(less than 160KB) package and the “ppp-2.3.0.npk”(less than 370KB) are required. The package can be downloaded from MikroTik’s web page www.mikrotik.com . To install the packages, please upload them to the router with ftp and reboot. You may check to see if the PPTP and PPP packages are installed with the command:

[mikrotik]> system package print

  # NAME                                             VERSION    BUILD UNINSTALL
  0 routing                                          2.3.6      5     no
  1 aironet                                          2.3.6      5     no
  2 wavelan                                          2.3.6      5     no
  3 system                                           2.3.6      5     no
  4 snmp                                             2.3.6      5     no
  5 option                                           2.3.6      5     no
  6 ppp                                              2.3.6      5     no
  7 pptp                                             2.3.6      5     no
  8 pppoe                                            2.3.6      5     no
  9 radiolan                                         2.3.6      5     no
 10 ssh                                              2.3.6      5     no

[mikrotik]>

Lines six and seven show that the PPTP and PPP packages are installed.

Hardware resource usage

PPTP uses a minimum amount of memory. The current version of PPTP on RouterOS v2.3 uses a CPU intensive system which will run 5.6Mb/s on a Celeron 600MHz CPU. RouterOS v2.4 has a re-written PPTP engine that will run approximately 60Mb/s on a Celeron 600MHz CPU.

PPTP protocol description

Though the following may sound complex, our implementation of PPTP is easy to setup and manage. PPTP, together with PPP, is a secure tunnel for transporting IP traffic. PPTP encapsulates PPP in virtual lines that run over IP. PPTP incorporates PPP and MPPE (Microsoft point to point encryption) to make encrypted links. The purpose of this protocol is to make well-managed secure connections between 1) routers and routers 2) routers and Windows clients (or other OS with PPTP support). PPTP includes PPP authentication and accounting for each PPTP connection. Full authentication and accounting of each connection may be done through a RADIUS client or locally. There are also additional PPP configurations for management of users and connections. MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported. PPTP traffic uses TCP port 1723 and IP protocol ID 47, as assigned by the Internet Assigned Numbers Authority (IANA). PPTP can be used with most firewalls and routers by enabling traffic destined for port 1723 to be routed through the firewall or router. PPTP connections cannot be setup though a masqueraded/NAT IP connection. Please see the Microsoft and RFC links at the end of this section for more information.

PPTP client setup

Each PPTP connection is composed of a server and a client. The MikroTik RouterOS may function as a server or client – or for various configurations, it may be the server for some connections and client for other connections. For example, the client created below could connect to a Windows 2000 server, another MikroTik Router, or another router which supports a PPTP server. To add a PPTP client to the router:

[Rack1u] interface pptp-client> add name rack2u pap no chap no ms-chapv2 yes encryption required user test 
connect-to 10.5.8.171 idle-timeout 0 session-timeout 0
[Rack1u] interface pptp-client> print
(0) name: rack2u mtu: 1460 mru: 1460 pap: no chap: no ms-chapv2: yes
    encryption: required user: test connect-to: 10.5.8.171 idle-timeout: 0
    session-timeout: 0

Descriptions of settings:

name

For a reference.

Pap, chap, ms-chapv2

Encrypted links are only supported when ms-chapv2 is selected. This is a feature of the protocol. It is suggested that pap and chap always be set to no, unless there is a special situation which requires an unencrypted link.

encryption

Will only work in encrypted mode when ms-chapv2 authentication is used. For most links, it should be set to required.

none – no encryption

optional – 40bit or 128bit if server requests this

required – 40bit or 128bit if server agrees, link will be shut down if no agreement

non-stateless (description) – key is changed approximately every hour or depending on traffic

stateless – same as required plus key is changed for every packet

user

A user name and password must be added to the client router’s user database. The user must be added with the attribute of group PPP. When the client is being authenticated by the server, the client will send this user and the password from the client router’s user database. The server user database must have the same user and password and PPP group attribute to authenticate the link.

Connect-to

The IP address of the PPTP server.

idle-timeout

The link will be terminated if there is no activity with-in the time set – in seconds. When set to “0,” there is no timeout.

session-timeout

The maximum time the connection can stay up. When set to “0,” there is no timeout.

client-address

IP address of client connecting to the PPTP static server

PPTP dynamic server setup

The router supports one PPTP dynamic server. This server supports unlimited connections from clients. For each current connection, a dynamic interface is created. While the PPTP dynamic server supports multiple clients, it does not support static routes, filters, and other IP level features that need to be attached to static interfaces. The PPTP static server supports routes and other IP level features.

To add a dynamic server:

[Rack2u] interface pptp-dynamic-server server> set enabled yes pap no chap no ms-chapv2 yes encryption required 
local-address-from 10.9.0.1 local-address-to 10.9.0.1 remote-address-from 10.9.0.1 remote-address-to 10.9.0.100
[Rack2u] interface pptp-dynamic-server server> print

                enabled: yes
                    pap: no
                   chap: no
              ms-chapv2: yes
             encryption: required
                    mtu: 1460
                    mru: 1460
           idle-timeout: 0
        session-timeout: 0
     local-address-from: 10.9.0.1
       local-address-to: 10.9.0.1
    remote-address-from: 10.9.0.2
      remote-address-to: 10.9.0.100

Descriptions of settings:

enabled

        Yes or No

Pap, chap, ms-chapv2

Encrypted links are only supported when ms-chapv2 is selected. This is a feature of the protocol. It is suggest that pap and chap always be set to no, unless there is a special situation which requires an unencrypted link.

encryption

Will only work in encrypted mode when ms-chapv2 authentication is used. For most links, it should be set to required.

none – no encryption

optional – 40bit or 128bit if client agrees to this

required – 40bit or 128bit if client agrees, link will be shut down if no agreement

non-stateless (description) – key is changed approximately every hour or depending on traffic

stateless – same as required plus key is changed for every packet

mtu

The default mtu is set to 1460 because of the PPTP overhead. It may be changed for special situations.

mru

The default mru is set to 1460 because of the PPTP overhead. It may be changed for special situations.

idle-timeout

The link will be terminated if there is no activity with-in the time set – in seconds. When set to “0,” there is no timeout.

session-timeout

The maximum time the connection can stay up. When set to “0,” there is no timeout.

local-address-from and local-address-to

The IP address of the PPTP local server. Both the -from and –to can be the same. The same local server address will be used on all connections that are created.

remote-address-from and remote-address-to

This should be set to an IP range. This may limit the number of current connections if there are no free IPs available when a new connection is initiated.

PPTP static server setup

The PPTP static server is made for permanent connections between two routers. One side of the PPTP tunnel must be set up as a static server and the other side as a client. On both the static server side and the client side, it will be possible to add static routes, filters, and any other IP level features – for example an EoIP tunnel may be put on top of the PPTP encrypted tunnel to make an encrypted LAN-to-LAN bridge.

To add a PPTP static server interface:

[Rack2u] interface pptp-static-server> add name rack1u client-address 10.5.8.169 pap no chap no ms-chapv2 yes 
encryption required local-address 10.7.0.1 remote-address 10.7.0.2
[Rack2u] interface pptp-static-server> print
(0) name: rack1u client-address: 10.5.8.169 pap: no chap: no ms-chapv2: yes encryption: required 
mtu: 1460 mru: 1460 idle-timeout: 0 session-timeout: 0 local-address: 10.7.0.1 remote-address: 10.7.0.2

Descriptions of settings:

Pap, chap, ms-chapv2

encryption

Will only work in encrypted mode when ms-chapv2 authentication is used. For most links, it should be set to required.

none – no encryption

optional – 40bit or 128bit if client agrees to this

required – 40bit or 128bit if client agrees, link will be shut down if no agreement

non-stateless (description) – key is changed approximately every hour or depending on traffic

stateless – same as required plus key is changed for every packet

mtu

The default mtu is set to 1460 because of the PPTP overhead. It may be changed for special situations.

mru

The default mru is set to 1460 because of the PPTP overhead. It may be changed for special situations.

idle-timeout

A standard PPP setting. The link will be terminated if there is no activity with-in the time set – in seconds. When set to “0,” there is no timeout.

session-timeout

The maximum time the connection can stay up. When set to “0,” there is no timeout.

local-address

The IP address of the PPTP local server. The same local server address can be used on multiple static sever interfaces.

remote-address

This should be set to an IP address of the remote client. PPTP connections for this static server will only be accepted from this address.

PPTP monitoring

To monitor a PPTP client:

[Rack1u] interface pptp-client> mon 0
      uptime: 2s
    encoding: MPPE 128 bit, stateless
      status: Connected

Descriptions of display:

uptime



Connection time displayed in days, hours, minutes, and seconds.

encoding

Encryption being used in this connection.

status

The status of this client may be:

Dialing – attempting to make a connection

Connected – self-explanatory

Terminated – interface is not enabled or the other side will not establish a connection

PPTP router-to-router secure tunnel example

The following is an example of connecting two Intranets using an encrypted PPTP tunnel over the Internet.

There are three routers in this example:

HomeOffice

Interface LocalHomeOffice 10.150.2.254/24
Interface ToInternet 192.168.80.1/24

Internet

Interface ToHomeOffice 192.168.80.254/24
Interface ToRemoteOffice 192.168.81.254/24

RemoteOffice

Interface ToInternet 192.168.81.1/24
Interface LocalRemoteOffice 10.150.1.254/24

To add a secure Tunnel between the HomeOffice and RemoteOffice local Intranet, add an identical user and password with the group “ppp” to both the HomeOffice and RemoteOffice router.

[RemoteOffice] user> add name remote password remote group ppp
[HomeOffice] user> add name remote password remote group ppp

Add a PPTP static server interface to the HomeOffice router -

[HomeOffice] interface pptp-static-server> print

0   name: FromRemoteOffice client-address: 192.168.81.1 pap: no chap: no
    ms-chapv2: yes encryption: required mtu: 1460 mru: 1460 idle-timeout: 0
    session-timeout: 0 local-address: 10.0.103.1 remote-address: 10.0.103.2

Add a PPTP client to the RemoteOffice router –

[RemoteOffice] interface pptp-client> pr

0   name: Tunnel_To_HomeOffice mtu: 1460 mru: 1460 pap: no chap: no
    ms-chapv2: yes encryption: required user: remote connect-to: 192.168.80.1 
    idle-timeout: 0 session-timeout: 0

To route the local Intranets over the PPTP tunnel – add these routes

To the HomeOffice router

  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  4 10.150.2.0      255.255.255.0   10.0.103.1      0.0.0.0         Tunn...

To the RemoteOffice router

  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  7 10.150.1.0      255.255.255.0   10.0.103.2      0.0.0.0         From...

Test the PPTP tunnel connection

[RemoteOffice]> /ping 10.0.103.1
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

Test the connection through the PPTP tunnel to the Intranet interface

[RemoteOffice]> /ping 10.150.2.254
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

To bridge a LAN over this secure tunnel, please the “EoIP” section of the manual. To set the maximum speed for traffic over this tunnel, please the “Queues” section.

PPTP Windows setup

Microsoft provides PPTP client support for Windows NT, 2000, ME, 98se, and 98. Windows 98se, 2000, and ME include support in the Windows setup or automatically install PPTP. For 95, NT, and 98, installation requires a download from Microsoft. Many ISPs have made help pages to assist clients with Windows PPTP installation. A zipped download of an instructional web page is available in PPTP_client_files.zip – this can be found in the utilities section of the download section. This zipped file also includes files needed from Microsoft for upgrading Windows 95 and 98 to support PPTP.

Links:

http://www.real-time.com/Customer_Support/PPTP_Config/pptp_config.html
http://www.microsoft.com/windows95/downloads/contents/WUAdminTools/S_WUNetworkingTools/W95WinsockUpgrade/Default.asp

Sample instructions for PPTP (VPN) installation and client setup – Windows 98se:

If the VPN (PPTP) support is installed, select “Dial-up networking” and “create a new connection.” The option to create a “VPN” should be selected. If there is no “VPN” options, then follow the installation instructions below. When asked for the “Host name or IP address of the VPN server,” type the IP address of the router. Double-click on the new icon and type the correct user name and password (must also be in the user database on the router or RADIUS server used for authentication). The setup of the connections takes nine seconds after selection the “connect” button. It is suggested that the connection properties be edited so that “NetBEUI,” “IPX/SPX compatible,” and “Log on to network,” are unselected. The setup time for the connection will then be two seconds after the “connect” button is selected.
To install the “Virtual Private Networking” support for Windows 98se, go to the “Setting” menu from the main “Start” menu. Select “Control Panel,” select “Add/Remove Program,” select the “Windows setup” tab, select the “Communications” software for installation and “Details.” Go to the bottom of the list of software and select “Virtual Private Networking” to be installed.

