MikroTik RouterOSâ¢ v2.9

More documents

Recommendations

Info

add-dst-to-address-list or add-src-to-address-list actions • 00:00:00 - leave the address in the address list forever chain (forward | input | output | postrouting | prerouting) - specify the chain to put a particular rule into. As the different traffic is passed through different chains, always be careful in choosing the right chain for a new rule. If the input does not match the name of an already defined chain, a new chain will be created comment (text) - free form textual comment for the rule. A comment can be used to refer the particular rule from scripts connection-bytes (integer | integer) - match packets only if a given amount of bytes has been transfered through the particular connection • 0 - means infinity, exempli gratia: connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transfered through the relevant connection connection-limit (integer | netmask) - restrict connection limit per address or address block connection-mark (name) - match packets marked via mangle facility with particular connection mark connection-type (ftp | gre | h323 | irc | mms | pptp | quake3 | tftp) - match packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port content (text) - the text packets should contain in order to match the rule dst-address (IP address | netmask | IP address | IP address) - specify the address range an IP packet is destined to. Note that console converts entered address/netmask value to a valid network address, i.e.:1.1.1.1/24 is converted to 1.1.1.0/24 dst-address-list (name) - match destination address of a packet against user-defined address list dst-address-type (unicast | local | broadcast | multicast) - match destination address type of the IP packet, one of the: • unicast - IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case • local - match addresses assigned to router's interfaces • broadcast - the IP packet is sent from one point to all other points in the IP subnetwork • multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points dst-limit (integer | time | integer | dst-address | dst-port | src-address | time) - limit the packet per second (pps) rate on a per destination IP or per destination port base. As opposed to the limit match, every destination IP address / destination port has it's own limit. The options are as follows (in order of appearance): • Count - maximum average packet rate, measured in packets per second (pps), unless followed by Time option • Time - specifies the time interval over which the packet rate is measured • Burst - number of packets to match in a burst • Mode - the classifier(-s) for packet rate limiting • Expire - specifies interval after which recorded IP addresses / ports will be deleted dst-port (integer: 0..65535 | integer: 0..65535) - destination port number or range Page 389 of 615 Copyright 1999-2005, <strong>MikroTik</strong>. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA. Other trademarks and registred trademarks mentioned herein are properties of their respective owners.
hotspot (multiple choice: from-client | auth | local-dst | http) - match packets received from clients against various Hot-Spot. All values can be negated • from-client - true, if a packet comes from HotSpot client • auth - true, if a packet comes from authenticted client • local-dst - true, if a packet has local destination IP address • hotspot - true, if it is a TCP packet from client and either the transparent proxy on port 80 is enabled or the client has a proxy address configured and this address is equal to the address:port pair of the IP packet icmp-options (integer | integer) - match ICMP Type:Code fields in-interface (name) - interface the packet has entered the router through ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp) - match ipv4 header options • any - match packet with at least one of the ipv4 options • loose-source-routing - match packets with loose source routing option. This option is used to route the internet datagram based on information supplied by the source • no-record-route - match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source • no-router-alert - match packets with no router alter option • no-source-routing - match packets with no source routing option • no-timestamp - match packets with no timestamp option • record-route - match packets with record route option • router-alert - match packets with router alter option • strict-source-routing - match packets with strict source routing option • timestamp - match packets with timestamp jump-target (forward | input | output | postrouting | prerouting | name) - name of the target chain to jump to, if the action=jump is used limit (integer | time | integer) - restrict packet match rate to a given limit. Usefull to reduce the amount of log messages • Count - maximum average packet rate, measured in packets per second (pps), unless followed by Time option • Time - specify the time interval over which the packet rate is measured • Burst - number of packets to match in a burst log-prefix (text) - all messages written to logs will contain the prefix specified herein. Used in conjunction with action=log new-connection-mark (name) - specify the new value of the connection mark to be used in conjunction with action=mark-connection new-mss (integer) - specify MSS value to be used in conjunction with action=change-mss new-packet-mark (name) - specify the new value of the packet mark to be used in conjunction with action=mark-packet new-routing-mark (name) - specify the new value of the routing mark used in conjunction with action=mark-routing Page 390 of 615 Copyright 1999-2005, <strong>MikroTik</strong>. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA. Other trademarks and registred trademarks mentioned herein are properties of their respective owners.
