MikroTik RouterOS PC MikroTik RouterOS ISP x86 PC 586PC MikroTik
AP MikroTik RouterOS RouterOS
RouterOS RouterRoard Interface Ethernet IP ARP Route Network
DHCP Graphing Mangle Firewall Filte Queue NAT
-2-
www.mikrotik.com.cn
DNS DNS Bridge (VRRP) HotSpot EoIP PPTP IPsec PPPoE VLAN web log
IP RouterOS User Manager Webbox
TCP/IP
Firewall NAT P2P NAT MAC IP ICMP IP TCPMSS ToS ...
(); RIP v1 / v2, OSPF v2, BGP v4 IP PCQ, RED, SFQ, FIFO ;
Peer-to-Peer HotSpot HotSpot RADIUS HTML iPass SSL PPTP, PPPoE L2TP
PAP, CHAP, MSCHAPv1 MSCHAPv2 RADIUS MPPE PPPoE PPPoE
-3-
www.mikrotik.com.cn
IPIP EoIP (Ethernet over IP) IPsec IP AH ESP Proxy FTP HTTP
HTTPS SOCKS DNS static entries; DHCP DHCP DHCP DHCP ; DHCP DHCP
RADIUS VRRP VRRP UPnP NTP GPS Monitoring/Accounting IP HTTP SNMP
M3P MikroTik MNDP MikroTik CDP Tools - ping; traceroute; bandwidth
test; ping flood; telnet; SSH; packet sniffer; DDNS
Wireless - IEEE802.11a/b/g wireless client APNsetreme Nstreme2
(WDS) AP 40 104 bit WEP; WPA pre-shared key ; RADIUS (wireless
);
Bridge STPMAC NAT VLAN - IEEE802.1q Virtual LAN VLAN VLAN
Synchronous - V.35, V.24, E1/T1, X.21, DS3 (T3) sync-PPP, Cisco
HDLC, ; ANSI-617d (ANDI or annex D) Q933a (CCITT or annex A) LMI
Asynchronous PPP dial-in / dial-outPAP, CHAP, MSCHAPv1 MSCHAPv2
RADIUS modem 128 ISDN - ISDN dial-in / dial-out; PAP, CHAP,
MSCHAPv1 MSCHAPv2 RADIUS Cisco HDLC, x75i, x75ui, x75bui
CPU 100MHz i386 RAM 32 MiB, 1 GiB; 64 MiB ROM ATA/IDE USB SATA
(SCSI RAID ;) 64 Mb Flash ATA
MIPS RouterBOARD 500 (532, 512 511) RouterBOARD 100
(133133c150192) RAM 16MiB ROM NAND 64Mb
PPC RouterBOARD1000RouterBOARD600RouterBOARD333
RouterOS Windows WinBox Web
-4-
www.mikrotik.com.cn
undo/redo Scripts
teminal console - PS/2 USB VGA Serial console ( COM1) RS232
9600bit/s, 8 data bits, 1 stop bit, no parity, hardware (RTS/CTS)
flow control Telnet telnet TCP 23 SSH - SSH ( shell) TCP 22 MAC
Telnet - MikroTik MAC Telnet Winbox Winbox RouterOS Windows TCP
82913.0rc13 winbox MAC
: :
3.0 RouterOS V3.0
RouterOSMikroTik RouterOS Telnet, SSH, WinBox Webbox WinBox
MAC-telnet IP MAC MAC-telnet -5-
www.mikrotik.com.cn
: Winbox MAC MAC RouterOS Winbox MikroTik RouterOS GUI MikroTik
HTTP TCP 80 Winbox.exe Windows Windows Winbox.exe :
MNDP (MikroTik Neighbor Discovery Protocol) CDP (Cisco Discovery
Protocol) MikroTik Cisco MAC MikroTik RouterOS
winbox2.2.12 MAC IP MAC IP
IP 80 MAC
-6-
www.mikrotik.com.cn
wbx wbx
Secure Mode winbox RouterOS TLSTransport Layer Security
Keep Password
winbox2.2.12 MAC IP winbox
Winbox TCP8291 Winbox MikroTik
-7-
www.mikrotik.com.cn
Winbox
Linux Winbox Wine Winbox RouterOS
Winbox /ip service print www /ip service set www port=80
address=0.0.0.0/0 Winbox TCP8291
PC DB9 9600 bits/s (RouterBOARD 500 115200 bits/s), windows
SecureCRT UNIX/Linux minicom
MikroTik Router COM windows HyperTerminal
COM DB9
-8-
www.mikrotik.com.cn
(DB9f) 1, 6 2 3 4 5 7 8RB100 RB300RB600
Signal CD, DSR RxD TxD DTR GND RTS CTS 4 3 2
(DB9f)
1, 6 5 8 7
DB9f 1+4+6 2 3 5 7+8
signal CD+DTR+DSR RxD xD GND RTS+CTS
DB9f 1+4+6 3 2 5 7+8
DB25f 6+8+20 2 3 7 4+5
MikroTik RouterOS RouterOS admin
MikroTik v3.0 Login: admin Password:
/password
[admin@MikroTik] > password old password: new password:
************ retype new password: ************ [admin@MikroTik]
>
MAC (Telnet Winbox) MAC IP RouterOS . IP . MAC 2 MikroTik
RouterOS .
MAC telnet : /tool mac-server
-9-
www.mikrotik.com.cn
interface (name | all; : all) MAC all
.,interfaces mac .
mac .
Disabled (disabled=yes) mac . all
ether1 interface mac :
[admin@MikroTik] tool mac-server> print Flags: X - disabled #
0 INTERFACE all
[admin@MikroTik] tool mac-server> remove 0 [admin@MikroTik]
tool mac-server> add interface=ether1 disabled=no
[admin@MikroTik] tool mac-server> print Flags: X - disabled # 0
INTERFACE ether1
[admin@MikroTik] tool mac-server>
MAC WinBox Server: /tool mac-server mac-winbox
interface (name | all; : all) mac all
, mac . Disabled (disabled=yes) mac .