Additional Resources

Links for PPTP documentation:

http://msdn.microsoft.com/library/backgrnd/html/understanding_pptp.htm
http://support.microsoft.com/support/kb/articles/q162/8/47.asp
http://www.ietf.org/rfc/rfc2637.txt?number=2637
http://www.ietf.org/rfc/rfc3078.txt?number=3078
http://www.ietf.org/rfc/rfc3079.txt?number=3079

PPPoE – Point to Point Protocol over Ethernet

Document revision 3-August-2001
This document applies to MikroTik RouterOS V2.4

Overview

The PPPoE (Point to Point Protocol over Ethernet) protocol provides extensive user management, network management, and accounting benefits to ISPs and network administrators. Currently, PPPoE is used mainly by ISPs to control client connections for xDSL and cable modems. PPPoE is an extension of the standard dial-up and synchronous protocol PPP. The transport is over Ethernet – as opposed to modem transport. A PPPoE connection is composed of a client and an access concentrator (server). The client may be a Windows computer that has the PPPoE client protocol installed. The MikroTik RouterOS supports both the client and access concentrator implementations of PPPoE. The PPPoE client and server work over any Ethernet level interface on the router – wireless 802.11 (Aironet, Cisco, WaveLAN), 10/100/1000 Mb/s Ethernet, RadioLAN, and EoIP (Ethernet over IP tunnel). No encryption, MPPE 40bit RSA, and MPPE 128bit RSA encryption are supported. Our RouterOS has a RADIUS client that can be used for authentication of all PPP type connections – including PPPoE. For more information on PPP authentication, see the “PPP Authentication and Accounting” section of the manual.

Supported connections:

· MikroTik RouterOS PPPoE client to any PPPoE server (access concentrator)

· MikroTik RouterOS server (access concentrator) to multiple PPPoE clients (clients are available for all OSs and some routers)

Topics covered in this manual:

· Installation

· Hardware resource usage

· PPPoE client setup

· PPPoE server setup (access concentrator)

· PPPoE bandwidth settings

· PPPoE in a multipoint wireless 802.11b network

PPPoE Installation on the MikroTik RouterOS v2.3

The “pppoe-2.4.0.npk”(less than 160KB) package and the “ppp-2.4.0.npk”(less than 370KB) are required. The package can be downloaded from MikroTik’s web page www.mikrotik.com . To install the packages, please upload them to the router with ftp and reboot. You may check to see if the packages are installed with the command:


[mikrotik]> system package print
  # NAME                                             VERSION    BUILD UNINSTALL
  0 routing                                          2.4.0      1     no
  1 aironet                                          2.4.0      1     no
  2 wavelan                                          2.4.0      1     no
  3 system                                           2.4.0      1     no
  4 snmp                                             2.4.0      1     no
  5 option                                           2.4.0      1     no
  6 ppp                                              2.4.0      1     no
  7 pptp                                             2.4.0      1     no
  8 pppoe                                            2.4.0      1     no
  9 radiolan                                         2.4.0      1     no
 10 ssh                                              2.4.0      1     no

[mikrotik]>

Lines six and eight show that the PPP and PPPoE packages are installed.

PPPoE hardware resource usage

The PPPoE client uses a minimum amount of memory. The PPPoE server (access concentrator) uses a minimum amount of memory for the basic setup. Each current PPPoE server connection uses approximately 100-200KB of memory. For PPPoE servers (access concentrators) designed for a large number of PPPoE connections, additional RAM should be added. In version 2.4, there is currently a maximum of 5000 connections. For example, a 1,000 user system should have 200MBs of free RAM above the normal operating RAM. A future rewrite of parts of PPP should significantly reduce this – perhaps to less than 10KB per connection.

PPPoE client setup

The PPPoE client supports high-speed connections. It is fully compatible with the MikroTik PPPoE server (access concentrator). Test with different ISPs and access concentrators are currently underway.

Some connection instructions may use the form where the “phone number” is “MikroTik_AC\mt1” to indicate that “MikroTik_AC” is the access concentrator name and “mt1” is the service name.

[RemoteOffice] interface pppoe-client> print

  0   name=pppoe-out1 interface=gig service-name=testSN user=john pap=no

      chap=yes ms-chapv2=no mtu=1492 mru=1492 idle-timeout=0s

      session-timeout=0s add-default-route=yes dial-on-demand=no

      use-peer-dns=no encryption=none compression=no local-address=0.0.0.0

      remote-address=0.0.0.0 ac-name="" mss-update=1452

Descriptions of settings:

name

This settable name will appear in interface and IP address list when the PPPoE session is active.

interface

The PPPoe client can be attached to any Ethernet like interface – for example: wireless, 10/100/1000 Ethernet, and EoIP tunnels.

mtu and mru

Represents the MTU and MRU when the 8 byte PPPoE overhead is subtracted from the standard 1500 byte Ethernet packet

Pap, chap, ms-chapv2

It is suggested that chap be set to yes to have encrypted authentication. If there is a special situation that requires an encrypted link, only ms-chapv2 should be set to yes. Encrypted links are only supported when ms-chapv2 is selected. This is a requirement of the protocol.

encryption

Will only work in encrypted mode when ms-chapv2 authentication is used. For most links, it should be set to none.

        none – no encryption

        optional – 40bit or 128bit if server requests this

        required – 40bit or 128bit if server agrees, link will be shut down if no agreement

        non-stateless (description) – key is changed approximately every hour or depending on traffic

        stateless – same as required plus key is changed for every packet

user

A user name and password must be added to the client router’s user database. The user must be added with the attribute of group PPP. When the server is authenticating the client, the client will send this user and the password from the client router’s user database. The server user database must have the same user and password and PPP group attribute to authenticate the link – unless the RADIUS client is enabled.

idle-timeout

The link will be terminated if there is no activity with-in the time set – in seconds. When set to “0,” there is no timeout.

session-timeout

The maximum time the connection can stay up. When set to “0,” there is no timeout.

dial-on-demand

Connects to AC only when outbound traffic is generated. The client will not stay permanently connected.

use-peer-dns

Sets the router default DNS to the PPP peer DNS.

compression

May be selected if encryption is not used. The default setting of “no compression” is suggested.

local-address

If the ppp server allows, a local-address may be set. The default setting of 0.0.0.0 is suggested. In this case, the address set by the server will be used.

session-timeout

The maximum time the connection can stay up set in seconds. When set to “0,” there is no timeout.

remote-address

If the ppp server allows, a remote-address may be set. The default setting of 0.0.0.0 is suggested.

service

The service name set on the access concentrator. Many ISPs give user-name and address in the form of “user-name@service-name”

ac-name

This may be left blank and the client will connect to any access concentrator that offers the “service” name selected.

Add-default-route

Select yes to have a default route added automatically.

mss-update

This setting changes the mss (maximum segment size) setting of each packet to the selected size. The default of 1452 is suggested. This fixes a common problem for PPPoE when mis-configured servers or networks do not let the IP protocol work properly. The common symptom is a partial download of a web page.

PPPoE server setup (access concentrator)

The PPPoE server (access concentrator) supports multiple servers for each interface – with differing service names. Currently, a maximum of 5000 PPPoE connections are supported. Currently the throughput of the PPPoE server has been tested to 160Mb/s on a Celeron 600 CPU. Using higher speed CPUs should increase the throughput proportionately.

The setting below is the optimal setting to work with Windows clients such as RASPPPoE client for Win98/2000/ME. The password authentication and encryption are set to “pap no chap yes ms-chapv2 no encryption none” specifically to ensure a quick login by the windows client. In the example below, the login is encrypted with PAP. Currently it is possible to make encrypted links to Windows clients, but usually they quit passing IP after five minutes but remain connected and do show that data is passed – this is a bug which is being worked on. There are no problems with encryption between MikroTik PPPoE client and server.

The access concentrator has a hard limit of 5000 current connections. The user setting for the connections limit is done by setting the “remote-to” and “remote-from” IP addresses range. For example, For a limit of 1020 users: remote-from=10.0.0.1 remote-to=10.0.4.255 . Even if you are using a RADIUS server for client addresses, the remote-from and remote-to arguments must include an IP range which will limit/enable the number of current connections.

The “access concentrator name” and PPPoE “service name” are used by clients to identify the access concentrator to register with. The “access concentrator name” name is the same as the “identity” of the router. The identity many be set with the command: /system identity set xxxxx .

  0   service-name=testSN interface=gig local-from=5.5.5.1 local-to=5.5.5.1

      remote-from=6.6.6.1 remote-to=6.6.6.250 mtu=1492 mru=1492 pap=no chap=yes

      ms-chapv2=no idle-timeout=0s session-timeout=0s compression=no

      encryption=none

Descriptions of settings:

 

Pap, chap, ms-chapv2

It is suggest that chap always be set to yes. PAP is best disabled because it sends the user-name and password in clear text. ms-chapv2 should be disable as it is not needed unless there is a special situation that requires an encrypted link. Encrypted links are only supported when ms-chapv2 is selected. This is a feature of the protocol.

encryption
        Will only work in encrypted mode when ms-chapv2 authentication is used.  For most setups, it should be set to none. 
        none – no encryption
        optional – 40bit or 128bit if client agrees to this
        required – 40bit or 128bit if client agrees, link will be shut down if no agreement
        non-stateless (description) – key is changed approximately every hour or depending on traffic
        stateless – same as required (non-stateless) plus key is changed for every packet 
interface

The PPPoe server can be attached to any Ethernet like interface – for example: wireless, 10/100/1000 Ethernet, and EoIP tunnels.

compression

Standard PPP level compression.

service

The PPPoE service name.

mtu

The default mtu is set to 1492 because of the PPPoE overhead. It may be changed for special situations.

mru

The default mru is set to 1492 because of the PPPoE overhead. It may be changed for special situations.

idle-timeout

A standard PPP setting. The link will be terminated if there is no activity with-in the time set – in seconds. When set to “0,” there is no timeout.

session-timeout

The maximum time the connection can stay up in the format of Xh or Xm or Xs. When set to “0,” there is no timeout.

local-address-from and local-address-to

The IP address pool of the PPPoE local server for each new PPPoE connection. One local address can be used on multiple static sever interfaces. Usually, it is best that this is not a real IP address. Only the client could have a use for a real IP address. Example: local-address-from 10.0.0.1 local-address-to 10.0.0.1 .

remote-address-from and remote-address-to

The IP address pool for the PPPoE remote client for each new PPPoE connection. One address must be available for each current connection – the number in the range selected will be the maximum number of current connections. If radius authentication is used to give addresses, it is still required to have a range of addresses set in this server setup.

PPPoE bandwidth setting

This feature is currently available only version 2.4RC (release candidate). For local authentication, this can be set in the “[MikroTik] user>” menu with the “baud-rate” value (identical to bits/s).

For Radius authentication, the account of each user in the radius server should be set with:

Paramater: Ascend-Data-Rate (with parameter ID 197 -- in bits/s)

PPPoE in a multipoint wireless 802.11b network

In a wireless network, the PPPoE server may be attached to our PRISMII 2.4GHz Access Point (infrastructure mode) interface. Either our RouterOS client or Windows PPPoE clients may connect to the Access Point for PPPoE authentication. Further, for RouterOS clients, the radio interface may be set to MTU 1600 so that the PPPoE interface may be set to MTU 1500. This optimizes the transmission of 1500 byte packets and avoids any problems associated with MTUs lower than 1500. It has not been determined how to change the MTU of the Windows wireless interface at this moment.

Additional Resources

Links for PPPoE documentation:

http://www.ietf.org/rfc/rfc2516.txt

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120dc/120dc3/pppoe.htm

http://www.nts.com/products/enternet_overvw.html

http://www.carricksolutions.com/

http://www.cisco.com/warp/public/cc/pd/as/6400/prodlit/6400_ds.htm

IPIP Tunnels

Overview

The IPIP tunneling implementation on the MikroTik RouterOS is RFC 2003 compliant. IPIP tunnel is a simple protocol that encapsulates IP packets in IP to make a tunnel between two routers. The IPIP interface appears as an interface. Many routers, including Cisco and Linux based, support this protocol. This protocol makes multiple network schemes possible.

Network setups with IPIP interfaces:

Possibility to tunnel Intranets over the Internet
Possibility to avoid using source routing

Topics covered in this section:

Installation
Hardware resource usage
IPIP interface and protocol description
IPIP setup
IPIP Cisco example

IPIP installation on the MikroTik RouterOS v2.3

The IPIP tunnel feature is included in the “system” package.

Hardware resource usage

This protocol uses a minimum of resources.

IPIP interface and protocol description

An IPIP interface should be configured on two routers that have the possibility for an IP level connection and are RFC 2003 compliant. The IPIP tunnel may run over any connection that transports IP. Each IPIP tunnel interface can connect with one remote router which has a corresponding interface configured. An unlimited number of IPIP tunnels may be added to the router. For more details on IPIP tunnels, see RFC 2003.

