Learn RouterOS

Learn RouterOS by Dennis M Burgess

Copyright and Trademarks

All trademarks and copyrights are held by the respective copyright holder.

Copyright 2009 by Dennis Burgess

All rights reserved. No part of this book may be reproduced, stored, or transmitted by any means - whether auditory, graphic, mechanical, or electronic - without written permission of both publisher and author, except in the case of brief excerpts used in critical articles and reviews. Unauthorized reproduction of any part of this work is illegal and is punishable by law.

ISBN: 978-0-557-09271-0

Introduction

MikroTik RouterOS is a routing software that has been growing in popularity extremely quickly. When it is combined with reliable, powerful hardware, RouterOS can quickly surpass many routers that are currently available on the market. Many businesses, Wireless Internet Service Providers, and other end-users have found that the cost savings that RouterOS offers is the key to their business success.

In this book, we are going to give you the knowledge and examples of configuration of the MikroTik RouterOS software. You will end up learning RouterOS, and have working examples that you can emulate and change to meet your needs. We will cover many aspects of the software, including MikroTik specific systems, Wireless Networking, Routing, as well as virtually all of the features included in the RouterOS software.

We are going to give you code examples, screen shots and real world application designs that you can do right on your own RouterOS system. These items will enable you to do RouterOS work for your business, or company. You will have the knowledge to use RouterOS as a router, wireless access point, client premise device, web caching system, and even a VPN (Virtual Private Network) server.

Who should use this book

This book is designed as a reference guide. I want to give you the direction on what features you need to use, and why.
If you need to know what exactly a feature or command does, you will need the command reference that MikroTik offers on their website at http://www.MikroTik.com. If you want to learn how to take these features and put them together, common best practices, as well as ways of configuring systems to make them do what you want them to do, then this book is for you.

We will cover lots of topics, some are simple topics and we will show you the options you have, but more importantly, we will show you why to use them! Some features are packed with comments and suggestions on how to use that feature along with other features, and why to use such features.

About the Author

Dennis Burgess started learning about computers at a young age. Using a TRS-80 Dennis started using basic programming to create small computer programs. At the age of 13 he started a multi-line BBS (Bulletin Board System), using small Dell computers and 9600 baud modems. He was introduced to networking through the need to network his BBS computers together. After High School, Dennis attended a local technical college and graduated with an Associate's Degree in Computer Electronics and Networking Technologies.

Mr. Burgess went to work for a number of consulting companies, focusing on Servers, and Wide-Area Networks. He designed and deployed a number of networks for law firms, construction companies and other small-to-medium businesses. He deployed Microsoft Solutions as well as Cisco routers on a routine basis. During this time, Dennis obtained his Microsoft Certified Professional status, as well as his A+ Computer Technician, N+ Network Technician, and even became a Cisco Certified Network Associate or CCNA.

After working for a number of years as an Enterprise Network and Server Consultant, Mr. Burgess worked for a number of dealerships in the St. Louis area building a private network for their needs. During this time he started his first Wireless Internet Service Provider. This company introduced him into the world of MikroTik RouterOS.
The WISP, needing a method to control bandwidth for subscribers, built their first RouterOS x86 systems. After realizing the power and performance of RouterOS, as well as using them in tower installations for 802.11b/g access-points in the WISP, he continued to use RouterOS to deploy a fully redundant virtual network for the group of dealerships he worked for. This network, still using RouterOS, is working as intended, since 2001.

Mr. Burgess ended up selling his Wireless Internet Service Provider Company later, and focused on creating a company that could assist other WISPs, businesses and ISPs with RouterOS. Dennis's company, Link Technologies, Inc, is now a world-wide MikroTik consulting company. Consulting clients include small WISPs as well as Enterprises using RouterOS.

Link Technologies, Inc. also started producing the PowerRouter Series of RouterOS devices after seeing a need for Enterprise-Class RouterOS Routers. These 1U Carrier-Grade systems are designed with Ethernet routing, high-performance applications, and web caching as well. The PowerRouter 732 is also a homeland security approved device.

Link Technologies, Inc

Link Technologies, Inc was formed with a purpose to help Wireless ISPs as well as provide high-quality consulting services for RouterOS systems. In the USA the options for RouterOS consulting services were very limited to small home businesses, and technician level admins trying to help out businesses and ISPs with RouterOS. I formed Link Technologies, Inc to give these businesses the needed level of technical support, engineering and consulting services that they needed.

Link Technologies, Inc offers multiple certified RouterOS engineers, MikroTik Certified Trainers, RouterOS Training Programs, as well as general network engineering, consulting and support. We are one of the largest MikroTik consulting companies in the world.
With clients ranging from start-up WISP operations, to publicly traded enterprises with over 35,000+ end-users.

On top of MikroTik, we also offer business support, Canopy, Cisco, Microsoft, Mail servers, DNS Server and can help you with just about any type of consulting services that you may need for your networking business.

So if you need some form of RouterOS consulting, engineering or training, be sure to contact us. We have several engineers on-staff that can assist you!

Link Technologies, Inc
PO Box 96
House Springs, MO 63051
http://[email protected]

Table of Contents

Introduction
Who should use this book
About the Author
Link Technologies, Inc
What is RouterOS?
How this Book is organized
RouterOS Hardware
RouterBoard Devices
Solar Power and RouterBoards
X86 Based RouterOS Systems
Supported x86 Hardware
RouterOS Licensing
Extended Frequency Licenses
Installation
Using NetInstall on RouterBoard Products
DOM / Flash Card / Hard Disk Installation via NetInstall
Ways to Lose your RouterOS License
Accessing RouterOS
What are all of the methods of accessing a RouterOS System?
Default User and Password
Using Neighborhood Viewer
Using Telnet
SSH - Secure Shell Access
WebBox
Interfaces and IP addresses
Wireless Interfaces
Registration Table
Routing
System Options
Basic Firewall
Simple Queues
PPPoE Client
Access List
DHCP Server
Upgrades
Using WinBox
WinBox Menus
WinBox Interface Options
Managing RouterOS
User Defaults
User Management
Adding/Removing/Changing Local Users
RouterOS User Groups
Active Users
SSH Keys
Radius RouterOS Users
AAA Settings
RouterOS Services
FTP Service
API Service
SSH / Telnet Services
WWW Service / WWW-SSL Service
WinBox Service
Working with Files
Backup / Restore
Creating Editable Text Backup Files
Importing Scripts
Logging
Setting Logging Rules
Basic RouterOS Setup
Configuring IP Addresses
Common IP Information
24 bit Block or a /8 Prefix
20 bit Block or a /12 Prefix
16 bit Block or a /16 Prefix
Default Routes
DNS Caching / Service
DHCP-Client
DHCP-Server
DHCP Server Wizard
IP Pools
NAT Masquerading
Configuration of basic Masquerading
Home Router
Home Router Walkthrough
Verify that we obtained an IP address
Common Wireless Configurations
Bridged Access Point Configuration
CPE - Client Premise Equipment Configuration
Bridged Client
How to Use Pseudobridge Mode
Routed / NAT CPE
RouterOS Features
IP Features
Interface ARP - Address Resolution Protocol Settings
ARP List / Table
Static Routing
Routing and Routes
Checking Gateways
Using Distances
ECMP - Equal Cost Multiple Path
Policy Based Routing
Routing Policies
Using Mangle to Route Traffic
Firewall Features
Traffic Identification
Understanding Connection States
Packet Flow in RouterOS
Chains
Input Chain
Output Chain
Forward Chain
Other Chains
Jumping to Chains
Returning from Chains
Address Lists
How to Match Data
Port Scan Detection
Connection Bytes
Built-In Peer to Peer Filtering
Layer 7 Filters
Connection Limiting
Ingress Priority / TOS / DSCP
Random
Limit / DST Limit
Nth
Time
Firewall Actions
Protecting Your Router
Protecting Networks
Common Firewall Options
SPAM Prevention
Brute Force Attacks
DOS/POD Attacks
Firewalling Examples - Using Multiple Rules to do what YOU want!
Using Mangle
Chains
Using Marks
Packet Marks
Routing Marks
Connection Marks
Change TOS Bit / DSCP
Change MSS
Clear DF
Set Priority
Strip IPv4 Options
Performing Network Address Translation
Chains
Masquerading
PPPoE Client and other types of Tunnels and Masquerading
Inbound NAT
Outbound NAT
Performing a One-to-One NAT - Assigning a Public IP to a Private
Selective Port Forwarding
Inbound NAT with DHCP Public IP Address
Redirect
Interfaces
Ethernet
Switch Controls
Ethernet Speed and Negotiation / MDI-X
Virtual Ethernet Interfaces
Bridge Interfaces
Bridge Ports
Bridge Settings / Using IP Firewall
Virtual LAN (VLANs)
VLAN Configuration
Bonding
MESH
Switches and MESH
VRRP
Tunnels
EoIP
Bridging an EoIP Tunnel
IPIP
PPP System
PPP Secrets
PPP Profiles
PPP Active Connections
PPP Server
PPP Client
L2TP/PPTP Servers
Windows PPTP VPN Users
L2TP/PPTP Server Interfaces
L2TP/PPTP Client
Bridging PPTP
PPPoE Server
PPPoE Server Interfaces
PPPoE Server, Dynamic Routing and /32 Subnets!
PPPoE Client
OpenVPN
OpenVPN Server
OpenVPN Server Interface
OpenVPN Client
IPSec
IKE Domain
Choosing a Tunnel Type
Wireless and RouterOS
WIC - Wireless Interface Cards
Basic Configuration of Wireless Interface Cards
Wireless Tools
Air/Data Rates and Performance
Access Point Time
Bands
Wireless Operational Modes
AP-Bridge (P2MP Access Point) Mode
WDS-Slave Mode
Bridge (P2P Access Point) Mode
Station (Wireless Client) Modes
Security Profiles (Securing your Wireless Connection)
MAC Authentication
WEP (Wired Equivalent Privacy)
WPA / WPA2
Access Lists
Registration Table
Connection Lists
Area / Area Prefixes
Virtual Access Points
N-Streme
N-Streme Dual
Using WDS (Wireless Distribution System)
WDS Bridged Wireless Link
Static WDS Bridges
WDS Bridged Access Points
WDS Bridged Access Points - Dual Radios
WDS and 802.11n
Wireless Link Optimization / Best Practices
Keep it Simple First
Hardware Selection
Antenna coax and selection
Antenna Alignment
Find Possible Interference
Signal Issues
Secure your Link and Testing
Minimize Rate Flapping
Using Nstreme
Troubleshooting Wireless Links
Low Signal
Wandering/Fluctuating Signal
Bad CCQ
Traffic Control
Identifying Queue Data
Hierarchical Token Bucket - HTB
HTB Packet Flow
HTB Queue Tree Structure
HTB and Rate Limiting
Queue Types
FIFO Queues
RED Queues
SFQ Queues
PCQ Queues
Using PCQ
Queue Trees
Simple Queues
Limiting Total Throughput for IP or Subnet
Bursting
Creating Queue Priorities with Parents
Ensuring Bandwidth Allocations - VoIP
Creating Advanced Queues
Double Queuing
Large Transfer Queues
Setting Multiple PCQ Rates
Using Multiple Data Packages and PCQ
Controlling P2P (Peer-to-Peer) Traffic
Limiting / Changing P2P and the Consequences
Hotspots
Wireless and Hotspots
Paid Hotspots
Free Hotspots
RouterOS and Hotspots
Definitions
Setup of a Hotspot Interface in RouterOS
Configuration of Servers and Server Profiles
Hotspots with Radius
Internal Hotspot User Management
Using IP Bindings
Creating Walled Garden Entries
Viewing Hotspot Hosts and Active Users
Running multiple-subnets behind a hotspot interface
Running Dynamic Routing (RIP/OSPF) Behind a Hotspot Interface
Radius Client
Multiple Radius Servers
Troubleshooting Radius Client Issues
Nuts and Bolts
Accounting
DHCP Relaying
Neighbors
M3P - MikroTik Packet Packing Protocol
Pools
Socks
Clock
NTP
Client
Server
System Identity
Auto Upgrades
Logging
Reset Configuration
Scripting
Scheduler
Watchdog
Bandwidth Test Server
Bandwidth Test Client
E-Mail System
Using Fetch Commands
Graphing
Packet Sniffer
Streaming Packet Sniffer Data
TFTP Server
Traffic-Flow
UPnP
IP Scan
Web Proxy
Web Proxy Access List
Cache and Direct Web Proxy Tabs
Transparent Web Caching
Store System
MetaRouters
Dynamic Routing
If Installed vs. Always
RIP
OSPF
Changing Path Costs
OSPF Full Duplex Links
BGP
Aggregates
Instances
Peers
Networks
Routing Filters
The Dude NMS
Installation
Windows Installation
RouterOS Installation
Dude Agents
Installation of a Dude Agent
Dude Layout
Running a Server
Resetting Configuration
Menus and Options
Server Configuration
Configuration of Dude Servers
Dude Agents
Dudes Syslog Server
Dude Discovery Services
Admins
Charts
Devices
Device Options
Device Appearance
Files
Transferring Files within Dude
Links
Link Speed Setting
Logs
Network Maps
Map Settings
Adding Devices to your Maps
Working with Devices
Upgrades
Creating Links
Creating and Linking to Submaps
Notifications
Outages
Probes
Tools
User Manager
Hardware / License Requirements
Installation of User Manager
Configuration of User Manager
First Time Access
Understanding Concepts and Definitions
Basic Configuration Settings
User Sign-Ups
User Sign-In Page
Active Sessions
Vouchers
Command Line Interface
Quick Reference Guide
NetInstall of RouterBoard Products
NetInstall your Flash / DOM / Hard Disk
Creating a Active/Backup Bridged Auto-Fail Link
Setup Transparent Web Proxy System
Redirect Non-Paying Customer
Per Connection Load Balancing
Create a Private VPN
Appendix
Features Only Available via Command Line Interface
Index

What is RouterOS?

Simply put it is an infinitely configurable routing software package [1]. This software allows you to use common hardware to perform high-end routing applications. MikroTik creates this software, as well as many different hardware platforms to run the software on. These industrial hardware platforms give you many options including ultra low cost business and home devices, all the way to core routing functions of large Internet Providers and Enterprises.

So what can you do with RouterOS? It can do virtually anything when it comes to Internet Addresses and data traffic. In the world of IP routing, there is not much that RouterOS cannot do! Many routers and network devices will let you do certain functions. One device may be a PPPoE Server/Concentrator. Another device may control bandwidth and the way the data flows across your network. Then yet another device may do caching of the data that flows to save bandwidth. All of these devices can add up in costs, not only the upfront hardware costs, but the upkeep, the maintenance, and the professionals to understand each device.

RouterOS does all of the above mentioned features! With all of this power in one device, you can immediately see the cost savings just in the initial hardware costs. Business owners will take a look at a cost saving system that has the same reliability and performance that they are used to in more expensive hardware. In some cases, RouterOS devices and software can be less than one-quarter of the cost of a similarly capable device, and have more features than those more expensive devices.

[1] RouterOS contains many features, which make it have almost endless configurations.

How this Book is organized

There are two sections to this book.
The first section will teach you all about the features that RouterOS offers, and how they relate to different types of networks. You will learn about the feature, what it does and how it can help your network. The second track is a quick configuration guide. This lets you understand the components of the features, and puts them into an example for you.

RouterOS Hardware

RouterOS works on several different types of hardware. MikroTik produces their own hardware based on a single board computer approach, called RouterBoards. RouterBoards come in a number of different CPU types, number of Ethernet ports, wireless slots, memory configurations, and design types. RouterBoards can cost under $49 USD, and up to several hundred depending on the hardware. These devices are specifically created for RouterOS software, and even come with RouterOS already installed, licensed and ready to use.

RouterBoard Devices

To the right is a RouterBoard 433AH. This board includes a 680 MHz processor, three 10/100 Ethernet Interfaces and three M-PCI Slots. This unit also includes a Micro-SD slot for Web Caching and other storage functions, as well as Power-Over-Ethernet support, and a 9-pin Serial connection for console access.

MikroTik is constantly developing new products, so be sure to ask your MikroTik distributor, or sales channel about the latest products and where to use them. Experienced Engineers will know what board to use for what purpose. A big mistake many make is using underpowered equipment.

At the time of this writing, there are a number of board series in production. The RouterBoard Crossroads platform is a micro Access-Point or CPE, Client Premise Equipment. These units are low cost, and include a built in 400mw 802.11 b/g wireless radio card. This radio also is FCC certified with a number of antennas. This board works great as an indoor access point or a client radio.

MikroTik's current main RouterBoard is the 400 series.
A number of versions exist, the 411 includes a RouterOS Level 3 license, one Ethernet and one M-PCI slot. This is great if you wish to add your own radio card. The RouterBoard 433, as shown above, includes three Ethernet and Mini-PCI Slots. There are two versions though, a standard 433 and a 433AH. The AH includes an ultra high power CPU, at 680 MHz, and the added Micro-SD card. The standard 433 does not have the Micro-SD card slot, and has a lower speed processor clocked at 300 MHz.

Other versions include a mini-router, or RouterBoard 450 including five Ethernet ports, and a 493 Multiport Router. This unit includes nine Ethernet ports and three M-PCI slots. They make the 493 in both standard and AH versions, with the AH having the faster CPU just like the 433AH. However the 493AH does not include the Micro-SD card slot. MikroTik also has come out with a dual radio board, the 411AR, giving you the high power CPU and an integrated b/g radio card, but also gives you a radio card slot for future expansion.

The RouterBoard 600 is considered an Extreme Performance Access-Point, providing three Gigabit Ethernet ports as well as four M-PCI slots for wireless connectivity. This unit runs a network processor that is much faster than the Atheros CPU on the 400 series boards. This unit also contains two compact flash slots for storage needs. One could be used for Web Caching data, and another could be used to store Dude or User Manager Data. If you are looking to run 802.11N you will typically need to use this type of board as the 802.11N protocol allows for greater than 100 Megabit UDP throughput. Without the GigE interfaces, you will have a hardware limit at your Ethernet port.

For core routing, with four Gigabit Ethernet interfaces as well as a rack-mountable case, you can purchase a RouterBoard 1000 or 1000U. The U version is a rack-mountable model. This system is also based on a high performance network CPU running at 1333 MHz. You can also use compact flash storage cards, plus you have the ability to add more RAM via a SODIMM slot.
This unit also comes with a level 6 RouterOS license, included with the cost of the hardware.

These RouterBoards all contain an on-board NAND. NAND is basically Flash Memory, just like your USB Stick or Compact flash card. This is an on-board chip on the RouterBoard, giving the RouterBoards a non-removable flash memory area to load the Operating System, in this case RouterOS, on. Most of the RouterBoard products will have 64 Megabytes of NAND storage or more, more than enough for RouterOS, its configuration, as well as typical files associated with RouterOS.

You can find out more information about current MikroTik RouterBoard hardware, specifications, and details at http://www.routerboard.com.

Solar Power and RouterBoards

I have had quite a few requests on how to use RouterBoards with Solar systems. So I wanted to give you a few pointers. The key is power consumption; the newer RouterBoards, specifically the 400 series, are the most common boards used for solar powered sites. Most sites are powered by battery arrays at either 12, 24, or 48 volt. The 400 series of devices run from 10V to 28V DC power. When you install your RouterBoards with a long Ethernet run you will assume there is some voltage drop; you can do a web search on how to calculate this. If you are not doing a long Ethernet run, then 12 volt may work out for you. MikroTik also has an ultra-low wattage board, the 411R. This board only requires 5.6 watts of power and has an integrated b/g radio card.

If I had my choice, I would like to run 18-20V. The reason is that as the batteries drain, the voltage drops, and if you are running a 12 volt source, you will quickly drop below 10 Volts and the RouterBoards will stop running. If you wanted to use 48V, the RouterBoard will not take that voltage so that won't work either.

Some people have asked about using 24 volt solar systems. On a long Ethernet run this will work, but on a short run you have to take into consideration one other fact.
Most of the solar charging controllers will output 26.5 volts or higher, so when you are running on the 24 volt batteries, and then the solar array is charging them, the voltage is higher and we have seen the voltage spike higher than what the RouterBoards are designed for so they power off to prevent overvoltage. So I like to run a bit lower than 24 volt and a bit higher than the 12 volt systems as well. If your only choices are 12 and 24 volt, then run 12 volt!

Regardless, RouterBoards can run great on solar setups, consuming only 35 watts at max. A single car 12 volt battery can run a single board for several days without issues! Design the system correctly, and it can run for a long time! We have some solar deployed and have never had to mess with it other than to change batteries every few years.

X86 Based RouterOS Systems

The same software is available for x86 systems. X86 systems are the same hardware that common PCs and computers are based on. You can even load RouterOS on a basic computer, one that you may have in your home or office. Most of the features though, are based on a number of interfaces and with multi-port Ethernet cards and wireless cards on the market as well as available through MikroTik; you can make an x86 RouterOS system with little effort and at little cost.

There are design issues with building your own systems. If you understand bus limitations, speeds and IRQ conflicts and how these items affect overall system performance, then you can build your own systems using off the shelf hardware just like any other computer would, typically creating a high-performance system.

There are other companies out there as well; a simple Internet search will provide a number of results, which sell completed x86 systems with performance and reliability in mind. These systems are designed to use multiple bus channels, and high quality hardware to deliver the peace of mind.

One such manufacturer is Link Technologies, Inc. Their PowerRouter series of devices gives you out of the box, ready to run RouterOS Systems.
They are designed for high performance RouterOS routing taking into account bus speed limitations, and even adding multi-core processors to increase performance. These systems are designed to run a Routing Operating System. The PowerRouter 732, pictured above, includes seven Gigabit Ethernet ports, a Dual-Core CPU, along with options for SATA and SSD drives for storage. USB ports are also included for other data storage devices such as USB Memory sticks, as well as Cellular data cards. They offer this model in both AC and DC versions.

They also create an ultra high-end system, called the PowerRouter 2200 series. These systems can run up to Dual Quad Core Xeon processors, and can deliver up to 22 GigE Interfaces, including SFP interfaces that you can use Fiber modules with. These also sport dual hot-swappable power supplies as well.

Supported x86 Hardware

It's important to note that RouterOS does not use "drivers" in the same respect that most people know of. Most computer users are accustomed to installing an Operating System, and then they install drivers to make all of the hardware work. RouterOS is not like this. RouterOS contains all of the drivers that you will need right out of the main installation. MikroTik though, chooses based on popularity, usability, as well as what is in the latest Linux kernel to base what drivers to include with the installation package.

With that said RouterOS supports a wide range of Ethernet network adaptors, wireless interface cards, fiber interfaces, as well as 10 Gigabit interfaces. It supports a number of T1/E1 interfaces, Mini-PCI and PCI adaptors, 3G or cellular data card, and system boards. Before you start building your first RouterOS system, make sure you look at the supported hardware list. You can find that list by going to http://wiki.MikroTik.com/wiki/Supported_Hardware. This list is constantly updated by both MikroTik and RouterOS users.

With all of these options out there, sometimes it can be difficult to build your own system.
If there is a known RouterBoard or pre-designed system that is supported and tested with RouterOS, I would suggest purchasing these. The cost on these is typically minimal vs. the cost of router failures due to hardware failure. I have seen this many times, customers wondering why their system does not constantly run. I actually asked one customer what kind of hardware, and their response was, "When my Windows 98 computer was too slow for me, we put it on the shelf. Later, we needed a router, so we plugged it in and put RouterOS on it. When the power supply died in it, we replaced it, with one of our standard fifteen dollar power supplies."

As a wise man said, "You get what you pay for". I tend to agree with this, if you put a $15 power supply in a system and think it is going to run 24 hours a day 7 days a week for months or years without failure, then you need to rethink what business you are in. Get hardware that is supported, tested as well as designed for a long lifespan. Servers are built with higher grade components, power supplies, and better network cards typically, and this is why they tend to last longer. Same with your RouterOS x86 device. Don't skimp when you have to rely on it.

RouterOS Licensing

RouterOS has five different licensing levels. Several are designed for evaluation of the RouterOS software. License levels 3 through 6 are the most common licenses. These are paid licenses. Most level 3 and 4 licenses come with RouterBoard Products and other products designed to run RouterOS.
The level 5 and 6 are extended licenses designed for high end applications.

License Level            4           5           6
Price/Cost               $45         $95         $250
Upgradable               ROS v4.x    ROS v5.x    ROS v5.x
Wireless AP              Yes         Yes         Yes
Wireless CPE/Bridge      Yes         Yes         Yes
Dynamic Routing          Yes         Yes         Yes
EoIP Tunnels             No Limit    No Limit    No Limit
PPPoE Sessions           200         500         No Limit
PPTP Tunnels             200         No Limit    No Limit
L2TP Tunnels             200         No Limit    No Limit
OVPN Tunnels             200         No Limit    No Limit
VLAN Interfaces          No Limit    No Limit    No Limit
P2P Firewall Rules       No Limit    No Limit    No Limit
NAT Rules                No Limit    No Limit    No Limit
Hotspot Clients          200         500         No Limit
Radius Client            Yes         Yes         Yes
Web Proxy                Yes         Yes         Yes
User Manager Sessions    20          50          No Limit

The level 3 Licenses are designed for Client or CPE devices. These are for wireless CPEs, or customer equipment. Typically you would purchase a Level 4 license or a WISP license. This license is included with many of the 400 series RouterBoard products, as well as other x86 RouterOS products. There are no upgrades between licenses, so keep in mind the final usages. You can purchase another license and place it on-top of an existing license. An example of this may be that you have a hotspot that needs more than 200 active clients at one time. If this is the case, you can purchase another level 5 license, at full cost, and then apply it to the existing hardware.

Note that the licenses never expire, support an unlimited number of interfaces, and each license is for only one installation. The installation is based on the Disk Drive or storage device you use to install RouterOS on. You can install RouterOS on USB sticks, SATA and IDE Hard Drives, Disk on Modules or DOMs [2], as well as compact flash cards. You can move the storage device from one system to another, but not from one storage device to another. So you can move your compact flash card from one x86 system to another x86 system. You cannot move the license from the existing compact flash card to another. If you need a larger compact flash card, then you will have to purchase another license.

What is my Software ID?
The software ID is the ID number associated with your RouterOS installation. It uses the hardware, disk information as well as other methods to generate a software ID Key. This key is then used to generate a license upon paying or registering for a demo license.

What if your hard disk fails? MikroTik has the ability to replace a license for a nominal cost. You will need to contact them to receive a replacement key. They may need to know how or why the drive failed, and may request the drive before issuing a replacement key. In most cases though, it may be quicker and cheaper just to purchase another license.

Where is the license stored? RouterOS stores the license inside the MBR or the boot sector of your drive. Because of this, if you format the device with a non-MikroTik format utility, such as Windows format etc, YOU WILL LOSE YOUR LICENSE! However, MikroTik has thought of this for us, and has provided the NetInstall Utility. The next section will cover the Installation of RouterOS on many different devices.

[2] DOM or Disk on Module is a Flash disk that plugs into either a SATA or IDE port.

Extended Frequency Licenses

RouterOS also has the ability to add an extended frequency license, sometimes also called a custom frequency license. To determine if you have an extended frequency license, click on SYSTEM -> LICENSE. In the license window extended frequency shows in the features section. These license features allow RouterOS in conjunction with the right radio card, to operate in any frequency that the hardware can operate in. You will need to contact a reseller in your country to obtain this license feature [3]. Some may have special paperwork for you to fill out to obtain this license feature. However, if you have a license or can run in a band that is not normally allowed by RouterOS, you can obtain this license feature, install it and run on any frequency that the radio card supports.
Please see your reseller or distributor for costs associated with this license feature.

[3] Extended Frequency licenses override the country frequencies that are listed in the basic RouterOS configuration. This allows you to operate in a band or on a wireless frequency that is typically not allowed. Be sure to check local laws for regulations in your area.

Installation

Installation methods will depend on what hardware you are using. RouterOS can be installed on many different devices. These would include x86 computers, or RouterBoard products. RouterBoards typically come with not only the RouterOS software already loaded, but have a license installed as well. Contact your local distributor to find out what hardware comes with what license.

If you built your own PC and are planning to install RouterOS on it, then you have several choices for the installation. PC based installations can use NetInstall to load an IDE or SATA DOM, or possibly a USB stick or other form of flash card. Compact flash cards would be included with this. You can, though, use three other methods. NetInstall using a bootable network interface card or NIC is one method. Using a floppy is another, as well as a CD based installation.

For PC or x86 system installations, the recommended method is either NetInstall with a Compact Flash or DOM module, or the CD based installation method.

For RouterBoards, we have one installation method. Note that RouterBoards should come with an installation and a license; you typically will only need to use this method to either upgrade a device or to recover from a lost password. You can also reset the unit; see the "RouterBoard Reset" section. Quite a few of the RouterBoard products are put into static intensive areas, such as radio towers, and see lightning discharges near where the RouterBoard is installed, so there are times that the RouterBoard unit may stop functioning due to a NAND issue. A reload of the NAND via the NetInstall program will reload the OS and allow the unit to restart in some cases.
Keep in mind that if your hardware takes a direct lightning strike etc., the chances of it even powering on are slim. You may even need to look around for the pieces of the board.

Using NetInstall on RouterBoard Products

What you will need:
- Your RouterBoard device
- Access to the serial port on the RouterBoard device
- A null modem cable between your PC and the RouterBoard device
- An Ethernet cable from your network interface on your computer to the RouterBoard's Ethernet1 port
- The RouterOS NetInstall Utility, found on the MikroTik website
- The latest NPK file for your RouterBoard device
- Power supply for your RouterOS device as well; this can be either POE or you can use the power jack.

Before you start, you will have to download the right file, depending on the model of your RouterBoard. There are several CPU versions of RouterOS, and what RouterBoard you have will determine what CPU version of RouterOS you need. For instance, if you have a RouterBoard 400 series device, you will need the RouterOS version that supports the MIPSBE CPU. If you have a RouterBoard 1000, you will need the PowerPC processor version.

So let's get started:

First, make sure you can use a terminal program to connect to the serial port of your RouterBoard product. You should be able to power on the RouterBoard, and see the boot process in your terminal program. Some common programs that you can use would be Windows HyperTerminal, or Putty. You can download putty at
You can also do a web search as well to find download locations for Putty.

Second, you will need to configure a PC with a network cable running to ether1 of your RouterBoard product. You don't need a cross-over cable as RouterBoards are created with auto MDI-X ports to automatically cross over if necessary. It is possible to run through a switch, but this sometimes is problematic, so I suggest running a cable directly between your computer and the RouterBoard.

Third, on your computer, place an IP address of 192.168.0.1 with a subnet mask of 255.255.255.0 on the Ethernet interface.
You do not need a gateway or DNS servers. This may disconnect you from the Internet; however, we should have already downloaded all necessary files.

Fourth, ensure that your PC does not have any firewalls turned on or active and any active network defense software is disabled. NetInstall uses Layer 2 along with IP addresses that you identify; firewalls could block the requests from the RouterBoard and prevent the NetInstall Utility from running correctly. Anti-virus programs that have network or software firewalls, and other similar applications should also be disabled, removed or turned off.

Now open your serial port; RouterBoards typically operate at 115200 baud. You MUST use a null-modem cable! You can use USB to serial converters if you need to. When you open your serial port, you should see the login prompt if your board is started up. If you have not applied power to your RouterBoard, you can do so, and you should see the BIOS screen. During this BIOS screen, you should have an option to "press any key to enter setup". If you have already started your RouterOS and have a login prompt, you will need to unplug your RouterBoard, wait a few seconds, and then reapply power so that the RouterBOOT booter comes up and you have the option to enter the BIOS configuration.

The screen above is an example of the RouterBOOT BIOS. Note that you have the option to "Press any key within 2 seconds to enter setup". You will need to enter the BIOS setup.

[Screenshot: RouterBOOT setup menu]

Once you enter the RouterBOOT or BIOS of the RouterBoard, you will need to finish setting up your PC. Start your NetInstall Utility.

[Screenshot: NetInstall Utility window]

This utility will allow you to install via Netbooting of your RouterBoard.
It will use your Ethernet cable to boot your RouterBoard, and enter an installation mode. Then you can select your installation package, or NPK file, and finish the installation.

Next, select your Net booting button:

[Screenshot: NetInstall network booting settings, with the Boot Server enabled checkbox and the Client IP address field]

Here, enter the IP address that you wish to give your RouterBoard's Ethernet1 interface upon Netbooting. Remember, before we entered 192.168.0.1 as our IP on our PC. Just like any other IP based device, we need to make sure the IP that we give our RouterBoard is in the same subnet as our NetInstall PC. My suggestion would be to use 192.168.0.2 and press OK.

Once we have the installation server ready by using the NetInstall Utility, we need to tell our RouterBoard to boot from the Ethernet interface. From where we left the terminal window, in the BIOS there is an option for Boot Device. The option to select this is o.

Upon selecting o, we have a number of other options. Typically your RouterBoard will boot from its NAND or its on-board flash memory. Since this is not working, or you don't want to load the existing version of RouterOS, we need to boot from another device. You can typically select 1 to boot from Ethernet once, and then boot from the NAND. I say typically, as your results may vary and if it's your first time, you might have to try the installation server a few times to understand its ins and outs.

If you select 1, then you have one time to boot into the installation server mode; after that, it will continue booting to the NAND. This is usually what you want, as you want to boot via Ethernet, load the installation server, install RouterOS, and then it will reboot using the NAND and finish loading the OS.
Another option would be to just boot over Ethernet; however, once your installation is complete, you will have to go back into the BIOS and select to boot from the NAND to finish the installation.

Once you choose your boot device (remember we need Ethernet at least once to start the installation program), hit x to exit the BIOS setup on the RouterBoard. This will cause your device to reboot; you should see the BIOS screen again, but this time, do not press any key to stop the board from booting.

You should see the RouterBoard trying bootp protocol to boot as shown above. Within a few seconds you should see the IP you put into your NetInstall Booter program; it should transfer the installation software, and come up with the MikroTik Router Software Remote Installer.

[Screenshot: terminal showing the MikroTik Router Software Remote Installer waiting for the installation server]

It is now waiting for the installation server; next we go back to our NetInstall Utility as the RouterBoard is waiting for input.

[Screenshot: NetInstall Utility showing the detected RouterBoard and the package list]

Note that we now have a device, typically labeled nstreme, along with its MAC address. This is the RouterBoard, and it's waiting for installation.
We then use the browse button under the packages section and find the location where our NPK installation file is at. Upon selecting the folder, we can then check the box with the proper installation file and version. You may only have one file in this box, as it's the only one you may have downloaded.

Once you have the package selected, you have a few other options. In the upper right corner, you can select to keep old configuration; this will keep the existing configuration, but write over the RouterOS operating system. It WILL NOT remove any passwords on your system. You also have the option of specifying the default baud rate for the serial port, or including a configuration script.

Once you are ready to do the installation, simply press the Install button!

The NetInstall Utility will then format the disk, in this case it will be the NAND of the RouterBoard, and perform the initial installation of the RouterOS installation package. Once this is complete, you can press any key and the RouterBoard will reboot. If you selected to boot from Ethernet once, and then the NAND, upon rebooting, it will finish the load of RouterOS. If you selected Ethernet only, it will come back to the installation server, unless you go into the BIOS and set it to boot from the NAND.

Above, the system has restarted, booted from the NAND, generates the SSH keys, and starts the RouterOS services. At this point, you have a working RouterOS system!

DOM / Flash Card / Hard Disk Installation via NetInstall

RouterOS installation via NetInstall is very similar to the NetInstall installation of RouterBoards, but it is simpler! For your flash card, you will need some form of reader. I commonly use Compact Flash cards, and use a simple USB flash reader. If you are using a DOM module or hard disk, you will need to install this like any other device inside your PC. Of course, you will need your PC's BIOS to recognize it.
If you can, start by formatting it via Windows; this will ensure that it is working prior to using the NetInstall Utility. Remember though, if you format an already licensed drive with anything BUT NetInstall, you WILL LOSE YOUR LICENSE.

Once you have the disk ready to go, start your NetInstall Utility. Just like with the RouterBoard products, you will need the NPK file that goes with the system you are installing. Chances are this will be an x86 system, so you will need the x86 version of RouterOS NPK. You can download this along with the NetInstall Utility right from Mikrotik's webpage.

[Screenshot: NetInstall Utility listing removable media drives while a package is being uploaded]

Uploading Files

Getting files into the file system of RouterOS is simple. You can use the FTP service to upload or download files as needed. But RouterOS and your WinBox application is smarter than that. You can simply drag and drop files from a folder on your desktop, etc., right into the file list window!

Below, you can see that we have uploaded an .npk file. This is a MikroTik package file that allows your RouterOS to either install or upgrade the OS or packages. You can simply drag and drop it from your file system right into the file list window.

[Screenshot: WinBox File List window]

[Screenshot: terminal showing the command export file=export]

Once you export the file, you can go to the file listing, and see that there is an export.rsc.

[Screenshot: file list showing export.rsc as a script file]

Now you can take this file, just like a backup file or other files, and download it in WinBox.
If you open this file, in any text editor, you will see

    /interface bridge
    add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
        comment="" disabled=no forward-delay=15s max-message-age=20s mtu=1500 \
        name=bridge1 priority=0x8000 protocol-mode=stp transmit-hold-count=6
    /interface ethernet
    set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes \
        mac-address=00:0C:42:32:22:17 mtu=1500 name=ether1 speed=100Mbps
    set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
        "" disabled=no full-duplex=yes mac-address=00:0C:42:32:22:18 master-port=\
        none mtu=1500 name=ether2 speed=100Mbps
    set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
        "" disabled=no full-duplex=yes mac-address=00:0C:42:32:22:19 master-port=\
        none mtu=1500 name=ether3 speed=100Mbps
    /interface vlan
    add arp=enabled comment="" disabled=no interface=ether2 mtu=1500 name=\
        vlan100.2 vlan-id=100
    add arp=enabled comment="" disabled=no interface=ether3 mtu=1500 name=\
        vlan100.3 vlan-id=100
    /interface wireless security-profiles
    set default authentication-types="" eap-methods=passthrough group-ciphers="" \
        group-key-update=5m interim-update=0s mode=none name=default \
        radius-eap-accounting=no radius-mac-accounting=no \
        radius-mac-authentication=no radius-mac-caching=disabled \
        radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
        static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
        none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
        static-sta-private-algo=none static-sta-private-key="" \
        static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
        none tls-mode=no-certificates unicast-ciphers="" wpa-pre-shared-key="" \
        wpa2-pre-shared-key=""

This is the command line representation of the programming and configuration that you have on your RouterOS. You can take sections of this,
and paste them into the terminal window to copy configuration. Doing this for the entire script will not work. However, since you can read the configuration, you can use this to base other configurations and/or reconfigure other units.

Importing Scripts

Once you get real good at reading and doing command-line interfaces, you can start creating scripts, or RSC files that you can bring right into RouterOS. You will need to create this file, and of course test and test again. Once you have it just the way you want it, then go ahead and upload the file. Of course you can simply paste it right into the terminal window, but you can also import the file in the command line. To use this feature, you simply type import filename. You will need to be at the root in the command line interface for this to work.

[Screenshot: terminal showing "Opening script file export.rsc" and "Script file loaded and executed successfully"]

Just like with other routing systems, you have logging capabilities. You will use this to review access to the router, changes and even show packets that you may be dropping or changing. We also have options to send your logging data out to a Syslog server, like the one contained in Mikrotik's The Dude application, or other standardized Syslog servers. Debugging information also can help you diagnose issues, such as Radius, and hotspot.

To access your log in WinBox, simply click Log on the left menu.

[Screenshot: WinBox Log window]
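Because an export.rsc file is plain text, it can be reviewed offline before it is imported into another unit. The following is an added example, not from the book and not MikroTik code: a small Python parser for the export layout shown earlier (menu path lines, add/set lines, backslash continuations) that flags three settings this book touches on. The sample export is constructed, and the VRRP and PPTP server lines in it, along with the treatment of a missing VRRP authentication value as none, are assumptions.

```python
import re

# Constructed sample in the export.rsc layout; the VRRP and PPTP server
# lines are assumptions added for the demonstration.
SAMPLE_EXPORT = r'''
/interface wireless security-profiles
set default authentication-types="" group-ciphers="" mode=none name=default \
    supplicant-identity=MikroTik wpa-pre-shared-key="" wpa2-pre-shared-key=\
    ""
add authentication-types=wpa2-psk mode=dynamic-keys name=office \
    wpa2-pre-shared-key="constructed example key"
/interface vrrp
add interface=ether1 name=vrrp1 priority=100 vrid=1
add authentication=ah interface=ether2 name=vrrp2 password=constructed vrid=2
/interface pptp-server server
set authentication=pap,chap,mschap2 enabled=yes
'''

CONTINUATION = re.compile(r'\\\r?\n[ \t]*')        # trailing "\" joins lines
PATH_LINE = re.compile(r'^(/[^=]*?)(?:\s+(add|set)\s+(.*))?$')
KEY_VALUE = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_export(text):
    """Return (menu_path, verb, target, params) for every add/set line."""
    text = CONTINUATION.sub('', text)
    entries, path = [], ''
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):
            m = PATH_LINE.match(line)
            if not m:
                continue
            path = ' '.join(m.group(1).split())
            if not m.group(2):          # a bare menu path line
                continue
            line = m.group(2) + ' ' + m.group(3)
        verb, _, rest = line.partition(' ')
        first = KEY_VALUE.search(rest)
        # "set default ..." or "set 0 ...": the item named before any key=value
        target = rest[:first.start()].strip() if first else rest.strip()
        params = {k: v.strip('"') for k, v in KEY_VALUE.findall(rest)}
        entries.append((path, verb, target, params))
    return entries


def audit(entries):
    """Flag unencrypted wireless profiles, PAP, and unauthenticated VRRP."""
    findings = []
    for path, verb, target, p in entries:
        name = p.get('name') or target or '?'
        if path == '/interface wireless security-profiles' \
                and p.get('mode') == 'none':
            findings.append(f'wireless profile {name}: mode=none, no encryption')
        if path.endswith('-server server') \
                and 'pap' in p.get('authentication', '').split(','):
            findings.append(f'{path}: PAP is enabled, credentials sent in clear')
        if path == '/interface vrrp' and verb == 'add' \
                and p.get('authentication', 'none') == 'none':
            findings.append(f'vrrp interface {name}: no authentication')
    return findings


if __name__ == '__main__':
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print(finding)
```
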

Now, once you have your mesh interface up and running, simply add your mesh ports. You can add Ethernet interfaces as well as wireless interfaces. You can also add bridge interfaces if you wish to. I typically will not use the bridge interface because I want the mesh to take care of everything. Also, you can set the port type if you wish; however, RouterOS is really good with the auto type. This will allow you to set up the type of port that it is, either an Ethernet, wireless, or WDS.

As the mesh builds, it will determine different MACs and devices. As it builds it creates a FDB, for forwarding database. This will label devices as outsiders if they are not part of the mesh network. These may be clients etc. Local types are the MACs that belong to the local device. Direct types are MACs that are a wireless client on an interface that is in the mesh network. You will also have MESH MACs. These are devices that are reachable over the mesh network. It may be either internal or external to the mesh system though. MACs that are another mesh router directly connected to your router are called neighbors. Unknown MACs are addresses that belong to an unknown device and if that device is reachable over the mesh network, then they are changed to a larval device, but are still unknown.

The mesh system is not real difficult to manage or to run; the whole point of it is a self aware layer 2 bridged network with many interconnection points. If one link fails, it will reroute around the failed link. This will also give you the best routing of data to its end point, thus making it better than RSTP as it's only for loop prevention. It calculates the best route by simply using the link metrics. Think of OSPF, just for a layer 2 network. However, with WDS links, the metric is updated dynamically depending on actual link bandwidth. This is influenced by wireless signal and the current data transfer rate.
The idea is that it will use the better quality links first, before the lower quality links.

Switches and MESH

Just like anything good, there are a few configurations that you will have issues with. One of them is by simply placing a switch between two mesh nodes. Hubs do not have this issue, but the end result is that the switch can cause data to be lost and devices not to get their data. I have found the best way of getting around this is to use a RouterBoard 493 and simply set all of the ports as mesh ports. This will allow the mesh to use this node as a mesh device and prevent the lost MAC issue that can occur with a switch.

VRRP

VRRP or Virtual Router Redundancy Protocol is an RFC standard protocol that is used to combine several routers into a Virtual Router Group, or VR. This group's purpose is to have router redundancy. Each of the Virtual Router Nodes will have a virtual IP configured along with a virtual MAC address. One of the nodes will have the virtual IP as its real IP. This node will be the owner, and will only be replaced if the power becomes unavailable. The other routers will be backups; when they do not see a number of broadcasts that normally come from the owner at the advertisement intervals, they start an election process and one of the backup routers becomes the master router, assuming that virtual IP as their own.

Before we configure VRRP, it is important to understand how this system works and what its limitations are. The reason I say this is, typically when I thought about using VRRP, I ended up using dynamic routing to route around a failed interface or router. This typically works better, and allows you more options. But, there may not be an ability to do this in your network design etc., hence, VRRP.

[Screenshot: New Interface dialog, VRRP tab, with fields Interface, VRID, Priority 100, Interval 1, Preemption Mode and Password]

So to configure VRRP, you have to create a VRRP interface; this is done on the interface menu. Click Interfaces -> Add -> VRRP. This will start you off with a new interface.
The VRID is your Virtual Router ID number, and you will also need to set up a priority if you wish to have one router to be primary and secondary. I would also suggest using some form of authentication. Also, you will need to have the same interval on all of your routers, otherwise other routers will ignore the received advertisement packets and it simply will not work.

There are three types of VRRP routers. The Master is the router that is currently being used as the IP. It would be the unit that you would be using to go through normally. The backup, of course, is the backup unit, and you can have multiple of these if you wish. When the master is no longer available, then the backup router with the highest priority will become the new master. Now, if the original unit comes back online, if it has a higher priority, it will automatically become the new master, so your traffic will switch over to that higher priority unit. You may not wish this to occur, so you can turn on Preemption mode.

The Preemption mode ignores higher priority routers and does not switch over just because a higher priority backup router comes on-line. But the third type of VRRP router is an owner. An owner router is by default the master router. The owner needs to have a priority of 255 and its virtual IP is the same as its real IP. It will own the IP address. When this unit comes back on-line, regardless of the preemption mode, it will become the master.

So since you created a VRRP interface, you will need a virtual IP. Well this IP is going to be placed on the VRRP interface, but you will need to have a /32 on it. What you will do is create a real IP; this is the IP that the routers communicate between on. This IP would be 172.25.0.1/24 on ether1. Your backup router would be 172.25.0.2/24. Then you would configure your VRRP IP, the virtual IP. This will be placed on the VRRP interface, and the IP address would be something like 172.25.0.254/32.
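Why a mismatched interval or authentication setting makes a router ignore its peer's advertisements is easiest to see in the checks a receiver applies. The following is an added example, not from the book and not RouterOS code. It assumes the VRRPv2 packet layout of RFC 3768 with the simple-text password type of RFC 2338, and the VRID and password values are constructed.

```python
import hmac
import ipaddress
import struct

VRRP_V2_ADVERT = (2 << 4) | 1      # version 2, type 1 (advertisement)
AUTH_NONE, AUTH_SIMPLE = 0, 1      # simple = 8-byte password sent in clear text


def inet_checksum(data):
    """16-bit one's complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pad_password(password):
    return password.encode()[:8].ljust(8, b'\x00')


def build_advert(vrid, priority, interval, vips, auth_type=AUTH_NONE, password=''):
    """Build the VRRP payload a master would advertise (in memory only)."""
    body = b''.join(ipaddress.IPv4Address(v).packed for v in vips)
    body += pad_password(password if auth_type == AUTH_SIMPLE else '')
    head = struct.pack('!BBBBBB', VRRP_V2_ADVERT, vrid, priority,
                       len(vips), auth_type, interval)
    csum = inet_checksum(head + b'\x00\x00' + body)
    return head + struct.pack('!H', csum) + body


def check_advert(pkt, ip_ttl, cfg):
    """Receiver-side validation; any failed check means the packet is dropped."""
    if ip_ttl != 255:              # 255 proves the sender is on the local link
        return False, 'IP TTL is not 255'
    if len(pkt) < 8:
        return False, 'truncated'
    vt, vrid, _prio, count, auth_type, interval = struct.unpack('!BBBBBB', pkt[:6])
    if vt != VRRP_V2_ADVERT:
        return False, 'not a VRRPv2 advertisement'
    if len(pkt) != 8 + 4 * count + 8:
        return False, 'bad length'
    if inet_checksum(pkt) != 0:
        return False, 'bad checksum'
    if vrid != cfg['vrid']:
        return False, 'VRID not configured here'
    if auth_type != cfg['auth_type']:
        return False, 'authentication type mismatch'
    if auth_type == AUTH_SIMPLE and not hmac.compare_digest(
            pkt[-8:], pad_password(cfg['password'])):
        return False, 'password mismatch'
    if interval != cfg['interval']:
        return False, 'advertisement interval mismatch'
    return True, 'ok'


def master_down_interval(priority, interval):
    """Seconds of silence before a backup takes over (higher priority is sooner)."""
    return 3 * interval + (256 - priority) / 256


def virtual_mac(vrid):
    """The shared MAC that answers ARP for the virtual IP."""
    return '00:00:5E:00:01:%02X' % vrid


if __name__ == '__main__':
    cfg = {'vrid': 1, 'auth_type': AUTH_SIMPLE, 'password': 'example', 'interval': 1}
    for secs in (1, 3):
        pkt = build_advert(1, 100, secs, ['172.25.0.254'], AUTH_SIMPLE, 'example')
        print(secs, check_advert(pkt, 255, cfg))
    print(virtual_mac(1), master_down_interval(100, 1))
```
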
Your default gateway on your network would be the .254, but the other IPs would ensure that the two VRRP routers can communicate on the network.

Testing this is simple: by unplugging the master router, you will note that the IP and gateway do not change, nor does the ARP entry for the .254 or virtual IP. The second router simply uses the same MAC and IP. Another consideration that you will need to understand is that the backup router needs to have the right configuration on it for it to route, send data, etc. Just because the IP is still reachable does not mean that it will just continue to work.

Also, keep in mind that if you have a router that you wish to serve as a backup router, you will need to have all of the IP addresses on all of your interfaces set up with VRRP. You will also need to copy the configuration from your primary unit often to ensure you have the same configuration on the backup router. Then if your primary router completely goes off-line, your backup will work for you. You will need to put some thought into what happens if one interface goes down on your primary router and not the entire router as well!

Tunnels

RouterOS offers many different types of tunneling options. Some of these you can bridge and some you cannot. Tunnels that you can bridge are Layer 2 tunnels. My experience though, shows that you will always have a better performing network if you use layer 3 tunnels. These tunnels you will route through, thus reducing network overhead and broadcast domains. Also, these provide routing abilities, so you can really control traffic on each segment, provide queuing, and traffic shaping as well as QoS.

Some tunnels also encrypt traffic, and that encryption can be simple or very advanced. RouterOS can do from MPPE 128 stateless encryption, very common for home VPN connections, to AES-256 bit encryption. Some of the tunnels though, do not encrypt traffic or have an option not to encrypt traffic. I use a rule of thumb to keep encryption to a minimum; this also keeps the load off of your RouterOS CPU as well.
An example would be for most site to site traffic, which does not deal with private personal data and/or credit card information; I would suggest just using the MPPE 128 encryption. Typically this provides enough encryption to keep that private data private. If you are transmitting credit card information, first it should be encrypted by whatever method you are transmitting it before it hits any types of tunneling, but you may wish to bump that up to something like 3DES or AES-128. But if you want the most encryption you can get, you can do an IPSec tunnel inside an encrypted L2TP tunnel. So, you encrypt with AES-256 or 3DES, and then hit the tunnel, that encrypts the already encrypted data with MPPE 128.

EoIP

EoIP or Ethernet over IP tunnels are proprietary to RouterOS. These give you a very quick, unsecured method of creating a Layer 2 tunnel. To create an EoIP tunnel, you simply need two MikroTik systems that can communicate directly to each other. EoIP will use IP Protocol 47, more commonly referred to as GRE, for the communication between the two sites. EoIP is not a replacement for WDS in wireless bridging as well.

[Screenshot: New Interface dialog for an EoIP tunnel, with fields Name, Type, MTU 1500, ARP enabled and Tunnel ID 0]

Even though EoIP is not encrypted, it can run on top of other tunnels. An example would be an encrypted MPPE 128 bit PPTP tunnel, as well as any other connection that uses TCP/IP. To use a PPTP tunnel, first set up a PPTP tunnel and set it to use encryption. Now create your EoIP tunnels, and use the remote address of the PPTP interface on both ends. This will force the tunnel to go through the PPTP tunnel, thus encrypting it. This method does work; however, look in the PPTP section, as you can now simply bridge the PPTP interfaces vs. setting up two tunnels.

To create an EoIP tunnel click Interfaces -> Plus Sign -> EoIP Tunnel. This will create a new interface that you can apply filters, queues, and set up routing on. The only two items that you need in the interface settings are your Remote address, this would be the remote IP address of the remote end, and the tunnel ID number.
This number must be the same on both ends. Once you create the two ends, you have a tunnel. You can at this point place IPs on each end and set up routing, as you can route across an EoIP tunnel if you wish, but most people would use it for what it is intended for, and that is bridging it.

One thing that I want to point out, and one reason I do not use EoIP tunnels much, is that the interface, regardless of its actual status, always shows running. This means that you will not have a state change, or other identification that shows that the interface is down. It never goes down, and hence, anything that is based on the interface never changes or fails over due to this fact. Also, unless you pass data to the other side you will not know if the link is working or not.

Bridging an EoIP Tunnel

Creating a bridge on an EoIP tunnel is super easy. Since the interface was designed to be a bridge, you will only have to add it to a bridge group to bridge it. In the example to the right, you will see that an EoIP tunnel interface is in the same bridge group with an Ethernet port.

[Screenshot: bridge port list]

One major issue that you may have with EoIP links is MTU. Typically when you bridge Ethernet across the Internet, if you have a good Ethernet connection, you won't have issues; however, if you go through things like a PPPoE client, you may have to adjust the packet sizes of your tunnel. By default your tunnel MTU will be 1500, and this is fine for Ethernet, but not over the Internet. MTU issues are often difficult to troubleshoot. Common signs are HTTPS and other very specific websites not working (assuming you are going through the EoIP tunnel to get to the Internet) as well as large ping packets not getting through. To fix this, you will simply need to change the MSS size on large packets to be smaller than the max MTU that the devices between your two routers can support.

IPIP

[Screenshot: New Interface dialog for an IP tunnel, with fields Name IPIP1, Type IP Tunnel, MTU 1480, Local Address and Remote Address]

IPIP is IP inside IP.
It simply encapsulates IP packets inside other IP packets. IPIP, unlike EoIP, is a standardized tunnel type and used by other router vendors. IPIP like EoIP is very simple to set up and can run inside another tunnel if you require encryption, but does not offer encryption by itself. IPIP also does not show an interface state. Once you create the interface, it will always show as up regardless of the other side of the tunnel. You will have to implement other kinds of checking, such as pinging or ARP, to verify that this tunnel is running.

To create the IPIP interface, click on Interfaces -> Plus Sign -> IP Tunnel. Once you get the new interface screen up, you will have two IP addresses. One is the local IP address of your router. Typically this IP is the IP address of the closest interface to the remote router. This could be any address on that interface though. The remote address is the IP address of the remote router. Once you create both ends, I would place IP addresses on them, and ping across the tunnel to verify its operation. You will need to route data across the IPIP tunnel as it is not designed to bridge.

PPP System

RouterOS offers a full PPP Server/Client system. This Point-to-Point system includes other protocols as well, such as PPTP, L2TP, PPPoE, and even OpenVPN. The PPP system is a package that is installed by default; this package supports PPP, PPTP, L2TP, PPPoE and even ISDN PPP. It also supports the PPP Server and Client. To access the PPP system, click PPP in WinBox.

[Screenshot: WinBox PPP window, with tabs Interface, PPPoE Servers, Secrets, Profiles and Active Connections, and buttons PPTP Server, L2TP Server and OVPN Server]

As you can see we have quite a few options here. The important thing here is that there are a number of tabs that are common to several different systems. The secrets, profiles and active connections tabs are all shared by the PPP system and each of the protocols will share these.
The PPP system uses four authentication modes as well, depending on the protocol and service.

What is important to note is that the PAP method is not encrypted or secured; when in doubt, disable this method.

PPP Secrets

[Screenshot: PPP Secret dialog, with fields Name, Password, Service, Caller ID, Profile, Local Address, Remote Address, Routes, Limit Bytes In and Limit Bytes Out]

The PPP Secrets section is for the creation of PPP shared user accounts. These accounts are basically a local authentication database for the PPP protocols. These accounts have many options that you can set up: what username/password they have, what service they

[Screenshot: Dude server settings]

The server tab is very important. This controls the remote server as well as the web server application. The default is to allow remote connections to your Dude server. These connections are other Dude clients attempting to connect to the Dude server. The web server portion allows you to access the basic Dude information, device up/down status and maps on a web server port. I use the web server portion to allow users access to maps etc. as well as up/down status for devices, but I don't want them to edit data or have to install the Dude client software. I have used this very successfully with call centers to allow their agents to check on network status with a click of a button vs. again, having to have that client software loaded on each PC.

Dude Agents

[Screenshot: Dude tool settings dialog]

The tools pane allows you to add and control tools that you can access by right clicking the device. There are a number of built in tools, including WinBox, telnet, snmpwalk, etc.; however, one tool that I have found useful is MSTSC, or terminal services. I do use Dude to monitor Windows servers and having the ability to right click on the device and term serv right into the server makes it very simple.

MSTSC uses a command line of MSTSC /v:address. So it is very simple to build this tool. I click the plus, to add a new tool, and then give it a name.
Now I simply enter the command line, along with the address variable. If you wanted to build an SSH tool, simply add another tool, name it, and then make sure the SSH application is in your path, or you will need to specify that path. In my case, I use putty. So, my command line would be very simple: putty address. That's it. If you have other tools, you can enter them here, whatever you think would help you, assuming that there is a command line interface for it.

User Manager

Recently MikroTik has developed a system called User Manager. The main purpose for this was to eliminate the bulky and slow database system inside RouterOS and provide a fast and efficient way to run large user databases. As time went on, User Manager grew to a much slicker system. The common use for User Manager now is as a RADIUS server, user management and payment gateway for hotspot systems. Even though it could also be used for other RADIUS purposes, this is the most common usage that I use User Manager for. On top of that, the User Manager system comes with your RouterOS license!

Using User Manager as a hotspot gateway allows users to create a user account, pass through some type of payment gateway, and then come back and use the username/password they created to log in. Typically this is used in a hotspot environment, allowing users to pay for Internet access time and get on the Internet without administration intervention or action. There are other systems out there, but for the cost you can't go wrong using the User Manager system. Did I mention it's FREE?

Hardware / License Requirements

User Manager has to run on a RouterOS system, so you have to have some form of license.
It is important to note here that there are license restrictions to the number of users that User Manager will allow you to run.

License Level    Number of Active Users
3                10 Users
4                20 Users
5                50 Users
6                Unlimited

For the installations I do with RouterOS and User Manager as a hotspot payment gateway, I will use a Level 6 license. Other factors, though, also play into the hardware that I select for the installation of User Manager. The minimum hardware that I will use is a RouterBoard 433AH. There are some reasons for this: one is RAM, as you need at least 32 Meg of RAM for User Manager, and the second is disk space. Even though the 493AH has a sizable NAND, I prefer to be able to use external storage, so I go with the 433AH board with an add-on 2 Gig Micro-SD card. If you are interested in the exact hardware I use for User Manager installations with under 200 active users, I would suggest visiting my homepage at http://www.linktechs.net. There you will find the PowerSpot 400 system. This is a completed 433AH with the Micro-SD card installed and formatted, User Manager installed on the Micro-SD card, and a Level 6 RouterOS license installed.

Once you go over the 200-300 user mark, I would suggest going with a RouterBoard 1000 or PowerRouter 732 to ensure that you have fast user lookups. Having fast response times is critical in some cases, so make sure you are not overtasking your hardware. I also typically do not put both the User Manager software running RADIUS and a number of users on a 433AH along with having that 433AH performing my routing, hotspot server etc. If it is just for a single site with a few Meg of throughput, then this may be fine as long as the number of users does not get higher than 50 or so active at one time.

At the time of the book, User Manager is still in v3 for production; many things have already changed to increase your options and customizability in v4 beta.
Since it is not production, I have not included its settings in this book.

Installation of User Manager

[Screenshot: user-manager 3.25]

Installing User Manager is as simple as adding another package to RouterOS. I would ask you to refer to the package installation procedures in this book to understand how to do this. Simply put, though, drag and drop the User Manager .npk file into your RouterOS system, and reboot your router. Upon rebooting, you should see the User Manager package installed.

Configuration of User Manager

First Time Access

To access your User Manager system for the first time you will need to verify that the WWW service on your RouterOS system is running. You will also need to verify the port. The default in RouterOS is port 80, and the service is enabled. If this has not been modified, then you can simply open your web browser to http://ipaddress/userman for the admin interface. The default username/password is admin and admin.

Credits say how much time the end user receives if they pay xx amount. Remember that in the time field, there is no m for month, so if you wish to give a month of access you will need to use 4w, for four weeks. The full price is the price that the user will pay upon creating their initial user account, and the extended price is the price to add time to their existing account. So if you wish, you could give existing users a discount.

[Figure: Configuration of Credits]

Now that you have all of the necessary information inside your User Manager, you should be able to have a user get to the sign-up page and sign up for an account, pay online, and then come back to sign in and use the Internet!

User Sign-Ups

For users to sign up for service, they will need to follow a link from your splash page to get them to create an account. The signup link is as follows:

http://urlorIPofUserManager/user?signup=publicID

When users click the sign-up link from your splash page, this is where they should be taken; remember that you will need to allow this URL and/or IP in your walled garden.
This page will allow your users to enter their e-mail address, create a new login and password, and select how much prepaid time they wish. Since this system has authorize.net configured, they will pay with a credit card.

Next they will click the sign-up button. This will take the user to a page that will remind them to remember their username and password, with a button to pay with credit card. In this process it is not sending data to authorize.net and delivering the customer to authorize.net for payment.

User Manager does not process or store credit card information. It passes them off to the respective websites for your payment processor, and they process and take the credit cards over secure HTTPS sites. There is typically no need for you to have your own SSL as you never take personal information.

User Sign-In

The users also have a page where they can sign in and update their account, and add more time. This page is http://ipaddress/user.