.
ether1 MAC
[admin@MikroTik] tool mac-server mac-winbox> print Flags: X -
disabled # 0 INTERFACE all
[admin@MikroTik] tool mac-server mac-winbox> remove 0
[admin@MikroTik] tool mac-server mac-winbox> add
interface=ether1 disabled=no - 10 -
www.mikrotik.com.cn
[admin@MikroTik] tool mac-server mac-winbox> print Flags: X -
disabled # 0 INTERFACE ether1
[admin@MikroTik] tool mac-server mac-winbox>
: /tool mac-server sessions
interface (read-only: name) src-address (read-only: MAC address)
mac uptime (read-only: time)
mac :
[admin@MikroTik] tool mac-server sessions> print # INTERFACE
SRC-ADDRESS 0 wlan1 UPTIME
00:0B:6B:31:08:22 00:03:01
[admin@MikroTik] tool mac-server sessions>
MAC : /tool mac-scan MAC telnet (name)
MAC telnet : /tool mac-telnet (MAC address) mac
[admin@MikroTik] > /tool mac-telnet 00:02:6F:06:59:42 Login:
admin Password: Trying 00:02:6F:06:59:42... Connected to
00:02:6F:06:59:42
- 11 -
www.mikrotik.com.cn
MMM MMMM MMM MMMM KKK KKK OOOOOO TTTTTTTTTTT TTTTTTTTTTT TTT TTT
TTT TTT KKK KKK III KKK KKK III KKKKK III KKK KKK III KKK KKK
MMM MMMM MMM III KKK KKK RRRRRR MMM MM MMM MMM MMM MMM MMM III
KKKKK III KKK KKK
RRR RRR OOO OOO RRRRRR OOO OOO OOOOOO
III KKK KKK RRR RRR
MikroTik RouterOS 3.0beta10 (c) 1999-2007
http://www.mikrotik.com/
Terminal linux detected, using multiline input mode
[admin@MikroTik] >
system IP IP TelephonyOSPF wireless FTP FTP
RouterOS
MikroTik RouterOS 3.0 (c) 1999-2007
http://www.mikrotik.com.cn/
Terminal xterm detected, using multiline input mode
[admin@MikroTik] >
[admin@MikroTik] > [admin@MikroTik] interface>
[admin@MikroTik] ip address>
- 12 -
www.mikrotik.com.cn
[admin@MikroTik] >
log/ -- quit radius/ -- Radius certificate/ -- special-login/ --
redo driver/ -- ping ping setup interface/ -- password undo port/
-- import snmp/ -- SNMP user/ -- file/ -- system/ -- queue/ -- ip/
-- IP tool/ -- ppp/ -- routing/ -- export --
[admin@MikroTik] > [admin@MikroTik] ip>
.. service/ -- IP socks/ -- SOCKS 4 arp/ -- ARP upnp/ -- UPNP
dns/ -- DNS address/ -- accounting/ -- the-proxy/ -vrrp/ -- pool/
-- IP packing/ -- neighbor/ -- route/ -- firewall/ -- dhcp-client/
-- DHCP dhcp-relay/ -- DHCP dhcp-server/ -- DHCP hotspot/ --
HotSpot - 13 -
www.mikrotik.com.cn
ipsec/ -- IP web-proxy/ -- HTTP export --
[admin@MikroTik] ip>
[admin@MikroTik] > [admin@MikroTik] > driver
[admin@MikroTik] driver> / [admin@MikroTik] > interface
[admin@MikroTik] interface> /ip [admin@MikroTik] ip>
| | 'driver' | '/' | 'interface' | '/ip' IP |
interface in int[Tab]
[admin@MikroTik] ip route> print [admin@MikroTik] ip
route> .. address print [admin@MikroTik] ip route> /ip
address print
IP IP
Command command [Enter] [?] command [?] command argument [?]
[Tab] / /command .. "" "word1 word2" / [Tab] Specifies a string of
2 words that contain a space
IP 'address''netmask' IP
- 14 -
www.mikrotik.com.cn
/ip address add address 10.0.0.1/24 interface ether1 /ip address
add address 10.0.0.1 netmask 255.255.255.0 interface ether1
Interface Management IP /interface /interface print
[admin@MikroTik] interface> print Flags: X - disabled, D -
dynamic, R - running # NAME TYPE ether ether wavelan wlan RX-RATE 0
0 0 0 TX-RATE 0 0 0 0 MTU 1500 1500 1500 1500
0 R ether1 1 R ether2 2 X wavelan1 3 X prism1 [admin@MikroTik]
interface>
/interface enable name
[admin@MikroTik] interface> print Flags: X - disabled, D -
dynamic, R - running # NAME TYPE ether ether RX-RATE 0 0 TX-RATE 0
0 MTU 1500 1500
0 X ether1 1 X ether2
[admin@MikroTik] interface> enable 0 [admin@MikroTik]
interface> enable ether2 [admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running # NAME TYPE ether
ether RX-RATE 0 0 TX-RATE 0 0 MTU 1500 1500
0 R ether1 1 R ether2 [admin@MikroTik] interface>
/interface set
[admin@MikroTik] interface> set ether1 name=Local; set ether2
name=Public [admin@MikroTik] interface> print Flags: X -
disabled, D - dynamic, R - running # NAME TYPE ether ether RX-RATE
0 0 TX-RATE 0 0 MTU 1500 1500
0 R Local 1 R Public [admin@MikroTik] interface>
- 15 -
www.mikrotik.com.cn
Setup /setup
IP DHCP DHCP pppoe pptp
Setup IP /setup
[admin@MikroTik] > setup Setup uses Safe Mode. It means that
all changes that are made during setup are reverted in case of
error, or if Ctrl-C is used to abort setup. To keep changes exit
setup using the 'x' key. [Safe Mode taken] Choose options by
pressing one of the letters in the left column, before dash.
Pressing 'x' will exit current menu, pressing Enter key will select
the entry that is marked by an '*'. You can abort setup at any time
by pressing Ctrl-C. Entries marked by '+' are already configured.