IPIP setup

To add an IPIP interface:

[Rack1u] interface ipip> add name test_IPIP mtu 1480 local-address 10.5.8.169 remote-address 10.5.8.171
[Rack1u] interface ipip> print

(0) name: test_IPIP mtu: 1480 local-address: 10.5.8.169
    remote-address: 10.5.8.171

Descriptions of settings:

name

Interface name for reference

mtu

Should be set to 1480 bytes to avoid fragmentation of packets. May be set to 1500bytes if mtu path discovery is not working properly on links.

local-address

Local address on router which send IPIP traffic to the remote side.

remote-address

The IP address of the other side of the IPIP tunnel – may be any RFC 2003 compliant router.

There is no authentication or “state” for this interface. The bandwidth usage of the interface may be monitored with the “monitor” feature from the “interface” menu.

IPIP Cisco example

Our IPIP implementation has been tested with Cisco 1005. Sample of the Cisco 1005 configuration:

interface Tunnel0

 ip address 10.3.0.1 255.255.255.0
tunnel source 10.5.8.179
tunnel destination 10.5.8.169
tunnel mode ipip

Additional Resources

Links for IPIP documentation:

http://www.ietf.org/rfc/rfc1853.txt?number=1853
http://www.ietf.org/rfc/rfc2003.txt?number=2003
http://www.ietf.org/rfc/rfc1241.txt?number=1241

Ethernet over IP Tunnels (EoIP)

Overview

Ethernet over IP (EoIP) Tunneling is a RouterOS protocol that creates an Ethernet tunnel between two routers on top of an IP connection. The EoIP interface appears as an Ethernet interface. When the bridging function of the router is enabled, all Ethernet level traffic (all Ethernet protocols) will be bridged just as if there where a physical Ethernet interface and cable between the two routers (with bridging enabled). This protocol makes multiple network schemes possible.

Network setups with EoIP interfaces:

Possibility to bridge LANs over the Internet
Possibility to bridge LANs over encrypted tunnels
Possibility to bridge LANs over 802.11b “ad-hoc” wireless networks

Topics covered in this section:

Installation
Hardware resource usage
EoIP interface and protocol description
EoIP setup

EoIP installation on the MikroTik RouterOS v2.3

The Ethernet over IP tunnel feature is included in the “system” package.

Hardware resource usage

To achieve 100Mb/s Ethernet level wire speed (85Mb/s), it is suggested that Celeron 600MHz and higher CPUs be used on each router – in this situation, the CPU usage was ~60%. Optimization of this implementation will soon decrease the usage of resource usage.

EoIP interface and protocol description

An EoIP interface should be configured on two routers that have the possibility for an IP level connection. The EoIP tunnel may run over an IPIP tunnel, a PPTP 128bit encrypted tunnel, a PPPoE connection, or any connection that transports IP. Each EoIP tunnel interface can connect with one remote router which has a corresponding interface configured with the same “Tunnel ID.” Up to sixteen (numbered 0-15) EoIP tunnels may be created on a router (please contact us if there is an important reason to increase the number of EoIP tunnels per router). The EoIP interface appears as an Ethernet interface under the interface list. This interface supports all features of and Ethernet interface. IP addresses and other tunnels may be run over the interface. The EoIP protocol encapsulates Ethernet frames in UDP packets and sends them to the remote side of the EoIP tunnel. The tunnel transmits and listens to the UDP port 4444 + tunnel ID.

EoIP setup

To add an EoIP interface:

[Rack1u] interface eoip> add name to_2u tunnel-id 1 remote-address 10.5.8.171

0 name: to_2u mtu: 1500 mac-address: FE:FD:00:00:00:00 arp: enabled
tunnel-id: 1 remote-address: 10.111.0.1

Descriptions of settings:

name

Interface name for reference

mtu

Should be set to 1500bytes.

mac-address

A default virtual MAC address is generated. It may be changed if there is a conflict.

arp

Enabled by default.

tunnel-id

Should be a number from 0-16 which has not been used for another EoIP tunnel.

remote-address

The IP address of the other side of the EoIP tunnel – must be a MikroTik router.

To make an Ethernet bridge between two routers with EoIP tunnels, bridging should be enabled on both routers. There is no authentication or “state” for this interface. The bandwidth usage of the interface may be monitored with the “monitor” feature from the “interface” menu.

ISDN Server

Managing ISDN Server from Console

It is done from "interface isdn-server" submenu.

Command Syntax	Description
print	Print ISDN Server information
set <number> [name <interface name>] [enable] [disable] [mtu <MTU>] [mru <MRU>] [idle-timeout <time>] [msn] [l2-protocol <hdlc \| x75bui \| x75i \| x75ui>] [callback <no \| yes>] [callback-delay <time>] [local-address <address>] [remote-address <address>]	Configure ISDN Server
remove <number>	Remove ISDN Server
find	Find
export	Export ISDN Server settings
monitor <interface>	Monitor ISDN server in real time

Where <interface> is an interface name or number obtained from "print" command.

ISDN Client

Managing ISDN Client from JAVA

It is done from Interfaces list. To add isdn client you have to choose add and then ISDN client. If you want to change isdn client settings you have to double click on added isdn client interface in Interace list.

Managing ISDN Client from Console

It is done from "interface isdn-client" submenu.

Command Syntax	Description
print	Print ISDN Client information
set <number> [name <interface name>] [enable] [disable] [mtu <MTU>] [mru <MRU>] [idle-timeout <time>] [msn] [max-retries <number>] [phone <number>] [dial-on-demand <yes\|no>] [l2-protocol <hdlc \| x75bui \| x75i \| x75ui>] [callback <no \| yes>] [callback-delay <time>] [user <name>] [local-address <address>] [remote-address <address>]	Configure ISDN Client
remove <number>	Remove ISDN Client
find	Find
export	Export ISDN Client settings
monitor <interface>	Monitor ISDN Client in real time

Where <interface> is an interface name or number obtained from "print" command.

LMC- WAN

Managing LMC- WAN from Console

It is done from "lmc-wan" submenu.

Command Syntax	Description
print	Print LMC-WAN information
set <number> [name <interface name>] [enable] [disable] [mtu <MTU>] [external-clock <enable\|disable>] [long-cable <enable\|disable>] [scrambler <enable\|disable>] [crc <length>] [circuit-type <type>] [line-protocol <protocol>]	Configure LMC-WAN
find	Find
export	Export LMC-WAN settings
monitor <interface>	Monitor LMC-WAN in real time

Where <interface> is an interface name or number obtained from "print" command.

CISCO/Aironet 2.4GHz DS Wireless Interaces

Document revision 25-July-2001
This document applies to the V2.3 of the MikroTik RouterOS

Overview

The MikroTik RouterOS supports the following CISCO/Aironet 2.4GHz Wireless ISA/PCI/PC Adapter hardware:

Aironet ISA/PCI/PC4800 2.4GHz DS 11Mbps Wireless LAN Adapters (100mW)
Aironet ISA/PCI/PC4500 2.4GHz DS 2Mbps Wireless LAN Adapters (100mW)
CISCO AIR-PCI340 2.4GHz DS 11Mbps Wireless LAN Adapters (30mW)
CISCO AIR-PCI/PC350/352 2.4GHz DS 11Mbps Wireless LAN Adapters (100mW)

For more information about the CISCO/Aironet PCI/ISA adapter hardware please see the relevant User’s Guides and Technical Reference Manuals in .pdf format:

710-003638a0.pdf for PCI/ISA 4800 and 4500 series adapters
710-004239B0.pdf for PC 4800 and 4500 series adapters

Documentation about CISCO/Aironet Wireless Bridges and Access Points can be found in archives:

AP48MAN.exe for AP4800 Wireless Access Point
BR50MAN.exe for BR500 Wireless Bridge

Contents of the Manual

The following topics are covered in this manual:

Wireless Adapter Hardware and Software Installation
Wireless Interface Configuration
Troubleshooting
Wireless Network Applications

Wireless Adapter Hardware and Software Installation

Software Packages

The MikroTik Router should have the aironet software package installed. The software package file aironet-2.x.y.npk can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation the package should be listed under the installed software packages list, for example:

[mikrotik]> system package print 
  # NAME                                                VERSION    BUILD UNINSTALL
  0 system                                              2.3.7      8     no
  1 ppp                                                 2.3.7      6     no
  2 pppoe                                               2.3.7      10    no
  3 pptp                                                2.3.7      6     no
  4 routing                                             2.3.7      7     no
  5 ssh                                                 2.3.6      7     no
  6 aironet                                             2.3.7      6     no
[mikrotik]>

Software License

The 2.4GHz wireless adapters require the 2.4GHz wireless feature license. One licence is for one installation of the MikroTik RouterOS, disregarding how many cards are installed in one PC box. The wireless feature is not included in the Free Demo or Basic Software License. The 2.4GHz Wireless Feature cannot be obtained for the Free Demo License. It can be obtained only together with the Basic Software License.

System Resource Usage

Before installing the wireless adapter, please check the availability of free IRQ's and I/O base addresses:

[mikrotik]> system resource irq print
IRQ OWNER
1   keyboard                                                                  U
2   APIC                                                                      U
3   Local                                                                     U
4   serial port                                                               U
5
6
7
8
9
10
11  Public                                                                    U
12
13  FPU                                                                       U
14  IDE 1                                                                     U
[mikrotik]> system resource io print
IO        OWNER
0020-003f APIC
0040-005f timer
0060-006f keyboard
0080-008f DMA
00a0-00bf APIC
00c0-00df DMA
00f0-00ff FPU
01f0-01f7 IDE 1
0300-031f Local
03c0-03df VGA
03f6-03f6 IDE 1
03f8-03ff serial port
6100-61ff Public
f000-f007 IDE 1
f008-f00f IDE 2

Installing the Wireless Adapter

The basic installation steps of the wireless adapter should be as follows:

Check the system BIOS settings and make sure you do not have the 'PnP OS Installed' set to 'Yes'. If you have this setting, make sure it is set to 'No'.
Check the system BIOS settings for peripheral devices, like, Parallel or Serial communication ports. Disable them, if you plan to use IRQ's assigned to them by the BIOS.
Set the DIP switches on the ISA board according to the following plan:
DIP switch #6 to 'on' (non-PnP mode)
Use the DIP switches #1,2,3 to select the IRQ number Use the DIP switches #4,5 to select the I/O Base Address

Please note, that not all combinations of I/O base addresses and IRQ's may work on your motherboard. It is recommended that you choose one IRQ that is not used in your system, and then try an acceptable I/O base address setting. As it has been observed, that the IRQ 5 and I/O 0x300 or 0x180 work in most cases.

Loading the Driver for the Wireless Adapter

PCI and PC (PCMCIA) cards do not require a 'manual' driver loading, since they are recognized automatically by the system and the driver is loaded at the system startup.

The ISA card requires the driver to be loaded by issuing the following command:

[mikrotik]> driver load pc-isa io 0x180
[mikrotik]> driver print
  # DRIVER                                       IRQ IO     MEMORY     ISD...
  0 RealTek RTL8129/8139                                                      D
  1 ISA NE2000                                       0x300
  2 Aironet ISAxx00                                  0x180
[mikrotik] driver>

There can be several reasons for a failure to load the driver:

The driver cannot be loaded because other device uses the requested IRQ.
Try to set different IRQ using the DIP switches.
The requested I/O base address cannot be used on your motherboard.
Try to change the I/O base address using the DIP switches.

