General Information

More documents

Recommendations

Info

associated with matching SPD rule), the packet is dropped. This is called incoming policy check. Internet Key Exchange The Internet Key Exchange (IKE) is a protocol that provides authenticated keying material for Internet Security Association and Key Management Protocol (ISAKMP) framework. There are other key exchange schemes that work with ISAKMP, but IKE is the most widely used one. Together they provide means for authentication of hosts and automatic management of security associations (SA). Most of the time IKE daemon is doing nothing. There are two possible situations when it is activated: • There is some traffic caught by a policy rule which needs to become encrypted or authenticated, but the policy doesn't have any SAs. The policy notifies IKE daemon about that, and IKE daemon initiates connection to remote host. • IKE daemon responds to remote connection. In both cases, peers establish connection and execute 2 phases: • Phase 1 - The peers agree upon algorithms they will use in the following IKE messages and authenticate. The keying material used to derive keys for all SAs and to protect following ISAKMP exchanges between hosts is generated also. • Phase 2 - The peers establish one or more SAs that will be used by IPsec to encrypt data. All SAs established by IKE daemon will have lifetime values (either limiting time, after which SA will become invalid, or amount of data that can be encrypted by this SA, or both). There are two lifetime values - soft and hard. When SA reaches it's soft lifetime treshhold, the IKE daemon receives a notice and starts another phase 2 exchange to replace this SA with fresh one. If SA reaches hard lifetime, it is discarded. IKE can optionally provide a Perfect Forward Secrecy (PFS), whish is a property of key exchanges, that, in turn, means for IKE that compromising the long term phase 1 key will not allow to easily gain access to all IPsec data that is protected by SAs established through this phase 1. It means an additional keying material is generated for each phase 2. Generation of keying material is computationally very expensive. Exempli gratia, the use of modp8192 group can take several seconds even on very fast computer. It usually takes place once per phase 1 exchange, which happens only once between any host pair and then is kept for long time. PFS adds this expensive operation also to each phase 2 exchange. Diffie-Hellman MODP Groups Diffie-Hellman (DH) key exchange protocol allows two parties without any initial shared secret to create one securely. The following Modular Exponential (MODP) Diffie-Hellman (also known as "Oakley") Groups are supported: Diffie-Hellman Group Modulus Reference Group 1 768 bits RFC2409 Group 2 1024 bits RFC2409 Page 224 of 568 Copyright 1999-2005, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA. Other trademarks and registred trademarks mentioned herein are properties of their respective owners.
Group 5 1536 bits RFC3526 IKE Traffic To avoid problems with IKE packets hit some SPD rule and require to encrypt it with not yet established SA (that this packet perhaps is trying to establish), locally originated packets with UDP source port 500 are not processed with SPD. The same way packets with UDP destination port 500 that are to be delivered locally are not processed in incoming policy check. Setup Procedure To get IPsec to work with automatic keying using IKE-ISAKMP you will have to configure policy, peer and proposal (optional) entries. For manual keying you will have to configure policy and manual-sa entries. Policy Settings Home menu level: /ip ipsec policy Description Policy table is needed to determine whether encryption should be applied to a packet. Property Description action (accept | drop | encrypt; default: accept) - specifies what action to undertake with a packet that matches the policy • accept - pass the packet • drop - drop the packet • encrypt - apply transformations specified in this policyand it's SA decrypted (integer) - how many incoming packets were decrypted by the policy dont-fragment (clear | inherit | set; default: clear) - The state of the don't fragment IP header field • clear - clear (unset) the fields, so that packets previously marked as don't fragment got fragmented • inherit - do not change the field • set - set the field, so that each packet matching the rule will not be fragmented dst-address (IP address/mask:port; default: 0.0.0.0/32:any) - destination IP address encrypted (integer) - how many outgoing packets were encrypted by the policy in-accepted (integer) - how many incoming packets were passed through by the policy without an attempt to decrypt in-dropped (integer) - how many incoming packets were dropped by the policy without an attempt to decrypt ipsec-protocols (multiple choice: ah | esp; default: esp) - specifies what combination of Authentication Header and Encapsulating Security Payload protocols you want to apply to matched Page 225 of 568 Copyright 1999-2005, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA. Other trademarks and registred trademarks mentioned herein are properties of their respective owners.
Page 1 and 2:
MikroTik RouterOS v2.8 Reference Ma
Page 3 and 4:
Removing Device Drivers............
Page 5 and 6:
General Information................