Entries marked by '-' cannot be used yet. Entries marked by 'X'
cannot be used without installing additional packages. r - reset
all router configuration + l - load interface driver * a -
configure ip address and gateway d - setup dhcp client s - setup
dhcp server p - setup pppoe client t - setup pptp client x - exit
menu your choice [press Enter to configure ip address and gateway]:
a
IP a [Enter]
* a - add ip address - g - setup default gateway x - exit menu
your choice [press Enter to add ip address]: a
- 16 -
www.mikrotik.com.cn
a IP IP [Tab] IP
your choice: a enable interface: ether1 ether2 wlan1 enable
interface: ether1 ip address/netmask: 10.1.0.66/24 #Enabling
interface /interface enable ether1 #Adding IP address /ip address
add address=10.1.0.66/24 interface=ether1 comment="added by setup"
+ a - add ip address * g - setup default gateway x - exit menu your
choice: x
RouteroS Interface ip address IP IP ip routes ip firewall nat
NAT
MikroTik router
- 17 -
www.mikrotik.com.cn
192.168.0.0 24-bit255.255.255.0 192.168.0.254 ISP 10.0.0.0
24-bit255.255.255.0 10.0.0.217
[admin@MikroTik] ip address> add address 10.0.0.217/24
interface Public [admin@MikroTik] ip address> add address
192.168.0.254/24 interface Local [admin@MikroTik] ip address>
print Flags: X - disabled, I - invalid, D - dynamic # 0 1 ADDRESS
10.0.0.217/24 192.168.0.254/24 NETWORK 10.0.0.217 192.168.0.0
BROADCAST 10.0.0.255 192.168.0.255 INTERFACE Public Local
[admin@MikroTik] ip address>
address netmask 255.255.255.0 RouterOS IP winbox
dynamic (D) connected (C):
[admin@MikroTik] ip route> print Flags: X - disabled, I -
invalid, D - dynamic, J - rejected, C - connect, S - static, R -
rip, O - ospf, B - bgp # DST-ADDRESS G GATEWAY r 0.0.0.0 r 0.0.0.0
DISTANCE INTERFACE 0 0 Local Public
0 DC 192.168.0.0/24 1 DC 10.0.0.0/24
[admin@MikroTik] ip route> print detail Flags: X - disabled,
I - invalid, D - dynamic, J - rejected, C - connect, S - static, R
- rip, O - ospf, B - bgp 0 DC dst-address=192.168.0.0/24
preferred-source=192.168.0.254 gateway=0.0.0.0
gateway-state=reachable distance=0 interface=Local 1 DC
dst-address=10.0.0.0/24 preferred-source=10.0.0.217 gateway=0.0.0.0
gateway-state=reachable distance=0 interface=Public
[admin@MikroTik] ip route>
- 18 -
www.mikrotik.com.cn
(destination 0.0.0.0 (any), netmask 0.0.0.0 (any)) ISP 10.0.0.1
Public
[admin@MikroTik] ip route> add gateway=10.0.0.1
[admin@MikroTik] ip route> print Flags: X - disabled, I -
invalid, D - dynamic, J - rejected, C - connect, S - static, R -
rip, O - ospf, B - bgp # DST-ADDRESS G GATEWAY r 10.0.0.1 r 0.0.0.0
r 0.0.0.0 DISTANCE INTERFACE 1 0 0 Public Local Public
0 S 0.0.0.0/0 1 DC 192.168.0.0/24 2 DC 10.0.0.0/24
[admin@MikroTik] ip route>
#0 10.0.0.1 'Public' 'interface' unknownWinbox
/ping
[admin@MikroTik] ip route> /ping 10.0.0.4 10.0.0.4 64 byte
ping: ttl=255 time=7 ms 10.0.0.4 64 byte ping: ttl=255 time=5 ms
10.0.0.4 64 byte ping: ttl=255 time=5 ms 3 packets transmitted, 3
packets received, 0% packet loss round-trip min/avg/max = 5/5.6/7
ms [admin@MikroTik] ip route> [admin@MikroTik] ip route>
/ping 192.168.0.1 192.168.0.1 64 byte ping: ttl=255 time=1 ms
192.168.0.1 64 byte ping: ttl=255 time=1 ms 192.168.0.1 64 byte
ping: ttl=255 time=1 ms 3 packets transmitted, 3 packets received,
0% packet loss round-trip min/avg/max = 1/1.0/1 ms [admin@MikroTik]
ip route>
192.168.0.254 windows TCP/IP ping
C:\>ping 192.168.0.254
- 19 -
www.mikrotik.com.cn
Reply from 192.168.0.254: bytes=32 time=10ms TTL=253 Reply from
192.168.0.254: bytes=32 time print Flags: X - disabled, I -
invalid, D - dynamic 0 chain=srcnat out-interface=Public
action=masquerade
Winbox
- 20 -
www.mikrotik.com.cn
NAT NAT RouterOS
LAN 192.168.0.88 128kbps 64kbps:
[admin@MikroTik] queue simple> add target-address=192.68.0.88
max-limit=64000/128000 interface=Local [admin@MikroTik] queue
simple> print Flags: X - disabled, I - invalid, D - dynamic 0
name="queue1" target-address=192.68.0.88 dst-address=0.0.0.0/0
interface=Local queue=default priority=8 limit-at=0/0
max-limit=64000/128000 [admin@MikroTik] queue simple>
NAT NAT
192.168.0.4 80 web 10.0.0.217 80 MikroTik (NAT) , 10.0.0.217 80
192.168.0.4:80
[admin@MikroTik] ip firewall nat> add chain=dstnat
action=dst-nat protocol=tcp dst-address=10.0.0.217/32 dst-port=80
to-addresses=192.168.0.4 [admin@MikroTik] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic 0 chain=dstnat
dst-address=10.0.0.217/32 protocol=tcp dst-port=80 action=dst-nat
to-addresses=192.168.0.4 to-ports=0-65535
- 21 -
www.mikrotik.com.cn
MikroTik RouterOS FTP T MikroTik RouterOS FTP !
/system backup Save /file /system reset RouterOS /system backup
load
load name=[filename] save name=[filename]
test
[admin@MikroTik] system backup> save name=test Saving system
configuration Configuration backup saved [admin@MikroTik] system
backup>
- 22 -
www.mikrotik.com.cn
[admin@MikroTik] > file print # NAME 0 test.backup
[admin@MikroTik] > TYPE backup SIZE 12567 CREATION-TIME
aug/12/2002 21:07:50
test:
[admin@MikroTik] system backup> load name=test Restore and
reboot? [y/N]: y ...
Exportexport Export export file FTP
from=[number] file=[filename]
[admin@MikroTik] > ip address print Flags: X - disabled, I -
invalid, D - dynamic # 0 1 ADDRESS 10.1.0.172/24 10.5.1.1/24
NETWORK 10.1.0.0 10.5.1.0 BROADCAST 10.1.0.255 10.5.1.255 INTERFACE
bridge1 ether1
[admin@MikroTik] >
[admin@MikroTik] ip address> export file=address
[admin@MikroTik] ip address>
[admin@MikroTik] ip address> export file=address1 from=1
[admin@MikroTik] ip address>
- 23 -
www.mikrotik.com.cn
[admin@MikroTik] > file print # NAME 0 address.rsc 1
address1.rsc [admin@MikroTik] > TYPE script script SIZE 315 201
CREATION-TIME dec/23/2003 13:21:48 dec/23/2003 13:22:57
[admin@MikroTik] ip address> export from=0,1 # dec/23/2003
13:25:30 by RouterOS 2.8beta12 # software id = MGJ4-MAN # / ip
address add address=10.1.0.172/24 network=10.1.0.0
broadcast=10.1.0.255 \ interface=bridge1 comment="" disabled=no add
address=10.5.1.1/24 network=10.5.1.0 broadcast=10.5.1.255 \
interface=ether1 comment="" disabled=no [admin@MikroTik] ip
address>
/import /import file_name , firewall rules
file=[filename]
[admin@MikroTik] > import address.rsc Opening script file
address.rsc Script file loaded successfully [admin@MikroTik]
>
- 24 -
www.mikrotik.com.cn
/system adminIP reset
[admin@MikroTik] > system reset Dangerous! Reset anyway?