Page 1 and 2:
MikroTik RouterOS v2.9 Reference Ma
Page 3 and 4:
General Information ...............
Page 5 and 6:
Bridge Host Monitoring.............
Page 7 and 8:
Frame Relay Configuration Examples.
Page 9 and 10:
Queue Trees........................
Page 11 and 12:
Dynamic DNS Update.................
Page 13 and 14:
Scheduler Configuration............
Page 15 and 16:
Description General Information Sum
Page 17 and 18:
Broadcom Tigon3 Chipset type: Broad
Page 19 and 20:
Chipset type: Marvell Yukon 88E80xx
Page 21 and 22:
Compatibility: • RealTek RTL8129
Page 23 and 24:
Description Atheros Chipset type: A
Page 25 and 26:
Description This is driver for lega
Page 27 and 28:
xDSL Packages required: synchronous
Page 29 and 30:
License Management Document revisio
Page 31 and 32:
Important: the abovementioned limit
Page 33 and 34:
• ERROR: You are not allowed to u
Page 35 and 36:
• NTP - Network Time Protocol ser
Page 37 and 38:
package is installed) • MAC Telne
Page 39 and 40:
Related Documents • Software Pack
Page 41 and 42:
from this type of media; if El Tori
Page 43 and 44:
etype new password: ************ [a
Page 45 and 46:
| from any level [admin@MikroTik] i
Page 47 and 48:
0 D RealTek 8139 1 D Intel EtherExp
Page 49 and 50:
when the addresses were added in th
Page 51 and 52:
y the ISP, you should use the sourc
Page 53 and 54:
Installing RouterOS with CD-Install
Page 55 and 56:
Installing RouterOS with Floppies D
Page 57 and 58:
• IP address/mask - address with
Page 59 and 60:
Configuration Management Document r
Page 61 and 62:
Description The export command prin
Page 63 and 64:
FTP (File Transfer Protocol) Server
Page 65 and 66:
MAC Level Access (Telnet and Winbox
Page 67 and 68:
Flags: X - disabled # INTERFACE 0 a
Page 69 and 70:
Description The Serial Console (man
Page 71 and 72:
Notes [Ctrl]+[Q] and [Ctrl]+[X] hav
Page 73 and 74:
License required: level1 Home menu
Page 75 and 76:
Uninstalling Command name: /system
Page 77 and 78:
10 ppp 2.9.11 11 dhcp 2.9.11 12 hot
Page 79 and 80:
To add a router with IP address 192
Page 81 and 82:
thinrouter-pcipc forces PCI-to-Card
Page 83 and 84:
Description In this submenu you can
Page 85 and 86:
SSH (Secure Shell) Server and Clien
Page 87 and 88:
Example [admin@MikroTik] > /system
Page 89 and 90:
MikroTik RouterOS implements indust
Page 91 and 92:
Common Console Functions Descriptio
Page 93 and 94:
[admin@MikroTik] interface> set 0 m
Page 95 and 96:
Description There are some commands
Page 97 and 98:
owner of safe mode is notified abou
Page 99 and 100:
where: • discovers and shows MNDP
Page 101 and 102:
IP Addresses and ARP Document revis
Page 103 and 104:
ether1 or ether2. Example [admin@Mi
Page 105 and 106:
0 10.0.0.217/24 10.0.0.0 10.0.0.255
Page 107 and 108:
OSPF Document revision 1.4 (Wed Dec
Page 109 and 110:
• if-installed-as-type-1 - send t
Page 111 and 112:
• none - do not use authenticatio
Page 113 and 114:
[admin@MikroTik] routing ospf> inte
Page 115 and 116:
OSPF backup without using a tunnel
Page 117 and 118:
# NETWORK AREA 0 10.3.0.0/24 local_
Page 119 and 120:
[admin@OSPF_peer_2] > ip route prin
Page 121 and 122:
Packages required: routing License
Page 123 and 124:
eceive (v1 | v1-2 | v2; default: v2
Page 125 and 126:
Example To view the list of the rou
Page 127 and 128:
[admin@MikroTik] routing rip> • C
Page 129 and 130:
• dynamic routes - automatically
Page 131 and 132:
Static Equal Cost Multi-Path routin
Page 133 and 134:
General Interface Settings Document
Page 135 and 136:
ARLAN 655 Wireless Client Card Docu