Wireless Interface Configuration

If the driver has been loaded successfully (no error messages), and you have the required 2.4GHz Wireless Software License, then the CISCO/Aironet 2.4GHs Wireless interface should appear under the interfaces list with the name pcn, where n is 0,1,2,... You can change the interface name to a more descriptive one using the 'set' command. To enable the interface, use the 'enable' command:

[mikrotik] interface> print
  # NAME                                                    TYPE        MTU
  0 Public                                                  ether       1500
  1 Local                                                   ether       1500
 (2)pc0                                                     pc          1500
[mikrotik] interface> set 2 name aironet
[mikrotik] interface> enable aironet
[mikrotik] interface> print
  # NAME                                                    TYPE        MTU
  0 Public                                                  ether       1500
  1 Local                                                   ether       1500
  2 aironet                                                 pc          1500

More configuration and statistics parameters can be found under the '/interface pc' menu:

[mikrotik] interface> pc
[mikrotik] interface pc> print
0   name: aironet mtu: 1500 mac-address: 00:40:96:29:02:88
    mode: infrastructure rts-threshold: 2312 fragmentation-threshold: 2312
    tx-power: 100 rx-diversity: right tx-diversity: right long-retry-limit: 16
    short-retry-limit: 16 channel: 2437MHz data-rate: auto
    ap1: 00:00:00:00:00:00 ap2: 00:00:00:00:00:00 ap3: 00:00:00:00:00:00
    ap4: 00:00:00:00:00:00 ssid1: tsunami ssid2: "" ssid3: "" modulation: cck
    client-name: "" beacon-period: 100 join-net: 10s arp: enabled
    firmware-version: PC4800A(3.65)

[mikrotik] interface pc>

Argument description:

number - Interface number in the list
name - Interface name
mtu - Maximum Transmit Unit
mode - Operation mode of the card (infrastructure / ad-hoc)
rts-threshold - RTS threshold
fragmentation-threshold - Fragmentation threshold
tx-power - Transmit power in mW
rx-diversity - Receive diversity (both / default / left / right)
tx-diversity - Transmit diversity (both / default / left / right)
long-retry-limit - Long retry limit
short-retry-limit - Short retry limit
channel - Channel frequency (2412MHz / 2422MHz / ... / 2484MHz)
data-rate - Data rate (11Mbit/s / 1Mbit/s / 2Mbit/s / 5.5Mbit/s / auto)
ap1 - Access Point 1
ap2 - Access Point 2
ap3 - Access Point 3
ap4 - Access Point 4
ssid1 - Service Set Identifier 1
ssid2 - Service Set Identifier 2
ssid3 - Service Set Identifier 3
modulation - Modulation mode (cck / default / mbok)
client-name - Client name
join-net - Beaconing period
arp - Address Resolution Protocol (disabled / enabled / proxy-arp)

You can monitor the status of the wireless interface:

[mikrotik] interface pc> monitor 0
              quality: 0
             strength: 0
         current-rate: 11Mbit/s
    current-frequency: 2437MHz
         synchronized: no
           associated: no
                 ssid: tsunami
         access-point: FF:FF:FF:FF:FF:FF
    access-point-name:

[mikrotik] interface pc>

If the wireless interface card is not registered to an AP, the green status led is blinking fast.

To set the wireless interface for working with an IEEE 802.11b access point (register to the AP), you should set the following parameters:

The Service Set Identifier. It should match the ssid of the AP. Can be blank, if you want the wireless interface card to register to an AP with any ssid. The ssid will be received from the AP, if the AP is broadcasting its ssid.
The Operation Mode of the card should be set to 'infrastructure'.
The Data Rate of the card should match one of the supported data rates of the AP. Data rate 'auto' should work for most of the cases.

All other parameters can be left as default. To configure the wireless interface for registering to an AP with ssid "mt", it is enough to change the argument value of ssid1 to "mt":

[mikrotik] interface pc> set 0 ssid1 mt
[mikrotik] interface pc> monitor 0
              quality: 63
             strength: 131
         current-rate: 11Mbit/s
    current-frequency: 2412MHz
         synchronized: yes
           associated: yes
                 ssid: mt
         access-point: 00:40:96:00:06:72
    access-point-name: Gulf
[mikrotik] interface pc>

If the wireless interface card is registered to an AP, the green status led is blinking slow.

Wireless Troubleshooting

The pc interface does not show up under the interfaces list
Obtain the required license for 2.4GHz wireless feature.
The wireless card does not register to the AP
Check the cabling and antenna alignment.

Wireless Network Applications

Two possible wireless network configurations are discussed in the following examples:

Point-to-Multipoint (Wireless Infrastructure)
Point-to-Point (Peer-to-Peer, or Ad-Hoc Wireless LAN)

Point-to-Multipoint Wireless LAN

Let us consider the following network setup with CISCO/Aironet Wireless Access Point as a base station and MikroTik Wireless Router as a client:

Point-to-Multipoint

The access point is connected to the wired network's HUB and has IP address from the network 10.1.1.0/24. The minimum configuration required for the AP is:

Setting the Service Set Identifier (up to 32 alphanumeric characters). In our case we use ssid "mt".
Setting the allowed data rates at 1-11Mbps, and the basic rate at 1Mbps.
Choosing the frequency, in our case we use 2442MHz.
Setting the identity parameters: ip address/mask and gateway. These are required if you want to access the AP remotely using telnet or http.

Reminder! Please note, that the AP is not a router! It has just one network address, and is just like any host on the network. It resembles a wireless-to-Ethernet HUB or bridge. The AP does not route the IP traffic!

The minimum configuration for the MikroTik router's CISCO/Aironet wireless interface is:

Setting the Service Set Identifier to that of the AP, i.e., "mt"
Setting the Operation Mode to "infrastructure"

[mikrotik] interface pc> set 0 ssid1 mt mode infrastructure
[mikrotik] interface pc> monitor 0
              quality: 62
             strength: 129
         current-rate: 11Mbit/s
    current-frequency: 2442MHz
         synchronized: yes
           associated: yes
                 ssid: mt
         access-point: 00:40:96:00:06:72
    access-point-name: Gulf
[mikrotik] interface pc>

The channel frequency argument does not have any meaning, since the frequency of the AP is used. The IP addresses assigned to the wireless interface should be from the network 10.1.1.0/24, e.g.:

[mikrotik] ip address> add address 10.1.1.12/24 interface aironet
[mikrotik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   Local
  1 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      aironet
[mikrotik] ip address>

The default route should be set to the gateway router 10.1.1.254 (not the AP 10.1.1.250 !):

[mikrotik] ip route> add gw 10.1.1.254 interface aironet
[mikrotik] ip route> print
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   Local   D K
  1 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       aironet D K
  2 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         aironet
[mikrotik] ip route>

Point-to-Point Wireless LAN

Let us consider the following point-to-point wireless network setup with two MikroTik Wireless Routers:

To establish a pint to-to-point link, the configuration of the wireless interface should be as follows:

A unique Service Set Identificator should be chosen for both ends, say "b_link"

A channel frequency should be selected for the link, say 2412MHz

The operation mode should be set to 'ad-hoc'

The following command should be issued to change the settings for the pc interface:

[mikrotik] interface pc> set 0 mode ad-hoc ssid1 b_link channel 2442MHz data-rate auto
[mikrotik] interface pc> monitor 0
              quality: 0
             strength: 0
         current-rate: 11Mbit/s
    current-frequency: 2412MHz
         synchronized: no
           associated: no
                 ssid: b_link
         access-point: FF:FF:FF:FF:FF:FF
    access-point-name:
[mikrotik] interface pc>

For 10 seconds (this is set by the argument join_net) the wireless card is looking for a network to join. The status of the card is not synchronized, and the green status light is blinking fast. If the card cannot find a network, the card creates its own network. The status of the card becomes 'synchronized', and the green status led becomes solid. The monitor command shows the new status and the MAC address generated:

[mikrotik] interface pc> monitor 0
              quality: 62
             strength: 129
         current-rate: 11Mbit/s
    current-frequency: 2412MHz
         synchronized: yes
           associated: no
                 ssid: b_link
         access-point: 16:01:0B:02:17:00
    access-point-name:
[mikrotik] interface pc>

The other router of the point-to-point link requires only the operation mode set to 'ad-hoc' and the System Service Identificator set to "b_link". The channel frequency will be used the same as on the first router, which has created the wireless network. If the radios are able to establish RF connection, the status of the card should become 'synchronized', and the green status led become solid immediately after entering the command:

[wnet_gw] interface pc> set 0 mode ad-hoc ssid1 b_link channel 2412MHz data-rate auto
[wnet_gw] interface pc> monitor 0
              quality: 58
             strength: 122
         current-rate: 11Mbit/s
    current-frequency: 2412MHz
         synchronized: yes
           associated: no
                 ssid: b_link
         access-point: 16:01:0B:02:17:00
    access-point-name:
[wnet_gw] interface pc>

As we see, the MAC address under the 'access-point' parameter is the same as generated on the first router.

If desired, IP addresses can be assigned to the wireless interfaces of the pint-to-point link routers using a smaller subnet, say 30-bit one:

[mikrotik] ip address> add address 192.168.11.1/30 interface aironet
[mikrotik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   Local
  1 192.168.11.1    255.255.255.252 192.168.11.1    192.168.11.3    aironet
[mikrotik] ip address>

The second router will have address 192.168.11.2. The network connectivity can be tested by using ping or bandwidth test:

[wnet_gw] ip address> add address 192.168.11.2/30 interface pc1 
[wnet_gw] ip address> print 
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 192.168.11.2    255.255.255.252 192.168.11.2    192.168.11.3    pc1
  1 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      Public
[wnet_gw] ip address> /ping 192.168.11.1
192.168.11.1 pong: ttl=255 time=3 ms
192.168.11.1 pong: ttl=255 time=1 ms
192.168.11.1 pong: ttl=255 time=1 ms
192.168.11.1 pong: ttl=255 ping interrupted
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1/1.5/3 ms
interrupted
[wnet_gw] ip address> /tool btest 192.168.11.1 protocol tcp 
connecting
current = 4.6Mbps   10secavg = 4.6Mbps   totalavg = 4.6Mbps
current = 4.7Mbps   10secavg = 4.6Mbps   totalavg = 4.6Mbps
current = 4.7Mbps   10secavg = 4.6Mbps   totalavg = 4.6Mbps
current = 4.3Mbps   10secavg = 4.6Mbps   totalavg = 4.6Mbps
current = 4.5Mbps   10secavg = 4.5Mbps   totalavg = 4.5Mbps
current = 4.6Mbps   10secavg = 4.5Mbps   totalavg = 4.5Mbps
[wnet_gw] ip address> /tool btest 192.168.12.1 protocol udp size 1500
connecting
current = 1500.0kbps   10secavg = 1500.0kbps   totalavg = 1500.0kbps
current = 2.0Mbps   10secavg = 1775.3kbps   totalavg = 1775.3kbps
current = 2.9Mbps   10secavg = 2.1Mbps   totalavg = 2.1Mbps
current = 4.4Mbps   10secavg = 2.7Mbps   totalavg = 2.7Mbps
current = 5.6Mbps   10secavg = 3.3Mbps   totalavg = 3.3Mbps
current = 5.6Mbps   10secavg = 3.6Mbps   totalavg = 3.6Mbps
current = 5.6Mbps   10secavg = 3.9Mbps   totalavg = 3.9Mbps
current = 5.6Mbps   10secavg = 4.1Mbps   totalavg = 4.1Mbps
[wnet_gw] ip address>

Arlan IC2200 Interfaces

Arlan IC2200 interfaces include Aironet’s Arlan IC2200 (655) 2.4GHz 2Mbps ISA Client Cards. This hardware line has been discontinued.

Managing Arlan IC2200 Interfaces from Java

Arlan IC2200 specific parameters can be controlled from the “Radio” tab in interface details window. Current status (registration status and registered router and backbone) can be monitored in real time on “Status” tab in interface details window.

Managing Arlan IC2200 Interfaces from Console

Arlan IC2200 interface management is done in the submenu “interface arlan”.

Command syntax	Description
print [<interface>]	Show interface(s) information
set <interface> [enable] [disable] [name <new name>] [mtu <MTU>] [sid <SID>] [card-name <name>] [frequency <channel frequency>] [bitrate <bitrate>] [arp disabled\|enabled\|proxy-arp] [tma-mode no\|yes]	Change interface properties
monitor <interface>	Monitor interface status in real time
find
export

Where <interface> is interface name or number obtained from “print“ command.

Interface status includes registration status and registered router and backbone.

Arlan IC2200 Parameter Description

Name in Console	Name in Java	Description
frequency	Frequency	Channel frequency in MHz.
bitrate	Bitrate	Data Transmission speed in Mbits
card-name	Card Name	Name of the client to be shown in the registration table of the Access Point or Bridge. Maximum 15 characters.
sid	SID	Value of System Identifier. Should be the same for all nodes on the radio network. Maximum 31 character.
mac-address	MAC Address	Medium Access Control Address
tma-mode	TMA mode	Enable/Disable registration mode when client has to register to an AP2000 Access Point or BR2000-E Bridge.
arp	ARP	Address Resolution Protocol settings

RadioLAN Interfaces

RadioLAN 5.8GHz Wireless Adapters

Document revision 14-Sep-2001
This document applies to the V2.3 of the MikroTik RouterOS

Overview

The MikroTik RouterOS supports the following RadioLAN 5.8GHz Wireless Adapter hardware:

RadioLAN ISA card (Model 101).

For more information about the RadioLAN adapter hardware please see the relevant User’s Guides and Technical Reference Manuals.

Contents of the Manual

The following topics are covered in this manual:

Wireless Adapter Hardware and Software Installation
Wireless Interface Configuration
Troubleshooting
Wireless Network Applications

Wireless Adapter Hardware and Software Installation

Software Packages

The MikroTik Router should have the radiolan software package installed. The software package file radiolan-2.3.x.npk can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation the package should be listed under the installed software packages list, for example:

[MikroTik]> system package print
  # NAME                                             VERSION    BUILD UNINSTALL
  0 routing                                          2.3.15     21    no
  1 snmp                                             2.3.15     15    no
  2 ppp                                              2.3.15     20    no
  3 pptp                                             2.3.15     21    no
  4 pppoe                                            2.3.15     22    no
  5 ssh                                              2.3.15     26    no
  6 system                                           2.3.15     32    no
  7 radiolan                                         2.3.15     16    no
[MikroTik]>

Software License

The RadioLAN 5.8GHz wireless adapters require the RadioLAN 5.8GHz wireless feature license. One license is for one installation of the MikroTik RouterOS, disregarding how many cards are installed in one PC box. The wireless feature is not included in the Free Demo or Basic Software License. The RadioLAN 5.8GHz Wireless Feature cannot be obtained for the Free Demo License. It can be obtained only together with the Basic Software License.