[y/N]: n action cancelled [admin@MikroTik] >
resource/system resource RouterOS
monitor
CPU
[admin@MikroTik] system resource> print uptime: 5h26m12s
version: "3.0" free-memory: 17000kB total-memory: 30200kB model:
"RouterBOARD 500" cpu: "MIPS 4Kc V0.10" cpu-count: 1 cpu-frequency:
333MHz cpu-load: 3 free-hdd-space: 14208kB total-hdd-space: 61440kB
write-sect-since-reboot: 1047 write-sect-total: 379983 bad-blocks:
0 [admin@MikroTik] system resource>
CPU
[admin@MikroTik] > system resource monitor cpu-used: 0
free-memory: 115676
- 25 -
www.mikrotik.com.cn
[admin@MikroTik] >
IRQ : /system resource irq print IRQ
[admin@MikroTik] > system resource irq print Flags: U -
unused IRQ OWNER 1 2 U 3 4 5 U 6 U 7 U 8 U 9 U 10 11 ether1 12
[Ricoh Co Ltd RL5c476 II] U 13 14 IDE 1 [admin@MikroTik] >
serial port [Ricoh Co Ltd RL5c476 II (#2)] keyboard APIC
IO : /system resource io print IO (Input/Output)
[admin@MikroTik] > system resource io print PORT-RANGE
0x20-0x3F 0x40-0x5F 0x60-0x6F 0x80-0x8F 0xA0-0xBF 0xC0-0xDF
0xF0-0xFF 0x1F0-0x1F7 0x2F8-0x2FF OWNER APIC timer keyboard DMA
APIC DMA FPU IDE 1 serial port - 26 -
www.mikrotik.com.cn
0x3C0-0x3DF 0x3F6-0x3F6 0x3F8-0x3FF 0xCF8-0xCFF 0x4000-0x40FF
0x4400-0x44FF 0x4800-0x48FF 0x4C00-0x4CFF 0x5000-0x500F
0xC000-0xC0FF 0xC000-0xC0FF 0xC400-0xC407 0xC800-0xC87F
0xF000-0xF00F VGA IDE 1 serial port [PCI conf1] [PCI CardBus #03]
[PCI CardBus #03] [PCI CardBus #04] [PCI CardBus #04] [Intel Corp.
82801BA/BAM SMBus] [Realtek Semiconductor Co., Ltd.
RTL-8139/8139C/8139C+] [8139too] [Cologne Chip Designs GmbH ISDN
network controller [HFC-PCI] [Cyclades Corporation PC300/TE (1
port)] [Intel Corp. 82801BA IDE U100]
[admin@MikroTik] >
USB : /system resource usb print USB device (read-only: text)
name (read-only: text) USB speed (read-only: integer) vendor
(read-only: text) USB
USB
[admin@MikroTik] system resource usb> print # DEVICE VENDOR 0
1:1 NAME USB OHCI Root Hub SPEED 12 Mbps
[admin@MikroTik] system resource usb>
PCI : /system resource pci print category (read-only: text)
device (read-only: text) device-id (read-only: integer) ID irq
(read-only: integer) IRQ memory (read-only: integer) name
(read-only: text) - 27 -
www.mikrotik.com.cn
vendor (read-only: text) vendor-id (read-only: integer)
PCI
[admin@MikroTik] system resource pci> print # DEVICE VENDOR
NAME IRQ
0 00:13.0 Compaq 1 00:12.5 National Semi 2 00:12.4 National Semi
3 00:12.3 National Semi 4 00:12.2 National Semi 5 00:12.1 National
Semi 6 00:12.0 National Semi 7 00:0e.0 Atheros Communications 8
00:0d.1 Texas Instruments 9 00:0d.0 Texas Instruments 10 00:0c.0
National Semi 11 00:0b.0 National Semi 12 00:00.0 Cyrix
Corporation
ZFMicro Chipset USB (rev... 12 SC1100 XBus (rev: 0) SC1100 Video
(rev: 1) SCx200 Audio (rev: 0) SCx200 IDE (rev: 1) SC1100 SMI (rev:
0) SC1100 Bridge (rev: 0) AR5212 (rev: 1) 10
PCI1250 PC card Cardbus ... 11 PCI1250 PC card Cardbus ... 11
DP83815 (MacPhyter) Ethe... 10 DP83815 (MacPhyter) Ethe... 9 PCI
Master (rev: 0)
[admin@MikroTik] system resource pci>
/system reboot
[admin@MikroTik] > system reboot Reboot, yes? [y/N]: y system
will reboot shortly [admin@MikroTik] >
: /system shutdown
- 28 -
www.mikrotik.com.cn
30 10
[admin@MikroTik] > system shutdown Shutdown, yes? [y/N]: y
system will shutdown promptly [admin@MikroTik] >
: /system identity DHCP host name
:
[admin@MikroTik] > system identity print name: "MikroTik"
[admin@MikroTik] >
[admin@MikroTik] > system identity set name=Gateway
[admin@Gateway] >
CPU/system hardware CPU RouterOS v3 /system resource CPU CPU
[admin@MikroTik] > system hardware [admin@MikroTik] /system
hardware> .. / : edit export get print set [admin@MikroTik]
/system hardware> set multi-cpu=yes ; [admin@MikroTik] /system
hardware> prin multi-cpu: yes [admin@MikroTik] /system
hardware>
- 29 -
www.mikrotik.com.cn
NetInstall RouterRoard RouterRoard RouterBoard RouterBoard
RouterOS 1. ether1 Hub RouteBoard RouterBoard
2.
NetInstall for MIPS (*.npk )NetInstall for MIPS:
- 30 -
www.mikrotik.com.cn
3.
Windows 115200
4.
Boot Server IP IP RouterBoard IP 172.16.0.0/24
RouterBoard ether1
5.
RouterBoard RouterBoard BIOS ( RouterBOARD press any key BIOS
):
- 31 -
www.mikrotik.com.cn
RouterBoard 532
CPU frequency: 330 MHz Memory size: 32 MB
Press any key within 2 seconds to enter setup.