Page 137 and 138:
Example [admin@MikroTik] > interfac
Page 139 and 140:
Interface Bonding Document revision
Page 141 and 142:
determenation relies on the device
Page 143 and 144:
• for Office1through ISP2 [admin@
Page 145 and 146:
Bridge Document revision 2.1 (Fri M
Page 147 and 148:
• Filter Description Ethernet-lik
Page 149 and 150:
To group ether1 and ether2 in the a
Page 151 and 152:
idge1 00:C0:DF:07:5E:E6 ether1 4m46
Page 153 and 154:
• ddp - datagram delivery protoco
Page 155 and 156:
Home menu level: /interface bridge
Page 157 and 158:
action=dst-nat is selected Troubles
Page 159 and 160:
• Device Driver List • IP Addre
Page 161 and 162:
tx-antenna (both | default | left |
Page 163 and 164:
The access point is connected to th
Page 165 and 166:
• One of the units (slave) should
Page 167 and 168:
Cyclades PC300 PCI Adapters Documen
Page 169 and 170:
chdlc-keepalive (time; default: 10s
Page 171 and 172:
[admin@MikroTik] ip route> add gate
Page 173 and 174:
Additional Documents • http://www
Page 175 and 176:
ut it does not affect the NIC's per
Page 177 and 178:
Additional Documents • http://www
Page 179 and 180:
The interface should be enabled acc
Page 181 and 182:
1 1.1.1.2/32 1.1.1.1 1.1.1.1 farsyn
Page 183 and 184:
Finally we need to add IP addresses
Page 185 and 186:
• Moxa C502 Dual Port Synchronous
Page 187 and 188:
0 1.1.1.1/24 1.1.1.0 1.1.1.255 pvc1
Page 189 and 190:
Troubleshooting Description • I c
Page 191 and 192:
[admin@MikroTik] interface ppp-clie
Page 193 and 194:
Hardware usage: Not significant Rel
Page 195 and 196:
mtu (integer; default: 1500) - Maxi
Page 197 and 198:
session-timeout=0s idle-timeout=0s
Page 199 and 200:
• And finally, you have to add sc
Page 201 and 202:
Description With the introduction o
Page 203 and 204:
M3P Document revision 0.3.0 (Wed Ma
Page 205 and 206:
unpacking (none | simple | compress
Page 207 and 208:
• Log Management Description You
Page 209 and 210:
[admin@MikroTik] interface moxa-c10
Page 211 and 212:
[admin@MikroTik] ip route> print Fl
Page 213 and 214:
Flags: X - disabled, I - invalid, D
Page 215 and 216:
• Log Management Description You
Page 217 and 218:
The driver for MOXA C502 card shoul
Page 219 and 220:
The driver for MOXA C502 card shoul
Page 221 and 222:
PPP and Asynchronous Interfaces Doc
Page 223 and 224:
Example [admin@MikroTik] > /port pr
Page 225 and 226:
Example You can add a PPP client us
Page 227 and 228:
RadioLAN 5.8GHz Wireless Interface
Page 229 and 230:
default-destination (ap | as-specif
Page 231 and 232:
1. Setting the Service Set Identifi
Page 233 and 234:
Property Description Notes WDS Inte
Page 235 and 236:
Service Set Identifier test, do the
Page 237 and 238:
acceptance timeout) in microseconds
Page 239 and 240:
• manual-tx-power - channels in c
Page 241 and 242:
Notes It is strongly suggested to l
Page 243 and 244:
• none - do nothing special, do n
Page 245 and 246:
WDS cannot be used on Nstreme-dual
Page 247 and 248:
access point routeros-version (read
Page 249 and 250:
client-tx-limit (integer; default:
Page 251 and 252:
nstreme-support (read-only: yes | n
Page 253 and 254:
Property Description arp (disabled
Page 255 and 256:
Align Home menu level: /interface w
Page 257 and 258:
2412MHz 3.8% 2417MHz 9.8% 2422MHz 2
Page 259 and 260:
Property Description group-key-upda
Page 261 and 262:
Prism card doesn't report that the
Page 263 and 264:
2 2412 -45dBm@1Mbps 00:02:6F:05:68:
Page 265 and 266:
ack-timeout=dynamic tx-power=defaul
Page 267 and 268:
This example will show you how to c
Page 269 and 270:
adio-name: "000C42050022" signal-st
Page 271 and 272:
Flags: X - disabled, R - running 0
Page 273 and 274:
[admin@WEP_StationX] interface wire
Page 275 and 276:
Xpeed SDSL Interface Document revis
Page 277 and 278:
[admin@r1] interface> print Flags:
Page 279 and 280:
• I tried to connect two routers
Page 281 and 282:
2. On router with IP address 10.1.0
Page 283 and 284:
network. Example Our goal is to cre
Page 285 and 286:
IP Security Document revision 3.4 (
Page 287 and 288:
Internet Key Exchange The Internet
Page 289 and 290:
level (acquire | require | use; def
Page 291 and 292:
hash-algorithm (multiple choice: md
Page 293 and 294:
current-bytes (read-only: integer)
Page 295 and 296:
General Information MikroTik Router
Page 297 and 298:
! Create IPsec transform set - tran
Page 299 and 300:
[admin@MikroTik] > /ip ipsec policy
Page 301 and 302:
1. Add an IPIP interface (by defaul
Page 303 and 304:
[admin@MikroTik] interface ipip> pr
Page 305 and 306:
• accessing an Intranet/LAN of a
Page 307 and 308:
[admin@MikroTik] interface l2tp-cli
Page 309 and 310:
[admin@MikroTik] interface l2tp-ser
Page 311 and 312:
To route the local Intranets over t
Page 313 and 314:
On the L2TP server a user must be s
Page 315 and 316:
PPPoE Document revision 1.5 (Fri No
Page 317 and 318:
License required: level1 (limited t
Page 319 and 320:
Example To monitor the pppoe-out1 c
Page 321 and 322:
To disconnect the user ex: [admin@M
Page 323 and 324:
disconnect, they are still shown an
Page 325 and 326:
• For mobile or remote clients to
Page 327 and 328:
Example To set up PPTP client named
Page 329 and 330:
connection mtu (integer) - (cannot
Page 331 and 332:
ound-trip min/avg/max = 3/3.0/3 ms
Page 333 and 334:
VLAN Document revision 1.2 (Mon Sep
Page 335 and 336:
• http://www.cisco.com/warp/publi
Page 337 and 338:
Graphing Document revision 1.0 (09-
Page 339 and 340:
allow-address (IP address | netmask
Page 341 and 342:
HotSpot User AAA Document revision
Page 343 and 344:
name (name) - profile reference nam
Page 345 and 346:
Example To add user ex with passwor
Page 347 and 348:
IP accounting Document revision 2.1
Page 349 and 350:
enabled: yes account-local-traffic:
Page 351 and 352: PPP User AAA Document revision 2.4
Page 353 and 354: was no activity present. There is n
Page 355 and 356: is the caller's number (that may or
Page 357 and 358: RADIUS client Document revision 0.4
Page 359 and 360: • ppp - Point-to-Point clients au
Page 361 and 362: address of the client) • User-Nam
Page 363 and 364: • Advertise-Interval - Time inter
Page 365 and 366: Framed-IP-Address 8 RFC2865 Framed-
Page 367 and 368: Router User AAA Document revision 2
Page 369 and 370: • password - policy that grants r
Page 371 and 372: when (read-only: date) - log in dat
Page 373 and 374: information included • version 9
Page 375 and 376: Bandwidth Control Document revision
Page 377 and 378: disciplines are set under /queue in
Page 379 and 380: picture, Leaf1 will be served only
Page 381 and 382: PFIFO and BFIFO These queuing disci
Page 383 and 384: Interface Default Queues Home menu
Page 385 and 386: Home menu level: /queue tree Descri
Page 387 and 388: upload to the Server and Workstatio
Page 389 and 390: Filter Document revision 2.7 (Fri N
Page 391 and 392: • packet arrival time • and muc
Page 393 and 394: connection-type (ftp | gre | h323 |
Page 395 and 396: ipsec-esp | iso-tp4 | ospf | pup |
Page 397 and 398: add chain=forward src-address=0.0.0
Page 399 and 400: The address list records could be u
Page 401: Mangle Home menu level: /ip firewal