System Resource Usage

Before installing the wireless adapter, please check the availability of free IRQ's and I/O base addresses:

[MikroTik]> system resource irq print
IRQ OWNER
1   keyboard                                                                  U
2   APIC                                                                      U
3
4   serial port                                                               U
5
6
7
8
9   ether1                                                                    U
10
11
12
13  FPU                                                                       U
14  IDE 1                                                                     U
[MikroTik]> system resource io print
IO        OWNER
0020-003f APIC
0040-005f timer
0060-006f keyboard
0080-008f DMA
00a0-00bf APIC
00c0-00df DMA
00f0-00ff FPU
01f0-01f7 IDE 1
02f8-02ff serial port
03c0-03df VGA
03f6-03f6 IDE 1
03f8-03ff serial port
ef00-efff ether1
fc00-fc07 IDE 1
fc08-fc0f IDE 2
fc10-fc7f [CS5530]
[MikroTik]>

Installing the Wireless Adapter

The basic installation steps of the wireless adapter should be as follows:

Check the system BIOS settings and make sure you do not have the 'PnP OS Installed' set to 'Yes'. If you have this setting, make sure it is set to 'No'.
Check the system BIOS settings for peripheral devices, like, Parallel or Serial communication ports. Disable them, if you plan to use IRQ's assigned to them by the BIOS.
Use the RLProg.exe to set the IRQ and Base Port address of the RadioLAN ISA card (Model 101). RLProg must be run from a DOS window. Use a separate computer or a bootable floppy] to run the RLProg utility and set the hardware parameters. The factory default values of I/O 0x300 and IRQ 10 might conflict with other devices.

Please note, that not all combinations of I/O base addresses and IRQ's may work on your motherboard. As it has been observed, the IRQ 5 and I/O 0x300 work in most cases.

Loading the Driver for the Wireless Adapter

The ISA card requires the driver to be loaded by issuing the following command:

[MikroTik]> driver load radiolan io 0x300
[MikroTik]> driver print
  # DRIVER                                       IRQ IO     MEMORY     ISD...
  0 RealTek RTL8129/8139                                                      D
  1 ISA RadioLAN                                     0x300
[MikroTik]>

There can be several reasons for a failure to load the driver:

The driver cannot be loaded because other device uses the requested IRQ.
Try to set different IRQ using the DIP switches.
The requested I/O base address cannot be used on your motherboard.
Try to change the I/O base address using the configuration utility.

Wireless Interface Configuration

If the driver has been loaded successfully (no error messages), and you have the required RadioLAN 5.8GHz Wireless Software License, then the RadioLAN 5.8GHz Wireless interface should appear under the interfaces list with the name radiolanX, where X is 1,2,... You can change the interface name to a more descriptive one using the 'set' command. To enable the interface, use the 'enable' command:

[MikroTik] interface> print
  # NAME                                                    TYPE        MTU
  0 ether1                                                  ether       1500
( 1)radiolan1                                               radiolan    1500
[MikroTik] interface> enable radiolan1
[MikroTik] interface> print
  # NAME                                                    TYPE        MTU
  0 ether1                                                  ether       1500
  1 radiolan1                                               radiolan    1500
[MikroTik] interface>

More configuration and statistics parameters can be found under the '/interface radiolan' menu:

[MikroTik] interface> radiolan
[MikroTik] interface radiolan> print
0   name: radiolan1 mtu: 1500 mac-address: 00:A0:D4:20:42:EE distance: 0-150m
    tx-diversity: disabled rx-diversity: disabled default-dst: firstclient
    max-retries: 15 sid: bbbb card-name: 00A0D42042EE
    cfg-destination: 00:00:00:00:00:00 arp: enabled

[MikroTik] interface radiolan>

Argument description:

number - Interface number in the list
name - Interface name
mtu - Maximum Transmit Unit
mac-address - MAC address
distance - distance setting for the link (0-10.2km)
rx-diversity - Receive diversity (disabled / enabled)
tx-diversity - Transmit diversity (disabled / enabled)
default-dst - deafault destination (alone / ap / cfg / firstap / firstclient). It sets the destination where to send the packet if it is not for a clinet in the radio network.
max-retries - maximum retries before dropping the packet
sid - Service Set Identifier
card-name - Card name
cfg-destination - MAC address of a host in the radio network where to send the packet, if it is for none of the radio clients.
arp - Address Resolution Protocol (disabled / enabled / proxy-arp)

You can monitor the status of the wireless interface:

[MikroTik] interface radiolan> monitor radiolan1
    default: 00:00:00:00:00:00
      valid: no
[MikroTik] interface radiolan>

Here, the wireless interface card has not found any neighbour.

To set the wireless interface for working with another wireless card in a point-to-point link, you should set the following parameters:

The Service Set Identifier. It should match the sid of the other card.
The Distance should be set to that of the link. For example, if you have 6km link, use distance 4.7km-6.6km.

All other parameters can be left as default:

[MikroTik] interface radiolan> set 0 sid ba72 distance 4.7km-6.6km
[MikroTik] interface radiolan> print
0   name: radiolan1 mtu: 1500 mac-address: 00:A0:D4:20:42:EE
    distance: 4.7km-6.6km tx-diversity: disabled rx-diversity: disabled
    default-dst: firstclient max-retries: 15 sid: ba72 card-name: 00A0D42042EE
    cfg-destination: 00:00:00:00:00:00 arp: enabled

[MikroTik] interface radiolan> monitor 0
    default: 00:A0:D4:20:42:47
      valid: yes

[MikroTik] interface radiolan>

You can monitor the list of neighbours having the same sid and being within the radio range:

[MikroTik] interface radiolan> neighbours print radiolan1
NAME             MAC-ADDRESS       FLAGS ACCESS-POINT
00A0D4204247     00:A0:D4:20:42:47    D
[MikroTik] interface radiolan>

You can test the link by pinging the neighbour by its MAC address:

[MikroTik] interface radiolan> ping radiolan1 \
mac-address 00:A0:D4:20:42:47 size 1500 count 50
Sent: 2/50 (4%), Ok: 2/2 (100%) max/avg/min retries: 0/0.0/0
Sent: 12/50 (24%), Ok: 12/12 (100%) max/avg/min retries: 0/0.0/0
Sent: 22/50 (44%), Ok: 22/22 (100%) max/avg/min retries: 0/0.0/0
Sent: 32/50 (64%), Ok: 32/32 (100%) max/avg/min retries: 0/0.0/0
Sent: 42/50 (84%), Ok: 42/42 (100%) max/avg/min retries: 0/0.0/0
Sent: 50/50 (100%), Ok: 50/50 (100%) max/avg/min retries: 0/0.0/0
[MikroTik] interface radiolan>

Wireless Troubleshooting

The radiolan interface does not show up under the interfaces list
Obtain the required license for RadioLAN 5.8GHz wireless feature.
The wireless card does not obtain the MAC address of the default destination
Check the cabling and antenna alignment.

Wireless Network Applications

Two possible wireless network configurations are discussed in the following examples:

Point-to-Point Setup with Routing
Point-to-Point Setup with Bridging

Point-to-Point Setup with Routing Let us consider the following network setup with two MikroTik Routers having RadioLAN interfaces:

The Router#1 has IP address/netmask 10.1.1.12/24 on the Ethernet interface ether1, and 10.1.0.1/30 on the RadioLAN interface radiolan1.
The Router#2 has IP address/netmask 192.168.0.254/24 on the Ethernet interface ether1, and 10.1.0.2/30 on the RadioLAN interface radiolan1.

The minimum configuration required for the RadioLAN interfaces of both routers is:

Setting the Service Set Identifier (up to alphanumeric characters). In our case we use ssid "ba72".
Setting the distance parameter, in our case we have 6km link.

The IP addresses assigned to the wireless interface of Router#1 should be from the network 10.1.0.0/30, e.g.:

[MikroTik] ip address> add address 10.1.0.1/30 interface radiolan1
[MikroTik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.1.0.1        255.255.255.252 10.1.0.1        10.1.0.3        radiolan1
  1 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      ether1
[MikroTik] ip address>

The default route should be set to the gateway router 10.1.1.254. A static route should be added for the network 192.168.0.0/24:

[MikroTik] ip route> add gateway 10.1.1.254 interface ether1
[MikroTik] ip route> add dst-address 192.168.0.0/24 gateway 10.1.0.2 \
interface radiolan1
[MikroTik] ip route> print
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       ether1  D K
  1 10.1.0.0        255.255.255.252 0.0.0.0         10.1.0.1        radi... D K
  2 192.168.0.0     255.255.255.0   10.1.0.2        0.0.0.0         radi...
  3 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         ether1
[MikroTik] ip route>

The Router#2 should have addresses 10.1.0.2/30 and 192.168.0.254/24 assigned to the radiolan and Ethernet interfaces respectively. The default route should be set to 10.1.0.1

Point-to-Point Setup with Bridging

The radiolan interface setup is similar to that in the previous example. However, briding of the desired protocols should be enabled for the radiolan and ethernet interfaces:

[MikroTik] bridge> set ip forward arp forward other forward
[MikroTik] bridge> print
           ip: forward
          arp: forward
          ipx: discard
    appletalk: discard
         ipv6: discard
        other: forward
     priority: 1
[MikroTik] bridge> interface
[MikroTik] bridge interface> print
  # INTERFACE                                                           FORWARD
  0 ether1                                                              no
  1 radiolan1                                                           no
[MikroTik] bridge interface> set 0 forward yes
[MikroTik] bridge interface> set 1 forward yes
[MikroTik] bridge interface> pr
  # INTERFACE                                                           FORWARD
  0 ether1                                                              yes
  1 radiolan1                                                           yes
[MikroTik] bridge interface>

Enable the bridge interface and assign the IP address to it, as well as set the default gateway:

[MikroTik] interface> print
  # NAME                                                    TYPE        MTU
  0 ether1                                                  ether       1500
  1 radiolan1                                               radiolan    1500
( 2)bridge1                                                 bridge      1500
[MikroTik] interface> enable 2
[MikroTik] interface> /ip address
[MikroTik] ip address> add address 10.1.1.12/24 interface bridge1
[MikroTik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      bridge1
[MikroTik] ip address> .. route add gateway 10.1.1.254 interface bridge1
[MikroTik] ip address> .. route print
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       bridge1 D K
  1 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         bridge1
[MikroTik] ip address>

The Router#2 should be set similarly, a different IP address assignet to it, e.g., 10.1.1.13/24, the default gateway is 10.1.1.254. Thus, the Ethernet networks are bridged over the RadioLAN point-to-point link.

WaveLAN Interfaces Base Configuration

WaveLAN / ORiNOCO 2.4GHz 11Mbps PC Card (Silver/Gold)

Document revision 14-Sep-2001
This document applies to the V2.3 of the MikroTik RouterOS

Overview

The MikroTik RouterOS supports the following WaveLAN / ORiNOCO 2.4GHz Wireless Adapter hardware:

ORiNOCO 2.4GHz 11Mbps PC Card (Silver/Gold)
ORiNOCO ISA and PCI adapters for using the PC card in desktop computers.

For more information about the WaveLAN / ORiNOCO adapter hardware please see the relevant User’s Guides and Technical Reference Manuals in .pdf format from the manufacturer:

orinoco_pc_card_getting_started_guide.pdf ORiNOCO PC Card Getting Started Guide
orinoco_pc_card_user_guide.pdf ORiNOCO PC Card User's Guide
orinoco_isa_adapter.pdf ORiNOCO ISA Adapter Getting Started Guide
orinoco_pci_adapter.pdf ORiNOCO PCI Adapter Getting Started Guide

Information about configuring the ORiNOCO wireless access point can be found there:

orinoco_ap_1000_guide.pdf ORiNOCO Access Point 1000 (AP-1000) Getting Started Guide
orinoco_manager_suite_user_guide.pdf ORiNOCO Manager Suit User's Guide

Contents of the Manual

The following topics are covered in this manual:

Wireless Adapter Hardware and Software Installation
Wireless Interface Configuration
Troubleshooting
Wireless Network Applications

Wireless Adapter Hardware and Software Installation

Software Packages

The MikroTik Router should have the wavelan software package installed. The software package file wavelan-2.3.y.npk can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation the package should be listed under the installed software packages list, for example:

[MikroTik] system package> print 
  # NAME                                             VERSION    BUILD UNINSTALL
  0 routing                                          2.3.15     21    no
  1 snmp                                             2.3.15     15    no
  2 ppp                                              2.3.15     20    no
  3 pptp                                             2.3.15     21    no
  4 pppoe                                            2.3.15     22    no
  5 ssh                                              2.3.15     26    no
  6 system                                           2.3.15     32    no
  7 option                                           2.3.15     20    no
  8 wavelan                                          2.3.15     21    no
[MikroTik] system package>

Software License

The 2.4GHz wireless adapters require the 2.4GHz wireless feature license. One license is for one installation of the MikroTik RouterOS, disregarding how many cards are installed in one PC box. The wireless feature is not included in the Free Demo or Basic Software License. The 2.4GHz Wireless Feature cannot be obtained for the Free Demo License. It can be obtained only together with the Basic Software License.