RouterBOOT-1.13 What do you want to configure? d - boot delay k
- boot key s - serial console o - boot device u - cpu mode f - try
cpu frequency c - keep cpu frequency r - reset configuration e -
format nand g - upgrade firmware i - board info p - boot protocol t
- do memory testing x - exit setup your choice:
BIOS boot deviceo
RouterBOOT-1.13 What do you want to configure? d - boot delay k
- boot key s - serial console o - boot device u - cpu mode f - try
cpu frequency c - keep cpu frequency r - reset configuration e -
format nand g - upgrade firmware i - board info p - boot protocol t
- do memory testing x - exit setup your choice: o - boot device
e RouterBoard
- 32 -
www.mikrotik.com.cn
Select boot device: e - boot over Ethernet * n - boot from NAND,
if fail then Ethernet c - boot from CF 1 - boot Ethernet once, then
NAND 2 - boot Ethernet once, then CF o - boot from NAND only b -
boot chosen device your choice: e - Etherboot
RouterBoard BIOS x BIOS 6. RouterBoard Netinstall Windows
RouterBoard IP RouterBoard Windows RouterBoard
IP 115200 Install RouterOS. 7. Reboot RouterBoard BIOS boot from
NAND only RouterBoard RouterOS
- 33 -
www.mikrotik.com.cn
MikroTik RouterOS MikroTik /
: /ip service
name - port (: 1..65535) - laddress (IP ; : 0.0.0.0/0) - IP
certificate (; : none) -
WWW 10.10.10.0/24 8081
[admin@MikroTik] > ip service [admin@MikroTik] /ip
service> prin Flags: X - disabled, I - invalid # 0 1 2 NAME
telnet ftp www PORT ADDRESS 23 21 80 443 0.0.0.0/0 0.0.0.0/0
0.0.0.0/0 0.0.0.0/0 none CERTIFICATE
3 X www-ssl 4 X api 5 winbox
8728 0.0.0.0/0 8291 0.0.0.0/0
[admin@MikroTik] /ip service> [admin@MikroTik] ip service>
set www port=8081 address=10.10.10.0/24 [admin@MikroTik] ip
service> print Flags: X - disabled, I - invalid # 0 1 2 NAME
telnet ftp www PORT ADDRESS 23 21 0.0.0.0/0 0.0.0.0/0
CERTIFICATE
8081 10.10.10.0/24 443 0.0.0.0/0 none
3 X www-ssl 4 X api 5 winbox
8728 0.0.0.0/0 8291 0.0.0.0/0
[admin@MikroTik] ip service>
MikoTik RouterOS
- 34 -
www.mikrotik.com.cn
/ 20/tcp 21/tcp 22/tcp 23/tcp 53/tcp 53/udp 67/udp 68/udp 80/tcp
123/udp 161/udp 443/tcp 500/udp 520/udp 521/udp 179/tcp 1080/tcp
1701/udp 1718/udp 1719/tcp 1720/tcp 1723/tcp 1731/tcp 1900/udp
2828/tcp 2000/tcp 3986/tcp 3987/tcp 5678/udp 8080/tcp FTP [] FTP []
SSH () DNS DNS DHCP ( dhcp ) DHCP ( dhcp ) WWWHTTP NTP ( ntp ) SNMP
( snmp ) SSL HTTP( hotspot ) Internet Key Exchange IKE protocol (
ipsec ) RIP () RIP ( routing ) BGP ( routing ) SOCKS Layer 2 Tunnel
Protocol L2TP ( ppp ) H.323 Gatekeeper Discovery ( telephony )
H.323 Gatekeeper RAS ( telephony ) H.323 ( telephony e) PPTP ( ppp
) H.323 ( telephony ) uPnP uPnP Winbox winbox SSL () MikroTik
Neighbor Discovery Protocol HTTP ( WEB )
- 35 -
www.mikrotik.com.cn
8291/tcp 20561/udp 5000+/udp /1 /4 /47 /50 /51 /89 /112 Winbox
MAC winbox H.323 RTP ( telephony ) ICMP IP - IP in IP
(encapsulation) GRE ( PPTP EoIP) ESP - IPv4 () AH - IPv4 () OSPFIGP
- OSPF VRRP
InterfaceMikroTik RouterOS VLANBridge
/interface
name () status type (: arlan | bridge | cyclades | eoip |
ethernet | farsync | ipip | isdn-client | isdn-server | l2tp-client
| l2tp-server | moxa-c101 | moxa-c502 | mtsync | pc | ppp-client |
ppp-server | pppoe-client | pppoe-server | pptp-client |
pptp-server | pvc | radiolan | sbe | vlan | wavelan | wireless |
xpeed) mtu () (bytes) rx-rate (; : 0) 0 - no limits tx-rate (; : 0)
0 - no limits
[admin@MikroTik] interface> print Flags: X - disabled, D -
dynamic, R - running - 36 -
www.mikrotik.com.cn
# NAME TYPE ether bridge ether wlan RX-RATE 0 0 0 0 TX-RATE 0 0
0 0 MTU 1500 1500 1500 1500
0 R ether1 1 R bridge1 2 R ether2 3 R wlan1 [admin@MikroTik]
interface>
/interface monitor-traffic
[admin@MikroTik] interface> monitor-traffic ether1,wlan1
received-packets-per-second: 1 received-bits-per-second: 475bps
sent-packets-per-second: 1 1 0 0bps
sent-bits-per-second: 2.43kbps 198bps -- [Q quit|D dump|C-z
pause]
EthernetMikroTik RouterOS Device Driver List 0H
system Level1 /interface ethernet : IEEE 802.31H
: Not significant
/interface ethernet
- 37 -
www.mikrotik.com.cn
name (; : etherN) , arp (disabled | enabled | proxy-arp |
reply-only; : enabled) mtu (; : 1500) disable-running-check (yes |
no; : yes) mac-address (: MAC ) auto-negotiation (yes | no; : yes)
full-duplex (yes | no; : yes) long-cable (yes | no; : no) ( NS
DP83815/6 ). 50m "long-cable=yes" speed (10 Mbps | 100 Mbps | 1000
Mbps)
[admin@MikroTik] > interface print Flags: X - disabled, D -
dynamic, R - running # NAME TYPE ether RX-RATE 0 TX-RATE 0 MTU
1500
0 X ether1
[admin@MikroTik] > interface enable ether1 [admin@MikroTik]
> interface print Flags: X - disabled, D - dynamic, R - running
# NAME TYPE ether RX-RATE 0 TX-RATE 0 MTU 1500
0 R ether1
[admin@MikroTik] > interface ethernet [admin@MikroTik]
interface ethernet> print Flags: X - disabled, R - running #
NAME MTU MAC-ADDRESS ARP
0 R ether1
1500 00:0C:42:03:00:F2 enabled
[admin@MikroTik] interface ethernet> print detail Flags: X -
disabled, R - running 0 R name="ether1" mtu=1500
mac-address=00:0C:42:03:00:F2 arp=enabled disable-running-check=yes
auto-negotiation=yes full-duplex=yes long-cable=no speed=100Mbps
[admin@MikroTik] interface ethernet>
/interface ethernet monitor
status (link-ok | no-link | unknown) link-ok no-link unknown
rate (10 Mbps | 100 Mbps | 1000 Mbps) auto-negotiation (done |
incomplete)
- 38 -
www.mikrotik.com.cn
done incomplete full-duplex (yes | no)
[admin@MikroTik] interface ethernet> monitor ether1,ether2
status: link-ok link-ok auto-negotiation: done done
rate: 100Mbps 100Mbps full-duplex: yes yes
IP ARP IP IP TCP/IP ARP
system Level1 /ip address, /ip arp IP, ARP2H 3H
IP /ip address IP IP IP (IPv4) 4 8 IP IP IP RouterOS 2.8 IP /ip
address print detail MikroTik RouterOS
Static Dynamic ppp, ppptp, pppoe
address (IP ) IP - 39 -
www.mikrotik.com.cn
broadcast (IP ; : 255.255.255.255) IP IP disabled (yes | no; :
no) interface () actual-interface (: ) bridgestunnels netmask (IP ;
: 0.0.0.0) IP network (IP ; : 0.0.0.0) IP
IP 10.0.0.1/24 ether1 10.0.0.132/24 ether2 10.0.0.0/24
IP 10.10.10.1/24 ether2
[admin@MikroTik] ip address> add address=10.10.10.1/24
interface=ether2 [admin@MikroTik] ip address> print Flags: X -
disabled, I - invalid, D - dynamic # 0 1 2 ADDRESS 2.2.2.1/24
10.5.7.244/24 10.10.10.1/24 NETWORK 2.2.2.0 10.5.7.0 10.10.10.0
BROADCAST 2.2.2.255 10.5.7.255 10.10.10.255 INTERFACE ether2 ether1
ether2
[admin@MikroTik] ip address>
/ip arp IP IP OSI 3 2 MAC ARP ARP
address (IP ) IP interface () IP mac-address (MAC ; :
00:00:00:00:00:00) MAC
ARP 1024. ARP arp=disabled ARP ARP arp IP MAC windows
C:\> arp -s 10.5.8.254 00-aa-00-62-c6-09
- 40 -
www.mikrotik.com.cn
arp reply-onlyo ARP MAC /ip arp ARP
[admin@MikroTik] ip arp> add address=10.10.10.10
interface=ether2 mac-address=06:21:00:56:00:12 [admin@MikroTik] ip
arp> print Flags: X - disabled, I - invalid, H - DHCP, D -
dynamic # ADDRESS MAC-ADDRESS INTERFACE
0 D 2.2.2.2 1 D 10.5.7.242 2 10.10.10.10
00:30:4F:1B:B3:D9 ether2 00:A0:24:9D:52:A4 ether1
06:21:00:56:00:12 ether2
[admin@MikroTik] ip arp>
ARP arp 'reply-only' /interface
[admin@MikroTik] ip arp> /interface ethernet set ether2
arp=reply-only [admin@MikroTik] ip arp> print Flags: X -
disabled, I - invalid, H - DHCP, D - dynamic # ADDRESS MAC-ADDRESS
INTERFACE
0 D 10.5.7.242 1 10.10.10.10
00:A0:24:9D:52:A4 ether1 06:21:00:56:00:12 ether2
[admin@MikroTik] ip arp>
ARP Atheros Prism (wireless), Aironet (PC), WaveLAN ARP ARP ARP
ARP (ProxyARP) ARP
- 41 -
www.mikrotik.com.cn
Router
admin@MikroTik] ip arp> /interface ethernet print Flags: X -
disabled, R - running, S slave # NAME MTU MAC-ADDRESS ARP MA..