Page 405 and 406: coming from the same host to be tre
Page 407 and 408: Change MSS It is a well known fact
Page 409 and 410: NAT Description Network Address Tra
Page 411 and 412: chain (dstnat | srcnat | name) - sp
Page 413 and 414: out-interface (name) - interface th
Page 415 and 416: Example of Destination NAT If you w
Page 417 and 418: Packet Flow Description MikroTik Ro
Page 419 and 420: Property Description connection-mar
Page 421 and 422: Description ICMP TYPE:CODE values I
Page 423 and 424: DHCP Client and Server Document rev
Page 425 and 426: Flags: X - disabled, I - invalid 0
Page 427 and 428: DHCP Server Setup Home menu level:
Page 429 and 430: DHCP lease in case it is directly r
Page 431 and 432: 6. in other case, the lease becomes
Page 433 and 434: Description To find any rogue DHCP
Page 435 and 436: • 0.0.0.0 - the IP address will b
Page 437 and 438: IP addresses of DHCP-Relay: [admin@
Page 439 and 440: DNS Client and Cache Document revis
Page 441 and 442: secondary-dns: 0.0.0.0 allow-remote
Page 443 and 444: HotSpot Gateway Document revision 4
Page 445 and 446: for that interface: /ip hotspot add
Page 447 and 448: You may wish not to require authori
Page 449 and 450: While client is blocked, FTP and ot
Page 451 and 452: set up in the server profile, and a
Page 453 and 454:
split-user-domain (yes | no; defaul
Page 455 and 456:
• deny - the authorization is req
Page 457 and 458:
• bypassed - perform the translat
Page 459 and 460:
NAT rules From /ip firewall nat pri
Page 461 and 462:
finished session • error.html - e
Page 463 and 464:
• link-login - link to login page
Page 465 and 466:
Notes If you want to use HTTP-CHAP
Page 467 and 468:
• Hotspot will ask RADIUS server
Page 469 and 470:
that they will have login-free acce
Page 471 and 472:
[admin@MikroTik] ip proxy> print en
Page 473 and 474:
path (wildcard) - name of the reque
Page 475 and 476:
esponse may be used to update previ
Page 477 and 478:
Description IP pools simply group I
Page 479 and 480:
SOCKS Proxy Server Document revisio
Page 481 and 482:
Access List Home menu level: /ip so
Page 483 and 484:
client. In this case IP address wou
Page 485 and 486:
IP address on it, and as many inter
Page 487 and 488:
Web Proxy Document revision 1.1 (We
Page 489 and 490:
Note that it may be useful to have
Page 491 and 492:
Description Access list is implemen
Page 493 and 494:
src-address (IP address | netmask)
Page 495 and 496:
This method retrieves whatever info
Page 497 and 498:
Certificate Management Document rev
Page 499 and 500:
decrypt - decrypt and cache public
Page 501 and 502:
DDNS Update Tool Document revision
Page 503 and 504:
GPS Synchronization Document revisi
Page 505 and 506:
[admin@MikroTik] system gps> print
Page 507 and 508:
Description How to Connect PowerTip
Page 509 and 510:
contrast: 0 [admin@MikroTik] system
Page 511 and 512:
MNDP Document revision 1.4 (Fri Mar
Page 513 and 514:
Description This submenu allows you
Page 515 and 516:
MikroTik RouterOS provides both - N
Page 517 and 518:
Home menu level: /system clock Note
Page 519 and 520:
• Health monitoring (RouterBOARD
Page 521 and 522:
• optimal - the BIOS tries to det
Page 523 and 524:
led3 (yes | no; default: no) - whet
Page 525 and 526:
Support Output File Document revisi
Page 527 and 528:
Command Description Notes Example S
Page 529 and 530:
0xCF8-0xCFF [PCI conf1] 0x4000-0x40
Page 531 and 532:
Only users, which are members of gr
Page 533 and 534:
Home menu level: Command name: /sys
Page 535 and 536:
Bandwidth Test Document revision 1.