System Resource Usage

Before installing the wireless adapter, please check the availability of free IRQ's and I/O base addresses:

[[MikroTik] system resource> irq print 
IRQ OWNER
1   keyboard                                                                  U
2   APIC                                                                      U
3
4
5
6
7
8
9
10  ether1                                                                    U
11
12
13  FPU                                                                       U
14  IDE 1                                                                     U
[MikroTik] system resource> io print 
IO        OWNER
0020-003f APIC
0040-005f timer
0060-006f keyboard
0080-008f DMA
00a0-00bf APIC
00c0-00df DMA
00f0-00ff FPU
01f0-01f7 IDE 1
03c0-03df VGA
03e0-03e1 PCMCIA service
03f6-03f6 IDE 1
6100-611f ether1
[MikroTik] system resource>

Installing the Wireless Adapter

The basic installation steps of the wireless adapter should be as follows:

Check the system BIOS settings and make sure you do not have the 'PnP OS Installed' set to 'Yes'. If you have this setting, make sure it is set to 'No'.
Check the system BIOS settings for peripheral devices, like, Parallel or Serial communication ports. Disable them, if you plan to use IRQ's assigned to them by the BIOS.

Please note, that not all combinations of I/O base addresses and IRQ's may work on your motherboard.

Loading the Driver for the Wireless Adapter

The WaveLAN / Orinoco PC (PCMCIA) cards do not require a 'manual' driver loading, since they are recognized automatically by the system and the driver is loaded at the system startup. If the driver has loaded successfully, there should be two beeps of equal tone, which should be heard through the PC's speaker while the system startup. If the second beep has a lower tone than the first one, then the driver could not be loaded, or, there is no wavelan package installed.

Note! The PC card can be inserted in the PCMCIA-ISA or PCI adapter when the system is running. The wavelan driver is not listed under the list of loaded drivers.

There can be several reasons for a failure to load the driver:

The driver cannot be loaded because other device uses the requested IRQ.
Try to set different IRQ to other devices.
The requested I/O base address cannot be used on your motherboard.
Change the motherboard.

Wireless Interface Configuration

If the driver has been loaded successfully (no error messages), and you have the required 2.4GHz Wireless Software License, then the WaveLAN / ORiNOCO 2.4GHz Wireless interface should appear under the interfaces list with the name wavelanX, where X is 1,2,... You can change the interface name to a more descriptive one using the 'set' command. To enable the interface, use the 'enable' command:

[MikroTik] interface> print 
  # NAME                                                    TYPE        MTU
  0 ether1                                                  ether       1500
( 1)wavelan1                                                wavelan     1500
[MikroTik] interface> enable 1
[MikroTik] interface> print 
  # NAME                                                    TYPE        MTU
  0 ether1                                                  ether       1500
  1 wavelan1                                                wavelan     1500
[MikroTik] interface>

More configuration and statistics parameters can be found under the '/interface wavelan' menu:

[MikroTik] interface> wavelan 
[MikroTik] interface wavelan> print 
0   name: wavelan1 mtu: 1500 mac-address: 00:02:2D:07:17:23 channel: 2412MHz
    date-rate: 11Mbit/s mode: ad-hoc ssid: "" client-name: "" key1: ""
    key2: "" key3: "" key4: "" tx-key: key1 encryption: no arp: arp

[MikroTik] interface wavelan>

Argument description:

number - Interface number in the list
name - Interface name
mtu - Maximum Transmit Unit (256...2296 bytes). The default value is 1500 bytes.
mac-address - MAC address of the card. Cannot be changed.
channel - Channel frequency (2412MHz / 2422MHz / ... / 2484MHz)
data-rate - Data rate (11Mbit/s / 1Mbit/s / 2Mbit/s / 5.5Mbit/s / auto)
mode - Operation mode of the card (infrastructure / ad-hoc)
ssid - Service Set Identifier
client-name - Client name
key1 - Encryption key #1
key2 - Encryption key #2
key3 - Encryption key #3
key4 - Encryption key #4
tx-key - Transmit key (key1 / key2 / key3 / key4)
encryption - Encryption (no / yes)
arp - Address Resolution Protocol (disabled / enabled / proxy-arp)

You can monitor the status of the wireless interface:

[MikroTik] interface wavelan> monitor wavelan1 
             bssid: 00:00:00:00:00:00
           channel: 2422MHz
         data-rate: 2Mbit/s
              ssid:
    signal-quality: 0
      signal-level: 154
             noise: 154
[MikroTik] interface wavelan>

If the wireless interface card is not registered to an AP, the green status led is blinking fast.

To set the wireless interface for working with an IEEE 802.11b access point (register to the AP), you should set the following parameters:

The Service Set Identifier. It should match the ssid of the AP.
The Operation Mode of the card should be set to 'infrastructure'.
The Data Rate of the card should match one of the supported data rates of the AP. Data rate 'auto' should work for most of the cases.

All other parameters can be left as default. To configure the wireless interface for registering to an AP with ssid "MT_w_AP", it is enough to change the argument value of ssid to "MT_w_AP":

[MikroTik] interface wavelan> set 0 ssid MT_w_AP
[MikroTik] interface wavelan> monitor wavelan1 
             bssid: 00:60:B3:66:C7:40
           channel: 2452MHz
         data-rate: 11Mbit/s
              ssid: MT_w_AP
    signal-quality: 56
      signal-level: 213
             noise: 157
[MikroTik] interface wavelan>

Wireless Troubleshooting

The wavelan interface does not show up under the interfaces list
Obtain the required license for 2.4GHz wireless feature.
The wireless card does not register to the AP
Check the cabling and antenna alignment.

Wireless Network Applications

Two possible wireless network configurations are discussed in the following examples:

Point-to-Multipoint (Wireless Infrastructure)
Point-to-Point with MikroTik Client (Peer-to-Peer, or Ad-Hoc Wireless LAN)
Point-to-Point with Windows Client (Peer-to-Peer, or Ad-Hoc Wireless LAN)

Point-to-Multipoint Wireless LAN

Let us consider the following network setup with WaveLAN / ORiNOCO or CISCO/Aironet Wireless Access Point as a base station and MikroTik Wireless Router as a client:

Point-to-Multipoint

The access point is connected to the wired network's HUB and has IP address from the network 10.1.1.0/24. The minimum configuration required for the AP is:

Setting the Service Set Identifier (up to 32 alphanumeric characters). In our case we use ssid "mt".
Setting the allowed data rates at 1-11Mbps, and the basic rate at 1Mbps.
Choosing the frequency, in our case we use 2452MHz.
Setting the identity parameters: ip address/mask and gateway. These are required if you want to access the AP remotely.

The minimum configuration for the MikroTik router's wavelan wireless interface is:

Setting the Service Set Identifier to that of the AP, i.e., "mt"
Setting the Operation Mode to "infrastructure"

[MikroTik] interface wavelan> set wavelan1 ssid mt
[MikroTik] interface wavelan> monitor wavelan1 
             bssid: 00:60:B3:66:C7:40
           channel: 2442MHz
         data-rate: 11Mbit/s
              ssid: mt
    signal-quality: 56
      signal-level: 214
             noise: 158
[MikroTik] interface wavelan>

The channel frequency argument does not have any meaning, since the frequency of the AP is used.

IP Network Configuration

The IP addresses assigned to the wireless interface should be from the network 10.1.1.0/24, e.g.:

[MikroTik] ip address> add address 10.1.1.12/24 interface wavelan1 
[MikroTik] ip address> add address 192.168.0.254/24 interface ether1 
[MikroTik] ip address> print 
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      wavelan1
  1 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   ether1
[MikroTik] ip address>

The default route should be set to the gateway router 10.1.1.254 (not the AP 10.1.1.250 !):

[MikroTik] ip route> print 
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       wave... D K
  1 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   ether1  D K
  2 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         wave...
[MikroTik] ip route>

Point-to-Point Wireless LAN

Let us consider the following point-to-point wireless network setup with two MikroTik Wireless Routers:

To establish a point-to-point link, the configuration of the wireless interface should be as follows:

A unique Service Set Identificator should be chosen for both ends, say "b_link"

A channel frequency should be selected for the link, say 2412MHz

The operation mode should be set to 'ad-hoc'

The following command should be issued to change the settings for the wavelan interface:

[MikroTik] interface wavelan> set 0 ssid b_link mode ad-hoc channel 2412MHz 
[MikroTik] interface wavelan> monitor wavelan1 
             bssid: 00:02:2D:07:17:23
           channel: 2412MHz
         data-rate: 11Mbit/s
              ssid: b_link
    signal-quality: 0
      signal-level: 154
             noise: 154
[MikroTik] interface wavelan>

The other router of the point-to-point link requires the same parameters to be set:

[wnet_gw] interface wavelan> set 0 ssid b_link mode ad-hoc channel 2412MHz 
[wnet_gw] interface wavelan> enable 0
[wnet_gw] interface wavelan> monitor 0
             bssid: 00:02:2D:07:17:23
           channel: 2412MHz
         data-rate: 11Mbit/s
              ssid: b_link
    signal-quality: 0
      signal-level: 154
             noise: 154
[wnet_gw] interface wavelan>

As we see, the MAC address under the 'bssid' parameter is the same as generated on the first router.

IP Network Configuration

If desired, IP addresses can be assigned to the wireless interfaces of the pint-to-point link routers using a smaller subnet, say 30-bit one:

[MikroTik] ip address> add address 10.0.0.1/30 interface wavelan1 
[MikroTik] ip address> add address 192.168.0.254/24 interface ether1 
[MikroTik] ip address> print 
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.0.0.1        255.255.255.252 10.0.0.1        10.0.0.3        wavelan1
  1 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   ether1
[MikroTik] ip address> /ip route add gateway 10.0.0.2 interface wavelan1 
[MikroTik] ip address> /ip route print 
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.0.0.0        255.255.255.252 0.0.0.0         10.0.0.1        wave... D K
  1 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   ether1  D K
  2 0.0.0.0         0.0.0.0         10.0.0.2        0.0.0.0         wave...
[MikroTik] ip address>

The second router will have address 10.0.0.2, the default route to 10.1.1.254, and a static route for network 192.168.0.0/24 to 10.0.0.1:

[wnet_gw] ip address> add address 10.0.0.2/30 interface wl1 
[wnet_gw] ip address> add address 10.1.1.12/24 interface Public 
[wnet_gw] ip address> print 
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.0.0.2        255.255.255.252 10.0.0.2        10.0.0.3        wl1
  1 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      Public
[wnet_gw] ip address> /ip route 
[wnet_gw] ip route> add gateway 10.1.1.254 interface Public 
[wnet_gw] ip route> add gateway 10.0.0.1 interface wl1 \
                    dst-address 192.168.0.0/24
[wnet_gw] ip route> print 
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.0.0.0        255.255.255.252 0.0.0.0         10.0.0.2        wl1     D K
  1 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       Public  D K
  2 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         Public
  3 192.168.0.0     255.255.255.0   10.0.0.1        0.0.0.0         wl1
[wnet_gw] ip route>

Testing the Network Connectivity

The network connectivity can be tested by using ping or bandwidth test:

[MikroTik]> ping 10.0.0.2
10.0.0.2 pong: ttl=255 time=2 ms
10.0.0.2 pong: ttl=255 time=2 ms
10.0.0.2 pong: ttl=255 time=2 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 2/2.0/2 ms
interrupted
[MikroTik]> tool btest 10.0.0.2 protocol udp size 1500
connecting
current = 1500.0kbps   10secavg = 1500.0kbps   totalavg = 1500.0kbps
current = 2039.0kbps   10secavg = 1769.5kbps   totalavg = 1769.5kbps
current = 2.8Mbps   10secavg = 2.1Mbps   totalavg = 2.1Mbps
current = 4.1Mbps   10secavg = 2.6Mbps   totalavg = 2.6Mbps
current = 4.1Mbps   10secavg = 2.9Mbps   totalavg = 2.9Mbps
current = 4.1Mbps   10secavg = 3.1Mbps   totalavg = 3.1Mbps
current = 4.2Mbps   10secavg = 3.2Mbps   totalavg = 3.2Mbps
[MikroTik]>

Point-to-Point Wireless LAN with Windows Client

Let us consider the following point-to-point wireless network setup with one MikroTik Wireless Router and a laptop computer with Wavelan card:

It is very important, that the MikroTik Router is configured prior turning on and configuring the wireless client. The MikroTik router should be up and running, so the client could join its network.