SWITCH none 0
0 R ether1
1500 00:0C:42:11:54:F5 enabled
[admin@MikroTik] ip arp> /interface print Flags: X -
disabled, R - running, D - dynamic, S - slave # NAME TYPE ether
prism pppoe-in pppoe-in 1500 MTU 1500
0 R ether1 1 prism1
2 D pppoe-in25 3 D pppoe-in26
[admin@MikroTik] ip arp> /ip address print Flags: X -
disabled, I - invalid, D - dynamic # 0 ADDRESS 10.0.0.217/24
NETWORK 10.0.0.0 10.0.0.230 10.0.0.231 BROADCAST 10.0.0.255 0.0.0.0
0.0.0.0 INTERFACE eth-LAN pppoe-in25 pppoe-in26
1 D 10.0.0.217/32 2 D 10.0.0.217/32
[admin@MikroTik] ip arp> /ip route print Flags: X - disabled,
I - invalid, D - dynamic, J - rejected, C - connect, S - static, R
- rip, O - ospf, B - bgp # DST-ADDRESS G GATEWAY r 10.0.0.1 r
0.0.0.0 r 0.0.0.0 r 0.0.0.0 DISTANCE INTERFACE 1 0 0 0 eth-LAN
eth-LAN pppoe-in25 pppoe-in26
0 S 0.0.0.0/0 1 DC 10.0.0.0/24 2 DC 10.0.0.230/32 3 DC
10.0.0.231/32 [admin@MikroTik] ip arp>
ARP
- 42 -
www.mikrotik.com.cn
/ip arp LAN ARP ARP
:foreach i in [/ip arp find dynamic=yes interface=LAN] do={ /ip
arp add copy-from=$i}
LAN Reply-only [admin@MikroTik] ip arp> /interface ethernet
set LAN arp=reply-only IP Windows
C:\> arp -s 10.5.8.254 00-aa-00-62-c6-09
windows .dat
Proxy-ARP ? router router, proxy ARP proxy-ARP ? 1. ARP 2. ARP
table IP MAC 3., ARP (spoofing) 4. ARP 5.
ARP IP IP MAC Address resolution protocol (ARP) IP ARP ARP IP
MAC ARP IP MAC ARP ARP ARP ARP IP ARP 1. WinBox ARP
- 43 -
www.mikrotik.com.cn
[admin@RB230] ip arp> add address=10.10.10.10
interface=ether2 mac-address=00:21:00:56:00:12
ARP
2. ether2 interface ARP
- 44 -
www.mikrotik.com.cn
[admin@RB230] > interface ethernet set ether2
arp=reply-only
Routes IP ECMPequal-cost multi-path
: system : Level1 : /ip route, /ip policy-routing : IP (RFC
791)4H
NAT RouterOS
IP
- 45 -
www.mikrotik.com.cn
IP RIP OSPF
ECMP (Equal Cost Multi-Path) Equal-Cost Multi-Path Routing / IP
FTP
gateway=x.x.x.x,y.y.y.y
RouterOS
routing-mark
: /ip route Equal Cost Multi-PathPolicy-Based Routing
IP 10.1.12.0/24 0.0.0.0/0 ()
[admin@NAT] ip route> add dst-address=10.1.12.0/24
gateway=192.168.0.253 [admin@NAT] ip route> add gateway=10.5.8.1
[admin@NAT] ip route> print Flags: X - disabled, A - active, D -
dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf #
DST-ADDRESS G GATEWAY r 192.168.0.253 DISTANCE INTERFACE Local
Public Local r 10.5.8.1 Public
0 A S 10.1.12.0/24 1 ADC 10.5.8.0/24 2 ADC 192.168.0.0/24 3 A S
0.0.0.0/0 [admin@NAT] ip route>
Equal Cost Multi-Path 192.168.0.0/24 10.1.0.1 10.1.1.1
- 46 -
www.mikrotik.com.cn
ISP1 2Mbps ISP2 4Mbps 1:2 (1/3 192.168.0.0/24 ISP12/3 ). IP
[admin@ECMP-Router] ip address> print Flags: X - disabled, I
- invalid, D - dynamic # 0 1 2 ADDRESS 192.168.0.254/24 10.1.0.2/28
10.1.1.2/28 NETWORK 192.168.0.0 10.1.0.0 10.1.1.0 BROADCAST
INTERFACE Local Public1 Public2
192.168.0.255 10.1.0.15 10.1.1.15
[admin@ECMP-Router] ip address>
ISP1 ISP2 1:3 :
[admin@ECMP-Router] ip route> add
gateway=10.1.0.1,10.1.1.1,10.1.1.1 [admin@ECMP-Router] ip route>
print Flags: X - disabled, A - active, D - dynamic, C - connect, S
- static, r - rip, b - bgp, o - ospf # DST-ADDRESS G GATEWAY
DISTANCE INTERFACE Public1 Public2 Local r 10.1.0.1 r 10.1.1.1 r
10.1.1.1 [admin@ECMP-Router] ip route> Public1 Public2
Public2
0 ADC 10.1.0.0/28 1 ADC 10.1.1.0/28 2 ADC 192.168.0.0/24 3 A S
0.0.0.0/0
Policy-Based
- 47 -
www.mikrotik.com.cn
192.168.0.0/24 10.0.0.2 192.168.1.0/24 10.0.0.3 GW_1 ping
192.168.0.0/24 GW_Backup GW_2 ping GW_Backup 192.168.1.0/24GW_2
IP
[admin@PB-Router] ip address> print Flags: X - disabled, I -
invalid, D - dynamic # 0 1 2 ADDRESS 192.168.0.1/24 192.168.1.1/24
10.0.0.7/24 NETWORK 192.168.0.0 192.168.1.0 10.0.0.0 BROADCAST
INTERFACE Local1 Local2 Public
192.168.0.255 192.168.1.255 10.0.0.255
[admin@PB-Router] ip address>
1.