Page 7 and 8:
Source NAT.........................
Page 9 and 10:
Router User Groups.................
Page 11 and 12:
LCD Information Display Configurati
Page 13 and 14:
Basic Setup Guide Document revision
Page 15 and 16:
Downloading and Installing the Mikr
Page 17 and 18:
• You shoud have an account on ou
Page 19 and 20:
The list of available commands at a
Page 21 and 22:
Description Interface Management Be
Page 23 and 24:
e assigned. If the setup offers you
Page 25 and 26:
2 DC 10.0.0.0/24 r 0.0.0.0 0 Public
Page 27 and 28:
interface=Local queue=default prior
Page 29 and 30:
Terminal Console Document revision
Page 31 and 32:
[admin@MikroTik] ip route> /ping 10
Page 33 and 34:
Notes Pressing [Tab] key while ente
Page 35 and 36:
edit - this command is in every pla
Page 37 and 38:
Package Management Document revisio
Page 39 and 40:
• Check the information about the
Page 41 and 42:
• Ethernet interface support •
Page 43 and 44:
Specifications Sheet Document revis
Page 45 and 46:
"El Torito" bootable CDs (you might
Page 47 and 48:
Device Driver List Document revisio
Page 49 and 50:
• 3c905B Cyclone 10/100/BNC • 3
Page 51 and 52:
• Macronix 98715 PMAC • Macroni
Page 53 and 54:
Compatibility: • Planet ENW-9601T
Page 55 and 56:
• Olicom OC-2326 VIA vt612x 'Velo
Page 57 and 58:
• Samsung SWL2000-N 11Mbit/s 802.
Page 59 and 60:
• Moxa Smartio C104H/PCI, CP-114,
Page 61 and 62:
Driver Management Document revision
Page 63 and 64:
0xF0-0xFF FPU 0x100-0x13F [prism2_c
Page 65 and 66:
General Interface Settings Document
Page 67 and 68:
Description The traffic passing thr
Page 69 and 70:
Additional Documents • http://www
Page 71 and 72:
The interface should be enabled acc
Page 73 and 74:
1 1.1.1.2/32 1.1.1.1 1.1.1.1 farsyn
Page 75 and 76:
Finally we need to add IP addresses
Page 77 and 78:
• accessing an Intranet/LAN of a
Page 79 and 80:
[admin@MikroTik] interface l2tp-cli
Page 81 and 82:
[admin@MikroTik] interface l2tp-ser
Page 83 and 84:
To route the local Intranets over t
Page 85 and 86:
On the L2TP server a user must be s
Page 87 and 88:
CISCO/Aironet 2.4GHz 11Mbps Wireles
Page 89 and 90:
Try to change the I/O base address
Page 91 and 92:
Troubleshooting Description Keep in
Page 93 and 94:
The default route should be set to
Page 95 and 96:
The second router will have address
Page 97 and 98:
1. Add an IPIP interface (by defaul
Page 99 and 100:
[admin@MikroTik] interface ipip> pr
Page 101 and 102:
Additional Documents • http://www
Page 103 and 104:
MOXA C502 Dual-port Synchronous Int
Page 105 and 106:
Example [admin@MikroTik] interface
Page 107 and 108:
[admin@MikroTik] ip route> print Fl
Page 109 and 110:
Flags: X - disabled, I - invalid, D
Page 111 and 112:
Description VLANs are simply a way
Page 113 and 114:
[admin@MikroTik] interface vlan> pr
Page 115 and 116:
Description Installing the Wireless
Page 117 and 118:
[admin@MikroTik] interface radiolan
Page 119 and 120:
Ethernet interfaces respectively. T
Page 122 and 123:
Flags: X - disabled, R - running 0
Page 124 and 125:
Example with MikroTik Router to Mik
Page 126 and 127:
ISDN (Integrated Services Digital N
Page 128 and 129:
name (name) - name of the driver is
Page 130 and 131:
undle-128K (yes | no; default: yes)
Page 132 and 133:
# NAME SERVICE CALLER-ID PASSWORD P
Page 134 and 135:
[admin@Mikrotik] ip route> add gate
Page 136 and 137:
• For mobile or remote clients to
Page 138 and 139:
10.1.1.12 PPTP server and use it as
Page 140 and 141:
encoding (text) - encryption and en
Page 142 and 143:
To route the local Intranets over t
Page 144 and 145:
On the PPTP server a user must be s
Page 146 and 147:
Wireless Client and Wireless Access
Page 148 and 149:
protocol created to improve point-t
Page 150 and 151:
with Atheros cards. There might be
Page 152 and 153:
• ap-bridge - the interface is op
Page 154 and 155:
wds-mode=disabled wds-default-bridg
Page 156 and 157:
• exact-size - put as much packet
Page 158 and 159:
ap (read-only: no | yes) - whether
Page 160 and 161:
Property Description 2ghz-b-channel
Page 162 and 163:
5305,5310,5315,5320,5325,5330,5335,
Page 164 and 165:
arp (disabled | enabled | proxy-arp
Page 166 and 167:
Description This command is used to
Page 168 and 169:
• none - do not use encryption an
Page 170 and 171:
ssid="test1" frequency=5180 band=5G
Page 172 and 173:
Flags: X - disabled, R - running, D
Page 174 and 175:
select the frequency that is used b
Page 176 and 177:
2. On router with IP address 10.1.0
Page 178 and 179:
To make a secure Ethernet bridge be
Page 180 and 181:
Xpeed SDSL Interface Document revis
Page 182 and 183:
[admin@r1] interface> print Flags:
Page 184 and 185:
• I tried to connect two routers
Page 186 and 187: To add the driver for Arlan 655 ada
Page 188 and 189: Obtain the required license for 2.4
Page 190 and 191: MAC level bridging of Ethernet, Eth
Page 192 and 193: Always take care not to bridge virt
Page 194 and 195: designated-cost: 0 -- [Q quit|D dum
Page 196 and 197: idge firewall, not in forwarded pro
Page 198 and 199: [admin@MikroTik] ip address> print
Page 200 and 201: • Log Management Description You
Page 202 and 203: [admin@MikroTik] interface moxa-c10
Page 204 and 205: [admin@MikroTik] ip route> print Fl
Page 206 and 207: Flags: X - disabled, I - invalid, D
Page 208 and 209: • IP Addresses and ARP • Log Ma
Page 210 and 211: The driver for the Cyclades PC300/R
Page 212 and 213: PPPoE Document revision 1.4 (Fri Ap
Page 214 and 215: License required: level1 (limited t
Page 216 and 217: uptime (time) - connection time dis
Page 218 and 219: [admin@MikroTik] interface pppoe-se
Page 220 and 221: [admin@MT_Prism_AP] interface prism
Page 222 and 223: PPP and Asynchronous Interfaces Doc
Page 224 and 225: Example [admin@MikroTik] > /port pr
Page 226 and 227: Example You can add a PPP client us
Page 228 and 229: IP Addresses and ARP Document revis
Page 230 and 231: ether1 or ether2. Example [admin@Mi
Page 232 and 233: The MikroTik Router setup is as fol
Page 234 and 235: IP Security Document revision 3.1 (
Page 238 and 239: traffic. AH is applied after ESP, a
Page 240 and 241: Such policies are created dynamical
Page 242 and 243: auth-algorithm (multiple choice, re
Page 244 and 245: in-accept: 12 in-accept-isakmp: 0 i
Page 246 and 247: [admin@Router1] > ip firewall src-n
Page 248 and 249: • on MikroTik router we can see i
Page 250 and 251: Routes, Equal Cost Multipath Routin
Page 252 and 253: dst-address (IP address/mask; defau
Page 254 and 255: Example There is always a table cal
Page 256 and 257: Command sequence to achieve this: 1
Page 258 and 259: Connection Tracking and Service Por
Page 260 and 261: appropriate ICMP request icmp-optio
Page 262 and 263: Packet Marking (Mangle) Document re
Page 264 and 265: action (accept | passthrough; defau
Page 266 and 267: How to Mangle NATted Traffic Suppos
Page 268 and 269: • Package Management • M3P Desc
Page 270 and 271: Firewall Filters Document revision
Page 272 and 273: As we can see, a packet can enter t
Page 274 and 275: may be among the slowest. Therefore
Page 276 and 277: Keep in mind, that protocol must be
Page 278 and 279: • Protect the customer's hosts Co
Page 280 and 281: comment="Reject and log everything
Page 282 and 283: ip firewall dst-nat add action=nat
Page 284 and 285: Notes Whenever possible, the same i
Page 286 and 287:
Hardware usage: Increases with rule
Page 288 and 289:
Description You can limit peer-to-p
Page 290 and 291:
• Then create custom queue type w
Page 292 and 293:
• Package Management • IP Addre
Page 294 and 295:
The virtual IP addresses should be
Page 296 and 297:
[admin@MikroTik] ip vrrp> address a
Page 298 and 299:
Specifications Packages required: s
Page 300 and 301:
limit-count (integer; default: 0) -
Page 302 and 303:
limit-count (integer; default: 0) -
Page 304 and 305:
IP address on it, and as many inter
Page 306 and 307:
# INTERFACE TYPE 0 X ether1 externa
Page 308 and 309:
Description The wireless protocol I
Page 310 and 311:
DNS Client and Cache Document revis
Page 312 and 313:
[admin@MikroTik] ip dns> Cache Moni
Page 314 and 315:
Services, Protocols, and Ports Docu
Page 316 and 317:
1719/udp 1720/tcp 1723/tcp 2000/tcp
Page 318 and 319:
Example Walled Garden Description P
Page 320 and 321:
The HotSpot interface should have a
Page 322 and 323:
consulted first, then - a RADIUS se
Page 324 and 325:
use transparent web proxy (yes | no
Page 326 and 327:
allow-unencrypted-password=yes and
Page 328 and 329:
[admin@MikroTik] ip hotspot profile
Page 330 and 331:
ytes-out (read-only: integer) - how
Page 332 and 333:
[admin@MikroTik] ip hotspot server>
Page 334 and 335:
1. request for a remote host • if
Page 336 and 337:
• popup - whether to pop-up check
Page 338 and 339:
href="https://login.server.serv/log
Page 340 and 341:
There are two kinds of errors: fata
Page 342 and 343:
choose the address ranges, just mak
Page 344 and 345:
13. Add hotspot chain: /ip firewall
Page 346 and 347:
As we see from example, only hotspo
Page 348 and 349:
DHCP Client and Server Document rev
Page 350 and 351:
Standards and Technologies: DHCP De
Page 352 and 353:
• requesting... - the DHCP client
Page 354 and 355:
dns-server (text) - the DHCP client
Page 356 and 357:
[admin@MikroTik] ip dhcp-server lea
Page 358 and 359:
# NAME RANGES 0 dhcp_pool1 10.0.0.2
Page 360 and 361:
one network address translation so
Page 362 and 363:
mac-address (MAC address) - client'
Page 364 and 365:
Audio CODECs Description Example AA
Page 366 and 367:
The larger the jitter buffer, the l
Page 368 and 369:
find-best-balance - series of test-
Page 370 and 371:
monitor - monitor status of the voi
Page 372 and 373:
(plugged | unplugged) - state of th
Page 374 and 375:
aec (yes | no) - wheteher echo dete
Page 376 and 377:
• to which voice port route the c
Page 378 and 379:
• If nr=112 => matches the record
Page 380 and 381:
• NAS-Port-Type - always Async
Page 382 and 383:
marked as dynamic and can not be re
Page 384 and 385:
egistering endpoint (with IP addres
Page 386 and 387:
VOICE-PORT PREFIX 0 31 rob 31 1 33
Page 388 and 389:
Volume levels : voice volume : 54 i
Page 390 and 391:
call rsvp-sync voice rtp send-recv
Page 392 and 393:
OSPF Document revision 1.3 (Mon Sep
Page 394 and 395:
• if-installed-as-type-1 - send t
Page 396 and 397:
• none - do not use authenticatio
Page 398 and 399:
[admin@MikroTik] routing ospf> inte
Page 400 and 401:
OSPF backup without using a tunnel
Page 402 and 403:
Set redistribute-connected as as-ty
Page 404 and 405:
We should change cost value in both
Page 406 and 407:
0 Io 192.168.0.0/24 110 1 DC 192.16
Page 408 and 409:
Packages required: routing License
Page 410 and 411:
eceive (v1 | v1-2 | v2; default: v2
Page 412 and 413:
Example To view the list of the rou
Page 414 and 415:
[admin@MikroTik] routing rip> • C
Page 416 and 417:
Related Documents • Package Manag
Page 418 and 419:
[admin@modux] routing bgp network>
Page 420 and 421:
Prefix Lists Document revision 1.2
Page 422 and 423:
To accept the routes to the 172.16.