The configuration of the wireless interface of the MikroTik Router should be as follows:

A unique Service Set Identificator should be chosen, say "home_link"

A channel frequency should be selected for the link, say 2447MHz

The operation mode should be set to 'ad-hoc'

The following command should be issued to change the settings for the wavelan interface:

[home_gw] interface wavelan> set wl-home channel 2447MHz \
          mode ad-hoc ssid home_link
[home_gw] interface wavelan> enable wl-home 
[home_gw] interface wavelan> print 
0   name: wl-home mtu: 1500 mac-address: 00:02:2D:07:D8:44 channel: 2447MHz
    date-rate: 11Mbit/s mode: ad-hoc ssid: home_link client-name: "" key1: ""
    key2: "" key3: "" key4: "" tx-key: key1 encryption: no arp: arp

[home_gw] interface wavelan> monitor 0
             bssid: 02:02:2D:07:D8:44
           channel: 2447MHz
         data-rate: 11Mbit/s
              ssid: home_link
    signal-quality: 0
      signal-level: 154
             noise: 154
[home_gw] interface wavelan>

Configure the laptop computer with the Wavelan card following the manufacturer's instructions.

Note! In Ad-Hoc (Peer-to-Peer) mode the V1.76 ORiNOCO Client Manager program allows setting only the Network Name (ssid) parameter. The channel (frequency) parameter is chosen that of the other peer. Therefore, the MikroTik Router should be configured for the ad-hoc mode operation prior turning on the laptop Wavelan client.

If the laptop Wavelan client has established the wireless link with the MikroTik router, it should report the same parameters as set on the MikroTik router's wavelan interface:

Client Manager

Here, we see the channel #8, which is 2447MHz.

IP Network Configuration

The IP addresses assigned to the wireless interface of the MikroTik Router should be from the network 192.168.0.0/24:

[home_gw] ip address> add interface Public address 10.1.1.12/24
[home_gw] ip address> add interface wl-home address 192.168.0.254/24
[home_gw] ip address> print 
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      Public
  1 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   wl-home
[home_gw] ip address> /ip route 
[home_gw] ip route> add gateway 10.1.1.254 interface Public
[home_gw] ip route> print 
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       Public  D K
  1 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   wl-home D K
  2 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         Public
[home_gw] ip route>

The DHCP server can be enabled on the wireless interface:

[home_gw] ip dhcp-server> print
0   interface: Public enabled: no from-address: 0.0.0.0 to-address: 0.0.0.0
    lease-time: 0:10:00 netmask: 0.0.0.0 gateway: 0.0.0.0 src-address: 0.0.0.0
    dns-server: 0.0.0.0 domain: ""

1   interface: wl-home enabled: no from-address: 0.0.0.0 to-address: 0.0.0.0
    lease-time: 0:10:00 netmask: 0.0.0.0 gateway: 0.0.0.0 src-address: 0.0.0.0
    dns-server: 0.0.0.0 domain: ""

[home_gw] ip dhcp-server> set 1 enabled yes from-address 192.168.0.1 to-address
192.168.0.200 netmask 255.255.255.0 gateway 192.168.0.254 src-address 192.168.0.
254 dns-server 159.148.147.194 domain myhome.com
[home_gw] ip dhcp-server> print
0   interface: Public enabled: no from-address: 0.0.0.0 to-address: 0.0.0.0
    lease-time: 0:10:00 netmask: 0.0.0.0 gateway: 0.0.0.0 src-address: 0.0.0.0
    dns-server: 0.0.0.0 domain: ""

1   interface: wl-home enabled: yes from-address: 192.168.0.1
    to-address: 192.168.0.200 lease-time: 0:10:00 netmask: 255.255.255.0
    gateway: 192.168.0.254 src-address: 192.168.0.254
    dns-server: 159.148.147.194 domain: myhome.com

[home_gw] ip dhcp-server>

Testing the Network Connectivity

The network connectivity can be tested by monitoring the obtained leases:

[home_gw] ip dhcp-server> lease print 
  # ADDRESS         MAC-ADDRESS       INTERFACE            EXPIRES-AT
  0 192.168.0.1     00:02:2D:07:17:23 wl-home              sep/14/2001 10:58:23
[home_gw] ip dhcp-server>

Note! You may need to perform the 'renew lease' on the client to obtain the IP address from the router, if the DHCP-server has been configured after turning on the Wavelan client.

Use the ping command to test the connectivity from the router:

[home_gw] ip dhcp-server> /ping 192.168.0.1
192.168.0.1 pong: ttl=32 time=3 ms
192.168.0.1 pong: ttl=32 time=2 ms
192.168.0.1 pong: ttl=32 time=2 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 2/2.3/3 ms
interrupted
[home_gw] ip dhcp-server>

You may want to turn on masquerading for the local addresses 192.168.0.0/24 when going out to the Internet:

[home_gw] ip firewall rule> add forward action masq src-address 192.168.0.0/24 i
nterface Public 
[home_gw] ip firewall rule> print forward 
0   action: masq protocol: all src-address: 192.168.0.0
    src-netmask: 255.255.255.0 src-ports: 0-65535 dst-address: 0.0.0.0
    dst-netmask: 0.0.0.0 dst-ports: 0-65535 interface: Public log: no

[home_gw] ip firewall rule>

Thus, the IP address of the router 10.1.1.12 will be used as a source when accessing other networks through the Public interface. More about IP network and firewall configuration can be found in the relevant sections of the MikroTik RouterOS Manual.

PrismII Wireless Client and Wireless Access Point

...Draft...

This document applies to the V2.4 of the MikroTik RouterOS

Overview

The MikroTik RouterOS supports the following IEEE 802.11b standard PrismII chipset based wireless adapter hardware:

RF-LINK 1100N 2.4GHz DSSS 11Mbps Wireless LAN PC Card
Z-Com's LANEscape XI-300 Wireless PC Card

For more information about adapter hardware please see the relevant User’s Guides and Technical Reference Manuals of the hardware manufacturers.

The MikroTik RouterOS supports the PrismII chipset based wireless adapter cards for working both as wireless clients (station mode) and wireless access points (access point mode).

Contents of the Manual

The following topics are covered in this manual:

Wireless Adapter Hardware and Software Installation
Wireless Interface Configuration
Troubleshooting
Wireless Network Applications

Wireless Adapter Hardware and Software Installation

Software Packages

The MikroTik Router should have the prism software package installed. The software package file prism-2.4.x.npk can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation the package should be listed under the installed software packages list, for example:

[MikroTik] > sys package print                                                 
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 routing                2.4rc6                aug/06/2001 15:56:22 no       
  1 snmp                   2.4rc6                aug/06/2001 15:56:24 no       
  2 ppp                    2.4rc6                aug/06/2001 15:56:37 no       
  3 pptp                   2.4rc6                aug/06/2001 15:56:47 no       
  4 pppoe                  2.4rc6                aug/06/2001 15:56:53 no       
  5 ssh                    2.4rc6                aug/06/2001 15:58:11 no       
  6 system                 2.4rc6                aug/06/2001 15:56:04 no       
  7 prism                  2.4rc6                aug/06/2001 15:58:54 no       
[MikroTik] >

Software License

The 2.4GHz wireless adapters require the 2.4GHz wireless feature license. One license is for one installation of the MikroTik RouterOS, disregarding how many cards are installed in one PC box. The wireless feature is not included in the Free Demo or Basic Software License. The 2.4GHz Wireless Feature cannot be obtained for the Free Demo License. It can be obtained only together with the Basic Software License.

The 2.4GHz Wireless Feature License enables only the station mode of the Prism II card. To enable the access point mode, additionally the Wireless AP Feature License is required.

The MikroTik RouterOS supports as many PrismII chipset based cards as many free resources are on your system, i.e., IRQs and adapter slots. One license is valid for all cards on your system.

System Resource Usage

Before installing the wireless adapter, please check the availability of free IRQ's and I/O base addresses:

[MikroTik] > system resource irq print                                         
 IRQ USED OWNER                                                                 
 1   yes  keyboard                                                              
 2   yes  APIC                                                                  
 3   no                                                                         
 4   yes  serial port                                                           
 5   no
 6   no                                                                         
 7   no                                                                         
 8   no                                                                         
 9   yes  ether1                                                                
 10  no                                                                         
 11  no                                                                         
 12  no                                                                         
 13  yes  FPU                                                                   
 14  yes  IDE 1                                                                 
[MikroTik] > system resource io print                                          
 PORT-RANGE            OWNER                                                    
 32-63                 APIC                                                     
 64-95                 timer                                                    
 96-111                keyboard                                                 
 128-143               DMA                                                      
 160-191               APIC                                                     
 192-223               DMA                                                      
 240-255               FPU                                                      
 496-503               IDE 1                                                    
 760-767               serial port                                              
 960-991               VGA                                                      
 992-993               PCMCIA service                                           
 1014-1014             IDE 1                                                    
 1016-1023             serial port                                              
 61184-61439           ether1                                                   
 64512-64519           IDE 1                                                    
 64520-64527           IDE 2                                                    
 64528-64639           [CS5530]                                                 
[MikroTik] >

Installing the Wireless Adapter

The basic installation steps of the wireless adapter should be as follows:

Check the system BIOS settings and make sure you do not have the 'PnP OS Installed' set to 'Yes'. If you have this setting, make sure it is set to 'No'.
Check the system BIOS settings for peripheral devices, like, Parallel or Serial communication ports. Disable them, if you plan to use IRQ's assigned to them by the BIOS.

Loading the Driver for the Wireless Adapter

PCI and PC (PCMCIA) cards do not require a 'manual' driver loading, since they are recognized automatically by the system and the driver is loaded at the system startup.

There can be several reasons for a failure to load the driver, for example:

The driver cannot be loaded because other device uses the requested IRQ.
Try to set the IRQ assignment to PCI slots using the system BIOS configuration.

Wireless Interface Configuration

If the driver has been loaded successfully, and you have the required 2.4GHz Wireless Software License, then the Prism II 2.4GHz Wireless interface should appear under the interfaces list with the name prismn, where n is 0,1,2,... You can change the interface name to a more descriptive one using the 'set' command. To enable the interface, use the 'enable' command:

[MikroTik] > interface print                                                   
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  2 X prism1               1500  prism                                         
[MikroTik] > interface enable 1
[MikroTik] > interface set 1 name=wireless                                    
[MikroTik] > interface print                                                   
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  1   wireless             1500  prism                                         
[MikroTik] >

More configuration and statistics parameters can be found under the '/interface prism' menu:

[MikroTik] interface prism> print                                              
Flags: X - disabled 
  0   name=wireless mtu=1500 mac-address=00:03:C0:00:06:72 arp=enabled 
      mode=station frequency=2412MHz ssid=abc client-name="" 
      max-associations=250 hide-ssid=no supported-rates=1-11 basic-rates=1-2 
      fragmentation-threshold=2346 rts-threshold=2432 
      default-access-action=allow 

[MikroTik] interface prism>

Argument description:

number - Interface number in the list
name - Interface name (same as for other interfaces)
mtu - Maximum transfer unit (same as for other interfaces)
mac-address - MAC address of card. In AP mode this will also be BSSID of BSS.
arp - ARP mode (same as for ethernet interfaces)
mode - (station|access-point). If station - card works as station, if access-point, card works as access point. After mode is changed from access-point to station, for station mode to activate, have to reboot (changing back to AP mode will work fine). Change from station to AP can be done without rebooting.
frequency - Frequency that AP will use to create BSS
ssid - Service Set Identifier. In station mode - ssid to connect to, in AP mode - ssid to use when creating BSS (this can not be left blank, because AP needs ssid to work, but in station mode cards hang up without ssid.
client-name - Client name
max-associations - meaningless for station. For AP means how many stations can be associated at the same time (min: 1, max: 500)
hide-ssid - meaningless for station. For AP tells that SSID should not be transmitted in beacon frames (so none can read ssid when sniffing radio), and that AP should not answer probe requests that do not have our ssid in them. Basically this means that if this setting is set to "yes", every client that wants to connect to this AP has to have correct ssid configured.
supported-rates - For both - station and AP - rates at which this node will work.
basic-rates - Meaningless for station. For AP - rates that every client that plans to connect to this AP should be able to work at.
fragmentation-threshold - for both STA and AP - bigger packets than this value will be fragmented before transmission (min: 256, max: 2346)
rts-threshold - for both STA and AP - bigger packets than this value will be transmitted using RTS/CTS medium reservation method. This medium reservation ensures that no other radios transmit at this time (min: 0, max: 2432)
default-access-action - (allow|deny) - meaningless for STA, for AP - what to do with client that wants to associate, but it is not in the access-list.

