MikroTik RouterOS™ V2.5 Reference Manual

Document revision 06-Aug-2002
This document applies to the MikroTik RouterOS™ V2.5


Basic Software Reference

Software Technical Reference and Application Examples



© Copyright 1999-2002, MikroTik

MikroTik RouterOS V2.5 Basic Setup Guide

Document revision 28-Mar-2002
This document applies to the MikroTik RouterOS V2.5

The Guide describes the basic steps of installing and configuring a dedicated PC router running MikroTik RouterOS: downloading and installing the software, obtaining the software license, logging in and navigating the terminal console, configuring interfaces, addresses and the default route, testing connectivity, application examples for masquerading, bandwidth management and NAT, remote access with a web browser and the WinBox Console, and adding software packages and licenses.

Downloading and Installing the MikroTik RouterOS

The download and installation of the MikroTik RouterOS consists of the following steps:

1. Download the basic installation archive file.

Depending on the media you intend to install from, choose the matching installation archive (CD image or floppy set) for downloading.

Note! The installation from CD requires Full (paid) License. If you intend to obtain the Free Demo License, you should use the floppy installation media.

2. Create the installation media

Use the appropriate installation archive to create the Installation CD or floppies.

3. Install the MikroTik RouterOS software.

Boot up your dedicated PC router from the installation media you created and follow the instructions on the console screen. The installation reformats the router's HDD, erasing everything on it, and installs MikroTik RouterOS.

After successful installation please remove the installation media from your CD or floppy disk drive and hit 'Enter' to reboot the router. While the router will be starting up for the first time you will be given a Software ID for your installation and asked to supply a valid software license key (Software Key) for it. Write down the Software ID. You will need it to obtain the Software License through the MikroTik Account Server.

If you need extra time to obtain the Software License Key, you can power off the router. Press Ctrl-Alt-Del to shut the router down properly and reboot it, then power it off while the BIOS is doing its memory check.

Obtaining the Software License

The MikroTik RouterOS software licensing process consists of the following steps:

After installing the router and starting it up for the first time you will be given a Software ID.

  1. Write down the Software ID reported by the RouterOS.
  2. If you already have an account with MikroTik, go on to the next step.
    If you do not have an account at www.mikrotik.com, press the 'New' button in the upper right-hand corner of the MikroTik web page to create one.

    You will be presented with the Account Sign-Up Form, where you choose your account name and fill in the required information.

  3. To obtain the Software License Key, log on to your account at www.mikrotik.com by entering your account name and password (upper right-hand corner of the web page).

  4. After logging on to the Account Server select "Free Demo License" or "Order Software License" in the Account Menu.
    Note! The CD installation cannot be 'unlocked' with the Free Demo Key. Use the floppy installation or purchase the License Key.
  5. The Software Key will be sent to the email address specified in your account setup.
  6. Read your email and enter the Software Key at the router's console, for example:
    Software ID: 5T4V-IUT
    Software key: 4N7X-UZ8-6SP
    

Instead of entering the license key you can enter 'shutdown' to shut down the router and enter the license key later, or enter 'display' to read the License Agreement, or 'help' to see a help message.

After entering the correct Software License Key you will be presented with the MikroTik Router's login prompt.

Logging into the MikroTik Router

When logging into the router via terminal console, you will be presented with the MikroTik RouterOS login prompt. Use 'admin' and no password (hit 'Enter') for logging on to the router for the first time, for example:

MikroTik v2.5
Login: admin
Password: 

The password can be changed with the '/password' command. The default 'admin' account has no password, and the same user name and password are accepted on the router's web page and by the Winbox Console once the router has an IP address, so set a password before connecting the router to any network.

Navigating the Terminal Console

After logging into the router you will be presented with the MikroTik RouterOS Welcome Screen and command prompt, for example:


  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

Mikrotik RouterOS v2.5 (c) 1999-2001       http://www.mikrotik.com/
[MikroTik] >                                                                   

The command prompt shows the identity name of the router and the current menu level, for example:

[MikroTik] >                Base level menu
[MikroTik] interface>       Interface configuration
[MikroTik] ip address>      IP Address management                                         

The list of available commands at any menu level can be obtained by entering the question mark '?', for example:

[MikroTik] > ?
     bridge  Bridge settings
     driver  Driver management
     export  print configuration as set of router commands
       file  Local router file storage.
     import  Run exported configuration script
  interface  Interface configuration
         ip  IP protocol settings
        log  System logs
   password  Change password
       ping  Send ICMP Echo packets
       port  Serial ports
      queue  Bandwidth management
       quit  Quit console
       redo  Redo previously undone action
    routing  Routing protocol configuration
      setup  Do basic setup of system
       snmp  snmp settings
     system  System information and utilities
       tool  Diagnostics tools
       undo  Undo previous action
       user  User management

[MikroTik] > ip ?
      accounting  Traffic accounting
         address  Address management
             arp  ARP entries management
     dhcp-client  DHCP client settings
     dhcp-server  DHCP server settings
             dns  DNS settings
          export  print configuration as set of router commands
        firewall  Firewall management
        neighbor  Neighbour discovery
         packing  IP Packet Packing setup
  policy-routing  Policy routing setup
             ppp  PPP general settings
           queue  Bandwidth management
           route  Route management
         service
[MikroTik] >

The list of available commands and menus has short descriptions next to the items. You can move to the desired menu level by typing its name and hitting the [Enter] key, for example:

[MikroTik]>                      Base level menu
[MikroTik]> driver               Enter 'driver' to move to the driver level menu
[MikroTik] driver> /             Enter '/' to move to the base level menu from any level 
[MikroTik]> interface            Enter 'interface' to move to the interface level menu
[MikroTik] interface> /ip        Enter '/ip' to move to the IP level menu from any level
[MikroTik] ip>

A command or an argument does not need to be typed in full if it is not ambiguous. For example, instead of typing 'interface' you can type just 'in' or 'int'. To complete a command use the [Tab] key.

The commands may be invoked from the menu level where they are located by typing their names. If the command is in a different menu level than the current one, invoke it by its full or relative path, for example:

[MikroTik] ip route> print                  Prints the routing table
[MikroTik] ip route> .. address print       Prints the IP address table           
[MikroTik] ip route> /ip address print      Prints the IP address table       

The commands may have arguments. Arguments have names and values; some required arguments are given by value alone, without a name. Below is a summary of executing the commands and moving between the menu levels:

       Command                               Action
command [Enter]      Execute the command
[?]                  Show the list of all available commands
command [?]          Display help on the command and the list of arguments
command argument [?] Display help on the command's argument
[Tab]                Complete the command/word. If the input is ambiguous, a
                     second [Tab] gives possible options
/                    Move up to the base level
/command             Execute the base level command
..                   Move up one level
""                   Enter an empty string
"word1 word2"        Enter 2 words that contain a space

You can abbreviate names of levels, commands and arguments.

For the IP address configuration, instead of using the 'address' and 'netmask' arguments, in most cases you can specify the address together with the number of bits in the network mask, i.e., there is no need to specify the 'netmask' separately. Thus, the following two entries would be equivalent:

/ip address add address 10.0.0.1/24 interface ether1
/ip address add address 10.0.0.1 netmask 255.255.255.0 interface ether1

However, if the netmask argument is not specified, you must give the size of the network mask in the address argument, even for a single host, i.e., use 10.0.0.1/32 for the address 10.0.0.1 with netmask 255.255.255.255.

Working with Interfaces

Before configuring the IP addresses and routes please check the '/interface' menu to see the list of available interfaces. If you have PCI Ethernet cards installed in the router, it is most likely that the device drivers have been loaded for them automatically, and the relevant interfaces appear on the '/interface print' list, for example:

[MikroTik] interface> print                                                    
Flags: X - disabled, D - dynamic 
  #   NAME                 TYPE             MTU  
  0 X ether1               ether            1500 
[MikroTik] interface>                                                          

The device drivers for NE2000 compatible ISA cards need to be loaded using the 'add' command under the '/driver' menu. For example, to load the driver for a card at IO address 0x280 (IRQ 5), it is enough to give the IO address:

[MikroTik] driver> add name=ne2k-isa io=0x280                                       
[MikroTik] driver> print                                                       
Flags: I - invalid, D - dynamic 
  #   DRIVER                            IRQ IO         MEMORY     ISDN-PROTOCOL
  0 D PCI NE2000                                                               
  1   ISA NE2000                            280                                
[MikroTik] driver>                                                             

The interfaces need to be enabled, if you want to use them for communications. Use the '/interface enable name' command to enable the interface with a given name, for example:

[MikroTik] interface> print                                                    
Flags: X - disabled, D - dynamic 
  #   NAME                 TYPE             MTU  
  0 X ether1               ether            1500 
  1 X ether2               ether            1500 
[MikroTik] interface> enable 0                                                  
[MikroTik] interface> enable ether2                                             
[MikroTik] interface> print                                                    
Flags: X - disabled, D - dynamic 
  #   NAME                 TYPE             MTU  
  0   ether1               ether            1500 
  1   ether2               ether            1500 
[MikroTik] interface>

You can use the number or the name of the interface in the 'enable' command.

The interface name can be changed to a more descriptive one by using the '/interface set' command:

[MikroTik] interface> set 0 name=Public                                            
[MikroTik] interface> set 1 name=Local                                         
[MikroTik] interface> print                                                    
Flags: X - disabled, D - dynamic 
  #   NAME                 TYPE             MTU  
  0   Public               ether            1500 
  1   Local                ether            1500 
[MikroTik] interface> 

Use of the 'setup' Command

The initial setup of the router can be done by using the '/setup' command which enables an interface, assigns an address/netmask to it, and configures the default route. If you do not use the setup command, or need to modify/add the settings for addresses and routes, please follow the steps described below.

Adding Addresses

Assume you need to configure the MikroTik router for the following network setup: the router's 'Local' interface connects to the private LAN 192.168.0.0/24, where the router has the address 192.168.0.254, and its 'Public' interface connects to the ISP's network 10.0.0.0/24, where the router has the address 10.0.0.217 and the ISP's gateway is 10.0.0.1.

Please note that the addresses assigned to different interfaces of the router must belong to different networks. In the current example we use two networks, 192.168.0.0/24 on 'Local' and 10.0.0.0/24 on 'Public'.

The addresses can be added and viewed using the following commands:

[MikroTik] ip address> add address 192.168.0.254/24 interface Local
[MikroTik] ip address> add address 10.0.0.217/24 interface Public
[MikroTik] ip address> print                                                   
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.0.0.217/24      10.0.0.0        10.0.0.255      Public                
  1   192.168.0.254/24   192.168.0.0     192.168.0.255   Local                 
[MikroTik] ip address>                                                         

Here, the network mask has been specified in the value of the address argument. Alternatively, the argument 'netmask' could have been used with the value '255.255.255.0'. The network and broadcast addresses were not specified in the input since they could be calculated automatically.

Configuring the Default Route

You can see two dynamic (D) and connected (C) routes, which have been added automatically when the addresses were added:

[MikroTik] ip route> print                                                     
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE               
    0 DC 192.168.0.0/24     r 0.0.0.0         0        Local                   
    1 DC 10.0.0.0/24        r 0.0.0.0         0        Public                  
[MikroTik] ip route> print detail                                              
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    0 DC dst-address=192.168.0.0/24 preferred-source=192.168.0.254 
         gateway=0.0.0.0 distance=0 interface=Local gateway-state=reachable 

    1 DC dst-address=10.0.0.0/24 preferred-source=10.0.0.217 gateway=0.0.0.0 
         distance=0 interface=Public gateway-state=reachable 

[MikroTik] ip route>

These routes show that IP packets destined to 10.0.0.0/24 are sent through the interface Public, whereas IP packets destined to 192.168.0.0/24 are sent through the interface Local. However, you need to specify where the router should forward packets whose destination is not in a network directly connected to the router. This is done by adding the default route (destination 0.0.0.0, netmask 0.0.0.0). In this case the next hop is the ISP's gateway 10.0.0.1, which can be reached through the interface Public:

[MikroTik] ip route> add gateway=10.0.0.1       
[MikroTik] ip route> print                                                     
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE               
    0  S 0.0.0.0/0          r 10.0.0.1        1        Public                  
    1 DC 192.168.0.0/24     r 0.0.0.0         0        Local                   
    2 DC 10.0.0.0/24        r 0.0.0.0         0        Public                  
[MikroTik] ip route>  

Here, the default route is listed under #0. As we see, the gateway 10.0.0.1 is reachable through the interface 'Public'. If the gateway were not within a network connected to the router, the value for 'interface' would be shown as unknown and the route could not be used. Note that you cannot add two routes to the same destination (destination-address/netmask), and this applies to the default route as well. Instead, you can enter multiple gateways for one destination. For more information on IP routes, please read the relevant topic in the Manual.

If you have added an unwanted static route by accident, use the 'remove' command to delete it. Do not remove the dynamic (D) routes! They are added automatically and should not be deleted by hand; if you happen to, reboot the router and the route will show up again.
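The following Python program is an added example, not MikroTik's code or RouterOS output. It models what the sections on adding addresses and configuring the default route describe: both '/ip address add' forms (address/bits, or address plus netmask) with the rule that a bare address without any mask is rejected, the network and broadcast addresses and the dynamic connected route derived from each address, the check that a static route's gateway lies inside a connected network (otherwise its interface is unknown and the route is unusable), the refusal of a second route to the same destination, and the longest-prefix lookup that decides which interface and gateway a packet is sent to. The interface names and addresses are the manual's; the Internet destination 198.51.100.7 is a constructed example address.

```python
"""Added example, not MikroTik's code: a model of address entry, connected
routes, default-route gateway resolution and route lookup as the manual
describes them.  Addresses follow the manual's example network."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None for a connected route
    distance: int
    interface: Optional[str]                    # None is what the console prints as '(unknown)'
    flags: str                                  # 'DC' dynamic connected, 'S' static


@dataclass
class Router:
    addresses: List[Tuple[ipaddress.IPv4Interface, str]] = field(default_factory=list)
    routes: List[Route] = field(default_factory=list)

    def add_address(self, address: str, interface: str, netmask: Optional[str] = None):
        """Accepts '10.0.0.1/24' or address='10.0.0.1' with netmask='255.255.255.0'.
        A bare address with neither /bits nor netmask is rejected: the manual
        requires /32 to be written out explicitly for a single host."""
        if netmask is not None:
            if "/" in address:
                raise ValueError("use either /bits or netmask=, not both")
            iface_addr = ipaddress.IPv4Interface(f"{address}/{netmask}")
        elif "/" in address:
            iface_addr = ipaddress.IPv4Interface(address)
        else:
            raise ValueError(f"{address}: mask size required (write {address}/32 for a host)")
        self.addresses.append((iface_addr, interface))
        # RouterOS adds the connected route itself; it shows up with flags DC.
        self.routes.append(Route(iface_addr.network, None, 0, interface, "DC"))
        return iface_addr

    def address_table(self):
        """Rows as '/ip address print' shows them: address, network, broadcast, interface."""
        return [(str(a), str(a.network.network_address),
                 str(a.network.broadcast_address), i) for a, i in self.addresses]

    def resolve_gateway(self, gateway: str) -> Optional[str]:
        """The interface through which a gateway is directly reachable, if any."""
        gw = ipaddress.IPv4Address(gateway)
        for r in self.routes:
            if r.gateway is None and gw in r.dst:
                return r.interface
        return None

    def add_route(self, gateway: str, dst: str = "0.0.0.0/0", distance: int = 1):
        """Static route; dst defaults to the default route 0.0.0.0/0.
        A second route to the same destination is refused, as the manual says."""
        network = ipaddress.IPv4Network(dst)
        if any(r.flags == "S" and r.dst == network for r in self.routes):
            raise ValueError(f"route to {network} exists; add another gateway to it instead")
        iface = self.resolve_gateway(gateway)
        self.routes.append(Route(network, ipaddress.IPv4Address(gateway), distance, iface, "S"))
        return iface

    def lookup(self, dst: str):
        """Longest prefix match over usable routes; lower distance wins a tie.
        Returns (interface, next hop) or None when no route matches."""
        addr = ipaddress.IPv4Address(dst)
        usable = [r for r in self.routes if r.interface is not None and addr in r.dst]
        if not usable:
            return None
        best = max(usable, key=lambda r: (r.dst.prefixlen, -r.distance))
        return best.interface, ("direct" if best.gateway is None else str(best.gateway))


def demo():
    """The manual's setup: Local 192.168.0.254/24, Public 10.0.0.217/24, ISP gateway 10.0.0.1."""
    r = Router()
    r.add_address("192.168.0.254/24", "Local")
    r.add_address("10.0.0.217", "Public", netmask="255.255.255.0")   # same as 10.0.0.217/24
    out = {"addresses": r.address_table()}
    try:
        r.add_address("10.0.0.1", "Public")           # no mask at all
        out["bare_rejected"] = False
    except ValueError:
        out["bare_rejected"] = True
    out["before_default"] = r.lookup("198.51.100.7")  # constructed Internet address
    out["unreachable_gateway"] = r.resolve_gateway("172.16.0.1")   # in no connected network
    out["default_iface"] = r.add_route("10.0.0.1")    # ISP gateway, reachable through Public
    out["lan"] = r.lookup("192.168.0.1")
    out["isp"] = r.lookup("10.0.0.4")
    out["internet"] = r.lookup("198.51.100.7")
    try:
        r.add_route("10.0.0.2")                       # a second default route
        out["duplicate_rejected"] = False
    except ValueError:
        out["duplicate_rejected"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints the address table with the same network and broadcast values as '/ip address print', the interface resolved for the ISP gateway, and the lookups for a LAN host, a host on the ISP's network and an Internet address; the Internet lookup is None until the default route has been added, which is the situation the ping tests in the next section start from.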

Testing the Network Connectivity

From now on, the '/ping' command can be used to test the network connectivity on both interfaces. You can reach any host on both connected networks from the router:

[MikroTik] ip route> /ping 10.0.0.4                                            
10.0.0.4 64 byte pong: ttl=255 time=7 ms
10.0.0.4 64 byte pong: ttl=255 time=5 ms
10.0.0.4 64 byte pong: ttl=255 time=5 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 5/5.6/7 ms
[MikroTik] ip route> 
[MikroTik] ip route> /ping 192.168.0.1
192.168.0.1 64 byte pong: ttl=255 time<1 ms
192.168.0.1 64 byte pong: ttl=255 time<1 ms
192.168.0.1 64 byte pong: ttl=255 time<1 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0/0.0/0 ms
[MikroTik] ip route> 

If the router's address 192.168.0.254 is specified as the default gateway in the TCP/IP configuration of the workstation and the laptop, they can ping both of the router's addresses, but not hosts beyond the router:

C:\>ping 192.168.0.254
Reply from 192.168.0.254: bytes=32 time=10ms TTL=253
Reply from 192.168.0.254: bytes=32 time<10ms TTL=253
Reply from 192.168.0.254: bytes=32 time<10ms TTL=253

C:\>ping 10.0.0.217
Reply from 10.0.0.217: bytes=32 time=10ms TTL=253
Reply from 10.0.0.217: bytes=32 time<10ms TTL=253
Reply from 10.0.0.217: bytes=32 time<10ms TTL=253

C:\>ping 10.0.0.4
Request timed out.
Request timed out.
Request timed out.

C:\>

You cannot reach anything beyond the router (the network 10.0.0.0/24 and the Internet) from the LAN, because the hosts there have no route back to the private network 192.168.0.0/24: the replies to the pings are addressed to a network the ISP's hosts and routers do not know. Either the ISP's network must be given a route to 192.168.0.0/24 through 10.0.0.217, or the router must hide the LAN behind its public address, as described below.

To set up routing, it is required that you have some knowledge of configuring TCP/IP networks. There is a comprehensive list of IP resources compiled by Uri Raz at http://www.private.org.il/tcpip_rl.html We strongly recommend that you obtain more knowledge if you have difficulties configuring your network setups.

The next section describes hiding the private LAN 192.168.0.0/24 behind the one address 10.0.0.217 given to you by the ISP.

Application Example with Masquerading

If you want to hide the private LAN 192.168.0.0/24 behind the one address 10.0.0.217 given to you by the ISP, use the source network address translation (masquerading) feature of the MikroTik router. With masquerading, all requests from the LAN to the ISP's network and the Internet appear to come from the host 10.0.0.217 on the ISP's network: the router changes the source IP address and port of the packets originating from 192.168.0.0/24 to its own address 10.0.0.217 as it routes them, and changes them back on the replies.

Masquerading conserves the number of global IP addresses required and lets the whole network use a single IP address in its communication with the world.

To use masquerading, a source NAT rule with action 'masquerade' should be added to the firewall configuration:

[MikroTik] ip firewall src-nat> add action=masquerade out-interface=Public     
[MikroTik] ip firewall src-nat> print                                          
Flags: X - disabled, I - invalid 
  0   src-address=0.0.0.0/0:0-65535 dst-address=0.0.0.0/0:0-65535 
      out-interface=Public protocol=all icmp-options=any:any flow="" 
      limit-count=0 limit-burst=0 limit-time=0s action=masquerade 
      to-src-address=0.0.0.0 to-src-port=0-65535 bytes=0 packets=0 

[MikroTik] ip firewall src-nat>                                                

Please consult the Firewall Manual for more information on masquerading. As printed, the rule matches any source address (src-address=0.0.0.0/0); adding src-address=192.168.0.0/24 to it restricts the translation to packets from the LAN.

Note! In MikroTik RouterOS V2.3 and 2.4, masquerading was implemented as a firewall rule with action 'masq' in the forward chain.

Application Example with Bandwidth Management

Mikrotik RouterOS V2.5 offers more extensive queue management as compared to V2.4. However, the 'V2.4 type' queue setup is still there, and it will be discussed in the example below. For information on extensive queue management, please refer to the relevant manual.

Assume you want to limit the bandwidth to 128kbps on downloads and 64kbps on uploads for all hosts on the LAN. Bandwidth limitation is done by applying queues for outgoing interfaces regarding the traffic flow. It is enough to add two queues at the MikroTik router:

[MikroTik] queue simple> add interface Local limit-at 128000
[MikroTik] queue simple> add interface Public limit-at 64000                   
[MikroTik] queue simple> print                                                 
Flags: X - disabled, I - invalid 
  0   name="" src-address=0.0.0.0/0 dst-address=0.0.0.0/0 limit-at=128000 
      queue=default priority=8 bounded=yes interface=Local 

  1   name="" src-address=0.0.0.0/0 dst-address=0.0.0.0/0 limit-at=64000 
      queue=default priority=8 bounded=yes interface=Public 

[MikroTik] queue simple> 

Leave all other parameters as set by default. The limit is approximately 128kbps going to the LAN and 64kbps leaving the client's LAN. Please note, that the queues have been added for the outgoing interfaces regarding the traffic flow.

Please consult the Queues Manual for more information on bandwidth management and queuing.
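As an added example (not MikroTik's code, and a simplified model rather than a description of the RouterOS queue implementation), the following Python program uses a token bucket per outgoing interface to show the point made above: a queue limits the traffic that leaves the router through its interface, so the download limit belongs on 'Local' and the upload limit on 'Public'. A router with no queues is included for comparison. Addresses are the manual's; packet sizes and timing are constructed, and bounded=yes is modelled simply as dropping what exceeds the rate.

```python
"""Added example, not MikroTik's code: a token-bucket model of two simple
queues, showing that a queue on an interface limits the traffic leaving the
router through that interface.  Addresses are the manual's; packet sizes and
timing are constructed.  'Drop what exceeds the rate' is a simplification; a
real queue also buffers some packets before dropping."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class TokenBucket:
    limit_at: int          # bits per second, as limit-at in '/queue simple'
    tokens: int = 0        # starts empty, so one simulated second shows the steady rate
    last_ms: int = 0

    def admit(self, now_ms: int, size_bytes: int) -> bool:
        # integer refill; the bucket never holds more than one second's worth of bits
        self.tokens = min(self.limit_at, self.tokens + self.limit_at * (now_ms - self.last_ms) // 1000)
        self.last_ms = now_ms
        if self.tokens >= size_bytes * 8:
            self.tokens -= size_bytes * 8
            return True
        return False


@dataclass
class QueuedRouter:
    lan: str = "192.168.0.0/24"
    queues: Dict[str, TokenBucket] = field(default_factory=dict)

    def add_simple_queue(self, interface: str, limit_at: int):
        self.queues[interface] = TokenBucket(limit_at)

    def out_interface(self, dst: str) -> str:
        """Stands in for the routing table: LAN addresses leave via Local, all else via Public."""
        return "Local" if ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(self.lan) else "Public"

    def send(self, now_ms: int, dst: str, size_bytes: int) -> Optional[str]:
        """The interface the packet leaves on, or None if that interface's queue dropped it."""
        out = self.out_interface(dst)
        queue = self.queues.get(out)
        if queue is None or queue.admit(now_ms, size_bytes):
            return out
        return None


def offer(router: QueuedRouter, dst: str, packets: int = 200, size: int = 1500) -> Tuple[Optional[str], int]:
    """Offer `packets` packets of `size` bytes spread evenly over one second
    (2.4 Mbit/s with the defaults); return (interface used, bits that got through)."""
    passed, via = 0, None
    for i in range(packets):
        out = router.send(i * 1000 // packets, dst, size)
        if out is not None:
            passed += size * 8
            via = out
    return via, passed


def demo():
    limited = QueuedRouter()
    limited.add_simple_queue("Local", 128000)    # caps what flows towards the LAN (downloads)
    limited.add_simple_queue("Public", 64000)    # caps what flows out of the LAN (uploads)
    unlimited = QueuedRouter()
    return {
        "download": offer(limited, "192.168.0.5"),   # from the ISP side to a LAN host
        "upload": offer(limited, "10.0.0.4"),        # from a LAN host to the ISP's server
        "no_queue": offer(unlimited, "192.168.0.5"),
    }


if __name__ == "__main__":
    for direction, (via, bits) in demo().items():
        print(f"{direction}: {bits} bit/s via {via}")
```

With the bucket starting empty, one simulated second lets through just under each limit (the last partial packet is dropped, so the figure lands a little below limit-at), and the same offered load passes unthrottled when no queue is attached; swapping the two limit-at values would throttle the wrong direction, which is the mistake the sentence about outgoing interfaces warns against.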

Application Example with NAT

Assume we have moved the server of the previous examples from the public network to the local one.

The server's address is now 192.168.0.4, and we are running a web server on it that listens on TCP port 80. We want to make it accessible from the Internet at address:port 10.0.0.217:80. This can be done by means of static network address translation (NAT) at the MikroTik router: the public address:port 10.0.0.217:80 is translated to the local address:port 192.168.0.4:80. One destination NAT rule is required for translating the destination address and port:

[MikroTik] ip firewall dst-nat> 
add action=nat protocol=tcp \
dst-address=10.0.0.217/32:80 to-dst-address=192.168.0.4
[MikroTik] ip firewall dst-nat> print                                          
Flags: X - disabled, I - invalid 
  0   src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=10.0.0.217/32:80 protocol=tcp icmp-options=any:any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=nat to-dst-address=192.168.0.4 to-dst-port=0-65535 
      bytes=0 packets=0 

[MikroTik] ip firewall dst-nat> 

Please consult the Firewall Manual for more information on NAT. Note that the rule as printed accepts connections from any source on any interface (src-address=0.0.0.0/0, in-interface=all), and that the server's replies are translated back only if they pass through the router, so 192.168.0.254 must be the server's default gateway.
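As an added example (not MikroTik's code, and a simplified model rather than a description of the RouterOS implementation), the following Python program traces packets through the two rules of the masquerading and NAT sections: the src-nat rule on out-interface=Public with action masquerade, restricted here to src-address=192.168.0.0/24, and the dst-nat rule translating 10.0.0.217:80 to 192.168.0.4:80. It keeps the connection state the router needs to map replies back, shows how two LAN hosts that use the same source port are told apart behind the single address 10.0.0.217, and shows that a packet to a router port without a dst-nat rule reaches the router itself untranslated. Host addresses are the manual's; the client port numbers are constructed.

```python
"""Added example, not MikroTik's code: a model of masquerading and destination
NAT with the connection tracking that maps the replies back.  Addresses are the
manual's (LAN 192.168.0.0/24, router 10.0.0.217 on Public, server 192.168.0.4);
client port numbers are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Packet":
        """The 5-tuple that a reply to this packet carries."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


class NatRouter:
    def __init__(self, own_addresses: Dict[str, str], default_interface: str):
        # interface name -> the router's own address on it, e.g. "10.0.0.217/24"
        self.own = {n: ipaddress.IPv4Interface(a) for n, a in own_addresses.items()}
        self.default_interface = default_interface
        self.masquerade = {}            # out-interface -> matched source network (None = any source)
        self.dst_nat = {}               # (proto, dst address, dst port) -> to-dst-address
        self.conntrack: Dict[Packet, Packet] = {}   # reply as it arrives -> reply as it must leave
        self.in_use = set()             # (proto, address, port) taken by a masqueraded connection
        self.spare_ports = count(1024)

    def add_masquerade(self, out_interface: str, src_address: Optional[str] = None):
        self.masquerade[out_interface] = ipaddress.IPv4Network(src_address) if src_address else None

    def add_dst_nat(self, proto: str, dst_address: str, dst_port: int, to_dst_address: str):
        self.dst_nat[(proto, dst_address, dst_port)] = to_dst_address

    def route(self, dst: str) -> Optional[str]:
        """Interface for a connected network, the default interface otherwise;
        None means the packet is addressed to the router itself."""
        addr = ipaddress.IPv4Address(dst)
        for name, own in self.own.items():
            if addr == own.ip:
                return None
            if addr in own.network:
                return name
        return self.default_interface

    def pick_port(self, proto: str, address: str, wanted: int) -> int:
        """Keep the host's own source port when it is free behind the shared
        address; otherwise allocate a spare one so two LAN hosts cannot collide."""
        port = wanted
        while (proto, address, port) in self.in_use:
            port = next(self.spare_ports)
        self.in_use.add((proto, address, port))
        return port

    def forward(self, pkt: Packet) -> Tuple[Optional[str], Packet]:
        """Returns (outgoing interface, packet as it leaves); the interface is
        None when the packet is delivered to the router itself."""
        if pkt in self.conntrack:                    # reply to a translated connection
            out = self.conntrack[pkt]
            return self.route(out.dst), out
        original = pkt
        new_dst = self.dst_nat.get((pkt.proto, pkt.dst, pkt.dport))
        if new_dst is not None:                      # dst-nat precedes routing: the new destination decides the route
            pkt = Packet(pkt.proto, pkt.src, pkt.sport, new_dst, pkt.dport)   # port kept (to-dst-port=0-65535)
        out_if = self.route(pkt.dst)
        if out_if in self.masquerade:                # src-nat follows routing and keys on the out-interface
            match = self.masquerade[out_if]
            if match is None or ipaddress.IPv4Address(pkt.src) in match:
                own_ip = str(self.own[out_if].ip)
                pkt = Packet(pkt.proto, own_ip, self.pick_port(pkt.proto, own_ip, pkt.sport), pkt.dst, pkt.dport)
        if pkt != original:
            self.conntrack[pkt.reply()] = original.reply()   # how to undo the translation on the reply
        return out_if, pkt


def flat(result):
    """(interface, 5-tuple) form of a forward() result, convenient for checking."""
    out_if, p = result
    return out_if, (p.proto, p.src, p.sport, p.dst, p.dport)


def demo():
    r = NatRouter({"Local": "192.168.0.254/24", "Public": "10.0.0.217/24"}, default_interface="Public")
    r.add_masquerade("Public", src_address="192.168.0.0/24")     # the manual's rule plus src-address=192.168.0.0/24
    r.add_dst_nat("tcp", "10.0.0.217", 80, "192.168.0.4")        # the manual's dst-nat rule
    return {
        # two LAN hosts use the same source port towards the ISP's server 10.0.0.4
        "lan1": flat(r.forward(Packet("tcp", "192.168.0.5", 40000, "10.0.0.4", 80))),
        "lan2": flat(r.forward(Packet("tcp", "192.168.0.6", 40000, "10.0.0.4", 80))),
        # the server answers the second host's translated tuple
        "lan2_reply": flat(r.forward(Packet("tcp", "10.0.0.4", 80, "10.0.0.217", 1024))),
        # a client on the ISP's network reaches the web server through the public address
        "web": flat(r.forward(Packet("tcp", "10.0.0.4", 5555, "10.0.0.217", 80))),
        "web_reply": flat(r.forward(Packet("tcp", "192.168.0.4", 80, "10.0.0.4", 5555))),
        # a router port with no dst-nat rule (here the Winbox port) reaches the router itself, untranslated
        "router": flat(r.forward(Packet("tcp", "10.0.0.4", 5556, "10.0.0.217", 3986))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The order of the two rewrites is the point to take from the model: the destination is translated before the routing decision, so the dst-nat'ed web request is routed out 'Local' and is not masqueraded, while the source is translated after routing, so only what leaves through 'Public' gets the router's public address. The reply to the web request is mapped back to 10.0.0.217:80 only because it passes through the router, which is why the server needs the router as its default gateway.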

Accessing the Router Remotely using Web Browser and WinBox Console

The MikroTik router can be accessed remotely using a web browser or the Winbox Console. When connecting to the MikroTik router via http (TCP port 80), the router's Welcome Page is displayed in the web browser.

By clicking on the Winbox Console link you can start the winbox.exe download. When you run the winbox.exe program, it opens the Winbox login window. Log in to the router by specifying the IP address, user name, and password.

The Winbox console is opened after logging in to the router.

The Winbox Console uses TCP port 3986. After logging on to the router you can work with the MikroTik router's configuration through the Winbox console and perform the same tasks as using the regular console.

You can use the menu bar to navigate through the router's configuration menus, open configuration windows. By double clicking on some list items in the windows you can open configuration windows for the specific items, and so on. Please consult the MikroTik RouterOS WinBox Console Manual for more detailed description of using the WinBox Console.

Adding Software Packages

The basic installation comes with only the "system" package and a few other packages. This includes basic IP routing and router administration. To have additional features such as IP Telephony, OSPF, wireless, and so on, you will need to download additional software packages.

The additional software packages must have the same version as the system package; otherwise the package won't be installed. Please consult the MikroTik RouterOS Software Package Installation and Upgrading Manual for more detailed information about installing additional software packages.

Software Licensing Issues

If you want to upgrade to a 'paid' version of your MikroTik RouterOS installation, purchase the new Software License Key for the Software ID you used when getting the 'free' demo license. Similarly, if an additional license is required to enable the functionality of a software package, the license should be obtained for the Software ID of your system. The new key should be entered using the '/system license set key' command, and the router should be rebooted afterwards:

[MikroTik] system license> print                                               
      software-id: TPNG-SXN
              key: 2C6A-YUE-3H2
   upgradeable-to: jan/01/2003
[MikroTik] system license> feature print                                       
Flags: X - disabled 
  #   FEATURE                                                                  
  0 X AP                                                                       
  1 X synchronous                                                              
  2 X radiolan                                                                 
  3 X wireless-2.4gHz                                                          
  4   licensed                                                                 
[MikroTik] system license> set key=D45G-IJ6-QM3                                
[MikroTik] system license> /system reboot
Reboot, yes? [y/N]: y
system will reboot shortly

If there is no appropriate license, the corresponding interfaces won't show up in the interface list, even though the packages can be installed on the MikroTik RouterOS and the corresponding drivers loaded.



MikroTik RouterOS V2.5 Winbox Console Manual

Document revision 13-Jun-2002
This document applies to the V2.5 of the MikroTik RouterOS

Overview

The Winbox Console is used for accessing the MikroTik Router configuration and management features using a graphical user interface. The Winbox Console plugin loader, the winbox.exe program, can be retrieved from the MikroTik router at the URL http://router_address/winbox/winbox.exe. Use any web browser on Windows 95/98/ME/NT4.0/2000/XP to retrieve the router's web page with the mentioned link.

The winbox plugins are cached on the local disk for each MikroTik RouterOS version. The plugins are not downloaded, if they are in the cache, and the router has not been upgraded since the last time it has been accessed.

This manual describes the general Winbox console operation principles.

Contents of the Manual

The following topics are covered in this manual: starting the Winbox Console, an overview of its common functions, and troubleshooting.

Starting the Winbox Console

When connecting to the MikroTik router via http (TCP port 80), the router's Welcome Page is displayed in the web browser, for example:

By clicking on the Winbox Console link you can start the winbox.exe download. Choose the option "Run this program from its current location" and click "OK".

Accept the security warning, if any. The warning appears because winbox.exe is an executable retrieved over plain http, which proves neither where it came from nor that it arrived unaltered; retrieve it only over a network path you trust.

Alternatively, you can save the winbox.exe program to your disk and run it from there.

The winbox.exe program opens the Winbox login window. Log in to the router by specifying the IP address, user name, and password.

Watch the download process of the Winbox plugins.

The Winbox console is opened after the plugins have been downloaded.

The Winbox Console uses TCP port 3986. After logging on to the router you can work with the MikroTik router's configuration through the Winbox console and perform the same tasks as using the regular console.

Overview of Common Functions

You can use the menu bar to navigate through the router's configuration menus, open configuration windows. By double clicking on some list items in the windows you can open configuration windows for the specific items, and so on.

There are some hints for using the Winbox Console:

Troubleshooting for Winbox Console



MikroTik RouterOS Terminal Console Manual

Document revision 21-Mar-2002
This document applies to the MikroTik RouterOS v2.5

Overview

The Terminal Console is used for accessing the MikroTik Router configuration and management features using text terminals, i.e., remote terminal clients, as well as local monitor and keyboard. The Terminal Console is used for writing scripts. This manual describes the general console operation principles. Please consult the Scripting Manual on how to write scripts.

Contents of the Manual

The following topics are covered in this manual:

Overview of Common Functions

The console allows configuration of the router settings using text commands. The command structure is similar to the Unix shell. Since there are a great many available commands, they are split into a hierarchy. For example, all (well, almost all) commands that work with routes start with "ip route":

[drax]> ip route print
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE        DST-ADDRESS        NEXTHOP... GATEWAY    DISTANCE INTERFACE 
  0    ;;; test multihop route
       static      0.0.0.0/0          A          10.0.0.1   1        ether2    
                                      I          1.1.1.1             (unknown) 
  1 D  connect     10.0.0.0/24        A          0.0.0.0    0        ether2    
  2 D  connect     7.7.7.0/24         A          0.0.0.0    0        tunl        
[drax]> ip route set 0 gateway=10.0.0.1
[drax]> ip route print
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE        DST-ADDRESS        NEXTHOP... GATEWAY    DISTANCE INTERFACE 
  0    ;;; test multihop route
       static      0.0.0.0/0          A          10.0.0.1   1        ether2    
  1 D  connect     10.0.0.0/24        A          0.0.0.0    0        ether2    
  2 D  connect     7.7.7.0/24         A          0.0.0.0    0        tunl        

Instead of typing "ip route" before each command, "ip route" can be typed once to "change into" that particular branch of command hierarchy. Thus, the example above could also be executed like this:

[drax]> ip route
[drax] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE        DST-ADDRESS        NEXTHOP... GATEWAY    DISTANCE INTERFACE 
  0    ;;; test multihop route
       static      0.0.0.0/0          A          10.0.0.1   1        ether2    
  1 D  connect     10.0.0.0/24        A          0.0.0.0    0        ether2    
  2 D  connect     7.7.7.0/24         A          0.0.0.0    0        tunl        

...etc

Notice that prompt changes to show where in the command hierarchy you are located at the moment. To change to top level, type "/"

[drax] ip route> /
[drax]>

To move up one command level, type ".."

[drax] ip route> ..
[drax] ip>

You can also use "/" and ".." to execute commands from other levels without changing the current level:

[drax] ip route> /ping 10.0.0.10
timeout: ping reply not received after 1000 ms
timeout: ping reply not received after 1000 ms
2 packets transmitted, 0 packets received, 100% packet loss

Or alternatively, to go back to the base level you could use ".." twice:

[drax] ip route> .. .. ping 10.0.0.10
10.0.0.10 pong: ttl=128 time=1 ms
10.0.0.10 pong: ttl=128 time<1 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0/0.5/1 ms
[drax] ip route>

Lists

Many command levels operate on arrays of items: interfaces, routes, users etc. Such arrays are displayed as similar-looking lists. Every item in the list has an item number followed by its parameter values. For example:

[drax]> interface print
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0 X ether1               1500  ether                                         
  1   ether2               1500  ether                                         
  2 X pptp-in1                   pptp-in                                       
  3   tunl                 1500  eoip-tunnel                                   

To change the parameters of an item (interface settings in this particular case), you have to give its number to the "set" command:

[drax]> interface set 1 mtu=1460
[drax]> interface print
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0 X ether1               1500  ether                                         
  1   ether2               1460  ether                                         
  2 X pptp-in1                   pptp-in                                       
  3   tunl                 1500  eoip-tunnel                                   

Numbers are assigned by the "print" command and are not constant: two successive "print" commands may order items differently. Thus, you must run "print" before any other command that works with list items, to assign the numbers.

Note: Although numbers can change each time you use the "print" command, they do not change between uses. Once assigned, they remain the same until you quit the console or until the next "print" command is executed. Also, numbers are assigned separately for every item list, so "ip address print" does not change the numbers of the interface list.

Let's assume "ip address print" has not been executed yet. In this case:

[drax]> ip address set 1 netmask=255.255.0.0
ERROR: item numbers not assigned

The console is telling you that no "ip address print" command has been run, so it cannot know which address number 1 refers to.

To understand better how item numbers work, you can play with the "from" argument of "print" commands:

[drax]> interface print from=1
  #   NAME                 MTU   TYPE                                          
  0   ether2               1460  ether                                         

The "from" argument specifies what items to show. Numbers are assigned by every "print" command, thus, after executing command above there will be only one item accessible by number - interface "ether2" by number 0.

Item Names

Some lists have items with a specific name assigned to each. Examples are the "interface" and "user" levels. There you can use item names instead of numbers:

[drax]> interface set ether2 mtu 1500

You do not have to use the "print" command before accessing items by name. As opposed to numbers, names are not assigned by the console internally but are one of the item's parameters, so they do not change on their own. However, all kinds of obscure situations are possible when several users are changing the router configuration at the same time. Generally, item names are more "stable" than numbers, and also more informative, so you should prefer them to numbers when writing console scripts. Also, [Tab] completion works on item names, making them easy to type.

Quick Typing

There are two features in the router console that help you enter commands more quickly: [Tab] key completion and abbreviation of command names. Completion works similarly to the bash shell in UNIX. If you press the [Tab] key after part of a word, the console tries to find the command in the current context that begins with this word. If there is only one match, it is automatically appended, followed by a space character:

/inte_ becomes /interface _

Here, "_" is the cursor position.

If there is more than one match, but they all have a common beginning that is longer than what you have typed, then the word is completed to this common part, and no space is appended:

/interface set e_

becomes

/interface set ether_ 

because "e" matches both "ether5" and "ether1" in this example)

If you have typed just the common part, pressing the [Tab] key once has no effect. However, pressing it a second time shows all possible completions in compact form:

[drax]> /interface set e_
[drax]> /interface set ether_
[drax]> /interface set ether
ether1 ether5
[drax]> /interface set ether_

The [Tab] key can be used in almost any context where the console might have a clue about possible values: command names, argument names, arguments that have only a few possible values (like names of items in some lists or the name of the protocol in firewall and NAT rules). You cannot complete numbers, IP addresses and similar values.

New in V2.4: It is now possible to complete not only the beginning but also any distinctive substring of a name. When [Tab] is pressed, the console builds a list of all possible words that can be entered at the current cursor position. It then looks for words that begin with the string immediately before the cursor. If there is more than one match, a second [Tab] displays them in compact table form. If there is a single match, it is completed at the cursor position. Otherwise, the console starts to look for words that have the string being completed as the first letters of a multi-word name, or that simply contain the letters of this string in the same order. If a single such word is found, it is completed at the cursor position. For example:

[drax]> /interface x_
[drax]> /interface export _

"x" is completed to "export", because no other word in this context contains 'x'.

[drax]> /interface mt_
[drax]> /interface monitor-traffic _

No word begins with letters "mt", but it is an abbreviation of "monitor-traffic".

Another way to press fewer keys is to abbreviate command and argument names. You can type only the beginning of a command name and, if it is not ambiguous, the console accepts it as the full name. So typing:

[drax]> ip f st r 1

equals to typing:

[drax]> ip firewall static-nat remove 1

and:

[drax]> pi 10.1 c 3 s 100

equals to:

[drax]> ping 10.0.0.1 count 3 size 100

Help

The console has built-in help, which can be accessed by typing '?'. The general rule is that help shows what you can type at the position where '?' was pressed (similar to pressing the [Tab] key twice, but in verbose form and with explanations).

Internal Item Numbers

Items can also be addressed by their internal numbers. These numbers are generated by the console for scripting purposes and, as the name implies, are used internally. Although you can see them if you print the return values of some commands (internal numbers look like a hex number preceded by '*', for example "*100A"), there is no reason to type them in manually. Using invalid internal numbers can severely damage your router configuration.

Multiple Items

You can specify multiple items as targets of some commands. Almost everywhere you can write the number of an item, you can also write a list of numbers:

[drax]> interface print
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  1   ether2               1500  ether                                         
[drax]> interface set "0 1" mtu=1600
[drax]> interface print
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1600  ether                                         
  1   ether2               1600  ether                                         

Note: In the example above, "0 1" could be substituted with "0,1". Lists can be entered either whitespace separated, in quotes, or comma separated. In the latter case quotes are not required.

This is handy when you want to perform the same action on several items, or do a selective export. However, this feature becomes really useful when combined with scripting.

Return Values

The router console has limited scripting capability. The syntax is simple and similar to Tcl. The commands "find" and "get" exist in many command levels. They do not print anything on screen, but create return values that can be used by other console commands. The "find" command creates a return value that contains the internal numbers of all items that match the parameters of the "find" command. This return value can be used in another command by placing "find" in square brackets:

[drax]> interface
[drax] interface> print from=[find name=ether2]
  #   NAME                 MTU   TYPE
  0   ether2               1600  ether
[drax] interface> set 0 mtu 1460
[drax] interface> print from=[find mtu=1460]
  #   NAME                 MTU   TYPE
  0   ether2               1460  ether

If you do not give "find" any arguments, it returns the internal numbers of all items:

[drax] interface> set [find] mtu=1500
[drax] interface> print
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  1   ether2               1500  ether                                         

You can see the return value of the "find" command (and other router commands) using the ":put" command:

[drax] interface> :put [find]
*1 *2 

These are the internal numbers of all router interfaces. There is also a trailing space after the last number, so you can concatenate the results of several "find" commands:

[drax] interface> print from [find][find]
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  1   ether2               1500  ether                                         
  3   ether1               1500  ether                                         
  4   ether2               1500  ether                                         

The "get" command allows to access item values that can be seen with "print" command from scripts. It takes two arguments - item number and name of property:

[drax] interface> :put [get 0 name]
ether1

Item numbers cannot be used in scripts; use item names or the result of the "find" command instead:

[drax] interface> :put [get ether2 type]
ether

Time Setting

In the console, time can be entered in various ways. You can use either the hours:minutes:seconds form, or a number followed by a unit letter. If there is no number before the letter, it means one unit. You can also use numbers with a decimal point. Multiple time intervals can be written consecutively; they are summed.
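As an added example (not code from the manual or from MikroTik), here is an offline parser for the interval syntax just described, the kind of check a tool that generates scheduler or netwatch entries should run before sending them to the router. The unit letters it accepts are the ones used in this manual's own examples (d, h, m, s, ms); that table is an assumption, not the router's authoritative list. Anything outside the syntax is rejected rather than silently dropped, and the formatter renders a value the way the scheduler listing does (24h is shown as 1d).

```python
"""Parse and print RouterOS-style time intervals (added example)."""
import re
from datetime import timedelta

# Milliseconds per unit letter (assumed from the units used in this manual).
UNIT_MS = {"d": 86_400_000, "h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}

# "1h", "1.5h", "h" (no number = one unit); "ms" must be tried before "m".
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)?(ms|[dhms])")
_HMS = re.compile(r"^(\d+):(\d{1,2}):(\d{1,2}(?:\.\d+)?)$")


def parse_interval(text):
    """Return a timedelta for 'hh:mm:ss' or a run of <number><unit> parts.

    Consecutive parts are summed ("1h30m" is 90 minutes); text that is not
    part of the syntax raises ValueError instead of being ignored.
    """
    text = text.strip()
    m = _HMS.match(text)
    if m:
        hours, minutes, seconds = m.groups()
        return timedelta(hours=int(hours), minutes=int(minutes),
                         seconds=float(seconds))
    if not text:
        raise ValueError("empty interval")
    total_ms = 0.0
    pos = 0
    for m in _TOKEN.finditer(text):
        if m.start() != pos:                      # junk between two parts
            raise ValueError(f"cannot parse {text[pos:m.start()]!r} in {text!r}")
        count = float(m.group(1)) if m.group(1) else 1.0
        total_ms += count * UNIT_MS[m.group(2)]
        pos = m.end()
    if pos != len(text):                          # trailing junk
        raise ValueError(f"cannot parse {text[pos:]!r} in {text!r}")
    return timedelta(milliseconds=round(total_ms))


def is_valid_interval(text):
    """True if the router syntax above accepts the text."""
    try:
        parse_interval(text)
        return True
    except ValueError:
        return False


def format_interval(delta):
    """Render a timedelta the way the scheduler listing shows it (24h -> 1d)."""
    ms = round(delta.total_seconds() * 1000)
    parts = []
    for unit in ("d", "h", "m", "s"):
        count, ms = divmod(ms, UNIT_MS[unit])
        if count:
            parts.append(f"{count}{unit}")
    if ms:
        parts.append(f"{ms}ms")
    return "".join(parts) or "0s"


if __name__ == "__main__":
    for sample in ("1h", "24h", "7d", "10m", "998ms", "1.5h", "m", "01:30:00"):
        print(f"{sample:>9} -> {format_interval(parse_interval(sample))}")
```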

Variables

The console has variables that can store string values. A variable is assigned with the ":set" command:

[drax]> :set var1 J.Random.String

If the value is assigned to a non-existent variable, the variable is created; otherwise the current value is replaced. To access the value of a variable, type "$" followed by the name of the variable; it is replaced by the variable's value:

[drax]> :put $var1
J.Random.String
[drax]> :put $var1-$var1-yo-ho-ho-$var1
J.Random.String-J.Random.String-yo-ho-ho-J.Random.String

Magic Variable

The magic variable is "^" (caret). It contains the return value of the last executed command. Not all commands set this value: commands like "print" or "telnet" have no meaningful return value, so they do not modify it. "add" returns the internal number of the new item. This is used in some export scripts:

[bainug] interface> /ip route 
[bainug] ip route> export 
/ ip route 
add dst-address=0.0.0.0/0 gateway=10.0.0.1,1.1.1.1 prefered-source=0.0.0.0 
comment $^ "test multihop route"
enable $^ 

This script could also be rewritten so that it does not use the "^" variable, at the expense of clarity:

/ ip route
set item [add dst-address=0.0.0.0/0 gateway=10.0.0.1,1.1.1.1 \
    prefered-source=0.0.0.0]
comment $item "test multihop route"
enable $item

General Layout of Command Levels

There are two kinds of command levels. First, there are levels that let you work with lists of similar items: routes, interfaces, users and the like. Second, there are levels that let you change some general parameters: time, bridge settings etc.

Most command groups have some or all of these commands: print, set, remove, add, find, get, export, enable, disable, comment. These commands behave similarly throughout the hierarchy.

print

The "print" command shows all information that's accessible from particular command level. Thus, "/system clock print" shows system date and time, "/ip route print" shows all routes etc. If there's a list of items in this level and they are not read-only, i.e. you can change/remove them (example of read-only item list is "/system history", which shows history of executed actions), then "print" command also assigns numbers that are used by all commands that operate on items in this list. Thus, "print" usually must be executed before any other commands in the same command level.

If there is a list of items, "print" usually accepts a "from" argument. The "from" argument accepts a space separated list of item numbers, names (if items have them), and internal numbers. The action (printing) is performed on all items in this list, in the order in which they are given.

Output can be formatted either as a table, with one item per line, or as a list with "property=value" pairs for each item. By default "print" uses one of these forms, but the form can be set explicitly with the "brief" and "detail" arguments. In "brief" (table) form, the "columns" argument can be set to a list of property names that should be shown in the table. The "without-paging" argument suppresses prompting after each screen of output.

New in V2.5: You can specify an interval for repeating the command until Ctrl-C is pressed, so you do not need to press 'Up-Arrow' and 'Enter' repeatedly to see fresh printouts of a changing list you want to monitor. Instead, use the argument 'interval=2s' with 'print'.

set

The "set" command allows you to change values of general parameters or item parameters. The "set" command has arguments with names corresponding to values you can change. Use "?" or double tab to see list of all arguments. If there is list of items in this command level, then set has one unnamed argument that accepts the number of item (or list of numbers) you wish to set up. Values for unnamed arguments must follow right after the name of the command, and their order can't be changed. Example: in firewall rules, the "set" command has two unnamed arguments - first is the name of chain and second is the number of rule in this chain. "set" returns internal numbers of items it has set up.

remove

The "remove" command has one unnamed argument, which contains number(s) of item(s) to remove.

add

The "add" command usually has the same arguments as "set", minus the unnamed number argument. It adds new item with values you've specified, usually to the end of list (in places where order is relevant). There are some values that you have to supply (like interface for new route), and other values that are set to defaults if you don't supply them. The "add" command returns internal number of item it has added.

New in V2.4: You can create a copy of an existing item with the "copy-from" argument. It takes the default values of the new item's properties from another item. If you do not want an exact copy, you can specify new values for some properties. When copying items that have names, you will usually have to give the copy a new name.

New in V2.5: You can place a new item before an existing item with the "place-before" argument, so you do not need to use the 'move' command after adding an item to the list.

find

The "find" command has the same arguments as "set", and an additional "from" argument which works like the "from" argument with the "print" command. The "find" command returns internal numbers of all items that have the same values of arguments as specified.

export

The "export" command prints a script that can be used to restore configuration. If it has the argument "from", then it is possible to export only specified items. Also, if the "from" argument is given, "export" does not descend recursively through the command hierarchy. The "export" command also has the argument "file", which allows you to save the script in file on router to retrieve it later via ftp. Argument "noresolve" is used to disable reverse resolving of IP addresses if it proves to be problem.

enable/disable

You can enable/disable some items (like an IP address or the default route). A disabled item is marked with the "X" flag. An item that is invalid but not disabled is marked with the "I" flag:

[MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE        DST-ADDRESS        NEXTHOP... GATEWAY    DISTANCE INTERFACE 
  0    static      0.0.0.0/0          A          10.0.0.1   1        ether1    
  1 X  static      192.168.0.0/16     I          159.148... 1        (unknown) 
  2 I  static      10.1.1.0/24        I          10.0.1.3   1        (unknown) 
  3 D  connect     159.148.24.0/24    A          0.0.0.0    0        ether1    
  4 D  connect     10.0.0.0/24        A          0.0.0.0    0        ether1    
[MikroTik] ip route>

comment

You can add comments to some items. If an item is commented, the comment is shown next to the item number, before all parameters, prefixed with ";;;":

[Main_GW] ip route> print                                                          
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE        DST-ADDRESS        NEXTHOP... GATEWAY    DISTANCE INTERFACE 
  0    ;;; our default gateway
       static      0.0.0.0/0          A          192.168... 1        ispnet    
  1    ;;; to-pptp-client in the branch office
       static      192.168.223.55/32  A          192.168... 1        ispnet    
  3 D  ospf        159.148.36.0/24    A          10.1.0.2   110      rlan      
  4 D  connect     192.168.248.128/25 A          0.0.0.0    0        ispnet    
...
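The table layout shown in the "Lists", "enable/disable" and "comment" sections is what a tool that drives the console over telnet has to read back. As an added example (not code from the manual or from MikroTik), the parser below takes column boundaries from the header line, attaches ";;;" comment rows to the item that follows, collects the flag letters, and keeps continuation rows (such as the second next hop of the multi-hop route) with their item. The sample listings are copied from this manual; the find_items and flagged helpers mirror what "find" and the X/I flags give you on the router.

```python
"""Parse the table form of a RouterOS v2.x console 'print' listing (added example)."""
import re

# Listings copied from this manual; column positions matter, so keep them verbatim.
ROUTE_TABLE = "\n".join([
    "Flags: X - disabled, I - invalid, D - dynamic, R - rejected ",
    "  #    TYPE        DST-ADDRESS        NEXTHOP... GATEWAY    DISTANCE INTERFACE ",
    "  0    ;;; test multihop route",
    "       static      0.0.0.0/0          A          10.0.0.1   1        ether2    ",
    "                                      I          1.1.1.1             (unknown) ",
    "  1 D  connect     10.0.0.0/24        A          0.0.0.0    0        ether2    ",
    "  2 D  connect     7.7.7.0/24         A          0.0.0.0    0        tunl      ",
])

FLAGGED_TABLE = "\n".join([
    "Flags: X - disabled, I - invalid, D - dynamic, R - rejected ",
    "  #    TYPE        DST-ADDRESS        NEXTHOP... GATEWAY    DISTANCE INTERFACE ",
    "  0    static      0.0.0.0/0          A          10.0.0.1   1        ether1    ",
    "  1 X  static      192.168.0.0/16     I          159.148... 1        (unknown) ",
    "  2 I  static      10.1.1.0/24        I          10.0.1.3   1        (unknown) ",
    "  3 D  connect     159.148.24.0/24    A          0.0.0.0    0        ether1    ",
])


def parse_print_table(text):
    """Return (flag_legend, items).

    Each item is a dict with "number", "flags" (set of letters), "comment",
    "values" (column name -> text) and "extra" (values of continuation rows).
    """
    legend, items, columns, awaiting = {}, [], None, None

    def slice_row(line):
        out = {}
        for i, (name, start) in enumerate(columns):
            end = columns[i + 1][1] if i + 1 < len(columns) else len(line)
            out[name] = line[start:end].strip()
        return out

    for line in text.splitlines():
        if not line.strip() or line.strip() == "...":
            continue
        if line.startswith("["):                # a prompt: the listing is over
            break
        if line.startswith("Flags:"):           # "X - disabled, I - invalid, ..."
            for part in line[len("Flags:"):].split(","):
                m = re.match(r"\s*(\S)\s*-\s*(.+?)\s*$", part)
                if m:
                    legend[m.group(1)] = m.group(2)
            continue
        if columns is None:                     # header: "#" then column names
            if line.lstrip().startswith("#"):
                words = [(w.group(0), w.start()) for w in re.finditer(r"\S+", line)]
                columns = words[1:]
            continue
        first_col = columns[0][1]
        m = re.match(r"\s*(\d+)", line)
        if m and m.end() <= first_col:          # numbered row: a new item
            item = {"number": int(m.group(1)),
                    "flags": set(line[m.end():first_col].replace(" ", "")),
                    "comment": None, "values": {}, "extra": []}
            items.append(item)
            body = line[m.end():].strip()
            if body.startswith(";;;"):          # comment row; values come next line
                item["comment"] = body[3:].strip()
                awaiting = item
            else:
                item["values"] = slice_row(line)
                awaiting = None
        elif awaiting is not None:              # the values of a commented item
            awaiting["flags"] |= set(line[:first_col].replace(" ", ""))
            awaiting["values"] = slice_row(line)
            awaiting = None
        elif items:                             # continuation row of the last item
            items[-1]["extra"].append(slice_row(line))
    return legend, items


def find_items(items, **criteria):
    """Mirror the console's 'find': items whose columns equal all criteria."""
    return [i for i in items
            if all(i["values"].get(k) == v for k, v in criteria.items())]


def flagged(items, flag):
    """Items carrying a given flag letter, e.g. 'X' for disabled, 'I' for invalid."""
    return [i for i in items if flag in i["flags"]]


if __name__ == "__main__":
    legend, items = parse_print_table(ROUTE_TABLE)
    for item in items:
        print(item["number"], sorted(item["flags"]), item["comment"], item["values"])
    _, routes = parse_print_table(FLAGGED_TABLE)
    print("disabled:", [r["number"] for r in flagged(routes, "X")])
    print("invalid: ", [r["number"] for r in flagged(routes, "I")])
```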


© Copyright 1999-2001, MikroTik

MikroTik RouterOS Scripting Manual

Document revision 22-Mar-2002
This document applies to the MikroTik RouterOS V2.5

Overview

Scripting gives the administrator a way to execute console commands by writing a script for the router that is executed on the basis of time or of events that can be monitored on the router. One example use of scripting is changing bandwidth settings according to the time of day. In RouterOS v2.4, a script may be started in three ways: according to a specific time or time interval; on an event, for example when the netwatch tool sees that an address does not respond to pings; or by another script.

To write a script, the writer must know the console commands described in the relevant documentation. Scripts may be written for the System Scheduler, the Traffic Monitoring Tool, and the Netwatch Tool.

Contents of the Manual

The following topics are covered in this manual:

What's New in V2.5?

Scripts

Scripts are stored under '/system script'. Use the 'add' command to add a new script. The following example is a script that writes the message "kuku" to the system log:

[MikroTik] system script> add name=log-test source={:log message=kuku}
[MikroTik] system script> print                                                
  0 name=log-test source=:log message=kuku owner=admin run-count=0 

[MikroTik] system script>  

Argument description:

name - name of the script, used to reference it when invoking it. If not specified, the name is generated automatically as "scriptX", X=1,2,...
source - the script itself
owner - name of the user who created the script
run-count - usage counter. This counter is incremented each time the script is executed; it can be reset to zero by setting 'run-count=0'
last-started - date and time when the script was last invoked. The argument is shown only once the script has been run at least once (run-count is not 0).

You can execute a script by using the 'run' command.

To manage active or scheduled tasks, use the '/system script job' menu. You can see the status of all currently active tasks with the 'print' command. For example, we have a script that delays some process for 10 minutes:

[MikroTik] system script> add name=DelayeD source={:delay 10m}                 
[MikroTik] system script> print                                                
  0 name=log-test source=:log message=kuku owner=admin 
    last-started=may/09/2001 03:22:19 run-count=1 

  1 name=DelayeD source=:delay 10m owner=admin run-count=0 

[MikroTik] system script> run DelayeD                                          
[MikroTik] system script> job print                                            
  # SCRIPT                                                 STARTED             
  0 DelayeD                                                may/09/2001 03:32:18
[MikroTik] system script> 

You can cancel execution of a script by removing it from the jobs list:

[MikroTik] system script> job remove 0 
[MikroTik] system script> job print                                            
[MikroTik] system script> print                                                
  0 name=log-test source=:log message=kuku owner=admin 
    last-started=may/09/2001 03:36:44 run-count=3 

  1 name=DelayeD source=:delay 10m owner=admin 
    last-started=may/09/2001 03:32:18 run-count=1 

[MikroTik] system script>    

System Scheduler

The scheduler executes scripts at certain times. It has an ordered list of tasks. To add a task, use the 'add' command. For example, we add a task that executes the script 'log-test' every hour:

[MikroTik] system scheduler> add name=run-1h interval=1h script=log-test       
[MikroTik] system scheduler> print                                             
Flags: X - disabled 
  #   NAME      SCRIPT   START-DATE  START-TIME INTERVAL             RUN-COUNT 
  0   run-1h    log-test may/09/2001 03:45:02   1h                   1         
[MikroTik] system scheduler> .. script print                                   
  0 name=log-test source=:log message=kuku owner=admin 
    last-started=may/09/2001 03:45:02 run-count=4 

[MikroTik] system scheduler>

Argument description:

name - name of the task
delay - delay before the task starts after it has been added. Can be used instead of start-time and start-date.
start-time and start-date - time and date of the first execution
interval - interval between two script executions; if the interval is set to zero, the script is executed only at its start time, otherwise it is executed repeatedly at the specified interval
run-count - usage counter; incremented each time the script is executed, can be reset to zero
script - name of the script. The script must be present at '/system script'.

System Scheduler Examples

Here are two scripts that change the bandwidth setting of the queue rule "Cust0". Every day at 9AM the queue is set to 64 kbit/s and at 5PM to 128 kbit/s. The queue rule, the scripts, and the scheduler tasks are shown below:

[MikroTik] queue simple>
add name=Cust0 interface=Local dst-address=192.168.0.0/24 limit-at=64000
[MikroTik] queue simple> print                                                 
Flags: X - disabled, I - invalid 
  0   name=Cust0 src-address=0.0.0.0/0 dst-address=192.168.0.0/24 
      interface=Local limit-at=64000 queue=default priority=8 bounded=yes 

[MikroTik] queue simple> /system script
[MikroTik] system script> 
add name=start_limit source={/queue simple set Cust0 limit-at=64000}
add name=stop_limit source={/queue simple set Cust0 limit-at=128000}
[MikroTik] system script> print                                                
  0 name=start_limit source=/queue simple set Cust0 limit-at=64000 
    owner=admin run-count=0 

  1 name=stop_limit source=/queue simple set Cust0 limit-at=128000 
    owner=admin run-count=0 

[MikroTik] system script> .. scheduler
[MikroTik] system scheduler> 
add interval=24h name="set-64k" start-time=9:00:00 script=start_limit
add interval=24h name="set-128k" start-time=17:00:00 script=stop_limit
[MikroTik] system scheduler> print                                             
Flags: X - disabled 
  #   NAME      SCRIPT   START-DATE  START-TIME INTERVAL             RUN-COUNT 
  0   set-64k   start... may/09/2001 09:00:00   1d                   0         
  1   set-128k  stop_... may/09/2001 17:00:00   1d                   0         
[MikroTik] system scheduler>

The following setup schedules a script that e-mails a backup of the router configuration every week.

[MikroTik] system script>
add name=e-backup source={/system backup save name=email;
    /tool e-mail send to="root@host.com" \
        subject=[/system identity get name]" Backup" \
        file=email.backup}
[MikroTik] system script> .. scheduler                                         
[MikroTik] system scheduler>
add interval=7d name="email-backup" script=e-backup
[MikroTik] system scheduler> print                                             
Flags: X - disabled 
  #   NAME      SCRIPT   START-DATE  START-TIME INTERVAL             RUN-COUNT 
  0   email-... e-backup mar/21/2002 19:12:53   7d                   1         
[MikroTik] system scheduler> 

Do not forget to set the e-mail settings, i.e., the SMTP server and From: address, under '/tool e-mail'. The backup file contains the complete router configuration, so send it only to a mailbox, and through a mail server, that you trust. For example:

[MikroTik] tool e-mail>                                                        
set server=159.148.147.198 from=SysAdmin@host.com
[MikroTik] tool e-mail> print                                                  
    server: 159.148.147.198
      from: SysAdmin@host.com
[MikroTik] tool e-mail> 

If more than one script has to be executed at the same time, they are executed in the order they appear in the scheduler configuration. This can be important if, for example, one scheduled script is used to disable another. The order of tasks can be changed with the "move" command.

If a more complex execution pattern is needed, it can usually be achieved by scheduling several scripts and making them enable and disable each other. The example below puts 'x' in the log every hour from midnight till noon:

[MikroTik] system script>
add name=enable-x source={/system scheduler enable x}
add name=disable-x source={/system scheduler disable x}
add name=log-x source={:log message=x}
[MikroTik] system script> .. scheduler                                         
[MikroTik] system scheduler>
add name=x-up start-time=00:00:00 interval=24h script=enable-x
add name=x-down start-time=12:00:00 interval=24h script=disable-x
add name=x start-time=00:00:00 interval=1h script=log-x
[MikroTik] system scheduler> print                                             
Flags: X - disabled 
  #   NAME      SCRIPT   START-DATE  START-TIME INTERVAL             RUN-COUNT 
  0   x-up      enable-x mar/22/2002 00:00:00   1d                   0         
  1   x-down    disab... mar/22/2002 12:00:00   1d                   0         
  2   x         log-x    mar/22/2002 00:00:00   1h                   0         
[MikroTik] system scheduler>  
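The midnight-till-noon setup depends on the ordering rule stated above: at 12:00 both "x-down" and "x" are due, and "x-down" must run first or 'x' is logged once more than intended. As an added example (not code from the manual or from MikroTik), the simulation below models the scheduler rules given in this section (tasks due at the same moment run in configuration order, a disabled task is skipped, interval 0 means run once) and replays the three tasks for two days, once as configured and once with "x" moved before "x-down". Whether a disabled task's next run time keeps advancing while it is disabled is an assumption of this model.

```python
"""Simulate '/system scheduler' ordering for tasks that enable/disable each other (added example)."""
from datetime import datetime, timedelta


class Scheduler:
    def __init__(self):
        self.tasks = []        # ordered like '/system scheduler print'
        self.scripts = {}      # script name -> callable(scheduler, now)
        self.log = []          # what ':log' would have written, with timestamps

    def add_script(self, name, func):
        self.scripts[name] = func

    def add_task(self, name, start, interval, script):
        self.tasks.append({"name": name, "next": start, "interval": interval,
                           "script": script, "disabled": False, "run_count": 0})

    def _task(self, name):
        return next(t for t in self.tasks if t["name"] == name)

    def enable(self, name):
        self._task(name)["disabled"] = False

    def disable(self, name):
        self._task(name)["disabled"] = True

    def move(self, name, before):
        """Like the console 'move' command: put task 'name' before task 'before'."""
        task = self._task(name)
        self.tasks.remove(task)
        self.tasks.insert(self.tasks.index(self._task(before)), task)

    def run_until(self, end):
        """Fire every due task, in configuration order, until 'end' (exclusive)."""
        while True:
            pending = [t["next"] for t in self.tasks if t["next"] is not None]
            if not pending or min(pending) >= end:
                return
            now = min(pending)
            for task in self.tasks:                    # list order decides ties
                if task["next"] != now:
                    continue
                if not task["disabled"]:
                    task["run_count"] += 1
                    self.scripts[task["script"]](self, now)
                # interval 0 runs once; otherwise reschedule (assumed to keep
                # ticking while the task is disabled)
                task["next"] = now + task["interval"] if task["interval"] else None


def simulate_x_schedule(days=2, x_before_x_down=False):
    """Return the hours at which 'x' was logged over the given number of days."""
    sched = Scheduler()
    midnight = datetime(2002, 3, 22)               # date used in the listing above
    sched.add_script("enable-x", lambda s, now: s.enable("x"))
    sched.add_script("disable-x", lambda s, now: s.disable("x"))
    sched.add_script("log-x", lambda s, now: s.log.append((now, "x")))
    sched.add_task("x-up", midnight, timedelta(hours=24), "enable-x")
    sched.add_task("x-down", midnight + timedelta(hours=12), timedelta(hours=24), "disable-x")
    sched.add_task("x", midnight, timedelta(hours=1), "log-x")
    if x_before_x_down:                            # the misordering 'move' would fix
        sched.move("x", "x-down")
    sched.run_until(midnight + timedelta(days=days))
    return [when.hour for when, _ in sched.log]


if __name__ == "__main__":
    print("as configured:  ", simulate_x_schedule())
    print("x before x-down:", simulate_x_schedule(x_before_x_down=True))
```

With the tasks as configured the log holds 'x' for hours 0 to 11 on each day; with "x" ahead of "x-down" the 12:00 run slips through before the task is disabled.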

Traffic Monitoring Tool

The traffic monitor tool executes console scripts when interface traffic crosses a given threshold.

Each item in the traffic monitor list consists of its name (useful if you want to disable or change the properties of this item from another script), some parameters specifying the traffic condition, and a pointer to the script or scheduled event to execute when this condition is met.

Argument description for traffic monitoring tool:

name - Name of the traffic monitor item
interface - Interface to monitor
threshold - Traffic threshold, in bits per second.
trigger - ( above / always / below ) Condition on which to execute the script.
traffic - ( transmitted / received ) Type of traffic to monitor.
on-event - Name of the script to run. Must be present under '/system script'.

Specify the interface to monitor, the type of traffic (transmitted or received), and the threshold in bits per second. The script is started when traffic crosses the threshold in the direction given by the "trigger" argument. "above" means the script runs each time the traffic exceeds the threshold, i.e. goes from less than the threshold to more than it. "below" triggers the script in the opposite case, when traffic drops under the threshold. "always" triggers the script on both "above" and "below" conditions.

Traffic Monitor Examples

The example monitor enables the interface ether2 if the received traffic on ether1 exceeds 15 kbit/s, and disables ether2 if the received traffic on ether1 falls below 12 kbit/s. Using two different thresholds keeps ether2 from being toggled on every small fluctuation around a single value.

[MikroTik] system script>
add name=eth-up source={/interface enable ether2}
add name=eth-down source={/interface disable ether2}
[MikroTik] system script> /tool traffic-monitor                                
[MikroTik] tool traffic-monitor>
add name=turn_on interface=ether1 on-event=eth-up \
threshold=15000 trigger=above traffic=received
add name=turn_off interface=ether1 on-event=eth-down \
threshold=12000 trigger=below traffic=received
[MikroTik] tool traffic-monitor> print                                         
Flags: X - disabled, I - invalid 
  #   NAME           INTERFACE     TRAFFIC     TRIGGER THRESHOLD  ON-EVENT     
  0   turn_on        ether1        received    above   15000      eth-up       
  1   turn_off       ether1        received    below   12000      eth-down     
[MikroTik] tool traffic-monitor> 
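Because the triggers fire on a crossing and not on every reading above or below the threshold, it is worth seeing exactly when the two scripts would run for a realistic run of readings. As an added example (not code from the manual or from MikroTik), the model below applies the "above", "below" and "always" rules from this section to a constructed series of received-traffic readings on ether1 using the two monitors configured above. The manual does not say what happens before any reading exists, so the model assumes the first reading only establishes the initial state and fires nothing.

```python
"""Model the traffic-monitor 'above'/'below'/'always' triggers (added example)."""

MONITORS = [   # the two items from the '/tool traffic-monitor print' listing
    {"name": "turn_on", "threshold": 15000, "trigger": "above", "on_event": "eth-up"},
    {"name": "turn_off", "threshold": 12000, "trigger": "below", "on_event": "eth-down"},
]

# Constructed received-traffic readings on ether1, in bits per second.
READINGS = [5000, 16000, 18000, 14000, 13000, 11000, 9000, 16000, 16500]


def crossing_events(readings, monitors):
    """Return (reading index, monitor name, script) for each script run.

    'above' fires on a low-to-high crossing only, 'below' on high-to-low
    only, 'always' on both; staying on one side of the threshold never fires.
    """
    side = {m["name"]: None for m in monitors}        # None until first reading
    events = []
    for i, bps in enumerate(readings):
        for m in monitors:
            above = bps > m["threshold"]
            previous, side[m["name"]] = side[m["name"]], above
            if previous is None or previous == above:
                continue                                # no crossing
            fires = (m["trigger"] == "always"
                     or (m["trigger"] == "above" and above)
                     or (m["trigger"] == "below" and not above))
            if fires:
                events.append((i, m["name"], m["on_event"]))
    return events


def interface_state(readings, monitors, enabled=False):
    """Replay the events as the eth-up/eth-down scripts would; return the final state."""
    for _, _, script in crossing_events(readings, monitors):
        enabled = script == "eth-up"
    return enabled


if __name__ == "__main__":
    for event in crossing_events(READINGS, MONITORS):
        print("reading %d: %s runs %s" % event)
    print("ether2 enabled at the end:", interface_state(READINGS, MONITORS))
```

Readings of 14000 and 13000 fall between the two thresholds and change nothing: ether2 stays in whatever state the last crossing left it, which is the point of the 15000/12000 split.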

Network Watching Tool

Netwatch monitors the state of hosts on the network by sending ICMP pings to a list of specified IP addresses. For each entry in the netwatch table you can specify the IP address, the ping interval and timeout, and the console scripts to run.

The main advantage of netwatch is the ability to issue arbitrary console commands on host state changes. Here is an example netwatch configuration. It runs the scripts gw_1 or gw_2, which change the default gateway depending on the status of one of the gateways:

[MikroTik] system script>
add name=gw_1 source={/ip route set [/ip route find dst 0.0.0.0] gateway 10.0.0.1}
add name=gw_2 source={/ip route set [/ip route find dst 0.0.0.0] gateway 10.0.0.217}
[MikroTik] system script> /tool netwatch
add host=10.0.0.217 interval=10s timeout=998ms up-script=gw_2 down-script=gw_1
[MikroTik] tool netwatch> print                                                
Flags: X - disabled 
  #   HOST            TIMEOUT              INTERVAL             STATUS 
  0   10.0.0.217      997ms                10s                  up     
[MikroTik] tool netwatch> print detail                                         
Flags: X - disabled 
  0   host=10.0.0.217 timeout=997ms interval=10s since=mar/22/2002 11:21:03 
      status=up up-script=gw_2 down-script=gw_1 

[MikroTik] tool netwatch>

Argument description:

host - IP address of the host that should be monitored
interval - Time between pings. Lowering this makes state changes more responsive, but can create unnecessary traffic and consume system resources.
timeout - Timeout for each ping. If no reply from the host is received within this time, the host is considered unreachable ("down").
up-script - Console script that is executed once when the state of the host changes from "unknown" or "down" to "up".
down-script - Console script that is executed once when the state of the host changes from "unknown" or "up" to "down".
since - Time when the state of the host last changed.
status - Current status of the host (up / down / unknown). The state of the host changes to "unknown" when any property of this list entry is changed, or when the entry is enabled or disabled. Any newly added entry also has the state "unknown" initially.

Hint: scripts are not printed by default; to see them, type 'print detail'.

Without scripts, netwatch can be used just as an information tool to see which links are up, or which specific hosts are running at the moment.

Let's look at the example above: it changes the default route if the gateway becomes unreachable. How is it done? There are two scripts. The script "gw_2" is executed once when the status of the host changes to "up". In our case, it's equivalent to entering this console command:

[MikroTik] > /ip route set [/ip route find dst 0.0.0.0] gateway 10.0.0.217

The "/ip route find dst 0.0.0.0" command returns the list of all routes whose "dst-address" value is zero. Usually that's the default route. It is substituted as the first argument to the "/ip route set" command, which changes the gateway of this route to 10.0.0.217.

The script "gw_1" is executed once when status of host becomes "down". It does the following:

[MikroTik] > /ip route set [/ip route find dst 0.0.0.0] gateway 10.0.0.1

It changes the default gateway to 10.0.0.1 if the 10.0.0.217 address has become unreachable.
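To make the transition rules concrete, here is an added Python model of the netwatch behaviour described in the argument descriptions and in the gw_1/gw_2 example above; it is not RouterOS code, the RouteTable class stands in for /ip route, and ping results are supplied by the caller instead of being sent on the wire.

```python
"""Model of the netwatch behaviour described in the manual (added example,
not RouterOS code): each entry starts as "unknown", a ping reply moves it to
"up" and a missed reply to "down", the up-script/down-script run once per
transition, and changing any property resets the entry to "unknown".
"""
from typing import Callable, Dict, List, Optional

Script = Callable[[], None]


class RouteTable:
    """Minimal stand-in for /ip route: holds the gateway of the default route."""

    def __init__(self, gateway: str) -> None:
        self.default_gateway = gateway

    def set_default_gateway(self, gateway: str) -> None:
        # Same effect as: /ip route set [/ip route find dst 0.0.0.0] gateway <gw>
        self.default_gateway = gateway


class NetwatchEntry:
    """One /tool netwatch entry; the caller feeds in the result of each ping."""

    def __init__(self, host: str, up_script: Optional[Script] = None,
                 down_script: Optional[Script] = None) -> None:
        self.host = host
        self.up_script = up_script
        self.down_script = down_script
        self.status = "unknown"      # every newly added entry starts as "unknown"

    def set_property(self, name: str, value: object) -> None:
        """Changing a property (or enabling/disabling) resets the state to "unknown".

        Consequence worth knowing: the next ping after an edit fires the
        up-script or down-script again, even if the host never changed state.
        """
        setattr(self, name, value)
        self.status = "unknown"

    def poll(self, reply_received: bool) -> Optional[str]:
        """Process one ping; no reply within the timeout counts as "down".

        Returns "up-script" or "down-script" for the transition that fired,
        or None when the state did not change: scripts run once per
        transition, not once per ping.
        """
        new_status = "up" if reply_received else "down"
        if new_status == self.status:
            return None
        self.status = new_status
        script = self.up_script if new_status == "up" else self.down_script
        if script is not None:
            script()
        return "up-script" if new_status == "up" else "down-script"


def failover_trace(replies: List[bool]) -> Dict[str, object]:
    """Replay ping results for 10.0.0.217 against the gw_1/gw_2 example."""
    routes = RouteTable(gateway="10.0.0.1")

    def gw_2() -> None:                  # up-script from the example
        routes.set_default_gateway("10.0.0.217")

    def gw_1() -> None:                  # down-script from the example
        routes.set_default_gateway("10.0.0.1")

    entry = NetwatchEntry("10.0.0.217", up_script=gw_2, down_script=gw_1)
    fired = [entry.poll(reply) for reply in replies]
    return {"fired": fired, "gateway": routes.default_gateway, "status": entry.status}


if __name__ == "__main__":
    # A gateway that answers, misses two pings in a row, then recovers.
    print(failover_trace([True, True, False, False, True]))
```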

Here's another example that sends an e-mail notification whenever the 10.0.0.215 host goes down:

[MikroTik] system script>
add name=e-down source={/tool e-mail send from="rieks@mt.lv" server=\
                 "159.148.147.198" body="Router down" subject="Router at \
                 second floor is down" to="rieks@latnet.lv"}
add name=e-up source={/tool e-mail send from="rieks@mt.lv" server=\
                 "159.148.147.198" body="Router up" subject="Router at \
                 second floor is up" to="rieks@latnet.lv"}
[MikroTik] system script>
[MikroTik] system script> /tool netwatch
[MikroTik] tool netwatch>
add host=10.0.0.215 timeout=999ms interval=20s \
up-script=e-up down-script=e-down
[MikroTik] tool netwatch> print detail                                         
Flags: X - disabled 
  0   host=10.0.0.215 timeout=998ms interval=20s since=mar/22/2002 14:07:36 
      status=up up-script=e-up down-script=e-down 

[MikroTik] tool netwatch> 


© Copyright 1999-2001, MikroTik

MikroTik RouterOS SSH Installation and Usage

Document revision 31-Jan-2002
This document applies to the MikroTik RouterOS V2.5

Overview

The SSH feature can be used with various SSH Telnet clients to securely connect to and administer the router.

The MikroTik RouterOS supports:

The MikroTik RouterOS has been tested with the following SSH telnet terminals:

Contents of the Manual

The following topics are covered in this manual:

Installation

The 'ssh-2.x.npk' package (less than 1MB) is required for the installation of SSH. The package can be downloaded from MikroTik's web page www.mikrotik.com. To install the package, please upload it to the router with ftp and reboot. No additional settings are required. You can check whether the SSH package is installed with the command:

[MikroTik] > system package print                                              
Flags: I - invalid 
  #   NAME                  VERSION              BUILD-TIME           UNINSTALL
  0   routing               2.5                  jan/30/2002 10:43:38 no       
  1   pppoe                 2.5                  jan/30/2002 10:37:47 no       
  2   ssh                   2.5                  jan/30/2002 10:33:52 no       
  3   system                2.5                  jan/30/2002 10:31:32 no       
  4   snmp                  2.5                  jan/30/2002 10:32:13 no       
  5   ppp                   2.5                  jan/30/2002 10:36:03 no       
  6   pptp                  2.5                  jan/30/2002 10:36:42 no       
  7   aironet               2.5                  jan/30/2002 10:39:05 no       
  8   prism                 2.5                  jan/30/2002 15:51:12 no       
[MikroTik] >    

Line 2 shows that the SSH package is installed.

Hardware Resource Usage

The uncompressed package will use approximately 1MB of additional Flash/HD IDE memory. A minimum amount of additional RAM is used. No hardware upgrades are suggested.

Suggested Windows Client Setup

PuTTY is a free Windows (all Windows) SSH client which needs no complex installation. It is one .exe file which can be downloaded and run.

Download this program from the MikroTik utilities download page or http://www.chiark.greenend.org.uk/~sgtatham/putty.html (suggested for the most recent program version).

Simple instructions:

  1. After downloading, run the program.
  2. Set the connection type to SSH.
  3. On the first connection to the router a Security Alert will notify you that the server's host key is not in the registry. Answer 'YES' to trust this server.
  4. The normal router login will not be displayed. Instead, 'login as:' and 'name@xxx.xxx.xxx.xxx's password:' will appear.
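Step 3 trusts whatever host key the server presents, so before answering 'YES' it is worth comparing the fingerprint PuTTY shows with one computed from the router's own host key file (the ssh_host_dsa_key.pub file seen in the /file print listing elsewhere in this manual), obtained over a trusted path such as the console. The following Python is an added example, not PuTTY's or RouterOS's code; it assumes that file is in the OpenSSH one-line public key format, and its sample key is constructed.

```python
"""Fingerprint of an OpenSSH-format public key line (added example)."""
import base64
import hashlib
import struct
from typing import List, Tuple


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_public_key_line(key_type: str, fields: List[bytes], comment: str) -> str:
    """Assemble '<type> <base64 blob> <comment>' from blob fields.

    Used here only to construct sample data; a real key file already has
    this shape.
    """
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def parse_public_key_line(line: str) -> Tuple[str, bytes]:
    """Return (key type, raw blob), rejecting a blob whose embedded type
    differs from the type word on the line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + type_len].decode("ascii", errors="replace")
    if embedded != key_type:
        raise ValueError(f"line says {key_type!r} but blob says {embedded!r}")
    return key_type, blob


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the form PuTTY and ssh displayed in 2002."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Newer 'SHA256:<unpadded base64>' fingerprint shown by current clients."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprints(line: str) -> Tuple[str, str, str]:
    """Key type, MD5 fingerprint and SHA256 fingerprint of a public key line."""
    key_type, blob = parse_public_key_line(line)
    return key_type, fingerprint_md5(blob), fingerprint_sha256(blob)


# Constructed sample: an ssh-rsa blob with toy e and n values, not a usable key.
SAMPLE_KEY_LINE = build_public_key_line(
    "ssh-rsa", [b"\x01\x00\x01", b"\x00\xc3\x5d\x71\x9a"], "sample-router-key")

if __name__ == "__main__":
    kind, md5_fp, sha_fp = fingerprints(SAMPLE_KEY_LINE)
    print(kind, md5_fp, sha_fp)
```

Run it against the contents of the router's public host key file and compare the MD5 line with the one in PuTTY's alert; any difference means the connection is not reaching the router you expect.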

Suggested UNIX/Linux Client Setup

No client installation is needed on standard Linux distributions. The command ssh -l [username] [router address] will initiate a connection.

Additional Resources

Links for Windows Client:

http://www.zip.com.au/~roca/ttssh.html
http://www.chiark.greenend.org.uk/~sgtatham/putty.html
http://www.massconfusion.com/ssh/
http://telneat.lipetsk.ru/
http://support.jgaa.com/?cmd=ShowArticle&ID=11
http://akson.sgh.waw.pl/~chopin/ssh/index_en.html
http://cs.mscd.edu/MSSH/index.html
http://www.networksimplicity.com/openssh/

Other links:

http://www.openssh.com/
http://www.freessh.org/


© Copyright 1999-2002, MikroTik

MikroTik RouterOS Software Package Installation and Upgrading

Document revision 31-Jan-2002
This document applies to the MikroTik RouterOS V2.5

Overview

The MikroTik RouterOS consists of a formatted HDD specific to our installation and of software packages. The main package is the system software package, which provides the basic functionality of the router. Additional software packages can be installed that provide special support, e.g., PPPoE, PPTP, PPP, wireless, etc.

Features

The modular software package system of MikroTik RouterOS has the following features:

Contents of the Manual

The following sections are included in this Manual:

Software Upgrade Instructions

Upgrading of the MikroTik RouterOS can be done by uploading the newer version software packages to the router and rebooting it.

Note! The Free Demo Licence does not allow software upgrades by ftp. You should use a complete reinstall from floppies, or purchase the license.

Before upgrading the router please check the current version of the system software and of the additional software packages. The version of the MikroTik RouterOS system software (and the build number) are shown before the console login prompt, for example:

MikroTik v2.5
Login:

Information about the version numbers and build time of the installed MikroTik RouterOS software packages can be obtained using the /system package print command, for example:

[MikroTik] > system package print                                              
Flags: I - invalid 
  #   NAME                  VERSION              BUILD-TIME           UNINSTALL
  0   routing               2.5rc4               jan/30/2002 10:43:38 no       
  1   pppoe                 2.5rc4               jan/30/2002 10:37:47 no       
  2   ssh                   2.5rc4               jan/30/2002 10:33:52 no       
  3   system                2.5rc4               jan/30/2002 10:31:32 no       
  4   snmp                  2.5rc4               jan/30/2002 10:32:13 no       
  5   ppp                   2.5rc4               jan/30/2002 10:36:03 no       
  6   pptp                  2.5rc4               jan/30/2002 10:36:42 no       
  7   aironet               2.5rc4               jan/30/2002 10:39:05 no       
  8   prism                 2.5rc4               jan/30/2002 15:51:12 no       
[MikroTik] >    

The list shows the number, name, version, and build time of the installed software packages. If the functions provided by a software package are not required for the router implementation, the package can be marked for uninstalling at the next shutdown/reboot of the router. Use the /system package set command to mark the packages for uninstallation:

[MikroTik] > system package set 0 uninstall=yes                                
[MikroTik] > system package print                                              
Flags: I - invalid 
  #   NAME                  VERSION              BUILD-TIME           UNINSTALL
  0   routing               2.5rc4               jan/30/2002 10:43:38 yes      
  1   pppoe                 2.5rc4               jan/30/2002 10:37:47 no       
  2   ssh                   2.5rc4               jan/30/2002 10:33:52 no       
  3   system                2.5rc4               jan/30/2002 10:31:32 no       
  4   snmp                  2.5rc4               jan/30/2002 10:32:13 no       
  5   ppp                   2.5rc4               jan/30/2002 10:36:03 no       
  6   pptp                  2.5rc4               jan/30/2002 10:36:42 no       
  7   aironet               2.5rc4               jan/30/2002 10:39:05 no       
  8   prism                 2.5rc4               jan/30/2002 15:51:12 no       
[MikroTik] >   

If a package is marked for uninstallation, but it is required by another (dependent) package, then the marked package cannot be uninstalled. For example, the ppp package won't be uninstalled if the pptp package is installed. You should uninstall the dependent package too. For package dependencies see the section about the contents of the software packages below. The system package won't be uninstalled even if marked for uninstallation.

Software Package Installation Instructions

The software package files are compressed binary files, which can be downloaded from the Download section of MikroTik's web page www.mikrotik.com. The full name of the package file consists of a descriptive name, version number, and file extension '.npk', for example 'system-2.5.npk', 'ppp-2.5.npk', 'pppoe-2.5.npk', etc. To install (upgrade) a newer version of the MikroTik RouterOS system software please follow the upgrade instructions below:

Example output of the /file print command:

[MikroTik] > file print                                                        
  # NAME                                TYPE    SIZE       CREATION-TIME       
  0 ssh_host_key.pub                    unknown 332        jan/23/2002 18:45:02
  1 ssh_host_dsa_key.pub                unknown 603        jan/23/2002 18:45:08
  2 cyclades-2.5rc4.npk                 package 114321     jan/31/2002 17:45:27
  3 framerelay-2.5rc4.npk               package 94632      jan/31/2002 17:45:29
[MikroTik] >  

The installation/upgrade process is shown on the console screen (monitor) attached to the router. After successful installation the software packages are shown on the output list of the /system package print command.

Note! The versions of packages should match the version number of the system software package.

Contents of the Software Packages

System Software Package

The system software package provides the basic functionality of the MikroTik RouterOS, namely: After installing the MikroTik RouterOS, a license should be obtained from MikroTik to enable the basic system functionality.

Additional Software Feature Packages

The table below shows additional software feature packages, the provided functionality, the required prerequisites and additional licenses, if any.
(Name - Contents. Prerequisites. Additional license.)

advanced-tools - Provides network monitor and support for other advanced tools. Prerequisites: none. Additional license: none.
aironet - Provides support for CISCO Aironet IEEE 802.11 wireless PC/PCI/ISA cards. Prerequisites: none. Additional license: 2.4GHz wireless.
arlan - Provides support for DSSS 2.4GHz 2mbps Aironet ISA cards. Prerequisites: none. Additional license: 2.4GHz wireless.
bgp - Provides BGP support. Prerequisites: none. Additional license: none.
cyclades - Provides support for PC300 synchronous interfaces. Prerequisites: none. Additional license: synchronous.
ddns - Provides dynamic DNS support. Prerequisites: none. Additional license: none.
dhcp - Provides DHCP server and client support. Prerequisites: none. Additional license: none.
farsync - Provides support for FarSync interfaces. Prerequisites: none. Additional license: synchronous.
framerelay - Provides support for frame relay (used with Moxa C101, Cyclades PC300, or FarSync interfaces). Prerequisites: none. Additional license: none.
isdn - Provides support for ISDN. Prerequisites: ppp. Additional license: none.
lcd - Provides LCD monitor support. Prerequisites: none. Additional license: none.
lmc-wan - Provides support for LMC synchronous cards. Prerequisites: none. Additional license: synchronous.
moxa-c101 - Provides support for Moxa C101 synchronous card. Prerequisites: none. Additional license: synchronous.
ntp - Provides network time protocol support. Prerequisites: none. Additional license: none.
ppp - Provides asynchronous PPP support. Prerequisites: none. Additional license: none.
pppoe - Provides PPPoE support. Prerequisites: ppp. Additional license: none.
pptp - Provides PPTP support. Prerequisites: ppp. Additional license: none.
prism - Provides support for Prism II chipset based IEEE 802.11 wireless cards as clients or as access points. Prerequisites: none. Additional license: 2.4GHz wireless (station mode); 2.4GHz wireless and Prism II AP (AP mode).
radiolan - Provides support for 5.8GHz RadioLAN ISA cards. Prerequisites: none. Additional license: radiolan.
routing - Provides RIP & OSPF support. Prerequisites: none. Additional license: none.
snmp - Provides read only SNMP support. Prerequisites: none. Additional license: none.
ssh - Provides remote access via SSH. Prerequisites: none. Additional license: none.
telephony - Provides IP telephony support (H.323) for Quicknet cards. Prerequisites: none. Additional license: none.
ups - Provides APC Smart Mode UPS support. Prerequisites: none. Additional license: none.
wavelan - Provides support for Lucent WaveLAN IEEE 802.11 wireless cards. Prerequisites: none. Additional license: 2.4GHz wireless.
web-proxy - Provides squid based web proxy support. Prerequisites: none. Additional license: none.

If additional license is required to enable the functionality of a software package, the license should be obtained for the Software ID of your system. The new key should be entered using the /system license set key command, and the router should be rebooted afterwards:

[MikroTik] system license> print                                               
      software-id: TPNG-SXN
              key: 2C6A-YUE-3H2
    upgradable-to: may/01/2002
[MikroTik] system license> feature print                                       
Flags: X - disabled 
  #   FEATURE                                                                  
  0 X AP                                                                       
  1 X synchronous                                                              
  2 X radiolan                                                                 
  3 X wireless-2.4gHz                                                          
  4   licensed                                                                 
[MikroTik] system license> set key=D45G-IJ6-QM3                                
[MikroTik] system license> /system reboot
Reboot, yes? [y/N]: y
system will reboot shortly

If there is no appropriate license, the corresponding interfaces won't show up under the interface list, even though the packages can be installed on the MikroTik RouterOS and the corresponding drivers loaded.

Software Package Resource Usage

The following table shows the required HDD storage and RAM resources for the various software packages. The total required storage space can be calculated by adding together the required storage of all installed packages, including the system software package.

Name         RAM usage, MB   HDD storage, MB
system       16.5            16.0
routing       0.6             1.2
snmp          0.6             0.5
ssh           1.0             1.2
lcd           0.4             0.1
ups           0.5             0.2
ppp           2.0             0.8
pptp          1.3             0.3
pppoe         1.2             0.4
isdn          2.4             1.0
telephony     4.8             4.5
framerelay    0.1             0.1
moxa-c101     0.8             0.1
lmc-wan       0.8             0.1
cyclades      0.8             0.1
aironet       1.1             0.2
arlan         0.8             0.1
wavelan       1.1             0.1
radiolan      0.8             0.2
prism         1.3             0.5
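The version rule, the dependency rule for uninstallation and the storage table above combine into a preflight check that can be run before uploading packages. The following Python is an added example, not RouterOS code; its prerequisite and storage data are taken from the two tables above, and a package absent from them is assumed to have no prerequisites and no known size.

```python
"""Preflight checks for a set of RouterOS .npk packages, following the rules
stated in this manual: package versions must match the system package
version, a package marked uninstall=yes is removed only if no remaining
package depends on it, and the system package is never removed.
Added example, not RouterOS code.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Prerequisites from the package table above (only three packages have one).
PREREQUISITES: Dict[str, Set[str]] = {"isdn": {"ppp"}, "pppoe": {"ppp"}, "pptp": {"ppp"}}

# HDD storage per package, MB, from the resource table above.
HDD_MB: Dict[str, float] = {
    "system": 16.0, "routing": 1.2, "snmp": 0.5, "ssh": 1.2, "lcd": 0.1,
    "ups": 0.2, "ppp": 0.8, "pptp": 0.3, "pppoe": 0.4, "isdn": 1.0,
    "telephony": 4.5, "framerelay": 0.1, "moxa-c101": 0.1, "lmc-wan": 0.1,
    "cyclades": 0.1, "aironet": 0.2, "arlan": 0.1, "wavelan": 0.1,
    "radiolan": 0.2, "prism": 0.5,
}


def parse_npk_name(filename: str) -> Tuple[str, str]:
    """'ppp-2.5.npk' -> ('ppp', '2.5'). Split on the last dash, because
    package names such as moxa-c101 and lmc-wan contain dashes themselves."""
    if not filename.endswith(".npk"):
        raise ValueError(f"not a package file: {filename}")
    name, dash, version = filename[:-len(".npk")].rpartition("-")
    if not dash or not name or not version:
        raise ValueError(f"expected <name>-<version>.npk: {filename}")
    return name, version


def version_mismatches(filenames: Iterable[str]) -> List[str]:
    """Packages whose version differs from the system package's version."""
    versions = dict(parse_npk_name(f) for f in filenames)
    if "system" not in versions:
        raise ValueError("system package not in the upload set")
    return sorted(n for n, v in versions.items() if v != versions["system"])


def missing_prerequisites(installed: Set[str]) -> Dict[str, Set[str]]:
    """Installed packages whose prerequisite package is absent."""
    return {p: PREREQUISITES[p] - installed for p in sorted(installed)
            if PREREQUISITES.get(p, set()) - installed}


def resolve_uninstall(installed: Set[str], marked: Set[str]) -> Set[str]:
    """Packages that will actually be removed at the next reboot.

    Iterates to a fixpoint: a marked package goes only once no remaining
    package lists it as a prerequisite, so marking ppp alone while pptp is
    installed removes nothing, while marking both removes both. The system
    package is skipped regardless of its mark.
    """
    remaining = set(installed)
    removed: Set[str] = set()
    progress = True
    while progress:
        progress = False
        for pkg in sorted((remaining & marked) - {"system"}):
            dependents = {d for d in remaining if pkg in PREREQUISITES.get(d, set())}
            if not dependents:
                remaining.discard(pkg)
                removed.add(pkg)
                progress = True
    return removed


def storage_mb(installed: Iterable[str]) -> float:
    """Total HDD storage of the listed packages, per the resource table."""
    return round(sum(HDD_MB.get(p, 0.0) for p in installed), 1)


if __name__ == "__main__":
    upload = ["system-2.5.npk", "ppp-2.5.npk", "pptp-2.5rc4.npk"]
    print("version mismatches:", version_mismatches(upload))
    print("removed at reboot:", resolve_uninstall({"system", "ppp", "pptp"}, {"ppp"}))
```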

Troubleshooting


© Copyright 1999-2002, MikroTik

MikroTik RouterOS Device Driver Management

Document revision 31-Jan-2002
This document applies to the MikroTik RouterOS V2.5

Overview

Device drivers represent the software interface part of installed network devices. For example, the MikroTik RouterOS includes device drivers for NE2000 compatible Ethernet cards and other network devices. Device drivers are included in the system software package and in the additional feature packages.

The device drivers for PCI and PC cards are loaded automatically. Other network interface cards (most ISA and ISDN PCI cards) require the device drivers loaded manually by using the /driver add command.

Users cannot add their own device drivers. Only drivers included in the MikroTik RouterOS software packages can be used. If you need a device driver for a device which is not supported by the MikroTik RouterOS, please suggest it on the suggestion page of our web site.

Contents of the Manual

The following topics are covered in this manual:

Loading Device Drivers

The drivers for PCI and PCMCIA cards (except the ISDN cards) are loaded automatically at the system startup. Use the /driver print command to see the list of loaded drivers:

[MikroTik] driver> print                                                       
Flags: I - invalid, D - dynamic 
  #   DRIVER                            IRQ IO         MEMORY     ISDN-PROTOCOL
  0 D RealTek RTL8129/8139                                                     
[MikroTik] driver>

As we see, the driver for the Realtek PCI card has been loaded automatically.

If a driver needs to be loaded manually, use the /driver add command. The syntax of the command is:

[MikroTik] > driver add ?                                                        
Load driver name [irq IRQ] [io IO range start] [mem shared memory]. 

      copy-from  item number
             io  IO port base address
            irq  IRQ number
  isdn-protocol  ISDN line protocol
         memory  Shared Memory base address
           name  Driver name
[MikroTik] >

If hexadecimal values are used for the arguments, put 0x before the number. To see the list of available drivers, enter the /driver add name ? command:

[MikroTik] driver> add name=?
Name of driver to load. 

     3c509  3com 3c509 ISA
  ne2k-isa  ISA NE2000
[MikroTik] driver> add name=ne2k-isa io 0x280                                  
[MikroTik] driver> print                                                       
Flags: I - invalid, D - dynamic 
  #   DRIVER                            IRQ IO         MEMORY     ISDN-PROTOCOL
  0 D RealTek RTL8129/8139                                                     
  1   ISA NE2000                            280                                
[MikroTik] driver> 

To see the system resources occupied by the devices, use the '/system resource io print' and '/system resource irq print' commands:

[MikroTik] system resource> irq print                                          
 IRQ USED OWNER                                                                 
 1   yes  keyboard                                                              
 2   yes  APIC                                                                  
 3   no                                                                         
 4   yes  serial port                                                           
 5   no                                                                         
 6   no                                                                         
 7   no                                                                         
 8   no                                                                         
 9   no                                                                         
 10  yes  Public                                                                
 11  yes  Local                                                                 
 12  no                                                                         
 13  yes  FPU                                                                   
 14  yes  IDE 1                                                                 
 15  yes  PCMCIA service                                                        
[MikroTik] system resource> io print                                           
 PORT-RANGE            OWNER                                                    
 20-3F                 APIC                                                     
 40-5F                 timer                                                    
 60-6F                 keyboard                                                 
 80-8F                 DMA                                                      
 A0-BF                 APIC                                                     
 C0-DF                 DMA                                                      
 F0-FF                 FPU                                                      
 1F0-1F7               IDE 1                                                    
 2F8-2FF               serial port                                              
 3C0-3DF               VGA                                                      
 3E0-3E1               PCMCIA service                                           
 3F6-3F6               IDE 1                                                    
 3F8-3FF               serial port                                              
 4000-4007             IDE 1                                                    
 4008-400F             IDE 2                                                    
 6300-631F             Local                                                    
 6700-67FF             Public                                                   
[MikroTik] system resource>  

Note that the resource list shows the interfaces only if they are enabled!

Removing Device Drivers

Use the '/driver remove' command to remove device drivers. Unloading a device driver is useful when changing network devices: it saves system resources by not keeping drivers loaded for devices that have been removed from the system. A device driver needs to be removed and loaded again if some parameter (memory range, I/O base address) has been changed for the adapter card. Device drivers can be removed only if the corresponding interface has been disabled.

List of Drivers

The list of device drivers included in the system software package is given below:

ISA Drivers

Drivers for ISA cards should be loaded manually.

PCI Drivers

Drivers for PCI cards are loaded automatically, if the relevant interface card is installed, and it does not have hardware conflicts. The list of PCI drivers is below:

For the list of drivers included in additional feature software packages, please see the manual of the relevant software package.

Troubleshooting


© Copyright 1999-2002, MikroTik

MikroTik RouterOS Ethernet Interfaces

Document revision 31-Jan-2002
This document applies to the MikroTik RouterOS V2.5

Overview

MikroTik RouterOS supports the following types of Ethernet Network Interface Cards: The complete list of supported Ethernet NICs can be found in the Device Driver Management Manual.

Contents of the Manual

The following topics are covered in this manual:

Ethernet Adapter Hardware and Software Installation

Software Packages

The drivers for Ethernet NICs are included in the 'system' package. No installation of other packages is needed.

Software License

The license for Ethernet NICs is included in the Basic License. No additional license is needed.

System Resource Usage

Before installing the Ethernet adapter, please check the availability of free IRQs and I/O base addresses:

[MikroTik] > system resource irq print                                         
 IRQ USED OWNER                                                                 
 1   yes  keyboard                                                              
 2   yes  APIC                                                                  
 3   no                                                                         
 4   yes  serial port                                                           
 5   yes  PCMCIA service                                                        
 6   no                                                                         
 7   no                                                                         
 8   no                                                                         
 9   no                                                                         
 10  yes  [e1000]                                                               
 11  yes  ether3                                                                
 12  yes  ether1                                                                
 13  yes  FPU                                                                   
 14  yes  IDE 1                                                                 
[MikroTik] > system resource io print                                          
 PORT-RANGE            OWNER                                                    
 20-3F                 APIC                                                     
 40-5F                 timer                                                    
 60-6F                 keyboard                                                 
 80-8F                 DMA                                                      
 A0-BF                 APIC                                                     
 C0-DF                 DMA                                                      
 F0-FF                 FPU                                                      
 1F0-1F7               IDE 1                                                    
 2F8-2FF               serial port                                              
 3C0-3DF               VGA                                                      
 3F6-3F6               IDE 1                                                    
 3F8-3FF               serial port                                              
 9400-94FF             ether1                                                   
 F000-F007             IDE 1                                                    
 F008-F00F             IDE 2                                                    
[MikroTik] >      
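As an added example (not RouterOS code) serving both this section and the Device Driver Management section above, the following Python parses the two listings just shown and reports whether the IRQ and I/O window an ISA card needs are free; the 32-port window size used for the NE2000 card is an assumption of the example, and the sample tables are copied from the listing above.

```python
"""Check a requested IRQ and I/O port window against the output of
/system resource irq print and /system resource io print (added example,
not RouterOS code). The tables below are the listing from this manual.
"""
from typing import Dict, List, Optional, Tuple

IRQ_PRINT = """\
 IRQ USED OWNER
 1   yes  keyboard
 2   yes  APIC
 3   no
 4   yes  serial port
 5   yes  PCMCIA service
 6   no
 7   no
 8   no
 9   no
 10  yes  [e1000]
 11  yes  ether3
 12  yes  ether1
 13  yes  FPU
 14  yes  IDE 1
"""

IO_PRINT = """\
 PORT-RANGE            OWNER
 20-3F                 APIC
 40-5F                 timer
 60-6F                 keyboard
 80-8F                 DMA
 A0-BF                 APIC
 C0-DF                 DMA
 F0-FF                 FPU
 1F0-1F7               IDE 1
 2F8-2FF               serial port
 3C0-3DF               VGA
 3F6-3F6               IDE 1
 3F8-3FF               serial port
 9400-94FF             ether1
 F000-F007             IDE 1
 F008-F00F             IDE 2
"""


def parse_irq_table(text: str) -> Dict[int, Optional[str]]:
    """Map IRQ number -> owner, or None when the IRQ is reported as free."""
    table: Dict[int, Optional[str]] = {}
    for line in text.splitlines()[1:]:          # skip the column header
        parts = line.split(maxsplit=2)
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        irq, used = int(parts[0]), parts[1] == "yes"
        table[irq] = (parts[2].strip() if len(parts) == 3 else "(unnamed)") if used else None
    return table


def parse_io_table(text: str) -> List[Tuple[int, int, str]]:
    """Parse 'LO-HI OWNER' lines (hex, inclusive ranges) into (lo, hi, owner)."""
    ranges: List[Tuple[int, int, str]] = []
    for line in text.splitlines()[1:]:
        parts = line.split(maxsplit=1)
        if len(parts) < 2 or "-" not in parts[0]:
            continue
        lo_hex, hi_hex = parts[0].split("-", 1)
        ranges.append((int(lo_hex, 16), int(hi_hex, 16), parts[1].strip()))
    return ranges


def io_conflicts(base: int, size: int, ranges: List[Tuple[int, int, str]]) -> List[str]:
    """Owners whose port range overlaps the window [base, base + size - 1]."""
    lo, hi = base, base + size - 1
    return [f"{rlo:X}-{rhi:X} {owner}" for rlo, rhi, owner in ranges
            if rlo <= hi and rhi >= lo]


def check_isa_card(irq: int, io_base: int, io_size: int = 0x20,
                   irq_text: str = IRQ_PRINT, io_text: str = IO_PRINT) -> Dict[str, object]:
    """Report whether the requested IRQ and I/O window are free.

    io_size=0x20 assumes an NE2000-style 32-port window. Caveat from the
    manual: disabled interfaces do not appear in these listings, so a window
    reported free here may still be claimed once an interface is enabled.
    """
    irq_table = parse_irq_table(irq_text)
    irq_owner = irq_table.get(irq)
    return {
        "irq_free": irq in irq_table and irq_owner is None,
        "irq_owner": irq_owner,
        "io_conflicts": io_conflicts(io_base, io_size, parse_io_table(io_text)),
    }


if __name__ == "__main__":
    # The manual's own example: ne2k-isa at io=0x300, here paired with IRQ 3.
    print(check_isa_card(irq=3, io_base=0x300))
```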

Loading the Driver

PCI adapters do not require a 'manual' driver loading, since they are recognized automatically by the system and the driver is loaded at the system startup.

ISA adapters require the driver to be loaded by issuing the following command:

[MikroTik] driver> add name=ne2k-isa io=0x300                                       
[MikroTik] driver> print                                                       
Flags: I - invalid, D - dynamic 
  #   DRIVER                            IRQ IO         MEMORY     ISDN-PROTOCOL
  0 D RealTek RTL8129/8139                                                     
  1 D NationalSemiconductors 83820                                             
  2 D Intel PRO 1000 Server Adaper                                             
  3   ISA NE2000                            0x300
[MikroTik] driver> 

There can be several reasons for a failure to load the driver:

Ethernet Interface Configuration

If the driver has been loaded successfully (no error messages), then the Ethernet interface should appear under the interfaces list with the name etherX, where X is 1,2,... You can change the interface name to a more descriptive one using the 'set' command. To enable the interface, use the 'enable' command:

[MikroTik] interface > print
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0 X ether1               1500  ether                                         
  1   ether2               1500  ether                                         
  2 X ether3               1500  ether                                         
[MikroTik] interface> enable 0                                                  
[MikroTik] interface> enable ether3                                             
[MikroTik] interface> print                                                    
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether1               1500  ether                                         
  1   ether2               1500  ether                                         
  2   ether3               1500  ether                                         
[MikroTik] interface> 

You can monitor the traffic passing through any interface using the /interface monitor-traffic command:

[MikroTik] interface> monitor-traffic ether2                                   
    received-packets-per-second: 271       
      received-bytes-per-second: 148.4kbps 
        sent-packets-per-second: 600       
          sent-bytes-per-second: 6.72Mbps  

[MikroTik] interface>  

For some Ethernet NICs it is possible to blink the LEDs for 10s. Type /interface ethernet blink ether1 and watch the NICs to see the one which has blinking LED.

For some Ethernet NICs it is possible to monitor the Ethernet status:

[MikroTik] interface ethernet> monitor ether3
              status: no-link  
    auto-negotiation: disabled 
                rate: 100Mbit  
          fullduplex: yes      

[MikroTik] interface ethernet> monitor ether1                                  
              status: no-link    
    auto-negotiation: incomplete 

[MikroTik] interface ethernet> monitor ether2                                  
              status: unknown 

[MikroTik] interface ethernet>  

Please see the IP Address manual on how to add IP addresses to the interfaces.


© Copyright 1999-2002, MikroTik

MikroTik RouterOS IP over IP (IPIP) Tunnel Interface

Document revision 31-Jan-2002
This document applies to the MikroTik RouterOS V2.5

Overview

The IPIP tunneling implementation on the MikroTik RouterOS is RFC 2003 compliant. IPIP is a simple protocol that encapsulates IP packets in IP to make a tunnel between two routers. The IPIP tunnel interface appears as an interface under the interfaces list. Many routers, including Cisco and Linux based ones, support this protocol. This protocol makes multiple network schemes possible.

Network setups with IPIP interfaces:

Contents of the Manual

The following topics are covered in this manual:

Installation

The IP over IP tunnel feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

This protocol uses a minimum of resources.

IPIP Interface and Protocol Description

An IPIP interface should be configured on two routers that have the possibility for an IP level connection and are RFC 2003 compliant. The IPIP tunnel may run over any connection that transports IP. Each IPIP tunnel interface can connect with one remote router which has a corresponding interface configured. An unlimited number of IPIP tunnels may be added to the router. For more details on IPIP tunnels, see RFC 2003.

IPIP Setup

IP over IP interface management can be accessed under the /interface ipip submenu.

You can add an IPIP tunnel interface using the /interface ipip add command:

[MikroTik_1] interface ipip> add name test_IPIP mtu 1480 local-address 10.5.8.169 remote-address 10.5.8.171
[MikroTik_1] interface ipip> print                                               
Flags: X - disabled 
  0 X name: test_IPIP mtu=1480 local-address=10.5.8.169  remote-address=10.5.8.171

[MikroTik_1] interface ipip> enable 0                                              
[MikroTik_1] interface ipip> print                                               
Flags: X - disabled 
  0   name=test_IPIP mtu=1480 local-address=10.5.8.169  remote-address=10.5.8.171

[MikroTik_1] interface ipip> 

Descriptions of settings:

name - Interface name for reference
mtu - Maximum Transmit Unit. Should be set to 1480 bytes (1500 minus the 20-byte outer IP header that the tunnel adds) so that encapsulated packets still fit a standard Ethernet frame without fragmentation. May be set to 1500 bytes if path MTU discovery is not working properly on the links.
local-address - Local address on router which sends IPIP traffic to the remote side.
remote-address - The IP address of the other side of the IPIP tunnel - may be any RFC 2003 compliant router.

Use /ip address add command to assign an IP address to the IPIP interface.

There is no authentication or 'state' for this interface: the router accepts any IPIP (protocol 4) packet whose outer source address matches remote-address, so a host that can spoof that address can inject packets into the tunnel, and the tunnel carries traffic in clear. Restrict incoming IPIP packets at the firewall to the expected peer address, and run traffic that needs confidentiality or authentication over an encrypted link instead. The bandwidth usage of the interface may be monitored with the 'monitor' feature from the 'interface' menu.

The router at the other end should have its local-address set to 10.5.8.171 and its remote-address set to the local-address of [MikroTik_1], i.e. 10.5.8.169.

IPIP CISCO Example

Our IPIP implementation has been tested with the Cisco 1005. Sample of the Cisco 1005 configuration. Note that the Cisco 'tunnel source' must equal the remote-address configured on the MikroTik side and 'tunnel destination' must equal the MikroTik local-address; with the source used below, [MikroTik_1] would need remote-address=10.5.8.179 instead of the 10.5.8.171 shown in the setup example:

interface Tunnel0
 ip address 10.3.0.1 255.255.255.0
 tunnel source 10.5.8.179
 tunnel destination 10.5.8.169
 tunnel mode ipip
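The following Python program is an added example, not MikroTik or Cisco code. It implements RFC 2003 encapsulation and a decapsulator that accepts only protocol-4 packets whose outer source is the configured peer, which is the same check a firewall rule in front of the tunnel performs. The addresses are the ones used in the setup example above; the inner packet is constructed. What it demonstrates is that the outer source address is the only thing the tunnel can check, so a packet injected with a spoofed peer address is indistinguishable from a genuine one.

```python
"""RFC 2003 IP-in-IP encapsulation with a peer-checked decapsulator (added example)."""
import socket
import struct

IPPROTO_IPIP = 4      # IP protocol number for IP-in-IP (RFC 2003)
IPV4_HDR_LEN = 20     # minimal IPv4 header, no options
TUNNEL_MTU = 1480     # 1500 minus the 20-byte outer header, as the manual recommends


def ip_checksum(data):
    """One's-complement checksum over an IPv4 header; a valid header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Build a minimal IPv4 packet (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(payload), 0, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def ipip_encapsulate(local, remote, inner):
    """Wrap a complete inner IP packet in an outer header carrying protocol 4."""
    if len(inner) > TUNNEL_MTU:
        raise ValueError("inner packet exceeds tunnel MTU %d" % TUNNEL_MTU)
    return build_ipv4(local, remote, IPPROTO_IPIP, inner)


def ipip_decapsulate(packet, expected_peer):
    """Return (inner_packet, "ok"), or (None, reason) when the outer packet is rejected.

    The only identity check available is the outer source address: this is what
    'no authentication' means for the interface.
    """
    if len(packet) < IPV4_HDR_LEN:
        return None, "truncated"
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < IPV4_HDR_LEN:
        return None, "not IPv4"
    if ip_checksum(packet[:ihl]) != 0:
        return None, "bad header checksum"
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto, src = packet[9], socket.inet_ntoa(packet[12:16])
    if proto != IPPROTO_IPIP:
        return None, "protocol %d is not IPIP" % proto
    if src != expected_peer:
        return None, "outer source %s is not the configured peer" % src
    inner = packet[ihl:total_len]
    if len(inner) < IPV4_HDR_LEN or inner[0] >> 4 != 4:
        return None, "inner payload is not an IPv4 packet"
    return inner, "ok"


def demo():
    """Constructed sample: a genuine tunnel packet and the same inner packet from a third host."""
    inner = build_ipv4("10.3.0.2", "10.3.0.1", 17, b"payload!")
    wire = ipip_encapsulate("10.5.8.171", "10.5.8.169", inner)
    accepted, _ = ipip_decapsulate(wire, expected_peer="10.5.8.171")
    spoofed = ipip_encapsulate("192.0.2.99", "10.5.8.169", inner)   # not the peer
    rejected, why = ipip_decapsulate(spoofed, expected_peer="10.5.8.171")
    return accepted == inner, rejected is None, why


if __name__ == "__main__":
    print(demo())
```

Note that a packet built with local="10.5.8.171" by any host on the path passes the same check; the decapsulator cannot tell it apart from the real peer's traffic.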

Additional Resources

Links for IPIP documentation:

http://www.ietf.org/rfc/rfc1853.txt?number=1853
http://www.ietf.org/rfc/rfc2003.txt?number=2003
http://www.ietf.org/rfc/rfc1241.txt?number=1241



MikroTik RouterOS Ethernet over IP (EoIP) Tunnel Interface

Document revision 31-Jan-2002
This document applies to the MikroTik RouterOS V2.5

Overview

Ethernet over IP (EoIP) Tunneling is a MikroTik RouterOS protocol that creates an Ethernet tunnel between two routers on top of an IP connection. The EoIP interface appears as an Ethernet interface. When the bridging function of the router is enabled, all Ethernet level traffic (all Ethernet protocols) will be bridged just as if there were a physical Ethernet interface and cable between the two routers (with bridging enabled). This protocol makes multiple network schemes possible.

Network setups with EoIP interfaces:


Installation

The Ethernet over IP tunnel feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

EoIP Interface and Protocol Description

An EoIP interface should be configured on two routers that can reach each other at the IP level. The EoIP tunnel may run over an IPIP tunnel, a PPTP 128-bit encrypted tunnel, a PPPoE connection, or any connection that transports IP.

Specific Properties:

EoIP Setup

EoIP interface management can be accessed under the /interface eoip submenu.

You can add an EoIP tunnel interface using the /interface eoip add command:

[MikroTik] interface eoip> add                                                 
Creates new item with specified property values.
             arp  Address Resolution Protocol
       copy-from  Item number
             mtu  Maximum Trasfer Unit
            name  New tunnel name
  remote-address  Remote address of tunnel
       tunnel-id  ID of tunnel
[MikroTik_1] interface eoip> add name to_mt2 tunnel-id 1 remote-address 10.5.8.1
[MikroTik_1] interface eoip> print                                               
Flags: X - disabled 
  0 X name=to_mt2 mtu=1500 arp=enabled tunnel-id=1 remote-address=10.5.8.1 

[MikroTik_1] interface eoip> enable 0                                              
[MikroTik_1] interface eoip> print                                               
Flags: X - disabled 
  0   name=to_mt2 mtu=1500 arp=enabled tunnel-id=1 remote-address=10.5.8.1
      mac-address=fe:fd:00:00:00:00

[MikroTik_1] interface eoip> 

Descriptions of settings:

name - Interface name for reference
mtu - Maximum Transmit Unit. Should be the default 1500 bytes.
mac-address - A default virtual MAC address is generated. It cannot be changed.
arp - Address resolution protocol (disabled / enabled / proxy-arp). Enabled by default.
tunnel-id - Should be a number from 0-16 which has not been used for another EoIP tunnel.
remote-address - The IP address of the other side of the EoIP tunnel – must be a MikroTik router.

For diagnostic purposes, you can assign an IP address to the EoIP interface.

The router at the other end should have the same tunnel-id value, and should have its remote-address set to the address of [MikroTik_1] from which the tunnel packets arrive.

There is no authentication or 'state' for this interface. Because the tunnel bridges raw Ethernet frames, any host that can deliver packets to the router with the peer's source address and the right tunnel-id can inject frames into the bridged LAN, and the frames travel in clear. This is why the application example below runs EoIP inside an encrypted PPTP tunnel and uses the PPTP addresses as the tunnel endpoints. The bandwidth usage of the interface may be monitored with the 'monitor' feature from the '/interface' menu.

EoIP Application Example

Let us assume we want to bridge two networks: 'Office LAN' and 'Remote LAN'. The networks are connected to an IP network through the routers [Our_GW] and [Remote]. The IP network can be a private intranet or the Internet. Both routers can communicate with each other through the IP network.

Our goal is to create a secure channel between the routers and bridge both networks through it. The network setup diagram is as follows:

To make a secure Ethernet bridge between two routers you should:

  1. Create a PPTP tunnel between them. Our_GW will be the static pptp server:

    [Our_GW] interface pptp-static-server>/user add name=joe group=ppp password=top_s3                                             
    [Our_GW] interface pptp-static-server>                                             
    add name="from_remote" client-address=192.168.2.1 mtu=1500 mru=1500 \
        local-address=10.0.0.1 remote-address=10.0.0.2 encryption=required 
    [Our_GW] interface pptp-static-server> enable from_remote
    [Our_GW] interface pptp-static-server> print                                              
    Flags: X - disabled 
      0   name=from_remote client-address=192.168.2.1 mtu=1500 mru=1500 pap=no chap=no 
          ms-chapv2=yes local-address=10.0.0.1 remote-address=10.0.0.2 idle-timeout=0s 
          session-timeout=0s encryption=required 
    
    [Our_GW] interface pptp-static-server>  
    

    The Remote router will be the pptp client:

    [Remote] interface pptp-client>                                                
    add name=pptp user=joe connect-to=192.168.1.1 mtu=1500 mru=1500 encryption=required
    [Remote] interface pptp-client> enable pptp
    [Remote] interface pptp-client> print                                                   
    Flags: X - disabled 
      0   name=pptp user=joe connect-to=192.168.1.1 mtu=1500 mru=1500 pap=no 
          chap=no ms-chapv2=yes idle-timeout=0s session-timeout=0s encryption=required 
          add-default-route=no 
    
    [Remote] interface pptp-client> monitor pptp                                       
          uptime: 39m19s              
        encoding: MPPE 128 bit, stateless 
          status: Connected               
    
    [Remote] interface pptp-client>                                                              
    

    See the PPTP Interface Manual for more details on setting up encrypted channels.

  2. Configure the EoIP tunnel by adding the eoip tunnel interfaces at both routers. Use the ip addresses of the pptp tunnel interfaces when specifying the argument values for the EoIP tunnel:

    [Our_GW] interface eoip>
    add name="eoip-remote" tunnel-id=0 remote-address=10.0.0.2 
    enable eoip-remote 
    [Our_GW] interface eoip> print                                                            
    Flags: X - disabled 
      0   name=eoip-remote mtu=1500 arp=enabled tunnel-id=0 remote-address=10.0.0.2 
    [Our_GW] interface eoip>                                                                  
    
    [Remote] interface eoip>
    add name="eoip" tunnel-id=0 remote-address=10.0.0.1
    enable eoip 
    [Remote] interface eoip> print                                                          
    Flags: X - disabled 
      0   name=eoip mtu=1500 arp=enabled tunnel-id=0 remote-address=10.0.0.1 
    
    [Remote] interface eoip>                                                                
    
  3. Enable bridging between the EoIP and Ethernet interfaces on both routers.

    [Our_GW] > /bridge print                                                                  
               ip: forward
              ipx: discard
        appletalk: discard
             ipv6: discard
              arp: forward
            other: forward
         priority: 1
    [Our_GW] > /bridge interface print                                                        
      # INTERFACE                                                 FORWARD
      0 eoip-remote                                               yes    
      1 office-eth                                                yes    
      2 isp                                                       no     
    [Our_GW] > interface print                                                                
    Flags: X - disabled, D - dynamic 
      #   NAME                 MTU   TYPE                                                    
      0   from_remote          1500  pptp-in                                                 
      1   eoip-remote          1500  eoip-tunnel                                             
      2   office-eth           1500  ether                                                   
      3   isp                  1500  ether                                                   
      4   bridge1              1500  bridge                                                  
    [Our_GW] >                                                                                
    
    [Remote] > bridge print                                                                 
               ip: forward
              ipx: discard
        appletalk: discard
             ipv6: discard
              arp: forward
            other: forward
         priority: 1
    [Remote] > bridge interface print                                                       
      # INTERFACE                                            FORWARD
      0 ether1                                               yes    
      1 adsl                                                 no     
      2 eoip                                                 yes    
    [Remote] > interface print                                                              
    Flags: X - disabled, D - dynamic 
      #   NAME                 MTU   TYPE                                                    
      0   ether1               1500  ether                                                   
      1   isp1                 1500  ether                                                   
      2   pptp                 1500  pptp-out                                                
      3   bridge1              1500  bridge                                                  
      4   eoip                 1500  eoip-tunnel                                             
    [Remote] > 
    

  4. Because the two LANs are now bridged, addresses from the same IP network can be used both in the Office LAN and in the Remote LAN.



MikroTik RouterOS PPP Client and PPP Server Interfaces

Document revision 08-Apr-2002
This document applies to the MikroTik RouterOS V2.5

Overview

PPP (Point-to-Point Protocol) provides a method for transmitting datagrams over serial point-to-point links. The 'com1' and 'com2' ports of a standard PC will appear as 'serial0' and 'serial1' automatically. Up to thirty-two additional serial ports can be added with Moxa C168 PCI multiport asynchronous cards (eight ports per card) to use the router as a modem pool.

General PPP settings are used for PPP, PPTP, and PPPoE connections.


Installation

The 'ppp-2.x.npk' package (less than 470KB) is required. It can be downloaded from MikroTik's web page www.mikrotik.com. To install the package, upload it to the router with ftp and reboot. You may check whether the PPP package is installed with the command:

[MikroTik] > system package print                                              
Flags: I - invalid 
  #   NAME                  VERSION              BUILD-TIME           UNINSTALL
  0   routing               2.5rc4               jan/30/2002 10:43:38 no       
  1   pppoe                 2.5rc4               jan/30/2002 10:37:47 no       
  2   ssh                   2.5rc4               jan/30/2002 10:33:52 no       
  3   system                2.5rc4               jan/30/2002 10:31:32 no       
  4   snmp                  2.5rc4               jan/30/2002 10:32:13 no       
  5   ppp                   2.5rc4               jan/30/2002 10:36:03 no       
  6   pptp                  2.5rc4               jan/30/2002 10:36:42 no       
  7   aironet               2.5rc4               jan/30/2002 10:39:05 no       
  8   prism                 2.5rc4               jan/30/2002 15:51:12 no       
[MikroTik] >   

The RADIUS client and RADIUS accounting features are included in the "PPP" package.

Hardware Resource Usage

PPP uses a minimum amount of memory.

To see the list of available serial ports, use the command /port print, for example:

[MikroTik] > port print                                                        
  # NAME                             USED-BY                          BAUD-RATE
  0 serial0                          Serial Console                   9600     
  1 serial1                                                           9600     
[MikroTik] > 

PPP Server

The PPP server management is done in the /interface ppp-server submenu.

You can add a PPP server using the add command:

[MikroTik] interface ppp-server>
add name=test local-address=1.1.1.1 remote-address=1.1.1.254 port serial1
[MikroTik] interface ppp-server> print
Flags: X - disabled 
  0 X port=serial1 pap=yes chap=yes ms-chapv2=yes local-address=1.1.1.1
      remote-address=1.1.1.254 mtu=1500 mru=1500 idle-timeout=0s session-timeout=0s
      null-modem=no modem-init="" ring-count=3 port-id=0 encryption=none name=test 

[MikroTik] interface ppp-server> enable 0
[MikroTik] interface ppp-server> monitor test
        user:                     
      uptime: 0s                  
    encoding:                     
      status: Waiting for call... 

[MikroTik] interface ppp-server>

Description of settings:

port - Serial port
pap, chap, ms-chapv2 - (no / yes). Authentication protocol. Encrypted links are only supported when ms-chapv2 is selected, because MPPE derives its session keys from the MS-CHAPv2 exchange. It is suggested that pap and chap always be set to 'no', unless there is a special situation which requires an unencrypted link.
local-address - Assigns an individual address to the PPP-Server
remote-address - Assigns an individual address to the PPP-Client.
mtu - Maximum Transmit Unit. Maximum packet size to be transmitted.
mru - Maximum Receive Unit.
idle-timeout - The link will be terminated if there is no activity with-in the time set – in seconds. When set to '0', there is no timeout.
session-timeout - The maximum time the connection can stay up. When set to '0', there is no timeout.
null-modem - Enable/Disable null-modem mode (when enabled, no modem initialization strings are sent). The default is 'no' for COM1 and COM2.
modem-init - Modem Initialization String.
ring-count - Number of rings to wait before answering phone.
port-id - Number used to identify this port to the RADIUS server. Should be 0..65535.
encryption - (none / optional / required / stateless). Will only work in encrypted mode when ms-chapv2 authentication is used. For most links, it should be set to 'required'.
name - Interface name for reference.

When dialing in, the users can be authenticated locally using the local user database in the /user menu, or at the RADIUS server specified in the /ip ppp settings.

PPP Client Setup

When dialing out, the user must be set up in the local user database. The user name and password should match the values in the remote server for that user, for example:

[MikroTik] > user add name=test group=ppp password=kuku                        

The PPP client management can be accessed under the /interface ppp-client submenu.

You can add a PPP client using the add command:

[MikroTik] interface ppp-client>
add name=test local-address=1.1.1.254 remote-address=1.1.1.1 \
user=test add-default-route=yes port serial1 encryption=optional
[MikroTik] interface ppp-client> print
Flags: X - disabled 
  0 X name=test port=serial1 user=test pap=yes chap=yes ms-chapv2=yes 
      phone="" tone-dial=yes mtu=1500 mru=1500 local-address=1.1.1.254 
      remote-address=1.1.1.1 idle-timeout=0s session-timeout=0s null-modem=no
       modem-init="" dial-on-demand=no add-default-route=yes encryption=optional 

[MikroTik] interface ppp-client> enable 0
[MikroTik] interface ppp-client> monitor test
      uptime: 0s
    encoding:
      status: Logging in to network...

[MikroTik] interface ppp-client>

Descriptions of settings:

name - New interface name.
port - Serial port
user - User name to use for dialout.
pap, chap, ms-chapv2 - (no / yes). Authentication protocol. Encrypted links are only supported when ms-chapv2 is selected, because MPPE derives its session keys from the MS-CHAPv2 exchange. It is suggested that pap and chap always be set to 'no', unless there is a special situation which requires an unencrypted link.
phone - Phone number for dialout.
tone-dial - Enable/Disable tone dial.
mtu - Maximum Transmit Unit. Maximum packet size to be transmitted.
mru - Maximum Receive Unit.
local-address - Local IP Address
remote-address - Remote IP Address.
idle-timeout - The link will be terminated if there is no activity with-in the time set – in seconds. When set to '0', there is no timeout.
session-timeout - The maximum time the connection can stay up. When set to '0', there is no timeout.
null-modem - Enable/Disable null-modem mode (when enabled, no modem initialization strings are sent). The default is 'no' for COM1 and COM2.
modem-init - Modem Initialization String.
dial-on-demand - Enable/Disable dial on demand.
add-default-route - Add PPP remote address as a default route.
encryption - (none / optional / required / stateless). Will only work in encrypted mode when ms-chapv2 authentication is used. For most links, it should be set to 'required'.

If the PPP client is configured properly and it has established a connection to the server, you can:

  1. Monitor the connection using the /interface ppp-client monitor command
  2. See the ppp-out interface under the /interface print list
  3. See the dynamic IP address under the /ip address print list
  4. (Optionally) See the dynamic default route under the /ip route print list
Example of an established connection:

[MikroTik] interface ppp-client> monitor test
      uptime: 4h35s
    encoding: none
      status: Connected
[MikroTik] interface ppp-client>

Description of display:

uptime - Connection time displayed in days, hours, minutes, and seconds.
encoding - Encryption being used in this connection.
status - The status of this client may be:

PPP Authentication and Accounting

Overview

PPP (Point-to-Point Protocol) authentication on the MikroTik RouterOS is supported by a local authentication database or a RADIUS client. Authentication is supported for PPP asynchronous connections, PPPoE, PPTP, and ISDN PPP (local only). Authentication protocols supported are PAP, CHAP, and MS-CHAPv2. The authentication process is as follows: PPP sends a user authentication request; the user ID is first checked against the local user database for any user which has the PPP attribute; if no matching user is found, the RADIUS client (if enabled) requests authentication from the RADIUS server. Note that users are always checked against the local database first and only then against the RADIUS server. Be careful not to have the same PPP user in both the local database and the RADIUS server: authentication for that user finishes at the local database and the RADIUS entry is never consulted.


Local Authentication Overview

Local PPP authentication is part of the general user database stored on the router – this database is also responsible for administration authentication for the router. Certain PPP specific attributes are supported for PPP user group:

Local Authentication Management of PPP Users

Only users which are in a group with the PPP attribute can be authenticated for PPP access. To add a user:

[MikroTik] > user add name=test group=ppp password=kuku                        
[MikroTik] > user print                                                        
Flags: X - disabled 
  0   ;;; system default user
      name=admin group=full address=0.0.0.0/0 caller-id="" tx-bit-rate=0 
      rx-bit-rate=0 only-one=no max-session-time=0s 

  1   name=rieks group=ppp address=0.0.0.0/0 caller-id="" tx-bit-rate=0 
      rx-bit-rate=0 only-one=no max-session-time=0s 

  2   name=test group=ppp address=0.0.0.0/0 caller-id="" tx-bit-rate=0 
      rx-bit-rate=0 only-one=no max-session-time=0s 

[MikroTik] >  

Descriptions of settings:

address - Shown as address=a.b.c.d/mask in the print output (older versions show it as "full address" and "netmask"). It determines the address that may be given to the remote site. If a specific host is set (for example address=10.25.0.3/32), only 10.25.0.3 will be given to the remote site; if the remote site will not accept it, the connection fails. If a subnet is set (for example address=10.25.0.3/28), an address in the subnet 10.25.0.0/28 is allowed if the server gives an address in that range, or if the server has no addresses to give and the client requests an address in that range. If neither is set (address=0.0.0.0/0), an address from the PPP server's "remote-address-from" and "remote-address-to" range is given.
caller-id: "" - For PPTP, this may be set to the IP address which the client must connect from, in the form "a.b.c.d". For PPPoE, the MAC address which the client must connect from can be set, in the form "xx:xx:xx:xx:xx:xx". When this is not set, there are no restrictions on where clients may connect from, so anyone who knows the password can use the account from any address.
tx-bit-rate - Transmit bitrate in bits/s for the PPPoE connection.
rx-bit-rate - Receive bitrate in bits/s for the PPPoE connection.
only-one: no - (Only for PPP connections) If this is set to “yes”, then there may be only one connection at a time.
max-session-time: 0 - (Only for PPP connections) If set to >0, then this is the max number of seconds this session can stay up. "0" indicates no session limit.

Local Accounting of PPP Users

To enable local authentication and accounting, set "[MikroTik] ip ppp> set accounting yes authentication local". If the "authentication" is set to "radius", then no local accounting logs will be made. The following is an example of the local accounting when a PPPoE connection is made to the PPPoE server (access concentrator).

[Mikrotik]> log print

apr/04/2001 17:19:14     pppoe-in7: waiting for authentication
apr/04/2001 17:19:14     pppoe-in7: test logged in
apr/04/2001 17:19:14     pppoe-in7: connection established
apr/04/2001 17:19:20     pppoe-in7: using encoding - none
apr/04/2001 17:25:08     pppoe-in7: connection terminated by peer
apr/04/2001 17:25:08     pppoe-in7: modem hanged up
apr/04/2001 17:25:08     pppoe-in7: connection terminated
apr/04/2001 17:25:08     pppoe-in7: test logged out, 354 4574 1279 101 83
The last line is the accounting which is printed when the connection is terminated. This line indicates that the user "test" connection has terminated at "apr/04/2001 17:25:08". The numbers following the "test logged out" entry represent the following:

354         session connection time in seconds
4574        bytes-in (from client)
1279        bytes-out (to client)
101         packets-in (from client)
83          packets-out (to client)
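The following Python program is an added example, not MikroTik code. It parses the local accounting lines shown above into per-session records, sums them per user, and flags sessions that announced "using encoding - none", i.e. ran without MPPE. The first eight log lines are the manual's own listing; the remaining lines (users and figures) are constructed to show several sessions and encodings.

```python
"""Parse RouterOS '/log print' PPP accounting lines (added example)."""
import re
from collections import defaultdict

# Constructed sample log: the first eight lines are from the manual, the rest are made up.
LOG_LINES = """\
apr/04/2001 17:19:14     pppoe-in7: waiting for authentication
apr/04/2001 17:19:14     pppoe-in7: test logged in
apr/04/2001 17:19:14     pppoe-in7: connection established
apr/04/2001 17:19:20     pppoe-in7: using encoding - none
apr/04/2001 17:25:08     pppoe-in7: connection terminated by peer
apr/04/2001 17:25:08     pppoe-in7: modem hanged up
apr/04/2001 17:25:08     pppoe-in7: connection terminated
apr/04/2001 17:25:08     pppoe-in7: test logged out, 354 4574 1279 101 83
apr/04/2001 17:30:00     pptp-in2: joe logged in
apr/04/2001 17:31:00     pptp-in2: using encoding - MPPE 128 bit, stateless
apr/04/2001 18:30:00     pptp-in2: joe logged out, 3540 91234 4567 800 420
apr/04/2001 18:31:00     pptp-in3: joe logged in
apr/04/2001 18:31:05     pptp-in3: using encoding - none
apr/04/2001 18:32:00     pptp-in3: joe logged out, 55 1000 500 10 8
"""

# "<user> logged out, <seconds> <bytes-in> <bytes-out> <packets-in> <packets-out>"
LOGOUT_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<iface>\S+): (?P<user>\S+) logged out, "
    r"(?P<secs>\d+) (?P<bin>\d+) (?P<bout>\d+) (?P<pin>\d+) (?P<pout>\d+)$")
ENCODING_RE = re.compile(r"^\S+ \S+\s+(?P<iface>\S+): using encoding - (?P<enc>.+)$")


def parse_sessions(text):
    """One record per terminated session, joined with the encoding last announced on its interface."""
    encoding = {}        # interface name -> encoding announced for the current session
    sessions = []
    for line in text.splitlines():
        m = ENCODING_RE.match(line)
        if m:
            encoding[m["iface"]] = m["enc"].strip()
            continue
        m = LOGOUT_RE.match(line)
        if m:
            sessions.append({
                "time": m["ts"], "iface": m["iface"], "user": m["user"],
                "seconds": int(m["secs"]),
                "bytes_in": int(m["bin"]), "bytes_out": int(m["bout"]),      # in = from client
                "packets_in": int(m["pin"]), "packets_out": int(m["pout"]),  # out = to client
                "encoding": encoding.pop(m["iface"], "unknown"),
            })
    return sessions


def per_user_totals(sessions):
    """Sum session count, seconds and octets per user, the figures a billing or abuse report needs."""
    totals = defaultdict(lambda: {"sessions": 0, "seconds": 0, "bytes_in": 0, "bytes_out": 0})
    for s in sessions:
        t = totals[s["user"]]
        t["sessions"] += 1
        t["seconds"] += s["seconds"]
        t["bytes_in"] += s["bytes_in"]
        t["bytes_out"] += s["bytes_out"]
    return dict(totals)


def unencrypted_sessions(sessions):
    """Sessions that ran with encoding 'none': their traffic crossed the link in clear."""
    return [s for s in sessions if s["encoding"] == "none"]


if __name__ == "__main__":
    found = parse_sessions(LOG_LINES)
    print(per_user_totals(found))
    print([s["iface"] for s in unencrypted_sessions(found)])
```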

RADIUS Overview

RADIUS authentication gives the ISP or network administrator the ability to manage PPP user access and accounting from one server throughout a large network. The MikroTik RouterOS has a RADIUS client which can authenticate for PPP, PPPoE, and PPTP connections – no ISDN remote access support currently. Features supported:

RADIUS Client Setup

To set RADIUS client, use the following line:

[MikroTik] ip ppp> set authentication radius auth-server 10.10.1.1 shared-secret users

Example output of the print command:

[MikroTik] ip ppp> print
            primary-dns: 159.148.60.3
          secondary-dns: 0.0.0.0
         authentication: radius
            auth-server: 10.10.1.1
          shared-secret: users
             accounting: no
        accounting-port: 1646
    authentication-port: 1645

Description of the output:

primary-dns - ppp setting for remote site.
secondary-dns - ppp setting for remote site.
authentication - Can be set to "radius" or "local".
auth-server - IP address of the server in a.b.c.d.
shared-secret - Text string that must match the entry for this client on the RADIUS server. It keys the hiding of user passwords and the authenticator of every request, so use a long random value rather than a dictionary word like the 'users' of the example above.
accounting - enable by setting "yes" or "no".
accounting-port - UDP port for accounting requests; 1646 by default here (the historical port), while RFC 2139 assigns 1813.
authentication-port - UDP port for authentication requests; 1645 by default here (the historical port), while RFC 2138 assigns 1812. Set both ports to whatever the server actually listens on.

RADIUS Parameters

Authentication data sent to server:

PW_SERVICE_TYPE       = PW_FRAMED     
PW_FRAMED_PROTOCOL    = PW_FRAME_PPP
PW_NAS_IDENTIFIER     = system identity
PW_NAS_IP_ADDRESS     = local PPP interface address
PW_NAS_PORT           = unique PPP port identifier number
PW_NAS_PORT_TYPE      = async or virtual in number form
PW_CALLING_STATION_ID = for PPTP, remote IP reported
                for PPPoE, remote MAC reported
                in form of xx:xx:xx:xx:xx:xx

Data received from server:

PW_ACCT_INTERIM_INTERVAL  = if non-zero then interval to update accounting data in seconds 
PW_FRAMED_IP_ADDRESS      = PPP remote address
PW_IDLE_TIMEOUT           = if no traffic in that time, connection is closed
PW_SESSION_TIMEOUT        = connection time allowed

Accounting information sent to server:

PW_USER_NAME
PW_ACCT_INPUT_OCTETS      = octets signifies bytes
PW_ACCT_INPUT_PACKETS
PW_ACCT_OUTPUT_OCTETS 
PW_ACCT_OUTPUT_PACKETS
ACCT_SESSION_TIME         = in the form of seconds
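The following Python program is an added example, not MikroTik code, showing what the attribute lists above look like on the wire. It builds an Access-Request with the attributes the client sends (RFC 2138 type codes), hides the PAP password with the shared secret as RFC 2138 section 5.2 specifies, and builds an Accounting-Request (Stop) whose Request Authenticator is computed as RFC 2139 requires; a server-side check of that authenticator is included. The secret 'users', the server address and the accounting counters come from the manual's examples; the NAS identity, NAS port and session identifier are assumed values. reveal_password shows why the secret's strength matters: anyone holding it and seeing the packet recovers the user's password.

```python
"""RADIUS Access-Request and Accounting-Request as a PPP NAS sends them (added example, RFC 2138/2139)."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
# Attribute type codes from RFC 2138 (authentication) and RFC 2139 (accounting).
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
FRAMED_PROTOCOL, CALLING_STATION_ID, NAS_IDENTIFIER, NAS_PORT_TYPE = 7, 31, 32, 61
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID = 40, 42, 43, 44
ACCT_SESSION_TIME, ACCT_INPUT_PACKETS, ACCT_OUTPUT_PACKETS = 46, 47, 48
SERVICE_FRAMED, FRAMED_PPP, PORT_TYPE_ASYNC, PORT_TYPE_VIRTUAL, ACCT_STOP = 2, 1, 0, 5, 2


def avp(code, value):
    """Encode one attribute as type, length (header included), value; ints become 4 bytes."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    return struct.pack("!BB", code, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2138 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: the shared secret plus the packet gives the password back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code, ident, authenticator, attrs):
    """Code, Identifier, Length, 16-byte Authenticator, then the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def access_request(user, password, secret, nas_ip, nas_identity, nas_port, calling_station,
                   port_type=PORT_TYPE_VIRTUAL, ident=1, authenticator=None):
    """Access-Request carrying the attribute set the manual lists; the Request Authenticator is random."""
    authenticator = authenticator or os.urandom(16)
    attrs = (avp(USER_NAME, user)
             + avp(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + avp(SERVICE_TYPE, SERVICE_FRAMED) + avp(FRAMED_PROTOCOL, FRAMED_PPP)
             + avp(NAS_IDENTIFIER, nas_identity) + avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + avp(NAS_PORT, nas_port) + avp(NAS_PORT_TYPE, port_type)
             + avp(CALLING_STATION_ID, calling_station))
    return packet(ACCESS_REQUEST, ident, authenticator, attrs)


def accounting_stop(user, secret, session_id, seconds, bytes_in, bytes_out, pkts_in, pkts_out, ident=2):
    """Accounting-Request (Stop). RFC 2139: authenticator = MD5(header + 16 zero bytes + attrs + secret)."""
    attrs = (avp(USER_NAME, user) + avp(ACCT_STATUS_TYPE, ACCT_STOP) + avp(ACCT_SESSION_ID, session_id)
             + avp(ACCT_SESSION_TIME, seconds) + avp(ACCT_INPUT_OCTETS, bytes_in)
             + avp(ACCT_OUTPUT_OCTETS, bytes_out) + avp(ACCT_INPUT_PACKETS, pkts_in)
             + avp(ACCT_OUTPUT_PACKETS, pkts_out))
    authenticator = hashlib.md5(packet(ACCOUNTING_REQUEST, ident, b"\x00" * 16, attrs) + secret).digest()
    return packet(ACCOUNTING_REQUEST, ident, authenticator, attrs)


def verify_accounting_request(pkt, secret):
    """Server-side check: recompute the authenticator; a forged or tampered request fails."""
    return pkt[4:20] == hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()


def parse_attrs(pkt):
    """Walk the attribute list into {type: raw value}; a bad length raises instead of looping forever."""
    out, pos = {}, 20
    while pos + 2 <= len(pkt):
        code, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed attribute at offset %d" % pos)
        out[code] = pkt[pos + 2:pos + length]
        pos += length
    return out
```

Only the accounting request carries an authenticator the server can verify; the Access-Request authenticator is random and protects nothing by itself, so the shared secret and the network path between NAS and server are the whole security boundary of this exchange.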

RADIUS Servers Suggested

Our RADIUS client should work well with all RFC compliant servers. Our software has been tested with:

http://www.vircom.com/

PPPoE Bandwidth Setting

For local authentication, this can be set in the [MikroTik] user> menu with the tx-bit-rate and rx-bit-rate values (in bits/s). For RADIUS authentication, the account of each user on the RADIUS server should be set with the parameter Ascend-Data-Rate (attribute ID 197, in bits/s).

Additional Resources

Links for PPP documentation:

http://www.ietf.org/rfc/rfc2138.txt?number=2138
http://www.ietf.org/rfc/rfc2139.txt?number=2139

PPP Troubleshooting



MikroTik RouterOS PPPoE (Point to Point Protocol over Ethernet) Interfaces

Document revision 15-May-2002
This document applies to MikroTik RouterOS V2.5

Overview

The PPPoE (Point to Point Protocol over Ethernet) protocol provides extensive user management, network management, and accounting benefits to ISPs and network administrators. Currently, PPPoE is used mainly by ISPs to control client connections for xDSL and cable modems. PPPoE is an extension of the standard dial-up and synchronous protocol PPP. The transport is over Ethernet – as opposed to modem transport.

Generally speaking, PPPoE is used to hand out IP addresses to clients based on user (and, if desired, workstation) authentication, as opposed to the workstation-only authentication you get with static IP addresses or DHCP. Do not use static IP addresses or DHCP on interfaces on which PPPoE is used.

A PPPoE connection is composed of a client and an access concentrator (server). The client may be a Windows computer that has the PPPoE client protocol installed. The MikroTik RouterOS supports both the client and access concentrator implementations of PPPoE. The PPPoE client and server work over any Ethernet level interface on the router: wireless 802.11 (Aironet, Cisco, WaveLAN), 10/100/1000 Mb/s Ethernet, RadioLAN, and EoIP (Ethernet over IP tunnel). No encryption, MPPE 40-bit and MPPE 128-bit encryption (RC4 based, keyed from the MS-CHAPv2 exchange) are supported.

Our RouterOS has a RADIUS client that can be used for authentication of all PPP type connections – including PPPoE. For more information on PPP authentication, see the “PPP Authentication and Accounting” section of the PPP Client and Server Interfaces Manual.

Supported connections:


PPPoE Installation on the MikroTik RouterOS

The “pppoe-2.x.npk” (less than 230KB) package and the “ppp-2.x.npk” (less than 470KB) are required. The packages can be downloaded from MikroTik’s web page www.mikrotik.com . To install the packages, please upload them to the router with ftp and reboot. You may check to see if the packages are installed with the command:

[MikroTik] > system package print                                              
Flags: I - invalid 
  #   NAME                  VERSION              BUILD-TIME           UNINSTALL
  0   routing               2.5rc4               jan/30/2002 10:43:38 no       
  1   pppoe                 2.5rc4               jan/30/2002 10:37:47 no       
  2   ssh                   2.5rc4               jan/30/2002 10:33:52 no       
  3   system                2.5rc4               jan/30/2002 10:31:32 no       
  4   snmp                  2.5rc4               jan/30/2002 10:32:13 no       
  5   ppp                   2.5rc4               jan/30/2002 10:36:03 no       
  6   pptp                  2.5rc4               jan/30/2002 10:36:42 no       
  7   aironet               2.5rc4               jan/30/2002 10:39:05 no       
  8   prism                 2.5rc4               jan/30/2002 15:51:12 no
[MikroTik] > 

Entries 1 and 5 of the list show that the PPPoE and PPP packages are installed.

PPPoE hardware resource usage

The PPPoE client uses a minimum amount of memory.

The PPPoE server (access concentrator) uses a minimum amount of memory for the basic setup. Each current PPPoE server connection uses approximately 100-200KB of memory. For PPPoE servers (access concentrators) designed for a large number of PPPoE connections, additional RAM should be added. In version 2.5, there is currently a maximum of 5000 connections. For example, a 1,000 user system should have 200 MB of free RAM above the normal operating RAM. For a large number of clients a faster processor is required; we recommend a Celeron 600MHz processor or higher. A future rewrite of parts of PPP is expected to significantly reduce the requirements.

PPPoE client setup

The PPPoE client supports high-speed connections. It is fully compatible with the MikroTik PPPoE server (access concentrator). Tests with different ISPs and access concentrators are currently underway.

Note for Windows: Some connection instructions may use the form where the “phone number” is “MikroTik_AC\mt1” to indicate that “MikroTik_AC” is the access concentrator name and “mt1” is the service name.

An example of a PPPoE client on the MikroTik RouterOS:

[RemoteOffice] interface pppoe-client> print 
  0   name=pppoe-out1 interface=gig service-name=testSN user=john pap=no
      chap=yes ms-chapv2=no mtu=1492 mru=1492 idle-timeout=0s
      session-timeout=0s add-default-route=yes dial-on-demand=no
      use-peer-dns=no encryption=none compression=no local-address=0.0.0.0
      remote-address=0.0.0.0 ac-name="" mss-update=1452

Descriptions of settings:

name - This settable name will appear in interface and IP address list when the PPPoE session is active.
interface - The PPPoE client can be attached to any Ethernet like interface – for example: wireless, 10/100/1000 Ethernet, and EoIP tunnels.
mtu and mru - The MTU and MRU after the 8 byte PPPoE overhead is subtracted from the standard 1500 byte Ethernet packet. For encryption, subtract four more bytes for the MPPE header and set the MTU and MRU to 1488.
pap, chap, ms-chapv2 - It is suggested that chap be set to yes so that the password is never sent in clear text (CHAP is challenge-response: only an MD5 digest of the secret crosses the link). Only if there is a special situation that requires an encrypted link should ms-chapv2 be set to yes. Encrypted links are only supported when ms-chapv2 is selected. This is a requirement of the protocol.
encryption - Will only work in encrypted mode when ms-chapv2 authentication is used. For most links, it should be set to none.
user - A user name and password must be added to the client router's user database. The user must be added with the attribute of group PPP. When the server is authenticating the client, the client will send this user and the password from the client router's user database. The server user database must have the same user and password and PPP group attribute to authenticate the link, unless the RADIUS client is enabled.
idle-timeout - The link will be terminated if there is no activity within the time set, in seconds. When set to "0", there is no timeout.
session-timeout - The maximum time the connection can stay up, in seconds. When set to "0", there is no timeout.
dial-on-demand - Connects to the AC only when outbound traffic is generated and disconnects when there is no traffic for the period set in the idle-timeout value.
use-peer-dns - Sets the router's default DNS to the DNS server supplied by the PPP peer.
compression - May be selected if encryption is not used. The default setting of "no compression" is suggested.
local-address - If the PPP server allows it, a local-address may be set. The default setting of 0.0.0.0 is suggested. In this case, the address set by the server will be used.
remote-address - If the PPP server allows it, a remote-address may be set. The default setting of 0.0.0.0 is suggested.
service-name - The service name set on the access concentrator. Many ISPs give the user name in the form "user-name@service-name".
ac-name - This may be left blank and the client will connect to any access concentrator that offers the service name selected.
add-default-route - Select yes to have a default route added automatically. Note, the dynamic default route will not be added if there is already a default route set.
mss-update - This setting rewrites the TCP MSS (maximum segment size) option of each TCP connection set up over the link to the selected value. The default of 1452 (the 1492 byte MTU minus 40 bytes of IPv4 and TCP headers) is suggested. This fixes a common problem for PPPoE when misconfigured servers or networks drop the ICMP messages that path MTU discovery depends on, so that full-size packets never get through. The common symptom is a partial download of a web page.

PPPoE Server Setup (Access Concentrator)

The PPPoE server (access concentrator) supports multiple servers for each interface – with differing service names. Currently, a maximum of 5000 PPPoE connections are supported. Currently the throughput of the PPPoE server has been tested to 160Mb/s on a Celeron 600 CPU. Using higher speed CPUs should increase the throughput proportionately.

The setting below is the optimal setting to work with Windows clients such as the RASPPPoE client for Win98/2000/ME. The password authentication and encryption are set to "pap no chap yes ms-chapv2 no encryption none" specifically to ensure a quick login by the Windows client. In the example below, the login uses CHAP, so the password itself is not sent in clear text. Currently it is possible to make encrypted links to Windows clients, but usually they quit passing IP after five minutes while remaining connected and still reporting that data is passed; this is a bug which is being worked on. There are no problems with encryption between the MikroTik PPPoE client and server.

The access concentrator has a hard limit of 5000 concurrent connections. The user-configurable limit on connections is set through the size of the 'remote-address' range, since every session needs one address from it. For example, 'remote-address=10.0.0.1-10.0.4.255' contains 1279 addresses and therefore allows at most 1279 concurrent users. Even if you are using a RADIUS server to assign client addresses, the 'remote-address' argument must include an IP address range; its size limits (and enables) the number of concurrent connections.
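As an added sanity-check helper (not part of RouterOS and not from this manual), the following Python computes the MTU/MRU and mss-update values described in the client settings above and the concurrent-session capacity implied by a 'remote-address' range, together with the extra RAM to provision. The 8 byte PPPoE overhead, the 4 byte MPPE overhead, the 5000-session hard limit and the 200KB per-session figure are taken from this manual; the range parsing and the warning logic are this example's own.

```python
import ipaddress

# Figures from the manual; everything else is an added helper, not RouterOS.
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8       # 6-byte PPPoE header + 2-byte PPP protocol field
MPPE_OVERHEAD = 4        # MPPE header when encryption is on (hence 1488)
IPV4_TCP_HEADERS = 40    # 20-byte IPv4 header + 20-byte TCP header, no options
KB_PER_SESSION = 200     # upper end of the manual's 100-200KB per session
HARD_LIMIT = 5000        # version 2.5 access concentrator ceiling


def pppoe_mtu(encrypted: bool = False) -> int:
    """MTU/MRU to configure on a PPPoE interface riding on 1500-byte Ethernet."""
    mtu = ETHERNET_MTU - PPPOE_OVERHEAD
    if encrypted:
        mtu -= MPPE_OVERHEAD
    return mtu


def tcp_mss(mtu: int) -> int:
    """Value for mss-update: the largest TCP payload that fits one MTU-sized IPv4 packet."""
    return mtu - IPV4_TCP_HEADERS


def range_size(spec: str) -> int:
    """Number of addresses in a RouterOS 'first-last' range (a bare address counts as 1)."""
    first, _, last = spec.partition("-")
    lo = ipaddress.IPv4Address(first.strip())
    hi = ipaddress.IPv4Address(last.strip()) if last else lo
    if hi < lo:
        raise ValueError(f"range end precedes start: {spec}")
    return int(hi) - int(lo) + 1


def session_limit(remote_range: str) -> int:
    """Concurrent sessions the server can carry: one address per session, capped at 5000."""
    return min(range_size(remote_range), HARD_LIMIT)


def extra_ram_mb(sessions: int) -> float:
    """RAM to provision above the base system, using the manual's per-session figure."""
    return sessions * KB_PER_SESSION / 1024


def plan(remote_range: str, local_range: str, encrypted: bool = False) -> dict:
    """Check a server definition the way a reviewer would before deploying it."""
    remote = range_size(remote_range)
    local = range_size(local_range)
    warnings = []
    if local != 1 and local != remote:
        warnings.append("local-address range size must equal remote-address range size")
    if remote > HARD_LIMIT:
        warnings.append(f"remote-address range exceeds the {HARD_LIMIT}-session hard limit")
    mtu = pppoe_mtu(encrypted)
    sessions = session_limit(remote_range)
    return {
        "sessions": sessions,
        "extra_ram_mb": extra_ram_mb(sessions),
        "mtu": mtu,
        "mss_update": tcp_mss(mtu),
        "warnings": warnings,
    }


if __name__ == "__main__":
    print(plan("10.0.0.1-10.0.4.255", "10.0.0.217"))
```

Running plan() on the range quoted above reports 1279 sessions and roughly 250MB of additional RAM, which is the kind of number to compare against the box before turning the server on.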

The “access concentrator name” and PPPoE “service name” are used by clients to identify the access concentrator to register with. The “access concentrator name” is the same as the “identity” of the router displayed before the command prompt. The identity may be set with the command /system identity set xxxxx.

[MikroTik] interface pppoe-server server>
add service-name="office" interface=prism1 \
    local-address=10.0.0.217 remote-address=10.0.0.130-10.0.0.135
[MikroTik] interface pppoe-server server> print                                
Flags: X - disabled 
  0   service-name=office interface=prism1 mtu=1492 mru=1492 idle-timeout=0s 
      session-timeout=0s local-address=10.0.0.217 
      remote-address=10.0.0.130-10.0.0.135 pap=no chap=yes ms-chapv2=no 
      compression=no encryption=none 

[MikroTik] interface pppoe-server server>

Descriptions of settings:

pap, chap, ms-chapv2 - It is suggested that chap always be set to yes. PAP is best disabled because it sends the user-name and password in clear text, whereas CHAP sends only a digest computed over a server-chosen challenge. ms-chapv2 should be disabled as it is not needed unless there is a special situation that requires an encrypted link. Encrypted links are only supported when ms-chapv2 is selected. This is a feature of the protocol.
encryption - Will only work in encrypted mode when ms-chapv2 authentication is used. For most setups, it should be set to none.
interface - The PPPoE server can be attached to any Ethernet-like interface, for example: wireless, 10/100/1000 Ethernet, and EoIP tunnels.
compression - Standard PPP level compression.
service-name - The PPPoE service name.
mtu, mru - The default MTU and MRU is set to 1492 because of the PPPoE overhead. For encryption, subtract four more bytes for the MPPE header and set the MTU and MRU to 1488.
idle-timeout - A standard PPP setting. The link will be terminated if there is no activity within the time set, in seconds. When set to "0", there is no timeout.
session-timeout - The maximum time the connection can stay up, in the format Xh, Xm or Xs. When set to "0", there is no timeout.
local-address - The IP address or address range of the PPPoE local server for each new PPPoE connection. One local address can be used on multiple static server interfaces. Usually this need not be a real (routable) IP address; only the client has a use for one. If an address range is used, it should include the same number of addresses as the 'remote-address' range.
remote-address - The IP address or address range for the PPPoE remote client for each new PPPoE connection. One address must be available for each current connection; the number of addresses in the range selected is the maximum number of concurrent connections. If RADIUS authentication is used to assign addresses, it is still required to have a range of addresses set in this server setup.
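To make the PAP versus CHAP point above concrete, the following is an added Python example (not RouterOS code and not from this manual) that plays both sides of each exchange over constructed credentials. The PAP Authenticate-Request layout follows RFC 1334 and the CHAP response computation follows RFC 1994; the user database entry and its password are made up for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed credential store standing in for the router's user database
# (user "john" appears in the manual's example; the password is made up here).
USER_DB = {"john": b"s3cret-pw"}


# --- PAP (RFC 1334): the secret itself is the proof -------------------------
def pap_authenticate_request(user: str, password: bytes) -> bytes:
    """Wire payload of a PAP Authenticate-Request: peer-id and password, both in clear."""
    peer_id = user.encode()
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def pap_verify(payload: bytes) -> bool:
    """Server side: compare the transmitted password with the stored one."""
    ulen = payload[0]
    user = payload[1:1 + ulen].decode()
    plen = payload[1 + ulen]
    password = payload[2 + ulen:2 + ulen + plen]
    stored = USER_DB.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


# --- CHAP (RFC 1994): proof of knowledge without sending the secret ----------
def chap_challenge(size: int = 16) -> bytes:
    """Server picks a fresh random challenge for every authentication attempt."""
    return os.urandom(size)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the digest from its own copy of the secret and compare."""
    secret = USER_DB.get(user)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(user: str, password: bytes) -> dict:
    """Play both sides of each protocol and report what an eavesdropper would see."""
    pap_wire = pap_authenticate_request(user, password)
    ident = 1
    challenge = chap_challenge()
    chap_wire = chap_response(ident, password, challenge)
    # A captured CHAP response is useless against the next login, because the
    # server issues a new challenge every time.
    replayed = chap_verify(user, ident, chap_challenge(), chap_wire)
    return {
        "pap_ok": pap_verify(pap_wire),
        "pap_leaks_password": password in pap_wire,
        "chap_ok": chap_verify(user, ident, challenge, chap_wire),
        "chap_leaks_password": password in chap_wire,
        "chap_replay_ok": replayed,
    }


if __name__ == "__main__":
    print(run_exchange("john", USER_DB["john"]))
```

Two caveats go with this: CHAP hides the password from a passive listener but not from offline guessing, since anyone who captures the challenge and the response can test candidate passwords against the MD5 digest; and the server must hold the secret in recoverable form, which is why the router's user database (or the RADIUS server) needs the actual password rather than a hash of it.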

DO NOT assign an IP address to the interface you will be receiving the PPPoE requests on. The PPPoE server will create a point-to-point connection for each individual client. Each connection will have an individual dynamic (virtual) p2p interface. The local-address will be set on its server side, and the remote-address will be given to the client. The addresses do not need to be from 'the same network', since the p2p connections have addresses with 32 bit netmasks anyway. What you set on the server side does not matter so much: it can be the address of another of the router's interfaces, or some arbitrary address.

Please see the IP Addresses and Address Resolution Protocol (ARP) manual for how to give out addresses to PPPoE clients from the same address space you are using on your local network.

PPPoE bandwidth setting

For local authentication, this can be set in the "[MikroTik] user>" menu with the "tx-bit-rate" and "rx-bit-rate" values (in bits/s). For RADIUS authentication, the account of each user in the RADIUS server should be set with:

Parameter: Ascend-Data-Rate (with parameter ID 197 -- in bits/s) 

PPPoE in a multipoint wireless 802.11b network

In a wireless network, the PPPoE server may be attached to our PRISMII 2.4GHz Access Point (infrastructure mode) interface. Either our RouterOS client or Windows PPPoE clients may connect to the Access Point for PPPoE authentication. Further, for RouterOS clients, the radio interface may be set to MTU 1600 so that the PPPoE interface may be set to MTU 1500. This optimizes the transmission of 1500 byte packets and avoids any problems associated with MTUs lower than 1500. It has not been determined how to change the MTU of the Windows wireless interface at this moment.

PPPoE Troubleshooting

Additional Resources

Links for PPPoE documentation:

PPPoE Clients:



MikroTik RouterOS Point to Point Tunnel Protocol (PPTP)

Document revision 27-Apr-2002
This document applies to the MikroTik RouterOS V2.4 and 2.5

Overview

PPTP (Point to Point Tunnel Protocol) supports encrypted tunnels over IP. The MikroTik RouterOS implementation includes a PPTP client, a PPTP dynamic server, and a PPTP static server. The following tunnels are supported: General usage of PPTP tunnels:

Contents of the Manual

The following topics are covered in this manual:

Installation

The 'pptp-2.x.x.npk' (less than 160KB) and the 'ppp-2.x.x.npk' (less than 370KB) packages are required. The packages can be downloaded from MikroTik's web page www.mikrotik.com. To install the packages, please upload them to the router with ftp and reboot. You may check to see if the PPTP and PPP packages are installed with the command:

[MikroTik] > system package print
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 aironet                2.4                   sep/25/2001 05:08:05 no
  1 pptp                   2.4                   sep/25/2001 05:06:44 no
  2 ppp                    2.4                   sep/25/2001 05:06:35 no
  3 pppoe                  2.4                   sep/25/2001 05:06:45 no
  4 ssh                    2.4                   sep/25/2001 05:08:11 no
  5 routing                2.4                   sep/25/2001 05:06:07 no
  6 snmp                   2.4                   sep/25/2001 05:06:09 no
  7 moxa-c101              2.4                   sep/25/2001 05:08:08 no
  8 framerelay             2.4                   sep/25/2001 05:08:56 no
  9 system                 2.4                   sep/25/2001 05:05:48 no
[MikroTik] >

Lines one and two show that the PPP and PPTP packages are installed.

Hardware Resource Usage

PPTP uses a minimum amount of memory. RouterOS V2.4 and V2.5 have a re-written PPTP engine that delivers encrypted throughput of approximately 60Mb/s on a Celeron 600MHz CPU.

PPTP Protocol Description

Though the following may sound complex, our implementation of PPTP is easy to setup and manage. PPTP, using PPP, is a secure tunnel for transporting IP traffic. PPTP encapsulates PPP in virtual lines that run over IP. PPTP incorporates PPP and MPPE (Microsoft Point to Point Encryption) to make encrypted links. The purpose of this protocol is to make well-managed secure connections between 1) routers and routers 2) routers and Windows clients (or other OS with PPTP support).

PPTP includes PPP authentication and accounting for each PPTP connection. Full authentication and accounting of each connection may be done through a RADIUS client or locally. There are also additional PPP configurations for management of users and connections.

MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported. Both derive their RC4 keys from the MS-CHAP password hash, so the confidentiality of the link is bounded by the strength of the user's password; MS-CHAPv2 itself is known to be weak against offline attack, so PPTP is best treated as a compatibility option rather than a strong VPN.

PPTP traffic uses TCP port 1723 for the control connection and IP protocol 47 (GRE) for the tunnelled data, as assigned by the Internet Assigned Numbers Authority (IANA). PPTP can be used with most firewalls and routers by allowing traffic to TCP port 1723 and protocol 47 traffic to pass through the firewall or router.

PPTP connections may be limited or impossible to set up through a masqueraded/NAT IP connection, because GRE carries no port numbers for the NAT device to translate; only NAT implementations that track PPTP Call IDs can pass more than one tunnel from behind the same address. Please see the Microsoft and RFC links at the end of this section for more information.
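The following added Python example (not part of this manual or of RouterOS) decodes the two kinds of PPTP traffic named above, so that a firewall or NAT rule can be written with the actual fields in view: the fixed header of a control message on TCP port 1723 and the enhanced GRE header of IP protocol 47, both as laid out in RFC 2637. The two sample packets are constructed for the example, not captured traffic.

```python
import struct

GRE_PROTO_PPP = 0x880B     # protocol type carried by PPTP's enhanced GRE (RFC 2637)
PPTP_MAGIC = 0x1A2B3C4D    # magic cookie present in every PPTP control message
PPTP_CONTROL_PORT = 1723
GRE_IP_PROTOCOL = 47

CONTROL_NAMES = {
    1: "Start-Control-Connection-Request",
    2: "Start-Control-Connection-Reply",
    7: "Outgoing-Call-Request",
    8: "Outgoing-Call-Reply",
    12: "Call-Clear-Request",
    13: "Call-Disconnect-Notify",
}


def parse_pptp_gre(pkt: bytes) -> dict:
    """Decode the enhanced GRE header (RFC 2637 section 4.1) carrying PPTP data."""
    if len(pkt) < 8:
        raise ValueError("short GRE header")
    flags, proto = struct.unpack("!HH", pkt[:4])
    c, r, k, s = (flags >> 15) & 1, (flags >> 14) & 1, (flags >> 13) & 1, (flags >> 12) & 1
    a, ver = (flags >> 7) & 1, flags & 7
    # PPTP requires version 1, the Key bit set, and no checksum/routing fields.
    if proto != GRE_PROTO_PPP or ver != 1 or c or r or not k:
        raise ValueError("not a PPTP enhanced-GRE packet")
    payload_len, call_id = struct.unpack("!HH", pkt[4:8])   # the Key field
    off = 8
    seq = ack = None
    if s:                                   # Sequence Number present
        (seq,) = struct.unpack("!I", pkt[off:off + 4])
        off += 4
    if a:                                   # Acknowledgment Number present
        (ack,) = struct.unpack("!I", pkt[off:off + 4])
        off += 4
    payload = pkt[off:off + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated payload")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


def parse_pptp_control(data: bytes) -> dict:
    """Decode the fixed 12-byte header of a PPTP control message (TCP port 1723)."""
    if len(data) < 12:
        raise ValueError("short control header")
    length, msg_type, magic, ctrl_type, _reserved = struct.unpack("!HHIHH", data[:12])
    if magic != PPTP_MAGIC:
        raise ValueError("bad magic cookie")
    if msg_type != 1:
        raise ValueError("not a control message")
    if length != len(data):
        raise ValueError("length field does not match message")
    return {"type": ctrl_type, "name": CONTROL_NAMES.get(ctrl_type, "unknown")}


# Constructed sample packets (not captured traffic): a GRE data packet for
# Call ID 5 carrying a 4-byte PPP fragment with sequence 1 / ack 0, and a
# 156-byte Start-Control-Connection-Request whose body is zero-filled because
# only the header is examined here.
SAMPLE_GRE = struct.pack("!HHHHII", 0x3081, GRE_PROTO_PPP, 4, 5, 1, 0) + b"\xff\x03\x00\x21"
SAMPLE_CONTROL = struct.pack("!HHIHH", 156, 1, PPTP_MAGIC, 1, 0) + b"\x00" * 144


if __name__ == "__main__":
    print(parse_pptp_gre(SAMPLE_GRE))
    print(parse_pptp_control(SAMPLE_CONTROL))
```

The GRE header has no port numbers: the only per-session demultiplexer is the 16-bit Call ID in the Key field, which is why a NAT device without PPTP awareness cannot tell two inside clients' tunnels to the same server apart, and why a stateful firewall rule for PPTP has to match on the IP protocol number rather than on a port.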

PPTP Client Setup

Each PPTP connection is composed of a server and a client. The MikroTik RouterOS may function as a server or client – or for various configurations, it may be the server for some connections and client for other connections. For example, the client created below could connect to a Windows 2000 server, another MikroTik Router, or another router which supports a PPTP server.

The PPTP client management can be accessed under the /interface pptp-client submenu.

You can add a PPTP client using the add command:

[MikroTik] interface pptp-client>
add name=test2 connect-to=10.1.1.12 encryption=required \
user=john add-default-route=yes
[MikroTik] interface pptp-client> print
Flags: X - disabled
  0 X name=test2 user=john connect-to=10.1.1.12 mtu=1460 mru=1460 pap=no
      chap=no ms-chapv2=yes idle-timeout=0s session-timeout=0s
      encryption=required add-default-route=yes

[MikroTik] interface pptp-client> enable 0
[MikroTik] interface pptp-client> monitor test2
      uptime: 0s
    encoding:
      status: Terminated

[MikroTik] interface pptp-client>

Descriptions of settings:

name - Interface name for reference
mtu - Maximum Transmit Unit. Should be left at the default 1460 bytes to avoid fragmentation of packets. May be set to 1500 bytes if MTU path discovery is not working properly on the links.
mru - Maximum Receive Unit. Should be left at the default 1460 bytes to avoid fragmentation of packets. May be set to 1500 bytes if MTU path discovery is not working properly on the links.
connect-to - The IP address of the PPTP server to connect to.
pap, chap, ms-chapv2 - (no / yes). Authentication protocol. Encrypted links are only supported when ms-chapv2 is selected. This is a feature of the protocol. It is suggested that pap and chap always be set to 'no', unless there is a special situation which requires an unencrypted link.
encryption - (none / optional / required / stateless). Will only work in encrypted mode when ms-chapv2 authentication is used. For most links, it should be set to 'required'.
user - User name to use when logging on to the remote server. The user, with ppp group privileges and a password, must be added to the client router's user database. When the client is being authenticated by the server, the client will send this user and the password from the client router's user database. The server user database must have the same user and password and PPP group attribute to authenticate the link.
idle-timeout - The link will be terminated if there is no activity within the time set, in seconds. When set to '0', there is no timeout.
session-timeout - The maximum time the connection can stay up. When set to '0', there is no timeout.
add-default-route - When the PPTP connection is up, a default route (gateway) will be added with the other side of the PPP link as the gateway.

If the PPTP client is configured properly and it has established a connection to the server, you can:

  1. Monitor the connection using the /interface pptp-client monitor command
  2. See the pptp-out interface under the /interface print list
  3. See the dynamic IP address under the /ip address print list
  4. (Optionally) See the dynamic default route under the /ip route print list
Example of an established connection:

[MikroTik] interface pptp-client> monitor test2
      uptime: 4h35s
    encoding: MPPE 128 bit, stateless
      status: Connected
[MikroTik] interface pptp-client>

Description of display:

uptime - Connection time displayed in days, hours, minutes, and seconds.
encoding - Encryption being used in this connection.
status - The status of this client may be:

PPTP Dynamic Server Setup

The router supports one PPTP dynamic server. This server supports unlimited connections from clients. For each current connection, a dynamic interface is created. While the PPTP dynamic server supports multiple clients, it does not support static routes, filters, and other IP level features that need to be attached to static interfaces. The PPTP static server supports routes and other IP level features.

The PPTP dynamic server management can be accessed under the /interface pptp-dynamic-server server submenu.

You can enable the PPTP dynamic server using the set command:

[MikroTik] interface pptp-dynamic-server server>
set enabled=yes encryption=required \
local-address=10.5.17.254 remote-address=10.5.17.1-10.5.17.50
[MikroTik] interface pptp-dynamic-server server> print
            enabled: yes
                mtu: 1460
                mru: 1460
                pap: no
               chap: no
          ms-chapv2: yes
      local-address: 10.5.17.254
     remote-address: 10.5.17.1-10.5.17.50
       idle-timeout: 0s
    session-timeout: 0s
         encryption: required
[MikroTik] interface pptp-dynamic-server server>

Descriptions of settings:

enabled - (yes / no). Enable or disable the server.
mtu - Maximum Transmit Unit. Should be left at the default 1460 bytes to avoid fragmentation of packets. May be set to 1500 bytes if MTU path discovery is not working properly on the links.
mru - Maximum Receive Unit. Should be left at the default 1460 bytes to avoid fragmentation of packets. May be set to 1500 bytes if MTU path discovery is not working properly on the links.
local-address - The IP address or address range of the PPTP local server. If a single address is given, the same local server address will be used on all connections that are created.
remote-address - This should be set to an IP range. It limits the number of concurrent connections: a new connection is refused if no free address is available in the range.
pap, chap, ms-chapv2 - (no / yes). Authentication protocol. Encrypted links are only supported when ms-chapv2 is selected. This is a feature of the protocol. It is suggested that pap and chap always be set to 'no', unless there is a special situation which requires an unencrypted link.
encryption - (none / optional / required / stateless). Will only work in encrypted mode when ms-chapv2 authentication is used. For most links, it should be set to 'required'.
idle-timeout - The link will be terminated if there is no activity within the time set, in seconds. When set to '0', there is no timeout.
session-timeout - The maximum time the connection can stay up. When set to '0', there is no timeout.

If the PPTP dynamic server is configured properly and it has established connections with the clients, you can:

  1. See the list of connected clients using the /interface pptp-dynamic-server print command
  2. Monitor the connected clients using the /interface pptp-dynamic-server monitor command
  3. See the pptp-in-dyn interfaces under the /interface print list
  4. See the dynamic IP addresses under the /ip address print list
  5. See the dynamic routes under the /ip route print list
See the example below on more information how to monitor the PPTP links.

PPTP Static Server Setup

The PPTP static server is made for permanent connections between two routers. One side of the PPTP tunnel must be set up as a static server and the other side as a client. On both the static server side and the client side, it will be possible to add static routes, filters, and any other IP level features – for example an EoIP tunnel may be put on top of the PPTP encrypted tunnel to make an encrypted LAN-to-LAN bridge.

The PPTP static server management can be accessed under the /interface pptp-static-server submenu.

To add a PPTP static server interface use the add command:

[MikroTik] interface pptp-static-server>
add name=test remote-address=1.1.1.2 local-address=1.1.1.1 \
client-address=10.1.1.13 mtu=1500 mru=1500 encryption=required 
[MikroTik] interface pptp-static-server> print
Flags: X - disabled
  0 X name=test client-address=10.1.1.13 mtu=1500 mru=1500 pap=no chap=no
      ms-chapv2=yes local-address=1.1.1.1 remote-address=1.1.1.2
      idle-timeout=0s session-timeout=0s encryption=required

[MikroTik] interface pptp-static-server> enable test
[MikroTik] interface pptp-static-server> monitor test
        user: john
      uptime: 5s
    encoding: MPPE 128 bit, stateless
[MikroTik] interface pptp-static-server>

Descriptions of settings:

name - Interface name for reference
client-address - This should be set to the IP address of the client that will attempt to make a PPTP connection.
mtu - Maximum Transmit Unit. Should be left at the default 1460 bytes, which allows for the PPTP overhead and so avoids packet fragmentation; 1460 is required to work with non-MikroTik clients. May be set to 1500 bytes when working with MikroTik clients if MTU path discovery is not working properly on the links; at 1500, the MTU problems that come up when communicating with misconfigured networks do not occur.
mru - Maximum Receive Unit. Should be left at the default 1460 bytes, which allows for the PPTP overhead and so avoids packet fragmentation; 1460 is required to work with non-MikroTik clients. May be set to 1500 bytes when working with MikroTik clients if MTU path discovery is not working properly on the links; at 1500, the MTU problems that come up when communicating with misconfigured networks do not occur.
local-address - The IP address of the PPTP local server. The same local server address can be used on multiple static server interfaces.
remote-address - This should be set to the IP address that will be given to the remote client.
pap, chap, ms-chapv2 - (no / yes). Authentication protocol. Encrypted links are only supported when ms-chapv2 is selected. This is a feature of the protocol. It is suggested that pap and chap always be set to 'no', unless there is a special situation which requires an unencrypted link.
encryption - (none / optional / required / stateless). Will only work in encrypted mode when ms-chapv2 authentication is used. For most links, it should be set to 'required'.
idle-timeout - The link will be terminated if there is no activity within the time set, in seconds. When set to '0', there is no timeout.
session-timeout - The maximum time the connection can stay up. When set to '0', there is no timeout.

If the PPTP static server is configured properly and it has established a connection with the client, you can:

  1. Monitor the connection using the /interface pptp-static-server monitor command
  2. See the pptp-in interface under the /interface print list
  3. See the dynamic IP address under the /ip address print list
  4. See the dynamic route under the /ip route print list
See the example below on more information how to monitor the PPTP links.

Troubleshooting

PPTP Router-to-Router Secure Tunnel Example

The following is an example of connecting two Intranets using an encrypted PPTP tunnel over the Internet.

There are two routers in this example:

Each router is connected to a different ISP. One router can access another router through the Internet.

To add a secure Tunnel between the HomeOffice and RemoteOffice routers, add an identical user and password with the group 'ppp' to both the HomeOffice and RemoteOffice router:

[RemoteOffice] user> add name remote password remote group ppp
[HomeOffice] user> add name remote password remote group ppp

Add a PPTP static server interface to the HomeOffice router:

[HomeOffice] interface pptp-static-server> print
0   name: FromRemoteOffice client-address: 192.168.81.1 pap: no chap: no
    ms-chapv2: yes encryption: required mtu: 1460 mru: 1460 idle-timeout: 0
    session-timeout: 0 local-address: 10.0.103.1 remote-address: 10.0.103.2

Add a PPTP client to the RemoteOffice router:

[RemoteOffice] interface pptp-client> print
0   name: Tunnel_To_HomeOffice mtu: 1460 mru: 1460 pap: no chap: no
    ms-chapv2: yes encryption: required user: remote connect-to: 192.168.80.1 
    idle-timeout: 0 session-timeout: 0

Thus, a PPTP tunnel is created between the routers. This tunnel is like an Ethernet point-to-point connection between the routers with IP addresses 10.0.103.1 and 10.0.103.2 at each router. It enables 'direct' communication between the routers over third party networks.

To route the local Intranets over the PPTP tunnel – add these routes:

[HomeOffice] > ip route add dst-address 10.150.1.0/24 gateway 10.0.103.2
[RemoteOffice] > ip route add dst-address 10.150.2.0/24 gateway 10.0.103.1

Test the PPTP tunnel connection:

[RemoteOffice]> /ping 10.0.103.1
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

Test the connection through the PPTP tunnel to the LocalHomeOffice interface:

[RemoteOffice]> /ping 10.150.2.254
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

Note for OSPF and RIP users! The router can lock up when OSPF or RIP is run together with PPTP. The cause is a routing loop: once the PPTP connection is established, the new routing information learned through OSPF or RIP can cover the address of the tunnel's own far endpoint, so the tunnel's outer packets are routed back into the tunnel.

To avoid this, two static routes should be added to each of the routers before creating the PPTP tunnel:

[HomeOffice] > ip route add dst-address 192.168.81.1/32 gateway 192.168.80.254
[RemoteOffice] > ip route add dst-address 192.168.80.1/32 gateway 192.168.81.254
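The following added Python example (not from the manual, and not a RouterOS feature) models why those two static routes are needed. It performs longest-prefix routing over a small table built from the addresses in the example above and resolves gateways recursively, the way a router decides which interface a packet really leaves on. The route learned over the tunnel is an assumed one for the demonstration (HomeOffice advertising its own public network 192.168.80.0/24 through the tunnel); in practice any learned route that covers the far endpoint's address produces the same loop.

```python
import ipaddress

# Routing table rows are (prefix, gateway, interface): a connected route has a
# gateway of None and a known interface; a gateway route names only its next hop.


def lookup(routes, dst):
    """Longest-prefix match for one destination; returns the winning row or None."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, gw, ifc in routes:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifc)
    return best


def egress_interface(routes, dst, max_hops=8):
    """Resolve a destination to the interface its packets leave on, following
    gateway routes recursively; returns None if resolution never terminates."""
    target = dst
    for _ in range(max_hops):
        hit = lookup(routes, target)
        if hit is None:
            return None
        _net, gw, ifc = hit
        if gw is None:          # connected route: resolution is complete
            return ifc
        target = gw             # gateway route: look the gateway itself up
    return None


def tunnel_is_sane(routes, peer_ip, tunnel_ifc):
    """A tunnel's outer packets must never be routed into the tunnel itself."""
    return egress_interface(routes, peer_ip) not in (None, tunnel_ifc)


# RemoteOffice, modelled on the manual's addresses: HomeOffice's public address
# is 192.168.80.1, RemoteOffice's ISP gateway is 192.168.81.254, and the tunnel
# endpoints are 10.0.103.1 (HomeOffice) and 10.0.103.2 (RemoteOffice).
REMOTE_OFFICE_BASE = [
    ("192.168.81.0/24", None, "ether1"),                # connected: link to the ISP
    ("10.0.103.1/32", None, "Tunnel_To_HomeOffice"),    # connected: PPTP peer address
    ("0.0.0.0/0", "192.168.81.254", None),              # default route via the ISP
]

# Assumed route learned via OSPF/RIP once the tunnel is up (constructed example).
LEARNED_OVER_TUNNEL = [("192.168.80.0/24", "10.0.103.1", None)]

# The manual's fix: a host route to the tunnel peer via the physical gateway.
STATIC_FIX = [("192.168.80.1/32", "192.168.81.254", None)]


if __name__ == "__main__":
    broken = REMOTE_OFFICE_BASE + LEARNED_OVER_TUNNEL
    fixed = broken + STATIC_FIX
    print("without fix:", egress_interface(broken, "192.168.80.1"))
    print("with fix:   ", egress_interface(fixed, "192.168.80.1"))
```

Without the host route, the /24 learned through the tunnel wins the longest-prefix match for 192.168.80.1, so the GRE packets addressed to the peer resolve to the tunnel interface itself; the /32 is more specific than anything a routing protocol will advertise and pins the peer to the physical path.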

To bridge a LAN over this secure tunnel, please read the 'EoIP' section of the manual. To set the maximum speed for traffic over this tunnel, please see the 'Queues' section.

PPTP Setup for Windows

Microsoft provides PPTP client support for Windows NT, 2000, ME, 98se, and 98. Windows 98se, 2000, and ME include support in the Windows setup or automatically install PPTP. For 95, NT, and 98, installation requires a download from Microsoft. Many ISPs have made help pages to assist clients with Windows PPTP installation. A zipped download of an instructional web page is available in PPTP_client_files.zip – this can be found in the utilities section of the download section. This zipped file also includes files needed from Microsoft for upgrading Windows 95 and 98 to support PPTP.

Links:

http://www.real-time.com/Customer_Support/PPTP_Config/pptp_config.html
http://www.microsoft.com/windows95/downloads/contents/WUAdminTools/S_WUNetworkingTools/W95WinsockUpgrade/Default.asp

Sample instructions for PPTP (VPN) installation and client setup – Windows 98se

If the VPN (PPTP) support is installed, select 'Dial-up Networking' and 'Create a new connection'. The option to create a 'VPN' should be selected. If there is no 'VPN' option, then follow the installation instructions below. When asked for the 'Host name or IP address of the VPN server', type the IP address of the router. Double-click on the 'new' icon and type the correct user name and password (which must also be in the user database on the router or on the RADIUS server used for authentication).

The setup of the connection takes nine seconds after selecting the 'connect' button. It is suggested that the connection properties be edited so that 'NetBEUI', 'IPX/SPX compatible', and 'Log on to network' are unselected. The setup time for the connection will then be two seconds after the 'connect' button is selected.

To install the 'Virtual Private Networking' support for Windows 98se, go to the 'Settings' menu from the main 'Start' menu. Select 'Control Panel', select 'Add/Remove Programs', select the 'Windows Setup' tab, select the 'Communications' software for installation and 'Details'. Go to the bottom of the list of software and select 'Virtual Private Networking' to be installed.

Additional Resources

Links for PPTP documentation:

http://msdn.microsoft.com/library/backgrnd/html/understanding_pptp.htm
http://support.microsoft.com/support/kb/articles/q162/8/47.asp
http://www.ietf.org/rfc/rfc2637.txt?number=2637
http://www.ietf.org/rfc/rfc3078.txt?number=3078
http://www.ietf.org/rfc/rfc3079.txt?number=3079



MikroTik RouterOS V2.5 ISDN Interface

Document revision 28-Jan-2002
This document applies to MikroTik RouterOS V2.5

Overview

The MikroTik router can act as an ISDN client for dialing out, or as an ISDN server for accepting incoming calls. The dial-out connections may be set as dial-on-demand or as permanent connections (simulating a leased line). The remote IP address (provided by the ISP) can be used as the default gateway for the router.

MikroTik RouterOS supports the following ISDN adapters (ISDN ISA adapters are not supported):

Topics covered in this manual:

ISDN Hardware and Software Installation

Please install the ISDN adapter into the PC according to the instructions provided by the adapter manufacturer.

The 'ppp-2.5.x.npk' (less than 310KB) and the 'isdn-2.5.x.npk' (less than 390KB) packages are required. The packages can be downloaded from MikroTik’s web page www.mikrotik.com. To install the packages, please upload them to the router with ftp and reboot. You may check to see if the packages are installed with the command:

[MikroTik] system package> print
Flags: I - invalid 
  #   NAME                  VERSION              BUILD-TIME           UNINSTALL
  0   ppp                   2.5rc1               jan/09/2002 07:54:33 no
  1   system                2.5rc1               jan/09/2002 07:54:10 no
  2   isdn                  2.5rc1               jan/09/2002 07:55:42 no
[MikroTik] system package> 

Loading the ISDN Driver

The ISDN driver should be loaded using the '/driver add' command:

 [MikroTik] driver> add name="driver_name"

Argument description:

driver_name - name of the driver. The list of available drivers can be obtained by entering '/driver load [Tab][Tab]'
isdn-protocol - data channel protocol, the default is 'euro'

Complete list of all supported ISDN adapters and their driver names:

For example, for the HFC based PCI card, it is enough to use '/driver add name=hfc' command to get the driver loaded.

Check the loaded drivers by using the '/driver print' command. Example output looks like here:

[MikroTik] driver> print 
Flags: I - invalid, D - dynamic 
  #   DRIVER                                IRQ IO       MEMORY   ISDN-PROTOCOL
  0 D PCI NE2000
  1   HFC 2BDS0 PCI
[MikroTik] driver>

ISDN Channels

ISDN channels are added to the system automatically when the ISDN card driver is loaded. Each channel corresponds to one physical 64K ISDN data channel.

The list of available ISDN channels can be viewed using the '/isdn-channels print' command. The channels are named 'CH0', 'CH1', and so on. For example, if you have two ISDN channels, one of them currently used by an ISDN interface and the other available, the output should look like this:

[MikroTik] isdn-channels> print 
  # NAME                  USED-BY              DIR.. TYPE  PHONE
  0 CH0                   backup               in    data  137
  1 CH1
[MikroTik] isdn-channels> 

ISDN channels are very similar to PPP serial ports. Any number of ISDN interfaces can be configured on a single channel, but only one interface can be enabled for that channel at a time. This means that every ISDN channel is either available or in use by an ISDN interface.

MSN and EAZ numbers

In Euro-ISDN a subscriber can assign more than one ISDN number to an ISDN line. For example, an ISDN line could have the numbers 1234067 and 1234068. Each of these numbers can be used to dial the ISDN line. These numbers are referred to as Multiple Subscriber Numbers (MSN).

A similar, but separate concept is EAZ numbering, which is used in German ISDN networking. An EAZ number can be used in addition to the dialed phone number to specify the required service.

For dial-out ISDN interfaces, MSN/EAZ number specifies the outgoing phone number (the calling end). For dial-in ISDN interfaces, MSN/EAZ number specifies the phone number which will be answered. If you are unsure about your MSN/EAZ numbers, leave them blank (it is the default).

For example, if your ISDN line has numbers 1234067 and 1234068, you could configure your dial-in server to answer only calls to 1234068, by specifying "1234068" as your MSN number. In a sense, MSN is just your phone number.

ISDN Client Interface Configuration

The ISDN client is used to connect to a remote dial-in server (usually an ISP's) via ISDN. To set up an ISDN dial-out connection, use the ISDN dial-out configuration menu under the /interface isdn-client submenu.

ISDN client interfaces can be added using the add command:

[MikroTik] interface isdn-client> 
    add name="backup" mtu=1500 mru=1500 user="backup" idle-timeout=0s \
    local-address=0.0.0.0 remote-address=0.0.0.0 phone="136" l2-protocol=hdlc \
    msn="137" max-retries=5 bundle-128K=yes dial-on-demand=no \
    add-default-route=no disabled=no 
[MikroTik] interface isdn-client>

Argument description:

name - Interface name
mtu - Maximum Transmit Unit
mru - Maximum Receive Unit
idle-timeout - Idle timeout, when no activity (set to '0' to never disconnect)
max-retries - Maximum redialing retry count
phone - Phone number to dial
msn - MSN/EAZ of ISDN line provided by the line operator
dial-on-demand - Use dialing on demand
l2-protocol - Level 2 protocol to be used
user - User name that will be provided to the remote server. Information about the user has to exist in the router's user database.
add-default-route - Add default route to remote host on connect
local-address - Local IP address of interface
bundle-128K - Use both channels instead of just one
remote-address - Remote IP address of interface
disabled - The current status of the interface (enabled/disabled)

An example printout of a configured ISDN client interface:

[MikroTik] interface isdn-client> print
Flags: X - disabled 
  0   name=backup mtu=1500 mru=1500 user=backup idle-timeout=0s 
      local-address=0.0.0.0 remote-address=0.0.0.0 phone=136 l2-protocol=hdlc 
      msn=137 max-retries=5 bundle-128K=yes dial-on-demand=no 
      add-default-route=no 
[MikroTik] interface isdn-client>

ISDN Server Interface Configuration

The ISDN server is used to accept remote dial-in connections from ISDN clients via ISDN. To set up an ISDN dial-in connection, use the ISDN dial-in configuration menu under the /interface isdn-server submenu.

ISDN server interfaces can be added using the add command:

[MikroTik] interface isdn-server>
add bundle-128K=yes chap=yes disabled=no idle-timeout=0s l2-protocol=hdlc \
    local-address=10.99.8.1 mru=1500 msn="136" mtu=1500 name="backup" pap=yes \
    remote-address=10.9.88.1
[MikroTik] interface isdn-server>

Argument description:

name - Interface name
mtu - Maximum Transmit Unit
mru - Maximum Receive Unit
idle-timeout - Idle timeout, when no activity
msn - MSN/EAZ of ISDN line provided by the line operator
l2-protocol - Level 2 protocol to be used
pap - Use PAP authentication
chap - Use CHAP authentication
bundle-128K - Use both channels instead of just one
local-address - Local IP address of interface
remote-address - Remote IP address of interface
disabled - The current status of the interface (enabled/disabled)

An example printout of a configured ISDN server interface:

[MikroTik] interface isdn-server> print
Flags: X - disabled 
  0   name=backup mtu=1500 mru=1500 pap=yes chap=yes idle-timeout=0s 
      local-address=10.99.8.1 remote-address=10.9.88.1 l2-protocol=hdlc msn=136 
      bundle-128K=yes 
[MikroTik] interface isdn-server>

Troubleshooting

ISDN Examples

The following examples of ISDN applications are discussed below:

ISDN Dial-out

Dial-out ISDN connections allow a local router to connect to a remote dial-in server (ISP's) via ISDN.

Let's assume you would like to set up a router that connects your local LAN with your ISP via ISDN line. First you should load the corresponding ISDN card driver. Supposing you have an ISDN card with an HFC chip:

[MikroTik]> /driver add name=hfc

Now additional channels should appear. Assuming you have only one ISDN card driver loaded, you should get the following:

[MikroTik] isdn-channels> print
  # NAME                  USED-BY              DIR.. TYPE  PHONE
  0 CH0
  1 CH1
[MikroTik] isdn-channels>

Suppose you would like to use dial-on-demand to dial your ISP and automatically add a default route to it. Also, you would like to disconnect when there is more than 30s of network inactivity. Your ISP's phone number is 12345678 and the user name for authentication is 'john'. Your ISP assigns IP addresses automatically. Add an outgoing ISDN interface and configure it in the following way:

[mikrotik]> /interface isdn-client add name="isdn-isp" phone="12345678"
user="john" idle-timeout=30s add-default-route=yes dial-on-demand=yes 

[MikroTik] > /interface isdn-client print
Flags: X - disabled 
  0 X name=isdn-isp mtu=1500 mru=1500 user=john idle-timeout=30s 
      local-address=0.0.0.0 remote-address=0.0.0.0 phone=12345678 l2-protocol=hdlc 
      msn="" max-retries=5 bundle-128K=no dial-on-demand=yes 
      add-default-route=yes 

(If you would like to remain connected all the time, i.e., as a leased line, then set the 'idle-timeout' to 0s.)

Add the user 'john' to the router user database. Assuming that the password is '31337!)':

[MikroTik]> /user add name=john password="31337!)" group=ppp

All that remains is to enable the interface:

[MikroTik] /interface set isdn-isp disabled=no

You can monitor the connection status with

[mikrotik] /interface isdn-client monitor isdn-isp

ISDN Dial-in

Dial-in ISDN connections allow remote clients to connect to your router via ISDN.

Let us assume you would like to set up a router for accepting incoming ISDN calls from remote clients. You have an ethernet card connected to the LAN, and an ISDN card connected to the ISDN line. First you should load the corresponding ISDN card driver. Supposing you have an ISDN card with an HFC chip:

[mikrotik] /driver add name=hfc

Now additional channels should appear. Assuming you have only one ISDN card driver loaded, you should get the following:

[MikroTik] isdn-channels> print
  # NAME                  USED-BY              DIR.. TYPE  PHONE
  0 CH0
  1 CH1
[MikroTik] isdn-channels>

Add an incoming ISDN interface and configure it in the following way:

[MikroTik] /interface isdn-server
add name=isdn-in1 idle-timeout=5s msn="7542159" pap=yes chap=yes \
local-address=10.99.8.1 remote-address=10.9.88.1

[MikroTik] interface isdn-server> print
Flags: X - disabled 
  0 X name=isdn-in1 mtu=1500 mru=1500 pap=yes chap=yes idle-timeout=5s 
      local-address=10.99.8.1 remote-address=10.9.88.1 l2-protocol=hdlc msn=7542159 
      bundle-128K=no 

Add user 'john' to the router user database. Assuming that the password is '31337!)':

/user add name=john password="31337!)" group ppp

Check the status of the ISDN server interface and wait for the call:

[MikroTik] interface isdn-server> monitor isdn-in1
    uptime: 0
    status: Waiting for call...

ISDN Backup

Backup systems are used in specific cases, when you need to maintain a connection even if something fails. For example, if someone cuts the wires, the router can automatically connect over a different interface to continue its work. This backup is based on a utility that monitors the status of the connection, netwatch, and on scripts that netwatch runs when the status changes.

ISDN Backup Description

This is an example of how to make a router backup system. In this example we use an ISDN connection to back up a standard ethernet connection. You can, of course, use anything instead of the ISDN connection, PPP for example. When the ethernet fails (router nr.1 cannot ping router nr.2 at 2.2.2.2, see the picture), the router establishes an ISDN connection, a so-called backup link, to continue communicating with router nr.2.

Note that in our case there are just two routers, but this system can also be used to connect two or more different networks.

The backup system example is described in the following diagram:

In this case the 'backup' interface is an ISDN connection, but it can be anything. Follow the instructions below on how to set up the backup link:

Setting up ISDN Connection

To use ISDN, the ISDN card driver must be loaded:

[MikroTik] driver> add name=hfc

The PPP connection must have the following configuration. A new user must be added to both routers (one and two):

[Mikrotik] user> add name=backup password=backup group=ppp

An ISDN server must be set up on the second router:

[MikroTik] interface isdn-server>
add name=backup local-address=3.3.3.254 \
remote-address=3.3.3.1 msn=7801032

An ISDN client must be added to the first router:

[MikroTik] interface isdn-client>
add name=backup user=backup local-address=0.0.0.0 \
remote-address=0.0.0.0 phone=7801032 msn=7542159

Setting up Static Routes

Use the /ip route add command to add the required static routes and comments to them. Comments are required for referencing the routes in scripts.

The First router:

[Mikrotik] ip route> add gateway 2.2.2.2 comment "route1"

The Second router:

[Mikrotik] ip route> add gateway 2.2.2.1 comment "route1"

Adding Scripts

Add scripts in the submenu '[Mikrotik] system script' using the following commands:

The First Router:

[Mikrotik] system script >
add name=connection_down \
source={/interface enable backup; /ip route set route1 gateway 3.3.3.254}
add name=connection_up \
source={/interface disable backup; /ip route set route1 gateway 2.2.2.2}

The Second Router:

[Mikrotik] system script >
add name=connection_down \
source={/ip route set route1 gateway 3.3.3.1}
add name=connection_up \
source={/ip route set route1 gateway 2.2.2.1}

Setting up Netwatch

To use netwatch, you need the advanced tools feature package installed. Please upload it to the router and reboot. When installed, the advanced-tools package should be listed under the /system package print list.

Add the following settings to the first router:

[Mikrotik] tool netwatch>
add host=2.2.2.1 interval=5s \
up-script=connection_up down-script=connection_down

Add the following settings to the second router:

[Mikrotik] tool netwatch>
add host=2.2.2.2 interval=5s \
up-script=connection_up down-script=connection_down
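To see what the two netwatch entries and the four scripts above actually do over time, here is an added Python model of the first router. It is not RouterOS code and not from the manual: the router state (the 'backup' interface and the route addressed by its comment 'route1') and the sequence of probe results are constructed here, and the addresses 2.2.2.2 and 3.3.3.254 are the ones used in the example above. The point it demonstrates is that netwatch runs a script only when reachability of the probed host changes, not on every interval.

```python
"""Model of the netwatch-driven ISDN backup on the first router.

Added example, not RouterOS code.  Netwatch on the first router probes
2.2.2.1 (the second router's ethernet address) every interval and runs
connection_down / connection_up only on a change of state.  Everything
below (router state, probe results) is constructed for the demonstration.
"""

PRIMARY_GW = "2.2.2.2"    # gateway over the ethernet link (from the page)
BACKUP_GW = "3.3.3.254"   # ISDN server side of the backup link (from the page)


class Router:
    """Minimal stand-in for the parts of RouterOS the scripts touch."""

    def __init__(self):
        # '/interface enable|disable backup'
        self.interfaces = {"backup": {"disabled": True}}
        # '/ip route set route1 gateway=...' finds the route by its comment,
        # which is why the page insists on adding a comment to the route.
        self.routes = {"route1": {"dst": "0.0.0.0/0", "gateway": PRIMARY_GW}}
        self.script_log = []  # names of scripts that actually ran

    # The two scripts from the page, transcribed into Python.
    def connection_down(self):
        self.interfaces["backup"]["disabled"] = False
        self.routes["route1"]["gateway"] = BACKUP_GW
        self.script_log.append("connection_down")

    def connection_up(self):
        self.interfaces["backup"]["disabled"] = True
        self.routes["route1"]["gateway"] = PRIMARY_GW
        self.script_log.append("connection_up")


class Netwatch:
    """One '/tool netwatch' entry: runs a script only when reachability changes."""

    def __init__(self, router, up_script, down_script, initial_up=True):
        self.router = router
        self.up_script = up_script
        self.down_script = down_script
        self.host_up = initial_up

    def probe(self, reachable):
        """Feed one ping result (True = host answered); run a script on a transition."""
        if reachable and not self.host_up:
            self.host_up = True
            self.up_script(self.router)
        elif not reachable and self.host_up:
            self.host_up = False
            self.down_script(self.router)
        return self.host_up


def run_failover(probe_results):
    """Replay a constructed sequence of probe results and return the router state."""
    router = Router()
    watch = Netwatch(router,
                     up_script=Router.connection_up,
                     down_script=Router.connection_down)
    for ok in probe_results:
        watch.probe(ok)
    return router


if __name__ == "__main__":
    # Constructed sequence: link fine, cut for three intervals, then restored.
    r = run_failover([True, True, False, False, False, True, True])
    print(r.routes["route1"]["gateway"], r.interfaces["backup"]["disabled"])
    print(r.script_log)
```

Two things worth noticing from the model: the scripts run exactly once per transition (the log holds one 'connection_down' and one 'connection_up' for a single outage, however long it lasts), and, like the configuration on the page, nothing damps a link that goes up and down every few seconds, so each flap would enable the ISDN interface and dial again. On a metered ISDN line that is worth watching in the logs.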



CISCO/Aironet 2.4GHz 11Mbps Wireless Interface

Document revision 22-Mar-2002
This document applies to the MikroTik RouterOS V2.4 and V2.5

Overview

The MikroTik RouterOS supports the following CISCO/Aironet 2.4GHz Wireless ISA/PCI/PC Adapter hardware:

For more information about the CISCO/Aironet PCI/ISA adapter hardware please see the relevant User’s Guides and Technical Reference Manuals in .pdf format:

Documentation about CISCO/Aironet Wireless Bridges and Access Points can be found in archives:

Contents of the Manual

The following topics are covered in this manual:

Wireless Adapter Hardware and Software Installation

Software Packages

The MikroTik Router should have the aironet software package installed. The software package file aironet-2.x.y.npk can be downloaded from MikroTik’s web page www.MikroTik.com. To install the package, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation the package should be listed under the installed software packages list, for example:

[MikroTik] > /sys package print                                                 
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 aironet                2.4                   sep/25/2001 05:08:05 no       
  1 routing                2.4                   sep/25/2001 05:06:07 no       
  2 system                 2.4                   sep/25/2001 05:05:48 no       
  3 ppp                    2.4                   sep/25/2001 05:06:35 no       
  4 ssh                    2.4                   sep/25/2001 05:08:11 no       
  5 pptp                   2.4                   sep/25/2001 05:06:44 no       
[MikroTik] >  

Software License

The 2.4GHz wireless adapters require the 2.4GHz wireless feature license. One license is for one installation of the MikroTik RouterOS, disregarding how many cards are installed in one PC box. The wireless feature is not included in the Free Demo or Basic Software License. The 2.4GHz Wireless Feature cannot be obtained for the Free Demo License. It can be obtained only together with the Basic Software License.

System Resource Usage

Before installing the wireless adapter, please check the availability of free IRQ's and I/O base addresses:

[MikroTik] > /sys resource irq print                                            
 IRQ USED OWNER                                                                 
 1   yes  keyboard                                                              
 2   yes  APIC                                                                  
 3   no                                                                         
 4   yes  serial port                                                           
 5   no
 6   no                                                                         
 7   no                                                                         
 8   no                                                                         
 9   no                                                                         
 10  no                                                                         
 11  yes  backbone                                                              
 12  no                                                                         
 13  yes  FPU                                                                   
 14  yes  IDE 1                                                                 
 15  yes  PCMCIA service                                                        
[MikroTik] > /sys resource io print                                             
 PORT-RANGE            OWNER                                                    
 20-3F                 APIC                                                     
 40-5F                 timer                                                    
 60-6F                 keyboard                                                 
 80-8F                 DMA                                                      
 A0-BF                 APIC                                                     
 C0-DF                 DMA                                                      
 F0-FF                 FPU                                                      
 1F0-1F7               IDE 1                                                    
 2F8-2FF               serial port                                              
 3C0-3DF               VGA                                                      
 3E0-3E1               PCMCIA service                                           
 3F6-3F6               IDE 1                                                    
 3F8-3FF               serial port                                              
 4000-4007             IDE 1                                                    
 4008-400F             IDE 2                                                    
 6300-631F             backbone                                                 
[MikroTik] >  

Installing the Wireless Adapter

The basic installation steps of the wireless adapter should be as follows:
  1. Check the system BIOS settings and make sure you do not have the 'PnP OS Installed' set to 'Yes'. If you have this setting, make sure it is set to 'No'.
  2. Check the system BIOS settings for peripheral devices, such as parallel or serial communication ports. Disable them if you plan to use the IRQs assigned to them by the BIOS.
  3. Set the DIP switches on the ISA board according to the following plan:
    DIP switch #6 to 'on' (non-PnP mode)
    Use the DIP switches #1,2,3 to select the IRQ number
    Use the DIP switches #4,5 to select the I/O Base Address
Please note that not all combinations of I/O base addresses and IRQs may work on your motherboard. It is recommended that you choose one IRQ that is not used in your system, and then try an acceptable I/O base address setting. It has been observed that IRQ 5 and I/O 0x300 or 0x180 work in most cases.
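The check recommended above (a free IRQ, and an I/O base address that does not collide with anything already owned) can be done by hand on the two printouts, but it is easy to get wrong with hex ranges. The following added Python example, which is not part of RouterOS or this manual, parses the '/sys resource irq print' and '/sys resource io print' listings shown earlier in this section (the sample text is copied from them) and reports the free IRQs and any owner whose port range overlaps a candidate base address. The 32-port window size for the ISA card is an assumption taken from the 'backbone' entry in the listing; adjust it to what your card's manual states.

```python
"""Checker for '/system resource irq print' and '/system resource io print'.

Added example, not RouterOS code.  The two listings below are copied from
this section of the manual.  WINDOW (the number of ports the card decodes)
is an assumption; the NE2000 'backbone' entry in the listing uses 0x20.
"""

import re

IRQ_PRINT = """\
 IRQ USED OWNER
 1   yes  keyboard
 2   yes  APIC
 3   no
 4   yes  serial port
 5   no
 6   no
 7   no
 8   no
 9   no
 10  no
 11  yes  backbone
 12  no
 13  yes  FPU
 14  yes  IDE 1
 15  yes  PCMCIA service
"""

IO_PRINT = """\
 PORT-RANGE            OWNER
 20-3F                 APIC
 40-5F                 timer
 60-6F                 keyboard
 80-8F                 DMA
 A0-BF                 APIC
 C0-DF                 DMA
 F0-FF                 FPU
 1F0-1F7               IDE 1
 2F8-2FF               serial port
 3C0-3DF               VGA
 3E0-3E1               PCMCIA service
 3F6-3F6               IDE 1
 3F8-3FF               serial port
 4000-4007             IDE 1
 4008-400F             IDE 2
 6300-631F             backbone
"""

WINDOW = 0x20  # assumed size of the card's I/O window, in ports


def free_irqs(text):
    """Return the IRQ numbers whose USED column is 'no' (header line skipped)."""
    irqs = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "no":
            irqs.append(int(parts[0]))
    return irqs


def used_ranges(text):
    """Return (start, end, owner) tuples parsed from the io print listing."""
    ranges = []
    for line in text.splitlines()[1:]:
        m = re.match(r"\s*([0-9A-Fa-f]+)-([0-9A-Fa-f]+)\s+(.*\S)", line)
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return ranges


def io_conflicts(text, base, window=WINDOW):
    """Owners whose port range overlaps [base, base + window - 1]."""
    end = base + window - 1
    return [owner for start, stop, owner in used_ranges(text)
            if start <= end and stop >= base]


if __name__ == "__main__":
    print("free IRQs:", free_irqs(IRQ_PRINT))
    for base in (0x180, 0x300, 0x3C0):
        print(hex(base), "conflicts:", io_conflicts(IO_PRINT, base))
```

On the listing from this section the checker confirms the manual's suggestion: IRQ 5 is free, and neither 0x180 nor 0x300 overlaps an owned range, whereas a base of 0x3C0 would collide with the VGA ports.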

Loading the Driver for the Wireless Adapter

PCI and PC (PCMCIA) cards do not require a 'manual' driver loading, since they are recognized automatically by the system and the driver is loaded at the system startup.

The ISA card requires the driver to be loaded by issuing the following command:

[MikroTik]> driver add name=pc-isa io=0x180
[MikroTik]> driver print
Flags: I - invalid, D - dynamic 
  #   DRIVER                            IRQ IO         MEMORY     ISDN-PROTOCOL
  0 D PCI NE2000                                                               
  1   Aironet ISAxx00                       0x180
[MikroTik] driver>

There can be several reasons for a failure to load the driver:

Wireless Interface Configuration

If the driver has been loaded successfully (no error messages), and you have the required 2.4GHz Wireless Software License, then the CISCO/Aironet 2.4GHz Wireless interface should appear under the interfaces list with the name pcn, where n is 1,2,... You can change the interface name to a more descriptive one using the 'set' command. To enable the interface, use the 'enable' command:

[MikroTik] interface> print
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   backbone             1500  ether                                         
  1 X pc1                  1500  pc                                            
[MikroTik] interface> set 1 name aironet
[MikroTik] interface> enable aironet
[MikroTik] interface> print
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   backbone             1500  ether                                         
  1   aironet              1500  pc                                            

More configuration and statistics parameters can be found under the '/interface pc' menu:

[MikroTik] interface> pc
[MikroTik] interface pc> print
Flags: X - disabled 
  0   name=aironet mtu=1500 mac-address=00:40:96:37:70:68 arp=enabled 
      mode=infrastructure rts-threshold=2312 fragmentation-threshold=2312 
      tx-power=100 rx-diversity=right tx-diversity=right long-retry-limit=16 
      short-retry-limit=16 frequency=2427MHz bitrate=auto ap1=00:40:96:25:83:63 
      ap2=00:40:96:25:83:63 ap3=00:40:96:25:83:63 ap4=00:40:96:25:83:63 
      ssid1=tsunami ssid2="" ssid3="" modulation=cck 
      client-name=MikroTik_0 beacon-period=100 join-net=10s 
      firmware-version=PC4800A 3.85 

[MikroTik] interface pc>

Argument description:

number - Interface number in the list
name - Interface name
mtu - Maximum Transmit Unit (256...2048 bytes). Default value is 1500 bytes.
mode - Operation mode of the card (infrastructure / ad-hoc)
rts-threshold - RTS threshold
fragmentation-threshold - Fragmentation threshold
tx-power - Transmit power in mW
rx-diversity - Receive diversity (both / default / left / right)
tx-diversity - Transmit diversity (both / default / left / right)
long-retry-limit - Long retry limit
short-retry-limit - Short retry limit
frequency - Channel frequency (2412MHz / 2422MHz / ... / 2484MHz)
bitrate - Data rate (11Mbit/s / 1Mbit/s / 2Mbit/s / 5.5Mbit/s / auto)
ap1 - Access Point 1
ap2 - Access Point 2
ap3 - Access Point 3
ap4 - Access Point 4
ssid1 - Service Set Identifier 1
ssid2 - Service Set Identifier 2
ssid3 - Service Set Identifier 3
modulation - Modulation mode (cck / default / mbok)
client-name - Client name
join-net - Beaconing period
arp - Address Resolution Protocol (disabled / enabled / proxy-arp)

You can monitor the status of the wireless interface:

[MikroTik] interface pc> monitor 0
              quality: 0
             strength: 0
         current-rate: 11Mbit/s
    current-frequency: 2437MHz
         synchronized: no
           associated: no
                 ssid: tsunami
         access-point: FF:FF:FF:FF:FF:FF
    access-point-name:
         error-number: 0                 

[MikroTik] interface pc>

If the wireless interface card is not registered to an AP, the green status LED blinks fast.

To set the wireless interface for working with an IEEE 802.11b access point (register to the AP), you should set the following parameters:

All other parameters can be left as default. To configure the wireless interface for registering to an AP with ssid "mt", it is enough to change the argument value of ssid1 to "mt":

[MikroTik] interface pc> set 0 ssid1 mt
[MikroTik] interface pc> monitor 0
              quality: 63
             strength: 131
         current-rate: 11Mbit/s
    current-frequency: 2412MHz
         synchronized: yes
           associated: yes
                 ssid: mt
         access-point: 00:40:96:00:06:72
    access-point-name: Gulf
         error-number: 0                 

[MikroTik] interface pc>

If the wireless interface card is registered to an AP, the green status LED blinks slowly.

Wireless Troubleshooting

Wireless Network Applications

Two possible wireless network configurations are discussed in the following examples:

Point-to-Multipoint Wireless LAN

Let us consider the following network setup with CISCO/Aironet Wireless Access Point as a base station and MikroTik Wireless Router as a client:

Point-to-Multipoint

The access point is connected to the wired network's HUB and has IP address from the network 10.1.1.0/24. The minimum configuration required for the AP is:

  1. Setting the Service Set Identifier (up to 32 alphanumeric characters). In our case we use ssid "mt".
  2. Setting the allowed data rates at 1-11Mbps, and the basic rate at 1Mbps.
  3. Choosing the frequency, in our case we use 2442MHz.
  4. (For CISCO/Aironet Bridges only) Set Configuration/Radio/Extended/Bridge/mode=access_point. If you leave it at 'bridge_only', it won't register clients.
  5. Setting the identity parameters Configuration/Ident: Inaddr, Inmask, and Gateway. These are required if you want to access the AP remotely using telnet or http.

Reminder! Please note that the AP is not a router. It has just one network address and is just like any host on the network. It resembles a wireless-to-Ethernet HUB or bridge. The AP does not route the IP traffic, so there is no need to set up the routing table under Configuration/Ident/Routing.

The minimum configuration for the MikroTik router's CISCO/Aironet wireless interface is:

  1. Setting the Service Set Identifier to that of the AP, i.e., "mt"
  2. Setting the Operation Mode to "infrastructure"

[MikroTik] interface pc> set 0 ssid1 mt mode infrastructure
[MikroTik] interface pc> monitor 0
              quality: 62
             strength: 129
         current-rate: 11Mbit/s
    current-frequency: 2442MHz
         synchronized: yes
           associated: yes
                 ssid: mt
         access-point: 00:40:96:00:06:72
    access-point-name: Gulf
         error-number: 0                 
[MikroTik] interface pc>

In infrastructure mode the frequency argument has no effect, since the frequency of the AP is used. The IP addresses assigned to the wireless interface should be from the network 10.1.1.0/24, e.g.:

[MikroTik] ip address> add address 10.1.1.12/24 interface aironet
[MikroTik] ip address> print                                                        
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.1.1.12/24       10.1.1.0        10.1.1.255      aironet               
  1   192.168.0.254/24   192.168.0.0     192.168.0.255   Local                 
[MikroTik] ip address>

The default route should be set to the gateway router 10.1.1.254 (not the AP 10.1.1.250 !):

[MikroTik] ip route> add gateway=10.1.1.254
[MikroTik] ip route> print                                                     
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  0.0.0.0/0          A            10.1.1.254  1        aironet    
  1 D  connect 192.168.0.0/24     A            0.0.0.0     0        Local      
  2 D  connect 10.1.1.0/24        A            0.0.0.0     0        aironet    
[MikroTik] ip route> 

Point-to-Point Wireless LAN

Point-to-point connections using two wireless clients require the wireless cards to operate in ad-hoc mode. This mode does not provide the timing required for long-distance (over 20km) links. Thus the performance of such links is very poor over long distances, and infrastructure mode is required, where a wireless client registers to an access point or bridge.

Let us consider the following point-to-point wireless network setup with two MikroTik Wireless Routers:

Point-to-Point

To establish a point-to-point link, the configuration of the wireless interface should be as follows:

The following command should be issued to change the settings for the pc interface of the master unit:

[MikroTik] interface pc> set 0 mode ad-hoc ssid1 b_link frequency 2442MHz bitrate auto
[MikroTik] interface pc> monitor 0
              quality: 0
             strength: 0
         current-rate: 11Mbit/s
    current-frequency: 2412MHz
         synchronized: no
           associated: no
                 ssid: b_link
         access-point: FF:FF:FF:FF:FF:FF
    access-point-name:
         error-number: 0                 
[MikroTik] interface pc>

For 10 seconds (this is set by the argument join-net) the wireless card looks for a network to join. During this time the status of the card is not synchronized, and the green status LED blinks fast. If the card cannot find a network, it creates its own. The status of the card then becomes 'synchronized', and the green status LED becomes solid. The monitor command shows the new status and the generated MAC address:

[MikroTik] interface pc> monitor 0
              quality: 62
             strength: 129
         current-rate: 11Mbit/s
    current-frequency: 2412MHz
         synchronized: yes
           associated: no
                 ssid: b_link
         access-point: 16:01:0B:02:17:00
    access-point-name:
         error-number: 0                 
[MikroTik] interface pc>

The other router of the point-to-point link requires the operation mode set to 'ad-hoc', the Service Set Identifier (ssid1) set to "b_link", and the channel frequency set to 2412MHz. If the radios are able to establish an RF connection, the status of the card should become 'synchronized', and the green status LED should become solid immediately after entering the command:

[wnet_gw] interface pc> set 0 mode ad-hoc ssid1 b_link frequency 2412MHz bitrate auto
[wnet_gw] interface pc> monitor 0
              quality: 58
             strength: 122
         current-rate: 11Mbit/s
    current-frequency: 2412MHz
         synchronized: yes
           associated: no
                 ssid: b_link
         access-point: 16:01:0B:02:17:00
    access-point-name:
         error-number: 0                 
[wnet_gw] interface pc> 

As we see, the MAC address under the 'access-point' parameter is the same as generated on the first router.
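The monitor printouts in the point-to-multipoint and point-to-point examples above show three distinct states of the card, and a practitioner will usually want a script rather than eyes to tell them apart and to confirm that a client is attached to the access point it is supposed to use. The following added Python example (not RouterOS code and not from the manual) parses the monitor output and classifies it. The four sample printouts are copied from this section; the state names returned by classify() and the function names are my own, and the access-point MAC 00:40:96:00:06:72 used in the check is the one shown for the AP 'Gulf' above.

```python
"""Classifier for '/interface pc monitor' printouts.

Added example, not RouterOS code.  Sample printouts are copied from this
section of the manual (prompt lines omitted).  The states the text describes:
  synchronized=no,  associated=no  -> still looking for a network (join-net)
  synchronized=yes, associated=yes -> registered to an access point
  synchronized=yes, associated=no  -> ad-hoc cell formed (own or a peer's)
"""

BROADCAST_MAC = "FF:FF:FF:FF:FF:FF"  # shown under access-point while nothing is found

SEARCHING = """\
         synchronized: no
           associated: no
                 ssid: b_link
         access-point: FF:FF:FF:FF:FF:FF
    access-point-name:
         error-number: 0
"""

REGISTERED = """\
              quality: 62
             strength: 129
    current-frequency: 2442MHz
         synchronized: yes
           associated: yes
                 ssid: mt
         access-point: 00:40:96:00:06:72
    access-point-name: Gulf
         error-number: 0
"""

ADHOC_FIRST = """\
    current-frequency: 2412MHz
         synchronized: yes
           associated: no
                 ssid: b_link
         access-point: 16:01:0B:02:17:00
    access-point-name:
"""

ADHOC_SECOND = """\
    current-frequency: 2412MHz
         synchronized: yes
           associated: no
                 ssid: b_link
         access-point: 16:01:0B:02:17:00
    access-point-name:
"""


def parse_monitor(text):
    """Turn 'key: value' lines into a dict; splitting on the first colon keeps MAC values intact."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def classify(fields):
    """Map the synchronized/associated pair to the state the manual text describes."""
    sync = fields.get("synchronized") == "yes"
    assoc = fields.get("associated") == "yes"
    if sync and assoc:
        return "registered"
    if sync:
        return "ad-hoc"
    if not assoc:
        return "searching"
    return "inconsistent"


def same_cell(a, b):
    """True when two routers report the same ad-hoc cell (same generated MAC and ssid)."""
    return (classify(a) == classify(b) == "ad-hoc"
            and a.get("access-point") == b.get("access-point")
            and a.get("ssid") == b.get("ssid"))


def check_link(fields, expected_ssid, expected_ap=None):
    """Return a list of problems when verifying a client against the AP it should use."""
    problems = []
    if classify(fields) != "registered":
        problems.append("not associated")
    if fields.get("ssid") != expected_ssid:
        problems.append("ssid mismatch")
    ap = fields.get("access-point", "").upper()
    if ap == BROADCAST_MAC:
        problems.append("no network found")
    elif expected_ap and ap != expected_ap.upper():
        problems.append("unexpected access-point MAC")
    return problems


if __name__ == "__main__":
    for name, text in (("searching", SEARCHING), ("registered", REGISTERED),
                       ("adhoc-1", ADHOC_FIRST), ("adhoc-2", ADHOC_SECOND)):
        print(name, classify(parse_monitor(text)))
    print(check_link(parse_monitor(REGISTERED), "mt", "00:40:96:00:06:72"))
```

The check_link() comparison against an expected access-point MAC is worth keeping in a monitoring script: the parameter list for the pc interface above contains no setting that authenticates the access point, so the MAC reported under 'access-point' is the only confirmation available from this menu that the client registered to the intended AP rather than to any other one announcing the same ssid.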

If desired, IP addresses can be assigned to the wireless interfaces of the point-to-point link routers using a smaller subnet, say a 30-bit one:

[MikroTik] ip address> add address 192.168.11.1/30 interface aironet
[MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   192.168.11.1/30    192.168.11.0    192.168.11.3    aironet               
  1   192.168.0.254/24   192.168.0.0     192.168.0.255   Local                 
[MikroTik] ip address>

The second router will have address 192.168.11.2. The network connectivity can be tested by using ping or bandwidth test:

[wnet_gw] ip address> add address 192.168.11.2/30 interface pc1 
[wnet_gw] ip address> print 
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   192.168.11.2/30    192.168.11.0    192.168.11.3    pc1
  1   10.1.1.12/24       10.1.1.0        10.1.1.255      Public
[wnet_gw] ip address> /ping 192.168.11.1
192.168.11.1 pong: ttl=255 time=3 ms
192.168.11.1 pong: ttl=255 time=1 ms
192.168.11.1 pong: ttl=255 time=1 ms
192.168.11.1 pong: ttl=255 ping interrupted
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1/1.5/3 ms
interrupted
[wnet_gw] ip address> /tool btest 192.168.11.1 protocol tcp 
connecting
current = 4.6Mbps   10secavg = 4.6Mbps   totalavg = 4.6Mbps
current = 4.7Mbps   10secavg = 4.6Mbps   totalavg = 4.6Mbps
current = 4.7Mbps   10secavg = 4.6Mbps   totalavg = 4.6Mbps
current = 4.3Mbps   10secavg = 4.6Mbps   totalavg = 4.6Mbps
current = 4.5Mbps   10secavg = 4.5Mbps   totalavg = 4.5Mbps
current = 4.6Mbps   10secavg = 4.5Mbps   totalavg = 4.5Mbps
[wnet_gw] ip address> /tool btest 192.168.12.1 protocol udp size 1500
connecting
current = 1500.0kbps   10secavg = 1500.0kbps   totalavg = 1500.0kbps
current = 2.0Mbps   10secavg = 1775.3kbps   totalavg = 1775.3kbps
current = 2.9Mbps   10secavg = 2.1Mbps   totalavg = 2.1Mbps
current = 4.4Mbps   10secavg = 2.7Mbps   totalavg = 2.7Mbps
current = 5.6Mbps   10secavg = 3.3Mbps   totalavg = 3.3Mbps
current = 5.6Mbps   10secavg = 3.6Mbps   totalavg = 3.6Mbps
current = 5.6Mbps   10secavg = 3.9Mbps   totalavg = 3.9Mbps
current = 5.6Mbps   10secavg = 4.1Mbps   totalavg = 4.1Mbps
[wnet_gw] ip address> 



WaveLAN/ORiNOCO 2.4GHz 11Mbps Wireless Interface

Document revision 22-Mar-2002
This document applies to the MikroTik RouterOS V2.4 and V2.5

Overview

The MikroTik RouterOS supports the following WaveLAN/ORiNOCO 2.4GHz 11Mbps Wireless Adapter hardware:

For more information about the WaveLAN / ORiNOCO adapter hardware please see the relevant User’s Guides and Technical Reference Manuals in .pdf format from the manufacturer:

Information about configuring the ORiNOCO wireless access point can be found here:

Contents of the Manual

The following topics are covered in this manual:

Wireless Adapter Hardware and Software Installation

Software Packages

The MikroTik Router should have the wavelan software package installed. The software package file wavelan-2.x.y.npk can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation the package should be listed under the installed software packages list, for example:

[MikroTik] > system package print                                              
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 wavelan                2.4                   sep/25/2001 05:08:09 no       
  1 routing                2.4                   sep/25/2001 05:06:07 no       
  2 ssh                    2.4                   sep/25/2001 05:08:11 no       
  3 system                 2.4                   sep/25/2001 05:05:48 no       
  4 ppp                    2.4                   sep/25/2001 05:06:35 no       
  5 pppoe                  2.4                   sep/25/2001 05:06:45 no       
  6 pptp                   2.4                   sep/25/2001 05:06:44 no       
[MikroTik] > 

Software License

The 2.4GHz wireless adapters require the 2.4GHz wireless feature license. One license is for one installation of the MikroTik RouterOS, disregarding how many cards are installed in one PC box. The wireless feature is not included in the Free Demo or Basic Software License. The 2.4GHz Wireless Feature cannot be obtained for the Free Demo License. It can be obtained only together with the Basic Software License.

System Resource Usage

Before installing the wireless adapter, please check the availability of free IRQ's and I/O base addresses:

[MikroTik] > system resource irq print                                         
 IRQ USED OWNER                                                                 
 1   yes  keyboard                                                              
 2   yes  APIC                                                                  
 3   no                                                                         
 4   yes  serial port                                                           
 5   yes  Wavelan 802.11                                                        
 6   no                                                                         
 7   no                                                                         
 8   no                                                                         
 9   no                                                                         
 10  yes  Public                                                                
 11  yes  Local                                                                 
 12  no                                                                         
 13  yes  FPU                                                                   
 14  yes  IDE 1                                                                 
 15  yes  PCMCIA service                                                        
[MikroTik] > system resource io print                                          
 PORT-RANGE            OWNER                                                    
 20-3F                 APIC                                                     
 40-5F                 timer                                                    
 60-6F                 keyboard                                                 
 80-8F                 DMA                                                      
 A0-BF                 APIC                                                     
 C0-DF                 DMA                                                      
 F0-FF                 FPU                                                      
 100-13F               Wavelan 802.11                                           
 1F0-1F7               IDE 1                                                    
 2F8-2FF               serial port                                              
 3C0-3DF               VGA                                                      
 3E0-3E1               PCMCIA service                                           
 3F6-3F6               IDE 1                                                    
 3F8-3FF               serial port                                              
 4000-4007             IDE 1                                                    
 4008-400F             IDE 2                                                    
 6300-631F             Local                                                    
 6700-67FF             Public                                                   
[MikroTik] >                                                                   

Installing the Wireless Adapter

The basic installation steps of the wireless adapter should be as follows:
  1. Check the system BIOS settings and make sure you do not have the 'PnP OS Installed' set to 'Yes'. If you have this setting, make sure it is set to 'No'.
  2. Check the system BIOS settings for peripheral devices, such as parallel or serial communication ports. Disable them if you plan to use the IRQs assigned to them by the BIOS.
Please note that not all combinations of I/O base addresses and IRQs may work on your motherboard.

Special Notice for PCMCIA-PCI adapter users! On some motherboards the IRQ is not reported back correctly for PCMCIA-PCI adapters. As a result, the wireless interface appears to be operational, but no data can be transmitted over the wireless link. For example, when pinging the AP or gateway from the router, there is no response to the ping, although the other end does learn the MAC address of the router's WaveLAN interface. To solve this, try another motherboard, or use a PCMCIA-ISA adapter.

Loading the Driver for the Wireless Adapter

The WaveLAN / ORiNOCO PC (PCMCIA) cards do not require 'manual' driver loading, since they are recognized automatically by the system and the driver is loaded at system startup. If the driver has loaded successfully, two beeps of equal tone should be heard through the PC's speaker during system startup. If the second beep has a lower tone than the first one, the driver could not be loaded, or there is no wavelan package installed.
Note! The PC card can be inserted into the PCMCIA-ISA or PCI adapter while the system is running. The wavelan driver is not listed in the list of loaded drivers.

There can be several reasons for a failure to load the driver:

Wireless Interface Configuration

If the driver has been loaded successfully (no error messages), and you have the required 2.4GHz Wireless Software License, then the WaveLAN/ORiNOCO 2.4GHz Wireless interface should appear under the interfaces list with the name wavelanX, where X is 1,2,... You can change the interface name to a more descriptive one using the 'set' command. To enable the interface, use the 'enable' command:

[MikroTik] interface> print                                                    
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   Public               1500  ether                                         
  1   Local                1500  ether                                         
  2 X wavelan1             1500  wavelan                                       
[MikroTik] interface> enable 2                                                  
[MikroTik] interface> print                                                    
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   Public               1500  ether                                         
  1   Local                1500  ether                                         
  2   wavelan1             1500  wavelan                                       
[MikroTik] interface>                                                          

More configuration and statistics parameters can be found under the '/interface wavelan' menu:

[MikroTik] interface> wavelan                                                  
[MikroTik] interface wavelan> print                                            
Flags: X - disabled 
  0   name=wavelan1 mtu=1500 mac-address=00:02:2D:07:D8:44 arp=enabled 
      frequency=2412MHz data-rate=11Mbit/s mode=ad-hoc ssid="" client-name="" 
      key1="" key2="" key3="" key4="" tx-key=key1 encryption=no 

[MikroTik] interface wavelan>  

Argument description:

number - Interface number in the list
name - Interface name
mtu - Maximum Transmit Unit (256...2296 bytes). The default value is 1500 bytes.
mac-address - MAC address of the card. Cannot be changed.
frequency - Channel frequency (2412MHz / 2422MHz / ... / 2484MHz)
data-rate - Data rate (11Mbit/s / 1Mbit/s / 2Mbit/s / 5.5Mbit/s / auto)
mode - Operation mode of the card (infrastructure / ad-hoc)
ssid - Service Set Identifier
client-name - Client name
key1 - Encryption key #1
key2 - Encryption key #2
key3 - Encryption key #3
key4 - Encryption key #4
tx-key - Transmit key (key1 / key2 / key3 / key4)
encryption - Encryption (no / yes)
arp - Address Resolution Protocol (disabled / enabled / proxy-arp)

You can monitor the status of the wireless interface:

[MikroTik] interface wavelan> monitor wavelan1
             bssid: 44:44:44:44:44:44 
         frequency: 2422MHz           
         data-rate: 11Mbit/s          
              ssid: tsunami                
    signal-quality: 0                 
      signal-level: 0               
             noise: 0               

[MikroTik] interface wavelan>

To set the wireless interface for working with an IEEE 802.11b access point (register to the AP), you should set the following parameters:

All other parameters can be left as default. To configure the wireless interface for registering to an AP with ssid "MT_w_AP", it is enough to change the argument value of ssid to "MT_w_AP":

[MikroTik] interface wavelan> set 0 ssid MT_w_AP mode infrastructure           
[MikroTik] interface wavelan> monitor wavelan1                                 
             bssid: 00:40:96:42:0C:9C 
         frequency: 2437MHz           
         data-rate: 11Mbit/s          
              ssid: MT_w_AP           
    signal-quality: 65                
      signal-level: 228               
             noise: 163               

[MikroTik] interface wavelan>  

Wireless Troubleshooting

Wireless Network Applications

Two possible wireless network configurations are discussed in the following examples:

Point-to-Multipoint Wireless LAN

Let us consider the following network setup with WaveLAN / ORiNOCO or CISCO/Aironet Wireless Access Point as a base station and MikroTik Wireless Router as a client:

Point-to-Multipoint

The access point is connected to the wired network's HUB and has IP address from the network 10.1.1.0/24. The minimum configuration required for the AP is:

  1. Setting the Service Set Identifier (up to 32 alphanumeric characters). In our case we use ssid "mt".
  2. Setting the allowed data rates at 1-11Mbps, and the basic rate at 1Mbps.
  3. Choosing the frequency, in our case we use 2452MHz.
  4. Setting the identity parameters: ip address/mask and gateway. These are required if you want to access the AP remotely.

Reminder! Please note, that the AP is not a router! It has just one network address, and is just like any host on the network. It resembles a wireless-to-Ethernet HUB or bridge. The AP does not route the IP traffic!

The minimum configuration for the MikroTik router's wavelan wireless interface is:

  1. Setting the Service Set Identifier to that of the AP, i.e., "mt"
  2. Setting the Operation Mode to "infrastructure"

[MikroTik] interface wavelan> set wavelan1 ssid mt mode infrastructure
[MikroTik] interface wavelan> monitor wavelan1
             bssid: 00:40:96:42:0C:9C 
         frequency: 2437MHz           
         data-rate: 11Mbit/s           
              ssid: mt                
    signal-quality: 64                
      signal-level: 228               
             noise: 163               

[MikroTik] interface wavelan>   

The channel frequency argument has no effect in infrastructure mode, since the frequency of the AP is used.

IP Network Configuration

The IP addresses assigned to the wireless interface should be from the network 10.1.1.0/24, e.g.:

[MikroTik] ip address> add address 10.1.1.12/24 interface wavelan1 
[MikroTik] ip address> add address 192.168.0.254/24 interface ether1 
[MikroTik] ip address> print                                                   
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   192.168.0.254/24   192.168.0.0     192.168.0.255   ether1                
  1   10.1.1.12/24       10.1.1.0        10.1.1.255      wavelan1              
[MikroTik] ip address>

The default route should be set to the gateway router 10.1.1.254 (not the AP 10.1.1.250 !):

[MikroTik] ip route> add gateway 10.1.1.254
[MikroTik] ip route> print                                                     
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  0.0.0.0/0          A            10.1.1.254  1        wavelan1   
  1 D  connect 192.168.0.0/24     A            0.0.0.0     0        ether1     
  2 D  connect 10.1.1.0/24        A            0.0.0.0     0        wavelan1   
[MikroTik] ip route>   

Point-to-Point Wireless LAN

Let us consider the following point-to-point wireless network setup with two MikroTik Wireless Routers:

Point-to-Point

To establish a point-to-point link, the configuration of the wireless interface should be as follows:

The following command should be issued to change the settings for the wavelan interface:

[MikroTik] interface wavelan> set 0 ssid b_link mode ad-hoc frequency 2412MHz 
[MikroTik] interface wavelan> monitor wavelan1 
             bssid: 00:02:2D:07:17:23
         frequency: 2412MHz
         data-rate: 11Mbit/s
              ssid: b_link
    signal-quality: 0
      signal-level: 154
             noise: 154
[MikroTik] interface wavelan> 

The other router of the point-to-point link requires the same parameters to be set:

[wnet_gw] interface wavelan> set 0 ssid b_link mode ad-hoc frequency 2412MHz 
[wnet_gw] interface wavelan> enable 0
[wnet_gw] interface wavelan> monitor 0
             bssid: 00:02:2D:07:17:23
         frequency: 2412MHz
         data-rate: 11Mbit/s
              ssid: b_link
    signal-quality: 0
      signal-level: 154
             noise: 154
[wnet_gw] interface wavelan> 

As we see, the MAC address under the 'bssid' parameter is the same as generated on the first router.

IP Network Configuration

If desired, IP addresses can be assigned to the wireless interfaces of the point-to-point link routers from a smaller subnet, say a 30-bit one:

[MikroTik] ip address> add address 10.0.0.1/30 interface wavelan1 
[MikroTik] ip address> add address 192.168.0.254/24 interface ether1 
[MikroTik] ip address> print 
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.0.0.1        255.255.255.252 10.0.0.1        10.0.0.3        wavelan1
  1 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   ether1
[MikroTik] ip address> /ip route add gateway 10.0.0.2 
[MikroTik] ip address> /ip route print 
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.0.0.0        255.255.255.252 0.0.0.0         10.0.0.1        wave... D K
  1 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   ether1  D K
  2 0.0.0.0         0.0.0.0         10.0.0.2        0.0.0.0         wave...
[MikroTik] ip address>

The second router will have address 10.0.0.2, the default route to 10.1.1.254, and a static route for network 192.168.0.0/24 to 10.0.0.1:

[wnet_gw] ip address> add address 10.0.0.2/30 interface wl1 
[wnet_gw] ip address> add address 10.1.1.12/24 interface Public 
[wnet_gw] ip address> print 
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.0.0.2        255.255.255.252 10.0.0.2        10.0.0.3        wl1
  1 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      Public
[wnet_gw] ip address> /ip route 
[wnet_gw] ip route> add gateway 10.1.1.254 interface Public 
[wnet_gw] ip route> add gateway 10.0.0.1 interface wl1 \
                    dst-address 192.168.0.0/24
[wnet_gw] ip route> print 
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.0.0.0        255.255.255.252 0.0.0.0         10.0.0.2        wl1     D K
  1 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       Public  D K
  2 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         Public
  3 192.168.0.0     255.255.255.0   10.0.0.1        0.0.0.0         wl1
[wnet_gw] ip route> 
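A longest-prefix-match walk over the two routers' tables above, added here as an example and not part of the MikroTik manual. It rebuilds the tables from the page's commands (transcribed into constructed '/ip address add' / '/ip route add' lines) and shows that without the static route on wnet_gw, return traffic for 192.168.0.0/24 is handed to the upstream gateway 10.1.1.254 instead of the wireless link.

```python
"""Forwarding walk across the point-to-point routers of the example above.
Added example; the configuration lines are a constructed transcription of
the commands shown on this page."""
import ipaddress

MIKROTIK_CFG = """\
/ip address add address 10.0.0.1/30 interface wavelan1
/ip address add address 192.168.0.254/24 interface ether1
/ip route add gateway 10.0.0.2
"""
RETURN_ROUTE = "/ip route add gateway 10.0.0.1 interface wl1 dst-address 192.168.0.0/24\n"
WNET_GW_CFG = """\
/ip address add address 10.0.0.2/30 interface wl1
/ip address add address 10.1.1.12/24 interface Public
/ip route add gateway 10.1.1.254 interface Public
""" + RETURN_ROUTE


class Router:
    def __init__(self, name, cfg):
        self.name = name
        self.addresses = []   # (ip_interface, interface name)
        self.routes = []      # (destination network, gateway or None, interface name)
        for line in cfg.splitlines():
            words = line.split()
            if not words:
                continue
            args = dict(zip(words[3::2], words[4::2]))   # "key value" pairs after the command
            if words[:3] == ["/ip", "address", "add"]:
                addr = ipaddress.ip_interface(args["address"])
                self.addresses.append((addr, args["interface"]))
                # the connected ('D') route RouterOS creates for every address
                self.routes.append((addr.network, None, args["interface"]))
            elif words[:3] == ["/ip", "route", "add"]:
                dst = ipaddress.ip_network(args.get("dst-address", "0.0.0.0/0"))
                gw = ipaddress.ip_address(args["gateway"])
                ifname = args.get("interface") or self.iface_for(gw)
                if ifname is None:   # the 'I - invalid' case: gateway not on a connected net
                    raise ValueError(f"{name}: gateway {gw} is not on a connected network")
                self.routes.append((dst, gw, ifname))

    def iface_for(self, ip):
        for addr, ifname in self.addresses:
            if ip in addr.network:
                return ifname
        return None

    def owns(self, ip):
        return any(addr.ip == ip for addr, _ in self.addresses)

    def lookup(self, dst):
        """Longest-prefix match; returns (gateway or None, interface) or None."""
        best = None
        for net, gw, ifname in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, ifname)
        return None if best is None else (best[1], best[2])


def build(with_return_route=True):
    cfg = WNET_GW_CFG if with_return_route else WNET_GW_CFG.replace(RETURN_ROUTE, "")
    routers = [Router("MikroTik", MIKROTIK_CFG), Router("wnet_gw", cfg)]
    return {r.name: r for r in routers}


def trace(routers, start, dst, max_hops=8):
    """Forward a packet for dst from router `start`; returns (hops, outcome),
    each hop being (router, next hop, outgoing interface)."""
    dst = ipaddress.ip_address(dst)
    hops = []
    current = routers[start]
    for _ in range(max_hops):
        if current.owns(dst):
            return hops, f"delivered to {current.name}"
        hit = current.lookup(dst)
        if hit is None:
            return hops, f"no route on {current.name}"
        gw, ifname = hit
        nexthop = dst if gw is None else gw
        hops.append((current.name, str(nexthop), ifname))
        owner = next((r for r in routers.values() if r.owns(nexthop)), None)
        if owner is None:
            # not one of the modelled routers: the final host on a connected
            # network, or an outside gateway this model cannot follow
            return hops, ("delivered to host" if gw is None else f"handed off to {nexthop}")
        current = owner
    return hops, "loop"
```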

Testing the Network Connectivity

The network connectivity can be tested by using ping or bandwidth test:

[MikroTik]> ping 10.0.0.2
10.0.0.2 pong: ttl=255 time=2 ms
10.0.0.2 pong: ttl=255 time=2 ms
10.0.0.2 pong: ttl=255 time=2 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 2/2.0/2 ms
interrupted
[MikroTik]> tool btest 10.0.0.2 protocol udp size 1500
connecting
current = 1500.0kbps   10secavg = 1500.0kbps   totalavg = 1500.0kbps
current = 2039.0kbps   10secavg = 1769.5kbps   totalavg = 1769.5kbps
current = 2.8Mbps   10secavg = 2.1Mbps   totalavg = 2.1Mbps
current = 4.1Mbps   10secavg = 2.6Mbps   totalavg = 2.6Mbps
current = 4.1Mbps   10secavg = 2.9Mbps   totalavg = 2.9Mbps
current = 4.1Mbps   10secavg = 3.1Mbps   totalavg = 3.1Mbps
current = 4.2Mbps   10secavg = 3.2Mbps   totalavg = 3.2Mbps
[MikroTik]> 

Point-to-Point Wireless LAN with Windows Client

Let us consider the following point-to-point wireless network setup with one MikroTik Wireless Router and a laptop computer with Wavelan card:

Point-to-Point with Windows

It is very important that the MikroTik Router is configured prior to turning on and configuring the wireless client. The MikroTik router should be up and running, so that the client can join its network.

The configuration of the wireless interface of the MikroTik Router should be as follows:

The following command should be issued to change the settings for the wavelan interface:

[home_gw] interface wavelan> set wl-home frequency 2447MHz \
          mode ad-hoc ssid home_link
[home_gw] interface wavelan> enable wl-home 
[home_gw] interface wavelan> print 
0   name: wl-home mtu: 1500 mac-address: 00:02:2D:07:D8:44 frequency: 2447MHz
    data-rate: 11Mbit/s mode: ad-hoc ssid: home_link client-name: "" key1: ""
    key2: "" key3: "" key4: "" tx-key: key1 encryption: no arp: arp

[home_gw] interface wavelan> monitor 0
             bssid: 02:02:2D:07:D8:44
         frequency: 2447MHz
         data-rate: 11Mbit/s
              ssid: home_link
    signal-quality: 0
      signal-level: 154
             noise: 154
[home_gw] interface wavelan> 

Configure the laptop computer with the Wavelan card following the manufacturer's instructions.

Note! In Ad-Hoc (Peer-to-Peer) mode the V1.76 ORiNOCO Client Manager program allows setting only the Network Name (ssid) parameter. The channel (frequency) is taken from the other peer. Therefore, the MikroTik Router should be configured for ad-hoc mode operation prior to turning on the laptop Wavelan client.

If the laptop Wavelan client has established the wireless link with the MikroTik router, it should report the same parameters as set on the MikroTik router's wavelan interface:

Client Manager

Here, we see the channel #8, which is 2447MHz frequency.

IP Network Configuration

The IP addresses assigned to the wireless interface of the MikroTik Router should be from the network 192.168.0.0/24:

[home_gw] ip address> add interface Public address 10.1.1.12/24
[home_gw] ip address> add interface wl-home address 192.168.0.254/24
[home_gw] ip address> print 
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      Public
  1 192.168.0.254   255.255.255.0   192.168.0.254   192.168.0.255   wl-home
[home_gw] ip address> /ip route 
[home_gw] ip route> add gateway 10.1.1.254
[home_gw] ip route> print 
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       Public  D K
  1 192.168.0.0     255.255.255.0   0.0.0.0         192.168.0.254   wl-home D K
  2 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         Public
[home_gw] ip route>

The DHCP server can be enabled on the wireless interface:

[home_gw] ip dhcp-server> print
0   interface: Public enabled: no from-address: 0.0.0.0 to-address: 0.0.0.0
    lease-time: 0:10:00 netmask: 0.0.0.0 gateway: 0.0.0.0 src-address: 0.0.0.0
    dns-server: 0.0.0.0 domain: ""

1   interface: wl-home enabled: no from-address: 0.0.0.0 to-address: 0.0.0.0
    lease-time: 0:10:00 netmask: 0.0.0.0 gateway: 0.0.0.0 src-address: 0.0.0.0
    dns-server: 0.0.0.0 domain: ""

[home_gw] ip dhcp-server> set 1 enabled yes from-address 192.168.0.1 \
          to-address 192.168.0.200 netmask 255.255.255.0 gateway 192.168.0.254 \
          src-address 192.168.0.254 dns-server 159.148.147.194 domain myhome.com
[home_gw] ip dhcp-server> print
0   interface: Public enabled: no from-address: 0.0.0.0 to-address: 0.0.0.0
    lease-time: 0:10:00 netmask: 0.0.0.0 gateway: 0.0.0.0 src-address: 0.0.0.0
    dns-server: 0.0.0.0 domain: ""

1   interface: wl-home enabled: yes from-address: 192.168.0.1
    to-address: 192.168.0.200 lease-time: 0:10:00 netmask: 255.255.255.0
    gateway: 192.168.0.254 src-address: 192.168.0.254
    dns-server: 159.148.147.194 domain: myhome.com

[home_gw] ip dhcp-server> 

Testing the Network Connectivity

The network connectivity can be tested by monitoring the obtained leases:

[home_gw] ip dhcp-server> lease print 
  # ADDRESS         MAC-ADDRESS       INTERFACE            EXPIRES-AT
  0 192.168.0.1     00:02:2D:07:17:23 wl-home              sep/14/2001 10:58:23
[home_gw] ip dhcp-server>

Note! You may need to perform the 'renew lease' on the client to obtain the IP address from the router, if the DHCP-server has been configured after turning on the Wavelan client.

Use the ping command to test the connectivity from the router:

[home_gw] ip dhcp-server> /ping 192.168.0.1
192.168.0.1 pong: ttl=32 time=3 ms
192.168.0.1 pong: ttl=32 time=2 ms
192.168.0.1 pong: ttl=32 time=2 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 2/2.3/3 ms
interrupted
[home_gw] ip dhcp-server> 

You may want to turn on masquerading for the local addresses 192.168.0.0/24 when going out to the Internet:

[home_gw] ip firewall rule> add forward action masq src-address 192.168.0.0/24 \
          interface Public 
[home_gw] ip firewall rule> print forward 
0   action: masq protocol: all src-address: 192.168.0.0
    src-netmask: 255.255.255.0 src-ports: 0-65535 dst-address: 0.0.0.0
    dst-netmask: 0.0.0.0 dst-ports: 0-65535 interface: Public log: no

[home_gw] ip firewall rule> 

Thus, the IP address of the router 10.1.1.12 will be used as a source when accessing other networks through the Public interface. More about IP network and firewall configuration can be found in the relevant sections of the MikroTik RouterOS Manual.
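Consistency checks for the home_gw DHCP server and the masquerade rule above, added here as an example and not from the manual. The values are transcribed from the commands on this page; the forwarding decision is simplified to "connected network, else the default route out Public", and the masquerade logic reproduces the statement that 10.1.1.12 becomes the source address on the Public side.

```python
"""Checks for the DHCP pool and masquerade rule of the home_gw example.
Added example; the dictionaries below are constructed from this page's
commands, not read from a router."""
import ipaddress

ADDRESSES = {"Public": "10.1.1.12/24", "wl-home": "192.168.0.254/24"}
DEFAULT_IFACE = "Public"   # '/ip route add gateway 10.1.1.254' resolves to this interface
DHCP = {"interface": "wl-home", "from-address": "192.168.0.1",
        "to-address": "192.168.0.200", "netmask": "255.255.255.0",
        "gateway": "192.168.0.254", "src-address": "192.168.0.254"}
MASQ = {"src-address": "192.168.0.0/24", "interface": "Public"}


def check_dhcp(addresses, dhcp):
    """Return a list of problems; an empty list means leases will be usable."""
    problems = []
    iface = ipaddress.ip_interface(addresses[dhcp["interface"]])
    first = ipaddress.ip_address(dhcp["from-address"])
    last = ipaddress.ip_address(dhcp["to-address"])
    if first > last:
        problems.append("from-address is above to-address")
    # every handed-out value must sit in the network of the serving interface
    for key in ("from-address", "to-address", "gateway", "src-address"):
        if ipaddress.ip_address(dhcp[key]) not in iface.network:
            problems.append(f"{key} {dhcp[key]} is outside {iface.network}")
    pool_net = ipaddress.ip_network(f"{first}/{dhcp['netmask']}", strict=False)
    if pool_net.netmask != iface.network.netmask:
        problems.append(f"netmask {dhcp['netmask']} differs from the interface's "
                        f"{iface.network.netmask}")
    # clients must be told to use the router's own address as their gateway
    if ipaddress.ip_address(dhcp["gateway"]) != iface.ip:
        problems.append(f"gateway {dhcp['gateway']} is not the router's own address {iface.ip}")
    # and the router's address must not be leased out to a client
    if first <= iface.ip <= last:
        problems.append(f"router address {iface.ip} lies inside the lease pool")
    return problems


def outgoing(addresses, default_iface, dst):
    """Interface a packet to dst leaves on: a connected network wins, else the default route."""
    dst = ipaddress.ip_address(dst)
    for name, addr in addresses.items():
        if dst in ipaddress.ip_interface(addr).network:
            return name
    return default_iface


def source_after_nat(addresses, default_iface, masq, src, dst):
    """(outgoing interface, source address the destination sees) for a forwarded packet."""
    out = outgoing(addresses, default_iface, dst)
    src_ip = ipaddress.ip_address(src)
    # the masq rule applies only to traffic leaving on its interface from its source network
    if out == masq["interface"] and src_ip in ipaddress.ip_network(masq["src-address"]):
        return out, str(ipaddress.ip_interface(addresses[out]).ip)
    return out, str(src_ip)
```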


MikroTik RouterOS RadioLAN 5.8GHz Wireless Interface

RadioLAN 5.8GHz Wireless Interface

Document revision 22-Mar-2001
This document applies to the MikroTik RouterOS V2.4 and V2.5

Overview

The MikroTik RouterOS supports the following RadioLAN 5.8GHz Wireless Adapter hardware:

For more information about the RadioLAN adapter hardware please see the relevant User’s Guides and Technical Reference Manuals.

Contents of the Manual

The following topics are covered in this manual:

Wireless Adapter Hardware and Software Installation

Software Packages

The MikroTik Router should have the radiolan software package installed. The software package file radiolan-2.x.x.npk can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation the package should be listed under the installed software packages list, for example:

[MikroTik] system package> print
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 radiolan               2.4                   sep/25/2001 05:08:05 no
  1 pptp                   2.4                   sep/25/2001 05:06:44 no
  2 ppp                    2.4                   sep/25/2001 05:06:35 no
  3 pppoe                  2.4                   sep/25/2001 05:06:45 no
  4 ssh                    2.4                   sep/25/2001 05:08:11 no
  5 routing                2.4                   sep/25/2001 05:06:07 no
  6 snmp                   2.4                   sep/25/2001 05:06:09 no
  7 system                 2.4                   sep/25/2001 05:05:48 no
[MikroTik] system package>

Software License

The RadioLAN 5.8GHz wireless adapters require the RadioLAN 5.8GHz wireless feature license. One license is for one installation of the MikroTik RouterOS, disregarding how many cards are installed in one PC box. The wireless feature is not included in the Free Demo or Basic Software License. The RadioLAN 5.8GHz Wireless Feature cannot be obtained for the Free Demo License. It can be obtained only together with the Basic Software License.

System Resource Usage

Before installing the wireless adapter, please check the availability of free IRQ's and I/O base addresses:

[MikroTik] system resource> irq print
 IRQ USED OWNER
 1   yes  keyboard
 2   yes  APIC
 3   no
 4   yes  serial port
 5   no
 6   no
 7   no
 8   no
 9   yes  ether1
 10  no
 11  yes  pc1
 12  no
 13  yes  FPU
 14  yes  IDE 1
 [MikroTik] system resource> io print
 PORT-RANGE            OWNER
 20-3F                 APIC
 40-5F                 timer
 60-6F                 keyboard
 80-8F                 DMA
 A0-BF                 APIC
 C0-DF                 DMA
 F0-FF                 FPU
 1F0-1F7               IDE 1
 2F8-2FF               serial port
 3C0-3DF               VGA
 3F6-3F6               IDE 1
 3F8-3FF               serial port
 EE00-EEFF             ether1
 EF40-EF7F             pc1
 FC00-FC07             IDE 1
 FC08-FC0F             IDE 2
 FC10-FC7F             [CS5530]
[MikroTik] system resource>

Installing the Wireless Adapter

The basic installation steps of the wireless adapter should be as follows:
  1. Check the system BIOS settings and make sure you do not have the 'PnP OS Installed' set to 'Yes'. If you have this setting, make sure it is set to 'No'.
  2. Check the system BIOS settings for peripheral devices, such as parallel or serial communication ports. Disable them if you plan to use the IRQs assigned to them by the BIOS.
  3. Use RLProg.exe to set the IRQ and base port address of the RadioLAN ISA card (Model 101). RLProg must be run from a DOS window. Use a separate computer or a bootable floppy to run the RLProg utility and set the hardware parameters. The factory default values of I/O 0x300 and IRQ 10 might conflict with other devices.
Please note that not all combinations of I/O base addresses and IRQs may work on your motherboard. As has been observed, IRQ 5 and I/O 0x300 work in most cases.
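An offline check of 'irq print' / 'io print' output against a card's proposed IRQ and I/O base, added here as an example (not from the manual) for the resource-usage step of both the WaveLAN and the RadioLAN sections. The sample output is that of the RadioLAN section above; the port-range length of 0x20 for the card is an assumption, and I/O 0x300 / IRQ 10 are the factory defaults named in step 3.

```python
"""Free IRQ / I/O check over RouterOS '/system resource' output.
Added example; the two transcripts below are copied from this page."""
import re

IRQ_OUTPUT = """\
 IRQ USED OWNER
 1   yes  keyboard
 2   yes  APIC
 3   no
 4   yes  serial port
 5   no
 6   no
 7   no
 8   no
 9   yes  ether1
 10  no
 11  yes  pc1
 12  no
 13  yes  FPU
 14  yes  IDE 1
"""

IO_OUTPUT = """\
 PORT-RANGE            OWNER
 20-3F                 APIC
 40-5F                 timer
 60-6F                 keyboard
 80-8F                 DMA
 A0-BF                 APIC
 C0-DF                 DMA
 F0-FF                 FPU
 1F0-1F7               IDE 1
 2F8-2FF               serial port
 3C0-3DF               VGA
 3F6-3F6               IDE 1
 3F8-3FF               serial port
 EE00-EEFF             ether1
 EF40-EF7F             pc1
 FC00-FC07             IDE 1
 FC08-FC0F             IDE 2
 FC10-FC7F             [CS5530]
"""

CARD_IO_LENGTH = 0x20   # assumed size of the card's port window; check the card's manual


def parse_irq(text):
    """Return {irq number: owner} with owner None for a free line."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(yes|no)\b\s*(.*)$", line)
        if m:
            used = m.group(2) == "yes"
            table[int(m.group(1))] = m.group(3).strip() if used else None
    return table


def parse_io(text):
    """Return [(low, high, owner)] with inclusive port numbers parsed from hex."""
    ranges = []
    for line in text.splitlines():
        m = re.match(r"\s*([0-9A-Fa-f]+)-([0-9A-Fa-f]+)\s+(.*)$", line)
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3).strip()))
    return ranges


def free_irqs(irq_table):
    return sorted(irq for irq, owner in irq_table.items() if owner is None)


def io_conflicts(ranges, base, length):
    """Owners whose port range overlaps [base, base + length - 1]."""
    lo, hi = base, base + length - 1
    return [owner for (rlo, rhi, owner) in ranges if rlo <= hi and lo <= rhi]


def check_card(irq_table, ranges, irq, base, length=CARD_IO_LENGTH):
    """Problems with programming the card to this IRQ / I/O base; empty means usable."""
    problems = []
    if irq not in irq_table:
        problems.append(f"IRQ {irq} not listed")
    elif irq_table[irq] is not None:
        problems.append(f"IRQ {irq} already used by {irq_table[irq]}")
    for owner in io_conflicts(ranges, base, length):
        problems.append(f"I/O {base:#x}-{base + length - 1:#x} overlaps {owner}")
    return problems
```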

Loading the Driver for the Wireless Adapter

The ISA card requires the driver to be loaded by issuing the following command:

[MikroTik] > driver add name=radiolan io=0x300
[MikroTik] > driver print
Flags: I - invalid, D - dynamic
  #   DRIVER                            IRQ IO         MEMORY     ISDN-PROTOCOL
  0 D RealTek RTL8129/8139
  1   ISA RadioLAN                          0x300
[MikroTik] >

There can be several reasons for a failure to load the driver:

Wireless Interface Configuration

If the driver has been loaded successfully (no error messages), and you have the required RadioLAN 5.8GHz Wireless Software License, then the RadioLAN 5.8GHz Wireless interface should appear under the interfaces list with the name radiolanX, where X is 1,2,... You can change the interface name to a more descriptive one using the 'set' command. To enable the interface, use the 'enable' command:

[MikroTik] interface> print
Flags: X - disabled, D - dynamic
  #   NAME                 MTU   TYPE
  0   ether1               1500  ether
  1 X radiolan1            1500  radiolan
[MikroTik] interface>
[MikroTik] interface> enable radiolan1
[MikroTik] interface> print
Flags: X - disabled, D - dynamic
  #   NAME                 MTU   TYPE
  0   ether1               1500  ether
  1   radiolan1            1500  radiolan
[MikroTik] interface>

More configuration and statistics parameters can be found under the '/interface radiolan' menu:

[MikroTik] interface> radiolan
[MikroTik] interface radiolan> print
0   name: radiolan1 mtu: 1500 mac-address: 00:A0:D4:20:42:EE distance: 0-150m
    tx-diversity: disabled rx-diversity: disabled default-dst: firstclient
    max-retries: 15 sid: bbbb card-name: 00A0D42042EE
    cfg-destination: 00:00:00:00:00:00 arp: enabled

[MikroTik] interface radiolan>

Argument description:

number - Interface number in the list
name - Interface name
mtu - Maximum Transmit Unit (68...1900 bytes). Default value is 1500 bytes.
mac-address - MAC address. Cannot be changed.
distance - distance setting for the link (0-10.2km)
rx-diversity - Receive diversity (disabled / enabled)
tx-diversity - Transmit diversity (disabled / enabled)
default-dst - default destination (alone / ap / cfg / firstap / firstclient). It sets the destination where to send the packet if it is not for a client in the radio network.
max-retries - maximum retries before dropping the packet
sid - Service Set Identifier
card-name - Card name
cfg-destination - MAC address of a host in the radio network where to send the packet, if it is for none of the radio clients.
arp - Address Resolution Protocol (disabled / enabled / proxy-arp)

You can monitor the status of the wireless interface:

[MikroTik] interface radiolan> monitor radiolan1
    default: 00:00:00:00:00:00
      valid: no
[MikroTik] interface radiolan>

Here, the wireless interface card has not found any neighbour.

To set the wireless interface for working with another wireless card in a point-to-point link, you should set the following parameters:

All other parameters can be left as default:

[MikroTik] interface radiolan> set 0 sid ba72 distance 4.7km-6.6km
[MikroTik] interface radiolan> print
0   name: radiolan1 mtu: 1500 mac-address: 00:A0:D4:20:42:EE
    distance: 4.7km-6.6km tx-diversity: disabled rx-diversity: disabled
    default-dst: firstclient max-retries: 15 sid: ba72 card-name: 00A0D42042EE
    cfg-destination: 00:00:00:00:00:00 arp: enabled

[MikroTik] interface radiolan> monitor 0
    default: 00:A0:D4:20:42:47
      valid: yes

[MikroTik] interface radiolan>

You can monitor the list of neighbours having the same sid and being within the radio range:

[MikroTik] interface radiolan> neighbours print radiolan1
NAME             MAC-ADDRESS       FLAGS ACCESS-POINT
00A0D4204247     00:A0:D4:20:42:47    D
[MikroTik] interface radiolan>
You can test the link by pinging the neighbour by its MAC address:

[MikroTik] interface radiolan> ping radiolan1 \
mac-address 00:A0:D4:20:42:47 size 1500 count 50
Sent: 2/50 (4%), Ok: 2/2 (100%) max/avg/min retries: 0/0.0/0
Sent: 12/50 (24%), Ok: 12/12 (100%) max/avg/min retries: 0/0.0/0
Sent: 22/50 (44%), Ok: 22/22 (100%) max/avg/min retries: 0/0.0/0
Sent: 32/50 (64%), Ok: 32/32 (100%) max/avg/min retries: 0/0.0/0
Sent: 42/50 (84%), Ok: 42/42 (100%) max/avg/min retries: 0/0.0/0
Sent: 50/50 (100%), Ok: 50/50 (100%) max/avg/min retries: 0/0.0/0
[MikroTik] interface radiolan>

Wireless Troubleshooting

Wireless Network Applications

Two possible wireless network configurations are discussed in the following examples:

Point-to-Point Setup with Routing

Let us consider the following network setup with two MikroTik Routers having RadioLAN interfaces: The minimum configuration required for the RadioLAN interfaces of both routers is:
  1. Setting the Service Set Identifier (up to alphanumeric characters). In our case we use ssid "ba72".
  2. Setting the distance parameter, in our case we have 6km link.

The IP addresses assigned to the wireless interface of Router#1 should be from the network 10.1.0.0/30, e.g.:

[MikroTik] ip address> add address 10.1.0.1/30 interface radiolan1
[MikroTik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.1.0.1        255.255.255.252 10.1.0.1        10.1.0.3        radiolan1
  1 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      ether1
[MikroTik] ip address>

The default route should be set to the gateway router 10.1.1.254. A static route should be added for the network 192.168.0.0/24:

[MikroTik] ip route> add gateway 10.1.1.254 interface ether1
[MikroTik] ip route> add dst-address 192.168.0.0/24 gateway 10.1.0.2 \
interface radiolan1
[MikroTik] ip route> print
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       ether1  D K
  1 10.1.0.0        255.255.255.252 0.0.0.0         10.1.0.1        radi... D K
  2 192.168.0.0     255.255.255.0   10.1.0.2        0.0.0.0         radi...
  3 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         ether1
[MikroTik] ip route>

The Router#2 should have the addresses 10.1.0.2/30 and 192.168.0.254/24 assigned to its radiolan and Ethernet interfaces respectively. Its default route should be set to 10.1.0.1.

Point-to-Point Setup with Bridging

The radiolan interface setup is similar to that in the previous example. However, bridging of the desired protocols should be enabled for the radiolan and ethernet interfaces:

[MikroTik] bridge> set ip forward arp forward other forward
[MikroTik] bridge> print
           ip: forward
          arp: forward
          ipx: discard
    appletalk: discard
         ipv6: discard
        other: forward
     priority: 1
[MikroTik] bridge> interface
[MikroTik] bridge interface> print
  # INTERFACE                                                           FORWARD
  0 ether1                                                              no
  1 radiolan1                                                           no
[MikroTik] bridge interface> set 0 forward yes
[MikroTik] bridge interface> set 1 forward yes
[MikroTik] bridge interface> pr
  # INTERFACE                                                           FORWARD
  0 ether1                                                              yes
  1 radiolan1                                                           yes
[MikroTik] bridge interface>

Enable the bridge interface and assign the IP address to it, as well as set the default gateway:

[MikroTik] interface> print
  # NAME                                                    TYPE        MTU
  0 ether1                                                  ether       1500
  1 radiolan1                                               radiolan    1500
( 2)bridge1                                                 bridge      1500
[MikroTik] interface> enable 2
[MikroTik] interface> /ip address
[MikroTik] ip address> add address 10.1.1.12/24 interface bridge1
[MikroTik] ip address> print
  # ADDRESS         NETMASK         NETWORK         BROADCAST       INTERFACE
  0 10.1.1.12       255.255.255.0   10.1.1.12       10.1.1.255      bridge1
[MikroTik] ip address> .. route add gateway 10.1.1.254 interface bridge1
[MikroTik] ip address> .. route print
  # DST-ADDRESS     NETMASK         GATEWAY         PREF-ADDRESS    INTE...
  0 10.1.1.0        255.255.255.0   0.0.0.0         10.1.1.12       bridge1 D K
  1 0.0.0.0         0.0.0.0         10.1.1.254      0.0.0.0         bridge1
[MikroTik] ip address>

The Router#2 should be set up similarly, but with a different IP address assigned to its bridge interface, e.g., 10.1.1.13/24; the default gateway is again 10.1.1.254. Thus, the Ethernet networks are bridged over the RadioLAN point-to-point link.


MikroTik RouterOS PrismII Wireless Client and Wireless Access Point Manual

PrismII Wireless Client and Wireless Access Point

Document revision 03-Oct-2002
This document applies to the MikroTik RouterOS V2.5

Overview

The MikroTik RouterOS supports the PrismII chipset based wireless adapter cards for working both as wireless clients (station mode) and wireless access points (ap-bridge or bridge mode). See the list of supported Prism II chipset based hardware at the end of the document.

For more information about adapter hardware please see the relevant User’s Guides and Technical Reference Manuals of the hardware manufacturers.

Notice about PCMCIA Adapters: Currently only the following PCMCIA-ISA and PCMCIA-PCI adapters are recognized properly by the MikroTik RouterOS: All other PCMCIA-ISA and PCMCIA-PCI adapters might not function properly.

The Ricon adapter might not work properly with some older motherboards. When recognized properly by the BIOS during the boot up of the router, it should be reported under the PCI device listing as "PCI/CardBus bridge". Try using another motherboard, if the adapter or the Prism card are not recognized properly.

Contents of the Manual

The following topics are covered in this manual:

Supported Network Topologies

Wireless Client

The Prism interface can be configured to act as an IEEE 802.11b wireless client (station) to associate with an access point. The station mode has been tested with MikroTik RouterOS PrismII based Access Points and CISCO/Aironet Wireless Ethernet Bridges and Access Points. The station mode has been tested on a 23km link with a CISCO/Aironet Bridge as the base station.

Wireless Access Point

The Prism interface can be configured to act as an IEEE 802.11b wireless access point. It requires the Prism AP Feature License. The access point can register up to 2007 wireless clients. The access point mode has been tested with PrismII, CISCO/Aironet and ORiNOCO/WaveLAN clients.

The PrismII Access Point interface can register other access points. Thus, it is possible to bridge networks over wireless links.

Wireless Bridge (new in V2.5.3 and up)

This is a limited version of the Access Point mode which allows only one client to be registered but does not require the Prism AP feature license, only the 2.4GHz Wireless license. Thus, it is possible to create point-to-point links and bridge networks over wireless links.

Installation

The MikroTik Router should have the prism software package installed. The software package file prism-2.x.npk can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation the package should be listed under the installed software packages list, for example:

[MikroTik] > system package print                                              
Flags: I - invalid 
  #   NAME                  VERSION              BUILD-TIME           UNINSTALL
  0   advanced-tools        2.5.4                may/08/2002 17:42:32 no       
  1   pptp                  2.5.4                may/08/2002 17:17:22 no       
  2   prism                 2.5.4                may/08/2002 17:21:12 no       
  3   routing               2.5.4                may/08/2002 17:24:16 no       
  4   ssh                   2.5.4                may/08/2002 17:14:31 no       
  5   thinrouter-pcipc      2.5.4                may/08/2002 17:22:32 no       
  6   system                2.5.4                may/08/2002 17:12:09 no       
  7   ppp                   2.5.4                may/08/2002 17:16:44 no       
  8   pppoe                 2.5.4                may/08/2002 17:18:26 no       
[MikroTik] >   

License

The PrismII chipset based adapters, like other 2.4GHz wireless adapters, require the 2.4GHz wireless feature license. One license covers one installation of the MikroTik RouterOS, regardless of how many cards are installed in that PC box. The wireless feature is not included in the Free Demo or Basic Software License. The 2.4GHz Wireless Feature cannot be obtained for the Free Demo License. It can be obtained only together with the Basic Software License.

Note! The 2.4GHz Wireless Feature License enables only the station or bridge (new in V2.5.3 and up) mode of the Prism II card.
To enable the access point mode, additionally the Wireless AP Feature License is required.

The MikroTik RouterOS supports as many PrismII chipset based cards as your system has free resources for, i.e., IRQs and adapter slots. One license is valid for all cards on your system.

System Resource Usage

Before installing the wireless adapter, please check the availability of free IRQs and I/O base addresses. A system with an installed PrismII card and Ricon PCMCIA-PCI adapter reports, for example, the following:

[MikroTik] > system resource irq print                                         
Flags: U - unused 
   IRQ OWNER                                                                    
   1   keyboard                                                                 
   2   APIC                                                                     
 U 3                                                                            
   4   serial port                                                              
 U 5                                                                            
 U 6                                                                            
 U 7                                                                            
 U 8                                                                            
   9   ether1                                                                   
 U 10                                                                           
   11  PCMCIA service                                                           
   11  [prism2_cs]                                                              
 U 12                                                                           
 U 13                                                                           
   14  IDE 1                                                                    
[MikroTik] > system resource io print                                          
 PORT-RANGE        OWNER                                                        
 20-3F             APIC                                                         
 40-5F             timer                                                        
 60-6F             keyboard                                                     
 80-8F             DMA                                                          
 A0-BF             APIC                                                         
 C0-DF             DMA                                                          
 F0-FF             FPU                                                          
 100-13F           [prism2_cs]                                                  
 1F0-1F7           IDE 1                                                        
 2F8-2FF           serial port                                                  
 3C0-3DF           VGA                                                          
 3F6-3F6           IDE 1                                                        
 3F8-3FF           serial port                                                  
 CF8-CFF           [PCI conf1]                                                  
 EF00-EFFF         [Realtek Semiconductor Co., Ltd. RTL-8139]                   
 EF00-EFFF         [8139too]                                                    
 FC00-FC7F         [Cyrix Corporation 5530 IDE [Kahlua]]                        
 FC00-FC07         IDE 1                                                        
 FC08-FC0F         IDE 2                                                        
[MikroTik] >     

Installing the Wireless Adapter

The basic installation steps of the wireless adapter should be as follows:
  1. Check the system BIOS settings and make sure you do not have the 'PnP OS Installed' set to 'Yes'. If you have this setting, make sure it is set to 'No'.
  2. Check the system BIOS settings for peripheral devices, like Parallel or Serial communication ports. Disable them if you plan to use the IRQs assigned to them by the BIOS.

Loading the Driver for the Wireless Adapter

PCI and PC (PCMCIA) cards do not require a 'manual' driver loading, since they are recognized automatically by the system and the driver is loaded at the system startup.

There can be several reasons for a failure to load the driver, for example:

Usually two consecutive beeps of high tone can be heard during the startup of the MikroTik RouterOS router with PCMCIA PrismII card. If the second beep has a lower tone, or there is only one lower tone beep, most likely there is a compatibility problem with the motherboard. Try to use another type of motherboard.

Wireless Interface Configuration

If the driver has been loaded successfully, and you have the required 2.4GHz Wireless Software License, then the Prism II 2.4GHz Wireless interface should appear under the /interface list with the name prismX, where X is 1,2,... You can change the interface name to a more descriptive one using the 'set' command. To enable the interface, use the 'enable' command:

[MikroTik] > interface print                                                   
Flags: X - disabled, D - dynamic 
  #   NAME                 TYPE             MTU  
  0   ether1               ether            1500 
  1 X prism1               prism            1500 
[MikroTik] > interface enable 1
[MikroTik] > interface print                                                   
Flags: X - disabled, D - dynamic 
  #   NAME                 TYPE             MTU  
  0   ether1               ether            1500 
  1   prism1               prism            1500 
[MikroTik] > 

More configuration and statistics parameters can be found under the /interface prism menu:

[MikroTik] interface prism> print                                              
Flags: X - disabled 
  0   name="prism1" mtu=1500 mac-address=00:90:4B:03:F1:88 arp=enabled 
      mode=station root-ap=00:00:00:00:00:00 frequency=2442MHz ssid="abc46" 
      default-authentication=yes default-forwarding=yes max-clients=2007 
      supported-rates=1-11 basic-rates=1 

[MikroTik] interface prism>  

Argument description:

name - Interface name (same as for other interfaces)
mtu - Maximum transfer unit (same as for other interfaces)
mac-address - MAC address of card. In AP mode this will also be BSSID of BSS.
arp - ARP mode (same as for ethernet interfaces)
mode - Mode of the interface (station / bridge / ap-bridge):
if station, the card works as a station (client) of the wireless infrastructure;
if bridge, the card works as an access point, but can register only one client or access point;
if ap-bridge, the card works as an access point, i.e., it creates the wireless infrastructure.
root-ap - (only ap-bridge or bridge) MAC address of the root access point to register to.
frequency - (only ap-bridge or bridge) Frequency that AP will use to create BSS
ssid - Service Set Identifier. In station mode - ssid to connect to, in AP and P2P mode - ssid to use when creating BSS (this can not be left blank).
client-name - Client name
max-clients - (only ap-bridge or bridge) Maximum number of clients (including other access points), that is allowed to associate with this access point (1...2007).
supported-rates - Rates at which this node will work.
basic-rates - (only ap-bridge or bridge) Rates that every client that plans to connect to this AP should be able to work at. It is recommended to set it to '1', since not all clients might support rates 1-11.
default-authentication - (only ap-bridge or bridge) What to do with a client that wants to associate but is not in the access-list.
default-forwarding - (only ap-bridge or bridge) What to do with a client that wants to send packets to other wireless clients but is not in the access-list.

Station Mode Configuration

To set the wireless interface for working with an IEEE 802.11b access point (register to the AP), you should set the following parameters: All other parameters can be left as default. To configure the wireless interface for registering to an AP with ssid "testing", it is enough to change the argument value of ssid to "testing" and to enable the interface:

[MikroTik] interface prism> set prism1 ssid=testing                            
[MikroTik] interface prism> enable prism1                                      
[MikroTik] interface prism> print                                              
Flags: X - disabled 
  0   name=prism1 mtu=1500 mac-address=00:90:4B:04:66:D6 arp=enabled 
      mode=station root-ap=00:00:00:00:00:00 frequency=2412MHz ssid=testing 
      default-authentication=yes default-forwarding=yes supported-rates=1-11 
      basic-rates=1-11 

[MikroTik] interface prism> 

Note for CISCO/Aironet Wireless Bridge and Access Point users
When working with Prism II chipset based clients, the CISCO/Aironet Wireless Bridge or AP should have the following settings:
- the Proprietary Extensions should be turned 'off' under Configuration/Radio/802.11 menu
- the Encapsulation Protocol should be RFC1042 under Configuration/Radio/802.11/Encapsulation menu

Monitoring the Interface Status

In station mode, the prism interface status can be monitored using the /interface prism monitor command:

[MikroTik] interface prism> monitor 0                                          
            status: connected-to-ess  
         data-rate: 11Mbps            
              ssid: testing           
             bssid: 00:90:4B:03:F1:84 
    signal-quality: 92                
      signal-level: 154               
       noise-level: 2                 

[MikroTik] interface prism>

Argument description:

status - status of the interface
'searching-for-network' - the card has not registered to an AP and is searching for one to register to;
'connected-to-ess' - the card has registered to an AP.
data-rate - the actual data rate of the connection.
ssid - the Service Set Identifier.
bssid - the Basic Service Set Identifier (actually, the MAC address) of the access point.
signal-quality - the signal quality (0-92).
signal-level - the average signal level (27-154).
noise-level - the average noise level (27-154).

The monitor command does not work, if the interface is disabled, or the mode is 'ap-bridge' or 'bridge'.

Access Point Mode Configuration

To set the wireless interface for working as an IEEE 802.11b access point (register clients), you need both the 2.4GHz Wireless Feature License and the Prism AP Feature Licenses. You should set the following parameters:

All other parameters can be left as default. However, you should make sure that all clients support the basic rates of your access point, i.e., the supported-rates of the client should cover the basic-rates of the access point.

To configure the wireless interface for working as an access point with ssid "testing" and use the frequency 2442MHz, it is enough to enter the command:

[MikroTik] interface prism> set prism1 mode=ap-bridge frequency=2442MHz \   
\... ssid=testing                                                              
[MikroTik] interface prism> print                                              
Flags: X - disabled 
  0   name=prism1 mtu=1500 mac-address=00:90:4B:03:F1:84 arp=enabled 
      mode=ap-bridge root-ap=00:00:00:00:00:00 frequency=2442MHz 
      ssid=testing default-authentication=yes default-forwarding=yes 
      supported-rates=1-11 basic-rates=1 

[MikroTik] interface prism> 

Use the registration table to see the associated clients.

Registration Table

The registration table shows all clients currently associated with the access point, for example:

[MikroTik] interface prism> registration-table print                           
  # INTERFACE                     MAC-ADDRESS       TYPE      PARENT           
  0 prism1                        00:60:F5:04:03:39 local                      
  1 prism1                        00:00:E8:69:69:F0 local                      
  2 prism1                        00:40:96:37:A3:39 client                     
  3 prism1                        00:E0:C5:6E:23:5B local                      
[MikroTik] interface prism>

Argument description for the registration-table entry:

interface - interface that client is registered to
mac-address - mac address of the registered client
type - type of the client:
'client' - client registered to the interface
'local' - client learned from bridged interface
'ap' - client is an access point
'forward' - client is forwarded from another access point
parent - parent access point's MAC address, if forwarded from another access point

The print stats or print detail commands give additional per-client statistics:

[MikroTik] interface prism registration-table> print stats                     
  0 interface=prism1 mac-address=00:60:F5:04:03:39 type=local 

  1 interface=prism1 mac-address=00:00:E8:69:69:F0 type=local 

  2 interface=prism1 mac-address=00:40:96:37:A3:39 type=client 
    packets=4338,5611 bytes=2661200,577450 signal-level=18/20/24 
    noise-level=3/9/26 data-rate=10/110/110 tx-rate=110 
    last-update=00:00:00.320 uptime=03:09:38.980 

  3 interface=prism1 mac-address=00:E0:C5:6E:23:5B type=local 

[MikroTik] interface prism registration-table> 

Argument description (only for wireless clients):

packets - number of received and sent packets
bytes - number of received and sent bytes
signal-level - min/average/max signal level
noise-level - min/average/max noise level
data-rate - min/average/max receive data rate
tx-rate - transmit data rate
last-update - time since the last update
uptime - time the client is associated with the access point
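The 'print stats' block above is plain text, so anyone monitoring an access point ends up parsing it. The following parser is an added example, not part of the manual or of RouterOS; it reproduces the block shown above as constructed input and decodes the fields according to the argument description (received,sent pairs and min/average/max triples). The signal threshold in weak_clients is an assumption for the example; the manual gives no recommended value.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the 'registration-table print stats' block
# shown in the manual, reproduced so the parser can run offline.
SAMPLE_STATS = """\
  0 interface=prism1 mac-address=00:60:F5:04:03:39 type=local 

  1 interface=prism1 mac-address=00:00:E8:69:69:F0 type=local 

  2 interface=prism1 mac-address=00:40:96:37:A3:39 type=client 
    packets=4338,5611 bytes=2661200,577450 signal-level=18/20/24 
    noise-level=3/9/26 data-rate=10/110/110 tx-rate=110 
    last-update=00:00:00.320 uptime=03:09:38.980 

  3 interface=prism1 mac-address=00:E0:C5:6E:23:5B type=local 
"""

# An entry starts with its index number; continuation lines are indented
# and carry only key=value pairs.
ENTRY_START = re.compile(r"^\s*(\d+)\s+(\S+=.*)$")
KEY_VALUE = re.compile(r"(\S+?)=(\S*)")


@dataclass
class RegistrationEntry:
    index: int
    interface: str
    mac_address: str
    kind: str                      # the 'type' column: client / local / ap / forward
    stats: dict = field(default_factory=dict)


def parse_duration(text):
    """Convert RouterOS 'HH:MM:SS.fff' into seconds."""
    hours, minutes, seconds = text.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)


def _decode(stats):
    """Turn raw strings into numbers: 'a,b' is received,sent; 'x/y/z' is min/avg/max."""
    for key in ("packets", "bytes"):
        if key in stats:
            rx, tx = stats[key].split(",")
            stats[key] = (int(rx), int(tx))
    for key in ("signal-level", "noise-level", "data-rate"):
        if key in stats:
            stats[key] = tuple(int(v) for v in stats[key].split("/"))
    if "tx-rate" in stats:
        stats["tx-rate"] = int(stats["tx-rate"])
    for key in ("last-update", "uptime"):
        if key in stats:
            stats[key] = parse_duration(stats[key])
    return stats


def parse_registration_stats(text):
    """Parse the text of 'registration-table print stats' into RegistrationEntry objects."""
    entries = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue                      # blank line separates entries
        start = ENTRY_START.match(line)
        if start:
            fields = dict(KEY_VALUE.findall(start.group(2)))
            current = RegistrationEntry(
                index=int(start.group(1)),
                interface=fields.pop("interface"),
                mac_address=fields.pop("mac-address").upper(),
                kind=fields.pop("type"),
                stats=fields,             # whatever else was on the first line
            )
            entries.append(current)
        elif current is not None:
            current.stats.update(KEY_VALUE.findall(line))
    for entry in entries:
        _decode(entry.stats)
    return entries


def wireless_clients(entries):
    """Only 'client' entries carry link statistics; 'local' ones are learned from the bridge."""
    return [e for e in entries if e.kind == "client"]


def weak_clients(entries, min_avg_signal):
    """Clients whose average signal-level is below min_avg_signal (assumed threshold)."""
    return [e for e in wireless_clients(entries)
            if e.stats["signal-level"][1] < min_avg_signal]


if __name__ == "__main__":
    for client in wireless_clients(parse_registration_stats(SAMPLE_STATS)):
        rx, tx = client.stats["packets"]
        print(client.mac_address, "rx/tx packets:", rx, tx,
              "signal min/avg/max:", client.stats["signal-level"])
```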

Access List

The access list is used by the access point to restrict authentications (associations) of clients. Each entry contains the MAC address of a client and the action to take when that client attempts to connect. The forwarding of frames sent by the client is controlled by the same entry.

The association procedure is as follows: when a new client wants to associate to the AP configured on interface prismX, an entry with the client's MAC address and interface prismX is looked up in the access-list. If such an entry is found, the action specified in it is taken. Otherwise the 'default-authentication' and 'default-forwarding' settings of interface prismX are used.

To add an access list entry, use the 'add' command, for example:

[MikroTik] interface prism access-list>
add mac-address=00:40:96:37:A3:39 interface=prism1
[MikroTik] interface prism access-list> print                                  
Flags: X - disabled, I - invalid 
  0   mac-address=00:40:96:37:A3:39 interface=prism1 authentication=yes 
      forwarding=yes 

[MikroTik] interface prism access-list>

Argument description:

mac-address - MAC address of the client
interface - AP interface
authentication - (yes / no) - accept this client when it tries to connect or not
forwarding - (yes / no) - forward the client's frames to other wireless clients or not

If you have default authentication action for the interface set to 'yes', you can disallow this node to register at the AP's interface 'prism1' by setting 'authentication=no' for it. Thus, all nodes except this one will be able to register to the interface 'prism1'.

If you have default authentication action for the interface set to 'no', you can allow this node to register at the AP's interface 'prism1' by setting 'authentication=yes' for it. Thus, only the specified nodes will be able to register to the interface 'prism1'.
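The lookup rule and the two policies described in the three paragraphs above can be written out as a small model, shown here as an added example that is not part of the manual or of RouterOS. The MAC addresses are taken from the registration table output earlier in this document; treating an entry with the 'X' (disabled) flag as absent from the lookup is an assumption of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PrismInterface:
    """The two per-interface fallbacks from '/interface prism print'."""
    default_authentication: bool
    default_forwarding: bool


@dataclass(frozen=True)
class AccessListEntry:
    """One row of '/interface prism access-list print'."""
    mac_address: str
    interface: str
    authentication: bool = True
    forwarding: bool = True
    disabled: bool = False   # the 'X' flag; assumed here to take the entry out of the lookup


def normalize_mac(mac):
    # RouterOS prints MACs in upper case in most tables and in lower case in
    # scan output, so the comparison is made case-insensitive.
    return mac.strip().upper()


def associate(interfaces, access_list, iface, client_mac):
    """Return (authenticate, forward) for client_mac associating on iface.

    The lookup key is (interface, MAC). A matching, enabled entry decides;
    otherwise the interface's default-authentication / default-forwarding apply.
    """
    if iface not in interfaces:
        raise KeyError(f"no prism interface named {iface}")
    key = (iface, normalize_mac(client_mac))
    for entry in access_list:
        if entry.disabled:
            continue
        if (entry.interface, normalize_mac(entry.mac_address)) == key:
            return entry.authentication, entry.forwarding
    defaults = interfaces[iface]
    return defaults.default_authentication, defaults.default_forwarding


# Constructed values: MACs from the manual's registration table output.
LISTED = "00:40:96:37:A3:39"
OTHER = "00:00:E8:69:69:F0"


def deny_list_policy():
    """default-authentication=yes and authentication=no for one node:
    every node except the listed one may register on prism1."""
    interfaces = {"prism1": PrismInterface(default_authentication=True, default_forwarding=True)}
    acl = [AccessListEntry(LISTED, "prism1", authentication=False)]
    return (associate(interfaces, acl, "prism1", LISTED.lower()),   # lower case still matches
            associate(interfaces, acl, "prism1", OTHER))


def allow_list_policy():
    """default-authentication=no and authentication=yes for listed nodes:
    only the listed nodes may register on prism1."""
    interfaces = {"prism1": PrismInterface(default_authentication=False, default_forwarding=False)}
    acl = [AccessListEntry(LISTED, "prism1", authentication=True, forwarding=True)]
    return (associate(interfaces, acl, "prism1", LISTED),
            associate(interfaces, acl, "prism1", OTHER))


def entry_scoped_to_interface():
    """An entry bound to prism1 does not apply to the same client arriving on prism2."""
    interfaces = {
        "prism1": PrismInterface(default_authentication=False, default_forwarding=False),
        "prism2": PrismInterface(default_authentication=False, default_forwarding=False),
    }
    acl = [AccessListEntry(LISTED, "prism1", authentication=True)]
    return (associate(interfaces, acl, "prism1", LISTED),
            associate(interfaces, acl, "prism2", LISTED))


if __name__ == "__main__":
    print("deny-list policy :", deny_list_policy())
    print("allow-list policy:", allow_list_policy())
    print("per-interface    :", entry_scoped_to_interface())
```

The list keys on the client's MAC address alone, so it is an admission policy for the access point rather than an authentication of the client.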

Registering the Access Point to another Access Point

You can configure the access point to register to another (root) access point by specifying the MAC address of the root access point:

[MikroTik] interface prism> set prism1 root-ap=00:90:4B:03:F1:71               
[MikroTik] interface prism> print
Flags: X - disabled 
  0   name=prism1 mtu=1500 mac-address=00:90:4B:03:F1:84 arp=enabled 
      mode=ap-bridge root-ap=00:90:4B:03:F1:71 frequency=2442MHz 
      ssid=testing default-authentication=yes default-forwarding=yes 
      supported-rates=1-11 basic-rates=1 

[MikroTik] interface prism>

The 'non-root' access point will register the clients only if it is registered to the 'root' access point.

Having one access point registered to another one enables bridging the networks, if the bridging mode between the prism and the ethernet interfaces is used. Note that in station mode, bridging cannot be used between the prism and the ethernet interfaces.

Network Scan

The prism interface has a feature which allows scanning for available networks. While scanning, the card unregisters itself from the access point (in station mode), or unregisters all clients (in bridge or ap-bridge mode). Thus, network connections are lost while scanning.

Use the /interface prism scan command to scan for available networks, for example:

[MikroTik] interface prism> scan                                               
Scan for wireless networks
  _interface_
  frequencies  List of frequencies to scan
         time  Time to scan one frequency
[MikroTik] interface prism> scan prism1                                        
00:90:4b:02:17:d3 fequency=2412MHz ssid=rm223AP signal-level=3
00:90:4b:02:17:e2 fequency=2412MHz ssid=john signal-level=38
00:90:4b:03:f1:6d fequency=2427MHz ssid=StarWind signal-level=36
00:50:18:0a:bd:c0 fequency=2437MHz ssid=dlink signal-level=23
[MikroTik] interface prism> 

Argument description:

_interface_ - interface name to use for scanning
frequencies - list of frequencies to scan for, e.g., "2412MHz 2427MHz "
time - time to scan one frequency. The total time used for scanning is the product of this value and the number of frequencies to scan.

The result of scanning contains a list of discovered access points along with their MAC addresses, channel frequencies, service set identifiers, and the measured signal level.

Logging of Prism Interface

The prism interface status changes can be logged locally or to a remote syslog daemon by enabling the logging facility, for example:

[MikroTik] system logging facility> set Prism-Info logging=local               
[MikroTik] system logging facility> print                                      
  # FACILITY            LOGGING PREFIX              REMOTE-ADDRESS  REMOTE-PORT
  0 Firewall-Log        none                                                   
  1 PPP-Account         none                                                   
  2 PPP-Info            none                                                   
  3 PPP-Error           none                                                   
  4 System-Info         local                                                  
  5 System-Error        local                                                  
  6 System-Warning      local                                                  
  7 Prism-Info          local                                                  
[MikroTik] system logging facility>  

The local logs can be viewed using the /log print command.

Troubleshooting

Wireless Network Applications

Two possible wireless network configurations are discussed in the following examples:

Wireless Client

Let us consider the following point-to-multipoint network setup with CISCO/Aironet Wireless Access Point as a base station and MikroTik Wireless Router as a client:

Wireless Client

The access point is connected to the wired network's HUB and has IP address from the network 10.0.0.0/24. The minimum configuration required for the AP is:

  1. Setting the Service Set Identifier (up to 32 alphanumeric characters). In our case we use ssid "mt".
  2. Setting the allowed data rates at 1-11Mbps, and the basic rate at 1Mbps.
  3. Choosing the frequency, in our case we use 2442MHz.
  4. Setting the identity parameters: ip address/mask and gateway. These are required if you want to access the AP remotely using telnet or http.
  5. If you use CISCO/Aironet Wireless Ethernet Bridge or Access Point, you should set the Configuration/Radio/I80211/Extended (Allow proprietary extensions) to off, and the Configuration/Radio/I80211/Extended/Encapsulation (Default encapsulation method) to RFC1042. If left to the default on and 802.1H, respectively, you won't be able to pass traffic through the bridge.

Reminder! Please note, that the AP is not a router! It has just one network address, and is just like any host on the network. It resembles a wireless-to-Ethernet HUB or bridge. The AP does not route the IP traffic!

The minimum configuration for the MikroTik router's prism wireless interface is:

  1. Setting the Service Set Identifier to that of the AP, i.e., "mt"
  2. The Operation Mode should be "station".

[MikroTik] interface prism> set 0 ssid=mt                                      
[MikroTik] interface prism> monitor 0
                bssid: 00:40:96:37:71:1E 
    current-frequency: 2442MHz           
       signal-quality: 92                
         signal-level: 195               
          noise-level: 0                 
         current-rate: 11                 
               status: connected         

[MikroTik] interface prism>                                                    

The IP addresses assigned to the wireless interface should be from the network 10.0.0.0/24, e.g.:

[MikroTik] ip address> add address=10.0.0.217/24 interface=prism1               
[MikroTik] ip address> print                                                   
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.0.0.217/24      10.0.0.0        10.0.0.255      prism1                
  1   192.168.0.254/24   192.168.0.254   192.168.0.254   ether1                
[MikroTik] ip address>

The default route should be set to the gateway router 10.0.0.1 (not to the AP 10.1.1.250!):

[MikroTik] ip route> add gateway=10.0.0.1
[MikroTik] ip route> print                                                     
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE           DST-ADDRESS        GATEWAY        DISTANCE INTERFACE     
  0    static         0.0.0.0/0          10.0.0.1       1        prism1        
  1 D  connect        10.0.0.0/24        0.0.0.0        0        prism1        
  2 D  connect        192.168.0.254/24   0.0.0.0        0        ether1        
[MikroTik] ip route>   

Note! You cannot use the bridging function between the prism and ethernet interfaces, if the prism interface is in the station mode. The bridge does not work in this case!

Wireless Access Point

Let us consider the following point-to-point wireless network setup with two MikroTik Wireless Routers:

Access Point

You need both the 2.4GHz Wireless and the Prism AP Feature Licenses to enable the AP mode. To make the MikroTik router work as an access point, the configuration of the prism wireless interface should be as follows:

The following command should be issued to change the settings for the prism interface:

[MT_Prism_AP] interface prism> set 0 mode=ap-bridge \
                               frequency=2442MHz ssid=mt      
[MT_Prism_AP] interface prism> print                                           
Flags: X - disabled 
  0   name=prism1 mtu=1500 mac-address=00:03:C0:00:06:72 arp=enabled 
      mode=ap-bridge frequency=2442MHz ssid=mt client-name= 
      max-associations=250 hide-ssid=no supported-rates=1-11 basic-rates=1-2 
      fragmentation-threshold=2346 rts-threshold=2432 
      default-access-action=allow 

[MT_Prism_AP] interface prism> monitor 0                                       
                bssid: 00:03:C0:00:06:72 
    current-frequency: 2442MHz           
               status: ap-mode           

[MT_Prism_AP] interface prism> 

The list of registered clients looks as follows:

[MT_Prism_AP] interface prism> registration-table print                        
  # INT MAC-ADDRESS       SIGNAL     SILENCE    RATE       UPTIME              
  0 pri 00:40:96:29:02:88 210        0          11         00:12:50            
  1 pri 00:40:96:37:71:1E 192        0          11         00:00:35            
[MT_Prism_AP] interface prism>   

There are two possible ways of implementing the wireless access point feature:

To enable bridging between the ethernet and prism interfaces, do the following:
  1. Change the bridge settings for the desired protocols:
    [MT_Prism_AP] bridge> set ip=forward arp=forward other=forward 
    [MT_Prism_AP] bridge> print                                                    
               ip: forward
              ipx: discard
        appletalk: discard
             ipv6: discard
              arp: forward
            other: forward
         priority: 1
    [MT_Prism_AP] bridge> 
      
  2. Enable bridging for the desired interfaces:
    [MT_Prism_AP] bridge interface> print                                          
    Flags: X - disabled 
      #   INTERFACE                                                                
      0 X ether1
      1 X prism1
    [MT_Prism_AP] bridge interface> enable ether1,prism1                       
    [MT_Prism_AP] bridge interface> print                                      
    Flags: X - disabled 
      #   INTERFACE                                                                
      0   ether1
      1   prism1
    [MT_Prism_AP] bridge interface>                
      
  3. Enable the bridge interface:
    [MT_Prism_AP] interface> print                                                 
    Flags: X - disabled, D - dynamic 
      #   NAME                 MTU   TYPE                                          
      0   ether1               1500  ether                                         
      1 X bridge1              1500  bridge                                        
      2   prism1               1500  prism                                         
    [MT_Prism_AP] interface> enable 1                                              
    [MT_Prism_AP] interface> print                                                 
    Flags: X - disabled, D - dynamic 
      #   NAME                 MTU   TYPE                                          
      0   ether1               1500  ether                                         
      1   bridge1              1500  bridge                                        
      2   prism1               1500  prism                                         
    [MT_Prism_AP] interface>                                                       
      
  4. Assign an IP address to the bridge interface and specify the default gateway for the access point:
    [MT_Prism_AP] ip address> add address=10.0.0.250/24 interface=bridge1
    [MT_Prism_AP] ip address> print                                                
    Flags: X - disabled, I - invalid, D - dynamic 
      #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
      0   10.0.0.250/24      10.0.0.0        10.0.0.255      bridge1               
    [MT_Prism_AP] ip address> .. route add gateway=10.0.0.1
    [MT_Prism_AP] ip address> .. route print                                       
    Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
      #    TYPE           DST-ADDRESS        GATEWAY        DISTANCE INTERFACE     
      0    static         0.0.0.0/0          10.0.0.1       1        bridge1       
      1 D  connect        10.0.0.0/24        0.0.0.0        0        bridge1       
    [MT_Prism_AP] ip address>   
      

The client router requires the ssid (Service Set Identifier) set to "mt". The IP addresses assigned to the interfaces should be from the networks 10.0.0.0/24 and 192.168.0.0/24:

[mikrotik] ip address> print                                                
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.0.0.217/24      10.0.0.0        10.0.0.255      aironet                
  1   192.168.0.254/24   192.168.0.0     192.168.0.255   Local                
[mikrotik] ip address>   
The default route should be set to gateway 10.0.0.1 for the router [mikrotik]:

[mikrotik] ip route> add gateway=10.0.0.1
[mikrotik] ip route> print                                                     
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE           DST-ADDRESS        GATEWAY        DISTANCE INTERFACE     
  0    static         0.0.0.0/0          10.0.0.1       1        aironet        
  1 D  connect        10.0.0.0/24        0.0.0.0        0        aironet       
  2 D  connect        192.168.0.0/24     0.0.0.0        0        Local       
[mikrotik] ip route>   

Wireless Bridge

To set up a wireless bridge between two networks, you need to have a "wireless 2.4GHz" or "AP" license. Configure one access point to register to another one. Both access points should be configured to bridge the ethernet and prism interfaces.

The basic setup is as follows:

Bridge

The prism interfaces of both MikroTik RouterOS routers should be configured for the 'ap-bridge' or 'bridge' mode, the same ssid and the same frequency. The 'root' access point should have 'root-ap=00:00:00:00:00:00', whereas the 'slave' access point should have the 'root-ap' set to the MAC address of the root access point, i.e., to 'root-ap=00:90:4B:03:F1:7D' in our case:

[MT_root-ap] interface prism> print                                            
Flags: X - disabled 
  0   name=prism1 mtu=1500 mac-address=00:90:4B:03:F1:7D arp=enabled 
      mode=ap-bridge root-ap=00:00:00:00:00:00 frequency=2447MHz ssid=br8 
      default-authentication=yes default-forwarding=yes supported-rates=1-11 
      basic-rates=1 

[MT_root-ap] interface prism>  
====================================================
[MT_slave-ap] interface prism> print                                           
Flags: X - disabled 
  0   name=prism1 mtu=1500 mac-address=00:90:4B:04:66:D6 arp=enabled 
      mode=ap-bridge root-ap=00:90:4B:03:F1:7D frequency=2447MHz ssid=br8 
      default-authentication=yes default-forwarding=yes supported-rates=1-11 
      basic-rates=1 

[MT_slave-ap] interface prism> 

If set correctly, and if within the radio range, the slave access point should be listed in the registration table of the root access point:

[MT_root-ap] interface prism> registration-table print                         
  # INTERFACE                     MAC-ADDRESS       TYPE      PARENT           
  1 prism1                        00:C0:DF:03:87:46 local                      
  2 prism1                        00:E0:4C:39:06:E2 local                      
  3 prism1                        00:90:4B:04:66:D6 ap                         
  4 prism1                        00:E0:C5:6E:23:0A forward   00:90:4B:04:66:D6
  5 prism1                        00:00:B4:5B:A6:58 forward   00:90:4B:04:66:D6
[MT_root-ap] interface prism>     

The registration table of the slave access point looks as follows:

[MT_slave-ap] interface prism> registration-table print                        
  # INTERFACE                     MAC-ADDRESS       TYPE      PARENT           
  0 prism1                        00:90:4B:03:F1:7D parent-ap                  
  1 prism1                        00:C0:DF:03:87:46 forward   00:90:4B:03:F1:7D
  2 prism1                        00:E0:4C:39:06:E2 forward   00:90:4B:03:F1:7D
  3 prism1                        00:E0:C5:6E:23:0A local                      
  4 prism1                        00:00:B4:5B:A6:58 local                      
[MT_slave-ap] interface prism>  
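Cross-checking the two tables against each other is a quick way to confirm that the slave really is bridged through the intended root and not through some other access point announcing the same ssid. The Python script below is an added example, not code from the manual or from MikroTik: it parses the two listings above (copied verbatim) plus a constructed stray-registration case, and the consistency rules it applies are an assumption drawn from the table semantics shown here (peer roles 'ap' / 'parent-ap', and every 'local' station on one side appearing as 'forward' via that side's MAC on the other).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One row of 'registration-table print': number, interface, MAC, type, optional parent MAC.
ROW_RE = re.compile(
    r"^\s*\d+\s+(\S+)\s+([0-9A-Fa-f:]{17})\s+(\S+)(?:\s+([0-9A-Fa-f:]{17}))?\s*$"
)

# MAC addresses of the two access points, as printed by 'interface prism print' above.
ROOT_MAC = "00:90:4B:03:F1:7D"
SLAVE_MAC = "00:90:4B:04:66:D6"

# Registration tables copied from the manual's listings above.
ROOT_TABLE = """
  # INTERFACE                     MAC-ADDRESS       TYPE      PARENT
  1 prism1                        00:C0:DF:03:87:46 local
  2 prism1                        00:E0:4C:39:06:E2 local
  3 prism1                        00:90:4B:04:66:D6 ap
  4 prism1                        00:E0:C5:6E:23:0A forward   00:90:4B:04:66:D6
  5 prism1                        00:00:B4:5B:A6:58 forward   00:90:4B:04:66:D6
"""
SLAVE_TABLE = """
  # INTERFACE                     MAC-ADDRESS       TYPE      PARENT
  0 prism1                        00:90:4B:03:F1:7D parent-ap
  1 prism1                        00:C0:DF:03:87:46 forward   00:90:4B:03:F1:7D
  2 prism1                        00:E0:4C:39:06:E2 forward   00:90:4B:03:F1:7D
  3 prism1                        00:E0:C5:6E:23:0A local
  4 prism1                        00:00:B4:5B:A6:58 local
"""
# Constructed (not from the manual): the slave has registered to some other AP using
# the same ssid, so its parent-ap and forward entries point at a foreign MAC.
STRAY_SLAVE_TABLE = """
  # INTERFACE                     MAC-ADDRESS       TYPE      PARENT
  0 prism1                        00:90:4B:AA:BB:CC parent-ap
  1 prism1                        00:C0:DF:03:87:46 forward   00:90:4B:AA:BB:CC
  3 prism1                        00:E0:C5:6E:23:0A local
  4 prism1                        00:00:B4:5B:A6:58 local
"""


@dataclass(frozen=True)
class Entry:
    interface: str
    mac: str
    type: str
    parent: Optional[str]


def parse_registration_table(text: str) -> List[Entry]:
    """Return the data rows of a registration-table listing; headers and prompts are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            iface, mac, typ, parent = m.groups()
            entries.append(Entry(iface, mac.upper(), typ, parent.upper() if parent else None))
    return entries


def check_bridge(root_mac: str, slave_mac: str,
                 root_table: List[Entry], slave_table: List[Entry]) -> List[str]:
    """Return a list of inconsistencies; an empty list means the two tables agree."""
    root: Dict[str, Entry] = {e.mac: e for e in root_table}
    slave: Dict[str, Entry] = {e.mac: e for e in slave_table}
    problems = []
    # The two access points must see each other with the expected roles.
    if slave_mac not in root or root[slave_mac].type != "ap":
        problems.append(f"root does not list slave {slave_mac} with type ap")
    if root_mac not in slave or slave[root_mac].type != "parent-ap":
        problems.append(f"slave does not list root {root_mac} with type parent-ap")
    # A station that is 'local' on one side must be 'forward' on the other side,
    # with PARENT equal to the MAC of the access point it is local to.
    for side, here, there, via in (("root", root, slave, root_mac),
                                   ("slave", slave, root, slave_mac)):
        for mac, entry in here.items():
            if entry.type != "local":
                continue
            other = there.get(mac)
            if other is None:
                problems.append(f"station {mac} local to {side} is missing on the other side")
            elif other.type != "forward" or other.parent != via:
                problems.append(f"station {mac} local to {side} is {other.type} via "
                                f"{other.parent} on the other side, expected forward via {via}")
    return problems


def audit(root_text: str, slave_text: str) -> List[str]:
    return check_bridge(ROOT_MAC, SLAVE_MAC,
                        parse_registration_table(root_text),
                        parse_registration_table(slave_text))


if __name__ == "__main__":
    for label, text in (("manual", SLAVE_TABLE), ("stray", STRAY_SLAVE_TABLE)):
        print(label, audit(ROOT_TABLE, text) or "consistent")
```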

The bridging of at least ip and arp protocols should be enabled between the prism and ethernet interfaces on both access points. See the Bridge Interface Manual for details. The IP addresses should be assigned to the bridge interfaces:

[MT_root-ap] > interface print                                                 
Flags: X - disabled, D - dynamic 
  #   NAME                 TYPE             MTU  
  0   ether1               ether            1500 
  1   prism1               prism            1500 
  2   bridge1              bridge           1500 
[MT_root-ap] > ip address print                                                
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.0.0.217/24      10.0.0.0        10.0.0.255      bridge1               
[MT_root-ap] > 
===============================================
[MT_slave-ap] > interface print                                                
Flags: X - disabled, D - dynamic 
  #   NAME                 TYPE             MTU  
  0   ether1               ether            1500 
  1   prism1               prism            1500 
  2   bridge1              bridge           1500 
[MT_slave-ap] > ip address print                                               
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.0.0.216/24      10.0.0.216      10.0.0.255      bridge1               
[MT_slave-ap] > 

The networks LAN1 and LAN2 should use IP addresses from the same network 10.0.0.0/24. You should be able to ping through the wireless bridge from any host on LAN1 to any host on LAN2.

Supported Prism II Hardware

Many wireless cards based on the Prism 2 and later chipsets report either the PCI identifier of the Prism reference design or the PCI identifier of the card's OEM manufacturer; they carry no identifier unique to the brand or company name printed on the card. For many cards, therefore, the only way to find out whether the card is recognized is to try it.

MikroTik RouterOS supports the following PCI identifiers for the Prism 2 and above chipset based hardware:

card "Intersil PRISM2 Reference Design 11Mb/s 802.11b WLAN Card"
   version "INTERSIL", "HFA384x/IEEE"

card "GemTek WL-211 Wireless LAN PC Card"
   version "Wireless LAN", "11Mbps PC Card"

card "Compaq WL100/200 11Mb/s 802.11b WLAN Card"
   manfid 0x0138, 0x0002

card "Compaq iPaq HNW-100 11Mb/s 802.11b WLAN Card"
   manfid 0x028a, 0x0002

card "Samsung SWL2000-N 11Mb/s 802.11b WLAN Card"
   manfid 0x0250, 0x0002

card "Z-Com XI300 11Mb/s 802.11b WLAN Card"
   manfid 0xd601, 0x0002

card "ZoomAir 4100 11Mb/s 802.11b WLAN Card"
   version "ZoomAir 11Mbps High", "Rate wireless Networking"

card "Linksys WPC11 11Mbps 802.11b WLAN Card"
   version "Instant Wireless ", " Network PC CARD", "Version 01.02"

card "Addtron AWP-100 11Mbps 802.11b WLAN Card"
   version "Addtron", "AWP-100 Wireless PCMCIA", "Version 01.02"

card "D-Link DWL-650 11Mbps 802.11b WLAN Card"
   version "D", "Link DWL-650 11Mbps WLAN Card", "Version 01.02"

card "SMC 2632W 11Mbps 802.11b WLAN Card"
   version "SMC", "SMC2632W", "Version 01.02"

card "BroMax Freeport 11Mbps 802.11b WLAN Card"
   version "Intersil", "PRISM 2_5 PCMCIA ADAPTER", "ISL37300P", "Eval-RevA"

card "Intersil PRISM2 Reference Design 11Mb/s WLAN Card"
   manfid 0x0156, 0x0002

card "Bromax OEM 11Mbps 802.11b WLAN Card (Prism 2.5)"
   manfid 0x0274, 0x1612

card "Bromax OEM 11Mbps 802.11b WLAN Card (Prism 3)"
   manfid 0x0274, 0x1613

card "corega K.K. Wireless LAN PCC-11"
   version "corega K.K.", "Wireless LAN PCC-11"

card "corega K.K. Wireless LAN PCCA-11"
   version "corega K.K.", "Wireless LAN PCCA-11"

card "CONTEC FLEXSCAN/FX-DDS110-PCC"
   manfid 0xc001, 0x0008

card "PLANEX GeoWave/GW-NS110"
   version "PLANEX", "GeoWave/GW-NS110"

card "Ambicom WL1100 11Mbps 802.11b WLAN Card"
   version "OEM", "PRISM2 IEEE 802.11 PC-Card", "Version 01.02"

card "LeArtery SYNCBYAIR 11Mbps 802.11b WLAN Card"
   version "LeArtery", "SYNCBYAIR 11Mbps Wireless LAN PC Card", "Version 01.02"

card "Intermec MobileLAN 11Mbps 802.11b WLAN Card"
   manfid 0x01ff, 0x0008

card "NETGEAR MA401 11Mbps 802.11 WLAN Card"
   version "NETGEAR MA401 Wireless PC", "Card", "Version 01.00"

card "Intersil PRISM Freedom 11mbps 802.11 WLAN Card"
   version "Intersil", "PRISM Freedom PCMCIA Adapter", "ISL37100P", "Eval-RevA"

card "OTC Wireless AirEZY 2411-PCC 11Mbps 802.11 WLAN Card"
   version "OTC", "Wireless AirEZY 2411-PCC WLAN Card", "Version 01.02"
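To find out which entry a detected card corresponds to, the list can be parsed into a lookup table. The Python below is an added example, not part of the manual: it reads a constructed excerpt of the list in the card / version / manfid syntax shown above and returns every entry matching a given manfid pair or sequence of product-info strings; exact, in-order comparison of the quoted strings is an assumption about how the version lines are meant to be matched.

```python
import re
from typing import List, Optional, Sequence, Tuple

# Constructed excerpt of the card list above (same syntax, fewer entries).
CARD_LIST = '''
card "Intersil PRISM2 Reference Design 11Mb/s 802.11b WLAN Card"
   version "INTERSIL", "HFA384x/IEEE"

card "Compaq WL100/200 11Mb/s 802.11b WLAN Card"
   manfid 0x0138, 0x0002

card "Linksys WPC11 11Mbps 802.11b WLAN Card"
   version "Instant Wireless ", " Network PC CARD", "Version 01.02"

card "Intersil PRISM2 Reference Design 11Mb/s WLAN Card"
   manfid 0x0156, 0x0002

card "Ambicom WL1100 11Mbps 802.11b WLAN Card"
   version "OEM", "PRISM2 IEEE 802.11 PC-Card", "Version 01.02"
'''

CARD_RE = re.compile(r'^\s*card\s+"([^"]*)"\s*$')
VERSION_RE = re.compile(r'^\s*version\s+(".*")\s*$')
MANFID_RE = re.compile(r'^\s*manfid\s+(0x[0-9a-fA-F]+)\s*,\s*(0x[0-9a-fA-F]+)\s*$')
QUOTED_RE = re.compile(r'"([^"]*)"')


class Card:
    def __init__(self, name: str):
        self.name = name
        self.versions: List[Tuple[str, ...]] = []   # product-info string tuples
        self.manfids: List[Tuple[int, int]] = []    # (manufacturer id, card id) pairs


def parse_card_list(text: str) -> List[Card]:
    """Parse 'card' blocks with their 'version' and 'manfid' lines into Card records."""
    cards: List[Card] = []
    current: Optional[Card] = None
    for line in text.splitlines():
        m = CARD_RE.match(line)
        if m:
            current = Card(m.group(1))
            cards.append(current)
            continue
        if current is None:
            continue
        m = VERSION_RE.match(line)
        if m:
            current.versions.append(tuple(QUOTED_RE.findall(m.group(1))))
            continue
        m = MANFID_RE.match(line)
        if m:
            current.manfids.append((int(m.group(1), 16), int(m.group(2), 16)))
    return cards


CARDS = parse_card_list(CARD_LIST)


def identify(cards: List[Card], manfid: Optional[Tuple[int, int]] = None,
             prod_info: Optional[Sequence[str]] = None) -> List[str]:
    """Names of every entry whose manfid or product-info strings match the card.

    Several names mean the identifier is shared between vendors, the situation the
    text above describes; an empty list means the hardware is not in the list.
    """
    matches = []
    for card in cards:
        if manfid is not None and tuple(manfid) in card.manfids:
            matches.append(card.name)
            continue
        if prod_info is not None:
            strings = tuple(prod_info)
            # Assumed rule: the listed strings must equal the card's leading strings, in order.
            if any(strings[:len(v)] == v for v in card.versions):
                matches.append(card.name)
    return matches
```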



Cyclades PC300 PCI Adapters

...Draft...

Document revision 17-May-2002
This document applies to the MikroTik RouterOS v2.4 and v2.5

Overview

The MikroTik RouterOS supports the following Cyclades PC300 Adapter hardware:

For more information about the Cyclades PCI Adapter hardware please see the relevant documentation:

Contents of the Manual

The following topics are covered in this manual:

Adapter Hardware and Software Installation

Software Packages

The MikroTik Router should have the cyclades software package installed. The software package file cyclades-2.5.y.npk can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation the package should be listed under the installed software packages list, for example:

[MikroTik] > system package print
Flags: I - invalid
  #   NAME                  VERSION              BUILD-TIME           UNINSTALL
  0   system                2.5.5                may/16/2002 12:13:14 no
  1   ppp                   2.5.5                may/16/2002 12:13:33 no
  2   pppoe                 2.5.5                may/16/2002 12:13:39 no
  3   pptp                  2.5.5                may/16/2002 12:13:38 no
  4   prism                 2.5.5                may/16/2002 12:14:31 no
  5   routing               2.5.5                may/16/2002 12:17:36 no
  6   thinrouter-pcipc      2.5.5                may/16/2002 12:15:54 no
  7   advanced-tools        2.5.5                may/16/2002 12:35:53 no
  8   cyclades              2.5.5                may/16/2002 12:34:06 no
  9   framerelay            2.5.5                may/16/2002 12:34:18 no
 10   moxa-c101             2.5.5                may/16/2002 12:36:05 no
 11   option                2.5.5                may/16/2002 12:13:25 no
[MikroTik] >

Software License

The Cyclades PC300 PCI Adapter requires the Synchronous Feature License. One license is for one installation of the MikroTik RouterOS, disregarding how many cards are installed in one PC box. The Synchronous Feature is not included in the Free Demo or Basic Software License. The Synchronous Feature cannot be obtained for the Free Demo License. It can be obtained only together with the Basic Software License.

System Resource Usage

Before installing the synchronous adapter, please check the availability of free resources:

[MikroTik] >system resource irq print
Flags: U - unused
   IRQ OWNER
   1   keyboard
   2   APIC
 U 3
   4   serial port
 U 5
 U 6
 U 7
 U 8
   9   ether1
 U 10
   11  [Cyclades-PC300]
 U 12
 U 13
   14  IDE 1
[MikroTik] >system resource io print
 PORT-RANGE        OWNER
 20-3F             APIC
 40-5F             timer
 60-6F             keyboard
 80-8F             DMA
 A0-BF             APIC
 C0-DF             DMA
 F0-FF             FPU
 1F0-1F7           IDE 1
 2F8-2FF           serial port
 3C0-3DF           VGA
 3F6-3F6           IDE 1
 3F8-3FF           serial port
 CF8-CFF           [PCI conf1]
 EE00-EEFF         [Realtek Semiconductor Co., Ltd. RTL-8139]
 EE00-EEFF         [8139too]
 EF80-EFFF         [Cyclades Corporation PC300 TE 1]
 EF80-EFFF         [PLX Registers]
 FC00-FC7F         [Cyrix Corporation 5530 IDE [Kahlua]]
 FC00-FC07         IDE 1
 FC08-FC0F         IDE 2
[MikroTik] >

Installing the Synchronous Adapter

You can install up to four Cyclades PC300 PCI Adapters in one PC box, provided you have enough adapter slots and free IRQs.

The basic installation steps of the PCI adapter should be as follows:

  1. Check the system BIOS settings and make sure that 'PnP OS Installed' is not set to 'Yes'. If it is, set it to 'No'.
  2. Check the system BIOS settings for peripheral devices such as parallel or serial communication ports. Disable them if you plan to use the IRQs the BIOS has assigned to them.

The Cyclades PC300 PCI Adapter should be recognized by your motherboard automatically and appear on the list of PCI devices as "Simple COMM Controller" with the IRQ assigned to it.

Loading the Driver for the Cyclades PC300 PCI Adapter

The driver for the Cyclades PC300 PCI Adapter is loaded automatically at system startup. You can check whether the driver has been loaded by issuing the following command:

[MikroTik] >driver print
Flags: I - invalid, D - dynamic
  #   DRIVER                                IRQ IO       MEMORY   ISDN-PROTOCOL
  0 D Cyclades
  1 D RealTek 8139
[MikroTik] >

There can be several reasons for a failure to load the driver, for example:

Interface Configuration

If the driver has been loaded successfully (no error messages), and you have the required Synchronous Software License, then the cyclades interface should appear under the interfaces list with the name cycladesX, where X is 1,2,... To enable the interface, use the 'enable' command:

[MikroTik] interface> print
Flags: X - disabled, D - dynamic
  #   NAME                 TYPE             MTU
  0   ether1               ether            1500
  1 X cyclades1            cyclades         1500
[MikroTik] interface> enable 1
[MikroTik] interface> print
Flags: X - disabled, D - dynamic
  #   NAME                 TYPE             MTU
  0   ether1               ether            1500
  1   cyclades1            cyclades         1500
[MikroTik] interface> 

More configuration and statistics parameters can be found under the '/interface cyclades' menu. For the Cyclades PC300/RSV Synchronous PCI Adapter you should set the mtu to 1500, and have other argument values as below:

[MikroTik] interface cyclades> print
Flags: X - disabled
  0   name="cyclades1" mtu=1500 line-protocol=cisco-hdlc media-type=V35
      clock-rate=64000 clock-source=external line-code=B8ZS framing-mode=ESF
      line-build-out=0dB rx-sensitivity=short-haul frame-relay-lmi-type=ansi
      frame-relay-dce=no chdlc-keepalive=10s
[MikroTik] interface cyclades>

Argument description:

number - Interface number in the list
name - Interface name
mtu - Maximum Transmit Unit (68...1500 bytes). Default value is 1500 bytes.
line-protocol - Line protocol (cisco-hdlc / frame-relay / sync-ppp)
media-type - The hardware media used for this interface (E1 / T1 / V24 / V35 / X21)
clock-rate - The clock mode or clock rate in bps. If '0', the external clock mode is selected. For V.35 it should be set to '0' to use the external clock from the modem. Values greater than '0' represent the clock speed (which implies an internal clock).
clock-source - (external / internal / tx-internal) Source of the clock
line-code - For T1/E1 channels only. The line code (AMI / B8ZS / HDB3 / NRZ)
framing-mode - For T1/E1 channels only. The frame mode (CRC4 / D4 / ESF / Non-CRC4 / Unframed)
line-build-out - For T1 channels only. Line Build Out signal level (0dB / 15dB / 22.5dB / 7.5dB)
rx-sensitivity - For T1/E1 channels only. Receiver sensitivity (long-haul / short-haul)

The Cyclades PC300/RSV Synchronous PCI Adapter comes with a V.35 cable. This cable should work for all standard modems that have V.35 connections. For synchronous modems that have a DB-25 connection, you should use a standard DB-25 cable.

Connect a communication device, e.g., a baseband modem, to the V.35 port and turn it on. The MikroTik driver for the Cyclades Synchronous PCI Adapter allows you to unplug the V.35 cable from one modem and plug it into another modem with a different clock speed, and you do not need to restart the interface or router.

Troubleshooting

RSV/V.35 Synchronous Link Applications

Let us consider the following network setup with MikroTik Router connected to a leased line with baseband modems and a CISCO router at the other end:

MT-to-CISCO

The driver for the Cyclades PC300/RSV Synchronous PCI Adapter should load automatically. The interface should be enabled according to the instructions given above. The IP addresses assigned to the cyclades interface should be as follows:

[MikroTik] ip address> add address=1.1.1.1/32 interface=cyclades1 \
network=1.1.1.2 broadcast=255.255.255.255
[MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.219/24      10.0.0.0        10.0.0.255      ether1
  1   1.1.1.1/32         1.1.1.2         255.255.255.255 cyclades1
  2   192.168.0.254/24   192.168.0.254   192.168.0.255   ether2
[MikroTik] ip address> /ping 1.1.1.2
1.1.1.2 64 byte pong: ttl=255 time=12 ms
1.1.1.2 64 byte pong: ttl=255 time=8 ms
1.1.1.2 64 byte pong: ttl=255 time=7 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 7/9.0/12 ms
[MikroTik] ip address> /tool flood-ping 1.1.1.2 size=1500 count=50
        sent: 50
    received: 50
     min-rtt: 1
     avg-rtt: 1
     max-rtt: 9

[MikroTik] ip address>

Note that for the point-to-point link the network mask is set to 32 bits, the argument 'network' is set to the IP address of the other end, and the broadcast address is set to 255.255.255.255. The default route should be set to the gateway router 1.1.1.2:

[MikroTik] ip route> add gateway 1.1.1.2 interface cyclades1
[MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE 
    0 DC 10.0.0.0/24        r 0.0.0.0         0        ether1
    1 DC 192.168.0.0/24     r 0.0.0.0         0        ether2
    2 DC 1.1.1.2/32         r 0.0.0.0         0        cyclades1
    3  S 0.0.0.0/0          r 1.1.1.2         1        cyclades1
[MikroTik] ip route> 

The configuration of the CISCO router at the other end (part of the configuration) is:

CISCO#show running-config 
Building configuration...

Current configuration:
...
!
interface Ethernet0
 description connected to EthernetLAN
 ip address 10.1.1.12 255.255.255.0
!
interface Serial0
 description connected to MikroTik
 ip address 1.1.1.2 255.255.255.252
 serial restart-delay 1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
...
end

CISCO#

Send ping packets to the MikroTik router:

CISCO#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/40 ms
CISCO#



MikroTik RouterOS MOXA C101 Synchronous Interface

Document revision 15-May-2002
This document applies to the MikroTik RouterOS V2.5

Overview

The MikroTik RouterOS supports the MOXA C101 Synchronous 5Mb/s Adapter hardware. The V.35 synchronous interface is the standard for VSAT and other satellite modems. However, you must check with the satellite system supplier for the modem interface type.

For more information about the MOXA C101 Synchronous 5Mb/s Adapter hardware please see the relevant documentation:

Contents of the Manual

The following topics are covered in this manual:

Synchronous Adapter Hardware and Software Installation

Software Packages

The MikroTik Router should have the moxa c101 synchronous software package installed. The software package file moxa-c101-2.5.y.npk can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation the package should be listed under the installed software packages list, for example:

[MikroTik] > system package print                                              
Flags: I - invalid
  #   NAME                  VERSION              BUILD-TIME           UNINSTALL
  0   routing               2.5.4                may/08/2002 19:24:16 no
  1   pppoe                 2.5.4                may/08/2002 19:18:26 no
  2   advanced-tools        2.5.4                may/08/2002 19:42:32 no
  3   prism                 2.5.4                may/08/2002 19:21:12 no
  4   thinrouter-pcipc      2.5.4                may/08/2002 19:22:32 no
  5   moxa-c101             2.5.4                may/08/2002 19:42:44 no
  6   system                2.5.4                may/08/2002 19:12:09 no
  7   ppp                   2.5.4                may/08/2002 19:16:44 no
  8   pptp                  2.5.4                may/08/2002 19:17:22 no
  9   option                2.5.4                may/08/2002 19:13:55 no
 10   ntp                   2.5.4                may/08/2002 19:41:42 no
[MikroTik] >

Software License

The MOXA C101 Synchronous Adapter requires the Synchronous Feature License. One license is for one installation of the MikroTik RouterOS, disregarding how many cards are installed in one PC box. The Synchronous Feature is not included in the Free Demo or Basic Software License. The Synchronous Feature cannot be obtained for the Free Demo License. It can be obtained only together with the Basic Software License.

System Resource Usage

Before installing the synchronous adapter, please check the availability of free IRQs:

[MikroTik] > system resource irq print
Flags: U - unused
   IRQ OWNER
   1   keyboard
   2   APIC
 U 3
   4   serial port
 U 5
 U 6
 U 7
 U 8
   9   ether1
 U 10
   11  ether2
 U 12
 U 13
   14  IDE 1
[MikroTik] >

Installing the Synchronous Adapter

You can install up to four MOXA C101 synchronous cards in one PC box, provided you have enough ISA slots and free IRQs. The basic installation steps of the adapter should be as follows:
  1. Check the system BIOS settings for peripheral devices such as parallel or serial communication ports. Disable them if you plan to use the IRQs the BIOS has assigned to them.
  2. Set the IRQ jumper to an IRQ that is free on your system. Usually IRQ 5 is fine.
  3. Set the DIP switches for the memory mapping base address. Each C101 Super-Sync Board occupies a 16KB memory window. Not all addresses may be available on your motherboard. For example, for the address 0x0D0000 switch #3 should be OFF and switches 1, 2, 4 and 5 should be ON. Consult the table in the C101 manual for these settings.
  4. Set the transmit clock direction jumper to 'in'.
  5. Set the communication interface jumper to V.35.
Please note that not all combinations of memory mapping base addresses and IRQs may work on your motherboard. It is recommended that you choose one IRQ that is not used in your system, and then try an acceptable memory base address setting.

Loading the Driver for the MOXA C101 Synchronous Adapter

The MOXA C101 ISA card requires the driver to be loaded by issuing the following command:

[MikroTik] driver> add name=c101 mem=0xd0000
[MikroTik] driver> print
Flags: I - invalid, D - dynamic
  #   DRIVER                                IRQ IO       MEMORY   ISDN-PROTOCOL
  0 D RealTek 8139
  1   Moxa C101 Synchronous                              0xd0000
[MikroTik] driver>

There can be several reasons for a failure to load the driver:

Synchronous Interface Configuration

If the driver has been loaded successfully (no error messages), and you have the required Synchronous Software License, then the synchronous interface should appear under the interfaces list with the name syncn, where n is 0,1,2,... You can change the interface name to a more descriptive one using the 'set' command. To enable the interface, use the 'enable' command:

[MikroTik] > interface print
Flags: X - disabled, D - dynamic
  #   NAME                 TYPE             MTU
  0   ether1               ether            1500
  1 X ether2               ether            1500
  2 X ether3               ether            1500
  3 X sync1                sync             1500

[MikroTik] >
[MikroTik] interface> set 3 name moxa
[MikroTik] interface> enable moxa
[MikroTik] > interface print
Flags: X - disabled, D - dynamic
  #   NAME                 TYPE             MTU
  0   ether1               ether            1500
  1 X ether2               ether            1500
  2 X ether3               ether            1500
  3   moxa                 sync             1500

[MikroTik] >

More configuration and statistics parameters can be found under the '/interface synchronous' menu:

[MikroTik] interface> synchronous 
[MikroTik] interface synchronous> print
Flags: X - disabled
  0   name="moxa" mtu=1500 line-protocol=cisco-hdlc clock-rate=64000
      clock-source=tx-from-rx frame-relay-lmi-type=ansi frame-relay-dce=no
      cisco-hdlc-keepalive-interval=10s ignore-dcd=no

[MikroTik] interface synchronous> set ?
changes properties of one or several items.

                      <numbers>  list of item numbers
  cisco-hdlc-keepalive-interval
                     clock-rate
                   clock-source
                       disabled
                frame-relay-dce  Operate in DCE mode
           frame-relay-lmi-type
                     ignore-dcd  Ignore DCD
                  line-protocol  Line protocol
                            mtu  Maximum Transmit Unit
                           name  New interface name
[MikroTik] interface synchronous> set 

Argument description:

numbers - Interface number in the list
cisco-hdlc-keepalive-interval - Keepalive period in seconds (0..32767)
clock-rate - Speed of internal clock
clock-source - (external / internal / tx-from-rx / tx-internal) Clock source
disabled - (yes / no) disable or enable the interface
frame-relay-dce - (yes / no) Operate in DCE mode
frame-relay-lmi-type - (ansi / ccitt) Frame-Relay Local Management Interface type
ignore-dcd - (yes / no) Ignore DCD
line-protocol - Line protocol (cisco-hdlc / frame-relay / sync-ppp)
mtu - Maximum Transmit Unit (68...1500 bytes). Default value is 1500 bytes.
name - New interface name

You can monitor the status of the synchronous interface:

[MikroTik] interface synchronous> monitor 0
    dtr: yes
    rts: yes
    cts: no 
    dsr: no 
    dcd: no
[MikroTik] interface synchronous> 

If you purchased the MOXA C101 Synchronous card from MikroTik, you received a V.35 cable with it. This cable should work for all standard modems that have V.35 connections. For synchronous modems that have a DB-25 connection, you should use a standard DB-25 cable.

Connect a communication device, e.g., a baseband modem, to the V.35 port and turn it on. If the link is working properly the status of the interface is:

[MikroTik] interface synchronous> monitor 0
    dtr: yes
    rts: yes
    cts: yes
    dsr: yes
    dcd: yes
[MikroTik] interface synchronous>

The MikroTik driver for the MOXA C101 Synchronous adapter allows you to unplug the V.35 cable from one modem and plug it into another modem with a different clock speed, and you do not need to restart the interface or router.

Troubleshooting

Synchronous Link Applications

Two possible synchronous line configurations are discussed in the following examples:

MikroTik Router to MikroTik Router

Let us consider the following network setup with two MikroTik Routers connected to a leased line with baseband modems:

MT-to-MT

The driver for MOXA C101 card should be loaded and the interface should be enabled according to the instructions given above. The IP addresses assigned to the synchronous interface should be as follows:

[MikroTik] ip address> add address 1.1.1.1/32 interface wan \
network 1.1.1.2 broadcast 255.255.255.255

[MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.254/24      10.0.0.254      10.0.0.255      ether2
  1   192.168.0.254/24   192.168.0.254   192.168.0.255   ether1
  2   1.1.1.1/32         1.1.1.2         255.255.255.255 wan
[MikroTik] ip address> /ping 1.1.1.2
1.1.1.2 64 byte pong: ttl=255 time=31 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 26/27.6/31 ms
[MikroTik] ip address> 

Note that for the point-to-point link the network mask is set to 32 bits, the argument 'network' is set to the IP address of the other end, and the broadcast address is set to 255.255.255.255. The default route should be set to the gateway router 1.1.1.2:

[MikroTik] ip route> add gateway 1.1.1.2 interface wan 
[MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
    0 DC 10.0.0.0/24        r 10.0.0.254      1        ether2 
    1 DC 192.168.0.0/24     r 192.168.0.254   0        ether1
    2 DC 1.1.1.2/32         r 0.0.0.0         0        wan
    3  S 0.0.0.0/0          r 1.1.1.2         1        wan

[MikroTik] ip route>

The configuration of the MikroTik router at the other end is similar:

[MikroTik] ip address> add address 1.1.1.2/32 interface moxa \
network 1.1.1.1 broadcast 255.255.255.255
[MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.1.1.12/24       10.1.1.12       10.1.1.255      Public
  1   1.1.1.2/32         1.1.1.1         255.255.255.255 moxa
[MikroTik] ip address> /ping 1.1.1.1
1.1.1.1 64 byte pong: ttl=255 time=31 ms
1.1.1.1 64 byte pong: ttl=255 time=26 ms
1.1.1.1 64 byte pong: ttl=255 time=26 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 26/27.6/31 ms
[MikroTik] ip address> 

MikroTik Router to CISCO Router

Let us consider the following network setup with a MikroTik router connected to a leased line with baseband modems and a CISCO router at the other end:

MT-to-CISCO

The driver for the MOXA C101 card should be loaded and the interface enabled according to the instructions given above. The IP addresses assigned to the synchronous interface should be as follows:

[MikroTik] ip address> add address 1.1.1.1/32 interface wan \
network 1.1.1.2 broadcast 255.255.255.255
[MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.254/24      10.0.0.254      10.0.0.255      ether2
  1   192.168.0.254/24   192.168.0.254   192.168.0.255   ether1
  2   1.1.1.1/32         1.1.1.2         255.255.255.255 wan
[MikroTik] ip address> /ping 1.1.1.2
1.1.1.2 64 byte pong: ttl=255 time=31 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 26/27.6/31 ms
[MikroTik] ip address>

Note that for the point-to-point link the network mask is set to 32 bits, the 'network' argument is set to the IP address of the other end, and the broadcast address is set to 255.255.255.255. The default route should point to the router at the other end, 1.1.1.2:

[MikroTik] ip route> add gateway 1.1.1.2 interface wan 
[MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
    0 DC 10.0.0.0/24        r 10.0.0.254      0        ether2
    1 DC 192.168.0.0/24     r 192.168.0.254   0        ether1
    2 DC 1.1.1.2/32         r 1.1.1.1         0        wan
    3  S 0.0.0.0/0          r 1.1.1.2         1        wan
[MikroTik] ip route> 

The relevant part of the configuration of the CISCO router at the other end is:

CISCO#show running-config 
Building configuration...

Current configuration:
...
!
interface Ethernet0
 description connected to EthernetLAN
 ip address 10.1.1.12 255.255.255.0
!
interface Serial0
 description connected to MikroTik
 ip address 1.1.1.2 255.255.255.252
 serial restart-delay 1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
...
end

CISCO#

Send ping packets to the MikroTik router:

CISCO#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/40 ms
CISCO#


© Copyright 1999-2002, MikroTik
MikroTik RouterOS FarSync X.21 Interface

MikroTik RouterOS FarSync X.21 Interface

Document revision 01-Jun-2002
This document applies to the MikroTik RouterOS v2.5

Overview

The MikroTik RouterOS supports FarSync T-Series X.21 synchronous adapter hardware. For more information about the adapter hardware please see the relevant documentation:

Contents of the Manual

The following topics are covered in this manual:

Synchronous Adapter Hardware and Software Installation

Software Packages

The MikroTik router should have the FarSync X.21 synchronous software package installed. The software package file farsync-2.5.x.npk (about 110 KB) can be downloaded from MikroTik's web page www.mikrotik.com. To install the package, upload the package file whose version matches the installed RouterOS version to the router using FTP in binary mode, and reboot. After successful installation the package should be listed among the installed software packages, for example:

[MikroTik] > system package print
Flags: I - invalid
  #   NAME                  VERSION              BUILD-TIME           UNINSTALL
  0   system                2.5.6                may/23/2002 12:26:27 no
  1   routing               2.5.6                may/23/2002 12:29:22 no
  2   thinrouter-pcipc      2.5.6                may/23/2002 12:27:28 no
  3   ntp                   2.5.6                may/23/2002 12:46:51 no
  4   prism                 2.5.6                may/23/2002 12:27:24 no
  5   ppp                   2.5.6                may/23/2002 12:27:00 no
  6   pppoe                 2.5.6                may/23/2002 12:27:04 no
  7   pptp                  2.5.6                may/23/2002 12:27:02 no
  8   advanced-tools        2.5.6                may/23/2002 12:47:47 no
  9   ddns                  2.5.6                may/23/2002 12:47:06 no
 10   dhcp                  2.5.6                may/23/2002 12:26:41 no
 11   farsync               2.5.6                may/23/2002 12:45:38 no
 12   framerelay            2.5.6                may/23/2002 12:46:06 no
[MikroTik] >

Software License

The FarSync X.21 synchronous adapter requires the Synchronous Feature License. One license covers one installation of the MikroTik RouterOS, regardless of how many cards are installed in that PC. The Synchronous Feature is not included in the Free Demo or Basic Software License, and it cannot be obtained for the Free Demo License; it can be obtained only together with the Basic Software License.

Synchronous Interface Configuration

You can change the interface name to a more descriptive one using the 'set' command. To enable the interface, use the 'enable' command:

[MikroTik] interface> print
Flags: X - disabled, D - dynamic
  #   NAME                 TYPE             MTU
  0   ether1               ether            1500
  1 X farsync1             farsync          1500
  2 X farsync2             farsync          1500
[MikroTik] interface>
[MikroTik] interface> enable 1 
[MikroTik] interface> enable farsync2
[MikroTik] interface> print
Flags: X - disabled, D - dynamic
  #   NAME                 TYPE             MTU
  0   ether1               ether            1500
  1   farsync1             farsync          1500
  2   farsync2             farsync          1500
[MikroTik] interface>

More configuration and statistics parameters can be found under the '/interface farsync' menu:

[MikroTik] interface farsync> print
Flags: X - disabled
  0   name="farsync1" mtu=1500 line-protocol=sync-ppp media-type=V35
      clock-rate=64000 clock-source=external chdlc-keepalive=10s
      frame-relay-lmi-type=ansi frame-relay-dce=no

  1   name="farsync2" mtu=1500 line-protocol=sync-ppp media-type=V35
      clock-rate=64000 clock-source=external chdlc-keepalive=10s
      frame-relay-lmi-type=ansi frame-relay-dce=no

[MikroTik] interface farsync>

Argument description:

numbers - Interface number in the list
chdlc-keepalive - Cisco HDLC keepalive period in seconds (0..32767)
clock-rate - Speed of internal clock
clock-source - (external / internal) Clock source
disabled - (yes / no) disable or enable the interface
frame-relay-dce - (yes / no) Operate in DCE mode
frame-relay-lmi-type - (ansi / ccitt) Frame-Relay Local Management Interface type
line-protocol - Line protocol (cisco-hdlc / frame-relay / sync-ppp)
media-type - (V24 / V35 / X21) Type of the media
mtu - Maximum Transmission Unit (68..1500 bytes). Default value is 1500 bytes.
name - New interface name

You can monitor the status of the synchronous interface:

[MikroTik] interface farsync> monitor 0
           card-type: T2P FarSync T-Series
               state: running
         firmware-id: 2
    firmware-version: 0.7.0
      physical-media: V35
               cable: detected
               clock: not-detected
       input-signals: CTS
      output-signals: RTS DTR

[MikroTik] interface farsync> 

Troubleshooting

Synchronous Link Applications

One possible synchronous line configuration is discussed in the following example:

MikroTik Router to MikroTik Router

Let us consider the following network setup with two MikroTik Routers connected to a leased line with baseband modems:

MT-to-MT

The interface should be enabled according to the instructions given above. The IP addresses assigned to the synchronous interface should be as follows:

[MikroTik] ip address> add address 1.1.1.1/32 interface farsync1 \
network 1.1.1.2 broadcast 255.255.255.255

[MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.254/24      10.0.0.254      10.0.0.255      ether2
  1   192.168.0.254/24   192.168.0.254   192.168.0.255   ether1
  2   1.1.1.1/32         1.1.1.2         255.255.255.255 farsync1
[MikroTik] ip address> /ping 1.1.1.2
1.1.1.2 64 byte pong: ttl=255 time=31 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 26/27.6/31 ms
[MikroTik] ip address> 

Note that for the point-to-point link the network mask is set to 32 bits, the 'network' argument is set to the IP address of the other end, and the broadcast address is set to 255.255.255.255. The default route should point to the router at the other end, 1.1.1.2:

[MikroTik] ip route> add gateway 1.1.1.2
[MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
    0 DC 10.0.0.0/24        r 10.0.0.254      1        ether2 
    1 DC 192.168.0.0/24     r 192.168.0.254   0        ether1
    2 DC 1.1.1.2/32         r 0.0.0.0         0        farsync1
    3  S 0.0.0.0/0          r 1.1.1.2         1        farsync1

[MikroTik] ip route>

The configuration of the MikroTik router at the other end is similar:

[MikroTik] ip address> add address 1.1.1.2/32 interface fsync \
network 1.1.1.1 broadcast 255.255.255.255
[MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.1.1.12/24       10.1.1.12       10.1.1.255      Public
  1   1.1.1.2/32         1.1.1.1         255.255.255.255 fsync
[MikroTik] ip address> /ping 1.1.1.1
1.1.1.1 64 byte pong: ttl=255 time=31 ms
1.1.1.1 64 byte pong: ttl=255 time=26 ms
1.1.1.1 64 byte pong: ttl=255 time=26 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 26/27.6/31 ms
[MikroTik] ip address> 


© Copyright 1999-2002, MikroTik
MikroTik RouterOS FrameRelay (PVC) Interfaces

MikroTik RouterOS FrameRelay (PVC) Interfaces

Document revision 16-May-2002
This document applies to MikroTik RouterOS v2.4 and v2.5

Overview

Frame Relay is a multiplexed interface to a packet-switched network. It is a simplified form of packet switching, similar in principle to X.25, in which synchronous frames of data are routed to different destinations depending on header information (the DLCI). Frame Relay uses the synchronous HDLC frame format.

Topics covered in this manual:

Frame Relay Installation on the MikroTik RouterOS

Configuring Frame Relay Interface

To configure frame relay, you should first set up the synchronous interface, and then the PVC interface.

Cyclades PC300 interface

[MikroTik] > interface cyclades print
Flags: X - disabled
  0   name="cyclades1" mtu=1500 line-protocol=sync-ppp media-type=V35
      clock-rate=64000 clock-source=external line-code=B8ZS framing-mode=ESF
      line-build-out=0dB rx-sensitivity=short-haul frame-relay-lmi-type=ansi
      frame-relay-dce=no chdlc-keepalive=10s

[MikroTik] >

Argument description:

MOXA C101 interface

[MikroTik] > interface synchronous print
Flags: X - disabled
  0   name="sync1" mtu=1500 line-protocol=sync-ppp clock-rate=64000
      clock-source=external frame-relay-lmi-type=ansi frame-relay-dce=no
      cisco-hdlc-keepalive-interval=10s ignore-dcd=no

[MikroTik] >

Argument description:

Frame Relay PVC interface

To add a PVC interface, use the /interface pvc add command. For example, for a Cyclades interface and DLCI equal to 42, we should use the command:

[MikroTik] interface pvc> add dlci=42 interface=cyclades1
[MikroTik] interface pvc> print
Flags: X - disabled
  #   NAME                 MTU  DLCI INTERFACE
  0   pvc1                 1500 42   cyclades1
[MikroTik] interface pvc>
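The frame format behind the DLCI, as an added example that is not part of this manual or of RouterOS: a Python encoder and decoder for the two-byte Q.922 address field of a Frame Relay frame and for the RFC 2427 ("IETF") encapsulation that the Cisco side selects with 'encapsulation frame-relay IETF'. It builds a frame for DLCI 42 carrying a constructed IPv4 packet and demultiplexes received frames to the PVC configured for their DLCI, dropping frames whose DLCI has no PVC. The PVC map {42: "pvc1"} and the packet addresses are taken from the examples on this page; the IPv4 header builder and the function names are helpers written for this example.

```python
"""Frame Relay (Q.922 address + RFC 2427 'IETF' encapsulation) encoder/decoder."""
import struct

CONTROL_UI = 0x03   # Q.922 Unnumbered Information control field
NLPID_IP = 0xCC     # NLPID announcing an IPv4 payload (RFC 2427)


def encode_q922_address(dlci, cr=0, fecn=0, becn=0, de=0):
    """Two-byte Q.922 address field carrying a 10-bit DLCI."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    # byte 0: DLCI bits 9..4, C/R, EA=0 (another address byte follows)
    byte0 = (((dlci >> 4) & 0x3F) << 2) | ((cr & 1) << 1)
    # byte 1: DLCI bits 3..0, FECN, BECN, DE, EA=1 (last address byte)
    byte1 = ((dlci & 0x0F) << 4) | ((fecn & 1) << 3) | ((becn & 1) << 2) | ((de & 1) << 1) | 1
    return bytes([byte0, byte1])


def decode_q922_address(frame):
    """Parse the address field at the start of a frame; returns a dict of fields."""
    if len(frame) < 2:
        raise ValueError("truncated address field")
    b0, b1 = frame[0], frame[1]
    if (b0 & 1) or not (b1 & 1):
        raise ValueError("only two-byte Q.922 addresses are supported")
    return {
        "dlci": (((b0 >> 2) & 0x3F) << 4) | ((b1 >> 4) & 0x0F),
        "cr": (b0 >> 1) & 1,
        "fecn": (b1 >> 3) & 1,
        "becn": (b1 >> 2) & 1,
        "de": (b1 >> 1) & 1,
    }


def ones_complement_sum(data):
    """16-bit ones' complement sum used by the IPv4 header checksum."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_header(src, dst, proto=1, payload_len=0, ttl=64):
    """Minimal 20-byte IPv4 header with a correct checksum (constructed sample data)."""
    def addr(a):
        return bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, addr(src), addr(dst))
    csum = (~ones_complement_sum(hdr)) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def build_ip_frame(dlci, ip_packet):
    """Frame Relay frame carrying IPv4 with direct NLPID encapsulation."""
    return encode_q922_address(dlci) + bytes([CONTROL_UI, NLPID_IP]) + ip_packet


def demux_frame(frame, pvcs):
    """Hand a received frame to the PVC configured for its DLCI.

    pvcs maps DLCI -> PVC interface name, e.g. {42: "pvc1"}.  Frames for a
    DLCI without a PVC are dropped (LookupError), as are non-IP payloads and
    packets with a bad IPv4 header checksum.  Returns (pvc_name, ip_packet).
    """
    addr = decode_q922_address(frame)
    if addr["dlci"] not in pvcs:
        raise LookupError("no PVC for DLCI %d, frame dropped" % addr["dlci"])
    body = frame[2:]
    if not body or body[0] != CONTROL_UI:
        raise ValueError("not a UI frame")
    body = body[1:]
    if body[:1] == b"\x00":          # optional pad octet before the NLPID (RFC 2427)
        body = body[1:]
    if not body or body[0] != NLPID_IP:
        raise ValueError("unsupported NLPID, only IPv4 is handled here")
    ip_packet = body[1:]
    if len(ip_packet) < 20 or ones_complement_sum(ip_packet[:20]) != 0xFFFF:
        raise ValueError("bad IPv4 header checksum")
    return pvcs[addr["dlci"]], ip_packet


if __name__ == "__main__":
    packet = ipv4_header("1.1.1.2", "1.1.1.1")     # CISCO -> MikroTik, as in the ping above
    frame = build_ip_frame(42, packet)
    print(frame[:4].hex(), demux_frame(frame, {42: "pvc1"})[0])
```

The first four bytes of the DLCI 42 frame are 08 a1 03 cc: the address field, the UI control byte and the IP NLPID. A frame whose DLCI has no PVC is silently discarded, so when a PVC passes no traffic, the DLCI configured on both ends is the first thing to compare.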

Argument description:

Frame Relay Configuration Example with Cyclades Interface

Let us consider the following network setup with a MikroTik router with a Cyclades PC300 interface connected to a leased line with baseband modems and a CISCO router at the other end.

[MikroTik] ip address> add interface=pvc1 address=1.1.1.1 netmask=255.255.255.0
[MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   1.1.1.1/24         1.1.1.0         1.1.1.255       pvc1
[MikroTik] ip address>

PVC and Cyclades interface configuration

Cyclades

[MikroTik] interface cyclades> print
Flags: X - disabled
  0   name="cyclades1" mtu=1500 line-protocol=frame-relay media-type=V35
      clock-rate=64000 clock-source=external line-code=B8ZS framing-mode=ESF
      line-build-out=0dB rx-sensitivity=short-haul frame-relay-lmi-type=ansi
      frame-relay-dce=no chdlc-keepalive=10s

[MikroTik] interface cyclades>

PVC

[MikroTik] interface pvc> print
Flags: X - disabled
  #   NAME                 MTU  DLCI INTERFACE
  0   pvc1                 1500 42   cyclades1
[MikroTik] interface pvc>

CISCO router setup

CISCO# show running-config

Building configuration...

Current configuration...

...
!
ip subnet-zero
no ip domain-lookup
frame-relay switching
!
interface Ethernet0
 description connected to EthernetLAN
 ip address 10.0.0.254 255.255.255.0
!
interface Serial0
 description connected to Internet
 no ip address
 encapsulation frame-relay IETF
 serial restart-delay 1
 frame-relay lmi-type ansi
 frame-relay intf-type dce
!
interface Serial0.1 point-to-point
 ip address 1.1.1.2 255.255.255.0
 no arp frame-relay
 frame-relay interface-dlci 42
!
...
end

Send ping to MikroTik router

CISCO#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
CISCO#

Frame Relay Configuration Example with MOXA Interface

Let us consider the following network setup with a MikroTik router with a MOXA C101 synchronous interface connected to a leased line with baseband modems and a CISCO router at the other end.

[MikroTik] ip address> add interface=pvc1 address=1.1.1.1 netmask=255.255.255.0
[MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   1.1.1.1/24         1.1.1.0         1.1.1.255       pvc1
[MikroTik] ip address>

PVC and Moxa interface configuration

Moxa

[MikroTik] interface synchronous> print
Flags: X - disabled
  0   name="sync1" mtu=1500 line-protocol=frame-relay clock-rate=64000
      clock-source=external frame-relay-lmi-type=ansi frame-relay-dce=no
      cisco-hdlc-keepalive-interval=10s ignore-dcd=no

[MikroTik] interface synchronous>

PVC

[MikroTik] interface pvc> print
Flags: X - disabled
  #   NAME                 MTU  DLCI INTERFACE
  0   pvc1                 1500 42   sync1
[MikroTik] interface pvc>

CISCO router setup

CISCO# show running-config

Building configuration...

Current configuration...

...
!
ip subnet-zero
no ip domain-lookup
frame-relay switching
!
interface Ethernet0
 description connected to EthernetLAN
 ip address 10.0.0.254 255.255.255.0
!
interface Serial0
 description connected to Internet
 no ip address
 encapsulation frame-relay IETF
 serial restart-delay 1
 frame-relay lmi-type ansi
 frame-relay intf-type dce
!
interface Serial0.1 point-to-point
 ip address 1.1.1.2 255.255.255.0
 no arp frame-relay
 frame-relay interface-dlci 42
!
...
end

Send ping to MikroTik router

CISCO#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
CISCO#

Frame Relay Troubleshooting


© Copyright 1999-2002, MikroTik
MikroTik RouterOS IP Addresses and Address Resolution Protocol (ARP)

MikroTik RouterOS IP Addresses and Address Resolution Protocol (ARP)

Document revision 09-Apr-2002
This document applies to the MikroTik RouterOS V2.4 and V2.5

Overview

The following Manual discusses managing IP addresses and the Address Resolution Protocol (ARP). IP addresses identify the router when it communicates with other network devices using the TCP/IP protocol. It is possible to add multiple IP addresses to an interface or to leave an interface without any address. Leaving a physical interface without an IP address is useful when bridging between interfaces is used: in that case the IP address is assigned to the bridge interface, which is created automatically when bridging is enabled.

MikroTik RouterOS has the following types of addresses:

Contents of the Manual

The following topics are covered in this manual:

Assigning IP Addresses

IP address management can be accessed under the /ip address submenu:

[MikroTik] ip address>
IP addresses are given to router to access it remotely and to specify it as a
gateway for other hosts/routers.

    print  Show IP addresses
      get  get value of item's property
     find  Find addresses
      set  Change IP address properties
      add  Add IP address
   remove  Remove IP address
   enable  Enable IP address
  disable  Disable IP address
  comment  Set comment for IP address
   export  Export list of IP addresses
[MikroTik] ip address>

Use the /ip address add command to add an IP address to an interface. In most cases, it is enough to specify the address, the netmask, and the interface arguments. The network prefix and the broadcast address are calculated automatically, for example:

[MikroTik] ip address> add address=192.168.0.254/24 interface=Local
[MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   192.168.0.254/24   192.168.0.0     192.168.0.255   Local
[MikroTik] ip address> 

Description of the arguments:

number - number assigned to the item in the list
flag - shows the status of the item
address - local IP address; can be given in the form address/mask, where mask is the number of bits in the subnet mask
netmask - network mask to be used with the address. Must be in the dotted decimal form xxx.xxx.xxx.xxx
network - (optional) network prefix to be used with the address. It shows which network can be reached through the interface with the given IP address. If not specified, it is calculated from the local address and the network mask. For point-to-point links it should be the address of the remote end.
broadcast - (optional) broadcast address to be used with the address. If not specified, it is calculated from the local address and the network mask.
interface - name of the interface the address will be used with

Address Resolution Protocol (ARP)

The Address Resolution Protocol is used to map IP addresses to MAC (link-layer) addresses. The router keeps a table of currently used ARP entries. Normally the table is built dynamically from the ARP traffic seen on the interface; since ARP replies are not authenticated, any host on the segment can insert or overwrite such entries, so to increase network security static entries can be added instead.

The ARP management can be accessed under the /ip arp submenu:

[MikroTik] ip arp> ?                                                            
      add  Add static ARP entry
  comment  Set comment for ARP entry
  disable  Disable static ARP entry
   enable  Enable static ARP entry
   export  Export list of ARP entries
     find  Find ARP entries
      get  Get value of item's property
    print  Show ARP entries
   remove  Remove ARP entry
      set  Change ARP entry properties
[MikroTik] ip arp>

To view the list of arp entries, use the /ip arp print command:

[MikroTik] ip arp> print                                                       
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS         MAC-ADDRESS       INTERFACE                              
  0 D 10.1.1.254      00:80:C8:C9:B0:45 Public                                 
  1 D 10.5.8.214      08:00:46:04:33:17 Local                           
  2 D 10.5.9.202      00:00:E8:69:65:5F sales                              
  3 D 10.5.9.204      00:00:E8:69:69:9F sales                              
  4 D 10.5.8.204      00:60:52:0B:B4:80 Local                           

[MikroTik] ip arp> 

If static ARP entries are used for network security on an interface, disable arp on that interface under the /interface menu and add the static ARP entries:

[MikroTik] ip arp> /interface ethernet set Local arp=disabled
[MikroTik] ip arp> add address=10.5.8.214 mac-address=08:00:46:04:33:17 interface=Local
[MikroTik] ip arp> print                                                       
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS         MAC-ADDRESS       INTERFACE                              
  0 D 10.1.1.254      00:80:C8:C9:B0:45 Public                                 
  1   10.5.8.214      08:00:46:04:33:17 Local                           
  2 D 10.5.9.202      00:00:E8:69:65:5F sales                              
  3 D 10.5.9.204      00:00:E8:69:69:9F sales                              

[MikroTik] ip arp> 

Since the router does not answer ARP requests from the clients when the arp feature is turned off on the interface, a static ARP entry for the router has to be added on the clients as well. For example, the router's IP and MAC addresses can be added on Windows workstations using the 'arp' command:

C:\> arp -s 10.5.8.254  00-aa-00-62-c6-09

See the relevant documentation on how to manage static arp entries on your system.
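A check a practitioner would run against the table above, as an added example and not code from this manual or from RouterOS: a Python script that parses the output of /ip arp print and compares it with the intended static ARP policy. It reports an entry whose MAC address differs from the static mapping, dynamic entries on an interface that is supposed to have arp=disabled, one MAC address claiming several IP addresses on an interface, and static entries that should exist but do not. The sample listing is constructed in the format shown above; the expected mappings, the interface names and the severity labels are assumptions made for the example.

```python
"""Audit a RouterOS '/ip arp print' listing against an intended static ARP policy."""
import re
from collections import defaultdict

# One row of '/ip arp print': number, optional flags, address, MAC, interface.
ARP_ROW = re.compile(
    r"^\s*(?P<num>\d+)\s+(?:(?P<flags>[XID]+)\s+)?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<iface>\S+)\s*$")


def parse_arp_print(text):
    """Return a list of {ip, mac, iface, dynamic} dicts, one per table row."""
    rows = []
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            rows.append({"ip": m.group("ip"), "mac": m.group("mac").upper(),
                         "iface": m.group("iface"),
                         "dynamic": "D" in (m.group("flags") or "")})
    return rows


def audit_arp(rows, expected, static_only):
    """Compare the live table with policy.

    expected:    {iface: {ip: mac}} static entries that should be configured.
    static_only: interfaces configured with arp=disabled, on which no dynamic
                 entry should ever appear.
    Returns a list of (severity, message) findings.
    """
    findings = []
    by_mac = defaultdict(set)                    # (iface, mac) -> {ip, ...}
    for r in rows:
        want = expected.get(r["iface"], {}).get(r["ip"])
        if want and want.upper() != r["mac"]:
            findings.append(("high", "%s on %s resolves to %s, policy says %s"
                             % (r["ip"], r["iface"], r["mac"], want.upper())))
        if r["dynamic"] and r["iface"] in static_only:
            findings.append(("medium", "dynamic entry %s on %s although arp should be disabled there"
                             % (r["ip"], r["iface"])))
        by_mac[(r["iface"], r["mac"])].add(r["ip"])
    for (iface, mac), ips in by_mac.items():
        if len(ips) > 1:                         # one station answering for several addresses
            findings.append(("medium", "%s claims %s on %s" % (mac, ", ".join(sorted(ips)), iface)))
    for iface, hosts in expected.items():
        present = {r["ip"] for r in rows if r["iface"] == iface and not r["dynamic"]}
        for ip in sorted(set(hosts) - present):
            findings.append(("low", "static entry for %s on %s is missing" % (ip, iface)))
    return findings


# Constructed sample in the format of the listing above.  The two Local rows
# show what the table looks like after the static entries were removed, arp
# was re-enabled and one station answered for both addresses.
SAMPLE_ARP_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS         MAC-ADDRESS       INTERFACE
  0 D 10.1.1.254      00:80:C8:C9:B0:45 Public
  1 D 10.5.8.214      00:0C:29:AA:BB:CC Local
  2 D 10.5.8.204      00:0C:29:AA:BB:CC Local
  3 D 10.5.9.202      00:00:E8:69:65:5F sales
"""
EXPECTED = {"Local": {"10.5.8.214": "08:00:46:04:33:17", "10.5.8.204": "00:60:52:0B:B4:80"}}
STATIC_ONLY = {"Local"}

if __name__ == "__main__":
    for severity, msg in audit_arp(parse_arp_print(SAMPLE_ARP_PRINT), EXPECTED, STATIC_ONLY):
        print(severity.upper(), msg)
```

Run it periodically against a fresh /ip arp print and against the router's saved configuration: a MAC mismatch or a dynamic entry on a static-only interface means either that the policy drifted or that something on the segment is answering for addresses it does not own.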

Using the Proxy-ARP Feature

All physical interfaces, like Ethernet, Prism, Aironet (PC), WaveLAN, etc., can be set to use the Address Resolution Protocol or not. By default, the arp feature is 'enabled'. However, it can be changed to 'proxy-arp'. With proxy-arp the router listens to ARP requests received on the interface and answers them with its own MAC address if the requested IP address is one the router can reach through another interface (for example, the address of a dial-in client). This lets you assign IP addresses to dial-in (ppp, pppoe, pptp) clients from the same address space as used on the connected LAN, if you enable 'proxy-arp' on the LAN interface. Let us consider the following setup:

The MikroTik router setup is as follows:

[MikroTik] > interface ethernet print
Flags: X - disabled
  #   NAME                 MTU   MAC-ADDRESS       ARP
  0   eth-LAN              1500  00:E0:C5:BC:12:1C proxy-arp
[MikroTik] > interface print
Flags: X - disabled, D - dynamic
  #   NAME                 TYPE             MTU
  0   eth-LAN              ether            1500
  1   prism1               prism            1500
  2 D pppoe-in25           pppoe-in
  3 D pppoe-in26           pppoe-in
[MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.217/24      10.0.0.0        10.0.0.255      eth-LAN
  1 D 10.0.0.217/32      10.0.0.230      0.0.0.0         pppoe-in25
  2 D 10.0.0.217/32      10.0.0.231      0.0.0.0         pppoe-in26
[MikroTik] > ip route print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
    0  S 0.0.0.0/0          r 10.0.0.1        1        eth-LAN
    1 DC 10.0.0.0/24        r 0.0.0.0         0        eth-LAN
    2 DC 10.0.0.230/32      r 0.0.0.0         0        pppoe-in25
    3 DC 10.0.0.231/32      r 0.0.0.0         0        pppoe-in26
[MikroTik] >
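How an address entry becomes a connected route, and when an interface in proxy-arp mode answers, as an added Python model that is not part of this manual or of RouterOS. It covers the point-to-point /32 addressing used in the synchronous-link examples above (network= is the remote end, so the connected route is a host route to it), the ordinary prefix case from the /ip address description, and the proxy-arp decision: the router answers for its own address on the receiving interface and, in proxy-arp mode, also for any address it routes out through a different interface. The Router class, its method names and the rule that requests for hosts reached via the receiving interface itself are not answered are assumptions of this model; the addresses and routes in example_router() are the ones in the listing above.

```python
"""Model of how address entries turn into connected routes and when an
interface in 'proxy-arp' mode answers an ARP request."""
import ipaddress


def connected_route(address, network=None):
    """Dynamic connected ('DC') route derived from an address entry.

    For a /32 point-to-point address the route goes to the remote end given
    as 'network' (a host route); otherwise it is the address's own prefix.
    Returns (dst_network, preferred_source).
    """
    a = ipaddress.ip_interface(address)
    if a.network.prefixlen == 32:
        if network is None:
            raise ValueError("a /32 address needs network= set to the remote end")
        return ipaddress.ip_network(network + "/32"), a.ip
    return a.network, a.ip


class Router:
    def __init__(self):
        self.addresses = []      # (IPv4Interface, iface)
        self.routes = []         # (dst IPv4Network, gateway or None, iface)
        self.arp_mode = {}       # iface -> "enabled" | "disabled" | "proxy-arp"

    def add_address(self, address, iface, network=None):
        dst, _ = connected_route(address, network)
        self.addresses.append((ipaddress.ip_interface(address), iface))
        self.routes.append((dst, None, iface))

    def add_route(self, dst, gateway):
        """Static route; the gateway must itself be reachable via a connected route."""
        gw = ipaddress.ip_address(gateway)
        iface = self.lookup(gw)
        if iface is None:
            raise ValueError("gateway %s is not reachable" % gateway)
        self.routes.append((ipaddress.ip_network(dst), gw, iface))

    def lookup(self, ip):
        """Longest-prefix match; returns the outgoing interface or None."""
        ip = ipaddress.ip_address(ip)
        best = None
        for dst, _gw, iface in self.routes:
            if ip in dst and (best is None or dst.prefixlen > best[0].prefixlen):
                best = (dst, iface)
        return best[1] if best else None

    def answers_arp(self, in_iface, target):
        """Would the router reply to 'who has target?' received on in_iface?"""
        mode = self.arp_mode.get(in_iface, "enabled")
        target = ipaddress.ip_address(target)
        if mode == "disabled":
            return False
        if any(a.ip == target for a, iface in self.addresses if iface == in_iface):
            return True                      # its own address on that segment
        if mode != "proxy-arp":
            return False
        out_iface = self.lookup(target)
        # Proxy only for hosts reached through some *other* interface; answering
        # for hosts of the receiving segment itself would hijack their traffic.
        return out_iface is not None and out_iface != in_iface


def example_router():
    """The setup from the listing above: one LAN plus two PPPoE clients."""
    r = Router()
    r.arp_mode["eth-LAN"] = "proxy-arp"
    r.add_address("10.0.0.217/24", "eth-LAN")
    r.add_address("10.0.0.217/32", "pppoe-in25", network="10.0.0.230")
    r.add_address("10.0.0.217/32", "pppoe-in26", network="10.0.0.231")
    r.add_route("0.0.0.0/0", "10.0.0.1")
    return r


if __name__ == "__main__":
    r = example_router()
    for target in ("10.0.0.230", "10.0.0.217", "10.0.0.50", "8.8.8.8"):
        print("eth-LAN asks for %-10s -> %s" % (target, r.answers_arp("eth-LAN", target)))
```

Because the decision is made on the routing table, an interface in proxy-arp mode answers for every address that is routed out through some other interface, including everything covered by the default route when that route leaves elsewhere. In the setup above the default route leaves through eth-LAN itself, so requests on the LAN for outside addresses are not answered; after changing routes, try a few outside addresses with answers_arp() before leaving proxy-arp enabled on a segment.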

Using Unnumbered Interfaces

Unnumbered interfaces can be used on serial point-to-point links, e.g., MOXA C101 or Cyclades interfaces. An address (a private one will do) is put on the interface with a 32-bit mask, and 'network' is set to an address of the router on the other side of the p2p link (the remote interface itself may have no IP address, but the remote router has one). For example:

[MikroTik] ip address>
add address=10.0.0.214/32 network=192.168.0.1 interface=pppsync                                                           
[MikroTik] ip address> print                                                   
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.0.0.214/32      192.168.0.1     192.168.0.1     pppsync                 
[MikroTik] ip address>   
[MikroTik] ip address> .. route print detail                                   
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    0  S dst-address=0.0.0.0/0 preferred-source=0.0.0.0 gateway=192.168.0.1 
         gateway-state=reachable distance=1 interface=pppsync 

    1 DC dst-address=192.168.0.1/32 preferred-source=10.0.0.214 
         gateway=0.0.0.0 gateway-state=reachable distance=0 interface=pppsync 

[MikroTik] ip address>   

Here you can see that a dynamic connected route has been added to the route list automatically. If you want the default gateway to be the other router of the p2p link, just add a static route for it; it is shown as #0 in the example above.

Troubleshooting


© Copyright 1999-2002, MikroTik
MikroTik RouterOS Technical Reference Manual

MikroTik RouterOS IP Route Management

Document revision 02-Apr-2002
This document applies to the MikroTik RouterOS V2.4 and V2.5

Overview

The following Manual discusses managing the IP routes. MikroTik RouterOS has the following types of routes:

Contents of the Manual

The following topics are covered in this manual:

Adding Static Routes

Any static route can be added using the 'add' command under the '/ip route' menu. You do not need to add routes to networks directly connected to the router, since they are added automatically when adding the IP addresses. However, unless you use a routing protocol (RIP or OSPF), you may want to specify static routes to specific networks, or the default route. For example, we can add a static route to the network 192.168.1.0/24 and the default route (destination 0.0.0.0/0) on a router with two interfaces and two IP addresses:

[MikroTik] ip route> /ip address print                                         
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.0.0.217/24      10.0.0.217      10.0.0.255      Public                
  1   192.168.0.254/24   192.168.0.254   192.168.0.255   Local                 
[MikroTik] ip route> add dst-address=192.168.1.0/24 gateway=192.168.0.50       
[MikroTik] ip route> add gateway=10.0.0.1

There are several ways of viewing the routes:

[MikroTik] ip route> print                                                     
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE               
    0  S 192.168.1.0/24     r 192.168.0.50    1        Local                   
    1  S 0.0.0.0/0          r 10.0.0.1        1        Public                  
    2 DC 192.168.0.0/24     r 0.0.0.0         0        Local                   
    3 DC 10.0.0.0/24        r 0.0.0.0         0        Public                  
[MikroTik] ip route> print detail                                              
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    0  S dst-address=192.168.1.0/24 preferred-source=0.0.0.0 
         gateway=192.168.0.50 gateway-state=reachable distance=1 
         interface=Local 

    1  S dst-address=0.0.0.0/0 preferred-source=0.0.0.0 gateway=10.0.0.1 
         gateway-state=reachable distance=1 interface=Public 

    2 DC dst-address=192.168.0.0/24 preferred-source=192.168.0.254 
         gateway=0.0.0.0 gateway-state=reachable distance=0 interface=Local 

    3 DC dst-address=10.0.0.0/24 preferred-source=10.0.0.217 gateway=0.0.0.0 
         gateway-state=reachable distance=0 interface=Public 

[MikroTik] ip route> print column="dst-address gateway interface "             
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    #    DST-ADDRESS        GATEWAY         INTERFACE                          
    0  S 192.168.1.0/24     192.168.0.50    Local                              
    1  S 0.0.0.0/0          10.0.0.1        Public                             
    2 DC 192.168.0.0/24     0.0.0.0         Local                              
    3 DC 10.0.0.0/24        0.0.0.0         Public                             
[MikroTik] ip route>   

Description of the arguments:

number - number assigned to the item in the list
flag - shows the status of the item
type - type of the route, i.e., "where it came from" (connected / static / RIP / OSPF / BGP)
dst-address/netmask - destination address and network mask, where mask is the number of bits in the subnet mask
gateway - gateway host that can be reached directly through one of the interfaces. You can specify multiple gateways separated by commas (",") for equal cost multipath routes. See more information on that below.
gateway-state - shows the status of the next hop. "r" means reachable.
preferred-source - source address of packets leaving the router via this route. Must be a valid address of the router, assigned to the interface where the packet leaves. The default value is 0.0.0.0, i.e., the address is determined at the time the packet is sent out through the interface.
interface - interface through which the gateway can be reached. If (unknown), the gateway cannot be reached directly, or the route has been disabled.
distance - administrative distance of the route. When forwarding a packet, the router uses the matching route with the lowest administrative distance and a reachable gateway.

Equal Cost Multipath Routing

The equal cost multipath routing feature can be used for load balancing. It is implemented in the MikroTik RouterOS according to RFC 2328.

A gateway is chosen once for each new source/destination IP pair and is reused for later packets of that pair. This means that, for example, one FTP connection will use only one link, but a new connection to a different server may use the other link, so on large backbones this should distribute traffic well. It has another useful property: the packets of a single connection are not reordered across links, which would hurt TCP performance.

Equal cost multipath routes can be created by routing protocols (RIP or OSPF), or by adding a static route with multiple gateways. The routing protocols may create routes with equal cost automatically, if the cost of the interfaces is adjusted properly. For more information on using the routing protocols, please read the corresponding section of the Manual.

To create a static multipath route, specify the gateway argument in the form "gateway=x.x.x.x,y.y.y.y", for example:

[MikroTik] ip route> print                                                     
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE               
    0  S 192.168.1.0/24     r 192.168.0.50    1        Local                   
    1  S 0.0.0.0/0          r 10.0.0.1        1        Public                  
    2 DC 192.168.0.0/24     r 0.0.0.0         0        Local                   
    3 DC 10.0.0.0/24        r 0.0.0.0         0        Public     
[MikroTik] ip route> set 0 gateway=192.168.0.50,192.168.0.51,10.0.0.17         
[MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE               
    0  S 192.168.1.0/24     r 192.168.0.50    1        Local                   
                            r 192.168.0.51             Local                   
                            r 10.0.0.17                Public                  
    1  S 0.0.0.0/0          r 10.0.0.1        1        Public                  
    2 DC 192.168.0.0/24     r 0.0.0.0         0        Local                   
    3 DC 10.0.0.0/24        r 0.0.0.0         0        Public                  
[MikroTik] ip route>

Policy Routing

Policy Routing is a new feature in V2.4 of MikroTik RouterOS. Policy routing is implemented using multiple routing tables and a list of rules that specify how these tables should be used.

Policy routing in MikroTik RouterOS is based on the source and destination addresses of the packet and on the interface through which the packet arrives at the router.

Note! Policy routing will not function 'as desired' for packets originating from the router or for masqueraded packets, because these packets have the source address 0.0.0.0 at the moment they are processed by the routing table. Therefore it is not possible to have masquerading with different source addresses.

When finding the route for a packet, the packet is matched against the policy routing rules one after another until some rule matches it. Then the action specified in that rule is executed. If no rule matches the packet, it is assumed that there is no route to the given host and the appropriate action is taken (the packet is dropped and an ICMP error is sent back to the source).

If the routing table does not have a route for the packet, the next rule after the one that directed to the current table is examined, until either a route is found, the end of the rule list is reached, or some rule with action drop or unreachable is hit.

For this reason it is good to have the last rule say "from everywhere to everywhere, all interfaces, lookup main route table", because then gateways can be found (connected routes are entered in the main table only).

Action for the rule can be one of:

Note that the only way for a packet to be forwarded is to have some rule direct it to a routing table that contains a route to the packet's destination.

Policy routing rules are configured in the /ip policy-routing rule menu:

[MikroTik] ip policy-routing rule> print                                       
Flags: X - disabled, I - invalid 
  #   SRC-ADDRESS        DST-ADDRESS        INTE... FLOW    ACTION      TABLE  
  0   0.0.0.0/0          0.0.0.0/0          all             lookup      main   
[MikroTik] ip policy-routing rule>    

After installation, there is one default rule, which says that routes for all packets should be looked up in the "main" table. Argument description:

src-address/mask - Source IP address/mask, where mask is number of bits in the subnet. For example, x.x.x.x/32 for the address x.x.x.x and the 32-bit netmask 255.255.255.255
dst-address/mask - Destination IP address/mask, where mask is number of bits in the subnet.
interface - Interface name through which the packet arrives. Should be 'all' for the rule that should match locally generated or masqueraded packets, since at the moment of processing the routing table these packets have interface name set to loopback.
flow - flow mask of the packet to be matched by this rule. The flow masks are set using '/ip firewall mangle'.

Routing tables can be created/deleted in the '/ip policy-routing' menu:

[MikroTik] ip policy-routing> print                                            
Flags: D - dynamic 
  #   NAME                                                                     
  0 D main                                                                     
[MikroTik] ip policy-routing>   

There is always the table "main"; it cannot be deleted and its name cannot be changed. The "main" table is the routing table that is changed by issuing commands in the '/ip route' menu.

A new table can be added:

[MikroTik] ip policy-routing> add name=karlis                                  
[MikroTik] ip policy-routing> print                                            
Flags: D - dynamic 
  #   NAME                                                                     
  0   karlis                                                                   
  1 D main                                                                     
[MikroTik] ip policy-routing>

Routes in a routing table can be added/removed/changed in '/ip policy-routing table _table-name_' menu:

[MikroTik] ip policy-routing> table karlis 
[MikroTik] ip policy-routing table karlis>
add dst-address=10.5.5.0/24 gateway=10.0.0.22
[MikroTik] ip policy-routing table karlis> print                               
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE         
  0    static  10.5.5.0/24        r 10.0.0.22       1        Public            
[MikroTik] ip policy-routing table karlis>  

The "main" table is the same as the one in '/ip route':

[MikroTik] ip policy-routing> table main                                       
[MikroTik] ip policy-routing table main> print                                 
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE         
  0    static  192.168.1.0/24     r 192.168.0.50    1        Local             
  1    static  0.0.0.0/0          r 10.0.0.1        1        Public            
  2 D  connect 192.168.0.0/24     r 0.0.0.0         0        Local             
  3 D  connect 10.0.0.0/24        r 0.0.0.0         0        Public            
[MikroTik] ip policy-routing table main>
[MikroTik] ip policy-routing table main> /ip route print                       
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE               
    0  S 192.168.1.0/24     r 192.168.0.50    1        Local                   
    1  S 0.0.0.0/0          r 10.0.0.1        1        Public                  
    2 DC 192.168.0.0/24     r 0.0.0.0         0        Local                   
    3 DC 10.0.0.0/24        r 0.0.0.0         0        Public                  
[MikroTik] ip policy-routing table main>

Application Example for Policy Routing

We want packets coming from 1.1.1.0/24 to use gateway 10.0.0.1 and packets from 2.2.2.0/24 to use gateway 10.0.0.2. The rest of the packets should use gateway 10.0.0.254 (assuming we already have it so):

Commands to achieve this:

  1. Add 2 new routing tables:

    [MikroTik] ip policy-routing>
    add name=from_net1
    add name=from_net2
    [MikroTik] ip policy-routing> print
    Flags: X - disabled
      #   NAME
      0   from_net1
      1   from_net2
      2   main
    [MikroTik] ip policy-routing>
    
  2. Create the default route in each of the tables:

    [MikroTik] ip policy-routing>
    table from_net1 add gateway=10.0.0.1
    table from_net2 add gateway=10.0.0.2
    [MikroTik] ip policy-routing> table from_net1 print
    Flags: X - disabled, I - invalid, D - dynamic, R - rejected
      #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE
      0    static  0.0.0.0/0          A            10.0.0.1    1        Public
    [MikroTik] ip policy-routing> table from_net2 print
    Flags: X - disabled, I - invalid, D - dynamic, R - rejected
      #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE
      0    static  0.0.0.0/0          A            10.0.0.2    1        Public
    [MikroTik] ip policy-routing>
    
  3. Create rules that will direct traffic from sources to given tables, and arrange them in the desired order:

    [MikroTik] ip policy-routing> rule
    [MikroTik] ip policy-routing rule> print
    Flags: X - disabled, I - invalid
      #   SRC-ADDRESS        DST-ADDRESS        INTERFACE   ACTION      TABLE
      0   0.0.0.0/0          0.0.0.0/0          all         lookup      main
    [MikroTik] ip policy-routing rule>
    add src-address=1.1.1.1/32 action=lookup table=main
    add src-address=2.2.2.1/32 action=lookup table=main
    add src-address=1.1.1.0/24 action=lookup table=from_net1
    add src-address=2.2.2.0/24 action=lookup table=from_net2
    [MikroTik] ip policy-routing rule> print
    Flags: X - disabled, I - invalid
      #   SRC-ADDRESS        DST-ADDRESS        INTERFACE   ACTION      TABLE
      0   0.0.0.0/0          0.0.0.0/0          all         lookup      main
      1   1.1.1.1/32         0.0.0.0/0          all         lookup      main
      2   2.2.2.1/32         0.0.0.0/0          all         lookup      main
      3   1.1.1.0/24         0.0.0.0/0          all         lookup      from_net1
      4   2.2.2.0/24         0.0.0.0/0          all         lookup      from_net2
    [MikroTik] ip policy-routing rule> move 0 4
    [MikroTik] ip policy-routing rule> print
    Flags: X - disabled, I - invalid
      #   SRC-ADDRESS        DST-ADDRESS        INTERFACE   ACTION      TABLE
      0   1.1.1.1/32         0.0.0.0/0          all         lookup      main
      1   2.2.2.1/32         0.0.0.0/0          all         lookup      main
      2   1.1.1.0/24         0.0.0.0/0          all         lookup      from_net1
      3   2.2.2.0/24         0.0.0.0/0          all         lookup      from_net2
      4   0.0.0.0/0          0.0.0.0/0          all         lookup      main
    [MikroTik] ip policy-routing rule>
    

    Here rules #0 and #1 are needed to correctly process connections from the local networks to the local addresses of the router: the 'connected' routes from the main table should be used instead of the default routes from table from_net1 or from_net2. Rules #2 and #3 will handle packets with destinations other than the locally connected networks.
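    The rule-evaluation semantics described above (first matching rule, fall-through to the next rule when the table has no route, "no route" at the end of the list) and the application example, as an added Python model that is not part of the manual. The connected routes for 1.1.1.0/24 and 2.2.2.0/24 and the 10.0.0.254 default in the main table are constructed to match the example's description.

```python
"""Added example (not MikroTik code): a model of RouterOS v2.5 policy routing
rule evaluation as documented above.  Rules are tried in order; a matching
'lookup' rule consults its table, and if that table has no route the search
continues with the next rule; 'drop' and 'unreachable' stop the search; the
end of the rule list means "no route to host"."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    dst: str          # destination prefix, e.g. "0.0.0.0/0"
    gateway: str      # "0.0.0.0" for a connected route
    interface: str


@dataclass
class Rule:
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    interface: str = "all"
    action: str = "lookup"   # lookup / drop / unreachable
    table: str = "main"


def lookup_table(table, dst_ip):
    """Longest-prefix match within a single routing table; None if no route."""
    ip = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for route in table:
        net = ipaddress.ip_network(route.dst)
        if ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def route_packet(rules, tables, src_ip, dst_ip, in_interface):
    """Return ("forward", Route) or ("drop"/"unreachable", None)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src not in ipaddress.ip_network(rule.src):
            continue
        if dst not in ipaddress.ip_network(rule.dst):
            continue
        if rule.interface != "all" and rule.interface != in_interface:
            continue
        if rule.action in ("drop", "unreachable"):
            return (rule.action, None)
        # action=lookup: consult the table; if it has no route, fall through
        # to the next rule, exactly as the manual describes.
        route = lookup_table(tables[rule.table], dst_ip)
        if route is not None:
            return ("forward", route)
    # End of the rule list reached without a route: no route to host.
    return ("unreachable", None)


def example_setup():
    """Tables and rules of the application example (connected routes and the
    10.0.0.254 default in 'main' are constructed from the example's wording)."""
    tables = {
        "main": [
            Route("1.1.1.0/24", "0.0.0.0", "Local"),
            Route("2.2.2.0/24", "0.0.0.0", "Local"),
            Route("10.0.0.0/24", "0.0.0.0", "Public"),
            Route("0.0.0.0/0", "10.0.0.254", "Public"),
        ],
        "from_net1": [Route("0.0.0.0/0", "10.0.0.1", "Public")],
        "from_net2": [Route("0.0.0.0/0", "10.0.0.2", "Public")],
    }
    rules = [                                   # same order as rule print #0..#4
        Rule(src="1.1.1.1/32", table="main"),
        Rule(src="2.2.2.1/32", table="main"),
        Rule(src="1.1.1.0/24", table="from_net1"),
        Rule(src="2.2.2.0/24", table="from_net2"),
        Rule(),   # from everywhere to everywhere, all interfaces, lookup main
    ]
    return rules, tables
```

    Dropping the catch-all last rule from `example_setup()` makes packets from 10.0.0.0/24 unreachable, which is the failure the manual's advice about the final rule guards against.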

Additional Resources

Recommended readings for guidelines on routing issues:



MikroTik RouterOS IP Traffic Accounting

Document revision 19-Jun-2002
This document applies to the MikroTik RouterOS v2.4 and higher

Overview

The IP Traffic Accounting feature enables administrators to keep an accurate record of traffic passed through the router between IP level hosts. ISPs or network administrators can use this for traffic based billing or detailed monitoring of network activity. This feature generates simple traffic data. Additional utilities are required for useful analysis and calculation of the traffic data. Information on utilities and examples of scripts for collecting data are provided in this manual.

The MikroTik RouterOS supports:

Topics covered in this manual:

What's new in V2.5

The maximum number of records (threshold) has been increased to 16384. When 16384 records are used, ~740kB of RAM are required. When setting the threshold value, the required amount of memory is allocated for the buffer whether it is used or not. The approximate amount of memory is 44 bytes per buffer line.

In V2.6, the username is accounted as well, therefore the maximum number of records is limited to 8192, which requires ~1.5MB.

Installation

The Traffic Accounting feature is included in the "system" package. No installation is needed for this feature.

Hardware Resource Usage

The maximum number [threshold] of "IP pairs" stored may require additional RAM installation. Each IP pair uses approximately 40 bytes. The system uses a "current" table which accounts for current data. The system also keeps the "snapshot" table for retrieval. Therefore, the memory usage for the IP pairs can be calculated as "number of IP pairs" x "40 bytes" x 2 (for the two tables). The default threshold of IP pairs is set to 1000 (80KB). When using the default threshold setting of 1000, no additional memory is needed. For threshold settings higher than 12,500 (1MB), memory usage estimates should be made, system resources should be monitored, and RAM should be increased accordingly. The maximum setting is 100,000 IP pairs.

Traffic accounting setup

[MikroTik] ip accounting> set enabled yes
[mikrotik] ip accounting> print
    threshold: 256
      enabled: yes

Description of arguments:

enabled - Traffic accounting is disabled by default. The settings are 'enabled yes' and 'enabled no'.
threshold - The threshold setting sets the maximum number of IP pairs for the traffic accounting table – see "Threshold settings" for more information on the optimal settings. The default setting is for 1000 IP pairs.

Traffic data description

Only IP traffic is accounted. As each packet passes through the router, the packet source and destination are matched to an IP pair in the accounting table and the traffic for that pair is increased. If no matching IP pair exists, a new entry is created in the table. Both the number of packets and the number of bytes are accounted. Only packets that enter and leave the router are counted. Packets that are dropped in the router are not counted. Packets that are sent from the router itself are not counted, such as packets used for administration connections (i.e., web and telnet connections to the router). Packets that are masqueraded by the router are accounted with the actual IP host addresses on each side.

See Traffic Display and collection for a printout of a snapshot.

For example, a TCP connection between two computers with traffic going through the router will cause two IP pairs to be added to the traffic accounting table. One IP pair will have computer A as the source and computer B as the destination. Another IP pair will have computer B as the source and computer A as the destination.

Threshold settings

The threshold setting limits the maximum number of IP pairs in the accounting table. When the limit is reached, no new IP pairs will be added to the accounting table. Each packet that is not accounted for in the accounting table will then be added to the "uncounted" counter. To see if the limit on pairs has been reached, check the "uncounted" counter:

[MikroTik] ip accounting uncounted> print
    packets: 0
      bytes: 0

When a snapshot is made for data collection, the accounting table is cleared and new IP pairs and traffic data are added. The more frequently traffic data is collected, the less likelihood that the IP pairs threshold limit will be reached. It is suggested that traffic data be collected every 15 minutes.

Traffic data display and collection

The traffic data can be viewed by both the telnet/terminal console and WinBox. The traffic data can be collected manually or by using standard Unix/Linux utilities and MikroTik’s shareware MT_Syslog Daemon. This manual section will cover:

The traffic accounting system consists of a "current" accounting table and a "snapshot" image. When the "snapshot" image is made of the "current" accounting table, the "current" accounting table is cleared and starts accounting data anew. The "snapshot" image can be made in two ways.

An image of traffic data can be made manually by issuing the "/ip accounting snapshot take" command from the terminal/console or WinBox. The "snapshot" can then be viewed with the "/ip accounting snapshot print" command. The traffic data from the telnet/terminal console will appear:

[mikrotik] ip accounting snapshot> print

# SRC-ADDRESS     DST-ADDRESS       PACKETS            BYTES
0 10.9.5.88       10.8.0.4          408534             39822596
1 10.8.0.4        10.9.5.88         103944             12874447
2 19.11.254.136   10.0.0.144        15191              1243118
3 10.7.0.105      159.148.147.194   33239              2526124
4 159.148.147.194 10.7.0.105        33237              2526012

The web page report makes it possible to use the standard Unix/Linux tool wget to collect the traffic data and save it to a file. If the web report is enabled, the "snapshot" is made at the moment the wget (or standard browser) connection to the web page is initiated, and the "snapshot" is then displayed on the web page. Because http connections use TCP, collecting with the wget tool guarantees that none of the traffic data will be lost. Web browsers or wget should connect to the URL http://routerIP/accounting/ip.cgi

[MikroTik] ip accounting web-access> print

    accessible-via-web: yes
               address: 0.0.0.0/0

For security purposes, access to the web report can be limited to an IP address or IP subnet. The above example of address: 0.0.0.0/0 allows all IP hosts to access the web reports. With the setting address: 10.1.0.3/32, only the IP host 10.1.0.3 is allowed to access the web reports.

A simple script can be run with crond and wget to periodically collect traffic data. Timestamps can be added to the traffic data file as well as other features.
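Such a collector, as an added Python example rather than MikroTik's own script: it fetches the web report, appends timestamped records to a file and totals bytes per local host. It assumes ip.cgi returns one whitespace-separated line per IP pair in the order SRC DST PACKETS BYTES, the same columns as the snapshot print above (an assumption, since the manual does not reproduce the raw web output); the sample report is constructed from the printed snapshot values.

```python
"""Added example (not from the MikroTik manual): periodic collection of the
/accounting/ip.cgi snapshot and a per-host byte total for billing.
Assumed raw format: one line per IP pair, "SRC DST PACKETS BYTES"."""
import ipaddress
import time
from collections import defaultdict
from urllib.request import urlopen


def fetch_snapshot(router_ip, timeout=10):
    """Fetch the web report.  Every request makes the router take a new
    snapshot and clear the current table, so call this once per interval
    (the manual suggests every 15 minutes) and never from two collectors."""
    url = "http://%s/accounting/ip.cgi" % router_ip
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("ascii", "replace")


def parse_snapshot(text):
    """Turn the raw report into (src, dst, packets, bytes) tuples.
    Lines that do not look like an IP pair record are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            src = str(ipaddress.ip_address(parts[0]))
            dst = str(ipaddress.ip_address(parts[1]))
            records.append((src, dst, int(parts[2]), int(parts[3])))
        except ValueError:
            continue
    return records


def append_records(path, records, stamp=None):
    """Append the records with a Unix timestamp so that consecutive
    snapshots can be told apart in the data file.  Returns the count."""
    stamp = int(time.time()) if stamp is None else stamp
    with open(path, "a") as f:
        for src, dst, packets, nbytes in records:
            f.write("%d %s %s %d %d\n" % (stamp, src, dst, packets, nbytes))
    return len(records)


def bytes_per_local_host(records, local_net):
    """Bytes sent (host is src) and received (host is dst) for every
    host inside local_net; hosts outside it are ignored."""
    net = ipaddress.ip_network(local_net)
    totals = defaultdict(lambda: {"sent": 0, "received": 0})
    for src, dst, _packets, nbytes in records:
        if ipaddress.ip_address(src) in net:
            totals[src]["sent"] += nbytes
        if ipaddress.ip_address(dst) in net:
            totals[dst]["received"] += nbytes
    return dict(totals)


# Constructed sample in the assumed raw format, using the values of the
# snapshot printed above.
SAMPLE_REPORT = """\
10.9.5.88 10.8.0.4 408534 39822596
10.8.0.4 10.9.5.88 103944 12874447
19.11.254.136 10.0.0.144 15191 1243118
10.7.0.105 159.148.147.194 33239 2526124
159.148.147.194 10.7.0.105 33237 2526012
"""

if __name__ == "__main__":
    # Replace SAMPLE_REPORT with fetch_snapshot("routerIP") for live collection.
    recs = parse_snapshot(SAMPLE_REPORT)
    append_records("traffic.dat", recs)
    for host, t in sorted(bytes_per_local_host(recs, "10.0.0.0/8").items()):
        print(host, t["sent"], t["received"])
```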

MikroTik Download Utilities Page

Traffic data analysis

There are many tools and systems to analyze traffic data. Useful common tools are:

Additional Resources

Links for documentation:

http://www.gnu.org/manual/wget/
http://www.gnu.org/manual/grep-2.4/



MikroTik RouterOS Firewall Filters and Network Address Translation (NAT)

Document revision 14-Jul-2002
This document applies to the MikroTik RouterOS V2.5

Overview

The firewall supports filtering and security functions that are used to manage data flows to the router, through the router, and from the router. Along with the Network Address Translation they serve as security tools for preventing unauthorized access to networks.

Contents of the Manual

The following topics are covered in this manual:

What's New in V2.5.3?

IP Firewall mangle rules mark packets and/or change the MSS if the 'flow' or 'tcp-mss' arguments are specified. The 'action' argument can have the following values:
- 'action=accept' - packet is mangled and no more mangle rules are processed after packet matches this rule;
- 'action=passthrough' - packet is mangled and the remaining mangle rules are processed.

What's New in V2.5?

The MikroTik RouterOS V2.5 has a different firewall feature compared to the previous versions. The stateful firewall feature is implemented by means of connection tracking. V2.5 has the ability to maintain state information about a connection in memory tables, such as source and destination IP address and port number pairs (known as socket pairs), protocol types, connection state and timeouts. Firewalls that do this are known as stateful. Stateful firewalling is inherently more secure than its "stateless" counterpart, i.e., simple packet filtering as in V2.4.

When migrating from V2.4 to V2.5, please note that:

Firewall Installation

The firewall feature is included in the "system" software package. No additional software package installation is needed for this feature.

Packet Flow through the Router

The firewall rules are applied in the following order:

IP packet flow through the router is given in the following diagram:

IP Packet Flow

IP Firewall Configuration

The IP firewall management can be accessed under the /ip firewall menu. Firewall can be managed through the WinBox Console as well. Go to IP Firewall and select the desired chain. Press the 'List' button to access the rules of the selected chain.

IP Firewall Common Arguments

The common arguments used in the firewall rules are:

action - Action to undertake if the packet matches the rule (see below). The choice of the available action is different for firewall filter, mangle and NAT rules.
mark-flow - (MANGLE only) Flow mark string.
dst-address - Destination IP address. Can be in the form address/mask:ports, where mask is number of bits in the subnet, and ports is one port, or range of ports, e.g., x.x.x.x/32:80-81
dst-netmask - Destination netmask in decimal form x.x.x.x
dst-port - Destination port number or range (0-65535). 0 means all ports 1-65535.
icmp-options - "any:any". ICMP options.
out-interface - interface the packet is leaving the router. If the default value 'all' is used, it may include the local loopback interface for packets with destination to the router.
limit-burst - allowed burst regarding the limit-count/limit-time
limit-count - how many times to use the rule during the 'limit-time' period
limit-time - time interval, used in limit-count
protocol - Protocol (all / egp / ggp / icmp / igmp / ip-encap / ip-sec / tcp / udp). 'all' cannot be used, if you want to specify ports.
src-address - Source IP address. Can be in the form address/mask:ports, where mask is number of bits in the subnet, and ports is one port, or range of ports, e.g., x.x.x.x/32:80-81
src-mac-address - host's MAC address the packet has been received from.
src-netmask - Source netmask in decimal form x.x.x.x
src-port - Source port number or range (0-65535). 0 means all ports 1-65535.
in-interface - interface the packet has entered the router through. If the default value 'all' is used, it may include the local loopback interface for packets originated from the router.
tcp-mss - (MANGLE only) The new TCP Maximum Segment Size (MSS) value, MTU minus 40, or 'dont-change'.
tcp-options - ( all / syn-only / non-syn-only ). 'non-syn-only' is for all other options than 'syn-only'.
connection-state - (any / established / invalid / new / related). The connection state.
flow - Flow mark to match. Only packets marked in the MANGLE would be matched.
jump-target - Name of the target chain, if the action=jump is used.
log - Log the action ( yes / no ).
bytes - (cannot be set) Number of bytes processed by this rule.
packets - (cannot be set) Number of packets processed by this rule.

To reset the byte and packet counters, use the command 'reset-counters'.

Please note that 'src-nat' and 'dst-nat' rules process and count only the packets that open connections (for TCP only SYN packets, for ICMP/UDP only the first packet). Thus the counters show how many connections have been opened rather than how many packets have been changed.

If the packet matches the criteria of the rule, then the performed ACTION can be:

Logging the Firewall Actions

To enable logging of the firewall actions you should set the value of the rule argument 'log' to 'yes'. Also, the logging facility should be enabled for firewall logs:

[MikroTik] system logging facility> set Firewall-Log logging=local 
[MikroTik] system logging facility> print                                      
  # FACILITY            LOGGING PREFIX              REMOTE-ADDRESS  REMOTE-PORT
  0 Firewall-Log        local                                                  
  1 PPP-Account         none                                                   
  2 PPP-Info            none                                                   
  3 PPP-Error           none                                                   
  4 System-Info         local                                                  
  5 System-Error        local                                                  
  6 System-Warning      local                                                  
  7 Prism-Info          local                                                  
[MikroTik] system logging facility> 

You can send UDP log messages to a remote syslog host by specifying the remote address and port (usually 514). Local logs can be viewed using the /log print command:

[MikroTik] > log print detail without-paging
...
 time=feb/24/2002 19:37:08 
    message=router->REJECT, in:ether1, out:(local), src-mac \
             00:30:85:95:67:2b, prot TCP (SYN), \
             213.67.20.9:4164->195.13.162.195:21, len 60 
                     
(The format of the log is:
DATE TIME Chain -> ACTION, in:interface, out:interface, \
             src-mac ADDRESS, protocol (protocol option), \
             src-address:port->dst-address:port, packet_length )
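Detection logic over the log format documented above, as an added Python example that is not part of the manual: it parses the message part of firewall log entries and flags sources whose rejected or dropped TCP SYNs touched many different destination ports. The sample messages are constructed in the layout of the example line; treating the ports as optional for protocols without ports is an assumption.

```python
"""Added example (not from the MikroTik manual): parse RouterOS v2.5 firewall
log messages and flag sources that probe many ports.  Message layout:
  CHAIN->ACTION, in:IF, out:IF, src-mac MAC, prot PROTO (OPTION), SRC:PORT->DST:PORT, len N
"""
import re
from collections import defaultdict

# Ports and the "(OPTION)" part are optional so that entries for protocols
# without them still parse (an assumption; the manual shows only a TCP line).
MSG_RE = re.compile(
    r"^(?P<chain>[\w-]+)->(?P<action>[A-Z]+), "
    r"in:(?P<in_if>[^,]+), out:(?P<out_if>[^,]+), "
    r"src-mac (?P<src_mac>[0-9a-fA-F:]+), "
    r"prot (?P<proto>[A-Z]+)(?: \((?P<proto_opt>[^)]*)\))?, "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?, "
    r"len (?P<length>\d+)$"
)


def parse_message(message):
    """Return the parsed fields as a dict, or None if this is not a firewall entry."""
    m = MSG_RE.match(message.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("sport", "dport", "length"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields


def flag_port_scanners(messages, min_ports=4):
    """Collect the distinct destination ports per source among TCP SYNs that
    the firewall rejected or dropped; return sources that hit >= min_ports."""
    ports_by_src = defaultdict(set)
    for msg in messages:
        e = parse_message(msg)
        if e is None or e["proto"] != "TCP" or e["proto_opt"] != "SYN":
            continue
        if e["action"] not in ("REJECT", "DROP"):
            continue
        ports_by_src[e["src"]].add(e["dport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}


# Constructed sample messages (same layout as the manual's example entry).
_PREFIX = "router->REJECT, in:ether1, out:(local), src-mac 00:30:85:95:67:2b, "
SAMPLE_MESSAGES = [
    _PREFIX + "prot TCP (SYN), 213.67.20.9:4164->195.13.162.195:21, len 60",
    _PREFIX + "prot TCP (SYN), 213.67.20.9:4165->195.13.162.195:22, len 60",
    _PREFIX + "prot TCP (SYN), 213.67.20.9:4166->195.13.162.195:23, len 60",
    _PREFIX + "prot TCP (SYN), 213.67.20.9:4167->195.13.162.195:80, len 60",
    _PREFIX + "prot UDP, 213.67.20.9:1234->195.13.162.195:53, len 70",
    _PREFIX + "prot TCP (SYN), 10.1.0.3:3001->195.13.162.195:80, len 60",
    "system message that is not a firewall entry",
]

if __name__ == "__main__":
    for src, ports in flag_port_scanners(SAMPLE_MESSAGES).items():
        print("%s probed ports %s" % (src, ports))
```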

Marking the Packets (Mangle) and Changing the MSS

Packets entering the router can be marked for further processing against the rules of the firewall chains and the source or destination NAT rules, as well as for applying queuing to them. Use /ip firewall mangle to manage the packet marking. Specify the value for the 'mark-flow' argument and use 'action=passthrough', for example:

[MikroTik] ip firewall mangle> add action=passthrough mark-flow=abc-all        
[MikroTik] ip firewall mangle> print                                           
Flags: X - disabled, I - invalid 
  0   src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 protocol=all tcp-options=any 
      icmp-options=any:any flow="" src-mac-address=00:00:00:00:00:00 
      limit-count=0 limit-burst=0 limit-time=0s action=passthrough 
      mark-flow=abc-all tcp-mss=dont-change bytes=9091 packets=61 

[MikroTik] ip firewall mangle>

Note that packets originating from the router cannot be mangled!

To change the TCP Maximum Segment Size (MSS), set the 'tcp-mss' argument to your desired MTU value less 40; for example, if your connection MTU is 1500, you can set 'tcp-mss=1460' or lower. The MSS can be set only on TCP SYN packets.

For example, if you have an encrypted PPPoE link with MTU=1492, set the mangle rule as follows:

[MikroTik] ip firewall mangle>
add protocol=tcp tcp-options=syn-only action=passthrough tcp-mss=1448 
[MikroTik] ip firewall mangle> print                                           
Flags: X - disabled, I - invalid 
  0   src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 protocol=tcp tcp-options=syn-only 
      icmp-options=any:any flow="" src-mac-address=00:00:00:00:00:00 
      limit-count=0 limit-burst=0 limit-time=0s action=passthrough 
      mark-flow="" tcp-mss=1448 bytes=0 packets=0 

[MikroTik] ip firewall mangle>

Firewall Chains

The firewall filtering rules are grouped together in chains. It is very advantageous if packets can be matched against one common criterion in one chain and then passed over to another chain for processing against some other common criteria. Let us assume, for example, that packets must be matched against IP addresses and ports. Then matching against the IP addresses can be done in one chain without specifying the protocol ports, and matching against the protocol ports can be done in a separate chain without specifying the IP addresses.

The Input Chain is used to process packets entering the router through one of the interfaces with the destination of the router. Packets passing through the router are not processed against the rules of the input chain.

The Forward Chain is used to process packets passing through the router.

The Output Chain is used to process packets originating from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain.

Note that packets passing through the router are processed against the rules of neither the input nor the output chain!
When processing a chain, rules are taken from the chain in the order they are listed there, from the top to the bottom. If the packet matches the criteria of a rule, then the specified action is performed on the packet and no more rules are processed in that chain. If the packet has not matched any rule within the chain, then the default policy action of the chain is performed.

The list of currently defined chains can be viewed using the /ip firewall print command:

[MikroTik] ip firewall> print                                                  
  # NAME                                                                 POLICY
  0 input                                                                accept
  1 forward                                                              accept
  2 output                                                               accept
[MikroTik] ip firewall>                                                    

These three chains cannot be deleted. The available policy actions are:

You can change the chain policies by using the /ip firewall set command.
Note! Be careful about changing the default policy action of these chains! You may lose the connection to the router if you change the policy to drop and there are no rules in the chain that allow connection to the router.

Usually packets should be matched against several criteria. More general filtering rules can be grouped together in a separate chain. To process the rules of an additional chain, the 'jump' action to this chain should be used from another chain.

To add a new chain, use the /ip firewall add command:

[MikroTik] ip firewall> add name=router                                        
[MikroTik] ip firewall> print                                                  
  # NAME                                                                 POLICY
  0 input                                                                accept
  1 forward                                                              accept
  2 output                                                               accept
  3 router                                                               none  
[MikroTik] ip firewall> 

The policy of user-added chains is 'none', and it cannot be changed. Chains cannot be removed if they contain rules (are not empty).

Firewall Rules

Management of the firewall rules can be accessed by selecting the desired chain. If you use the WinBox console, select the desired chain and then press the 'List' button on the toolbar to open the window with the rules. In the terminal console, use the /ip firewall rule command with the argument value that specifies a chain, for example:

[MikroTik] ip firewall> rule input                                             
[MikroTik] ip firewall rule input>                                         

To add a rule, use the add command, for example:

[MikroTik] ip firewall rule input> add dst-port=8080 protocol=tcp action=reject
[MikroTik] ip firewall rule input> print                                       
Flags: X - disabled, I - invalid 
  0   src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:8080 out-interface=all protocol=tcp 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=reject log=no bytes=0 packets=0 

[MikroTik] ip firewall rule input> 

Here, the available values for the argument 'action' are:
(accept / drop / jump / passthrough / reject / return)
See the argument description above.
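The chain processing described in this and the previous section (top-to-bottom evaluation, first match decides, jump into a user chain, default policy when nothing matches), as an added Python model that is not MikroTik code. It assumes 'return' hands the packet back to the calling chain and 'passthrough' continues with the next rule, as in the Linux netfilter the router is built on; matching is reduced to the in-interface, protocol and dst-port arguments, and the chain contents are constructed.

```python
"""Added example (not MikroTik code): a model of how the RouterOS v2.5
firewall walks a chain.  Rules are checked top to bottom, the first matching
rule decides (except 'passthrough', which keeps going), 'jump' processes a
user chain and 'return' comes back to the caller, and a packet that matches
nothing gets the chain's default policy."""
from dataclasses import dataclass


@dataclass
class Packet:
    in_interface: str
    protocol: str
    dst_port: int


@dataclass
class Rule:
    action: str                 # accept / drop / reject / jump / passthrough / return
    in_interface: str = "all"
    protocol: str = "all"
    dst_port: int = 0           # 0 means all ports, as in the manual
    jump_target: str = ""


class Firewall:
    def __init__(self):
        # The three built-in chains start with policy accept and no rules.
        self.policy = {"input": "accept", "forward": "accept", "output": "accept"}
        self.rules = {"input": [], "forward": [], "output": []}

    def add_chain(self, name):
        self.rules[name] = []
        self.policy[name] = "none"   # user chains: policy none, cannot be changed

    @staticmethod
    def matches(rule, pkt):
        return ((rule.in_interface == "all" or rule.in_interface == pkt.in_interface)
                and (rule.protocol == "all" or rule.protocol == pkt.protocol)
                and (rule.dst_port == 0 or rule.dst_port == pkt.dst_port))

    def _walk(self, chain, pkt, depth):
        """accept/drop/reject once a rule decides; None when the chain falls through."""
        if depth > 8:
            raise RuntimeError("jump loop involving chain %s" % chain)
        for rule in self.rules[chain]:
            if not self.matches(rule, pkt):
                continue
            if rule.action in ("accept", "drop", "reject"):
                return rule.action
            if rule.action == "return":
                return None
            if rule.action == "jump":
                verdict = self._walk(rule.jump_target, pkt, depth + 1)
                if verdict is not None:
                    return verdict
            # passthrough, or a jump whose target made no decision: keep going
        return None

    def verdict(self, chain, pkt):
        decided = self._walk(chain, pkt, 0)
        return decided if decided is not None else self.policy[chain]


def example_input_chain():
    """Constructed setup: input policy drop, management allowed only from the
    'Local' interface via a user chain, plus the manual's port 8080 reject."""
    fw = Firewall()
    fw.add_chain("router")
    fw.rules["router"] = [
        Rule("accept", in_interface="Local", protocol="tcp", dst_port=23),  # telnet
        Rule("accept", in_interface="Local", protocol="tcp", dst_port=80),  # web
        Rule("return"),   # everything else goes back to the input chain
    ]
    fw.rules["input"] = [
        Rule("jump", jump_target="router"),
        Rule("reject", protocol="tcp", dst_port=8080),
    ]
    fw.policy["input"] = "drop"   # only safe because the allow rules exist
    return fw
```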

Masquerading and Source NAT

Masquerading is a firewall function that can be used to 'hide' private networks behind one external IP address of the router. For example, masquerading is useful if you want to access the ISP's network and the Internet so that all requests appear to come from the single IP address given to you by the ISP. Masquerading changes the source IP address and port of packets originating from the private network to the external address of the router when the packet is routed through it.

Masquerading helps to ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. Masquerading also conserves the number of global IP addresses required and it lets the whole network use a single IP address in its communication with the world.

To use masquerading, a source NAT rule with action 'masquerade' should be added to the src-nat rule set:

[MikroTik] ip firewall src-nat>
add src-address=10.5.91.0/24:0-65535 out-interface=ether1 action=masquerade
[MikroTik] ip firewall src-nat> print                                          
Flags: X - disabled, I - invalid 
  0   src-address=10.5.91.0/24:0-65535 dst-address=0.0.0.0/0:0-65535 
      out-interface=ether1 protocol=all icmp-options=any:any flow="" 
      limit-count=0 limit-burst=0 limit-time=0s action=masquerade 
      to-src-address=0.0.0.0 to-src-port=0-65535 bytes=0 packets=0 

[MikroTik] ip firewall src-nat>       

If the packet matches the 'masquerade' rule, the router opens a connection to the destination and sends out a modified packet with its own address and a port allocated for this connection. The router keeps track of masqueraded connections and performs the 'demasquerading' of packets that arrive for the opened connections. For filtering purposes, you may want to set the 'to-src-port' argument to, say, 60000-65535, as it was by default in V2.4.

If you want to change the source address:port to a specific address:port, use 'action=nat' instead of 'action=masquerade':

[MikroTik] ip firewall src-nat> add src-address=192.168.0.1/32 \
out-interface=ether1 action=nat to-src-address=10.0.0.217
[MikroTik] ip firewall src-nat> print                                          
Flags: X - disabled, I - invalid 
  0   src-address=192.168.0.1/32:0-65535 dst-address=0.0.0.0/0:0-65535 
      out-interface=ether1 protocol=all icmp-options=any:any flow="" 
      limit-count=0 limit-burst=0 limit-time=0s action=nat 
      to-src-address=10.0.0.217 to-src-port=0-65535 bytes=120 packets=2 

[MikroTik] ip firewall src-nat> 

Here:

src-address - can be an IP host address, for example, 192.168.0.1/32, or a network address, for example, 192.168.0.0/24
to-src-address - can be one address or a range, say 10.0.0.217-10.0.0.219. The addresses should be added to the router's interface, or should be routed to it from the gateway router.

Source NAT can masquerade several private networks, using an individual to-src-address for each of them.

Redirection and Destination NAT

Redirection and destination NAT should be used when you need to give access to services located on a private network from the outside world. To add a destination NAT rule that gives access to the http server 192.168.0.4 on the local network via external address 10.0.0.217, use the following command:

[MikroTik] ip firewall dst-nat> 
add action=nat protocol=tcp \
dst-address=10.0.0.217/32:80 to-dst-address=192.168.0.4
[MikroTik] ip firewall dst-nat> print                                          
Flags: X - disabled, I - invalid 
  0   src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=10.0.0.217/32:80 protocol=tcp icmp-options=any:any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=nat to-dst-address=192.168.0.4 to-dst-port=0-65535 
      bytes=0 packets=0 

[MikroTik] ip firewall dst-nat> 

Here, if you want to redirect to the router's local address, use 'action=redirect' and do not specify the 'to-dst-address'.

Note on 'redirect' and 'masquerade'

REDIRECT is similar to regular destination NAT in the same way as MASQUERADING is similar to source NAT: masquerading is source NAT, except that you do not have to specify to-src-address, because the outgoing interface address is used automatically. The same holds for REDIRECT: it is destination NAT where to-dst-address is not used and the incoming interface address is used instead. So there is no point in specifying to-src-address for src-nat rules with action=masquerade, and no point in specifying to-dst-address for dst-nat rules with action=redirect. Note that to-dst-port is meaningful for REDIRECT rules: it is the port on which the service _on the router_ that will handle these requests is listening (e.g. the web proxy).

When a packet is dst-natted (no matter whether by action=nat or action=redirect), its destination address is changed. Information about the address translation (including the original destination address) is kept in the router's internal tables. A transparent web proxy working _on the router_ (when web requests are redirected to the proxy port on the router) can read this information from the internal tables and obtain the web server's address from them. If you are dst-natting to some other proxy server, it has no way to find the web server's address from the IP header (because the destination address of the IP packet, which previously was the web server's address, has been changed to the proxy server's address). Starting from HTTP/1.1 there is a special header in the HTTP request that carries the web server's address, so the proxy server can use it instead of the destination address of the IP packet. If there is no such header (older HTTP version on the client), the proxy server cannot determine the web server's address and therefore cannot work.

This means that it is impossible to correctly and transparently redirect HTTP traffic from the router to some other transparent-proxy box. The only correct way is to add a transparent proxy on the router itself and configure it so that your "real" proxy is its parent proxy. In this situation your "real" proxy does not have to be transparent any more, as the proxy on the router will be transparent and will forward proxy-style requests (which, according to the standard, include all necessary information about the web server) to the "real" proxy.

Connection Tracking

Connections through the router and their states can be monitored at 'ip firewall connection', for example:

[MikroTik] ip firewall connection> print                                       
Flags: U - unreplied, A - assured 
  #    SRC-ADDRESS           DST-ADDRESS           PR.. TCP-STATE   TIMEOUT    
  0  A 10.5.91.205:1361      10.5.0.23:22          tcp  established 4d23h59m55s
  1  A 10.5.91.205:1389      10.5.5.2:22           tcp  established 4d23h59m21s
  2  A 10.5.91.205:1373      10.5.91.254:3986      tcp  established 4d23h59m56s
  3  A 10.5.91.205:1377      159.148.172.3:23      tcp  established 4d23h35m14s
  4  A 80.232.241.3:1514     159.148.172.204:1723  tcp  established 4d23h59m53s
  5    159.148.172.204       80.232.241.3          47               9m21s      
[MikroTik] ip firewall connection>                                             

Connection timeouts are as follows:

TCP SYN sent (First stage in establishing a connection) = 2min.
TCP SYN recvd (Second stage in establishing a connection) = 60sec.
Established TCP connections (Third stage) = 5 days.

TCP FIN wait (connection termination) = 2min.
TCP TIME wait (connection termination) = 2min.
TCP CLOSE (remote party sends RST) = 10sec.
TCP CLOSE wait (sent RST) = 60sec.
TCP LAST ACK (received ACK) = 30sec.
TCP Listen (ftp server waiting for client
    to establish data connection) = 2min.

UDP timeout = 30sec.
UDP with reply timeout (remote party has responded) = 180sec.
ICMP timeout = 30sec.
All other =  10min.
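The timeouts listed above determine when an idle entry disappears from the connection table. The following Python model is an added example, not part of the manual or of RouterOS: it encodes the listed values, renders the remaining time the way the TIMEOUT column of the print output does, and expires idle entries. The sample connections are constructed, and the tracker's internal layout (a dictionary keyed by source, destination and protocol) is an assumption made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Idle timeouts from the manual, in seconds, keyed by protocol and TCP state.
TCP_TIMEOUTS = {
    "syn-sent": 2 * 60,
    "syn-received": 60,
    "established": 5 * 24 * 3600,
    "fin-wait": 2 * 60,
    "time-wait": 2 * 60,
    "close": 10,
    "close-wait": 60,
    "last-ack": 30,
    "listen": 2 * 60,
}
UDP_TIMEOUT = 30
UDP_REPLIED_TIMEOUT = 180
ICMP_TIMEOUT = 30
OTHER_TIMEOUT = 10 * 60


def timeout_for(proto: str, tcp_state: Optional[str] = None, replied: bool = False) -> int:
    """Idle timeout that applies to a tracked connection in its current state."""
    if proto == "tcp":
        return TCP_TIMEOUTS[tcp_state]
    if proto == "udp":
        return UDP_REPLIED_TIMEOUT if replied else UDP_TIMEOUT
    if proto == "icmp":
        return ICMP_TIMEOUT
    return OTHER_TIMEOUT  # e.g. GRE (protocol 47) in the print output above


def fmt_timeout(seconds: int) -> str:
    """Render seconds the way the TIMEOUT column does, e.g. 4d23h59m55s or 9m21s."""
    seconds = max(0, int(seconds))
    days, rest = divmod(seconds, 86400)
    hours, rest = divmod(rest, 3600)
    minutes, secs = divmod(rest, 60)
    out = ""
    for value, unit in ((days, "d"), (hours, "h"), (minutes, "m")):
        if value or out:  # skip leading zero units only
            out += f"{value}{unit}"
    return out + f"{secs}s"


@dataclass
class Entry:
    proto: str
    tcp_state: Optional[str] = None
    replied: bool = False
    last_seen: float = 0.0


class ConnTracker:
    """Toy connection table (constructed model, not RouterOS code): an entry is
    dropped once it has been idle longer than the timeout for its state."""

    def __init__(self):
        self.table = {}  # (src, dst, proto) -> Entry

    def see(self, key, now, tcp_state=None, reply=False):
        """Record a packet of connection `key` seen at time `now` (seconds)."""
        entry = self.table.get(key)
        if entry is None:
            entry = self.table[key] = Entry(proto=key[2])
        entry.last_seen = now
        if tcp_state is not None:
            entry.tcp_state = tcp_state
        if reply:
            entry.replied = True  # UDP "with reply": the remote party answered
        return entry

    def remaining(self, key, now) -> int:
        e = self.table[key]
        return timeout_for(e.proto, e.tcp_state, e.replied) - int(now - e.last_seen)

    def expire(self, now):
        """Remove idle entries; returns the keys that were dropped."""
        dead = [k for k in self.table if self.remaining(k, now) <= 0]
        for k in dead:
            del self.table[k]
        return dead
```

An established TCP entry idle for 5 seconds renders as 4d23h59m55s, matching the print output above, and a GRE entry (protocol 47) falls under "all other" and starts from 10 minutes.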

Troubleshooting

Additional Resources

Read about connection tracking at
http://www.cs.princeton.edu/~jns/security/iptables/iptables_conntrack.html

IP Firewall Applications

Further on, the following examples of using firewall rules are given:

Basic Firewall Building Principles

Assume we have a router that connects a customer's network to the Internet. The basic firewall building principles can be grouped as follows: Filtering has some impact on the router's performance. To minimize it, the filtering rules that match packets of established connections should be placed at the top of the chain. These are TCP packets with the option 'non-syn-only'.

Examples of setting up firewalls are discussed below.

Example of Firewall Filters

Assume we want to create a firewall, that The basic network setup is in the following diagram:

Firewall

The IP addresses and routes of the MikroTik router are as follows:

[MikroTik] > ip address print                                                  
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.0.0.217/24      10.0.0.217      10.0.0.255      Public                
  1   192.168.0.254/24   192.168.0.0     192.168.0.255   Local                 
[MikroTik] > ip route print                                                    
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE               
    0  S 0.0.0.0/0          r 10.0.0.1        1        Public                  
    1 DC 192.168.0.0/24     r 0.0.0.0         0        Local                   
    2 DC 10.0.0.0/24        r 0.0.0.0         0        Public                  
[MikroTik] >

Protecting the Router

To protect the router from unauthorized access, we should filter out all packets with the destination addresses of the router, and accept only what is allowed. Since all packets with destination to the router's address are processed against the input chain, we can add the following rules to it:

[MikroTik] > ip firewall rule input
[MikroTik] ip firewall rule input> 
add protocol tcp tcp-option non-syn-only connection-state=established \
    comment="Allow established TCP connections"
add protocol udp \
    comment="Allow UDP connections"
add protocol icmp \
    comment="Allow ICMP messages"
add src-addr 10.5.8.0/24 \
    comment="Allow access from 'trusted' network 10.5.8.0/24 of ours"
add action reject log yes \
    comment="Reject and log everything else"
[MikroTik] ip firewall rule input> print                                       
Flags: X - disabled, I - invalid 
  0   ;;; Allow established TCP connections
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=tcp 
      icmp-options=any:any tcp-options=non-syn-only 
      connection-state=established flow="" src-mac-address=00:00:00:00:00:00 
      limit-count=0 limit-burst=0 limit-time=0s action=accept log=no bytes=964 
      packets=17 

  1   ;;; Allow UDP connections
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=udp 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=accept log=no bytes=46 packets=1 

  2   ;;; Allow ICMP messages
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=icmp 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=accept log=no bytes=0 packets=0 

  3   ;;; Allow access from 'trusted' network 10.5.8.0/24 of ours
      src-address=10.5.8.0/24:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=accept log=no bytes=0 packets=0 

  4   ;;; Reject and log everything else
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=reject log=yes bytes=0 packets=0 

[MikroTik] ip firewall rule input>    

Thus, the input chain will accept the allowed connections and reject and log everything else.

Protecting the Customer's Network

To protect the customer's network, we should match all packets with destination address 192.168.0.0/24 that are passing through the router. This can be done in the forward chain. We can match the packets against the IP addresses in the forward chain, and then jump to another chain, say, 'customer'. We create the new chain and add rules to it:

[MikroTik] ip firewall> add name=customer                                      
[MikroTik] ip firewall> print                                                  
  # NAME                                                                 POLICY
  0 input                                                                accept
  1 forward                                                              accept
  2 output                                                               accept
  3 router                                                               none  
  4 customer                                                             none  
[MikroTik] ip firewall> rule customer
[MikroTik] ip firewall rule customer> 
add protocol tcp tcp-option non-syn-only connection-state=established \
    comment="Allow established TCP connections"
add protocol udp \
    comment="Allow UDP connections"
add protocol icmp \
    comment="Allow ICMP messages"
add protocol tcp tcp-option syn-only dst-address 192.168.0.17/32:80 \
    comment="Allow http connections to the server at 192.168.0.17"
add protocol tcp tcp-option syn dst-address 192.168.0.17/32:25 \
    comment="Allow smtp connections to the server at 192.168.0.17"
add protocol tcp tcp-option syn src-port 20 dst-port 1024-65535 \
    comment="Allow ftp data connections from servers on the Internet"
add action reject log yes \
    comment="Reject and log everything else"
[MikroTik] ip firewall rule customer> print                                    
Flags: X - disabled, I - invalid 
  0   ;;; Allow established TCP connections
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=tcp 
      icmp-options=any:any tcp-options=non-syn-only 
      connection-state=established flow="" src-mac-address=00:00:00:00:00:00 
      limit-count=0 limit-burst=0 limit-time=0s action=accept log=no bytes=0 
      packets=0 

  1   ;;; Allow UDP connections
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=udp 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=accept log=no bytes=0 packets=0 

  2   ;;; Allow ICMP messages
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=icmp 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=accept log=no bytes=0 packets=0 

  3   ;;; Allow http connections to the server at 192.168.0.17
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=192.168.0.17/32:80 out-interface=all protocol=tcp 
      icmp-options=any:any tcp-options=syn-only connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=accept log=no bytes=0 packets=0 

  4   ;;; Allow smtp connections to the server at 192.168.0.17
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=192.168.0.17/32:25 out-interface=all protocol=tcp 
      icmp-options=any:any tcp-options=syn-only connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=accept log=no bytes=0 packets=0 

  5   ;;; Allow ftp data connections from servers on the Internet
      src-address=0.0.0.0/0:20 in-interface=all 
      dst-address=0.0.0.0/0:1024-65535 out-interface=all protocol=tcp 
      icmp-options=any:any tcp-options=syn-only connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=accept log=no bytes=0 packets=0 

  6   ;;; Reject and log everything else
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=reject log=yes bytes=0 packets=0 

[MikroTik] ip firewall rule customer>   

Note about the rule #5: active ftp data connections are made from the server's port 20 to the client's tcp port above 1024.

All we have to do now is to put rules in the forward chain, that match the IP addresses of the customer's hosts on the Local interface and jump to the customer chain:

[MikroTik] ip firewall rule forward>
add out-interface=Local action=jump jump-target=customer
[MikroTik] ip firewall rule forward> print                                     
Flags: X - disabled, I - invalid 
  0   src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=Local protocol=all 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=jump jump-target=customer log=no bytes=0 packets=0 

[MikroTik] ip firewall rule forward> 

Thus, everything that passes the router and leaves the Local interface (destination of the customer's network) will be processed against the firewall rules of the customer chain.

Enforcing the 'Internet Policy'

To force the customer's hosts to access the Internet only through the proxy server at 192.168.0.17, we should put following rules in the forward chain:

[MikroTik] ip firewall rule forward>                                           
add protocol icmp out-interface Public \
    comment="Allow ICMP ping packets"
add src-address 192.168.0.17/32 out-interface Public \
    comment="Allow outgoing connections from the server at 192.168.0.17"
add action reject out-interface Public log yes \
    comment="Reject and log everything else"
[MikroTik] ip firewall rule forward> print                                     
Flags: X - disabled, I - invalid 
  0   src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=Local protocol=all 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=jump jump-target=customer log=no bytes=0 packets=0 

  1   ;;; Allow ICMP ping packets
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=Public protocol=icmp 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=accept log=no bytes=0 packets=0 

  2   ;;; Allow outgoing connections from the server at 192.168.0.17
      src-address=192.168.0.17/32:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=Public protocol=all 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=accept log=no bytes=0 packets=0 

  3   ;;; Reject and log everything else
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=Public protocol=all 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=reject log=yes bytes=0 packets=0 

[MikroTik] ip firewall rule forward>
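To see how the chains above interact (the forward chain jumps into the customer chain for traffic leaving the Local interface, and applies the Internet policy to traffic leaving Public), here is an added Python model of first-match rule evaluation with jumps. It is an illustration written for this manual page, not RouterOS code: rule and packet fields are reduced to the matchers the example uses, the interface names Local and Public follow the diagram, and the remote addresses in the trace are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    syn_only: bool = False      # SYN set and ACK clear: opens a new TCP connection
    state: str = "new"          # connection-state as connection tracking reports it
    out_iface: str = "Local"


@dataclass(frozen=True)
class Rule:
    action: str                         # accept / reject / drop / jump
    protocol: Optional[str] = None      # None means protocol=all
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    src_ports: tuple = (0, 65535)
    dst_ports: tuple = (0, 65535)
    tcp_options: str = "any"            # any / syn-only / non-syn-only
    state: str = "any"
    out_iface: Optional[str] = None     # None means out-interface=all
    jump_target: Optional[str] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (
            (self.protocol is None or p.proto == self.protocol)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and self.src_ports[0] <= p.src_port <= self.src_ports[1]
            and self.dst_ports[0] <= p.dst_port <= self.dst_ports[1]
            and (self.tcp_options == "any"
                 or (self.tcp_options == "syn-only") == p.syn_only)
            and (self.state == "any" or p.state == self.state)
            and (self.out_iface is None or p.out_iface == self.out_iface)
        )


class Firewall:
    """First-match evaluator (toy model): a built-in chain falls back to its
    policy, a user chain (policy none) returns to the caller when nothing matches."""

    def __init__(self, chains, policy):
        self.chains, self.policy = chains, policy

    def run(self, chain, p, trail):
        for rule in self.chains[chain]:
            if not rule.matches(p):
                continue
            trail.append(f"{chain}: {rule.comment or rule.action}")
            if rule.action != "jump":
                return rule.action
            verdict = self.run(rule.jump_target, p, trail)
            if verdict is not None:
                return verdict  # sub-chain decided; otherwise keep going here
        return self.policy.get(chain)

    def decide(self, p):
        """Verdict for a packet entering the forward chain, plus the rules it hit."""
        trail = []
        return self.run("forward", p, trail), trail


def build_example_firewall():
    """The forward and customer chains of the application example above."""
    srv, tcp = "192.168.0.17/32", "tcp"
    customer = [
        Rule("accept", tcp, tcp_options="non-syn-only", state="established",
             comment="Allow established TCP connections"),
        Rule("accept", "udp", comment="Allow UDP connections"),
        Rule("accept", "icmp", comment="Allow ICMP messages"),
        Rule("accept", tcp, tcp_options="syn-only", dst=srv, dst_ports=(80, 80),
             comment="Allow http connections to the server at 192.168.0.17"),
        Rule("accept", tcp, tcp_options="syn-only", dst=srv, dst_ports=(25, 25),
             comment="Allow smtp connections to the server at 192.168.0.17"),
        Rule("accept", tcp, tcp_options="syn-only", src_ports=(20, 20),
             dst_ports=(1024, 65535), comment="Allow ftp data connections"),
        Rule("reject", comment="Reject and log everything else"),
    ]
    forward = [
        Rule("jump", out_iface="Local", jump_target="customer"),
        Rule("accept", "icmp", out_iface="Public", comment="Allow ICMP ping packets"),
        Rule("accept", src=srv, out_iface="Public",
             comment="Allow outgoing connections from the server"),
        Rule("reject", out_iface="Public", comment="Reject and log everything else"),
    ]
    return Firewall({"forward": forward, "customer": customer}, {"forward": "accept"})
```

The trail returned by decide() shows why a packet was accepted or rejected: a new HTTP connection to 192.168.0.17 is accepted in the customer chain, a new connection to any other customer host is rejected there, and a customer host other than the proxy server trying to reach the Internet directly is rejected by the last rule of the forward chain.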

Example of Source NAT (Masquerading)

If you want to 'hide' the private LAN 192.168.0.0/24 'behind' one address 10.0.0.217 given to you by the ISP (see the network diagram in the Application Example above), you should use the source network address translation (masquerading) feature of the MikroTik router. The masquerading will change the source IP address and port of the packets originated from the network 192.168.0.0/24 to the address 10.0.0.217 of the router when the packet is routed through it.

To use masquerading, a source NAT rule with action 'masquerade' should be added to the firewall configuration:

[MikroTik] ip firewall src-nat> add action=masquerade out-interface=Public
[MikroTik] ip firewall src-nat> print                                          
Flags: X - disabled, I - invalid 
  0   src-address=0.0.0.0/0:0-65535 dst-address=0.0.0.0/0:0-65535 
      out-interface=Public protocol=all icmp-options=any:any flow="" 
      limit-count=0 limit-burst=0 limit-time=0s action=masquerade 
      to-src-address=0.0.0.0 to-src-port=0-65535 bytes=0 packets=0 

[MikroTik] ip firewall src-nat> 

All outgoing connections from the network 192.168.0.0/24 will have source address 10.0.0.217 of the router and source port above 1024. No access from the Internet will be possible to the Local addresses. If you want to allow connections to the server on the local network, you should use Static Network Address Translation (NAT).

Example of Destination NAT

Assume you need to configure the MikroTik router for the following network setup, where the server is located in the private network area:

The server's address is 192.168.0.4, and we are running a web server on it that listens on TCP port 80. We want to make it accessible from the Internet at address:port 10.0.0.217:80. This can be done by means of Static Network Address Translation (NAT) at the MikroTik Router. The Public address:port 10.0.0.217:80 will be translated to the Local address:port 192.168.0.4:80. One destination NAT rule is required for translating the destination address and port:

[MikroTik] ip firewall dst-nat> 
add action=nat protocol=tcp \
dst-address=10.0.0.217/32:80 to-dst-address=192.168.0.4
[MikroTik] ip firewall dst-nat> print                                          
Flags: X - disabled, I - invalid 
  0   src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=10.0.0.217/32:80 protocol=tcp icmp-options=any:any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=nat to-dst-address=192.168.0.4 to-dst-port=0-65535 
      bytes=0 packets=0 

[MikroTik] ip firewall dst-nat> 
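The translation behaviour described in the 'Masquerading and Source NAT' and 'Redirection and Destination NAT' sections and in the two application examples above can be traced with the following Python model. It is an added example, not part of the manual or of RouterOS. The addresses follow the diagram (10.0.0.217 on Public, 192.168.0.254 on Local, the server at 192.168.0.4); the proxy port 8080, the masquerade port pool 60000-65535 (the V2.4 default mentioned earlier) and the remote hosts 203.0.113.5, 198.51.100.7 and 198.51.100.9 are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed topology for this example: the LAN 192.168.0.0/24 sits on the
# router's Local interface (192.168.0.254), the ISP-assigned address 10.0.0.217
# is on Public, the web server is 192.168.0.4, and a transparent web proxy on
# the router is assumed to listen on port 8080.
PUBLIC_ADDRESS = "10.0.0.217"
LOCAL_ADDRESS = "192.168.0.254"
PROXY_PORT = 8080


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatTable:
    """Toy model of the router's translation tables (not RouterOS code)."""

    def __init__(self, masq_ports=range(60000, 65536)):
        # masquerade allocates one router-side port per tracked connection; the
        # manual suggests a 60000-65535 range so filter rules can recognise it
        self._free = iter(masq_ports)
        self._src_nat = {}   # (src, sport, dst, dport) -> allocated router port
        self._src_rev = {}   # (router port, peer, peer port) -> (src, sport)
        self._dst_nat = {}   # (client, cport, new dst, new dport) -> (orig dst, orig dport)

    def src_nat(self, pkt, to_src_address):
        """action=nat with an explicit to-src-address."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self._src_nat.get(key)
        if port is None:
            port = next(self._free)
            self._src_nat[key] = port
            self._src_rev[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=to_src_address, sport=port)

    def masquerade(self, pkt, out_interface_address):
        """action=masquerade: source NAT to the outgoing interface's own address."""
        return self.src_nat(pkt, out_interface_address)

    def demasquerade(self, reply):
        """Reverse translation for a reply on a tracked connection; a packet to
        the router's port pool that belongs to no connection yields None."""
        orig = self._src_rev.get((reply.dport, reply.src, reply.sport))
        if orig is None:
            return None
        return replace(reply, dst=orig[0], dport=orig[1])

    def dst_nat(self, pkt, to_dst_address, to_dst_port=None):
        """action=nat: rewrite the destination address (and port if given);
        the original destination is remembered in the table."""
        new_port = pkt.dport if to_dst_port is None else to_dst_port
        self._dst_nat[(pkt.src, pkt.sport, to_dst_address, new_port)] = (pkt.dst, pkt.dport)
        return replace(pkt, dst=to_dst_address, dport=new_port)

    def redirect(self, pkt, in_interface_address, to_dst_port):
        """action=redirect: destination NAT to the incoming interface's address."""
        return self.dst_nat(pkt, in_interface_address, to_dst_port)

    def original_destination(self, pkt):
        """What a transparent proxy running on the router can recover from the
        tables, and what an off-router proxy cannot see in the IP header."""
        return self._dst_nat.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))


def demo():
    nat = NatTable()
    # a LAN host opens a connection to a web server on the Internet
    out = nat.masquerade(Packet("192.168.0.10", 1025, "203.0.113.5", 80), PUBLIC_ADDRESS)
    back = nat.demasquerade(Packet("203.0.113.5", 80, PUBLIC_ADDRESS, out.sport))
    stray = nat.demasquerade(Packet("198.51.100.9", 4444, PUBLIC_ADDRESS, 60001))
    # an Internet client reaches the published server: 10.0.0.217:80 -> 192.168.0.4:80
    inbound = nat.dst_nat(Packet("198.51.100.7", 40000, PUBLIC_ADDRESS, 80), "192.168.0.4")
    # a LAN client's web request is redirected to the proxy on the router
    redirected = nat.redirect(Packet("192.168.0.10", 1030, "203.0.113.5", 80),
                              LOCAL_ADDRESS, PROXY_PORT)
    return {"out": out, "back": back, "stray": stray, "inbound": inbound,
            "redirected": redirected, "proxy_sees": nat.original_destination(redirected)}
```

Running demo() shows the masqueraded packet leaving with the router's address and an allocated port, the reply being mapped back to the LAN host, an unsolicited packet to the port pool being dropped (None), the published server reached through destination NAT, and the redirected request whose original destination is only recoverable from the table, which is the point made in the note on 'redirect' above.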



MikroTik RouterOS WEB Proxy

Document revision 19-Jun-2002
This document applies to the MikroTik RouterOS V2.5

Overview

The MikroTik RouterOS includes a proxy server implementation based on Squid.

Proxy server features:

Contents of the Manual

The following topics are covered in this manual:

Installation

The MikroTik Web Proxy feature is included in the 'web-proxy' package. To install the web-proxy package, upload it to the router and reboot. After successful install of the web-proxy package it should be listed under the /system package print list:

[MikroTik] > system package print                                              
Flags: I - invalid 
  #   NAME                  VERSION              BUILD-TIME           UNINSTALL
  0   system                2.5.2                apr/24/2002 11:52:28 no       
  1   routing               2.5.2                apr/24/2002 12:04:34 no       
  2   web-proxy             2.5.2                apr/24/2002 12:02:52 no       
  3   ppp                   2.5.2                apr/24/2002 11:57:03 no       
  4   pptp                  2.5.2                apr/24/2002 11:57:43 no       
  5   pppoe                 2.5.2                apr/24/2002 11:58:46 no       
  6   ssh                   2.5.2                apr/24/2002 11:54:52 no       
  7   snmp                  2.5.2                apr/24/2002 11:53:10 no       
[MikroTik] >      

Hardware Resource Usage

The proxy cache can use as much disk space as is allocated for it. When the system allocates the space for the proxy cache, 1/7th of the total partition (disk) size is reserved for the system, but not less than 30MB. The rest is left for the proxy cache. The system RAM size is considered as well when allocating the cache size: the cache size is limited so that there is at least 11.1MB of RAM per 1GB of cache.

It is recommended that a HDD of at least 100MB is used when running the web proxy. Do not try to run web-proxy on a 32 or 48 MB FlashDisk!

MikroTik Web Proxy Description

The web proxy can be used as a transparent and a normal web proxy at the same time. In transparent mode it is possible to use it as a standard web proxy, too. However, in this case, proxy users may have trouble reaching web pages which are accessed transparently.

MikroTik Web Proxy Setup

The Web Proxy management can be accessed under the /ip web-proxy submenu:

[MikroTik] ip web-proxy> ?                                                     
HTTP proxy
  clear-cache  Clear http cache
       access  Access list
        cache  Cache access list
        print  Print current configuration and status
          get  Get value of configuration property
          set  Change proxy configuration
       export  Export web proxy settings
[MikroTik] ip web-proxy>  

For web proxy setup, do the following:

Now it is possible to use this proxy, by setting it as proxy for IE or Netscape.

The web proxy will automatically detect any problems with the cache and will try to solve them without losing any cache data. But in case of heavy damage to the file system, the web proxy cannot rebuild the cache data. The cache can be deleted and new cache directories created with the command '/ip web-proxy clear-cache'.

Monitoring the Web Proxy

Use the command /ip web-proxy print to see the current web proxy status:

[MikroTik] ip web-proxy> print                                                 
                enabled: yes
                address: 0.0.0.0:8080
       transparent-mode: no
           parent-proxy: 0.0.0.0:0
    cache-administrator: support@mt.lv
               hostname: proxy.mt.lv
                 status: running
     reserved-for-cache: 6782 MB
[MikroTik] ip web-proxy> 

Description of the status parameter value:

stopped - proxy is disabled and is not running
rebuilding-cache - proxy is enabled and running, existing cache is being verified
running - proxy is enabled and running
stopping - proxy is shutting down (max 10s)
clearing-cache - proxy is stopped, cache files are being removed
creating-cache - proxy is stopped, cache directory structure is being created
dns-missing - proxy is enabled, but not running because of unknown DNS server (please, specify it under /ip dns)
invalid-address - proxy is enabled, but not running because of invalid address (please, change address or port)
invalid-cache-administrator - proxy is enabled, but not running because of invalid cache-administrator's e-mail address
invalid-hostname - proxy is enabled, but not running because of invalid hostname (please, set valid hostname value)
error-logged - proxy is not running because of an unknown error. This error is logged as System-Error. Please send us this error and a description of how it happened.

Access logs are sent to the Web-Proxy-Access logging facility. These logs can be disabled, logged locally or sent to a remote address. To log locally:

/system logging facility set Web-Proxy-Access logging=local

Logs can be viewed using the /log print command.

Access List

The access list is implemented in the same way as the MikroTik firewall rules. Rules are processed from top to bottom. The first matching rule decides what to do with the connection. Connections can be matched by their source address, destination address, destination port or a substring of the requested URL. If none of these parameters is specified, every connection will match the rule.

If a connection is matched by a rule, the action property of that rule specifies whether the connection will be allowed or not. If a connection does not match any rule, it will be allowed.

For example:

[MikroTik] ip web-proxy access> print 
Flags: X - disabled 
  #   SRC-ADDRESS         DST-ADDRESS         DST-PORT     URL           ACTION
  0   0.0.0.0/0           0.0.0.0/0           0-65535      .mp3          deny  
  1   10.0.0.1/32         0.0.0.0/0           0-65535                    allow 
  2   0.0.0.0/0           0.0.0.0/0           0-65535      ftp://        deny  
  3   10.0.0.0/24         10.9.9.128/28       0-65535                    allow 
  4   0.0.0.0/0           0.0.0.0/0           0-65535                    deny  
[MikroTik] ip web-proxy access> 

Argument description:

src-address - source address of the request
dst-address - destination address of the request
dst-port - destination port of the request
url - the URL of the request. Can be regular expression.
action - (allow / deny) action to take.

Access list, shown above, disables access to any mp3 files for everyone.
Local gateway 10.0.0.1 has access to everything else (excluding mp3 files).
All other local network (10.0.0.0/24) users have access to servers located at 10.9.9.128/28, but, ftp protocol is not allowed for them.
Any other request is denied.

Managing the Cache

The cache access list specifies which requests (domains, servers, pages) are to be cached locally by the web proxy, and which are not. The Web Proxy cache access list is located under the /ip web-proxy cache submenu.

The cache access list is implemented exactly the same way as the web proxy access list. The default action (if no matching rule is found) is to cache the object. By default, one cache access rule is already added:

[MikroTik] ip web-proxy cache> print 
Flags: X - disabled 
  #   SRC-ADDRESS         DST-ADDRESS         DST-PORT     URL           ACTION
  0   0.0.0.0/0           0.0.0.0/0           0-65535      cgi-bin \?    deny  
[MikroTik] ip web-proxy cache> 
This rule defines that all runtime-generated pages (which are located within cgi-bin directories or contain '?' in the URL) are not to be cached.

NOTE: Objects, which are larger than 4MB, are not cached.
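The first-match semantics of the access list and of the default cache rule can be checked with the following added Python example; it is an illustration written for this page, not part of the manual or of RouterOS. It reproduces the access list printed above, the cgi-bin/'?' cache rule and the 4MB object limit, and evaluates constructed requests. Two readings are assumptions noted in the code: `.mp3` is matched as the literal extension, and `cgi-bin \?` is treated as two alternatives.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str
    dst: str
    dst_port: int
    url: str


@dataclass(frozen=True)
class ProxyRule:
    action: str                 # allow / deny (for the cache list: cache or not)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    ports: tuple = (0, 65535)
    url: str = ""               # regular expression searched in the URL; "" matches all

    def matches(self, r: Request) -> bool:
        return (ipaddress.ip_address(r.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(r.dst) in ipaddress.ip_network(self.dst)
                and self.ports[0] <= r.dst_port <= self.ports[1]
                and (self.url == "" or re.search(self.url, r.url) is not None))


def first_match(rules, r: Request, default: str) -> str:
    """Top-to-bottom evaluation; the default applies when no rule matches."""
    for rule in rules:
        if rule.matches(r):
            return rule.action
    return default


# The access list printed above. The manual shows the first URL as ".mp3"; as a
# regular expression the dot would match any character, so it is escaped here
# (an assumption) to match the literal extension.
ACCESS_LIST = [
    ProxyRule("deny", url=r"\.mp3"),
    ProxyRule("allow", src="10.0.0.1/32"),
    ProxyRule("deny", url=r"ftp://"),
    ProxyRule("allow", src="10.0.0.0/24", dst="10.9.9.128/28"),
    ProxyRule("deny"),
]

# The default cache rule: "cgi-bin \?" is read here as two alternatives, pages
# under cgi-bin or URLs containing '?' (an assumption about the display).
CACHE_LIST = [ProxyRule("deny", url=r"cgi-bin|\?")]
MAX_CACHED_OBJECT = 4 * 1024 * 1024  # objects larger than 4MB are never cached


def access_decision(r: Request) -> str:
    """Unmatched requests are allowed, as the manual states."""
    return first_match(ACCESS_LIST, r, default="allow")


def cache_decision(r: Request, object_size: int) -> str:
    """Unmatched objects are cached, unless they exceed the size limit."""
    if object_size > MAX_CACHED_OBJECT:
        return "deny"
    return first_match(CACHE_LIST, r, default="allow")
```

Note the effect of rule order: because the gateway's allow rule (rule 1) comes before the ftp deny (rule 2), 10.0.0.1 may use ftp:// URLs while the rest of 10.0.0.0/24 may not, exactly as the description above says.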

Transparent Mode

To enable the transparent mode, a firewall rule has to be added in destination NAT, specifying which connections (to which ports) should be transparently redirected to the proxy. For example, we have the following web-proxy settings:

[MikroTik] ip web-proxy> print                                               
                enabled: yes
                address: 0.0.0.0:8080
       transparent-mode: yes
           parent-proxy: 0.0.0.0:0
    cache-administrator: support@mt.lv
               hostname: proxy.mt.lv
                 status: running
     reserved-for-cache: 3398 MB
[MikroTik] ip web-proxy> 

If we want all connections coming from interface ether1 and going to port 80 to be handled transparently by the web proxy, and our web proxy is listening on port 8080, then we add the following destination NAT rule:

[MikroTik] ip firewall dst-nat> add in-interface=ether1 protocol=tcp \
dst-address=!10.0.0.1/32:80 action=redirect to-dst-port=8080
[MikroTik] ip firewall dst-nat> print                                           
Flags: X - disabled, I - invalid 
  0   ;;; Transparent proxy
      src-address=0.0.0.0/0:0-65535 in-interface=ether1 
      dst-address=!10.0.0.1/32:80 protocol=tcp icmp-options=any:any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=redirect to-dst-address=0.0.0.0 to-dst-port=8080 
      bytes=118949 packets=2260 

[MikroTik] ip firewall dst-nat>                                              

Here, the router's address and port 80 (10.0.0.1/32:80) have been excluded from redirection to preserve the WinBox functionality, which uses TCP port 80 on the router. More than one redirect rule can be added to redirect more than one port.

NOTE: only HTTP traffic is supported by web proxy transparent mode. HTTPS and FTP are not going to work this way!

Troubleshooting



MikroTik RouterOS V2.4 DHCP Client and Server

Document revision 12-Feb-2002
This document applies to the MikroTik RouterOS V2.5

Overview

DHCP (Dynamic Host Configuration Protocol) supports easy distribution of IP addresses for a network. The MikroTik RouterOS implementation includes both server and client modes and is compliant with RFC2131.

General usage of DHCP:

Contents of the Manual

The following topics are covered in this manual:

Installation

Unlike prior versions, in V2.5 the DHCP server and client are not included in the 'system' package. Please download the dhcp-2.x.npk package from MikroTik's web site, upload the package to the router, and reboot.

Use the /system package print command to see the list of installed packages.

Hardware Resource Usage

The DHCP server does not consume any significant resources. The DHCP client may consume significant resources for five to ten seconds while acquiring or renewing an address.

DHCP Description

The DHCP protocol assigns and leases IP addresses to IP clients. DHCP is basically insecure and should only be used on secure networks. Port 67 is the DHCP listen port and port 68 is the DHCP transmit port.

DHCP Client Setup

The MikroTik RouterOS DHCP client may be attached to one Ethernet-like interface. The client will accept an address, netmask, default gateway, and two DNS server addresses. The IP address will be added to the interface with the netmask. The default gateway will be added to the routing table as a dynamic entry; when the DHCP client is disabled, the dynamic default route will be removed. If a default route is already installed before the DHCP client obtains one, the route obtained by the DHCP client will be shown as invalid.

The DNS-server from the DHCP server will be used as the router default DNS if the router DNS is set to 0.0.0.0 under the /ip dns settings.

To add a DHCP client to the router:

[MikroTik] ip dhcp-client> set enabled yes interface ether1 client-id test

Descriptions of arguments:

[MikroTik] - The text inside the brackets is the 'system identity' of the router. If the DHCP server requires a 'host name', then the MikroTik 'system identity' should be set to the same. This 'system identity' will be reported to the DHCP server as the 'host name'.
enabled - (yes / no). Enables or disables the DHCP client.
interface - Can be set to any Ethernet like interface – this includes wireless and EoIP tunnels.
client-id - (optional) If needed, it should correspond to the settings suggested by the network administrator or ISP.

To change the 'system identity', use the command:

[MikroTik]> system identity set name=Mikro2345 
[Mikro2345]>

DHCP Server Setup

The router supports an individual server for each Ethernet like interface. The MikroTik RouterOS DHCP server supports the basic functions of giving each requesting client an IP address lease, default gateway, and DNS-server information.

To add a DHCP server:

[MikroTik] ip dhcp-server>
set ether1 enabled yes lease-time 72h from-address 10.5.0.1 \
to-address 10.5.0.100 netmask 255.255.255.0 gateway 10.5.0.254 \
dns-server 10.5.0.254 domain rm219
[MikroTik] ip dhcp-server> print
0   interface: ether1 enabled: yes from-address: 10.5.0.1
    to-address: 10.5.0.100 lease-time: 3 days 0:00:00 netmask: 255.255.255.0
    gateway: 10.5.0.254 src-address: 0.0.0.0 dns-server: 10.5.0.254
    domain: ether1-area
1   interface: Local219 enabled: no from-address: 0.0.0.0 to-address: 0.0.0.0
    lease-time: 0:10:00 netmask: 0.0.0.0 gateway: 0.0.0.0 src-address: 0.0.0.0
    dns-server: 0.0.0.0 domain: ""
[MikroTik] ip dhcp-server>

Descriptions of arguments:

interface - All Ethernet like interfaces may run a DHCP server.
enabled - (yes / no) Enable or disable the DHCP server.
from-address - Beginning number of IP address range to give to requesting DHCP clients. This address must be in the range of a static address on the same interface.
to-address - Ending number of IP address range to give to requesting DHCP clients. This address must be in the range of a static address on the same interface.
lease-time - Dictates the time that a client may use an address. The suggested setting is three days ('3d'). The client will request a new address after this time limit expires.
netmask - The netmask to be given with the IP address coming from the range of addresses that can be given out.
gateway - The default gateway to be used by the DHCP client.
source-address - The address which the DHCP client must use to renew an IP address lease. If there is only one static address on the DHCP server interface and the source-address is left as 0.0.0.0, then the static address will be used. If there are multiple addresses on the interface, an address in the same subnet as the range of given addresses should be used.
dns-server - The DHCP client will use this as the default DNS server.
domain - The DHCP client will use this as the 'DNS domain' setting for the network adapter.

Additional DHCP Resources

Links for DHCP documentation:

http://www.ietf.org/rfc/rfc2131.txt?number=2131
http://www.isc.org/products/DHCP/
http://www1.fatbrain.com/asp/BookInfo/BookInfo.asp?theisbn=1578701376&from=xjb375
http://www.linuxdoc.org/HOWTO/mini/DHCP/
http://arsinfo.cit.buffalo.edu/FAQ/faq.cgi?pkg=ISC%20DHCP



MikroTik RouterOS IP Packet Packer Protocol (M3P)

Document revision 28-Mar-2002
This document applies to the MikroTik RouterOS v2.4 and v2.5

Overview

The MikroTik Packet Packer Protocol (M3P) optimizes the bandwidth usage of links using protocols that have a high overhead per packet transmitted. The basic purpose of this protocol is to better enable wireless networks to transport VoIP traffic and other traffic that uses small packet sizes of around 100 bytes.

M3P features:

Contents of the Manual

The following topics are covered in this manual:

Installation

The MikroTik Packet Packer Protocol feature is included in the “system” package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

MikroTik Packet Packer Protocol Description

The wireless protocol IEEE 802.11 and, to a lesser extent, Ethernet protocol have a high overhead per packet because for each packet it is necessary to access the media, check for errors, resend in case of errors, and send network maintenance messages (network maintenance is only for wireless). The MikroTik Packet Packer Protocol improves network performance by aggregating many small packets into a big packet, thereby minimizing the network per packet overhead cost. The M3P is useful when the average packet size is 50-300 bytes – the common size of VoIP packets.

Specific Properties:

MikroTik Packet Packer Protocol Setup

IP MikroTik Packet Packer Protocol management can be accessed under the /ip packing submenu:

[MikroTik] ip packing>            
  interface  Interface settings   
      print  Show packing settings                                          
        get  get value of property
        set
     export  display the configuration as a set of commands
[MikroTik] ip packing> print                               
    enable-unpacking: yes                    
       expected-size: 28
     aggregated-size: 1500
[MikroTik] ip packing>

Argument description:

enable-unpacking – enables unpacking feature of M3P for all Ethernet like interfaces on the router – should be enabled if you have any interface set to send M3P packets.
expected-size – the average packet size you expect for aggregation, i.e., if your VoIP generates 100 byte packets, this would be the expected size. The protocol uses it to decide whether to wait for another packet to complete the aggregated packet (whose limit is determined by the 'aggregated-size' setting) or to send the aggregated packet immediately even though it has not reached the 'aggregated-size'.
aggregated-size – the maximum size of the aggregated packet. The suggested setting is 1000 bytes and the maximum setting is the MTU size of the interface (generally 1500 bytes).

To see the interface settings use:

[MikroTik] ip packing interface> print
Flags: X - disabled
  #   INTERFACE
  0 X bridge1
  1 X ether1
  2 X Local219
  3   wireless
[MikroTik] ip packing interface>



MikroTik RouterOS Neighbor Discovery Protocol (MNDP)

Document revision 28-Mar-2002
This document applies to the MikroTik RouterOS v2.4 and v2.5

Overview

The MikroTik Neighbor Discovery Protocol (MNDP) eases configuration and management by enabling each MikroTik router to discover other connected MikroTik routers and learn information about the system and features which are enabled. The MikroTik routers can then automatically use set features with minimal or no configuration.

MNDP features:

Contents of the Manual

The following topics are covered in this manual:

Installation

The MikroTik Discovery Protocol feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

MikroTik Discovery Protocol Description

The basic function of MNDP is to assist with automatic configuration of features that are only available between two MikroTik routers. Currently this is used for the 'Packet Packer' feature. The 'Packet Packer' may be enabled on a per-interface basis. MNDP will then keep information about which routers have enabled the 'unpack' feature, and the 'Packet Packer' will be used for traffic between these routers. The MikroTik routers must be connected by an Ethernet-like interface.

Specific Properties:

MikroTik Discovery Protocol Setup

MikroTik Neighbor Discovery Protocol management can be accessed under the /ip neighbor submenu:

[MikroTik] ip neighbour>   
      print  print values of item properties                                                     
       find  finds items by value
        get  get value of item's property
  interface  interfaces
     export  displey the configuration as a set of commands
[MikroTik] ip neighbour> print                                                  
  # INTERFACE  ADDRESS         MAC-ADDRESS       UNPACKING AGE                 
  0 Public     10.5.8.196      00:E0:C5:BC:12:07 yes       23s                 
  1 Public     10.5.8.167      00:E0:4C:39:23:31 yes       0s                  
  2 Public     10.5.8.1        00:80:C8:C9:B0:45 yes       3s                  
[MikroTik] ip neighbor>

Argument description:

INTERFACE – local interface to which the neighbor is connected
ADDRESS – IP address of the neighbor router
MAC-ADDRESS – MAC-address of the neighbor router
UNPACKING – identifies if the interface of the neighbor router is unpacking 'Packed Packets'
AGE – a counter (in seconds) that shows the age of the information

To see the interface settings use:

[MikroTik] ip neighbor interface> print                                        
  # NAME                 DISCOVER
  0 Public               yes     
  1 Local                yes     
[MikroTik] ip neighbor interface>

To change the interface settings, use /ip neighbor interface set command:

[MikroTik] ip neighbor interface> set Public discover=no                       
[MikroTik] ip neighbor interface> print                                        
  # NAME                 DISCOVER
  0 Public               no      
  1 Local                yes     
[MikroTik] ip neighbor interface>



MikroTik RouterOS IP Telephony

Document revision 28-Apr-2002
This document applies to the MikroTik RouterOS V2.5

The MikroTik RouterOS IP Telephony feature enables Voice over IP (VoIP) communications using routers equipped with the following voice port hardware:

Topics covered in this manual:

What's new in V2.5?

The following feature descriptions of V2.5 have been added to the Manual for V2.4:

IP Telephony Specifications

Supported Hardware

The MikroTik RouterOS V2.4 supports the following telephony cards from Quicknet Technologies, Inc. (www.quicknet.net):

For supported ISDN cards please see the ISDN Interface Manual.

The MikroTik RouterOS V2.5 supports the following telephony card from Voicetronix, Inc. (www.voicetronix.com.au): the Voicetronix V4PCI card for connecting four (4) analog telephone lines.

Supported Standards

Implementation Options

The MikroTik IP Telephones and IP Telephony Gateways are interoperable with the following H.323 terminals:

IP Telephony Hardware and Software Installation

Software Packages

The MikroTik Router should have the telephony package installed. To install the package, please upload it to the router and reboot. The package can be downloaded from MikroTik’s web page www.mikrotik.com.

The software package size is 1.2MB; after installation it requires 9.1MB of additional HDD space and 8.8MB of additional RAM. Please make sure you have the required capacity. Use the /system resource print command to see the amount of available resources:

[MikroTik] > system resource print                                             
           uptime: 7m17s
     total-memory: 61240
      free-memory: 32756
         cpu-type: AMD-K6(tm)
    cpu-frequency: 300
        hdd-total: 46474
         hdd-free: 20900
[MikroTik] > 

You may want to increase the amount of RAM from 32MB to 48/64MB if you use telephony. Use the /system package print command to see the list of installed packages:

[MikroTik] > system package print
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 ppp                    2.4.1                 oct/12/2001 10:09:35 no
  1 pptp                   2.4.1                 oct/12/2001 10:10:17 no
  2 pppoe                  2.4.1                 oct/12/2001 10:11:17 no
  3 ssh                    2.4.1                 oct/12/2001 10:16:38 no
  4 isdn                   2.4.1                 oct/12/2001 10:19:04 no
  5 telephony              2.4.1                 oct/12/2001 10:35:03 no
  6 wavelan                2.4.1                 oct/12/2001 10:15:18 no
  7 system                 2.4.1                 oct/12/2001 10:05:27 no
  8 routing                2.4.1                 oct/12/2001 10:07:32 no
  9 snmp                   2.4.1                 oct/12/2001 10:07:58 no
[MikroTik] >

Software License

The telephony feature does not require any additional Software License. It works with the Basic License.

Hardware Installation

Please install the telephony hardware into the PC according to the instructions provided by the card manufacturer. Each installed Quicknet card requires an I/O memory range in the following sequence: the first card occupies addresses 0x300-0x31f, the second card 0x320-0x33f, the third 0x340-0x35f, and so on. Make sure there is no conflict in these ranges with other devices, e.g., network interface cards.

If the MikroTik router will be used as

Please consult the ISDN Manual for more information about installing the ISDN adapters.

IP Telephony Configuration

The IP Telephony requires IP network connection and configuration. The basic IP configuration can be done under the /ip address and /ip route menus.

Configuration of the IP telephony can be accessed under the /ip telephony menu:

[MikroTik] ip telephony> ?
       codec  Audio compression capability management
      export  Export IP Telephony settings
     numbers  Telephone numbers management
      region  Telephony voice port regional setting management
  voice-port  Telephony voice port management
[MikroTik] ip telephony>

Telephony Voice Ports

The management of all IP telephony voice ports (linejack, phonejack, isdn, voip) can be accessed under the /ip telephony voice-port menu. Use the print command to view the list of available telephony voice ports and their configuration.

[MikroTik] ip telephony voice-port> print
Flags: X - disabled
  #   NAME                          AUTODIAL                     TYPE
  0   PBX_Line                                                   linejack
  1   ISDN_GW                                                    isdn
  2   VoIP_GW                                                    voip
[MikroTik] ip telephony voice-port>

Description of arguments:

name - name assigned to the voice port by user.
type - ( phonejack / linejack / isdn / voip ) type of the installed telephony voice port, i.e., PhoneJack or LineJack.
autodial-number - number to be dialed automatically when the voice port is used. The number should be present in the /ip telephony numbers list.

Monitoring the Voice Ports

Monitoring of the voice ports is available for phonejack, linejack, and isdn voice ports. Use the monitor command under the corresponding menu to view the current state of the port, for example:

[MikroTik] ip telephony voice-port linejack> monitor PBX_Line
               status: connection
                 port: phone
            direction: port-to-ip
          line-status: unplugged
         phone-number: 26
    remote-party-name: pbx_20 [10.5.8.12]
                codec: G.723.1-6.4k/hw
             duration: 14s
			 
[MikroTik] ip telephony voice-port linejack>

Argument description:

status - current state of the port
  'on-hook' - the handset is on-hook, no activity
  'off-hook' - the handset is off-hook, the number is being dialed
  'ring' - call in progress, direction of the call is shown by the argument 'direction'
  'connection' - the connection has been established
  'busy' - the connection has been terminated, the handset is still 'off-hook'
port - (only for linejack) the active port of the card
  'phone' - telephone connected to the card (POTS)
  'line' - line connected to the linejack card (PSTN)
direction - direction of the call
  'ip-to-port' - call from the IP network to the voice card
  'port-to-ip' - call from the voice card to an IP address
line-status - (only for linejack) state of the PSTN line
  'plugged' - the telephone line is connected to the PSTN port of the linejack card
  'unplugged' - there is no working line connected to the PSTN port of the linejack card
phone-number - the number which is being dialed
remote-party-name - name and IP address of the remote party
codec - CODEC used for the audio connection
duration - duration of the audio call

Voice-Port Statistics

Voice-port statistics are available for phonejack, linejack, and isdn voice ports. Use the show-stats command under the corresponding menu to view the statistics of current audio connection. If there is no audio connection, all values are zero. For example:

[MikroTik] ip telephony voice-port linejack> show-stats PBX_Line
        round-trip-delay: 5ms
            packets-sent: 617
              bytes-sent: 148080
           max-send-time: 31ms
           avg-send-time: 30ms
           min-send-time: 29ms
        packets-received: 589
          bytes-received: 141360
        max-receive-time: 41ms 
        avg-receive-time: 30ms
        min-receive-time: 19ms
    average-jitter-delay: 59ms
            packets-lost: 0
    packets-out-of-order: 0
        packets-too-late: 2
		
[MikroTik] ip telephony voice-port linejack>

The average-jitter-delay shows the approximate delay time till the received voice packet is forwarded to the driver for playback. The value shown is never less than 30ms, although the actual delay time could be less. If the shown value is >40ms, then it is close (+/-1ms) to the real delay time.

The jitter buffer preserves quality of the voice signal against the loss or delay of packets while traveling over the network. The larger the jitter buffer, the larger the total delay, but fewer packets lost due to timeout. If the jitter-buffer=0, then it is adjusted automatically during the conversation to minimize the number of lost packets. The 'average-jitter-delay' is the approximate average time from the moment of receiving an audio packet from the IP network till it is played back over the telephony voice port.

The total delay from the moment of recording the voice signal till its playback is the sum of the following three delay times:

A voice call can be terminated using the clear-call command in the phonejack, linejack or isdn submenus. If the voice port has an active connection, the command clear-call voiceport terminates it. The command is useful when the termination of a connection has not been detected by one of the parties and there is an "infinite call". It can also be used to terminate someone's call if it is using up the line required for another call.

Voice Port PhoneJack (phonejack) and LineJack (linejack)

All commands relating to the PhoneJacks and LineJacks are listed under the /ip telephony voice-port phonejack and /ip telephony voice-port linejack menus respectively. For example:

[MikroTik] ip telephony voice-port linejack> print                                
Flags: X - disabled 
  0   name=linejack autodial="" playback-volume=-2 record-volume=-2 
      ring-cadence=++-++--- ++-++--- region=us echo-cancellation=yes 
      aec-tail-length=short aec-nlp-threshold=low aec-atten-scaling=4 
      aec-atten-boost=0 

  1   name=linejack_1 autodial="" playback-volume=-2 record-volume=-2 
      ring-cadence=++-++--- ++-++--- region=us echo-cancellation=yes 
      aec-tail-length=short aec-nlp-threshold=low aec-atten-scaling=4 
      aec-atten-boost=0 

[MikroTik] ip telephony voice-port linejack>                                   

Argument descriptions:

name - name given by the user or the default one (phonejack or phonejack_x)
type - (only for phonejack) type of the card (phonejack, phonejack-lite or phonejack-pci), cannot be changed
autodial - phone number which will be dialed immediately after the handset has been lifted. If this number is incomplete, then the remaining part has to be dialed on the dial-pad. If the number is incorrect, busy tone is played. If the number is correct, then the appropriate number is dialed. If it is an incoming call from the PSTN line (linejack), then the 'directcall' mode is used - the line is picked up only after the remote party answers the call.
playback-volume - playback volume in dB, 0dB means no change, possible values are -24...24dB.
record-volume - recording volume in dB, 0dB means no change, possible values are -24...24dB.
ring-cadence - a 16-symbol ring cadence for the phone, each symbol is 0.5 seconds, '+' means ringing, '-' means no ringing.
region - regional setting for the voice port. For phonejack, this setting is used for generating the tones. For linejacks, this setting is used for detecting the parameters of PSTN line, as well as for detecting and generating the tones.
echo-cancellation - echo detection and cancellation. Possible values are 'yes/no'.
If the echo cancellation is on, then the following parameters are used:
aec-tail-length - size of the buffer of echo detection. Possible values are 'short/medium/long'.
aec-nlp-threshold - level of cancellation of silent sounds. Possible values are 'off/low/medium/high'.
aec-atten-scaling - factor of additional echo attenuation. Possible values are 0...10.
aec-atten-boost - level of additional echo attenuation. Possible values are 0, 6, 12 ... 84, 90dB, i.e., should be multipliers of 6.

For linejacks, there is a command blink voiceport, which blinks the LEDs of the specified voice port for five seconds after it is invoked. This command can be used to locate the respective card among several installed linejack cards.

Voice Port ISDN (isdn)

All commands relating to the ISDN voice ports are listed under the /ip telephony voice-port isdn menu. Unlike the phonejack and linejack voice ports, of which there are exactly as many as installed cards, isdn voice ports can be added in any number desired.

[MikroTik] ip telephony voice-port isdn> print
Flags: X - disabled 
  0   name="isdn1" autodial="" region=us msn="136" playback-volume=0 
      record-volume=0 agc-on-playback=no agc-on-record=no software-aec=no 

[MikroTik] ip telephony voice-port isdn>

Argument descriptions:

name - Name given by the user or the default one.
msn - Telephone number of the ISDN voice port (ISDN MSN number). It determines which calls from the ISDN line this voice port should answer.
autodial - phone number which will be dialed immediately after the handset has been lifted. If this number is incomplete, then the remaining part has to be dialed on the dial-pad. If the number is incorrect, busy tone is played. If the number is correct, then the appropriate number is dialed. If it is an incoming call from the ISDN line, then the 'directcall' mode is used - the line is picked up only after the remote party answers the call.
playback-volume - playback volume in dB, 0dB means no change, possible values are -24...24dB.
record-volume - recording volume in dB, 0dB means no change, possible values are -24...24dB.
region - regional setting for the voice port (for generating tones only).
agc-on-playback - ( no / yes ) automatic gain control on playback
agc-on-record - ( no / yes ) automatic gain control on record
software-aec - ( no / yes ) software automatic echo cancellation

Note! Do not forget to load the driver for your ISDN card! Follow the instructions in the ISDN Manual.

Voice Port Voice over IP (voip)

The voip voice ports are virtual ports, which designate a VoIP channel to another host over the IP network. You must have at least one voip voice port to be able to communicate with other H.323 devices over the IP network.

[MikroTik] ip telephony voice-port voip> print detail
Flags: X - disabled
  0   name=VoIP_GW autodial="" address=10.5.8.12 jitter-buffer=50ms
      silence-detection=no prefered-codec=none fast-start=yes

[MikroTik] ip telephony voice-port voip>

Argument description:

name - Name given by the user or the default one.
address - IP address of the remote party (IP telephone or gateway) associated with this voice port. If the call has to be performed through this voice port, then the specified IP address is called. If there is an incoming call from the specified IP address, then the parameters of this voice port are used. If there is an incoming call from an IP address, which is not specified in any of the voip voice port records, then the default record with the address 0.0.0.0 is used. If there is no default record, then default values are used.
autodial - phone number which will be added in front of the telephone number received over the IP network. In most cases it should be blank.
jitter-buffer - size of the jitter buffer, 0...1000ms. The jitter buffer preserves quality of the voice signal against the loss or delay of packets while traveling over the network. The larger the jitter buffer, the larger the total delay, but fewer packets lost due to timeout. If the setting is jitter-buffer=0, the size of it is adjusted automatically during the conversation, to minimize the number of lost packets and the length of the jitter buffer.
silence-detection - if 'yes', silence is detected and no audio data is sent over the IP network during the silence period.
prefered-codec - the preferred codec to be used for this voip voice port. If possible, the specified codec will be used.
fast-start - allow or disallow fast start. Fast start allows the audio connection to be established in a shorter time. However, it is not always possible; therefore, it should be turned off if there are problems using the fast start mode.

Numbers

This is the so-called "routing table" for voice calls. This table assigns numbers to the voice ports.

[MikroTik] ip telephony numbers> print
Flags: I - invalid, X - disabled
  #    DESTINATION-PATTERN      VOICE-PORT              PREFIX
  0    26                       VoIP_GW                 26
[MikroTik] ip telephony numbers>

Argument description:

destination-pattern - pattern of the telephone number. Symbols '.' and '#' designate any digit. The telephone numbers should be unique.
voice-port - voice port to be used when calling the specified telephone number.
prefix - prefix which substitutes the known part of the 'destination-pattern', i.e., the part containing digits, when using this voice port. The 'destination-pattern' argument determines which voice port is used, whereas the 'prefix' argument designates the number to dial over the voice port (the number sent to the remote party). If the remote party is an IP telephony gateway, then this number will be used for making the call.

The main function of the number routing table is to determine:

  1. to which voice port route the call, and
  2. what number to send over to the remote party.

Let us consider the following example for the number table:

[MikroTik] ip telephony numbers> print
Flags: I - invalid, X - disabled
  #    DESTINATION-PATTERN      VOICE-PORT              PREFIX
  0    12345                    XX		     
  1    1111.                    YY		     
  2    22...                    ZZ                      333
  3    ...                      QQ                      55

[MikroTik] ip telephony numbers>

We will analyze the Number Received (nr) - number dialed at the telephone, or received over the line, the Voice Port (vp) - voice port to be used for the call, and the Number to Call (nc) - number to be called over the Voice Port.

If nr=55555, it does not match any of the destination patterns, therefore it is rejected.
If nr=123456, it does not match any of the destination patterns, therefore it is rejected.
If nr=1234, it does not match any of the destination patterns (incomplete for record #0), therefore it is rejected.
If nr=12345, it matches the record #0, therefore number "" is dialed over the voice port XX.
If nr=11111, it matches the record #1, therefore number "1" is dialed over the voice port YY.
If nr=22987, it matches the record #2, therefore number "333987" is dialed over the voice port ZZ.
If nr=22000, it matches the record #2, therefore number "333000" is dialed over the voice port ZZ.
If nr=444, it matches the record #3, therefore number "55444" is dialed over the voice port QQ.

Let us add a few more records:

[MikroTik] ip telephony numbers> print
Flags: I - invalid, X - disabled
  #    DESTINATION-PATTERN      VOICE-PORT              PREFIX
...
  4    222                      KK                      44444
  5    3..                      LL                      553

[MikroTik] ip telephony numbers>

If nr=222 => the best match is the record # 4 => nc=44444, vp=KK.
The 'best match' means that it has the most coinciding digits between the nr and the destination-pattern.
If nr=221 => the best match is the record # 3 => nc=55221, vp=QQ
If nr=321 => the best match is the record # 5 => nc=55321, vp=LL
If nr=421 => matches the record # 3 => nc=55421, vp=QQ
If nr=335 => the best match is the record # 5 => nc=55321, vp=LL

Let us add a few more records:

[MikroTik] ip telephony numbers> print
Flags: I - invalid, X - disabled
  #    DESTINATION-PATTERN      VOICE-PORT              PREFIX
...
  6    33...                    MM                      33
  7    11.                      NN                      7711

[MikroTik] ip telephony numbers>

If nr=335 => incomplete record # 6 => the call is rejected.
Explanation of this case:

The nr=335 fits perfectly both the record # 3 and # 5. The # 5 is chosen as the 'best match' candidate at the moment. Furthermore, there is record # 6, which has two matching digits (more than for # 3 or # 5). Therefore the # 6 is chosen as the 'best match'. However, the record # 6 requires five digits, but the nr has only three. Two digits are missing, therefore the number is incomplete. Two additional digits would be needed to be entered on the dialpad. If the number is sent over from the network, it is rejected.
If nr=325 => matches the record # 5 => nc=55325, vp=LL
If nr=33123 => matches the record # 6 => nc=33123, vp=MM
If nr=123 => incomplete record # 0 => call is rejected
If nr=111 => incomplete record # 1 => call is rejected
If nr=112 => matches the record # 7 => nc=77112, vp=NN
If nr=121 => matches the record # 3 => nc=55121, vp=QQ

It is impossible to add the following records:

[MikroTik] ip telephony numbers> print
Flags: I - invalid, X - disabled
  #    DESTINATION-PATTERN      VOICE-PORT
...                                         reason:
       11                       DD          conflict with record # 7
       11.                      DD          conflict with record # 7
       11..                     DD          conflict with record # 7
       111                      DD          conflict with record # 1
       22.                      DD          conflict with record # 2
       .....                    DD          conflict with record # 3
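The matching and conflict rules walked through above, as an added Python illustration (not RouterOS code). Records 6 and 7 are the ones printed on the page; records 0 to 5 are not shown on the page and are constructed here so that the listed outcomes are reproduced. The reading that a number longer than a pattern does not match it, that nc is the prefix followed by the digits that fell on wildcards, and that two patterns conflict when their literal digits are identical, is an assumption.

```python
"""Dial-plan 'best match' as described in the text (added illustration, not
RouterOS code).  A destination-pattern is literal digits followed by '.'
wildcards, one per remaining digit.  Assumptions: records 0-5 are constructed
(the page only prints 6 and 7); a number longer than a pattern does not match
it; nc = prefix + digits that fell on wildcards; two patterns conflict when
their literal digits are identical; ties go to the lowest record number."""

import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NumberRecord:
    index: int
    pattern: str       # e.g. "33..." : literal "33" plus three wildcard digits
    voice_port: str
    prefix: str = ""

    def __post_init__(self):
        if not re.fullmatch(r"\d*\.*", self.pattern):
            raise ValueError(f"bad destination-pattern {self.pattern!r}")

    @property
    def literal(self) -> str:
        return self.pattern.rstrip(".")


@dataclass(frozen=True)
class Route:
    status: str                 # 'match', 'incomplete' or 'no-match'
    record: Optional[int] = None
    nc: Optional[str] = None    # number called, handed to the voice port
    voice_port: Optional[str] = None
    missing_digits: int = 0     # for 'incomplete': digits still to be dialed


# Constructed sample table: #0-#5 assumed, #6 and #7 as printed on the page.
RECORDS: List[NumberRecord] = [
    NumberRecord(0, "123..", "AA"),
    NumberRecord(1, "111..", "BB"),
    NumberRecord(2, "22",    "CC"),
    NumberRecord(3, "...",   "QQ", "55"),
    NumberRecord(4, "222",   "KK", "44444"),
    NumberRecord(5, "3..",   "LL", "553"),
    NumberRecord(6, "33...", "MM", "33"),
    NumberRecord(7, "11.",   "NN", "7711"),
]


def coinciding_digits(nr: str, rec: NumberRecord) -> Optional[int]:
    """Digits of nr that agree with the record's literal part, or None if the
    record cannot match nr at all (a literal digit differs, or nr is too long)."""
    if len(nr) > len(rec.pattern):
        return None
    lit = rec.literal
    compared = min(len(nr), len(lit))
    if nr[:compared] != lit[:compared]:
        return None
    return compared


def route_number(nr: str, records: List[NumberRecord] = RECORDS) -> Route:
    """Pick the record with the most coinciding digits.  If the number is
    shorter than that record's pattern it is incomplete: the dialpad waits for
    more digits, while a number received from the network is rejected."""
    best: Optional[NumberRecord] = None
    best_score = -1
    for rec in records:
        score = coinciding_digits(nr, rec)
        if score is not None and score > best_score:
            best, best_score = rec, score
    if best is None:
        return Route("no-match")
    if len(nr) < len(best.pattern):
        return Route("incomplete", best.index,
                     missing_digits=len(best.pattern) - len(nr))
    nc = best.prefix + nr[len(best.literal):]
    return Route("match", best.index, nc, best.voice_port)


def conflicting_record(pattern: str,
                       records: List[NumberRecord] = RECORDS) -> Optional[int]:
    """Index of an existing record the new pattern would conflict with (same
    literal digits), or None if the pattern can be added."""
    literal = pattern.rstrip(".")
    for rec in records:
        if rec.literal == literal:
            return rec.index
    return None


if __name__ == "__main__":
    for nr in ("222", "221", "335", "33123", "123", "112"):
        print(nr, route_number(nr))
    for pat in ("11", "11.", "111", "22.", "....."):
        print(pat, "conflicts with record #", conflicting_record(pat))
```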

Regional Settings

Regional settings are used to adjust the voice port properties to the PSTN system or the PBX. For example, to detect a hang-up from the line, the LineJACK card needs the correct regional setting: the busy-tone-filter frequency and the busy-tone-cadence must be set for the region in which the LineJACK card is used.

Regional settings are managed under the /ip telephony region menu:

[MikroTik] ip telephony region> print
Flags: P - predefined 
  0 P name="us" data-access-arrangement=us dial-tone-frequency=350x0,440x0 
      dial-tone-filter=350-440 busy-tone-frequency=480x0,620x0 
      busy-tone-filter=480-620 busy-tone-cadence=500,500,500,500 
      ring-tone-frequency=480x0,440x0 ring-tone-filter=440-480 
      ring-tone-cadence=2000,4000 

  1 P name="uk" data-access-arrangement=uk dial-tone-frequency=350x0,440x0 
      dial-tone-filter=350-440 busy-tone-frequency=400x0 busy-tone-filter=400 
      busy-tone-cadence=375,375,375,375 ring-tone-frequency=400x0,450x0 
      ring-tone-filter=400-450 ring-tone-cadence=400,200,400,2000 

  2 P name="france" data-access-arrangement=france dial-tone-frequency=440x0 
      dial-tone-filter=440 busy-tone-frequency=440x0 busy-tone-filter=440 
      busy-tone-cadence=250,250,250,250 ring-tone-frequency=440x0 
      ring-tone-filter=440 ring-tone-cadence=1500,3500 
  ...

Argument description:

flag - (P) predefined, cannot be changed or removed. Users can add their own regional settings, which can be changed and removed.
name - Name of the regional setting
busy-tone-cadence - Busy tone cadence in ms (0 - end of cadence)
busy-tone-filter - Busy tone detection frequency Hz, or 'off'
busy-tone-frequency - Frequency and volume gain of busy tone Hz x dB
data-access-arrangement - ( australia / france / germany / japan / uk / us ) Ring voltage, impedance setting for line-jack card.
dial-tone-filter - Dial tone detection frequency Hz, or 'off'
dial-tone-frequency - Frequency and volume gain of dial tone Hz x dB
ring-tone-cadence - Ring tone cadence in ms (0 - end of cadence)
ring-tone-filter - Ring tone detection frequency Hz
ring-tone-frequency - Frequency and volume gain of ring tone Hz x dB

For generating a tone, the frequency and cadence arguments are used. For recognizing a tone, the filter and cadence arguments are used. If the filter is set to 'off', the tone is not detected. The dial tone is always a continuous signal, therefore it does not have a cadence argument. When detecting the dial tone, it should be at least 100ms long.

Sometimes it is necessary to add an additional regional setting matching the properties of a particular PBX. Use the add command to add a new regional setting:

[MikroTik] ip telephony region> add
Creates new item with specified property values.
        busy-tone-cadence  Busy tone cadence in ms (0 - end of cadence)
         busy-tone-filter  Busy tone detection frequency Hz
      busy-tone-frequency  Frequency and volume gain of busy tone Hz x dB
                copy-from  Item number
  data-access-arrangement  Ring voltage, impedance setting for line-jack card
         dial-tone-filter  Dial tone detection frequency Hz
      dial-tone-frequency  Frequency and volume gain of dial tone Hz x dB
                     name  New regional setting name
        ring-tone-cadence  Ring tone cadence in ms (0 - end of cadence)
         ring-tone-filter  Ring tone detection frequency Hz
      ring-tone-frequency  Frequency and volume gain of ring tone Hz x dB
[MikroTik] ip telephony region>

To change, for example, the volume gain of both dial tone frequencies to -6dB for a user defined region 'office', you need to enter the command:

[MikroTik] ip telephony region> set office dial-tone-frequency=350x-6,440x-6

Audio CODEC

The available Audio Coding and Decoding Protocols (CODEC) are listed under /ip telephony codec menu:

[MikroTik] ip telephony codec> print
Flags: X - disabled
  #   NAME
  0   G.723.1-6.4k/hw
  1   G.728-16k/hw
  2   G.711-ALaw-64k/hw
  3   G.711-uLaw-64k/hw
  4   G.711-uLaw-64k/sw
  5   G.711-ALaw-64k/sw
  6   G.729A-8k/sw
  7   G.723.1-6.4k/sw
  8   GSM-06.10-13.2k/sw
  9   LPC-10-2.5k/sw
[MikroTik] ip telephony codec>

CODECs are listed according to their priority of use. The highest priority is at the top. CODECs can be enabled, disabled and moved within the list. When connecting with other H.323 systems, the protocol will negotiate the CODEC which both of them support according to the priority order.

The hardware codecs (/hw) are built-in CODECs supported by Quicknet cards. If an ISDN card is used, then the hardware CODECs are ignored, only software CODECs (/sw) are used.

The choice of the CODEC type is based on the throughput and speed of the network. Better audio quality can be achieved by using a CODEC that requires higher network throughput. The highest audio quality can be achieved by using the G.711-uLaw CODEC, which requires 64kb/s throughput for each direction of the call. It is used mostly within a LAN. The G.723.1 CODEC is the most popular one for audio connections over the Internet. It requires only 6.4kb/s throughput for each direction of the call.

IP Telephony Troubleshooting

IP Telephony Applications

The following describes examples of some useful IP telephony applications using the MikroTik RouterOS Quicknet telephony cards or ISDN cards.

Let us consider the following example setup of an IP telephony gateway, one MikroTik IP telephone, and one Welltech LAN Phone 101:

Setting up the MikroTik IP Telephone

The QuickNet LineJACK or PhoneJACK card and the MikroTik RouterOS telephony package should be installed in the MikroTik router (IP telephone) 10.0.0.22. An analog telephone should be connected to the 'phone' port of the QuickNet card. If you pick up the handset, a busy tone (no telephony configuration yet) or a dialtone should be heard.

The basic telephony configuration should be as follows:

  1. Add a voip voice port to the /ip telephony voice-port voip for each of the devices you want to call, or want to receive calls from, i.e., the IP telephony gateway 10.1.1.12 and the Welltech IP telephone 10.5.8.2:

    [Joe] ip telephony voice-port voip>
    add name=gw remote-address=10.1.1.12
    add name=robert remote-address=10.5.8.2
    [Joe] ip telephony voice-port voip> print                                      
    Flags: X - disabled, D - dynamic, R - registered 
      #    NAME      AUTODIAL REMOTE-ADDRESS  JITTER-BUFFER PREFERED-CODEC  SIL FAS
      0    gw                 10.1.1.12       100ms         none            no  yes
      1    robert             10.5.8.2        100ms         none            no  yes
    [Joe] ip telephony voice-port voip>  
    
    You should have three voice ports now:
    [Joe] ip telephony voice-port> print                                    
    Flags: X - disabled 
      #   NAME                          TYPE           AUTODIAL                    
      0   linejack1                     linejack                                   
      1   gw                            voip                                       
      2   robert                        voip                                       
    [Joe] ip telephony voice-port>  
    
  2. Add at least one unique number to the /ip telephony numbers for each voice port. This number will be used to call that port:

    [Joe] ip telephony numbers>
    add dst-pattern=31 voice-port=robert
    add dst-pattern=33 voice-port=linejack1
    add dst-pattern=1. voice-port=gw prefix=1
    [Joe] ip telephony numbers> print                                              
    Flags: I - invalid, X - disabled, D - dynamic, R - registered 
      #     DST-PATTERN             VOICE-PORT              PREFIX                 
      0     31                      robert                                         
      1     33                      linejack1                                      
      2     1.                      gw                      1                      
    [Joe] ip telephony numbers>  
    

    Here, the dst-pattern=31 is to call the Welltech IP Telephone, if the number '31' is dialed on the dialpad.
    The dst-pattern=33 is to ring the local telephone, if a call for number '33' is received over the network.
    Anything starting with digit '1' would be sent over to the IP Telephony gateway.

Making calls from the IP telephone 10.0.0.224:

Use the telephony logging feature to debug your setup.

Setting up the IP Telephony Gateway

The QuickNet LineJACK card and the MikroTik RouterOS telephony package should be installed in the MikroTik router (IP telephony gateway) 10.1.1.12. A pbx line should be connected to the 'line' port of the QuickNet LineJACK card. The LED next to the 'line' port should be green, not red.

The IP telephony gateway [voip_gw] requires the following configuration:

  1. Set the regional setting to match our PBX. The 'mikrotik' seems to be best suited:

    [voip_gw] ip telephony voice-port linejack> set linejack1 region=mikrotik   
    [voip_gw] ip telephony voice-port linejack> print                           
    Flags: X - disabled 
      0   name="linejack1" autodial="" region=mikrotik playback-volume=0 
          record-volume=0 ring-cadence="++-++--- ++-++---" agc-on-playback=no 
          agc-on-record=no aec=yes aec-tail-length=short aec-nlp-threshold=low 
          aec-attenuation-scaling=4 aec-attenuation-boost=0 software-aec=no 
    
    [voip_gw] ip telephony voice-port linejack>
    

  2. Add a voip voice port to the /ip telephony voice-port voip for each of the devices you want to call, or want to receive calls from, i.e., the IP telephone 10.0.0.224 and the Welltech IP telephone 10.5.8.2:

    [voip_gw] ip telephony voice-port voip>
    add name=joe remote-address=10.0.0.224
    add name=robert remote-address=10.5.8.2 prefered-codec=G.723.1-6.4k/hw
    [voip_gw] ip telephony voice-port voip> print
    Flags: X - disabled, D - dynamic, R - registered 
      #    NAME      AUTODIAL REMOTE-ADDRESS  JITTER-BUFFER PREFERED-CODEC  SIL FAS
      0    joe                10.0.0.224      100ms         none            no  yes
      1    robert             10.5.8.2        100ms         G.723.1-6.4k/hw no  yes
    [voip_gw] ip telephony voice-port voip>
    
  3. Add number records to the /ip telephony numbers, so you are able to make calls:

    [voip_gw] ip telephony numbers>
    add dst-pattern=31 voice-port=robert prefix=31
    add dst-pattern=33 voice-port=joe prefix=33
    add dst-pattern=1. voice-port=linejack1 prefix=1
    [voip_gw] ip telephony numbers> print
    Flags: I - invalid, X - disabled, D - dynamic, R - registered 
      #     DST-PATTERN             VOICE-PORT              PREFIX                 
      0     31                      robert                  31                     
      1     33                      joe                     33                     
      2     1.                      linejack1               1                      
    [voip_gw] ip telephony numbers>
    

Making calls through the IP telephony gateway:

Setting up the Welltech IP Telephone

Please follow the documentation from www.welltech.com.tw on how to set up the Welltech LAN Phone 101. Here we give just brief recommendations:

  1. We recommend upgrading the Welltech LAN Phone 101 to the latest application software. Telnet to the phone and check what you have, for example:

    usr/config$ rom -print
    
    Download Method  :  TFTP
     Server Address  :  10.5.8.1
    
       Hardware Ver. :  4.0
           Boot Rom  :  nblp-boot.102a
    Application Rom  :  wtlp.108h
            DSP App  :  48302ce3.127
         DSP Kernel  :  48302ck.127
      DSP Test Code  :  483cbit.bin
      Ringback Tone  :  wg-ringbacktone.100
          Hold Tone  :  wg-holdtone10s.100
      Ringing Tone1  :  ringlow.bin
      Ringing Tone2  :  ringmid.bin
      Ringing Tone3  :  ringhi.bin
    
    usr/config$ 
    

  2. Check if you have the codecs arranged in the desired order:

    usr/config$ voice -print
    Voice codec setting relate information
        Sending packet size  : 
                G.723.1      : 30 ms
                G.711A       : 20 ms
                G.711U       : 20 ms
                G.729A       : 20 ms
                G.729        : 20 ms
        Priority order codec : 
                g7231 g711a g711u g729a g729 
        Volume levels        : 
                voice volume : 54
                input gain   : 26
                 dtmf volume : 23
    Silence suppression & CNG: 
                G.723.1      : Off
        Echo canceller       : On 
     JitterBuffer Min Delay  : 90
     JitterBuffer Max Delay  : 150
    usr/config$ 
    
  3. Make sure you have set the H.323 operation mode to phone to phone (P2P), not gatekeeper (GK):

    usr/config$ h323 -print
    H.323 stack relate information
        RAS mode               : Non-GK mode
        Registered e164        : 31
        Registered H323 ID     : Robert
        RTP port               : 16384
        H.245 port             : 16640
        Allocated port range   :
                  start port   : 1024
                  end port     : 65535
        Response timeOut       : 5
        Connect  timeOut       : 5000
    usr/config$ 
    
  4. Add the gateway's address to the phonebook:

    usr/config$ pbook -add name gw ip 10.1.1.12      
    usr/config$ 
    This may take a few seconds, please wait....
    
    Commit to flash memory ok!
    
    usr/config$ pbook -print
    index   Name                 IP                    E164
    ======================================================================
    1       gw                   10.1.1.12                                 
    ----------------------------------------------------------------------
    usr/config$ 
    

Making calls from the IP telephone 10.5.8.2:

Use the telephony logging feature on the gateway to debug your setup.

Setting up the MikroTik Router and CISCO Router

Here are some hints on how to get a working configuration for telephony calls between a CISCO and a MikroTik router.

Tested on:

Configuration on the MikroTik side:

Configuration on the CISCO side:

For reference, the following is an exported CISCO configuration that works:

!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
logging rate-limit console 10 except errors
enable secret 5 $1$bTMC$nDGl9/n/pc3OMbtWxADMg1
enable password 123
!
memory-size iomem 25
ip subnet-zero
no ip finger
!
call rsvp-sync
voice rtp send-recv
!
voice class codec 1
 codec preference 1 g711ulaw
 codec preference 2 g723r63
!
interface FastEthernet0
 ip address 10.0.0.101 255.255.255.0
 no ip mroute-cache
 speed auto
 half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
no ip http server
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
voice-port 0/0
!
voice-port 0/1
!
voice-port 2/0
!
voice-port 2/1
!
dial-peer voice 1 pots
 destination-pattern 101
 port 0/0
!
dial-peer voice 97 voip
 destination-pattern 097
 session target ipv4:10.0.0.97
 codec g711ulaw
!
dial-peer voice 98 voip
 destination-pattern 098
 voice-class codec 1
 session target ipv4:10.0.0.98
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password 123
 login
!
end



MikroTik RouterOS IPSec

Document revision 16-Jul-2002
This document applies to the MikroTik RouterOS V2.6

Overview

IPSec (IP Security) supports secure communications over IP networks.

Contents of the Manual

The following topics are covered in this manual:

Installation

Please download the ipsec-2.x.npk package from the MikroTik's web site, upload the package to the router and reboot.

Use the /system package print command to see the list of installed packages.

Hardware Resource Usage

To be updated.

DHCP Description

Coming soon.

IPSec Setup

How IPsec works

TX:

After a packet is src-natted, but before it is put into the interface queue, 
the IPsec policy database is consulted to find out if the packet should be 
encrypted. The Security Policy Database (SPD) consists of an ordered list of 
rules that have two parts - a packet matching part and an action part. The 
packet source/destination, protocol and ports (for TCP and UDP) are compared to 
the values in the policy rules, one after another. If a rule matches, the action 
specified in the rule is performed. Actions can be "accept" - to continue 
with the packet as if there was no IPsec, "drop" to drop the packet, or "encrypt" 
to encrypt it.

Each SPD rule can have several security associations (SA) associated with 
it. SA tells exactly how packet should be encrypted (key, algorithm, SPI).

Note that a packet can only be encrypted if there is a usable SA for the policy 
rule. By setting the SPD rule security "level" the user can control what happens 
when there is no valid SA for the policy rule:
level "use" - if there is no valid SA, send the packet unencrypted (like an 
"accept" rule);
level "acquire" - send the packet unencrypted, but ask the IKE daemon to 
establish a new SA;
level "require" - drop the packet, and ask the IKE daemon to establish a new SA.

If the packet can be encrypted, it is encrypted and sent as a LOCALLY 
ORIGINATED packet - i.e. it is processed with the "output" firewall, src-nat 
again and the IPsec SPD again (this way one packet can be encrypted several 
times if the encrypted packet itself has to be sent over an encrypted tunnel). If 
the packet matches the same SPD rule that it matched before, it is sent out 
without encrypting (to avoid encryption loops).

RX:

When an encrypted packet is received for the local host (after dst-nat and the
"input" filter), the appropriate SA to decrypt it is looked up (using the packet
source, destination, security protocol and SPI value). If no SA is found, the
packet is dropped. If an SA is found, the packet is decrypted. Then the decrypted
packet's fields are compared to the policy rule that the SA is linked to. If the
packet does not match the policy rule, it is dropped. If the packet is decrypted 
fine (or authenticated fine) it is "received once more" - it goes through dst-nat 
and routing (which finds out what to do - either forward or deliver 
locally) again.

Note that right before the "forwarding" and "input" firewall chains, a packet
that was not decrypted on the local host is compared against the SPD to see
whether it should have been encrypted. To do this check, the matching values
from the SPD rule are reversed. If it should have been encrypted (there is a
valid SA associated with the matching SPD rule), the packet is dropped. This is
called the incoming policy check.

IKE traffic

To avoid problems with IKE packets hitting some SPD rule that requires them to 
be encrypted with a not yet established SA (which that packet is perhaps trying 
to establish), locally originated packets with UDP source port 500 are not 
processed with the SPD. In the same way, packets with UDP destination port 500 
that are to be delivered locally are not processed in the incoming policy 
check.
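The transmit lookup, the three security levels, re-encryption with loop avoidance, the incoming policy check and the IKE exception described above, modelled as an added Python simulation (not RouterOS code); the rule names, the sample SPD of R1 and the 'sas' list standing in for usable security associations are assumptions.

```python
"""Simulation of the RouterOS IPsec packet path described in the text: ordered
SPD lookup on transmit, security levels, SPD re-run on the encrypted packet
(stopping when the same rule matches again), incoming policy check with
reversed matching, and the UDP port 500 exception for IKE.  Added
illustration, not RouterOS code; rule names and the 'sas' list standing in
for usable security associations are assumptions."""

import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # 'tcp', 'udp', 'icmp', 'esp', ...
    sport: int = 0      # ports are only looked at for tcp/udp
    dport: int = 0


@dataclass
class Policy:
    name: str
    src: str                  # A.B.C.D/M, written for OUTGOING packets
    dst: str
    proto: str = "all"        # protocol name or 'all'
    action: str = "encrypt"   # accept | drop | encrypt
    level: str = "require"    # use | acquire | require
    sa_src: str = ""          # outer IP header of tunnel-mode packets
    sa_dst: str = ""
    sas: List[int] = field(default_factory=list)   # SPIs of usable SAs

    def matches(self, pkt: Packet, reverse: bool = False) -> bool:
        # The incoming policy check compares the rule with src/dst swapped.
        src, dst = (pkt.dst, pkt.src) if reverse else (pkt.src, pkt.dst)
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("all", pkt.proto))


def lookup(spd: List[Policy], pkt: Packet, reverse: bool = False) -> Optional[Policy]:
    """The SPD is ordered: the first rule that matches wins."""
    return next((p for p in spd if p.matches(pkt, reverse)), None)


def outbound(spd: List[Policy], pkt: Packet) -> Tuple[str, Optional[Policy], bool]:
    """TX decision after src-nat: (disposition, matched rule, ask IKE for an SA).
    disposition is 'pass' (go on as if there were no IPsec), 'drop' or 'encrypt'."""
    if pkt.proto == "udp" and pkt.sport == 500:
        return "pass", None, False            # locally originated IKE skips the SPD
    pol = lookup(spd, pkt)
    if pol is None or pol.action == "accept":
        return "pass", pol, False
    if pol.action == "drop":
        return "drop", pol, False
    if pol.sas:
        return "encrypt", pol, False
    # action=encrypt but no usable SA: the security level decides.  Note that
    # both 'use' and 'acquire' let the packet leave in the clear.
    return {"use": ("pass", pol, False),
            "acquire": ("pass", pol, True),
            "require": ("drop", pol, True)}[pol.level]


def send(spd: List[Policy], pkt: Packet) -> Tuple[str, List[str]]:
    """Whole TX path.  An encrypted packet is handled as a locally originated
    one and goes through the SPD again, so it can be encrypted several times
    (tunnel inside tunnel); a rule that already matched is not applied twice."""
    applied: List[str] = []
    while True:
        disposition, pol, _ = outbound(spd, pkt)
        if disposition != "encrypt":
            return disposition, applied
        if pol.name in applied:
            return "pass", applied            # same rule again: send as it is
        applied.append(pol.name)
        pkt = Packet(pol.sa_src, pol.sa_dst, "esp")   # new outer header


def incoming_policy_check(spd: List[Policy], pkt: Packet) -> str:
    """For a plaintext packet that was NOT decrypted on this host: drop it if a
    reversed rule with a valid SA says it should have arrived encrypted."""
    if pkt.proto == "udp" and pkt.dport == 500:
        return "accept"                       # IKE exception on the receive side
    pol = lookup(spd, pkt, reverse=True)
    if pol is not None and pol.action == "encrypt" and pol.sas:
        return "drop"
    return "accept"


# Constructed SPD of R1 (1.0.0.1) for the R1/R2 setup drawn above (assumption).
R1_SPD = [
    Policy("lan-tunnel", "10.1.0.0/24", "10.2.0.0/24",
           sa_src="1.0.0.1", sa_dst="1.0.0.2", sas=[258]),
    Policy("host-host", "1.0.0.1/32", "1.0.0.2/32",
           sa_src="1.0.0.1", sa_dst="1.0.0.2", sas=[260]),
    Policy("no-sa-yet", "10.1.0.0/24", "10.3.0.0/24", proto="udp", level="use"),
]
```

With this SPD a LAN-to-LAN packet is encrypted by "lan-tunnel", the resulting ESP packet from 1.0.0.1 to 1.0.0.2 is encrypted once more by "host-host", and the third pass stops because "host-host" already matched.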


Configuring IPsec

  What configuration can be found under /ip ipsec: 

policy - set up security policies
installed-sa - look at currently installed security associations
manual-sa - templates for manual security associations
peer - IKE peer configuration
pre-shared-secret - to authenticate with IKE peers
key - keys for manual security associations
proposal - phase2 IKE proposal settings

  To get IPsec to work with automatic keying you will have to configure
policy, peer, pre-shared-secret and proposal entries. For manual keying you
will have to configure policy, manual-sa and key entries.

  Examples below assume following setup:

10.1.0.0/24 -------    1.0.0.0/24   ------- 10.2.0.0/24
-----------|1.0.0.1|---------------|1.0.0.2|-----------
            -------                 -------
              R1                       R2

Policy

src-address - A.B.C.D/M:P
dst-address - A.B.C.D/M:P
protocol - name or number of protocol
  These three settings form the matching part of the policy. You always configure
them to match outgoing packets. If you want to encrypt all UDP packets that
are sent from R1 to R2 you add to R1 the policy:
  src-address=1.0.0.1/32 dst-address=1.0.0.2/32 protocol=udp
and it will match both outgoing 1.0.0.1->1.0.0.2 and incoming 1.0.0.2->1.0.0.1
UDP packets on R1.

action - What to do with packet that matches policy. Choices are:
  accept - pass the packet. This is default action when no policies are
           configured.
  drop - drop the packet.
  encrypt - apply the transformations specified by this policy and its security
            associations (see below)

dont-fragment - default value works OK.
  This setting says what value DF bit will have in packet after encryption.
  It is good to have DF cleared so that encrypted packets that always are
  bigger than original packets can be fragmented if needed.

tunnel - 'yes' if you want to use tunnel mode. In tunnel mode all packets are
  IPIP encapsulated, and their new IP header src and dst are set to sa-src and
  sa-dst values of this policy. If you don't use tunnel mode (i.e. you use
  transport mode), then only packets whose source and destination is the same
  as sa-src and sa-dst can be processed by this policy. Transport mode
  can only work with packets that originate at and are destined for IPsec
  peers (hosts that established security associations). To encrypt traffic
  between networks (or network and host) you have to use tunnel mode.

ipsec-protocols - One of "ah", "esp", "ah,esp". Specifies what combination of
  Authentication Header and Encapsulating Security Payload protocols you want
  to apply to matched traffic. AH is applied after ESP, and in case of tunnel
  mode ESP will be applied in tunnel mode and AH - in transport mode.

level - What to do if some of the required SAs for this policy cannot be found:
  use - skip this transform, don't drop packet, don't acquire SA from IKE
        daemon.
  acquire - skip this transform, but acquire SA for it from IKE daemon.
  require - drop packet, acquire SA.

sa-src - SA source
sa-dst - SA destination
  These two fields are used by SA to construct header for encrypted package.
manual-sa - Name of manual-sa template that will be used to create SAs for
  this policy, or 'none' if you don't want to set up any manual keys.
proposal - Name of proposal info that will be sent by IKE daemon to
  establish SAs for this policy.

  If you are using IKE to establish SAs automatically, then policies on both
routers must be exactly matching, i.e. src-address=1.2.3.0/27 on one router and
dst-address=1.2.3.0/28 on another won't work. src values on one router must
be equal to dst values on the other one, and vice versa.

Peer

  There you configure settings that will be used to establish connections
between IKE daemons (phase1 configuration). This connection then will be used
to negotiate keys and algorithms for SAs. These parameters won't affect the
established SAs in any way.

address - address of remote 
auth-method - currently only 'pre-shared-secret' supported
dh-group - choose 'modp1024', EC are not expected to work, others may fail.
enc-algorithm - leave it at '3des'.
exchange-mode - 'main', 'aggressive' or 'base'. See RFC 2408 for a nice
                overview of ISAKMP phase 1 exchange modes. Currently only main
                mode is tested.
hash-algorithm - 'md5' or 'sha'
nonce-size - 8...256 bytes. Default 16 is OK.
proposal-check - Lifetime check logic. This is for phase 2 lifetimes (note that
                 you cannot configure lifetimes for phase 1 proposals yet).
                 One of:
  claim - take shortest of proposed and configured lifetimes, notify initiator
          about it.
  exact - lifetimes must be the same.
  obey - accept whatever is sent by initiator.
  strict - If initiator proposes longer lifetime than default, reject proposal,
           otherwise accept proposed lifetimes. The default. Works well.
           Don't change it.
send-initial-contact - 'yes'

Pre-shared-secret

  For IKE peers to know each other they must have same pre-shared-secret
configured on them. It's kind of like passwords. For R1 and R2 it would be
like, on R1:
  #   ADDRESS         SECRET                                                  
  0   1.0.0.2         gwejimezyfopmekun
and on R2:
  #   ADDRESS         SECRET                                                  
  0   1.0.0.1         gwejimezyfopmekun

address - address of remote peer.
ident-string - identity string of remote peer.
  Secret is matched by either one, but is sent using only address identity
type.
secret - secret string. If it starts with '0x', it is parsed as a hexadecimal
         value.

Key

  Keys are kept separately only to spare you some typing. They are part of
manual-sa configuration.

algorithm - one of the following:
  3des - 192 bit key.
  aes - 128, 192 or 256 bit key.
  des - 64 bit key.
  md5 - 128 bit key.
  null - any key length.
  sha1 - 160 bit key.
length - length of key in bits. Must be valid value for chosen algorithm.
key - hexadecimal value of key (without leading '0x'). It might have more bits
      than specified in 'length' - it will be truncated.
name - name of this key, used to reference it from manual-sa.

Manual-sa

ah-key - incoming-authentication-key/outgoing-authentication-key
ah-spi - incoming-SA-SPI/outgoing-SA-SPI
esp-auth-key - incoming-authentication-key/outgoing-authentication-key
esp-enc-key - incoming-encryption-key/outgoing-encryption-key
esp-spi - incoming-SA-SPI/outgoing-SA-SPI
name - name of item for reference from policies.

  Example setup (assuming they both have the same key configuration),
on R1:
  1   name="sa1" ah-key=auth-key1 esp-enc-key=enc-key1/enc-key2
      esp-auth-key=none ah-spi=256/257 esp-spi=258/259 

on R2:
  1   name="sa1" ah-key=auth-key1 esp-enc-key=enc-key2/enc-key1
      esp-auth-key=none ah-spi=257/256 esp-spi=259/258 

  Notice that incoming SPI numbers on one router must match outgoing SPI
numbers on another, and vice versa. Same for keys.
  You can reference same manual-sa template from several policies, because
actual SAs are inserted based on info in policies (AH, ESP) as well as in
this template, as well as in key config. Also, each SA is distinguished by
its source (sa-src), destination (sa-dst), protocol (AH or ESP), SPI and
direction.

Proposal

algorithms - comma separated string of the following:
  enc-null, enc-des, enc-3des, enc-aes-128, enc-aes-192, enc-aes-256,
  auth-md5, auth-sha1, auth-null.
  It specifies what algorithms and key lengths to use for SAs that will be
acquired from IKE daemon by policy that references this proposal. It is wise
to specify one enc- and one auth- value.
lifebyte - how many bytes to encrypt using SA before throwing it out and making
  new one. 0 means SA won't expire based on byte count. Default.
lifetime - how long to use SA before throwing it out. See also proposal-check
           in peer config.
name - name of proposal for referencing it from policy.
pfs-group - Diffie-Hellman group used for Perfect Forward Secrecy. Untested.
            Ignore this parameter for now.

  Proposals on both peers must (at least partially) match. The more they match
the better.
 
Installed-sa

  Prints a lot of pretty numbers about each installed SA. Including keys.

IPSec Setup Between MikroTik and CISCO Routers

Example of configuring IPsec between RouterOS and Cisco
-------------------------------------------------------

Network setup:

10.0.0.0/24 Ethernet
      |
RouterOS (IP: on eth 10.0.0.18, on sync 10.0.1.1)
      |
synchronous link (to be encrypted)
      |
Cisco (IP: on sync 10.0.1.2, on eth 10.0.2.254)
      |
10.0.2.0/24 Ethernet


IPsec encryption must be configured for traffic between the 10.0.0.0/24 and 
10.0.2.0/24 subnets.

Configuring RouterOS
--------------------

Add encryption proposal (phase2 proposal - settings that will be used to
encrypt actual data), we will use DES to encrypt data and SHA1 to
authenticate:

[admin@MikroTik] ip ipsec proposal> add name=to_cisco pfs-group=none 
algorithms=enc-des,auth-sha1

Add peer (with phase1 configuration parameters), DES and SHA1 will be used 
to protect IKE traffic:

[admin@MikroTik] ip ipsec peer> add address=10.0.1.2 enc-algorithm=des 
auth-method=pre-shared-key hash-algorithm=sha dh-group=modp1024

Add preshared secret to use when talking to Cisco:

[admin@MikroTik] ip ipsec pre-shared-secret> add secret=test_key 
address=10.0.1.2

Add policy rule that matches traffic between subnets and requires 
encryption with ESP in tunnel mode:

[admin@MikroTik] ip ipsec policy> add src-address=10.0.0.0/24 
dst-address=10.0.2.0/24 protocol=all action=encrypt ipsec-protocols=esp 
level=require tunnel=yes sa-src=10.0.1.1 sa-dst=10.0.1.2 proposal=to_cisco


Configuring Cisco:
------------------

Parts from Cisco configuration with comments follow...

! Configure ISAKMP policy (phase1 config, must match configuration 
! of "/ip ipsec peer" on RouterOS). Note that DES is default (and only)
! encryption algorithm on this Cisco. SHA1 is default authentication
! algorithm
crypto isakmp policy 10
 authentication pre-share
 group 2

! Add preshared key to be used when talking to RouterOS
crypto isakmp key test_key address 10.0.1.1       

! Create IPsec transform set - transformations that should be applied to
! traffic - ESP encryption with DES and ESP authentication with SHA1
! This must match "/ip ipsec proposal"
crypto ipsec transform-set myset esp-des esp-sha-hmac

! Create access list that matches traffic that should be encrypted
access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.0.255

! Create crypto map that will use transform set "myset", use peer 10.0.1.1
! to establish SAs and encapsulate traffic and use access-list 101 to
! match traffic that should be encrypted
crypto map mymap 10 ipsec-isakmp   
 set peer 10.0.1.1
 set transform-set myset 
 match address 101

! And finally apply crypto map to serial interface:
interface Serial1
 crypto map mymap


Testing
-------

After this, simply ping from some host in one network to some host in the other 
network - after some time (~10 sec) replies should start coming back, 
because the SAs are established and the data is being encrypted.

On RouterOS we can see installed SAs:

[admin@MikroTik] > ip ipsec installed-sa print 
  0 spi=9437482 replay=4 state=mature auth-algorithm=sha1hmac 
    enc-algorithm=descbc flags="" src-address=10.0.1.1 dst-address=10.0.1.2 
    policy-id=1 xform-index=0 auth-key-length=160 
    auth-key="9cf2123b8b5add950e3e67b9eac79421d406aa09" enc-key-length=64 
    enc-key="ffe7ec65b7a385c3" sa-type=esp direction=out 
    current-addtime=jul/12/2002 16:13:21 current-usetime=jul/12/2002 16:13:21 
    current-bytes=71896 add-lifetime=24m/30m use-lifetime=0s/0s lifebytes=0/0 
    

  1 spi=319317260 replay=4 state=mature auth-algorithm=sha1hmac 
    enc-algorithm=descbc flags="" src-address=10.0.1.2 dst-address=10.0.1.1 
    policy-id=1 xform-index=0 auth-key-length=160 
    auth-key="7575f5624914dd312839694db2622a318030bc3b" enc-key-length=64 
    enc-key="633593f809c9d6af" sa-type=esp direction=in 
    current-addtime=jul/12/2002 16:13:21 current-usetime=jul/12/2002 16:13:21 
    current-bytes=0 add-lifetime=24m/30m use-lifetime=0s/0s lifebytes=0/0 


And on Cisco:
interface: Serial1
    Crypto map tag: mymap, local addr. 10.0.1.2

   local  ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   current_peer: 10.0.1.1
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1810, #pkts encrypt: 1810, #pkts digest 1810
    #pkts decaps: 1861, #pkts decrypt: 1861, #pkts verify 1861
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.1.2, remote crypto endpt.: 10.0.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 1308650C

     inbound esp sas:
      spi: 0x90012A(9437482)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4607891/1034)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x1308650C(319317260)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4607893/1034)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
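
The point of the two listings above is that the same SAs must appear on both peers: the SPI that RouterOS shows as direction=out is the one the Cisco side lists under inbound esp sas (9437482 = 0x90012A), and vice versa (319317260 = 0x1308650C), with esp-des/esp-sha-hmac corresponding to descbc/sha1hmac. The following Python script is an added example (not part of the manual and not RouterOS or Cisco code) that parses excerpts of both outputs and performs that cross-check; the excerpts are copied from the listings above with the keys omitted, the name mapping between the two vendors is this example's assumption, and the "weak cipher" flag for 56-bit DES is the editor's addition, not a statement from the manual.

```python
import re

# Constructed excerpts copied from the two outputs above (keys omitted).
ROUTEROS_SA_PRINT = """
  0 spi=9437482 replay=4 state=mature auth-algorithm=sha1hmac
    enc-algorithm=descbc flags="" src-address=10.0.1.1 dst-address=10.0.1.2
    policy-id=1 xform-index=0 sa-type=esp direction=out

  1 spi=319317260 replay=4 state=mature auth-algorithm=sha1hmac
    enc-algorithm=descbc flags="" src-address=10.0.1.2 dst-address=10.0.1.1
    policy-id=1 xform-index=0 sa-type=esp direction=in
"""

CISCO_SHOW_SA = """
     inbound esp sas:
      spi: 0x90012A(9437482)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }

     inbound ah sas:

     outbound esp sas:
      spi: 0x1308650C(319317260)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
"""

# RouterOS algorithm names -> Cisco transform names (assumed mapping for this example)
ALG_MAP = {"descbc": "esp-des", "sha1hmac": "esp-sha-hmac"}
# 56-bit DES is flagged as weak by the editor; the manual itself does not say so
WEAK_CIPHERS = {"descbc"}


def parse_routeros_sas(text):
    """Turn '/ip ipsec installed-sa print' output into a list of key/value dicts."""
    sas = []
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\s+(spi=.*)$", line)
        if m:
            sas.append({})
            line = m.group(1)
        elif not sas or not line.strip():
            continue
        for key, val in re.findall(r'(\S+?)=("[^"]*"|\S+)', line):
            sas[-1][key] = val.strip('"')
    return sas


def parse_cisco_sas(text):
    """Collect the esp SAs from the 'show crypto ipsec sa' blocks (ah/pcp are ignored)."""
    sas, direction = [], None
    for line in text.splitlines():
        m = re.match(r"^\s*(inbound|outbound) (\w+) sas:", line)
        if m:
            direction = m.group(1) if m.group(2) == "esp" else None
            continue
        m = re.match(r"^\s*spi: 0x([0-9A-Fa-f]+)\((\d+)\)", line)
        if m and direction:
            sas.append({"direction": direction, "spi": int(m.group(1), 16),
                        "spi_decimal": int(m.group(2)), "transform": []})
            continue
        m = re.match(r"^\s*transform: (.*?)\s*,?\s*$", line)
        if m and sas:
            sas[-1]["transform"] = m.group(1).split()
    return sas


def cross_check(routeros_text, cisco_text):
    """For each RouterOS SA, find the Cisco SA with the same SPI in the opposite
    direction and confirm that the hex/decimal SPI and the algorithms agree."""
    cisco = {sa["spi"]: sa for sa in parse_cisco_sas(cisco_text)}
    report = []
    for sa in parse_routeros_sas(routeros_text):
        spi = int(sa["spi"])
        peer = cisco.get(spi)
        # an SA that is outbound on RouterOS must be inbound on the Cisco side
        want_dir = {"out": "inbound", "in": "outbound"}[sa["direction"]]
        want_xform = {ALG_MAP[sa["enc-algorithm"]], ALG_MAP[sa["auth-algorithm"]]}
        matched = (peer is not None and peer["direction"] == want_dir
                   and peer["spi_decimal"] == spi and set(peer["transform"]) == want_xform)
        report.append({"spi": spi, "direction": sa["direction"], "matched": matched,
                       "weak_cipher": sa["enc-algorithm"] in WEAK_CIPHERS})
    return report


if __name__ == "__main__":
    for entry in cross_check(ROUTEROS_SA_PRINT, CISCO_SHOW_SA):
        print(entry)
```

If an SPI is present on one side only, or the direction is the same on both sides, the tunnel is not up in both directions and the ping test above will fail even though each router shows "mature" SAs locally.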

Additional IPSec Resources

Links for IPSec documentation:

http://www.ietf.org/rfc/rfc2131.txt?number=2401
See also RFCs 2402...2408


© Copyright 1999-2002, MikroTik

MikroTik RouterOS Queues and Bandwidth Management

DRAFT

Document revision 15-May-2002
This document applies to the MikroTik RouterOS V2.5

Overview

The MikroTik RouterOS has the following bandwidth management features:

Queuing is a mechanism that controls bandwidth allocation, delay variability, timely delivery, and delivery reliability. The MikroTik RouterOS supports the following queuing mechanisms:

Queuing can be used for limiting the bandwidth for certain IP addresses, protocols or ports. Queuing is performed for packets leaving the router through an interface. This means that the queues should always be configured on the outgoing interface with respect to the traffic flow. If you want to limit the traffic arriving at the router, this has to be done on the outgoing interface of some other router.

References on Class-Based Queuing (CBQ) can be found at http://www.aciri.org/floyd/cbq.html

Contents of the Manual

The following topics are covered in this manual:

What's New in V2.5?

The MikroTik RouterOS V2.5 has different queue setup compared to the previous versions. When migrating from V2.4 to V2.5, please note that:

Installation

The queue management feature is included in the 'system' software package. No additional software package installation is needed for this feature.

Configuring Simple Queues

Simple queues can be used to set up bandwidth management for the whole traffic leaving an interface, or for certain source and/or destination addresses. For more sophisticated queue setup use the queue trees described further on.

To add simple queues, use the /queue simple add command:

[MikroTik] queue simple>
add dst-address=192.168.0.0/24 interface=ether1 limit-at=128000                                      
[MikroTik] queue simple> print                                                 
Flags: X - disabled, I - invalid 
  0   name="" src-address=0.0.0.0/0 dst-address=192.168.0.0/24 
      interface=ether1 limit-at=128000 queue=default priority=8 bounded=yes 

[MikroTik] queue simple>  

Argument description:

name - descriptive name for the queue
src-address - Source IP address. Can be in the form a.b.c.d/n, that consists of the IP address, and the number of bits in the network mask
src-netmask - Source netmask in decimal form xxx.xxx.xxx.xxx
dst-address - Destination IP address. Can be in the form a.b.c.d/n, that consists of the IP address, and the number of bits in the network mask
dst-netmask - Destination netmask in decimal form xxx.xxx.xxx.xxx
interface - Interface which packet leaves. Queues work only for packets leaving the interface.
limit-at - Maximum stream bandwidth (bits/s). '0' means no limit (default for the interface).
queue - queue type. If you specify the queue type other than 'default', then it overrides the default queue type set for the interface under '/queue interface'. See the '/queue type' for available types.
priority - Flow priority (1..8)
bounded - Queue is bounded. If set to 'yes', the queue cannot occupy the bandwidth of other queues. If set to 'no', the queue may exceed its allocated bandwidth whenever spare bandwidth is available; only when other queues are getting too long and a connection is not being satisfied are the 'not-bounded' queues limited to their allocated bandwidth.

To track how the rules are processed, see the bytes and packets counters for the queues:

[MikroTik] queue simple> .. tree print                                         
Flags: X - disabled, I - invalid, D - dynamic 
  0  D name="" parent=ether1 flow="" limit-at=128000 max-burst=20 
       queue=default priority=8 weight=1 allot=1514 bounded=yes bytes=23543 
       packets=76 

[MikroTik] queue simple> 

Queue rules are processed in the order they appear in the /queue tree print list. If some packet matches the queue rule, then the queuing mechanism specified in that rule is applied to it, and no more rules are processed for that packet.

Queue Types

The queue types are used to specify some common argument values for queues. There are four default built-in queue types: default, ethernet-default, wireless-default, and synchronous-default. The built-in queue types cannot be removed. You can add your own queue types by specifying the argument values, for example:

[MikroTik] queue type>
add name=CUSTOMER-def kind=red red-min-threshold=0 red-burst=0                                      
[MikroTik] queue type> print                                                   
  0 name=default kind=none bfifo-limit=15000 pfifo-limit=10 red-limit=60 
    red-min-threshold=10 red-max-threshold=50 red-burst=20 sfq-perturb=5 
    sfq-allot=1514 

  1 name=ethernet-default kind=none bfifo-limit=15000 pfifo-limit=10 
    red-limit=60 red-min-threshold=10 red-max-threshold=50 red-burst=20 
    sfq-perturb=5 sfq-allot=1514 

  2 name=wireless-default kind=sfq bfifo-limit=15000 pfifo-limit=10 
    red-limit=60 red-min-threshold=10 red-max-threshold=50 red-burst=20 
    sfq-perturb=5 sfq-allot=1514 

  3 name=synchronous-default kind=red bfifo-limit=15000 pfifo-limit=10 
    red-limit=60 red-min-threshold=10 red-max-threshold=50 red-burst=20 
    sfq-perturb=5 sfq-allot=1514 

  4 name=CUSTOMER-def kind=red bfifo-limit=15000 pfifo-limit=10 red-limit=60 
    red-min-threshold=0 red-max-threshold=50 red-burst=0 sfq-perturb=5 
    sfq-allot=1514 

[MikroTik] queue type>  

Argument description:

name - (required) name for the queue type
kind - kind of the queuing algorithm used (bfifo / none / pfifo / red / sfq)
bfifo-limit - BFIFO queue limit. Maximum number of bytes that the queue can hold.
pfifo-limit - PFIFO queue limit. Maximum number of packets that the queue can hold.
red-limit - RED queue limit
red-min-threshold - RED minimum threshold. Until the average queue size reaches this value, no packets are dropped.
red-max-threshold - RED maximum threshold. When the average queue size reaches this value, the queue drops arriving packets with the maximum probability; between the two thresholds the drop probability is a function of the average queue size.
red-burst - RED burst. Number of packets allowed for bursts of packets when there are no packets in the queue. The minimum value that can be used here is equal to the value of 'red-min-threshold'.
sfq-perturb -
sfq-allot -

For small limits (64kbps, 128kbps) RED is preferable. At higher speeds PFIFO performs as well as RED. RED consumes more memory and more CPU than PFIFO and BFIFO.
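The following simulation is an added example (not part of the manual and not the RouterOS implementation) that shows why RED behaves differently from a plain PFIFO at the same queue limit: a tail-drop queue fills up and stays full, while RED starts dropping a growing fraction of arrivals as soon as the average queue size passes red-min-threshold, so the backlog (and with it the queuing delay) stays lower. It uses the classic RED model of Floyd and Jacobson with the manual's default thresholds (10, 50, limit 60); the EWMA weight, the maximum drop probability and the offered load are this example's assumptions.

```python
import random


def red_drop_probability(avg, min_th, max_th, max_p=0.1):
    """RED early-drop probability as a function of the average queue size:
    0 below red-min-threshold, rising linearly to max_p at red-max-threshold,
    and 1 (drop every arriving packet) once the maximum threshold is reached."""
    if avg < min_th:
        return 0.0
    if avg >= max_th:
        return 1.0
    return max_p * (avg - min_th) / (max_th - min_th)


def simulate(kind, ticks=2000, arrivals=3, service=1, limit=60,
             min_th=10, max_th=50, max_p=0.1, weight=0.02, seed=1):
    """Offer `arrivals` packets per tick to a queue that can send `service` per tick,
    i.e. a sustained overload such as a 128k line fed from a faster LAN.
    kind="pfifo": tail-drop only, when the queue already holds `limit` packets.
    kind="red":   additionally drop early with red_drop_probability() of the EWMA
                  average queue size (weight and max_p are this example's assumptions).
    Returns drops, delivered packets, the final queue and the largest/mean backlog."""
    rng = random.Random(seed)          # seeded so that the run is reproducible
    q, avg, drops, delivered, backlog = 0, 0.0, 0, 0, []
    for _ in range(ticks):
        for _ in range(arrivals):
            if kind == "red":
                avg = (1 - weight) * avg + weight * q   # EWMA of the queue size
            early = kind == "red" and rng.random() < red_drop_probability(avg, min_th, max_th, max_p)
            if q >= limit or early:    # both kinds tail-drop at the hard limit
                drops += 1
                continue
            q += 1
        backlog.append(q)              # backlog after arrivals, before sending
        sent = min(q, service)
        q -= sent
        delivered += sent
    return {"drops": drops, "delivered": delivered, "final_queue": q,
            "max_queue": max(backlog), "mean_queue": sum(backlog) / len(backlog)}


if __name__ == "__main__":
    for kind in ("pfifo", "red"):
        print(kind, simulate(kind))
```

Both queues deliver at the line rate; the difference is where the excess is dropped: PFIFO only once the queue is full (so every accepted packet waits behind `limit` others), RED earlier and spread over time, which is what TCP senders react to best.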

Setting Default Queue Type for the Interface

To change the default queue type for the interface, use the '/queue interface set' command, e.g.:

[MikroTik] queue interface> print                                              
  # INTERFACE                             QUEUE                                
  0 ether1                                ethernet-default                     
  1 prism1                                default                              
[MikroTik] queue interface> set prism1 queue=wireless-default                  
[MikroTik] queue interface> print                                              
  # INTERFACE                             QUEUE                                
  0 ether1                                ethernet-default                     
  1 prism1                                wireless-default                     
[MikroTik] queue interface>

Configuring Queue Trees

The queue trees should be used when you want to use sophisticated bandwidth allocation based on protocols, ports, groups of IP addresses, etc. If you have added a simple queue, it is listed as a dynamic one under '/queue tree print', e.g.:

[MikroTik] queue tree> .. simple print                                         
Flags: X - disabled, I - invalid 
  0   name=A_Simple src-address=0.0.0.0/0 dst-address=192.168.0.0/24 
      interface=ether1 limit-at=128000 queue=default priority=8 bounded=yes 

[MikroTik] queue tree> print                                                   
Flags: X - disabled, I - invalid, D - dynamic 
  0  D name=A_Simple parent=ether1 flow="" limit-at=128000 max-burst=20 
       queue=default priority=8 weight=1 allot=1514 bounded=yes bytes=56234
       packets=634 

[MikroTik] queue tree>

Argument description:

name - descriptive name for the queue
parent - (required) name of the parent queue. The top-level parents are the available interfaces. Lower level parents can be other queues. Dynamic queues (created with the simple queue tool) cannot be used as parents.
flow - flow mark of the packets to be queued. Flow marks can be assigned to the packets under /ip firewall mangle when the packets enter the router through the incoming interface.
limit-at - Maximum stream bandwidth (bits/s). '0' means no limit (default for the interface).
max-burst - Maximal number of packets allowed for bursts of packets when there are no packets in the queue. Set to '0' for no burst.
queue - queue type. See the '/queue type' for available types.
priority - Flow priority (1..8)
weight - Flow weight
allot - Number of bytes allocated for the bandwidth. Should not be less than the MTU for the interface.
bounded - Queue is bounded. If set to 'yes', the queue cannot occupy the bandwidth of other queues. If set to 'no', the queue may exceed its allocated bandwidth whenever spare bandwidth is available; only when other queues are getting too long and a connection is not being satisfied are the 'not-bounded' queues limited to their allocated bandwidth.
bytes, packets - number of bytes and packets processed by this queue. The counters can be reset using the 'reset' command

IP packet flow through the router is given in the following diagram:

IP Packet Flow

As we see from the diagram, we should use /ip firewall mangle to mark the packets of the incoming flow, and then apply the queues to them when the packets leave the router through the outgoing interface.

To mark the packets, use the mangle feature:

[MikroTik] ip firewall mangle>
add action=mangle mark-flow=abc-http protocol tcp src-port=80
[MikroTik] ip firewall mangle> print                                           
Flags: X - disabled, I - invalid 
  0   src-address=0.0.0.0/0:80 in-interface=all dst-address=0.0.0.0/0:0-65535 
      protocol=tcp tcp-options=any icmp-options=any:any 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=mangle mark-flow=abc-http tcp-mss=dont-change 
      bytes=0 packets=0 

[MikroTik] ip firewall mangle>                                                 

See the Firewall Filters and Network Address Translation (NAT) Manual for details on how to mark the packets.

You can add a queue using the /queue tree add command:

[MikroTik] queue tree>
add name=HTTP parent=ether1 flow=abc-http limit-at=128000 \
max-burst=0 bounded=yes
[MikroTik] queue tree> print                                                   
Flags: X - disabled, I - invalid, D - dynamic 
  0  D name=A_Simple parent=ether1 flow="" limit-at=128000 max-burst=20 
       queue=default priority=8 weight=1 allot=1514 bounded=yes bytes=0 
       packets=0 

  1    name=HTTP parent=ether1 flow=abc-http limit-at=128000 max-burst=0 
       queue=default priority=8 weight=1 allot=1514 bounded=yes bytes=0 
       packets=0 

[MikroTik] queue tree>

Troubleshooting

Queue Applications

One way to avoid network traffic 'jams' in large networks is traffic shaping. Traffic shaping and bandwidth allocation are implemented in the MikroTik RouterOS as a queuing mechanism. With it, the network administrator can allocate a definite portion of the total bandwidth and grant it to a particular network segment or interface. The bandwidth of particular nodes can also be limited by the same mechanism.

Further on, several examples of using bandwidth management are given, arranged by complexity:

Example of Emulating a 128k/64k Line

Assume we want to emulate a 128k download and 64k upload line connecting IP network 192.168.0.0/24. The network is served through the Local interface of customer's router. The basic network setup is in the following diagram:

128/64k Line

The IP addresses and routes of the MikroTik router are as follows:

[MikroTik] > ip address print                                                  
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.0.0.217/24      10.0.0.217      10.0.0.255      Public                
  1   192.168.0.254/24   192.168.0.0     192.168.0.255   Local                 
[MikroTik] > ip route print                                                    
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE               
    0  S 0.0.0.0/0          r 10.0.0.1        1        Public                  
    1 DC 192.168.0.0/24     r 0.0.0.0         0        Local                   
    2 DC 10.0.0.0/24        r 0.0.0.0         0        Public                  
[MikroTik] > 

Assume you want to limit the bandwidth to 128kbps on downloads and 64kbps on uploads for all hosts on the LAN. Bandwidth limitation is done by applying queues for outgoing interfaces regarding the traffic flow. It is enough to add two queues at the MikroTik router:

[MikroTik] queue simple>
add name=Down interface Local limit-at 128000
add name=UP interface Public limit-at 64000                   
[MikroTik] queue simple> print                                                 
Flags: X - disabled, I - invalid 
  0   name=Down src-address=0.0.0.0/0 dst-address=0.0.0.0/0 interface=Local 
      limit-at=128000 queue=default priority=8 bounded=yes 

  1   name=UP src-address=0.0.0.0/0 dst-address=0.0.0.0/0 interface=Public 
      limit-at=64000 queue=default priority=8 bounded=yes 

[MikroTik] queue simple> .. tree print                                         
Flags: X - disabled, I - invalid, D - dynamic 
  0  D name=Down parent=Local flow="" limit-at=128000 max-burst=20 
       queue=default priority=8 weight=1 allot=1514 bounded=yes bytes=60 
       packets=1 

  1  D name=UP parent=Public flow="" limit-at=64000 max-burst=20 
       queue=default priority=8 weight=1 allot=1514 bounded=yes bytes=4169 
       packets=30 

[MikroTik] queue simple> 

Leave all other parameters at their defaults. The limit is approximately 128kbps going to the LAN and 64kbps leaving the client's LAN. Please note that the queues have been added on the outgoing interfaces with respect to the traffic flow.

To monitor the traffic flow through the interface while doing file transfer, use the '/interface monitor-traffic' command:

[MikroTik] interface> monitor-traffic Public                                   
    received-packets-per-second: 9         
       received-bits-per-second: 4.32kbps  
        sent-packets-per-second: 6         
           sent-bits-per-second: 65.58kbps 

    received-packets-per-second: 7         
       received-bits-per-second: 3.36kbps  
        sent-packets-per-second: 10        
           sent-bits-per-second: 65.15kbps 

    received-packets-per-second: 11        
       received-bits-per-second: 5.66kbps  
        sent-packets-per-second: 7         
           sent-bits-per-second: 52.70kbps 

[MikroTik] interface>    

If you want to exclude the server from being limited, add two queues for it with limit-at=0 (no limit) and move them to the top:

[MikroTik] queue simple>
add name=Serv_D interface=Local dst-address=192.168.0.17/32 limit-at=0
add name=Serv_U interface Public src-address=192.168.0.17/32 limit-at=0                
[MikroTik] queue simple> print                                                 
Flags: X - disabled, I - invalid 
  0   name=Down src-address=0.0.0.0/0 dst-address=0.0.0.0/0 interface=Local 
      limit-at=128000 queue=default priority=8 bounded=yes 

  1   name=UP src-address=0.0.0.0/0 dst-address=0.0.0.0/0 interface=Public 
      limit-at=64000 queue=default priority=8 bounded=yes 

  2   name=Serv_D src-address=0.0.0.0/0 dst-address=192.168.0.17/32 
      interface=Local limit-at=0 queue=default priority=8 bounded=yes 

  3   name=Serv_U src-address=192.168.0.17/32 dst-address=0.0.0.0/0 
      interface=Public limit-at=0 queue=default priority=8 bounded=yes 

[MikroTik] queue simple> move 2 0                                              
[MikroTik] queue simple> move 3 1                                              
[MikroTik] queue simple> print                                                 
Flags: X - disabled, I - invalid 
  0   name=Serv_D src-address=0.0.0.0/0 dst-address=192.168.0.17/32 
      interface=Local limit-at=0 queue=default priority=8 bounded=yes 

  1   name=Serv_U src-address=192.168.0.17/32 dst-address=0.0.0.0/0 
      interface=Public limit-at=0 queue=default priority=8 bounded=yes 

  2   name=Down src-address=0.0.0.0/0 dst-address=0.0.0.0/0 interface=Local 
      limit-at=128000 queue=default priority=8 bounded=yes 

  3   name=UP src-address=0.0.0.0/0 dst-address=0.0.0.0/0 interface=Public 
      limit-at=64000 queue=default priority=8 bounded=yes 

[MikroTik] queue simple>  

Example of Using Masquerading

If masquerading is used for the local address space 192.168.0.0/24 of the client computers in the previous example setup, then the outgoing traffic has the masqueraded source address 10.0.0.217, i.e., the outgoing packets have the router's external address as their source.

If you use simple queues, as in the previous example, the queuing rule for incoming traffic should match the customer's local addresses, whereas the rule for outgoing traffic should match the router's external address as the source address. The previous example would work fine, but you cannot exclude the server from being limited.

To apply specific queuing for the server, use '/ip firewall mangle' to mark the packets originated from the server:

[MikroTik] ip firewall mangle>
add src-address=192.168.0.17/32 action=mangle mark-flow=Serv_Up                                      
add in-interface=Local action=mangle mark-flow=Local-all                                      
[MikroTik] ip firewall mangle> print                                           
Flags: X - disabled, I - invalid 
  0   src-address=192.168.0.17/32:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 protocol=all tcp-options=any 
      icmp-options=any:any src-mac-address=00:00:00:00:00:00 limit-count=0 
      limit-burst=0 limit-time=0s action=mangle mark-flow=Serv_Up 
      tcp-mss=dont-change bytes=0 packets=0 

  1   src-address=0.0.0.0/0:0-65535 in-interface=Local 
      dst-address=0.0.0.0/0:0-65535 protocol=all tcp-options=any 
      icmp-options=any:any src-mac-address=00:00:00:00:00:00 limit-count=0 
      limit-burst=0 limit-time=0s action=mangle mark-flow=Local-all 
      tcp-mss=dont-change bytes=0 packets=0 

[MikroTik] ip firewall mangle>  

Add a queue to the queue tree, which uses the flow mark:

[MikroTik] queue tree>
add name=Server parent=Public flow=Serv_Up 
add name=Workst parent=Public flow=Local-all \
limit-at=64000 bounded=yes max-burst=0 
[MikroTik] queue tree> print                                                   
Flags: X - disabled, I - invalid, D - dynamic 
  0    name=Server parent=Public flow=Serv_Up limit-at=0 max-burst=20 
       queue=default priority=8 weight=1 allot=1514 bounded=no bytes=0 
       packets=0 

  1    name=Workst parent=Public flow=Local-all limit-at=64000 max-burst=0 
       queue=default priority=8 weight=1 allot=1514 bounded=yes bytes=0 
       packets=0 

[MikroTik] queue tree> 

Thus, we used queue trees for limiting the upload. Use the same simple queues as in the previous example for limiting the download.
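The two preceding examples rest on two rules of the packet path: queue rules are tried in order and the first match wins (which is why the server queues had to be moved to the top), and the flow mark is assigned on ingress by mangle, before masquerading rewrites the source address on the way out, whereas a simple queue on the Public interface only sees the rewritten address. The following Python model is an added example (not part of the manual and not RouterOS code) that replays both examples with the addresses used above; the two host addresses 192.168.0.5 and 10.0.0.1 for the workstation and the remote host are constructed, and the assumption that the first matching mangle rule assigns the mark is the model's, chosen because the manual's example relies on it.

```python
import ipaddress
from dataclasses import dataclass, replace

ROUTER_PUBLIC = "10.0.0.217"   # the router's Public address in the example above
SERVER = "192.168.0.17"        # the server excluded from limiting in the example


@dataclass
class Packet:
    src: str
    dst: str
    in_interface: str
    out_interface: str
    flow: str = ""             # flow mark assigned by /ip firewall mangle


@dataclass
class SimpleQueue:
    """A /queue simple rule: matches on the outgoing interface and the addresses."""
    name: str
    interface: str
    limit_at: int
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"

    def matches(self, p):
        return (p.out_interface == self.interface
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))


@dataclass
class TreeQueue:
    """A /queue tree rule: matches on the parent interface and the flow mark."""
    name: str
    parent: str
    flow: str
    limit_at: int

    def matches(self, p):
        return p.out_interface == self.parent and p.flow == self.flow


# (source network or None, in-interface or None, mark); the first matching rule
# marks the packet (model assumption, as the manual's mangle example relies on)
MANGLE_RULES = [(SERVER + "/32", None, "Serv_Up"), (None, "Local", "Local-all")]

SIMPLE_QUEUES = [                       # in the order they were added above
    SimpleQueue("Down", "Local", 128000),
    SimpleQueue("UP", "Public", 64000),
    SimpleQueue("Serv_D", "Local", 0, dst=SERVER + "/32"),
    SimpleQueue("Serv_U", "Public", 0, src=SERVER + "/32"),
]
TREE_QUEUES = [
    TreeQueue("Server", "Public", "Serv_Up", 0),
    TreeQueue("Workst", "Public", "Local-all", 64000),
]


def move_to_top(queues, names):
    """Equivalent of 'move 2 0' and 'move 3 1': put the named rules first, keeping order."""
    return [q for q in queues if q.name in names] + [q for q in queues if q.name not in names]


def mangle(p):
    """Ingress marking: returns a copy of the packet carrying the first matching mark."""
    for src, iface, mark in MANGLE_RULES:
        if ((src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(src))
                and (iface is None or p.in_interface == iface)):
            return replace(p, flow=mark)
    return p


def classify(packet, queues, masquerade=False):
    """Model of the packet path: mark on ingress, rewrite the source address when
    masquerading out of Public, then walk the queue list and return the first match."""
    p = mangle(packet)
    if masquerade and p.out_interface == "Public":
        p = replace(p, src=ROUTER_PUBLIC)
    for q in queues:
        if q.matches(p):
            return q.name
    return None


# constructed packets: server upload, workstation upload, download to the server
SERVER_UP = Packet(SERVER, "10.0.0.1", "Local", "Public")
WORKST_UP = Packet("192.168.0.5", "10.0.0.1", "Local", "Public")
SERVER_DOWN = Packet("10.0.0.1", SERVER, "Public", "Local")

if __name__ == "__main__":
    reordered = move_to_top(SIMPLE_QUEUES, ["Serv_D", "Serv_U"])
    print("as added:", classify(SERVER_UP, SIMPLE_QUEUES))                # UP
    print("moved to top:", classify(SERVER_UP, reordered))                # Serv_U
    print("masqueraded, simple:", classify(SERVER_UP, reordered, True))   # UP
    print("masqueraded, tree:", classify(SERVER_UP, TREE_QUEUES, True))   # Server
```

With masquerading on, the simple queue Serv_U never matches the server's uploads because by the time the packet reaches the Public queue its source is already 10.0.0.217; the tree queue keyed on the Serv_Up mark still does, because the mark was attached while the packet still carried its original source address.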


© Copyright 1999-2001, MikroTik

MikroTik RouterOS OSPF Routing Protocol

Document revision 10-Jul-2002
This document applies to the MikroTik RouterOS V2.4 and 2.5

Overview

MikroTik RouterOS implements OSPF Version 2 (RFC 2328). The OSPF protocol is based on the link-state technology. It is also known as the shortest-path-first technology.

OSPF distributes routing information between routers belonging to a single autonomous system (AS). An AS is a group of routers exchanging routing information via a common routing protocol.

Contents of the Manual

The following topics are covered in this manual:

What's New in V2.5?

When migrating from V2.4 to V2.5, please note that:

Installation

The OSPF feature is included in the “routing” package. The package file routing-2.x.y.npk can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload it to the router with ftp and reboot. You may check to see if the routing package is installed with the command:

[MikroTik] > system package print                                              
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 routing                2.4.5                 dec/04/2001 14:54:29 no       
  1 snmp                   2.4.5                 dec/04/2001 14:54:41 no       
  2 ppp                    2.4.5                 dec/04/2001 14:55:36 no       
  3 pppoe                  2.4.5                 dec/04/2001 14:56:30 no       
  4 ssh                    2.4.5                 dec/04/2001 14:58:22 no       
  5 pptp                   2.4.5                 dec/04/2001 14:55:54 no       
  6 cyclades               2.4.5                 dec/04/2001 14:58:39 no       
  7 framerelay             2.4.5                 dec/04/2001 15:07:21 no       
  8 system                 2.4.5                 dec/04/2001 14:53:19 no       
[MikroTik] >                                                                   

Hardware Resource Usage

There is no significant resource usage.

OSPF Description

For a description of OSPF and implementation guidelines, please refer to the list of Additional Resources. This document discusses OSPF configuration for the MikroTik RouterOS.

When implementing the OSPF, all routers should be configured in a coordinated manner. Routers belonging to one area should have the same area ID configured.

OSPF Setup

The OSPF management can be accessed under the /routing ospf submenu.

After you have determined which routers belong to your OSPF area, you have to configure the following settings on each of the routers belonging to the selected area:

  1. Change the general OSPF settings for redistributing connected, static and default routes. Generally, the default route should be distributed only from one router of your area;
  2. Add an OSPF area record, if the area is not the backbone area;
  3. Add OSPF network records for each interface you want the OSPF to run on.
OSPF is started after a record has been added to the ospf network list.
Note! The OSPF protocol is started only on interfaces configured under /routing ospf network.

Setting the Basic OSPF Argument Values

To view the argument settings for OSPF, use the /routing ospf print command, for example:

[MikroTik] routing ospf> print                                                 
                 router-id: 0.0.0.0
        distribute-default: never
    redistribute-connected: no
       redistribute-static: no
          redistribute-rip: no
[MikroTik] routing ospf>  
[MikroTik] routing ospf> set redistribute-static=yes redistribute-connected=yes

Argument description:

router-id – The Router ID. If not specified (default 0.0.0.0), OSPF uses the largest IP address configured on the interfaces as its router ID.
redistribute-connected – ( yes / no ) If set to yes, then the router will redistribute the information about all connected routes, i.e., routes to networks, that can be directly reached from the router.
redistribute-static – ( yes / no ) If set to yes, then the router will redistribute the information about all static routes added to its routing database, i.e., routes, that have been created using the /ip route add command of the router.
redistribute-rip – ( yes / no ) If set to yes, then the router will redistribute the information about all routes learned by the RIP protocol.
distribute-default – ( always / if-installed / never ). Controls how to propagate the default route to other routers.
never - do not send own default route to other routers;
if-installed - send the default route only if it has been installed (a static default route, or route added by DHCP, PPP, etc.);
always - always send the default route.
Note! Within an area, only the area gateway (border) router should have the propagation of the default route enabled.

Usually you want to redistribute connected and static routes, if any. Therefore change the settings for these arguments and proceed to the OSPF areas and networks.

OSPF Areas

The area management can be accessed under the /routing ospf area submenu. There is one area which is configured by default - the backbone area (area ID 0.0.0.0):

[MikroTik] routing ospf area> print detail
Flags: X - disabled 
  0 name=backbone area-id=0.0.0.0 stub-area=no default-cost=0 
    authentication=none 

[MikroTik] routing ospf area>

To define additional OSPF area(s) for the router, use the /routing ospf area add command:

[MikroTik] routing ospf area> add area-id=0.0.10.5 name=local_10               
[MikroTik] routing ospf area> print                                            
Flags: X - disabled 
  0 name=backbone area-id=0.0.0.0 stub-area=no default-cost=0 
    authentication=none 

  1 name=local_10 area-id=0.0.10.5 stub-area=no default-cost=0 
    authentication=none 

[MikroTik] routing ospf area>

Argument description:

name - area name. Cannot be changed for the backbone area.
area-id - area ID, must be in IP address notation. Cannot be changed for the backbone area.
default-cost - Cost for the default summary route used for a stub area. Only for area boundary router.
stub-area - ( yes / no ) Sets the area type.
authentication - ( md5 / none / simple ) authentication method for OSPF
none - no authentication;
simple - clear text authentication;
md5 - Keyed Message Digest 5 (MD5) authentication.

OSPF Network

To start the OSPF protocol, you have to define the interfaces on which OSPF runs and the area ID for those interfaces. Use the /routing ospf network add command:

[MikroTik] routing ospf network> add area=local_10 network=10.0.0.0/24         
[MikroTik] routing ospf network> print                                         
Flags: X - disabled 
  #   NETWORK            AREA                                                  
  0   10.0.0.0/24        local_10                                              
[MikroTik] routing ospf network>

Argument description:

area - Area to be associated with the address range. The area name should be from the /routing ospf area list.
network - the network address/mask that is associated with the area. The network argument allows defining one or multiple interfaces to be associated with a specific OSPF area. Only the local address of the router should be covered by the network address/mask.

Note on using OSPF over point-to-point links:
Never include the remote address of a point-to-point link (PPP, PPPoE, PPTP, IPIP) in the network address/mask! OSPF will not function properly. Only the local address should be included! See the Application example below!

For OSPF to operate on the interface, any address of that interface must be covered by the network address specified in the network record. For example:

[MikroTik] routing ospf network> /ip address print                             
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.0.0.212/24      10.0.0.212      10.0.0.255      ether1                
  1   192.168.0.1/24     192.168.0.0     192.168.0.255   ether1                
  2   1.1.1.1/24         1.1.1.0         1.1.1.255       sync1                 
[MikroTik] routing ospf network> print                                         
Flags: X - disabled 
  #   NETWORK            AREA                                                  
  0   192.168.0.0/24     local_10                                              
[MikroTik] routing ospf network> /ip route print                                 
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  0.0.0.0/0          A            10.0.0.1    1        ether1     
  1 I  ospf    192.168.0.0/24     A            0.0.0.0     110      ether1     
  2 D  connect 192.168.0.0/24     A            0.0.0.0     0        ether1     
  3 I  ospf    10.0.0.0/24        A            0.0.0.0     110      ether1     
  4 D  connect 10.0.0.0/24        A            0.0.0.0     0        ether1     
  5 D  connect 1.1.1.0/24         A            0.0.0.0     0        sync1      
[MikroTik] routing ospf network>  

Items #1 and #3 show that the OSPF protocol is running on the interface ether1 and that two routes have been installed by the routing daemon. The routes are marked as invalid because they duplicate the connected routes, and there cannot be two routes to the same destination. This is not a malfunction of the program.
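The rule illustrated above is that OSPF runs on an interface exactly when one of the interface's own addresses falls inside a network record, and the warning before it is that the record must not also cover the far end of a point-to-point link. The following Python script is an added example (not part of the manual and not RouterOS code) that applies both checks to the address list and network record from the listing above; the PPP link with local address 10.1.0.2, remote address 10.1.0.1 and interface name ppp1 is constructed for the example.

```python
import ipaddress


def ospf_interfaces(addresses, networks):
    """addresses: (address/prefix, interface) pairs as listed by '/ip address print';
    networks: network/mask strings as listed by '/routing ospf network print'.
    OSPF runs on an interface when any of its addresses lies inside some network record."""
    running = set()
    for addr, iface in addresses:
        ip = ipaddress.ip_interface(addr).ip
        if any(ip in ipaddress.ip_network(net, strict=False) for net in networks):
            running.add(iface)
    return sorted(running)


def p2p_coverage_problems(links, networks):
    """links: (local address, remote address, interface) of point-to-point links.
    Returns the (interface, network, remote) triples where a network record also
    covers the remote end of the link, which the manual says must never happen."""
    problems = []
    for _local, remote, iface in links:
        for net in networks:
            if ipaddress.ip_address(remote) in ipaddress.ip_network(net, strict=False):
                problems.append((iface, net, remote))
    return problems


def recommended_p2p_network(local):
    """The safe record for a point-to-point link: the local address alone (/32)."""
    return str(ipaddress.ip_network(local + "/32"))


# addresses and the network record copied from the listing above
ADDRESSES = [("10.0.0.212/24", "ether1"), ("192.168.0.1/24", "ether1"), ("1.1.1.1/24", "sync1")]
NETWORKS = ["192.168.0.0/24"]
# constructed PPP link (not from the manual): local 10.1.0.2, remote 10.1.0.1
P2P_LINKS = [("10.1.0.2", "10.1.0.1", "ppp1")]

if __name__ == "__main__":
    print(ospf_interfaces(ADDRESSES, NETWORKS))                                   # ['ether1']
    print(p2p_coverage_problems(P2P_LINKS, ["10.1.0.0/24"]))                      # flags the remote end
    print(p2p_coverage_problems(P2P_LINKS, [recommended_p2p_network("10.1.0.2")]))  # []
```

A /24 record that covers the whole link is the usual mistake on PPP, PPPoE, PPTP and IPIP links; a /32 record on the local address makes OSPF run on that interface without ever covering the peer's address.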

OSPF Interfaces

Normally you do not need to make any changes for the ospf interfaces, unless you want to adjust some interval settings for the OSPF messages, or change the interface cost or priority. To change the OSPF interface settings, go to the /routing ospf interface menu:

[MikroTik] routing ospf interface> set sync1 cost=50                               
[MikroTik] routing ospf interface> print                                       
Flags: X - disabled 
  0   interface=ether1 cost=1 priority=1 authentication-key="" 
      dead-interval=40s hello-interval=10s retransmit-interval=5s 
      transmit-delay=1s 

  1   interface=sync1 cost=50 priority=1 authentication-key="" 
      dead-interval=40s hello-interval=10s retransmit-interval=5s 
      transmit-delay=1s 

[MikroTik] routing ospf interface> 

Argument description:

authentication-key - Authentication key to be used by neighboring routers that are using OSPF's simple password authentication.
cost - Interface cost (1..65535) expressed as the link state metric.
dead-interval - Interval after which a neighbor is declared dead. The interval is advertised in the router's hello packets. This value must be the same for all routers and access servers on a specific network.
hello-interval - The interval between hello packets that the router sends on the interface. The smaller the hello interval, the faster topological changes will be detected, but more routing traffic will ensue. This value must be the same for all routers on a specific network.
priority - Router priority (0..255). It helps determine the designated router for the network. When two routers attached to a network both attempt to become the designated router, the one with the higher router priority takes precedence.
retransmit-interval - Time between retransmissions of lost link state advertisements (3..65535 seconds). When a router sends a link state advertisement (LSA) to its neighbor, it keeps the LSA until it receives the acknowledgment back. If it receives no acknowledgment within this interval, it retransmits the LSA.
transmit-delay - Link state transmit delay (1..65535 seconds) is the estimated time it takes to transmit a link state update packet on the interface.
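The authentication-key="" shown in the listing above means an interface accepts hellos from any router on its segment. The following script, an added example that is not part of the MikroTik manual, parses a constructed listing in the same /routing ospf interface print format and reports enabled interfaces without a key, plus an obviously inconsistent dead-interval; the parser and check functions are hypothetical helpers written for this listing.

```python
"""Audit the detailed '/routing ospf interface print' listing for OSPF
interfaces that run without a simple-password authentication key.

Added example, not code from the MikroTik manual. SAMPLE_OUTPUT is a
constructed listing in the format shown above; the parser and checks are
hypothetical helpers written for it."""
import re

# Constructed sample in the manual's '/routing ospf interface print' format:
# item 0 has no key, item 1 is fine, item 2 has a broken dead-interval,
# item 3 is disabled (flag X) and is therefore ignored by the audit.
SAMPLE_OUTPUT = """\
Flags: X - disabled
  0   interface=ether1 cost=1 priority=1 authentication-key=""
      dead-interval=40s hello-interval=10s retransmit-interval=5s
      transmit-delay=1s

  1   interface=sync1 cost=50 priority=1 authentication-key="s3cret-key"
      dead-interval=40s hello-interval=10s retransmit-interval=5s
      transmit-delay=1s

  2   interface=ether2 cost=1 priority=1 authentication-key="s3cret-key"
      dead-interval=10s hello-interval=10s retransmit-interval=5s
      transmit-delay=1s

  3 X interface=ether3 cost=1 priority=0 authentication-key=""
      dead-interval=40s hello-interval=10s retransmit-interval=5s
      transmit-delay=1s
"""

# Item line: "  0   interface=..." or "  3 X interface=..." (number, flag letters).
ITEM_RE = re.compile(r"^\s*(\d+)\s+([A-Z ]*?)\s*(?=[\w-]+=)")
# key=value pairs; a value is either "quoted" or a bare token.
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_ospf_interfaces(text):
    """Return one dict per numbered item: its id, whether the X flag is set,
    and every key=value field from the item line and its continuation lines."""
    items, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Flags:"):
            continue
        m = ITEM_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "disabled": "X" in m.group(2)}
            items.append(current)
        if current is None:
            continue  # text before the first item
        for key, value in KV_RE.findall(line):
            current[key] = value.strip('"')
    return items


def interval_seconds(value):
    """Convert a RouterOS interval such as '40s', '2m' or '1h30m' to seconds."""
    return sum(int(n) * {"h": 3600, "m": 60, "s": 1}[u]
               for n, u in re.findall(r"(\d+)([hms])", value))


def audit_ospf_interfaces(items):
    """Return (interface, finding) pairs for enabled interfaces that
    - have an empty authentication-key, so any host on the segment can form
      an adjacency and inject link-state information, or
    - have a dead-interval that is not longer than the hello-interval, which
      declares a healthy neighbour dead before its next hello can arrive."""
    findings = []
    for it in items:
        if it["disabled"]:
            continue
        name = it["interface"]
        if it.get("authentication-key", "") == "":
            findings.append((name, "no authentication-key configured"))
        hello = interval_seconds(it.get("hello-interval", "10s"))
        dead = interval_seconds(it.get("dead-interval", "40s"))
        if dead <= hello:
            findings.append((name, f"dead-interval {dead}s <= hello-interval {hello}s"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_ospf_interfaces(parse_ospf_interfaces(SAMPLE_OUTPUT)):
        print(f"{iface}: {finding}")
```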

OSPF Troubleshooting

Additional Resources

Recommended readings for guidelines on building OSPF networks:

OSPF Application Examples

Let us consider the following examples of OSPF protocol used for backup links:

OSPF Backup without using Tunnel

This example shows how to use OSPF for backup purposes if you control all the involved routers and can run OSPF on them.

Let us assume that the link between the routers OSPF-Main and OSPF-peer-1 is the main one. If it goes down, we want the traffic to switch over to the links going through the router OSPF-peer-2.

For this:

  1. We introduce an OSPF area with area ID=0.0.0.1, which includes all three routers shown on the diagram.
  2. Only the OSPF-Main router will have the default route configured. Its interfaces peer1 and peer2 will be configured for the OSPF protocol. The interface main_gw will not be used for distributing the OSPF routing information.
  3. The routers OSPF-peer-1 and OSPF-peer-2 will distribute their connected and static route information, and receive the default route using the OSPF protocol.

OSPF-Main Router Setup

The IP address configuration of the [OSPF-Main] router is as follows:

[OSPF-Main] interface> /ip address print                                            
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.0.0.214/24      10.0.0.0        10.0.0.255      main_gw               
  1   10.1.0.2/24        10.1.0.0        10.1.0.255      peer1                 
  2   10.2.0.2/24        10.2.0.0        10.2.0.255      peer2                 
[OSPF-Main] interface>

OSPF settings:

[OSPF-Main] > routing ospf print                                               
                 router-id: 0.0.0.0
    redistribute-connected: yes
       redistribute-static: yes
          redistribute-rip: no
        distribute-default: if-installed
[OSPF-Main] > routing ospf area print                                          
Flags: X - disabled 
  0   name=backbone area-id=0.0.0.0 default-cost=0 stub=no 
      authentication=none 

  1   name=local_10 area-id=0.0.0.1 default-cost=0 stub=no 
      authentication=none 

[OSPF-Main] > routing ospf network print                                       
Flags: X - disabled 
  #   NETWORK            AREA                                                  
  0   10.1.0.0/24        local_10                                              
  1   10.2.0.0/24        local_10                                              
[OSPF-Main] >  

OSPF-peer-1 Router Setup

The IP address configuration of the [OSPF-peer-1] router is as follows:

[OSPF-peer-1] > ip address print                                               
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.1.0.1/24        10.1.0.0        10.1.0.255      main_link             
  1   10.3.0.1/24        10.3.0.0        10.3.0.255      backup                
  2   192.168.0.1/24     192.168.0.0     192.168.0.255   local                 
[OSPF-peer-1] > 

OSPF settings:

[OSPF-peer-1] > routing ospf print                                             
                 router-id: 0.0.0.0
    redistribute-connected: yes
       redistribute-static: yes
          redistribute-rip: no
        distribute-default: never
[OSPF-peer-1] > routing ospf area print                                        
Flags: X - disabled 
  0   name=backbone area-id=0.0.0.0 default-cost=0 stub=no 
      authentication=none 

  1   name=local_10 area-id=0.0.0.1 default-cost=0 stub=no 
      authentication=none 

[OSPF-peer-1] > routing ospf network print                                     
Flags: X - disabled 
  #   NETWORK            AREA                                                  
  0   10.3.0.0/24        local_10                                              
  1   10.1.0.0/24        local_10                                              
[OSPF-peer-1] > 

OSPF-peer-2 Router Setup

The IP address configuration of the [OSPF-peer-2] router is as follows:

[OSPF-peer-2] > ip address print                                               
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.2.0.1/24        10.2.0.0        10.2.0.255      main                  
  1   10.3.0.2/24        10.3.0.0        10.3.0.255      to-peer2              
[OSPF-peer-2] > 

OSPF settings:

[OSPF-peer-2] > routing ospf print                                             
                 router-id: 0.0.0.0
    redistribute-connected: yes
       redistribute-static: yes
          redistribute-rip: no
        distribute-default: never
[OSPF-peer-2] > routing ospf area print                                        
Flags: X - disabled 
  0   name=backbone area-id=0.0.0.0 default-cost=0 stub=no 
      authentication=none 

  1   name=local_10 area-id=0.0.0.1 default-cost=0 stub=no 
      authentication=none 

[OSPF-peer-2] > routing ospf network print                                     
Flags: X - disabled 
  #   NETWORK            AREA                                                  
  0   10.2.0.0/24        local_10                                              
  1   10.3.0.0/24        local_10                                              
[OSPF-peer-2] >   

Routing Tables

After the three routers have been set up as described above, and the links between them are operational, the routing tables of the three routers should look as follows:

[OSPF-Main] > ip route print                                                   
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  0.0.0.0/0          A            10.0.0.1    1        main_gw    
  1 D  ospf    192.168.3.0/24     A            10.1.0.1    110      peer1      
  2 D  ospf    192.168.0.0/24     A            10.1.0.1    110      peer1      
  3 D  ospf    10.3.0.0/24        A            10.2.0.1    110      peer2      
                                  A            10.1.0.1             peer1      
  4 I  ospf    10.2.0.0/24        A            0.0.0.0     110      peer2      
  5 D  connect 10.2.0.0/24        A            0.0.0.0     0        peer2      
  6 I  ospf    10.1.0.0/24        A            0.0.0.0     110      peer1      
  7 D  connect 10.1.0.0/24        A            0.0.0.0     0        peer1      
  8 D  connect 10.0.0.0/24        A            0.0.0.0     0        main_gw    
[OSPF-Main] >  
=============================================================================
[OSPF-peer-1] > ip route print                                                 
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  192.168.3.0/24     A            192.168.0.3 1        local      
  1 D  ospf    0.0.0.0/0          A            10.1.0.2    110      main_link  
  2 D  connect 192.168.0.0/24     A            0.0.0.0     0        local      
  3 I  ospf    10.3.0.0/24        A            0.0.0.0     110      backup     
  4 D  connect 10.3.0.0/24        A            0.0.0.0     0        backup     
  5 D  ospf    10.2.0.0/24        A            10.1.0.2    110      main_link  
                                  A            10.3.0.2             backup     
  6 I  ospf    10.1.0.0/24        A            0.0.0.0     110      main_link  
  7 D  connect 10.1.0.0/24        A            0.0.0.0     0        main_link  
  8 D  ospf    10.0.0.0/24        A            10.1.0.2    110      main_link  
[OSPF-peer-1] > 
=============================================================================
[OSPF-peer-2] > ip route print                                                 
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0 D  ospf    0.0.0.0/0          A            10.2.0.2    110      main       
  1 D  ospf    192.168.3.0/24     A            10.3.0.1    110      to-peer2   
  2 D  ospf    192.168.0.0/24     A            10.3.0.1    110      to-peer2   
  3 I  ospf    10.3.0.0/24        A            0.0.0.0     110      to-peer2   
  4 D  connect 10.3.0.0/24        A            0.0.0.0     0        to-peer2   
  5 I  ospf    10.2.0.0/24        A            0.0.0.0     110      main       
  6 D  connect 10.2.0.0/24        A            0.0.0.0     0        main       
  7 D  ospf    10.1.0.0/24        A            10.3.0.1    110      to-peer2   
                                  A            10.2.0.2             main       
  8 D  ospf    10.0.0.0/24        A            10.2.0.2    110      main       
[OSPF-peer-2] >     

Please note the three equal cost multipath routes (multiple gateways for one destination) in this setup. They have been created by OSPF because the cost is equal, for example, from the router OSPF-peer-2 to the network 10.1.0.0/24 over either path.

The cost is calculated as the sum of the costs over each hop to the destination. Unless this is specifically desired, we may want to avoid such situations by adjusting the cost settings for the interfaces (links) accordingly.

Routing Tables with Revised Link Cost

Let us assume that the link between the routers OSPF-peer-1 and OSPF-peer-2 has a higher cost (it might be slower, we have to pay more for the traffic through it, etc.). Since we have left all OSPF interface cost settings at the default (cost=1), we need to change the following settings:

[OSPF-peer-1] > routing ospf interface set backup cost=50 
[OSPF-peer-2] > routing ospf interface set to-peer2 cost=50 

The revised network diagram:

After changing the cost settings, we have only one equal cost multipath route left - to the network 10.3.0.0/24 from the OSPF-Main router:

[OSPF-Main] > ip route print                                                   
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  0.0.0.0/0          A            10.0.0.1    1        main_gw    
  1 D  ospf    192.168.3.0/24     A            10.1.0.1    110      peer1      
  2 D  ospf    192.168.0.0/24     A            10.1.0.1    110      peer1      
  3 D  ospf    10.3.0.0/24        A            10.2.0.1    110      peer2      
                                  A            10.1.0.1             peer1      
  4 I  ospf    10.2.0.0/24        A            0.0.0.0     110      peer2      
  5 D  connect 10.2.0.0/24        A            0.0.0.0     0        peer2      
  6 I  ospf    10.1.0.0/24        A            0.0.0.0     110      peer1      
  7 D  connect 10.1.0.0/24        A            0.0.0.0     0        peer1      
  8 D  connect 10.0.0.0/24        A            0.0.0.0     0        main_gw    
[OSPF-Main] > 
===========================================================
[OSPF-peer-1] > ip route print                                                 
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  192.168.3.0/24     A            192.168.0.3 1        local      
  1 D  ospf    0.0.0.0/0          A            10.1.0.2    110      main_link  
  2 D  connect 192.168.0.0/24     A            0.0.0.0     0        local      
  3 I  ospf    10.3.0.0/24        A            0.0.0.0     110      backup     
  4 D  connect 10.3.0.0/24        A            0.0.0.0     0        backup     
  5 D  ospf    10.2.0.0/24        A            10.1.0.2    110      main_link  
  6 I  ospf    10.1.0.0/24        A            0.0.0.0     110      main_link  
  7 D  connect 10.1.0.0/24        A            0.0.0.0     0        main_link  
  8 D  ospf    10.0.0.0/24        A            10.1.0.2    110      main_link  
[OSPF-peer-1] >  
===========================================================
[OSPF-peer-2] > ip route print                                                 
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0 D  ospf    0.0.0.0/0          A            10.2.0.2    110      main       
  1 D  ospf    192.168.3.0/24     A            10.2.0.2    110      main       
  2 D  ospf    192.168.0.0/24     A            10.2.0.2    110      main       
  3 I  ospf    10.3.0.0/24        A            0.0.0.0     110      to-peer2   
  4 D  connect 10.3.0.0/24        A            0.0.0.0     0        to-peer2   
  5 I  ospf    10.2.0.0/24        A            0.0.0.0     110      main       
  6 D  connect 10.2.0.0/24        A            0.0.0.0     0        main       
  7 D  ospf    10.1.0.0/24        A            10.2.0.2    110      main       
  8 D  ospf    10.0.0.0/24        A            10.2.0.2    110      main       
[OSPF-peer-2] > 

Functioning of the Backup

If the link between routers OSPF-Main and OSPF-peer-1 goes down, we have the following situation:

The OSPF routing changes as follows:

[OSPF-Main] > ip route print                                                   
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  0.0.0.0/0          A            10.0.0.1    1        main_gw    
  1 D  ospf    192.168.3.0/24     A            10.2.0.1    110      peer2      
  2 D  ospf    192.168.0.0/24     A            10.2.0.1    110      peer2      
  3 D  ospf    10.3.0.0/24        A            10.2.0.1    110      peer2      
  4 I  ospf    10.2.0.0/24        A            0.0.0.0     110      peer2      
  5 D  connect 10.2.0.0/24        A            0.0.0.0     0        peer2      
  6 I  ospf    10.1.0.0/24        A            0.0.0.0     110      peer1      
  7 D  connect 10.1.0.0/24        A            0.0.0.0     0        peer1      
  8 D  connect 10.0.0.0/24        A            0.0.0.0     0        main_gw    
[OSPF-Main] >  
==========================================================
[OSPF-peer-1] > ip route print                                                 
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0    static  192.168.3.0/24     A            192.168.0.3 1        local      
  1 D  ospf    0.0.0.0/0          A            10.3.0.2    110      backup     
  2 D  connect 192.168.0.0/24     A            0.0.0.0     0        local      
  3 I  ospf    10.3.0.0/24        A            0.0.0.0     110      backup     
  4 D  connect 10.3.0.0/24        A            0.0.0.0     0        backup     
  5 D  ospf    10.2.0.0/24        A            10.3.0.2    110      backup     
  6 I  ospf    10.1.0.0/24        A            0.0.0.0     110      main_link  
  7 D  connect 10.1.0.0/24        A            0.0.0.0     0        main_link  
  8 D  ospf    10.0.0.0/24        A            10.3.0.2    110      backup     
[OSPF-peer-1] >  
==========================================================
[OSPF-peer-2] > ip route print                                                 
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0 D  ospf    0.0.0.0/0          A            10.2.0.2    110      main       
  1 D  ospf    192.168.3.0/24     A            10.3.0.1    110      to-peer2   
  2 D  ospf    192.168.0.0/24     A            10.3.0.1    110      to-peer2   
  3 I  ospf    10.3.0.0/24        A            0.0.0.0     110      to-peer2   
  4 D  connect 10.3.0.0/24        A            0.0.0.0     0        to-peer2   
  5 I  ospf    10.2.0.0/24        A            0.0.0.0     110      main       
  6 D  connect 10.2.0.0/24        A            0.0.0.0     0        main       
  7 D  ospf    10.1.0.0/24        A            10.2.0.2    110      main       
  8 D  ospf    10.0.0.0/24        A            10.2.0.2    110      main       
[OSPF-peer-2] > 

The routing change takes approximately 40 seconds (the hello-interval setting). If required, this setting can be adjusted, but it must be done on all routers within the OSPF area!
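The three route tables above can be reproduced from the interface costs alone. The script below is an added example, not code from the MikroTik manual: it runs a shortest-path calculation over the three routers, reporting the equal-cost multipath destinations with the default costs, after the backup link is set to cost=50, and when the main link fails. The graph model (router-to-network edges weighted by the outgoing interface cost, zero-cost network-to-router edges on transit networks) is a simplification of OSPF's SPF calculation and leaves out the redistributed 192.168.x.x routes.

```python
"""Replay the OSPF cost arithmetic behind the three route tables above:
which destinations get equal-cost multipath (ECMP) next hops with the
default interface costs, after the backup link is set to cost=50, and when
the main link fails.

Added example, not code from the MikroTik manual. Router, interface and
network names are the manual's; the graph model (router -> network edge
weighted by the outgoing interface cost, network -> router edge of cost 0
for every router on a transit network) is a simplification of the OSPF
shortest-path-first calculation and ignores redistributed routes."""
import heapq


def topology(backup_cost=1):
    """router -> {interface: (attached network, OSPF interface cost)}.
    backup_cost is the cost of the OSPF-peer-1 <-> OSPF-peer-2 link."""
    return {
        "OSPF-Main": {"peer1": ("10.1.0.0/24", 1), "peer2": ("10.2.0.0/24", 1)},
        "OSPF-peer-1": {"main_link": ("10.1.0.0/24", 1),
                        "backup": ("10.3.0.0/24", backup_cost)},
        "OSPF-peer-2": {"main": ("10.2.0.0/24", 1),
                        "to-peer2": ("10.3.0.0/24", backup_cost)},
    }


def build_graph(topo, down_links=()):
    """Directed graph as {node: [(next_node, cost, interface)]}. A network in
    down_links keeps its stub entries (both routers still advertise it as
    connected) but loses its transit edges (the adjacency across it is gone)."""
    graph, attached = {}, {}
    for router, ifaces in topo.items():
        for iface, (net, cost) in ifaces.items():
            graph.setdefault(router, []).append((net, cost, iface))
            attached.setdefault(net, []).append(router)
    for net, routers in attached.items():
        graph[net] = [] if net in down_links else [(r, 0, None) for r in routers]
    return graph


def ospf_routes(topo, source, down_links=()):
    """Shortest-path-first from source: {network: (cost, [first-hop interfaces])}
    for every network that is not directly connected to source. More than one
    interface means OSPF installs an equal-cost multipath route."""
    graph = build_graph(topo, down_links)
    dist, heap = {source: 0}, [(0, source)]
    while heap:                                   # plain Dijkstra for distances
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nxt, cost, _ in graph[node]:
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                heapq.heappush(heap, (d + cost, nxt))
    # Predecessors lying on some shortest path (edges with dist[u] + w == dist[v]).
    preds = {}
    for node, edges in graph.items():
        for nxt, cost, iface in edges:
            if node in dist and dist[node] + cost == dist.get(nxt):
                preds.setdefault(nxt, []).append((node, iface))
    memo = {}

    def first_hops(node):
        """Union of source interfaces over all shortest paths to node."""
        if node == source:
            return set()
        if node not in memo:
            hops = set()
            for p, iface in preds.get(node, []):
                hops |= ({iface} if p == source else first_hops(p))
            memo[node] = hops
        return memo[node]

    connected = {net for net, _ in topo[source].values()}
    networks = {net for ifaces in topo.values() for net, _ in ifaces.values()}
    return {n: (dist[n], sorted(first_hops(n)))
            for n in dist if n in networks and n not in connected}


def ecmp_routes(topo, down_links=()):
    """(router, network, cost, interfaces) for every destination with more than
    one equal-cost next hop anywhere in the area."""
    out = []
    for router in topo:
        for net, (cost, hops) in sorted(ospf_routes(topo, router, down_links).items()):
            if len(hops) > 1:
                out.append((router, net, cost, hops))
    return out


if __name__ == "__main__":
    print("default costs:", ecmp_routes(topology()))       # three ECMP routes
    print("backup cost 50:", ecmp_routes(topology(50)))    # only 10.3.0.0/24 from OSPF-Main
    print("main link down:", ospf_routes(topology(50), "OSPF-peer-1", {"10.1.0.0/24"}))
```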

OSPF Backup using Encrypted Tunnel through a Third Party

(This example is based on V2.5 of the MikroTik RouterOS, which is very similar to V2.4)

This example shows how to use OSPF for backup purposes if you have to use a third-party link for backup and you do not control the routers on the backup link.

Let us assume that the link between the routers OSPF-Main and OSPF-peer-1 is the main one. When the main link goes down, the backup link should go through the ISP-2 router. Since we cannot control the ISP-2 router, we cannot run OSPF on the backup router as in the previous example with OSPF-peer-2. Therefore we have to create a tunnel between the routers OSPF-Main and OSPF-peer-1 that goes through the ISP-2 router. Thus, we will have two links between the routers, and the traffic should switch over to the backup when the main link goes down.

For this:

  1. We create a PPTP tunnel between our two routers, which goes over the ISP-2 router. Please consult the PPTP Interface Manual on how to create PPTP tunnels.
  2. We introduce an OSPF area with area ID=0.0.0.1, which includes our two routers OSPF-Main and OSPF-peer-1.
  3. Only the OSPF-Main router will have the default route configured. Its interfaces peer1 and pptp-in1 will be configured for the OSPF protocol. The interface main_gw will not be used for distributing the OSPF routing information.
  4. The router OSPF-peer-1 will distribute its connected and static route information, and receive the default route from OSPF-Main using the OSPF protocol.

OSPF-Main Router Setup

The PPTP static server configuration is as follows:

[OSPF-Main] > ip route add dst-address=10.3.0.1/32 gateway=10.2.0.1 
[OSPF-Main] > user add name=ospf group=ppp password=asdf4                      
[OSPF-Main] > interface pptp-static-server \
add client-address=10.3.0.1 mtu=1500 mru=1500 \
    local-address=10.4.0.2 remote-address=10.4.0.1 \
    encryption=required 
[OSPF-Main] > interface pptp-static-server print                               
Flags: X - disabled 
  0   name=pptp-in1 client-address=10.3.0.1 mtu=1500 mru=1500 pap=no chap=no 
      ms-chapv2=yes local-address=10.4.0.2 remote-address=10.4.0.1 
      idle-timeout=0s session-timeout=0s encryption=required 

[OSPF-Main] > interface pptp-static-server monitor pptp-in1                    
      status: Connected               
      uptime: 51m56s                  
    encoding: MPPE 128 bit, stateless 
        user: ospf                    

[OSPF-Main] > 

The IP address configuration of the [OSPF-Main] router is as follows:

[OSPF-Main] > ip address print                                                 
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.0.0.214/24      10.0.0.0        10.0.0.255      main_gw               
  1   10.2.0.2/24        10.2.0.0        10.2.0.255      isp2                  
  2   10.1.0.2/24        10.1.0.0        10.1.0.255      peer1                 
  3 D 10.4.0.2/32        10.4.0.1        0.0.0.0         pptp-in1              
[OSPF-Main] > 

OSPF settings:

[OSPF-Main] routing ospf> print                                                
                 router-id: 0.0.0.0
        distribute-default: if-installed
    redistribute-connected: yes
       redistribute-static: no
          redistribute-rip: no
[OSPF-Main] routing ospf> interface set pptp-in1 cost=50                       
[OSPF-Main] routing ospf> interface print                                      
  # INTERFACE                      COST  PRIORITY AUTHENTICATION-KEY           
  0 main_gw                        1     1                                     
  1 isp2                           1     1                                     
  2 peer1                          1     1                                     
  3 pptp-in1                       50    1                                     
[OSPF-Main] routing ospf> area print                                           
  # NAME                               AREA-ID         ST.. DEFAULT-COST AUT...
  0 backbone                           0.0.0.0         no   0            none  
  1 local_10                           0.0.0.1         no   0            none  
[OSPF-Main] routing ospf> network print                                        
Flags: X - disabled 
  #   NETWORK            AREA                                                  
  0   10.1.0.0/24        local_10                                              
  1   10.4.0.1/32        local_10                                              
[OSPF-Main] routing ospf>  

Note that OSPF is configured only for the peer1 and pptp-in1 interfaces. Since pptp-in1 is a point-to-point interface, the network address has a 32-bit mask.

OSPF-peer-1 Router Setup

The PPTP client configuration is as follows:

[OSPF-peer-1] > ip route add dst-address=10.2.0.2/32 gateway=10.3.0.2 
[OSPF-peer-1] > user add name=ospf group=ppp password=asdf4                      
[OSPF-peer-1] > in pptp-client \
add mtu=1500 mru=1500 user=ospf connect-to=10.2.0.2 encryption=required
[OSPF-peer-1] > in pptp-client print                                           
Flags: X - disabled 
  0   name=pptp-out1 mtu=1500 mru=1500 pap=no chap=no ms-chapv2=yes 
      idle-timeout=0s session-timeout=0s encryption=required 
      add-default-route=no user=ospf connect-to=10.2.0.2 

[OSPF-peer-1] > in pptp-client monitor pptp-out1                               
      status: Connected               
      uptime: 20s                     
    encoding: MPPE 128 bit, stateless 

[OSPF-peer-1] > 

The IP address configuration of the [OSPF-peer-1] router is as follows:

[OSPF-peer-1] > ip address print                                               
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.1.0.1/24        10.1.0.0        10.1.0.255      main_link             
  1   10.3.0.1/24        10.3.0.0        10.3.0.255      backup                
  2   192.168.0.1/24     192.168.0.0     192.168.0.255   local                 
  3 D 10.4.0.1/32        10.4.0.2        0.0.0.0         pptp-out1             
[OSPF-peer-1] > 

OSPF settings:

[OSPF-peer-1] routing ospf> print                                              
                 router-id: 0.0.0.0
        distribute-default: never
    redistribute-connected: yes
       redistribute-static: yes
          redistribute-rip: no
[OSPF-peer-1] routing ospf> interface set pptp-out1 cost=50                    
[OSPF-peer-1] routing ospf> interface print                                    
  # INTERFACE                      COST  PRIORITY AUTHENTICATION-KEY           
  0 backup                         1     1                                     
  1 local                          1     1                                     
  2 pptp-out1                      50    1                                     
  3 main_link                      1     1                                     
[OSPF-peer-1] routing ospf> area print                                         
  # NAME                               AREA-ID         ST.. DEFAULT-COST AUT...
  0 backbone                           0.0.0.0         no   0            none  
  1 local_10                           0.0.0.1         no   0            none  
[OSPF-peer-1] routing ospf> network print                                      
Flags: X - disabled 
  #   NETWORK            AREA                                                  
  0   10.4.0.2/32        local_10                                              
  1   10.1.0.0/24        local_10                                              
[OSPF-peer-1] routing ospf>  

Routing Tables

After the PPTP tunnel and the OSPF protocol between the two routers have been set up as described above, and the links between them are operational, the routing tables of the two routers should look as follows:

[OSPF-Main] > ip route print                                                   
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE               
    0  S 0.0.0.0/0          r 10.0.0.1        1        main_gw                 
    1  S 10.3.0.1/32        r 10.2.0.1        1        isp2                    
    2 DO 192.168.3.0/24     r 10.1.0.1        110      peer1                   
    3 DO 192.168.0.0/24     r 10.1.0.1        110      peer1                   
    4 DO 10.4.0.2/32        r 10.1.0.1        110      peer1                   
    5 IO 10.4.0.1/32        r 0.0.0.0         110      pptp-in1                
    6 DC 10.4.0.1/32        r 0.0.0.0         0        pptp-in1                
    7 DO 10.3.0.0/24        r 10.1.0.1        110      peer1                   
    8 IO 10.2.0.0/24        r 10.1.0.1        110      peer1                   
    9 DC 10.2.0.0/24        r 0.0.0.0         0        isp2                    
   10 DO 10.2.0.2/32        r 10.1.0.1        110      peer1                   
   11 IO 10.1.0.0/24        r 0.0.0.0         110      peer1                   
   12 DC 10.1.0.0/24        r 0.0.0.0         0        peer1                   
   13 DC 10.0.0.0/24        r 0.0.0.0         0        main_gw                 
[OSPF-Main] >   
=============================================================================
[OSPF-peer-1] > ip route print                                                 
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE               
    0  S 10.2.0.0/24        r 10.3.0.2        1        backup                  
    1  S 192.168.3.0/24     r 192.168.0.20    1        local                   
    2  S 10.2.0.2/32        r 10.3.0.2        1        backup                  
    3 DO 0.0.0.0/0          r 10.1.0.2        110      main_link               
    4 DC 192.168.0.0/24     r 0.0.0.0         0        local                   
    5 IO 10.4.0.2/32        r 0.0.0.0         110      pptp-out1               
    6 DC 10.4.0.2/32        r 0.0.0.0         0        pptp-out1               
    7 DO 10.4.0.1/32        r 10.1.0.2        110      main_link               
    8 DC 10.3.0.0/24        r 0.0.0.0         0        backup                  
    9 IO 10.2.0.0/24        r 10.1.0.2        110      main_link               
   10 IO 10.1.0.0/24        r 0.0.0.0         110      main_link               
   11 DC 10.1.0.0/24        r 0.0.0.0         0        main_link               
   12 DO 10.0.0.0/24        r 10.1.0.2        110      main_link               
[OSPF-peer-1] > 

Functioning of the Backup

If the link between routers OSPF-Main and OSPF-peer-1 goes down, the OSPF routing changes as follows:

[OSPF-Main] > ip route print                                                   
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE               
    0  S 0.0.0.0/0          r 10.0.0.1        1        main_gw                 
    1  S 10.3.0.1/32        r 10.2.0.1        1        isp2                    
    2 DO 192.168.3.0/24     r 10.4.0.1        110      pptp-in1                
    3 DO 192.168.0.0/24     r 10.4.0.1        110      pptp-in1                
    4 DO 10.4.0.2/32        r 10.4.0.1        110      pptp-in1                
    5 IO 10.4.0.1/32        r 0.0.0.0         110      pptp-in1                
    6 DC 10.4.0.1/32        r 0.0.0.0         0        pptp-in1                
    7 DO 10.3.0.0/24        r 10.4.0.1        110      pptp-in1                
    8 IO 10.2.0.0/24        r 10.4.0.1        110      pptp-in1                
    9 DC 10.2.0.0/24        r 0.0.0.0         0        isp2                    
   10 DO 10.2.0.2/32        r 10.4.0.1        110      pptp-in1                
   11 IO 10.1.0.0/24        r 0.0.0.0         110      peer1                   
   12 DC 10.1.0.0/24        r 0.0.0.0         0        peer1                   
   13 DC 10.0.0.0/24        r 0.0.0.0         0        main_gw                 
[OSPF-Main] > 
==========================================================
[OSPF-peer-1] > ip route print                                                 
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE               
    0  S 10.2.0.0/24        r 10.3.0.2        1        backup                  
    1  S 192.168.3.0/24     r 192.168.0.20    1        local                   
    2  S 10.2.0.2/32        r 10.3.0.2        1        backup                  
    3 DO 0.0.0.0/0          r 10.4.0.2        110      pptp-out1               
    4 DC 192.168.0.0/24     r 0.0.0.0         0        local                   
    5 IO 10.4.0.2/32        r 0.0.0.0         110      pptp-out1               
    6 DC 10.4.0.2/32        r 0.0.0.0         0        pptp-out1               
    7 DO 10.4.0.1/32        r 10.4.0.2        110      pptp-out1               
    8 DC 10.3.0.0/24        r 0.0.0.0         0        backup                  
    9 IO 10.2.0.0/24        r 10.4.0.2        110      pptp-out1               
   10 IO 10.1.0.0/24        r 0.0.0.0         110      main_link               
   11 DC 10.1.0.0/24        r 0.0.0.0         0        main_link               
   12 DO 10.0.0.0/24        r 10.4.0.2        110      pptp-out1               
[OSPF-peer-1] > 

As we see, all routing goes through the PPTP tunnel now.


MikroTik RouterOS RIP

RIP – Routing Information Protocol

Document revision 27-Mar-2002
This document applies to MikroTik RouterOS V2.4 and V2.5

Overview

Routing Information Protocol (RIP) is one of a series of routing protocols based on the Bellman-Ford (or distance vector) algorithm. This interior routing protocol lets routers in the same autonomous system exchange routing information by means of periodic RIP updates. Routers transmit their own RIP updates to neighboring networks and listen to the RIP updates from the routers on those neighboring networks, to ensure that their routing table reflects the current state of the network and that all the best paths are available. The best path is the path with the fewest hops (router gateways).

Topics covered in this manual:

What's New in V2.5?

When migrating from V2.4 to V2.5, please note that:

RIP Installation on the MikroTik RouterOS

The "routing-2.x.y.npk" (407KB) package is required. The package can be downloaded from MikroTik's web page www.mikrotik.com. To install the package, upload it to the router with FTP and reboot. You may check whether the package is installed with the command:

[MikroTik] > system package print                                              
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 routing                2.4.5                 dec/04/2001 14:54:29 no       
  1 snmp                   2.4.5                 dec/04/2001 14:54:41 no       
  2 ppp                    2.4.5                 dec/04/2001 14:55:36 no       
  3 pppoe                  2.4.5                 dec/04/2001 14:56:30 no       
  4 ssh                    2.4.5                 dec/04/2001 14:58:22 no       
  5 pptp                   2.4.5                 dec/04/2001 14:55:54 no       
  6 moxa-c101              2.4.5                 dec/04/2001 14:56:39 no       
  7 framerelay             2.4.5                 dec/04/2001 15:07:21 no       
  8 system                 2.4.5                 dec/04/2001 14:53:19 no       
[MikroTik] >  

RIP Routing Setup

RIP general settings are under the /routing rip menu:

[MikroTik]> routing rip print 
       redistribute-static: no
    redistribute-connected: no
         redistribute-ospf: no
             metric-static: 1
          metric-connected: 1
               metric-ospf: 1
              update-timer: 30s
             timeout-timer: 3m
             garbage-timer: 2m
[MikroTik]> 

Argument description:

Set the desired argument values to "yes" for redistributing the routing information to other routers, for example:

[MikroTik] routing rip> set redistribute-connected=yes
[MikroTik] routing rip> print                                                   
       redistribute-static: no
    redistribute-connected: yes
         redistribute-ospf: no
       redistribute-kernel: no
             metric-static: 1
          metric-connected: 1
               metric-ospf: 1
             metric-kernel: 1
              update-timer: 30s
             timeout-timer: 3m
             garbage-timer: 2m
[MikroTik] routing rip>    

RIP interface setup

To enable RIP, it must be turned on for each interface that should run it, under the /routing rip interface menu:

[MikroTik]> routing rip interface print detail
Flags: X - disabled 
  0 X interface=ether1 send=v2 receive=v2 authentication=none 
      authentication-key="" 

  1 X interface=prism1 send=v2 receive=v2 authentication=none 
      authentication-key="" 

[MikroTik]> routing rip interface enable 0
[MikroTik]> routing rip interface print detail
Flags: X - disabled 
  0   interface=ether1 send=v2 receive=v2 authentication=none 
      authentication-key="" 

  1 X interface=prism1 send=v2 receive=v2 authentication=none 
      authentication-key="" 

[MikroTik]>

Argument description:

RIP Neighbors

To define a neighboring router with which to exchange routing information, use the /routing rip neighbour add command, for example:

[MikroTik] routing rip neighbour> add address=10.0.0.1                         
[MikroTik] routing rip neighbour> print                                        
Flags: X - disabled 
  #   ADDRESS        
  0   10.0.0.1       
[MikroTik] routing rip neighbour>                                              

Normally there is no need to add neighbors if multicasting works properly within the network. If there are problems exchanging routing information, neighbors can be added to the list; this forces the router to exchange routing information with the listed neighbor directly.

RIP Routes

The routes installed by RIP and other routing protocols can be viewed using the /routing rip route print command:

[MikroTik] routing rip route> print                                             
  0 type=ospf metric=1 prefix=0.0.0.0/0 gateway=10.7.1.254 from=0.0.0.0 
    timeout=0s 
...

 33 type=rip metric=2 prefix=159.148.10.104/29 gateway=10.6.1.1 
    from=10.6.1.1 timeout=2m44s 

 34 type=rip metric=2 prefix=159.148.10.112/28 gateway=10.6.1.1 
    from=10.6.1.1 timeout=2m44s 

[MikroTik] routing rip route>
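The timeout column above counts down from the timeout-timer shown by /routing rip print. The following simulation is an added example, not RouterOS code; it models those timers (update 30s, timeout 3m, garbage 2m) and RIP metric handling on constructed updates from a neighbour at 10.0.0.26.

```python
# Added example (not RouterOS code): a small RFC 2453 style RIP route table
# that models the timers printed by "/routing rip print" and the "timeout="
# column of "/routing rip route print". All updates below are constructed.

UPDATE_TIMER = 30        # seconds between periodic updates (update-timer: 30s)
TIMEOUT_TIMER = 3 * 60   # route valid this long after its last update (3m)
GARBAGE_TIMER = 2 * 60   # expired route kept as unreachable this long (2m)
INFINITY = 16            # RIP metric meaning "unreachable"


def fmt_timeout(seconds):
    """Render seconds the way the timeout column prints them, e.g. 172 -> 2m52s."""
    m, s = divmod(int(seconds), 60)
    return f"{m}m{s}s" if m else f"{s}s"


class RipRoute:
    def __init__(self, prefix, gateway, metric, now):
        self.prefix = prefix
        self.gateway = gateway                  # the "from" router of the update
        self.metric = metric
        self.timeout_at = now + TIMEOUT_TIMER   # invalid from here if not refreshed
        self.garbage_at = None                  # set once the route has expired

    def remaining(self, now):
        """Seconds left before the route times out."""
        return max(0, self.timeout_at - now)


class RipTable:
    def __init__(self):
        self.routes = {}   # prefix -> RipRoute

    def receive_update(self, gateway, prefix, metric, now):
        """Process one prefix/metric pair from a neighbour's RIP update."""
        new_metric = min(metric + 1, INFINITY)   # one more hop than the sender
        cur = self.routes.get(prefix)
        if new_metric >= INFINITY:
            # Neighbour withdrew the route: if it was our gateway, start garbage collection
            if cur and cur.gateway == gateway and cur.garbage_at is None:
                cur.metric = INFINITY
                cur.garbage_at = now + GARBAGE_TIMER
            return
        if cur is None or new_metric < cur.metric or cur.gateway == gateway:
            # New prefix, a better path, or a refresh from the current gateway:
            # install it and restart its timeout
            self.routes[prefix] = RipRoute(prefix, gateway, new_metric, now)

    def tick(self, now):
        """Age the table: expire silent routes, then drop garbage-collected ones."""
        for prefix, r in list(self.routes.items()):
            if r.garbage_at is None and now >= r.timeout_at:
                r.metric = INFINITY
                r.garbage_at = now + GARBAGE_TIMER
            if r.garbage_at is not None and now >= r.garbage_at:
                del self.routes[prefix]

    def best(self, prefix):
        r = self.routes.get(prefix)
        return None if r is None else (r.gateway, r.metric)


def simulate():
    """Constructed scenario: a neighbour at 10.0.0.26 advertises the default
    route with metric 1, refreshes it once, then falls silent."""
    t = RipTable()
    t.receive_update("10.0.0.26", "0.0.0.0/0", 1, now=0)
    t.receive_update("10.0.0.26", "0.0.0.0/0", 1, now=UPDATE_TIMER)   # periodic refresh
    timeline = {
        # 8 s after the refresh the route shows metric 2 and timeout 2m52s
        "after_refresh": (t.best("0.0.0.0/0"),
                          fmt_timeout(t.routes["0.0.0.0/0"].remaining(UPDATE_TIMER + 8))),
    }
    t.tick(UPDATE_TIMER + TIMEOUT_TIMER)                   # no update for 3m: unreachable
    timeline["expired"] = t.best("0.0.0.0/0")
    t.tick(UPDATE_TIMER + TIMEOUT_TIMER + GARBAGE_TIMER)   # 2m later: removed
    timeline["removed"] = t.best("0.0.0.0/0")
    return timeline
```

A route from a neighbour that has gone away, or from any host on the segment that can send updates while the interfaces run with authentication=none, stays in the table for up to timeout-timer plus garbage-timer, i.e. five minutes with the settings above.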

Additional Resources

Links for RIP documentation:


RIP Examples

Let us consider an example of routing information exchange between a MikroTik router, a Cisco router, and the ISP's (also MikroTik) routers:

RIP Example

The Configuration of the MikroTik Router

The configuration of the MikroTik router is as follows:

[MikroTik] > interface print                                                   
Flags: X - disabled, D - dynamic 
  #   NAME                 MTU   TYPE                                          
  0   ether2               1500  ether                                         
  1   ether1               1500  ether                                         
[MikroTik] > ip address print                                                  
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.0.0.174/24      10.0.0.174      10.0.0.255      ether1                
  1   192.168.0.1/24     192.168.0.0     192.168.0.255   ether2                
[MikroTik] >
[MikroTik] > ip route print                                                    
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  1 D  connect 192.168.0.0/24     A            0.0.0.0     0        ether2     
  2 D  connect 10.0.0.0/24        A            0.0.0.0     0        ether1     
[MikroTik] >

Note that no default route has been configured; it will be obtained via RIP. The necessary configuration of the RIP general settings is as follows:

[MikroTik] routing rip> set redistribute-connected=yes
[MikroTik] routing rip> print                                                  
       redistribute-static: no
    redistribute-connected: yes
         redistribute-ospf: no
             metric-static: 1
          metric-connected: 1
               metric-ospf: 1
              update-timer: 30s
             timeout-timer: 3m
             garbage-timer: 2m
[MikroTik] routing rip>

The minimum required RIP interface configuration is just enabling ether1:

[MikroTik] routing rip interface> enable ether1                                
[MikroTik] routing rip interface> print                                        
Flags: X - disabled 
  0 X interface=ether2 send=v2 receive=v2 authentication=none 
      authentication-key="" 

  1   interface=ether1 send=v2 receive=v2 authentication=none 
      authentication-key="" 

[MikroTik] routing rip interface>  

Note that ether2 does not need to be enabled if no propagation of RIP information into the remote network is required. The routes obtained by RIP can be viewed in the /routing rip route menu:

[MikroTik] routing rip> route print                                            
  0 type=rip metric=2 prefix=0.0.0.0/0 gateway=10.0.0.26 from=10.0.0.26 
    timeout=2m52s 

  1 type=connect metric=1 prefix=10.0.0.0/24 gateway=0.0.0.0 from=0.0.0.0 
    timeout=0s 

  2 type=connect metric=1 prefix=192.168.0.0/24 gateway=0.0.0.0 from=0.0.0.0 
    timeout=0s 

  3 type=rip metric=2 prefix=192.168.1.0/24 gateway=10.0.0.26 from=10.0.0.26 
    timeout=2m52s 

  4 type=rip metric=3 prefix=192.168.3.0/24 gateway=10.0.0.26 from=10.0.0.26 
    timeout=2m52s 

[MikroTik] routing rip> 

The regular routing table is:

[MikroTik] routing rip> /ip route print                                        
Flags: X - disabled, I - invalid, D - dynamic, R - rejected 
  #    TYPE    DST-ADDRESS        NEXTHOP-S... GATEWAY     DISTANCE INTERFACE  
  0 D  rip     0.0.0.0/0          A            10.0.0.26   120      ether1     
  1 D  rip     192.168.3.0/24     A            10.0.0.26   120      ether1     
  2 D  rip     192.168.1.0/24     A            10.0.0.26   120      ether1     
  3 D  connect 192.168.0.0/24     A            0.0.0.0     0        ether2     
  4 D  connect 10.0.0.0/24        A            0.0.0.0     0        ether1     
[MikroTik] routing rip> 

As we can see, the MikroTik router has learned RIP routes from the Cisco router.

The Configuration of the Cisco Router

Cisco#show running-config
...
interface Ethernet0
 ip address 10.0.0.26 255.255.255.0
 no ip directed-broadcast
!
interface Serial1
 ip address 192.168.1.1 255.255.255.252
 ip directed-broadcast
!
router rip
 version 2
 redistribute connected
 redistribute static
 network 10.0.0.0
 network 192.168.1.0
!
ip classless
!
...

The routing table of the Cisco router is:

Cisco#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is 192.168.1.2 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Ethernet0
R    192.168.0.0/24 [120/1] via 10.0.0.174, 00:00:19, Ethernet0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, Serial1
R    192.168.3.0/24 [120/1] via 192.168.1.2, 00:00:05, Serial1
R*   0.0.0.0/0 [120/1] via 192.168.1.2, 00:00:05, Serial1
Cisco#

As we can see, the Cisco router has learned RIP routes both from the MikroTik router (192.168.0.0/24), and from the ISP router (0.0.0.0/0 and 192.168.3.0/24).



MikroTik RouterOS BGP Routing Protocol

Draft

Document revision 06-Apr-2002
This document applies to the MikroTik RouterOS 2.5

Overview

The Border Gateway Protocol (BGP) is an Exterior Gateway Protocol (EGP). It allows setting up an interdomain routing system that automatically guarantees the loop-free exchange of routing information between autonomous systems.

MikroTik RouterOS supports BGP Versions 2, 3, and 4, as defined in RFCs 1163, 1267, and 1771, respectively.

The MikroTik RouterOS implementation of the BGP has the following features:

Contents of the Manual

The following topics are covered in this manual:

Installation

The BGP feature is included in the “bgp” package. The package file bgp-2.x.y.npk can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload it to the router with ftp and reboot. You may check to see if the routing package is installed with the command:

[MikroTik] > system package print                                              
Flags: I - invalid 
  #   NAME                  VERSION              BUILD-TIME           UNINSTALL
  0   system                2.5                  apr/03/2002 10:06:30 no       
  1   bgp                   2.5                  apr/03/2002 10:19:15 no       
[MikroTik] >                                                                   

Hardware Resource Usage

The BGP requires additional RAM for storing the routing information. It is recommended to have 128MB or more RAM.

BGP Description

For a description of BGP and implementation guidelines, please refer to the readings mentioned in the list of Additional Resources. This document discusses BGP configuration for MikroTik RouterOS.

BGP Setup

The BGP management can be accessed under the /routing bgp submenu.

Setting the Basic BGP Configuration

To enable the BGP and set the AS number, use the /routing bgp set command, for example:

[MikroTik] routing bgp> print                                                  
                   enabled: no
                        as: 0
                 router-id: 0.0.0.0
       redistribute-static: no
    redistribute-connected: no
          redistribute-rip: no
         redistribute-ospf: no
                     state: disabled
[MikroTik] routing bgp> set as=65002 router-id=159.148.147.206 enabled=yes
[MikroTik] routing bgp> print                                                  
                   enabled: yes
                        as: 65002
                 router-id: 159.148.147.206
       redistribute-static: no
    redistribute-connected: no
          redistribute-rip: no
         redistribute-ospf: no
                     state: running
[MikroTik] routing bgp>       

Argument description:

enabled - (yes / no) Enable or disable BGP.
as - Autonomous system number.
router-id - The router ID.
redistribute-connected - (yes / no) If set to yes, the router redistributes information about all connected routes, i.e., routes to networks that can be reached directly from the router.
redistribute-static - (yes / no) If set to yes, the router redistributes information about all static routes in its routing database, i.e., routes created with the /ip route add command.
redistribute-rip - (yes / no) If set to yes, the router redistributes information about all routes learned via RIP.
state - Status of the BGP:
disabled - not working, has been disabled
running - working

Usually you want to redistribute connected and static routes, if any. Therefore change the settings for these arguments and proceed to the BGP networks.

BGP Network

To tell the BGP router which networks to advertise, use the /routing bgp network add command:

[MikroTik] routing bgp network> add network=159.148.150.192/27        
[MikroTik] routing bgp network> print                                          
  # NETWORK           
  0 159.148.150.192/27
[MikroTik] routing bgp network>

Here, the network argument is used to specify the network/mask to advertise. You can add to the list as many networks as required. Also, you can use 0.0.0.0/0 to advertise all networks.

Note that OSPF uses its network list for a different purpose: to determine where to send updates.

BGP Peers

You need to specify the BGP peer with whom you want to exchange the routing information. The BGP exchanges routing information only if it can establish a TCP connection to its peer. You can add as many peers as required, for example:

[MikroTik] routing bgp peer> add remote-address=192.168.0.254 remote-as=217
[MikroTik] routing bgp peer> print                                             
  # REMOTE-ADDRESS  REMOTE-AS MULTIHOP ROUTE-REFLECT
  0 192.168.0.254   217       no       no           
[MikroTik] routing bgp peer> print detail                                      
  0 remote-address=192.168.0.254 remote-as=217 multihop=no route-reflect=no 
    prefix-list-in=none prefix-list-out=none state=not-connected 
    routes-received=0 

[MikroTik] routing bgp peer>  

Argument description:

remote-address - Address of the remote peer.
remote-as - AS number of the remote peer.
multihop - (yes / no) Allows BGP sessions, even when the neighbor is not on a directly connected segment. The multihop session is not established if the only route to the multi-hop peer's address is the default route (0.0.0.0).
route-reflect - (yes / no)
prefix-list-in - Name of the filtering prefix list for receiving routes.
prefix-list-out - Name of the filtering prefix list for advertising routes.
state - Shows the status of the BGP connection to the peer. Can be 'not-connected' or 'connected'.
routes-received - Shows the number of received routes from this peer.

The prefix lists should be defined under the '/routing prefix-list'.

BGP Filtering using Prefix Lists

Filtering by prefix list involves matching the prefixes of routes against the members of the prefix list. When a route matches a member, that member's action (accept or reject) is applied; otherwise the list's default action applies. The prefix lists are referenced when specifying the peers under '/routing bgp peer'. An empty prefix list permits all prefixes.

To add a prefix list, use the '/routing prefix-list add' command, for example:

[MikroTik] routing prefix-list> add name=cybernet                              
[MikroTik] routing prefix-list> print                                          
  # NAME                                                         DEFAULT-ACTION
  0 cybernet                                                     accept        
[MikroTik] routing prefix-list>                                                

Argument description:

name - Name for the prefix list
default-action - (accept / reject) Default action for all members of this list.

The list members can be added using the '/routing prefix-list list _listname_ add' command, for example:

[MikroTik] routing prefix-list> list cybernet
[MikroTik] routing prefix-list list cybernet> add prefix=172.16.0.0 prefix-length=16
[MikroTik] routing prefix-list list cybernet> print                            
  # PREFIX             PREFIX-LENGTH ACTION
  0 172.16.0.0/0       16            accept
[MikroTik] routing prefix-list list cybernet>                                  

Argument description:

prefix - Network prefix, e.g., 198.168.0.0
prefix-length - Length of the network prefix in bits, e.g., 16
action - (accept / reject) Action for the list member

You can add as many members to the list as required.
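As an added illustration, not RouterOS code, the following evaluates prefixes received from a peer against a prefix list built the way the commands above build one. The manual does not state how a member matches; this example assumes a member matches any route that lies within its prefix/prefix-length, that the first matching member decides, and that default-action applies otherwise. The received prefixes and the second, stricter list are constructed.

```python
# Added example (not RouterOS code): how a prefix-list-in filter decides which
# prefixes received from a peer are accepted. Assumption, not stated in the
# manual: a member matches every route inside prefix/prefix-length, the first
# matching member decides, and default-action applies when nothing matches.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Member:
    prefix: str
    prefix_length: int
    action: str = "accept"   # as in "/routing prefix-list list <name> add"

    def matches(self, route):
        net = ipaddress.ip_network(f"{self.prefix}/{self.prefix_length}", strict=False)
        return route.subnet_of(net)


@dataclass
class PrefixList:
    name: str
    default_action: str = "accept"   # the "/routing prefix-list add" default
    members: list = field(default_factory=list)

    def add(self, prefix, prefix_length, action="accept"):
        self.members.append(Member(prefix, prefix_length, action))
        return self

    def evaluate(self, prefix):
        """Return 'accept' or 'reject' for one received prefix."""
        route = ipaddress.ip_network(prefix, strict=False)
        for m in self.members:
            if m.matches(route):
                return m.action
        return self.default_action

    def filter_in(self, received):
        """The subset of received prefixes that prefix-list-in lets through."""
        return [p for p in received if self.evaluate(p) == "accept"]


# Constructed sample of what peer 192.168.0.254 (remote-as 217) might announce
RECEIVED = ["10.7.0.0/16", "172.16.5.0/24", "159.148.150.192/27",
            "0.0.0.0/0", "198.51.100.0/24"]


def manual_list():
    """The 'cybernet' list exactly as built above: default accept plus one accept member."""
    return PrefixList("cybernet").add("172.16.0.0", 16)


def inbound_list():
    """Hypothetical stricter inbound list: reject the prefix this router itself
    advertises (159.148.150.192/27 from the BGP network example) and RFC 1918
    space, accept everything else."""
    return (PrefixList("peer-in", default_action="accept")
            .add("159.148.150.192", 27, "reject")
            .add("10.0.0.0", 8, "reject")
            .add("172.16.0.0", 12, "reject")
            .add("192.168.0.0", 16, "reject"))
```

With the manual's list the accept member changes nothing, because default-action is already accept; a list that is meant to filter needs reject members or default-action=reject. Under this matching assumption a member with prefix 0.0.0.0 and prefix-length 0 matches every route, not only the default route.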

Troubleshooting

Additional Resources

Recommended readings for guidelines on building BGP networks:

BGP Application Examples

(Not complete yet)



MikroTik RouterOS Bridge Management

Document revision 31-Jan-2002
This document applies to the MikroTik RouterOS V2.5

Overview

MAC level bridging of Ethernet packets is supported. The router has one internal bridging table; interfaces can be included in or excluded from it. Ethernet, Ethernet over IP (EoIP), Prism and RadioLAN interfaces are supported. 802.11b client wireless interfaces (ad-hoc or infrastructure) cannot be bridged directly because of the limits of 802.11b; it is possible to bridge over them using the Ethernet over IP protocol (please see the documentation on EoIP).

Features include:

Contents of the Manual

The following topics are covered in this manual:

Installation

The bridge feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

When bridging is enabled, it uses a small amount of memory; no additional memory is required.

Bridge Setup

Bridge management can be accessed under the /bridge menu:

[MikroTik] bridge> ?
Configure interfaces that are used for bridge forwarding, protocols that will
be forwarded and look at bridge forwarding table.

     export  print configuration as set of router commands
        get  get value of property
       host  Bridge forwarding table
  interface  Interfaces used for bridging
      print  print settings
        set  change settings
[MikroTik] bridge> print
           ip: discard
          ipx: discard
    appletalk: discard
         ipv6: discard
          arp: discard
        other: discard
     priority: 1
[MikroTik] bridge>

Assume we want to enable bridging between two Ethernet LAN segments and have the MikroTik router be the default gateway for them:

When configuring the MikroTik router for bridging you should do the following:

  1. Configure the bridge settings
  2. Configure the bridge interfaces for bridging
  3. Enable the bridge interface
  4. Assign an IP address to the bridge interface, if needed

When configuring the bridge settings, each protocol that should be forwarded must be set to 'forward'. The 'other' protocol covers all protocols not listed above:

[MikroTik] bridge> set ip=forward arp=forward other=forward
[MikroTik] bridge> print
           ip: forward
          ipx: discard
    appletalk: discard
         ipv6: discard
          arp: forward
        other: forward
     priority: 1
[MikroTik] bridge>

The priority argument is used by the Spanning Tree Protocol to determine which port remains enabled if two ports form a loop.

Next, each interface that should be included in the bridging table should be set to 'forward=yes':

[MikroTik] bridge interface> print
Flags: X - disabled
  #   INTERFACE
  0 X ether2
  1 X ether1
[MikroTik] bridge interface> enable 0
[MikroTik] bridge interface> enable 1
[MikroTik] bridge interface> print
  #   INTERFACE
  0   ether2
  1   ether1
[MikroTik] bridge interface>

After at least one interface has been set for bridging, a bridge interface is added to the router's interface table. Enable that interface in order to start using it:

[MikroTik] bridge interface> /interface
[MikroTik] interface> print
Flags: X - disabled, D - dynamic
  #   NAME                 MTU   TYPE
  0   ether2               1500  ether
  1   ether1               1500  ether
  2   wavelan1             1500  wavelan
  3 X pppoe-out1           1492  pppoe-out
  4 X bridge1              1500  bridge
[MikroTik] interface> enable bridge1
[MikroTik] interface> print
Flags: X - disabled, D - dynamic
  #   NAME                 MTU   TYPE
  0   ether2               1500  ether
  1   ether1               1500  ether
  2   wavelan1             1500  wavelan
  3 X pppoe-out1           1492  pppoe-out
  4   bridge1              1500  bridge
[MikroTik] interface> bridge print
Flags: X - disabled
  #   NAME                 MAC-ADDRESS
  0   bridge1              FE:FD:08:00:9A:CB
[MikroTik] interface>

To access the router through the bridged interfaces, which carry no IP addresses themselves, an IP address must be added to the bridge interface:

[MikroTik] ip address> add address=192.168.0.254/24 interface=bridge1
[MikroTik] ip address> add address=10.1.1.12/24 interface=wavelan1
[MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   192.168.0.254/24   192.168.0.0     192.168.0.255   bridge1
  1   10.1.1.12/24       10.1.1.0        10.1.1.255      wavelan1
[MikroTik] ip address>

The hosts on LAN segments #1 and #2 should use IP addresses from the same network 192.168.0.0/24 and have the default gateway set to 192.168.0.254 (MikroTik router).

Bridge Monitoring

The bridge can be monitored in real time. The bridging table shows the MAC address of each host, the interface through which packets to that host are forwarded, and the age of the entry in seconds:

[MikroTik] bridge host> print
Flags: L - local 
   MAC-ADDRESS       ON-INTERFACE                           AGE                 
   00:00:21:84:88:81 ether1                                 0s                  
 L 00:00:B4:5D:7C:68 ether1                                 0s                  
   00:00:B4:C6:80:EA eoip-tunnel1                           49s                 
   00:30:4F:12:81:F0 eoip-tunnel1                           3m59s               
   00:30:4F:12:84:F8 eoip-tunnel1                           2m55s               
   00:30:84:0A:58:B7 ether1                                 12s                 
   00:90:27:45:26:CD ether1                                 1m14s               
   00:90:27:6A:A1:2E ether1                                 1m14s               
   00:A0:24:C8:07:E6 ether1                                 4m14s               
   00:A0:C9:1C:E4:9B ether1                                 1m30s               
   00:A0:C9:3D:50:08 ether1                                 4m4s                
   00:C0:DF:E6:A7:43 ether1                                 1m30s               
   00:C0:DF:ED:FA:2C ether1                                 4m14s               
 L FE:FD:00:00:00:00 eoip-tunnel1                           0s                  
[MikroTik] bridge host>



MikroTik RouterOS System Resource Management

Document revision 26-Mar-2002
This document applies to the MikroTik RouterOS v2.4 and v2.5

Overview

MikroTik RouterOS offers several features for monitoring and managing the system resources. Most of the system resource management tools are grouped under the /system menu. The user management, logging feature and some other system features are described in separate manuals.

Contents of the Manual

The following topics are covered in this manual:

System Resource Monitor

System Resource Monitor can be accessed under the /system resource menu:

[MikroTik] system resource>

  monitor  Monitor CPU and memory usage
      irq  Interrupt Request usage information
       io  Input/Output ports usage information
    print  Print basic system resources information
      get  get value of property
[MikroTik] system resource>

Basic System Resources

Use the print command to view the basic system resource status:

[MikroTik] system resource> print
           uptime: 14d8h49m58s
      free-memory: 8232 kB
     total-memory: 29532 kB
              cpu: WinChip
         cpu-load: 0
   free-hdd-space: 28460 kB
  total-hdd-space: 46474 kB
[MikroTik] system resource>

The argument values are self-explanatory.

System Resource Monitoring

The current system CPU usage and free memory can be viewed using the monitor command:

[MikroTik] system resource> monitor
       cpu-used: 1
    free-memory: 8232

[MikroTik] system resource>

The values for cpu usage and free memory are in percentage and megabytes, respectively.

IRQ and IO Usage Monitor

The IRQ and IO addresses can be viewed using the irq print and io print commands:

[MikroTik] system resource> irq print
Flags: U- unused
   IRQ OWNER
   1   keyboard
   2   APIC
 U 3
   4   serial port
 U 5
 U 6
 U 7
 U 8
   9   ether1
 U 10
   11  ether2
 U 12
 U 13
   14  IDE 1
[MikroTik] system resource> io print
 PORT-RANGE            OWNER
 20-3F                 APIC
 40-5F                 timer
 60-6F                 keyboard
 80-8F                 DMA
 A0-BF                 APIC
 C0-DF                 DMA
 F0-FF                 FPU
 1F0-1F7               IDE 1
 2F8-2FF               serial port
 3C0-3DF               VGA
 3F6-3F6               IDE 1
 3F8-3FF               serial port
 EE00-EEFF             ether1
 EF40-EF7F             pc1
 FC00-FC07             IDE 1
 FC08-FC0F             IDE 2
 FC10-FC7F             [CS5530]
[MikroTik] system resource>

Reboot and Shutdown

The system reboot is required when upgrading or installing new software packages. The packages are installed during the system shutdown. Use the reboot command to reboot the router:

[MikroTik] system> reboot
Reboot, yes? [y/N]: y
system will reboot shortly

Only users who are members of groups with the reboot policy can reboot or shut down the router. The reboot process sends a termination signal to all running processes, unmounts the file systems, and reboots the router.

Before turning the router's power off, the system should be brought to a halt using the shutdown command:

[MikroTik] system> shutdown
Shutdown, yes? [y/N]: y
system will shutdown promptly

For most systems, it is necessary to wait approximately 30 seconds for a safe power down.

Configuration Reset

The reset command clears all configuration of the router and sets it to the default including the login name and password ('admin' and no password):

[MikroTik] system> reset
Dangerous! Reset anyway? [y/N]:

The router is rebooted after the reset command.

Router Identity

The router identity is displayed before the command prompt. It is also reported by the DHCP client to the DHCP server as the 'host name' parameter. The router identity can be set using the /system identity set command:

[MikroTik] system identity> print
    name: MikroTik
[MikroTik] system identity> set name=Our_GW
[Our_GW] system identity>

Date and Time Settings

The system Date and Time settings are managed under the /system clock menu:

[MikroTik] system clock> print
         time: mar/26/2002 14:41:45
    time-zone: +00:00
[MikroTik] system clock>

To set the system date and time use the set command:

[MikroTik] system clock> set ?
       date New system date [month/DD/YYYY]
       time New system time [HH:MM:SS]
  time-zone Local time zone
[MikroTik] system clock> set date=mar/26/2002 time=14:41:00 time-zone=+02:00
[MikroTik] system clock> print
         time: mar/26/2002 16:41:12
    time-zone: +02:00
[MikroTik] system clock>

Date and time settings are stored permanently and also affect the BIOS clock settings.

Configuration Change History

The history of system configuration changes is kept until the next router shutdown. The invoked commands can be 'undone' using the /undo command; invoking it several times undoes the configuration changes in the reverse order in which they were made. Use the /system history print command to see the list of performed actions:

[MikroTik] system history> print
Flags: U - undoable, R - redoable
   ACTION                                BY                                   POLICY
 U address removed                                                            write
 U route added                                                                write
 U system identity changed                                                    write
 U system time changed                                                        write
[MikroTik] system history>

The list is printed with the newest actions at the top. Thus, in this example, the /undo command would 'undelete' the address which has been removed:

[MikroTik] system history> /undo
[MikroTik] system history> print
Flags: U - undoable, R - redoable
   ACTION                                BY                                   POLICY
 R address removed                                                            write
 U route added                                                                write
 U system identity changed                                                    write
 U system time changed                                                        write
[MikroTik] system history>

Tip: If you accidentally removed some item or set a wrong argument value, just execute the /undo command to undo the previous action. The /redo command does the opposite: it redoes the previously undone action.



MikroTik RouterOS Users and Groups

Document revision 13-Jun-2002
This document applies to the MikroTik RouterOS v2.4 and v2.5

Overview

MikroTik RouterOS has a local user database. Permissions and user rights are granted to groups. Users belong to groups and receive all the permissions and user rights assigned to that group.

Contents of the Manual

The following topics are covered in this manual:

User Management

User management can be accessed under the /user menu:

[MikroTik] user> print
Flags: X - disabled
  0   ;;; system default user
      name=admin group=full address=0.0.0.0/0 caller-id="" tx-bit-rate=0
      rx-bit-rate=0 only-one=no max-session-time=0s

[MikroTik] user>

Use the add command to add a user to the user database:

[MikroTik] user> add name=joe group=ppp password=j1o2e3
[MikroTik] user> print
Flags: X - disabled
  0   ;;; system default user
      name=admin group=full address=0.0.0.0/0 caller-id="" tx-bit-rate=0
      rx-bit-rate=0 only-one=no max-session-time=0s

  1   name=joe group=ppp address=0.0.0.0/0 caller-id="" tx-bit-rate=0
      rx-bit-rate=0 only-one=no max-session-time=0s

[MikroTik] user>

Argument description:

name - (required) User name. Must start with an alphanumeric character and may contain alphanumeric characters, "*", "_", ".", "@".
group - (required) Name of the group the user belongs to. The system default groups are 'full', 'write', 'read', and 'ppp'. See below on how to manage user groups.
password - User password. If not specified, it is left blank (hit 'Enter' when logging in). It conforms to standard Unix password conventions and can contain letters, digits, "*" and "_".
tx-bit-rate - Connection rate limit for PPPoE transmit
rx-bit-rate - Connection rate limit for PPPoE receive
caller-id - For PPTP it is the IP address of the client; for PPPoE it is the MAC address of the client
max-session-time - (Only for PPP connections) Maximum session time the user can have when logged in
only-one - (yes / no) (Only for PPP connections) If 'yes', the user can have only one session at a time
address - IP address from which the user is allowed to log in. When logging in using PPP, if the remote address is specified in the PPP interface settings, then this address must match the specified address in order for the client to log in. Can be in the form address/mask, where 'mask' is the number of bits in the subnet mask.
netmask - Network mask of addresses assigned to the user

Note! The user name "*" is used for PPP to match any user.

The list of active users can be viewed using the /user active print command:

[MikroTik] > /user active print
  0 when=mar/26/2002 15:55:44 name=admin address=0.0.0.0 via=console
  1 when=mar/26/2002 15:56:44 name=joe address=0.0.0.0 via=console

[MikroTik] >

When the user has logged on, he or she can change the password using the /password command. The user is required to enter the current password before entering the new one. The new password must be used the next time the user logs in.

User Groups

User group management can be accessed under the /user group menu:

[MikroTik] user group> print
  0 ;;; ppp users
    name=ppp policy=ppp

  1 ;;; users with read only permission
    name=read policy=local telnet ssh reboot read test web

  2 ;;; users with write permission
    name=write policy=local telnet ssh reboot read write test web

  3 ;;; users with complete access
    name=full policy=local telnet ssh ftp reboot read write policy test web

[MikroTik] user group>

There are four system groups, which cannot be deleted. Use the add command to add a user group:

[MikroTik] user group> add name=reboot policy="telnet reboot read"
[MikroTik] user group> print
  0 ;;; ppp users
    name=ppp policy=ppp

  1 ;;; users with read only permission
    name=read policy=local telnet ssh reboot read test web

  2 ;;; users with write permission
    name=write policy=local telnet ssh reboot read write test web

  3 ;;; users with complete access
    name=full policy=local telnet ssh ftp reboot read write policy test web

  4 name=reboot policy=telnet reboot read
[MikroTik] user group>

Here, the argument name is the name of the group, and policy contains the list of policies assigned to the group:

local - User can log on locally via the console
telnet - User can log on remotely via telnet
ssh - User can log on remotely via secure shell
ftp - User can log on remotely via ftp and send files to and retrieve files from the router
reboot - User can reboot the router
read - User can retrieve the configuration
write - User can retrieve and change the configuration
policy - User can manage user policies and add and remove users
test - User can run ping, traceroute and bandwidth test
web - User can log on remotely via http
ppp - User can log on using ppp connections to the router (PPP, PPTP, PPPoE)
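
The two listings above are the only place the router shows who can log in and what each account may do. As an added example (not MikroTik's code, and not something the router does itself), the script below parses the output of /user print and /user group print, resolves each account's group to its policy list, and reports enabled accounts that hold configuration-changing policies ('write', 'policy', 'ftp') while their address is still 0.0.0.0/0, i.e. reachable from anywhere. The sample listings are constructed in the layout shown above; the account 'ops' and its address restriction are assumptions.

```python
"""Audit RouterOS 2.5 '/user print' and '/user group print' listings.

Added example, not MikroTik code: the listing layout is the one shown above;
the user 'ops' and the address restriction on it are constructed.
"""
import re
import shlex

# Constructed sample output in the layout of the listings above.
USER_PRINT = """\
Flags: X - disabled
  0   ;;; system default user
      name=admin group=full address=0.0.0.0/0 caller-id="" tx-bit-rate=0
      rx-bit-rate=0 only-one=no max-session-time=0s

  1   name=joe group=ppp address=0.0.0.0/0 caller-id="" tx-bit-rate=0
      rx-bit-rate=0 only-one=no max-session-time=0s

  2   name=ops group=write address=10.5.5.0/24 caller-id="" tx-bit-rate=0
      rx-bit-rate=0 only-one=no max-session-time=0s
"""

GROUP_PRINT = """\
  0 ;;; ppp users
    name=ppp policy=ppp

  1 ;;; users with read only permission
    name=read policy=local telnet ssh reboot read test web

  2 ;;; users with write permission
    name=write policy=local telnet ssh reboot read write test web

  3 ;;; users with complete access
    name=full policy=local telnet ssh ftp reboot read write policy test web
"""

ADMIN_POLICIES = {"write", "policy", "ftp"}                 # policies that change the router
ITEM_RE = re.compile(r"^\s*(\d+)\s+((?:[A-Z]\s+)*)(.*)$")  # "  1 X name=..." or "  0 ;;; comment"
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9*_.@]*$")     # the 'name' rule given above


def add_fields(item, line):
    """Merge key=value tokens into item; bare tokens extend the previous value
    (that is how a multi-word policy list is printed)."""
    key = None
    for tok in shlex.split(line):          # shlex honours quoted values such as caller-id=""
        if "=" in tok:
            key, value = tok.split("=", 1)
            item[key] = value
        elif key is not None:
            item[key] = (item[key] + " " + tok).strip()


def parse_print(text):
    """Return one dict per numbered item of a 'print' listing."""
    items, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Flags:") or line.startswith("["):
            continue                        # header, prompt or separator line
        m = ITEM_RE.match(line)
        if m:                               # a new numbered item starts here
            current = {"index": int(m.group(1)), "flags": m.group(2).split()}
            items.append(current)
            line = m.group(3)
            if line.startswith(";;;"):      # comment line; fields follow on the next lines
                current["comment"] = line[3:].strip()
                continue
        if current is not None:
            add_fields(current, line)
    return items


def audit(user_text=USER_PRINT, group_text=GROUP_PRINT):
    """Return (user, finding) pairs for enabled accounts worth a second look."""
    groups = {g["name"]: set(g.get("policy", "").split()) for g in parse_print(group_text)}
    findings = []
    for u in parse_print(user_text):
        name = u.get("name", "")
        if "X" in u["flags"]:
            continue                        # disabled accounts cannot log in
        if name != "*" and not NAME_RE.match(name):
            findings.append((name, "user name violates the naming rule"))
        policies = groups.get(u.get("group"), set())
        if not policies:
            findings.append((name, "unknown group %r" % u.get("group")))
        admin = policies & ADMIN_POLICIES
        if admin and u.get("address", "0.0.0.0/0") == "0.0.0.0/0":
            findings.append((name, "policies %s allowed from any address"
                             % ",".join(sorted(admin))))
    return findings


if __name__ == "__main__":
    for user, finding in audit():
        print("%-8s %s" % (user, finding))
```

Run against the sample, only 'admin' is reported: it belongs to 'full' and has no address restriction, while 'ops' holds 'write' but is limited to 10.5.5.0/24. Setting address on every administrative account is the one control this section offers against password guessing from arbitrary hosts.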


© Copyright 1999-2002, MikroTik

MikroTik RouterOS License

Document revision 26-Mar-2002
This document applies to the MikroTik RouterOS v2.4 and v2.5

Overview

MikroTik RouterOS software has a licensing system in which a Software License (Software Key) is issued for each individual installation of the RouterOS. The Software License can be obtained through the Account Server at www.mikrotik.com after the MikroTik RouterOS has been installed. The Software ID of the installation is required when obtaining the Software License. Please read the MikroTik RouterOS Basic Setup Guide for a detailed explanation of the installation and licensing process.

Managing the License

License management can be accessed under the /system license menu:

[MikroTik] system license> print    
          software-id: M61X-UPT
                  key: 7CJH-BD6-UXK
    upgradeable-until: apr/01/2002
[MikroTik] system license> ?

      set  Set the new Software Key
  feature  Unlocked router features
    print  Show license information
      get  get value of property
[MikroTik] system license>                                                                   

Here, upgradeable-until is the date until which the software can be upgraded to higher versions.

To see the software features that are enabled with the current license use the following command:

[MikroTik] system license> feature print                                                                              
Flags: X - disabled 
  #   FEATURE                                                                                                              
  0 X AP                                                                                                                   
  1   synchronous                                                                                                          
  2 X radiolan                                                                                                             
  3   wireless-2.4gHz                                                                                                      
  4   licensed                                                                                                             
[MikroTik] system license>                                                                                            

Here we see that the software has a full license (not the demo version), and that the 2.4GHz Wireless and Synchronous features are enabled.

Obtaining Additional License Features

To enable additional MikroTik RouterOS software features, or to enable upgrading again (if it has expired), a new Software Key should be obtained from the Account Server at www.mikrotik.com. The new Software Key should be supplied to the router and the system rebooted:

[MikroTik] system license> set key=PSJ5-FG3-BCD                                                                       
[MikroTik] system license> /system reboot                                                                             
Reboot, yes? [y/N]: y

After reboot you will see the new licensing information, for example:

[MikroTik] system license> print                                                                                      
          software-id: M61X-UPT
                  key: PSJ5-FG3-BCD
    upgradeable-until: dec/01/2002
[MikroTik] system license>



MikroTik RouterOS Log Management

Document revision 26-Mar-2002
This document applies to MikroTik RouterOS v2.4 and v2.5

Overview

Various system events and status information can be logged. Logs can be saved in a file on the router or sent to a remote server running a syslog daemon. MikroTik provides a shareware Windows Syslog daemon, which can be downloaded from www.mikrotik.com.

Installation

The Log Management feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

Log Management Description

The logging feature sends all of your actions on the router to a log file or to a logging daemon. The router has several global configuration settings that apply to logging. Logs belong to different facilities, and the logs from each facility can be configured to be discarded, logged locally or sent to a remote server.

General settings for the logging facilities are configured in the /system logging menu:

[MikroTik] system logging> print
    default-remote-address: 10.5.13.11
       default-remote-port: 514
              buffer-lines: 100

General logging parameters:

buffer-lines - Number of lines kept in the local buffer. The contents of the local log can be viewed using the /log print command. When the number of lines in the local log buffer is exceeded, lines from the beginning of the buffer are deleted.
default-remote-address - Remote log server IP address. Used when remote logging is enabled but no IP address of the remote server is specified for the facility (remote-address=0.0.0.0).
default-remote-port - Remote log server UDP port. Used when remote logging is enabled but no UDP port of the remote server is specified for the facility (remote-port=0).

Individual settings for various logging facilities are in the /system logging facility menu:

[MikroTik] system logging facility> print
  # FACILITY          LOGGING PREFIX     REMOTE-ADDRESS  REMOTE-PORT
  0 Firewall-Log      none
  1 PPP-Account       none
  2 PPP-Info          remote             10.5.13.10      514        
  3 PPP-Error         none
  4 System-Info       remote             10.5.13.11      514        
  5 System-Error      remote             10.5.13.11      514        
  6 System-Warning    local

Logging facility parameters:

facility - (Read-only) Name of the log group.
logging - Type of logging (see below).
prefix - Local log prefix.
remote-address - Remote log server IP address. Used when the logging type is remote. If not set, the default log server IP address is used.
remote-port - Remote log server UDP port. Used when the logging type is remote. If not set, the default log server UDP port is used.

Types of logging:

local - When type "local" is used, logs are stored in the local log buffer. Local logs can be viewed using the /log print command.
none - When type "none" is used, logs from this source are discarded.
remote - When type "remote" is used, logs are sent to the remote log server.

Log Management Examples

Use the /log print command to view the local logs:

[MikroTik] log> print
 TIME                 MESSAGE                                                   
 dec/21/2001 12:10:59 pbx_26: Call from line, line picked up                    
 dec/21/2001 12:11:01 pbx_26: Calling by number 51 to 51@10.5.9.2               
 dec/21/2001 12:11:01 pbx_26: Waiting for Jevgenijs [10.5.9.2] to answer        
 dec/21/2001 12:11:46 pbx_26: Call ended, Remote endpoint did not answer in r...
 dec/21/2001 12:48:44 Incoming call from pernavas_46 [10.5.0.21] to 15 denied...
 dec/21/2001 21:04:20 Incoming call from linejack (MikroTik) [10.0.0.100] to ...
 dec/22/2001 12:41:11 Incoming call from ARNIS13 (013) [10.5.8.243] to 51 for...
 dec/22/2001 13:46:28 Incoming call from linejack (MikroTik) [10.0.0.154] to ...
 dec/22/2001 13:46:36 Incoming call from linejack (MikroTik) [10.0.0.154] to ...
 dec/22/2001 13:55:13 user admin logged in at Sat Dec 22 13:55:13 2001 from 1...
-- more

To view complete (not truncated) log lines, use the /log print detail command:

[MikroTik] log> print detail

 time=dec/22/2001 15:56:35 
    message=Incoming call from vpb_2 (MikroTik) [10.0.0.125] to 88 \
             forwarded to 88@10.0.0.154 

 time=dec/22/2001 15:58:10 
    message=user admin logged in at Sat Dec 22 15:58:10 2001 from \
             10.0.0.96 via telnet 
... 
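
The detail listing is the form in which the local log can be read in full, and the login messages in it ("user admin logged in ... from 10.0.0.96 via telnet") are the audit trail this section provides. As an added example that is not part of the manual, the script below parses /log print detail output, joining the backslash-continued message lines, and then reports logins that came from outside a management network or over cleartext telnet. The record layout follows the listing above; the sample records, the management network 10.0.0.0/8 and the two alert rules are constructed assumptions.

```python
"""Parse RouterOS 2.5 '/log print detail' output and pick out logins.

Added example, not part of the manual: the record layout (a time= line,
then message= lines continued with a trailing backslash) follows the listing
above; the sample records, the management network 10.0.0.0/8 and the alert
rules are constructed.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample in the '/log print detail' layout.
LOG_DETAIL = r"""
 time=dec/22/2001 15:56:35
    message=Incoming call from vpb_2 (MikroTik) [10.0.0.125] to 88 \
             forwarded to 88@10.0.0.154

 time=dec/22/2001 15:58:10
    message=user admin logged in at Sat Dec 22 15:58:10 2001 from \
             10.0.0.96 via telnet

 time=dec/22/2001 16:02:41
    message=user joe logged in at Sat Dec 22 16:02:41 2001 from \
             192.0.2.77 via ssh
"""

TIME_FMT = "%b/%d/%Y %H:%M:%S"                  # dec/22/2001 15:56:35
LOGIN_RE = re.compile(r"user (\S+) logged in at .+? from (\S+) via (\S+)")
MGMT_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed management network


def parse_log_detail(text):
    """Return [(datetime, message)], joining backslash-continued message lines."""
    records, current, continued = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ends_with_backslash = line.endswith("\\")
        body = line.rstrip("\\").strip()         # drop the continuation marker
        if continued and current is not None:
            current["message"] += " " + body     # rest of a wrapped message
        elif body.startswith("time="):
            current = {"time": datetime.strptime(body[5:], TIME_FMT), "message": ""}
            records.append(current)
        elif body.startswith("message=") and current is not None:
            current["message"] = body[8:]
        continued = ends_with_backslash
    return [(r["time"], r["message"]) for r in records]


def suspicious_logins(text, mgmt_net=MGMT_NET):
    """Logins from outside mgmt_net or over cleartext telnet: (time, user, addr, via, reason)."""
    hits = []
    for when, msg in parse_log_detail(text):
        m = LOGIN_RE.search(msg)
        if not m:
            continue                             # not a login message
        user, addr, via = m.groups()
        reasons = []
        try:
            outside = ipaddress.ip_address(addr) not in mgmt_net
        except ValueError:
            outside = True                       # not an IP address at all: treat as untrusted
        if outside:
            reasons.append("outside management network")
        if via == "telnet":
            reasons.append("cleartext telnet")
        if reasons:
            hits.append((when, user, addr, via, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for when, user, addr, via, reason in suspicious_logins(LOG_DETAIL):
        print(when, user, addr, via, reason)
```

Because the local buffer holds only buffer-lines entries (100 by default above), a check like this is only useful on the remote copy; sending the System-Info facility to the syslog server, as in the facility listing above, is what makes the login trail survive a reboot or a busy router.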



MikroTik RouterOS Export and Import

Document revision 26-Mar-2002
This document applies to MikroTik RouterOS v2.4 and v2.5

The configuration export can be used for dumping out MikroTik RouterOS configuration to the console screen or to a text (script) file, which can be downloaded from the router using ftp. The configuration import can be used to import the router configuration script (or part of it) from a text file.

For backing up configuration to a binary file and restoring it without alterations, please refer to the configuration backup and restore section of the MikroTik RouterOS Manual.

Installation

The Export and Import features are included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

Export and Import Description

The export command prints a script that can be used to restore the configuration. The command can be invoked at any menu level, and it acts for that menu level and all menu levels below it. If the argument "from" is used, only the specified items are exported. "export" does not descend recursively through the command hierarchy. "export" also has the argument "file", which saves the script in a file on the router so that it can be retrieved later via ftp.

The root level command /import file_name restores the exported information from the specified file. This is used to restore configuration or part of it after a 'system reset' event or anything that causes configuration data loss.

Export and Import Examples

[MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.5.5.244/24      10.5.5.244      10.5.5.255      ether1
  1   10.5.5.245/32      10.5.5.245      10.5.5.245      ether1
  2   10.5.5.246/32      10.5.5.246      10.5.5.246      ether1
[MikroTik] ip address>

To make an export file use the following command:
[MikroTik] ip address> export file=address
[MikroTik] ip address>

To make an export file from only one item use the following command:
[MikroTik] ip address> export file=address1 from=1
[MikroTik] ip address>

To see the files stored on the router use the following command:

[MikroTik] file> print
  # NAME                           TYPE    SIZE       CREATION-TIME                
  0 address1.script                unknown 128        mar/26/2002 16:00:13
  1 address.script                 unknown 354        mar/26/2002 15:48:57
[MikroTik] file>

To export the settings to the display, use the same command without the 'file' argument:

[MikroTik] ip address> export from=0,2
/ ip address 
add address=10.5.5.244/24 network=10.5.5.244 broadcast=10.5.5.255 interface=ether1 
comment="" disabled=no 
add address=10.5.5.246/32 network=10.5.5.246 broadcast=10.5.5.246 interface=ether1 
comment="" disabled=no 
[MikroTik] ip address>

To load the saved export file use the following command:

[MikroTik] > import
file-name: address1.script
[MikroTik] >
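
An export is also the most convenient form in which to compare a router's configuration against a known-good copy. As an added example (not MikroTik code), the script below parses export output into (menu, command, fields) records, treating a wrapped line such as comment="" disabled=no as the continuation of the preceding add command, and then diffs two exports to show items that were added, removed or changed. BASELINE is the /ip address export printed above; CURRENT is a constructed later export in which one address has been disabled and another added. The item identity rule (an /ip address item is identified by its address) is an assumption.

```python
"""Parse RouterOS 2.5 'export' scripts and compare two of them.

Added example, not MikroTik code: the script layout (a '/ ip address' menu
line, then 'add key=value ...' commands that wrap onto a following line) is the
one printed above; BASELINE copies that output and CURRENT is a constructed
later export with one item disabled and one address added.
"""
import shlex

BASELINE = """\
/ ip address 
add address=10.5.5.244/24 network=10.5.5.244 broadcast=10.5.5.255 interface=ether1 
comment="" disabled=no 
add address=10.5.5.246/32 network=10.5.5.246 broadcast=10.5.5.246 interface=ether1 
comment="" disabled=no 
"""

CURRENT = """\
/ ip address 
add address=10.5.5.244/24 network=10.5.5.244 broadcast=10.5.5.255 interface=ether1 
comment="" disabled=yes 
add address=10.5.5.246/32 network=10.5.5.246 broadcast=10.5.5.246 interface=ether1 
comment="" disabled=no 
add address=10.5.5.250/32 network=10.5.5.250 broadcast=10.5.5.250 interface=ether1 
comment="temporary" disabled=no 
"""

VERBS = ("add", "set", "remove")            # commands that start a new item
KEY_FIELDS = {"/ip address": "address"}     # which field identifies an item per menu (assumed)


def parse_export(text):
    """Return [(menu, verb, {key: value}), ...] for every command in the script."""
    items, tokens, menu = [], [], ""

    def flush():
        if tokens:                          # (key, sep, value)[::2] -> (key, value)
            fields = dict(tok.partition("=")[::2] for tok in tokens[1:])
            items.append((menu, tokens[0], fields))
            tokens.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):            # '/ ip address' selects the menu
            flush()
            menu = "/" + " ".join(line[1:].split())
            continue
        words = shlex.split(line)           # honours quoted values such as comment=""
        if words and words[0] in VERBS:
            flush()
        tokens.extend(words)                # a wrapped line continues the same command
    flush()
    return items


def item_key(menu, fields):
    """Identity of an item: its key field for known menus, else all of its fields."""
    key = KEY_FIELDS.get(menu)
    if key in fields:
        return (menu, fields[key])
    return (menu, " ".join("%s=%s" % kv for kv in sorted(fields.items())))


def diff_exports(old_text, new_text):
    """Configuration drift between two exports: added, removed and changed items."""
    old = {item_key(m, f): f for m, _, f in parse_export(old_text)}
    new = {item_key(m, f): f for m, _, f in parse_export(new_text)}
    changed = []
    for k in sorted(set(old) & set(new)):
        delta = {f: (old[k].get(f), new[k].get(f))
                 for f in sorted(set(old[k]) | set(new[k]))
                 if old[k].get(f) != new[k].get(f)}
        if delta:
            changed.append((k, delta))
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": changed}


if __name__ == "__main__":
    for kind, entries in diff_exports(BASELINE, CURRENT).items():
        print(kind, entries)
```

Kept with the binary backup described in the next section, a text export of this kind is what lets you answer "what changed?" rather than only "restore everything": the diff above reports the disabled 10.5.5.244/24 item and the new 10.5.5.250/32 address, with nothing removed.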



MikroTik RouterOS Backup and Restore

Document revision 26-Mar-2002
This document applies to MikroTik RouterOS v2.4 and v2.5

The configuration backup can be used for backing up the MikroTik RouterOS configuration to a binary file, which can be stored on the router or downloaded from the router using ftp. The configuration restore can be used to restore the router's configuration from a backup file. For exporting the configuration or part of it to a text (script) file and importing it, please refer to the configuration export and import section of the MikroTik RouterOS Manual.

Installation

The Backup and Restore features are included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

Backup and Restore Description

The Backup and Restore feature can be found under the "system backup" submenu. This function stores the entire router configuration in a backup file. The file is stored in the 'file' folder, under "[MikroTik] file>". You can download this file through ftp to keep it as a backup for your hardware.

To restore the system configuration, for example after a 'system reset', upload that file via ftp and then load it using the 'load' command in the "system backup" submenu.

Backup and Restore Examples

To make a backup file use the following command:

[MikroTik] system backup> save name=test
Configuration backup saved
[MikroTik] system backup>

To see the files stored on the router use the following command:

[MikroTik] file> print
  # NAME                       TYPE    SIZE   CREATION-TIME
  0 test.backup                bakcup  22727  mar/26/2002 13:02:55
[MikroTik] file>

To load the saved backup file use the following command:

[MikroTik] system backup> load name=test
Restore and reboot? [y/N]:

The restored configuration is loaded and the router is rebooted.



MikroTik RouterOS Serial Console

Document revision 26-Mar-2002
This document applies to the MikroTik RouterOS v2.4 and v2.5

Overview

The Serial Console feature allows configuring one serial port of the MikroTik router for access to the router's Terminal Console over the serial port. A special null-modem cable is required to connect the router's serial port to the workstation's or laptop's serial (COM) port. A terminal emulation program, e.g. HyperTerminal, should be run on the workstation. Alternatively, another MikroTik router can be used as the terminal, if its communication port is configured as a serial terminal. See the relevant manual for details.

Installation

The Serial Console feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

Serial Console Configuration

A special null-modem cable should be used for connecting to the serial console. The Serial Console cabling diagram for DB9 connectors is as follows:

	1 --- 1
	2 --- 3
	3 --- 2
	4 --- 4
	5 --- 5
	6 --- 6
	7 --- 8
	8 --- 7
	9 n/c 9

After installation of the MikroTik RouterOS the serial console is configured to use port serial0 (COM1 on the motherboard), if available. To check the Serial Console settings use:

[MikroTik] system serial-console> print
    enabled: no
       port: serial0
[MikroTik] system serial-console>

To enable Serial Console:

[MikroTik] system serial-console> set enabled=yes
[MikroTik] system serial-console> print
    enabled: yes
       port: serial0
[MikroTik] system serial-console>

To change port:

[MikroTik] system serial-console> set port=serial1
[MikroTik] system serial-console> print
    enabled: yes
       port: serial1
[MikroTik] system serial-console>

To check if the port is available or used:

[MikroTik] system serial-console> /port print detail
  0 name=serial0 used-by="" baud-rate=9600 data-bits=8 parity=none stop-bits=1 flow-control=none 

  1 name=serial1 used-by=Serial Console baud-rate=9600 data-bits=8 parity=none stop-bits=1 flow-control=none 

[MikroTik] system serial-console>

Troubleshooting


MikroTik RouterOS Telnet Client

Document revision 26-Mar-2002
This document applies to the MikroTik RouterOS v2.4 and v2.5

Overview

MikroTik RouterOS has a built-in Telnet Client. It is used to communicate with other systems over a network.

Installation

The Telnet client feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

Telnet Client Description

[MikroTik] system> telnet ?
Run telnet session to remote host. 

  <host>  IP address of host
[MikroTik] system> telnet

Telnet Client Examples

A simple example of using Telnet:

[MikroTik] > /system telnet 10.0.0.100
Trying 10.0.0.100...
Connected to 10.0.0.100.
Escape character is '^]'.

MikroTik v2.5rc3
Login:

Telnet using Telnet command mode:

[Mikrotik] > /system telnet
telnet> open 10.0.0.100
Trying 10.0.0.100...
Connected to 10.0.0.100.
Escape character is '^]'.

MikroTik v2.5rc3
Login:



MikroTik RouterOS Serial Terminal

Document revision 26-Mar-2002
This document applies to the MikroTik RouterOS v2.4 and v2.5

Overview

The /system serial-terminal command is used to communicate with devices and other systems that are connected to the router via a serial port. The serial terminal may be used to monitor and configure many devices, including modems, network devices, and any device that can be connected to a serial terminal.

Installation

The Serial Terminal feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

Serial Terminal Description

All keyboard input is forwarded to the serial port and all data received from the port is output to the console. After exiting with "Ctrl-X", the control signals of the port are lowered. It is not possible to send the "Ctrl-X" key to the serial port, as it is intercepted and the serial terminal is closed. The speed and other parameters of the serial port may be configured in the "/port" directory of the router console. No terminal translation is performed on printed data. It is possible to get the terminal into an unusable state by outputting sequences of inappropriate control characters or random data. Do not connect to devices at an incorrect speed, and avoid dumping binary data.

Serial Terminal Usage

The serial-terminal is invoked with one argument, the name of the serial port:

[MikroTik] system> serial-terminal port=serial0
[Type Ctrl-X to return to console]

Serial Terminal Examples

Several customers have described situations where the serial-terminal feature would be useful. One situation is a mountaintop where a MikroTik wireless installation sits next to equipment that also includes switches and Cisco routers that cannot be managed in-band (by telnet through an IP network). Another is a need to monitor weather reporting equipment through a serial console. Another is a connection to a high-speed microwave modem that needs to be monitored and managed over a serial console connection. With the serial-terminal feature of the MikroTik, one to thirty-four devices can be monitored and controlled (using serial expansion cards for more than two devices).

The serial-console was tested and found working with:



MikroTik RouterOS V2.5 Network Time Protocol

Document revision 25-Nov-2001
This document applies to the MikroTik RouterOS V2.5

Overview

The NTP protocol allows synchronizing time among computers in a network. The best arrangement is to have an Internet connection available and a local NTP server synchronized to a correct time source. A list of public NTP servers is available at: http://www.eecis.udel.edu/~mills/ntp/servers.htm

NTP Client

The NTP Client setup is under /system ntp client:

[MikroTik] system ntp client> print 
               status: stopped
              enabled: no
                 mode: unicast
           ntp-server: 0.0.0.0
    second-ntp-server: 0.0.0.0

The NTP client synchronizes the local clock to some other time source (an NTP server). There are 4 modes in which the NTP client can operate: unicast, broadcast, multicast and manycast.

In unicast (Client/Server) mode the NTP client connects to the specified NTP server. The IP address of the NTP server must be set in the ntp-server and/or second-ntp-server parameters. At first the client synchronizes to the NTP server; afterwards the client periodically (every 64..1024 s) sends time requests to the NTP server. Unicast mode is the only one which uses the ntp-server and second-ntp-server parameters.

In broadcast mode the NTP client listens for broadcast messages sent by an NTP server. After receiving the first broadcast message, the client synchronizes the local clock using unicast mode, and afterwards does not send any packets to that NTP server. It uses the received broadcast messages to adjust the local clock.

Multicast mode acts the same as broadcast mode, except that instead of broadcast messages (IP address 255.255.255.255) multicast messages are used (IP address 224.0.1.1).

Manycast mode is actually unicast mode with an unknown IP address of the NTP server. To discover an NTP server, the client sends a multicast message (IP 239.192.1.1). If an NTP server is configured to listen for these multicast messages (manycast mode is enabled), it replies. After the client receives a reply, it enters unicast mode and synchronizes to that NTP server. In parallel, the client continues to look for more NTP servers by sending multicast messages periodically.

The status of the NTP client can be monitored by looking at the status parameter. There are several possible statuses:

NTP Server

The NTP Server setup is under /system ntp server:

[MikroTik] system ntp server> print 
      enabled: no
    broadcast: no
    multicast: no
     manycast: yes

(!) The NTP server activates only when the local NTP client is in synchronized or using-local-clock mode.

If the NTP server is disabled, all NTP requests are ignored.

If the NTP server is enabled and condition (!) holds, all individual time requests are answered.

If broadcast is enabled and condition (!) holds, an NTP broadcast message is sent to 255.255.255.255 every 64 s.

If multicast is enabled and condition (!) holds, an NTP multicast message is sent to 224.0.1.1 every 64 s.

If manycast is enabled and condition (!) holds, the NTP server listens for multicast messages sent to 239.192.1.1 and responds to them.

CAUTION! Using broadcast, multicast and manycast modes is dangerous! An intruder (or an ordinary user) can set up his own NTP server. If this new server is chosen as the time source for your server, this user can change the time on your server at will. Authentication is strongly suggested in these modes, but it is not implemented. It is possible (but not easy) to implement it, should MikroTik users need authentication.
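
The unicast exchange that the client and server sections describe, and the reason the caution above matters, can be seen in the packets themselves. As an added example (not MikroTik code, and not the router's NTP implementation), the script below builds the 48-byte request a unicast client sends, builds the reply a server would return, computes the clock offset and round-trip delay from the four timestamps, and refuses a reply that does not come from the configured ntp-server, does not echo the request's transmit timestamp, or comes from an unsynchronized server. Every packet is constructed in memory; nothing is sent on the network. The server address 10.5.13.11, the reference identifier and the 1.5-second clock offset are constructed values.

```python
"""NTP unicast (client/server) exchange and reply validation.

Added example, not MikroTik code: builds the request a unicast client sends,
parses a server reply, computes clock offset and round-trip delay, and rejects
replies that do not come from the configured ntp-server. Packets are
constructed in memory; nothing is sent on the network.
"""
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 and 1970-01-01
FORMAT = "!BBBb11I"             # LI/VN/Mode, stratum, poll, precision, eleven 32-bit words
TWO32 = 2 ** 32


def to_ntp(unix_time):
    """Unix float seconds -> (seconds, fraction) fields of a 64-bit NTP timestamp."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * TWO32)
    return secs, frac


def from_ntp(secs, frac):
    """NTP timestamp fields -> Unix float seconds."""
    return secs - NTP_EPOCH_OFFSET + frac / TWO32


def build_request(t1):
    """Client request: LI=0, version 3, mode 3 (client); transmit timestamp = T1."""
    s, f = to_ntp(t1)
    return struct.pack(FORMAT, 0x1B, 0, 6, -20, 0, 0, 0, 0, 0, 0, 0, 0, 0, s, f)


def build_reply(request, t2, t3, stratum=2):
    """Server reply (mode 4): origin = client's transmit, receive = T2, transmit = T3."""
    fields = struct.unpack(FORMAT, request)
    orig_s, orig_f = fields[13], fields[14]        # echo the client's transmit timestamp
    r_s, r_f = to_ntp(t2)
    x_s, x_f = to_ntp(t3)
    ref_s, ref_f = to_ntp(t2 - 30)                 # last synchronised with upstream 30 s ago
    refid = 0x0A050D0B                             # constructed reference id (10.5.13.11)
    return struct.pack(FORMAT, 0x1C, stratum, 6, -20, 0, 0, refid,
                       ref_s, ref_f, orig_s, orig_f, r_s, r_f, x_s, x_f)


def validate_reply(reply, src_addr, t1, expected_server):
    """Return None if the reply is acceptable, else a string saying why not."""
    if src_addr != expected_server:
        return "reply from %s, not the configured ntp-server %s" % (src_addr, expected_server)
    if len(reply) < 48:
        return "short packet"
    f = struct.unpack(FORMAT, reply[:48])
    li, mode, stratum = f[0] >> 6, f[0] & 7, f[1]
    if mode != 4:
        return "not a server reply (mode %d)" % mode
    if li == 3 or stratum == 0 or stratum > 15:
        return "server not synchronised (LI=%d, stratum=%d)" % (li, stratum)
    if (f[9], f[10]) != to_ntp(t1):
        return "origin timestamp does not match our request"
    return None


def process_reply(reply, src_addr, t1, t4, expected_server):
    """Validate and return (offset, delay) in seconds; raise ValueError if rejected."""
    problem = validate_reply(reply, src_addr, t1, expected_server)
    if problem:
        raise ValueError(problem)
    f = struct.unpack(FORMAT, reply[:48])
    t2, t3 = from_ntp(f[11], f[12]), from_ntp(f[13], f[14])
    offset = ((t2 - t1) + (t3 - t4)) / 2    # how far the local clock is behind the server
    delay = (t4 - t1) - (t3 - t2)           # round trip excluding server processing time
    return offset, delay


def demo_exchange(server="10.5.13.11", true_offset=1.5, one_way=0.05):
    """One simulated round trip to a server whose clock is true_offset seconds ahead."""
    t1 = 1_000_000_000.0                   # client clock when the request is sent
    request = build_request(t1)
    t2 = t1 + one_way + true_offset        # server clock when the request arrives
    t3 = t2 + 0.01                         # server clock when the reply leaves
    reply = build_reply(request, t2, t3)
    t4 = t1 + 2 * one_way + 0.01           # client clock when the reply arrives
    return process_reply(reply, server, t1, t4, server)


if __name__ == "__main__":
    print("offset %.3f s, delay %.3f s" % demo_exchange())
```

The source-address and origin-timestamp checks are what a unicast client can do without authentication; a broadcast, multicast or manycast listener has no configured address to compare against, which is exactly the exposure the caution describes.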

Time Zone

By default NTP sets the local clock to UTC (GMT) time. To specify a different time zone, the time-zone parameter under "/system clock" has to be changed.

[MikroTik] system clock> print 
         time: nov/08/2001 17:33:42
    time-zone: 0s

The time zone is specified as the difference between local time and GMT. For example, if GMT time is 18:00:00 but the correct local time is 19:00:00, then time-zone has to be set to +1 hour:

[MikroTik] system clock> set time-zone=1h 
[MikroTik] system clock> print 
         time: nov/08/2001 18:36:53
    time-zone: 1h

If local time is behind GMT, the time-zone value is negative. For example, if GMT is 18:00:00 but the correct local time is 15:00:00, time-zone has to be set to -3 hours:

[MikroTik] system clock> set time-zone=-3h 
[MikroTik] system clock> print 
         time: nov/08/2001 14:39:18
    time-zone: -3h



MikroTik RouterOS UPS Monitor

Document revision 26-Mar-2002
This document applies to the MikroTik RouterOS v2.4 and v2.5

Overview

The UPS monitor feature works with APC UPS units that support "smart" signaling. This feature enables the network administrator to monitor the UPS and set the router to 'gracefully' handle any power outage with no corruption or damage to the router. The basic purpose of this feature is to ensure that the router comes back online after an extended power failure. To do this, the router monitors the UPS and puts itself into hibernate mode when the 'utility' power is down and the UPS battery has less than 10% of its power left. The router then continues to monitor the UPS (while in hibernate mode) and restarts itself when the 'utility' power returns. If the UPS battery is drained and the router loses all power, the router powers back to full operation when the 'utility' power returns.

The UPS monitor feature on the MikroTik RouterOS supports:

Installation

The 'ups-2.5x.npk' package (less than 100KB) for v2.5x is required. The package can be downloaded from MikroTik's web page www.mikrotik.com. To install the package, upload it to the router with ftp and reboot. You may check whether the package is installed with the command:

[MikroTik] > system package print
Flags I - invalid                                            
  # NAME                   VERSION               BUILD-TIME           UNINSTALL
  0 ppp                    2.5rc11               mar/20/2002 14:55:36 no       
  1 pptp                   2.5rc11               mar/20/2002 14:56:36 no       
  2 pppoe                  2.5rc11               mar/20/2002 14:57:36 no       
  3 ssh                    2.5rc11               mar/20/2002 14:58:36 no       
  4 ups                    2.5rc11               mar/20/2002 14:59:36 no       
  5 system                 2.5rc11               mar/20/2002 15:02:36 no       
  6 routing                2.5rc11               mar/20/2002 15:08:36 no       
  7 snmp                   2.5rc11               mar/20/2002 15:09:36 no       
[MikroTik] >                                                                   

Line 4 shows that the UPS package is installed.

Hardware Resource Usage

There is no significant resource usage.

UPS Monitor Setup

Check the port menu to find a free serial port:

[MikroTik] > port print detail
  0 name=serial0 used-by=Serial Console baud-rate=9600 data-bits=8 
    parity=none stop-bits=1 flow-control=none 

  1 name=serial1 used-by="" baud-rate=9600 data-bits=8 parity=none 
    stop-bits=1 flow-control=none 

[MikroTik] >  

The proprietary APC UPS smart-mode cable should be connected to the free port. To configure UPS monitoring in MikroTik RouterOS, go to the /system ups menu:

[MikroTik] system ups> print                                                   
                    enabled: no
                       port: (unknown)
              off-line-time: 5m
               min-run-time: 5m
              alarm-setting: immediate
          rtc-alarm-setting: none
[MikroTik] system ups>  

Argument description:

enabled - (yes / no) Whether monitoring is enabled; it is disabled by default
port - The communication port of the router the UPS cable is connected to
off-line-time - How long to work on batteries
When set to a number >0, the router waits that many hours/minutes/seconds and then goes into hibernate mode until the UPS reports that the 'utility' power is back. When set to 0, the router goes into hibernate mode according to the "min-run-time" setting and the 10% battery power event. The default is 0; in this case, the router waits until the UPS reports that the battery power is below 10%. The number should be followed by "h" for hours, "m" for minutes, or "s" for seconds.
min-run-time - Minimal run time remaining
After a 'utility' failure, the router monitors the run-time-left value. When the value reaches the min-run-time value, the router goes into hibernate mode. If the min-run-time value is set to 0, the router goes into hibernate mode when the "battery low" signal is sent, indicating that the battery power is below 10%.
alarm-setting - UPS sound alarm setting
rtc-alarm-setting - UPS sound alarm setting during run time calibration
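
The two timing arguments are easiest to reason about as a decision rule over the values the UPS reports. As an added example (not MikroTik code, and not how the router's own UPS package is written), the script below parses the "key: value" lines that /system ups monitor prints (the layout is shown in the UPS Monitoring section below) and applies the off-line-time, min-run-time and 10% battery rules to one snapshot. How the rules combine when both limits are non-zero is my reading of the description (whichever limit is reached first triggers hibernation, and a low-battery event always does); the on-battery snapshot is constructed.

```python
"""Hibernation decision for the UPS monitor, following the off-line-time and
min-run-time rules described above.

Added example, not MikroTik code: parse_monitor() reads the 'key: value' lines
that '/system ups monitor' prints, and should_hibernate() applies the rules.
How the rules combine when both limits are non-zero is my reading of the text
(whichever limit is reached first wins, and a low-battery event always wins);
the on-battery monitor snapshot is constructed.
"""
import re

DURATION_RE = re.compile(r"(\d+)([hms])")
UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}

# Constructed snapshot: utility power lost, UPS on battery with 4 minutes left.
MONITOR_ON_BATTERY = """\
                      read-state: reading remaining run time
                         on-line: no
                      on-battery: yes
                   run-time-left: 4m
                  battery-charge: 31
                 battery-voltage: 25
                    line-voltage: 0
                  output-voltage: 227
                            load: 67
                     temperature: 31
                   alarm-setting: immediate-alarm
"""


def parse_duration(text):
    """'5m', '1h30m', '45s' or a bare '0' -> seconds (the CLI's h/m/s notation)."""
    text = text.strip()
    if text.isdigit():
        return int(text)
    parts = DURATION_RE.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError("bad duration %r" % text)
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)


def parse_monitor(text):
    """'key: value' lines of '/system ups monitor' -> dict of strings."""
    status = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            status[key.strip()] = value.strip()
    return status


def should_hibernate(status, on_battery_seconds, off_line_time="0", min_run_time="0"):
    """Return (hibernate, reason) for one monitor snapshot.

    status              dict from parse_monitor()
    on_battery_seconds  how long utility power has been gone
    off_line_time       '/system ups' off-line-time value ('0' = not used)
    min_run_time        '/system ups' min-run-time value ('0' = not used)
    """
    if status.get("on-line") == "yes":
        return False, "utility power present"
    off_line = parse_duration(off_line_time)
    min_run = parse_duration(min_run_time)
    run_left = parse_duration(status.get("run-time-left", "0"))
    charge = int(status.get("battery-charge", "100"))
    if off_line > 0 and on_battery_seconds >= off_line:
        return True, "off-line-time %s reached" % off_line_time
    if min_run > 0 and run_left <= min_run:
        return True, "run-time-left at or below min-run-time %s" % min_run_time
    if status.get("read-state") == "low-battery" or charge < 10:
        return True, "battery low (below 10%)"
    return False, "on battery, no limit reached"


if __name__ == "__main__":
    snapshot = parse_monitor(MONITOR_ON_BATTERY)
    print(should_hibernate(snapshot, on_battery_seconds=120,
                           off_line_time="5m", min_run_time="5m"))
```

With the defaults printed above (both limits 5m), the constructed snapshot hibernates because run-time-left has fallen to 4m; with off-line-time=0 and min-run-time=2m it keeps running, since 4m of run time remain and the battery is at 31%.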

To enable the UPS monitor for port 'serial1', use the set command:

[MikroTik] system ups> set port=serial1 enabled=yes                            
[MikroTik] system ups> print                                                   
                    enabled: yes
                       port: serial1
              off-line-time: 5m
               min-run-time: 5m
              alarm-setting: immediate-alarm
          rtc-alarm-setting: immediate-alarm
                      model: QS0030311640
                    version: 60.11.I
                     serial: 
           manufacture-date: 07/18/00
    nominal-battery-voltage: 24
[MikroTik] system ups>

Argument description:

model - Less than 32 ASCII character string consisting of the UPS model name (the words on the front of the UPS itself).
version - The first field is an SKU number. The second field is a variable length decimal number indicating the firmware revision. The third field is one of the following country codes:
I = 220/230/240 Vac
D = 115/120 Vac
A = 100 Vac
M = 208 Vac
J = 200 Vac
Examples:
11.12.D
1.4.A
102.56.J
serial - A string of at least 8 characters directly representing the UPS's serial number as set at the factory. Newer SmartUPS models have 12-character serial numbers.
manufacture-date - The UPS's date of manufacture in the format "mm/dd/yy" (month, day, year).
nominal-battery-voltage - A three-digit number representing the UPS's nominal battery voltage rating. This is not the UPS's actual battery voltage; for example, the UPS returns "024" for a 24 Volt battery system, "018" for an 18 Volt battery system, and "048" for a 48 Volt battery system.

Runtime Calibration

To start the runtime calibration of the UPS monitor, run the /system ups run-time-calibration command:

[MikroTik] system ups> run-time-calibration

The run-time-calibration command causes the UPS to start a run time calibration until less than 25% of full battery capacity is reached. This command calibrates the returned run time value. The test begins only if battery capacity is 100%.

UPS Monitoring

The monitor command displays changing information:

[MikroTik] system ups> monitor                                             
                      read-state: reading remaining run time
                         on-line: yes
                      on-battery: no
                   run-time-left: 16m
                  battery-charge: 100
                 battery-voltage: 27
                    line-voltage: 228
                  output-voltage: 227
                            load: 67
                     temperature: 31
                   line-fequency: 50
                   alarm-setting: immediate-alarm

[MikroTik] system ups>  

Explanation of the output fields and their possible values:

read-state - status of the UPS:
low-battery - appears when a low-battery event occurs
on-line - displayed when power is being provided by the external utility (power company)
on-battery - displayed when the UPS battery is supplying power
transfer cause - Only shown when the unit is on-battery. Displays the reason for the most recent transfer to on-battery operation, which may be:
- unacceptable utility voltage rate of change.
- detection of high utility voltage.
- detection of low utility voltage.
- detection of a line voltage notch or spike.
- transfer in response to battery-test or run-time-calibration
replace battery - Only shown when the UPS reports this status
overloaded-output - Only shown when the UPS reports this status
smart-boost-mode - Only shown when the UPS reports this status
smart-ssdd-mode - Only shown when the UPS reports this status
run-time-calibration-running - Only shown when the UPS reports this status
run-time-left - the UPS's estimated remaining run time in minutes. You can query the UPS when it is operating in the on-line, bypass, or on-battery modes of operation. The UPS's remaining run time reply is based on available battery capacity and output load.
battery-charge - the UPS's remaining battery capacity as a percent of the fully charged condition.
battery-voltage - the UPS's present battery voltage. The typical accuracy of this measurement is ±5% of the maximum value of 24 Vdc, 34 Vdc or 68 Vdc (depending upon the UPS's nominal battery voltage).
load-power - the UPS's output load as a percentage of full rated load in Watts. The typical accuracy of this measurement is ±3% of the maximum of 105%.
load-current - the true rms load current drawn from UPS. The typical accuracy of this measurement is ±7.5% of the load rating of UPS.
apparent-load-power - representing the UPS's output load as a percentage of the full rated load in Volt-Amps. The typical accuracy of this measurement is ±5% of the maximum of 105%.
temperature - the UPS's present internal operating temperature in degrees Celsius. The typical accuracy of this measurement is ±5% of the full scale value of 100°C.
line-frequency - When operating on-line, the UPS's internal operating frequency is synchronized to the line within variations within 3 Hz of the nominal 50 or 60 Hz. The typical accuracy of this measurement is ±1% of the full scale value of 63 Hz.

UPS Cable Pin-Out

The APC UPS (BackUPS Pro or SmartUPS) requires a special serial cable. If no cable came with the UPS, a cable may be ordered from APC or one can be made "in-house". Use the following diagram:

Router side             UPS side
(DB9 Female)            (DB9 Male)
2 (TD)          ->      2
3 (RD)          ->      1
5 (GND)         ->      4
7 (CTS)         ->      6

The cable for the APC SMART-UPS and APC BACK-UPS:

Female 9-pin router side               Male 9-pin UPS side
1--------------------------------------------------------5
3--------------------------------------------------------1
2--------------------------------------------------------2
5--------------------------------------------------------4
8--------------------------------------------------------6

Additional Resources

http://www.linuxdoc.org/HOWTO/UPS-HOWTO.html


© Copyright 1999-2002, MikroTik

MikroTik RouterOS Support Output File

Document revision 10-May-2002
This document applies to MikroTik RouterOS v2.5.3 and higher

The support file is used for debugging MikroTik RouterOS and to solve the support questions faster. All MikroTik Router information is saved in a binary file, which is stored on the router and can be downloaded from the router using ftp.

Topics covered in this manual:

Installation

The Support file feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

Support File Description

Support file feature can be found under "system" submenu. The file is stored in the 'file' folder under "[MikroTik] file>". You can download this file through ftp to send it to the MikroTik Support.

Example of Making Support Output File

To make a Support Output File use the following command:

[MikroTik] system> sup-output
creating supout.rif file, might take a while
..............
Accomplished!
[MikroTik] system>

To see the files stored on the router use the following command:

[MikroTik] file> print
  # NAME             TYPE         SIZE       CREATION-TIME
  0 supout.rif       support-info 18418      may/09/2002 22:46:44
[MikroTik] file> 

Connect to the router using FTP and download the supout.rif file using BINARY file transfer mode. Send the supout.rif file to MikroTik Support support@mikrotik.com with detailed description of the problem.


© Copyright 1999-2002, MikroTik

MikroTik RouterOS Ping

Document revision 27-Mar-2002
This document applies to MikroTik RouterOS v2.4 and v2.5

Overview

Ping uses Internet Control Message Protocol (ICMP) Echo messages to determine if a remote host is active or inactive and to determine the round-trip delay when communicating with it.

Topics covered in this manual:

Installation

The Ping feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

Ping Description

Ping utility shows Time To Live value of the received packet (ttl) and Roundtrip time (time) in ms. The console Ping session may be stopped when the Ctrl + C is pressed.

[MikroTik] > ping ?
Send ICMP Echo packets. Repeat after given time interval.

        <address>  
            count  Number of packets
  do-not-fragment  Do not fragment the packets
         interval  Delay between messages
             size  Packet size in bytes
[MikroTik] >

Descriptions of arguments:

address - IP address for the host you want to ping.
size - (optional) Size of the IP packet (in bytes, including the IP and ICMP headers). Can be 36...4096.
do-not-fragment - if added, packets aren't fragmented
interval - (optional) Delay between messages (in seconds). Default is 1 second. Can be 10ms...5s.
count - How many times ICMP packets will be sent. If not specified, ping continues until CTRL+C is pressed.

Ping Examples

[MikroTik] > ping 159.148.60.2 count=5 interval=20ms size=64
159.148.60.2 64 byte pong: ttl=249 time=3 ms
159.148.60.2 64 byte pong: ttl=249 time<1 ms
159.148.60.2 64 byte pong: ttl=249 time<1 ms
159.148.60.2 64 byte pong: ttl=249 time<1 ms
159.148.60.2 64 byte pong: ttl=249 time<1 ms
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0/0.6/3 ms
[MikroTik] > 


© Copyright 1999-2002, MikroTik

MikroTik RouterOS Traceroute

Document revision 27-Mar-2002
This document applies to MikroTik RouterOS v2.4 and v2.5

Overview

Traceroute is a TCP/IP protocol-based utility, which allows the user to determine how packets are being routed to a particular host. Traceroute works by increasing the time-to-live value of packets and seeing how far they get until they reach the given destination; thus, a lengthening trail of hosts passed through is built up.

Topics covered in this manual:

Installation

The Traceroute feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

Traceroute Description

Traceroute shows the number of hops to the given host address, listing every gateway passed. The Traceroute utility sends packets three times to each gateway passed, so it shows three round-trip times (in ms) for each gateway. The Traceroute session may be stopped by pressing Ctrl + C.

[MikroTik] tool> traceroute ?
Trace route to host by increasing Time To Live value in sent packets
and waiting for "TTL expired" messages from routers.

  <address>
       port  UDP port number
   protocol  Protocol of sent packets
       size  Packet size
    timeout  Response wait timeout
        tos  Type of service
    use-dns
[MikroTik] >

Descriptions of arguments:

address - IP address of the host you are tracing route to.
port - Port number. Values are in range 0-65535.
protocol - Type of protocol to use (UDP or ICMP). If one fails (for example, it is blocked by a firewall) try the other.
size - (optional) Packet size in bytes (28..1428, default 64).
timeout - (optional) Response waiting timeout, i.e. delay between messages. Can be 1..5s, default 1s.
tos - Type Of Service – parameter of IP packet. Can be 0..255, default 0.
use-dns - (yes/no) specifies whether to use DNS server, which can be set in /ip dns menu, default is "no"

Traceroute Examples

[MikroTik] tool> traceroute 216.239.39.101 size=64 timeout=4s tos=0 protocol=icmp
     ADDRESS                                    STATUS
   1 159.148.60.227       3ms      3ms      3ms 
   2 195.13.173.221      80ms    169ms     14ms 
   3 195.13.173.28        6ms      4ms      4ms 
   4 195.158.240.21     111ms    110ms    110ms 
   5 213.174.71.49      124ms    120ms    129ms 
   6 213.174.71.134     139ms    146ms    135ms 
   7 213.174.70.245     132ms    131ms    136ms 
   8 213.174.70.58      211ms    215ms    215ms 
   9 195.158.229.130    225ms    239ms       0s 
  10 216.32.223.114     283ms    269ms    281ms 
  11 216.32.132.14      267ms    260ms    266ms 
  12 209.185.9.102      296ms    296ms    290ms 
  13 216.109.66.1       288ms    297ms    294ms 
  14 216.109.66.90      297ms    317ms    319ms 
  15 216.239.47.66      137ms    136ms    134ms 
  16 216.239.47.46      135ms    134ms    134ms 
  17 216.239.39.101     134ms    134ms    135ms 
[MikroTik] tool> 


© Copyright 1999-2002, MikroTik

MikroTik RouterOS Bandwidth Test

Document revision 27-Mar-2002
This document applies to MikroTik RouterOS v2.4 and v2.5

Overview

The Bandwidth Tester can be used to monitor the throughput only to a remote MikroTik router (either wired or wireless) and thereby help to discover network ‘bottlenecks’.

The TCP test uses the standard TCP protocol with acknowledgments and follows the TCP algorithm on how many packets to send according to latency, dropped packets, and other features in the TCP algorithm. Please review the TCP protocol for details on its internal speed settings and how to analyze its behavior. Statistics for throughput are calculated using the entire size of the TCP packet. As acknowledgments are an internal working of TCP, their size and usage of the link are not included in the throughput statistics. Therefore this statistic is not as reliable as the UDP statistic when estimating throughput.

The UDP tester sends 110% (or more) of the number of packets currently reported as received on the other side of the link. To see the maximum throughput of a link, the packet size should be set to the maximum MTU allowed by the links – usually this is 1500 bytes. No acknowledgment is required by UDP; this means that the closest approximation of the throughput can be seen.

Topics covered in this manual:

What's New in v2.5?

MikroTik RouterOS v2.5 has different Bandwidth Test features compared to the previous versions. When migrating from v2.4 to v2.5, please note that:

Installation

The Bandwidth Test feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

!Caution! Bandwidth Test uses all available bandwidth (by default) and may impact network usability.

There is no other significant resource usage.

Bandwidth Test Description

Bandwidth Test uses the TCP or UDP protocol for the test. The test tries to use the maximum or a partial amount of bandwidth to test link speed. Note that the remote router must be a MikroTik router in order to run the test. Be aware that the default test uses all available bandwidth and may impact network usability.

[MikroTik] tool> bandwidth-test ?
Bandwidth Test uses TCP or UDP protocol for test. Tries to use maximum or partial amount of
bandwidth to test link speed. Note that remote router must be MikroTik router 
in order to run the test. Be aware that default test uses all available 
bandwidth and may impact network usability.

        <address>
        direction  Direction of data flow
               do
         duration  How long should the test take
         interval  Interval between sent packets
   local-tx-speed  
         password  Password for remote user
         protocol  Protocol to use for test
  remote-tx-speed
             size  UDP packet size or TCP segment size
             user  remote user
[MikroTik] tool>

Descriptions of arguments:

address - IP address of destination host.
direction - (both/receive/transmit) specify the direction of the test, default is transmit
do - Script source
duration - Duration of the test
interval - (optional) Delay between messages (in seconds). Default is 1 second. Can be 20ms...5s.
local-tx-speed - Transfer test maximum speed (must be given in bits per second)
password - Password for remote user
protocol - Type of protocol to use (UDP or TCP, default TCP).
remote-tx-speed - Receive test maximum speed (must be given in bits per second)
size - Packet size in bytes (50..1500, default 512). Works only with UDP protocol.
user - Remote user

Bandwidth Test Examples

[MikroTik] tool> bandwidth-test 10.0.0.224 duration=14s protocol=udp size=1500 direction=both
               status: done testing
           tx-current: 33.98Mbps
 tx-10-second-average: 25.56Mbps
     tx-total-average: 19.07Mbps
           rx-current: 33.96Mbps
 rx-10-second-average: 26.45Mbps
     rx-total-average: 19.83Mbps

[MikroTik] tool>



[MikroTik] tool> bandwidth-test 10.0.0.152 local-tx-speed=3000 remote-tx-speed=5000 direction=both
               status: running
           tx-current: 90.00bps
 tx-10-second-average: 90.00bps
     tx-total-average: 2.76kbps
           rx-current: 96.00bps
 rx-10-second-average: 96.00bps
     rx-total-average: 5.97kbps

[MikroTik] tool> 


© Copyright 1999-2002, MikroTik

MikroTik RouterOS Traffic Monitor

Document revision 27-Mar-2002
This document applies to MikroTik RouterOS v2.4 and v2.5

Overview

The traffic monitor tool is used to execute console scripts when interface traffic crosses given thresholds.

Topics covered in this manual:

Installation

The Traffic monitor feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

There is no significant resource usage.

Traffic Monitor Description

Each item in traffic monitor list consists of its name (which is useful if you want to disable or change properties of this item from another script), some parameters specifying traffic condition and the pointer to a script or scheduled event to execute when this condition is met.

[MikroTik] tool traffic-monitor> print detail
Flags: X - disabled, I - invalid 
  #   NAME           INTERFACE     TRAFFIC     TRIGGER THRESHOLD  ON-EVENT     
  0   turn_on        ether1        received    above   15000      eth-up       
  1   turn_off       ether1        received    below   12000      eth-down     

Argument description for traffic monitoring tool:

name - Name of traffic monitor item
interface - Interface to monitor
threshold - Traffic threshold, in bits per second.
trigger - ( above / always / below ) Condition on which to execute script.
traffic - ( transmitted / received ) Type of traffic to monitor.
on-event - Script source. Must be present under '/system script'.

You should specify the interface on which to monitor the traffic, the type of traffic to monitor (transmitted or received), and the threshold (in bits per second). The script is started when traffic crosses the threshold in the direction given by the "trigger" argument. "above" means that the script will be run each time traffic exceeds the threshold, i.e. goes from being less than the threshold to being more than the threshold value. "below" triggers the script in the opposite condition, when traffic drops under the threshold. "always" triggers the script on both "above" and "below" conditions.

Traffic Monitor Examples

The example monitor enables the interface ether2, if the received traffic exceeds 15kbps on ether1, and disables the interface ether2, if the received traffic falls below 12kbps on ether1.

[MikroTik] system script>
add name=eth-up source={/interface enable ether2}
add name=eth-down source={/interface disable ether2}
[MikroTik] system script> /tool traffic-monitor                                
[MikroTik] tool traffic-monitor>
add name=turn_on interface=ether1 on-event=eth-up \
threshold=15000 trigger=above traffic=received
add name=turn_off interface=ether1 on-event=eth-down \
threshold=12000 trigger=below traffic=received
[MikroTik] tool traffic-monitor> print                                         
Flags: X - disabled, I - invalid 
  #   NAME           INTERFACE     TRAFFIC     TRIGGER THRESHOLD  ON-EVENT     
  0   turn_on        ether1        received    above   15000      eth-up       
  1   turn_off       ether1        received    below   12000      eth-down     
[MikroTik] tool traffic-monitor> 
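The trigger semantics above are edge-triggered: a script runs only when traffic changes side relative to the threshold. As an added example (not RouterOS code), this Python simulation feeds a constructed series of received-rate samples to the two items of the example above plus a constructed "always" item, and lists which on-event scripts would run; treating a rate exactly equal to the threshold as "not above" is an assumption.

```python
from dataclasses import dataclass


@dataclass
class TrafficMonitorItem:
    """One /tool traffic-monitor entry, with the fields described above."""
    name: str
    interface: str
    traffic: str      # "received" or "transmitted"
    trigger: str      # "above", "below" or "always"
    threshold: int    # bits per second
    on_event: str     # script name under /system script
    disabled: bool = False


def simulate(items, samples):
    """Feed successive rate samples to every item and return the scripts that run.

    samples: list of dicts mapping (interface, traffic) -> bits per second.
    Returns (sample index, item name, on-event script, crossing direction) for
    each crossing that matches the item's trigger. Only a change of side relative
    to the threshold fires anything; staying above or below does not."""
    fired = []
    side = {it.name: None for it in items}   # last observed side: True = above
    for idx, sample in enumerate(samples):
        for it in items:
            rate = sample.get((it.interface, it.traffic))
            if it.disabled or rate is None:
                continue
            now_above = rate > it.threshold      # assumption: equal counts as not above
            was_above, side[it.name] = side[it.name], now_above
            if was_above is None or was_above == now_above:
                continue                          # first sample, or no crossing
            direction = "above" if now_above else "below"
            if it.trigger in (direction, "always"):
                fired.append((idx, it.name, it.on_event, direction))
    return fired


# The two items from the example above plus a constructed "always" item.
ITEMS = [
    TrafficMonitorItem("turn_on", "ether1", "received", "above", 15000, "eth-up"),
    TrafficMonitorItem("turn_off", "ether1", "received", "below", 12000, "eth-down"),
    TrafficMonitorItem("log_both", "ether1", "received", "always", 15000, "log-cross"),
]

# Constructed received-rate samples for ether1, in bits per second.
SAMPLES = [{("ether1", "received"): bps}
           for bps in (10000, 16000, 18000, 13000, 11000, 14000, 16000)]


def run_example():
    """Events for the constructed samples; note that the drop to 13000 (sample 3)
    runs no eth-down because turn_off's threshold is 12000, not 15000."""
    return simulate(ITEMS, SAMPLES)


if __name__ == "__main__":
    for idx, name, script, direction in run_example():
        print(f"sample {idx}: {name} crossed {direction}, run /system script {script}")
```

The gap between the 15000 bps "above" threshold and the 12000 bps "below" threshold is what keeps ether2 from being enabled and disabled repeatedly when the rate hovers around a single value.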


© Copyright 1999-2002, MikroTik

MikroTik RouterOS SNMP Service

Document revision 11-Jul-2002
This document applies to the MikroTik RouterOS V2.5

Overview

SNMP is a network protocol that allows managing many network devices from one location. MikroTik RouterOS supports SNMPv2 (Simple Network Management Protocol version 2) as defined by RFC 1592. Installation of the SNMP package makes the router into an SNMP agent.

The MikroTik RouterOS supports:

Contents of the Manual

The following topics are covered in this manual:

Installation

The 'snmp-2.x.y.npk' (less than 150KB) package for installation of SNMP is required. The package can be downloaded from MikroTik’s web page www.mikrotik.com. To install the package, please upload it to the router with ftp and reboot. You may check to see if the SNMP package is installed with the command:

[MikroTik] > system package print                                              
Flags: I - invalid 
  #   NAME                  VERSION              BUILD-TIME           UNINSTALL
  0   snmp                  2.5                  apr/03/2002 10:07:13 no       
  1   routing               2.5                  apr/03/2002 10:18:41 no       
  2   ssh                   2.5                  apr/03/2002 10:08:54 no       
  3   system                2.5                  apr/03/2002 10:06:30 no       
  4   dhcp                  2.5                  apr/03/2002 10:08:10 no       
  5   ppp                   2.5                  apr/03/2002 10:11:07 no       
  6   pppoe                 2.5                  apr/03/2002 10:12:50 no       
  7   pptp                  2.5                  apr/03/2002 10:11:47 no       
  8   bgp                   2.5                  apr/03/2002 10:19:15 no       
[MikroTik] > 

Line 0 shows that the SNMP package is installed.

Hardware Resource Usage

When the SNMP is enabled, it uses approximately 2MB of RAM. When using SNMP, memory usage estimates should be made, system resources should be monitored, and RAM should be increased accordingly.

SNMP Setup

SNMP management can be accessed under the /snmp menu. Use the set command to configure it and enable the service:

[MikroTik] snmp> set contact=Sysadmin-555-1212 location=MikroTik enabled=yes   
[MikroTik] snmp> print                                                         
     enabled: yes
     contact: Sysadmin-555-1212
    location: MikroTik
[MikroTik] snmp>

Description of arguments:

contact-info, location - Informative only settings for the NMS.
enabled - (yes / no). SNMP service is disabled by default.

SNMP Communities

Community management can be accessed under the '/snmp community' menu. The default community for the SNMP is "public":

[MikroTik] snmp> community                                                     
[MikroTik] snmp community> print                                               
  # NAME                                                            READ-ACCESS
  0 public                                                          yes        
[MikroTik] snmp community>   

Argument description:

name - Community name.
read-access - (yes / no) Enables or disables the read access for the community.

You can add new communities and change the read access type, for example:

[MikroTik] snmp community> set public read-access=no ; add name=private        
[MikroTik] snmp community> print                                               
  # NAME                                                            READ-ACCESS
  0 public                                                          no         
  1 private                                                         no         
[MikroTik] snmp community> 
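The community settings above decide whether the agent answers a request at all, so an administrator wants to confirm from an authorized management station that a community set to read-access=no (the default "public" in the listing above) no longer answers. As an added example (not MikroTik code), this Python script encodes an SNMPv2c GetRequest for sysDescr.0 by hand and decodes the reply; the router address, request id and the constructed sample reply are assumptions.

```python
import socket
SYSDESCR = "1.3.6.1.2.1.1.1.0"  # MIB-2 sysDescr.0, readable with any read community

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):  # INTEGER, minimal two's-complement (non-negative values only here)
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def ber_oid(oid):
    """OBJECT IDENTIFIER: first two arcs share one byte, the rest are base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append((arc & 0x7F) | 0x80)
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def snmp_message(pdu_tag, community, oid, value=None, request_id=1, error_status=0):
    """SNMPv2c message with one varbind. pdu_tag 0xA0 = GetRequest (value None,
    encoded as NULL); 0xA2 = GetResponse (value bytes, encoded as OCTET STRING)."""
    val = tlv(0x05, b"") if value is None else tlv(0x04, value)
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + val))
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(error_status) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)

def ber_read(buf, pos=0):
    """Read one TLV at pos; return (tag, payload, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):  # all (tag, payload) pairs inside a constructed payload
    out, pos = [], 0
    while pos < len(buf):
        tag, payload, pos = ber_read(buf, pos)
        out.append((tag, payload))
    return out

def parse_get_response(msg):
    """(error-status, first varbind value) from a GetResponse; None if msg is not one."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        return None
    _version, _community, (pdu_tag, pdu) = children(body)
    if pdu_tag != 0xA2:
        return None
    _req_id, (_, err), _err_index, (_, varbinds) = children(pdu)
    [(_, varbind)] = children(varbinds)
    _oid, (_, value) = children(varbind)
    return int.from_bytes(err, "big", signed=True), value

def probe(host, community, oid=SYSDESCR, timeout=2.0):
    """Send one GetRequest to UDP/161 and report whether the agent answers for this community."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(snmp_message(0xA0, community, oid), (host, 161))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-response"  # the expected result once the community has read-access=no
    parsed = parse_get_response(data)  # a malformed reply raises ValueError/IndexError
    if parsed is None:
        return "unexpected-reply"
    return "answered" if parsed[0] == 0 else f"error:{parsed[0]}"

# Constructed reply, as an agent with read access would send it (not a captured packet).
SAMPLE_RESPONSE = snmp_message(0xA2, "public", SYSDESCR, b"MikroTik")
```

Calling probe("192.0.2.1", "public") (placeholder address) before and after `set public read-access=no` should go from "answered" to "no-response".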

Tools for SNMP Data Collection and Analysis

MRTG (Multi Router Traffic Grapher) is the most commonly used SNMP monitor.

http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/

Example of using MRTG with Mikrotik SNMP

Here is an example configuration file for MRTG to monitor network card traffic on MikroTik 2.5.x. This file was created with the MRTG v2.9.17 cfgmaker on a Linux computer. This is only an example file.

MRTG Sample Configuration

For more information read the MRTG documentation: Configuration Reference

Additional Resources

http://www.ietf.org/rfc/rfc1592.txt
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm


© Copyright 1999-2002, MikroTik