Page 424 and 425:
Example Example Local IP Traffic Ac
Page 426 and 427:
Notes There are three system groups
Page 428 and 429:
Router User Remote AAA Home menu le
Page 430 and 431:
To add the profile ex that will ass
Page 432 and 433:
RADIUS user database is consulted o
Page 434 and 435:
7 159.148.172.197 192.168.0.2 835 1
Page 436 and 437:
timeouts: 5 bad-replies: 0 last-req
Page 438 and 439:
• Session-Timeout - overrides ses
Page 440 and 441:
• Acct-Output-Packets - number of
Page 442 and 443:
OK:...", but the user cannot log on
Page 444 and 445:
To use a Certificate (which contain
Page 446 and 447:
equirements of your CA Example To i
Page 448 and 449:
There you can delete unnecessary fi
Page 450 and 451:
The Ping Command Command name: /pin
Page 452 and 453:
Bandwidth Control Document revision
Page 454 and 455:
you put no limit and choose all cla
Page 456 and 457:
than burst-threshold. This type of
Page 458 and 459:
[admin@MikroTik] queue interface> C
Page 460 and 461:
Example To mark all the traffic goi
Page 462 and 463:
[admin@MikroTik] queue simple> prin
Page 464 and 465:
max-limit=131072 And the same for L
Page 466 and 467:
3. Add a queue tree rule that will
Page 468 and 469:
Configuration Export and Import Doc
Page 470 and 471:
Home menu level: /import Descriptio
Page 472 and 473:
• No Set support • No Trap supp
Page 474 and 475:
• /system resource Example To see
Page 476 and 477:
ip.ipNetToMediaTable.ipNetToMediaEn
Page 478 and 479:
Description MRTG (Multi Router Traf
Page 480 and 481:
MAC Telnet Server and Client Docume
Page 482 and 483:
Ping Document revision 08-Jun-2004
Page 484 and 485:
Example To disable MAC pings: [admi
Page 486 and 487:
Additional Documents • DNS relate
Page 488 and 489:
interface (name) - the name of the
Page 490 and 491:
Bandwidth Test Document revision 1.
Page 492 and 493:
[admin@MikroTik] tool bandwidth-ser
Page 494 and 495:
Packet Sniffer Document revision 1.
Page 496 and 497:
filter-address1 and filter-address2
Page 498 and 499:
• ospf - Open Shortest Path First
Page 500 and 501:
Packet Sniffer Host Home menu level
Page 502 and 503:
Traceroute Document revision 1.2 (F
Page 504 and 505:
ICMP Bandwidth Test Document revisi
Page 506 and 507:
System Resource Management Document
Page 508 and 509:
IRQ Usage Monitor Command name: /sy
Page 510 and 511:
7 00:0e.0 Atheros Communications AR
Page 512 and 513:
[admin@Gateway] system clock> print
Page 514 and 515:
How to Connect PowerTip LCD to a Pa
Page 516 and 517:
[admin@MikroTik] system lcd> print
Page 518 and 519:
Support Output File Document revisi
Page 520 and 521:
SSH (Secure Shell) Server and Clien
Page 522 and 523:
SSH Client Command name: /system ss
Page 524 and 525:
General Information Command name: /
Page 526 and 527:
• http://www.ctsystems.org/rs.htm
Page 528 and 529:
To connect to a device connected to
Page 530 and 531:
• Precise Positioning Service (PP
Page 532 and 533:
Scripting Host and Complementary To
Page 534 and 535:
License required: level1 Home menu
Page 536 and 537:
[admin@MikroTik] ip address> /user
Page 538 and 539:
* - multiplication. Binary operator
Page 540 and 541:
[admin@MikroTik] interface> :put (~
Page 542 and 543:
Local Variables g1=this is global v
Page 544 and 545:
In the example below monitor action
Page 546 and 547:
Home menu level: /system script job
Page 548 and 549:
Specifications Packages required: s
Page 550 and 551:
[admin@MikroTik] system script> ..
Page 552 and 553:
Specifications Packages required: a
Page 554 and 555:
In the following example we will ad
Page 556 and 557:
Packages required: ups License requ
Page 558 and 559:
Runtime Calibration Command name: /
Page 560 and 561:
NTP (Network Time Protocol) Documen
Page 562 and 563:
• synchronized - local clock is s
Page 564 and 565:
RouterBoard-specific functions Docu
Page 566 and 567:
Firmware upgrade can take up to 20s
Page 568 and 569:
LED Managment Command name: :led De
Page 570 and 571:
License Management Document revisio
Page 572 and 573:
can not move license on another har
Page 574 and 575:
• ERROR: Key for specified softwa
Page 576 and 577:
MikroTik RouterOS implements indust
Page 578 and 579:
Router has several global configura
Page 580:
Notes print command has the followi
show all

General Information

Create successful ePaper yourself

Delete template?

Save as template?