You can monitor the status of the wireless interface:

[MikroTik] interface prism> monitor 0                                            
       signal-quality: 0            
         signal-level: 27           
          noise-level: 27           
         current-rate: 2            
               status: disconnected 

[MikroTik] interface prism>

Station Mode Configuration

To set the wireless interface for working with an IEEE 802.11b access point (register to the AP), you should set the following parameters:

The Service Set Identifier. It should match the ssid of the AP.
The Operation Mode of the card should be set to 'station'.
The Supported Rate of the card should match one of the supported data rates of the AP.

All other parameters can be left as default. To configure the wireless interface for registering to an AP with ssid "mt", it is enough to change the argument value of ssid to "mt":

[MikroTik] interface prism> set 0 ssid=mt                                      
[MikroTik] interface prism> monitor 0                                          
                bssid: 00:40:96:37:71:1E 
    current-frequency: 2442MHz           
       signal-quality: 92                
         signal-level: 183               
          noise-level: 0                 
         current-rate: 8                 
               status: connected         

[MikroTik] interface prism>

If the wireless interface card is registered to an AP.

Access Point Mode Configuration

To set the wireless interface for working as an IEEE 802.11b access point (register clients), you should set the following parameters:

The Service Set Identifier. It should be unique for your system.
The Operation Mode of the card should be set to 'station'.
The Frequency of the card.

All other parameters can be left as default. To configure the wireless interface for working as an access point with ssid "mt" and use the frequency 2442MHz, it is enough to enter the command:

[MikroTik] interface prism> set 0 mode=access-point ssid=mt frequency=2442MHz          
[MikroTik] interface prism> monitor                                            
                bssid: 00:03:C0:00:06:72 
    current-frequency: 2442MHz           
               status: ap-mode           

[MikroTik] interface prism>

To see the list of all clients currently registered to all configured APs,

[MikroTik] interface prism> registration-table print                           
  # INT MAC-ADDRESS       SIGNAL     SILENCE    RATE       UPTIME              
  0 wir 00:40:96:37:71:1E 183        0          11         00:03:32            
  1 wir 00:40:96:29:02:88                                  00:01:15            
[MikroTik] interface prism>

Argument description for the registration-table entry:

mac-address - mac address of the registered client
interface - interface that client is registered to
signal - signal level
silence - silence level
rate - current rate
uptime - how long client is connected

The monitor command gives additional per-client statistics:

[MikroTik] interface prism> registration-table monitor 0                       
        packets: 13,2                          
          bytes: 0,616                         
            bps: 0.0bps/0.0bps,0.0bps/4.10kbps 
            pps: 0/1,0/1                       
         signal: 171/186/195                   
        silence: 0/0/0                         
           rate: 11/11/11                      
    last-update: 00:00:02                      
         uptime: 00:09:01                      

[MikroTik] interface prism>

Access List

The access list is used by the access point to restrict associations of clients. This list contains MAC address of client and associated action to take when client attempts to connect. Association procedure is as follows: when a new client wants to associate to AP that is configured on interface prismX, entry with clients MAC address and interface prismX is looked up in access-list. If such entry is found, action specified in it is taken. Otherwise default-access-action of interface prismX is taken.

Ta add an access list entry for MAC address 00:40:96:37:71:1E, use command:

[MikroTik] interface prism access-list> add allow=yes interface=wireless \
mac-address=00:40:96:37:71:1E
[MikroTik] interface prism access-list> print
Flags: X - disabled, I - invalid 
  #   MAC-ADDRESS       ALLOW INTERFACE                                        
  0   00:40:96:37:71:1E yes   wireless                                         
[MikroTik] interface prism access-list>

Argument description:

allow - (yes|no) - accept this client when it tries to connect or not
interface - AP interface
mac-address - MAC address of the client

If you have default access action for the interface set to 'allow', you can disallow this node to register at the AP's interface 'wireless' by changing the 'allow' argument value to 'no':

[MikroTik] interface prism access-list> .. print                               
Flags: X - disabled 
  0   name=wireless mtu=1500 mac-address=00:03:C0:00:06:72 arp=enabled 
      mode=access-point frequency=2442MHz ssid=mt client-name=MT_Prism 
      max-associations=250 hide-ssid=no supported-rates=1-11 basic-rates=1-2 
      fragmentation-threshold=2346 rts-threshold=2432 
      default-access-action=allow 

[MikroTik] interface prism access-list> set 0 allow=no                         
[MikroTik] interface prism access-list> print                                  
Flags: X - disabled, I - invalid 
  #   MAC-ADDRESS       ALLOW INTERFACE                                        
  0   00:40:96:37:71:1E no    wireless                                         
[MikroTik] interface prism access-list>

Thus, all nodes except this one will be able to register to the interface 'wireless'.

If you have default access action for the interface set to 'deny', you can allow this node to register at the AP's interface 'wireless' by changing the 'allow' argument value to back 'yes':

[MikroTik] interface prism access-list> .. print                               
Flags: X - disabled 
  0   name=wireless mtu=1500 mac-address=00:03:C0:00:06:72 arp=enabled 
      mode=access-point frequency=2442MHz ssid=mt client-name=MT_Prism 
      max-associations=250 hide-ssid=no supported-rates=1-11 basic-rates=1-2 
      fragmentation-threshold=2346 rts-threshold=2432 
      default-access-action=deny 

[MikroTik] interface prism access-list> set 0 allow=yes 
[MikroTik] interface prism access-list> print                                  
Flags: X - disabled, I - invalid 
  #   MAC-ADDRESS       ALLOW INTERFACE                                        
  0   00:40:96:37:71:1E yes   wireless                                         
[MikroTik] interface prism access-list>

Wireless Troubleshooting

The prism interface does not show up under the interfaces list
Obtain the required license for 2.4GHz wireless feature.
The access-list has entries restricting the registration, but the node is still registered.
Set some parameter of the prism interface to get all nodes re-register.
The wireless card does not register to the AP
Check the cabling and antenna alignment.

Wireless Network Applications

Two possible wireless network configurations are discussed in the following examples:

Wireless Client
Wireless Access Point

Wireless Client

Let us consider the following point-to-multipoint network setup with CISCO/Aironet Wireless Access Point as a base station and MikroTik Wireless Router as a client:

Wireless Client

The access point is connected to the wired network's HUB and has IP address from the network 10.1.1.0/24. The minimum configuration required for the AP is:

Setting the Service Set Identifier (up to 32 alphanumeric characters). In our case we use ssid "mt".
Setting the allowed data rates at 1-11Mbps, and the basic rate at 1Mbps.
Choosing the frequency, in our case we use 2442MHz.
Setting the identity parameters: ip address/mask and gateway. These are required if you want to access the AP remotely using telnet or http.

The minimum configuration for the MikroTik router's prism wireless interface is:

Setting the Service Set Identifier to that of the AP, i.e., "mt"
The Operation Mode should be "station". If it was previously 'access-point', you should reboot the router after setting it to 'station'!

[MikroTik] interface prism> set 0 ssid=mt                                      
[MikroTik] interface prism> monitor 0
                bssid: 00:40:96:37:71:1E 
    current-frequency: 2442MHz           
       signal-quality: 92                
         signal-level: 195               
          noise-level: 0                 
         current-rate: 8                 
               status: connected         

[MikroTik] interface prism>

The IP addresses assigned to the wireless interface should be from the network 10.1.1.0/24, e.g.:

[MikroTik] ip address> add address=10.1.1.12/24 interface=prism1               
[MikroTik] ip address> print                                                   
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.1.1.12/24       10.1.1.0        10.1.1.255      prism1                
  1   192.168.0.254/24   192.168.0.254   192.168.0.254   ether1                
[MikroTik] ip address>

The default route should be set to the gateway router 10.1.1.254 (not the AP 10.1.1.250 !):

[MikroTik] ip route> add gateway=10.1.1.254
[MikroTik] ip route> print                                                     
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE           DST-ADDRESS        GATEWAY        DISTANCE INTERFACE     
  0    static         0.0.0.0/0          10.1.1.254     1        prism1        
  1 D  connect        10.1.1.0/24        0.0.0.0        0        prism1        
  2 D  connect        192.168.0.254/24   0.0.0.0        0        ether1        
[MikroTik] ip route>

Note! You cannot use the bridging function between the prism and ethernet interfaces, if the prism interface is in the station mode. The bridge does not work in this case!

Wireless Access Point

Let us consider the following point-to-point wireless network setup with two MikroTik Wireless Routers:

Access Point

To make the MikroTik router work as an access point, the configuration of the prism wireless interface should be as follows:

A unique Service Set Identificator should be chosen, say "mt"
A frequency should be selected for the link, say 2442MHz
The operation mode should be set to 'access-point'

The following command should be issued to change the settings for the prism interface:

[MT_Prism_AP] interface prism> set 0 mode=access-point frequency=2442MHz       
[MT_Prism_AP] interface prism> print                                           
Flags: X - disabled 
  0   name=prism1 mtu=1500 mac-address=00:03:C0:00:06:72 arp=enabled 
      mode=access-point frequency=2442MHz ssid=mt client-name= 
      max-associations=250 hide-ssid=no supported-rates=1-11 basic-rates=1-2 
      fragmentation-threshold=2346 rts-threshold=2432 
      default-access-action=allow 

[MT_Prism_AP] interface prism> monitor 0                                       
                bssid: 00:03:C0:00:06:72 
    current-frequency: 2442MHz           
               status: ap-mode           

[MT_Prism_AP] interface prism>

The list of registered clients looks like follows:

[MT_Prism_AP] interface prism> registration-table print                        
  # INT MAC-ADDRESS       SIGNAL     SILENCE    RATE       UPTIME              
  0 pri 00:40:96:29:02:88 210        0          11         00:12:50            
  1 pri 00:40:96:37:71:1E 192        0          11         00:00:35            
[MT_Prism_AP] interface prism>

There are two possible ways of implementing the wireless access point feature:

Use it as a pure access point with bridging function enabled between the ethernet and prism interfaces. The IP address can be assigned to the bridge interface.
Use it as a wireless access point router with routing functionality between the ethernet and prism interfaces. It requires IP addresses assigned to both the ethernet and prism interfaces. The addresses should be from different networks!

To enable bridging between the ethernet and prism interfaces, do the following:

Change the bridge settings for the desired protocols:

[MT_Prism_AP] bridge> set ip=forward arp=forward other=forward 
[MT_Prism_AP] bridge> print                                                    
           ip: forward
          ipx: discard
    appletalk: discard
         ipv6: discard
          arp: forward
        other: forward
     priority: 1
[MT_Prism_AP] bridge>

Enable bridging for the desired interfaces:

[MT_Prism_AP] bridge interface> print                                          
  # INTERFACE                                                           FORWARD
  0 ether1                                                              no     
  1 prism1                                                              no     
[MT_Prism_AP] bridge interface> set ether1 forward=yes
[MT_Prism_AP] bridge interface> set prism1 forward=yes                         
[MT_Prism_AP] bridge interface> print                                      
  # INTERFACE                                                           FORWARD
  0 ether1                                                              yes     
  1 prism1                                                              yes    
[MT_Prism_AP] bridge interface>

Enable the bridge interface and assign an IP address to it:

[MT_Prism_AP] interface> print                                                 
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  1 X bridge1              1500  bridge                                        
  2   prism1               1500  prism                                         
[MT_Prism_AP] interface> enable 1                                              
[MT_Prism_AP] interface> print                                                 
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  1   bridge1              1500  bridge                                        
  2   prism1               1500  prism                                         
[MT_Prism_AP] interface>

Assign an IP address to the bridge interface and specify the default gateway for the access point:

[MT_Prism_AP] ip address> add address=10.1.1.250/24 interface=bridge1
[MT_Prism_AP] ip address> print                                                
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.1.1.250/24      10.1.1.0        10.1.1.255      bridge1               
[MT_Prism_AP] ip address> .. route add gateway=10.1.1.254
[MT_Prism_AP] ip address> .. route print                                       
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE           DST-ADDRESS        GATEWAY        DISTANCE INTERFACE     
  0    static         0.0.0.0/0          10.1.1.254     1        bridge1       
  1 D  connect        10.1.1.0/24        0.0.0.0        0        bridge1       
[MT_Prism_AP] ip address>

The client router requires the System Service Identificator set to "mt". The IP addresses assigned to the interfaces should be from networks 10.1.1.0/24 and 192.168.0.0./24:

[MikroTik] ip address> print                                                
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.1.1.12/24       10.1.1.0        10.1.1.255      aironet                
  1   192.168.0.254/24   192.168.0.0     192.168.0.255   Local                
[MikroTik] ip address>

The default route should be set to gateway 10.1.1.254 for the router [MikroTik].

to the contents