192.168.0.0/24 new-routing-mark=net1 192.168.1.0/24
new-routing-mark=net2
[admin@PB-Router] ip firewall mangle> add
src-address=192.168.0.0/24 \ \... action=mark-routing
new-routing-mark=net1 chain=prerouting [admin@PB-Router] ip
firewall mangle> add src-address=192.168.1.0/24 \ \...
action=mark-routing new-routing-mark=net2 chain=prerouting
[admin@PB-Router] ip firewall mangle> print Flags: X - disabled,
I - invalid, D - dynamic 0 chain=prerouting
src-address=192.168.0.0/24 action=mark-routing
new-routing-mark=net1
1
chain=prerouting src-address=192.168.1.0/24 action=mark-routing
new-routing-mark=net2
[admin@PB-Router] ip firewall mangle>
- 48 -
www.mikrotik.com.cn
2. 192.168.0.0/24 GW_1 (10.0.0.2), 192.168.1.0/24 GW_2
(10.0.0.3), GW_1 GW_2 fails ( ping), GW_Backup (10.0.0.1):
[admin@PB-Router] ip route> add gateway=10.0.0.2
routing-mark=net1 \ \... check-gateway=ping [admin@PB-Router] ip
route> add gateway=10.0.0.3 routing-mark=net2 \ \...
check-gateway=ping [admin@PB-Router] ip route> add
gateway=10.0.0.1 [admin@PB-Router] ip route> print Flags: X -
disabled, A - active, D - dynamic, C - connect, S - static, r -
rip, b - bgp, o - ospf # DST-ADDRESS PREFSRC 10.0.0.7 192.168.0.1
192.168.1.1 r 10.0.0.2 r 10.0.0.3 r 10.0.0.1 G GATEWAY DISTANCE
INTERFACE Public Local1 Local2 Public Public Public
0 ADC 10.0.0.0/24 1 ADC 192.168.0.0/24 2 ADC 192.168.1.0/24 3 A
S 0.0.0.0/0 4 A S 0.0.0.0/0 5 A S 0.0.0.0/0
[admin@PB-Router] ip route>
netwatch 5 ping 2.2.2.2 3.3.3.1
/system script add name=down source={/ip route \ {... set [/ip
route find dst-address=0.0.0.0] gateway 3.3.3.1} /system script add
name=up source={/ip route \ {... set [/ip route find
dst-address=0.0.0.0] gateway 2.2.2.1} /tool netwatch add
host=2.2.2.2 interval=5s up-script=up down-script=down
Internet
/ip route add gateway=1.1.1.1,2.2.2.1
/system script add name=fo source={ :local R1 :local R2 :if
([/tool netwatch get R1 status]=up) do={:set R1 1.1.1.1} :if
([/tool netwatch get R2 status]=up) do={:set R2 2.2.2.1}
- 49 -
www.mikrotik.com.cn
/ip route set [/ip route find dst-address=0.0.0.0/0] \
gateway=($R1 . , . $R2) } /tool netwatch add comment=R1
host=1.1.1.1 interval=5s up-script=fo \ down-script=fo /tool
netwatch add comment=R2 host=2.2.2.1 interval=5s up-script=fo \
down-script=fo
3.3.3.1
/system script add name=fo source={ :local R1 :local R2 :local
R3 :if ([/tool netwatch get R1 status]=up) do={:set R1 1.1.1.1} :if
([/tool netwatch get R2 status]=up) do={:set R2 2.2.2.1} :if
([/tool netwatch get R3 status]=up) do={:set R3 3.3.3.1} /ip route
set [/ip route find dst-address=0.0.0.0/0] \ gateway=($R1 . , . $R2
. , . $R3) } /tool netwatch add comment=R1 host=1.1.1.1 interval=5s
up-script=fo \ down-script=fo /tool netwatch add comment=R2
host=2.2.2.1 interval=5s up-script=fo \ down-script=fo /tool
netwatch add comment=R3 host=3.3.3.1 interval=5s up-script=fo \
down-script=fo
RouterOS 2.9 1 RouterOS 2.9 check-gateway check-gateway 10s 2
RouterOS 2.9 RouterOS 2.9 0.0.0.0/0routing-mark,
- 50 -
www.mikrotik.com.cn
IP 10.200.15.1 AS S 202.112.12.12.11 10.200.15.1
202.112.12.11 check-gateway 10s 10.200.15.11 202.112.12.11
202.112.12.11 10.200.15.1
ADSL Internet 2M ADSL 2M NAT 3 WAN1 WAN2 ADSL LAN
WAN1 WAN2 IP ADSL PPPoE
ADSL /interface pppoe-client ADSL - 51 -
www.mikrotik.com.cn
/interface pppoe-client add name pppoe-line1 service
CHN-Telecom/ user c999@166 password5H
123 interface WAN2 use-peer-dns yes mtu 1942 mru 1942
:
pppoe-client ADSL pppoe-client add-default-route=yes
add-default-route=no
[admin@MikroTik] ip address> add address 61.193.77.77/24
interface WAN1 [admin@MikroTik] ip address> print Flags: X -
disabled, I - invalid, D - dynamic # 0 D 1 ADDRESS 61.193.77.77/24
218.88.32.10/24 NETWORK 61.193.77.0 218.88.32.1 BROADCAST
61.193.77.255 0.0.0.0 INTERFACE WAN1 pppoe-out1
[admin@MikroTik] ip address>
192.168.0.1/24
[admin@MikroTik] ip address> add address 192.168.0.1/24
interface LAN [admin@MikroTik] ip address> print Flags: X -
disabled, I - invalid, D - dynamic # 0 D 1 2 ADDRESS
61.193.77.77/24 218.88.32.10/24 192.168.0.1/24 NETWORK 61.193.77.0
218.88.32.1 192.168.0.0 BROADCAST 61.193.77.255 0.0.0.0
192.168.0.255 INTERFACE WAN1 pppoe-out1 LAN
[admin@MikroTik] ip address>
61.193.77.1
[admin@MikroTik] ip route> add gateway=61.193.77.1
[admin@MikroTik] ip route> print Flags: X - disabled, A -
active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o -
ospf # DST-ADDRESS PREFSRC 61.193.77.77 218.88.32.10 192.168.0.1 r
61.193.77.1 G GATEWAY DISTANCE INTERFACE WAN1 pppoe-out1 LAN
WAN1
0 ADC 61.193.77.0/24 1 ADC 218.88.32.1/32 2 ADC 192.168.0.0/24 3
A S 0.0.0.0/0
[admin@MikroTik] ip route>
www.mikrotik.com.cn - winbox Terminal Terminalpaste