Page 537 and 538:
[admin@MikroTik] tool bandwidth-ser
Page 539 and 540:
ICMP Bandwidth Test Document revisi
Page 541 and 542:
Packet Sniffer Document revision 1.
Page 543 and 544:
filter-address1 and filter-address2
Page 545 and 546:
• ospf - Open Shortest Path First
Page 547 and 548:
Packet Sniffer Host Home menu level
Page 549 and 550:
Ping Document revision 1 (Mon Jul 1
Page 551 and 552:
and press the [Tab] key: [admin@Mik
Page 553 and 554:
interface (name) - the name of the
Page 555 and 556:
Traceroute Document revision 1.8 (F
Page 557 and 558:
Network Monitor Document revision 1
Page 559 and 560:
done There are two scripts. The scr
Page 561 and 562:
eboot and on most item configuratio
Page 563 and 564:
Scripting Host Document revision 2.
Page 565 and 566:
Console commands are made of the fo
Page 567 and 568:
Variables Description RouterOS scri
Page 569 and 570:
= - greater or equal. Binary operat
Page 571 and 572:
[admin@MikroTik] interface> :put (1
Page 573 and 574:
epeatedly (yes | no) - condition, w
Page 575 and 576:
• omitted - altar LED state forev
Page 577 and 578:
3 4 5 6 7 8 9 [admin@MikroTik] > Sp
Page 579 and 580:
policy (multiple choice: ftp | loca
Page 581 and 582:
Command Description edit (name) - o
Page 583 and 584:
interval (time; default: 0s) - inte
Page 585 and 586:
Traffic Monitor Document revision 1
Page 587 and 588:
IP Telephony Document revision 2.2
Page 589 and 590:
Description IP telephony, known as
Page 591 and 592:
If autodial does not exactly match
Page 593 and 594:
name (name) - name given by the use
Page 595 and 596:
ing-cadence (text) - a 16-symbol ri
Page 597 and 598:
number of packets received by this
Page 599 and 600:
There is a possibility to enter som
Page 601 and 602:
ZZ • If nr=444, it matches the re
Page 603 and 604:
To generate a tone, frequency and c
Page 605 and 606:
• 10 - Call failed as could not f
Page 607 and 608:
0 11 phonejack1 1 _ voip1 [admin@Mi
Page 609 and 610:
Setting up the MikroTik IP Telephon
Page 611 and 612:
# DST-PATTERN VOICE-PORT PREFIX 0 3
Page 613 and 614:
• G.729a codec MUST be disabled (
Page 615 and 616:
We want to be able to use make call
Page 617 and 618:
no-ping-delay (time; default: 5m) -
Page 619 and 620:
Packages required: ups License requ
Page 621 and 622:
Notes The test begins only if the b
Page 623 and 624:
VRRP Document revision 1.4 (Fri Mar
Page 625 and 626:
advertisement packets • none - no
Page 627 and 628:
This example shows how to configure
show all

MikroTik RouterOSâ¢ v2.9

Create successful ePaper yourself

Delete template?

Save as template?

MikroTik RouterOSâ¢ v2.9