- 52 -
www.mikrotik.com.cn
218.88.32.1 IP 218.88.32.1 Terminal
[hcf@NAT] ip route> prin Flags: X - disabled, A - active, D -
dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf #
DST-ADDRESS PREFSRC 61.193.77.77 218.88.32.10 192.168.0.1 r
61.193.77.1 r 218.88.32.1 r 218.88.32.1 r 218.88.32.1 r 218.88.32.1
r 218.88.32.1 r 218.88.32.1 r 218.88.32.1 r 218.88.32.1 r
218.88.32.1 r 218.88.32.1 r 218.88.32.1 r 218.88.32.1 r 218.88.32.1
G GATEWAY DIS INTERFACE WAN1 pppoe-out1 LAN WAN1 pppoe-out1
pppoe-out1 pppoe-out1 pppoe-out1 pppoe-out1 pppoe-out1 pppoe-out1
pppoe-out1 pppoe-out1 pppoe-out1 pppoe-out1 pppoe-out1
pppoe-out1
0 ADC 61.193.77.0/24 1 ADC 218.88.32.1/32 2 ADC 192.168.0.0/24 3
A S 0.0.0.0/0 4 A S 218.4.0.0/15 5 A S 218.6.0.0/16 6 A S
218.13.0.0/16 7 A S 218.14.0.0/15 8 A S 218.16.0.0/14 9 A S
218.20.0.0/16 10 A S 218.21.0.0/17 11 A S 218.22.0.0/15 12 A S
218.30.0.0/15 13 A S 218.62.128.0/17 14 A S 218.63.0.0/16 15 A S
218.64.0.0/15 16 A S 218.66.0.0/16 .....
/tool netwatch Network , 222.212.48.1
:foreach i in=[/ip route find gateway=218.88.32.1] do={/ip rout
disable $i} :foreach i in=[/ip route find gateway=218.88.32.1]
do={/ip rout enable $i}
ISP ADSL LAN
- 53 -
www.mikrotik.com.cn
6H
IP IP IP ISP1 ISP2 192.168.100.0/24IP
192.168.100.1-127 A 192.168.100.128-253 B 192.168.100.254 IP
A 192.168.100.0/25192.168.100.0-127 B
192.168.100.128/25192.168.100.128-255 TCP/IP ip firewall mangle A B
A chain=preroutingsrc-address=192.168.100.0/25 Action=mark routing
GroupA.
- 54 -
www.mikrotik.com.cn
B chain=preroutingsrc-address=192.168.100.128/25 Action=mark
routing GroupB
IP GroupA GroupBrouting table
- 55 -
www.mikrotik.com.cn
NAT /ip firewall nat src- Address=192.168.100.0/24
action=masquerade, A
C:\>tracert -d 8.8.8.8 Tracing route to 8.8.8.8 over a
maximum of 30 hops
1 2 ...
2 ms 10 ms
2 ms 4 ms
2 ms 192.168.100.254 3 ms 10.1.0.1
B
C:\>tracert -d 8.8.8.8 Tracing route to 8.8.8.8 over a
maximum of 30 hops
1 2 ...
2 ms 10 ms
2 ms 4 ms
2 ms 192.168.100.254 3 ms 10.5.8.1
PPTP A B PPTP A
- 56 -
www.mikrotik.com.cn
A B 10ms B B A PPTP A PPTP B A IP 202.112.12.10B
202.112.12.12
PPPTP-Server A PPTP-Server
Default-Profile default-encryption PPTP-Server profiles
Keepalive-Timeout PPTP-Server ICMP ICMP Server Profile
- 57 -
www.mikrotik.com.cn
PPTP-Server IP 192.168.100.1(local-address)
192.168.100.2(remote-address) IP Secrets profile /ip pool DHCP
limit
limit idle-timeout 1 Rate-limit 512K 1M only-one yes
- 58 -
www.mikrotik.com.cn
secret name password service pptpprofile default-encryption
PPTP-Server
PPTP-Client PPTP B PPTP-Client PPP PPTP-Client
dial-out PPTP server-address 202.112.12.10 A
- 59 -
www.mikrotik.com.cn
cdnat A PPTP-Server
A B IP NAT A A A B AB PPTP A PPTP IP 192.168.100.1
PPTP A
RouterOS v3 NTH v3.0 NTH everypacket
RouterOS v3 1every 0 passthrough
nth=2,1 50% passthrough=no 25% 3.0 2.9
50%
/ip firewall mangle add action=mark-packet chain=prerouting
new-packet-mark=AAA nth=2,1 passthrough=no;
- 60 -
www.mikrotik.com.cn
1/3 2/3 50% 1/3
/ip firewall mangle add action=mark-packet chain=prerouting
new-packet-mark=AAA nth=3,1 passthrough=no; add action=mark-packet
chain=prerouting new-packet-mark=BBB nth=2,1 passthrough=no; add
action=mark-packet chain=prerouting new-packet-mark=CCC ;
3
/ip firewall mangle add action=mark-packet chain=prerouting
new-packet-mark=AAA nth=3,1 passthrough=yes; add action=mark-packet
chain=prerouting new-packet-mark=BBB nth=3,2 passthrough=yes; add
action=mark-packet chain=prerouting new-packet-mark=CCC nth=3,3
passthrough=yes;
RouterOS3.0
- 61 -
www.mikrotik.com.cn
/ ip address add address=192.168.0.1/24 network=192.168.0.0
broadcast=192.168.0.255 interface=local add address=10.111.0.2/24
network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2 add
address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255
interface=wlan1
/ ip firewall mangle 0 chain=prerouting action=mark-connection
new-connection-mark=odd passthrough=no connection-state=new
in-interface=local nth=2,1
1
chain=prerouting action=mark-connection new-connection-mark=even
passthrough=no connection-state=new in-interface=local
2
chain=prerouting action=mark-routing new-routing-mark=odd
passthrough=yes connection-mark=odd
3
chain=prerouting action=mark-routing new-routing-mark=even
passthrough=yes connection-mark=even
/ ip firewall nat add chain=srcnat connection-mark=odd
action=src-nat to-addresses=10.111.0.2 \ to-ports=0-65535 add
chain=srcnat connection-mark=even action=src-nat
to-addresses=10.112.0.2 \ to-ports=0-65535
/ ip route add dst-address=0.0.0.0/0 gateway=10.111.0.1
scope=255 target-scope=10 routing-mark=odd add
dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10
routing-mark=even
- 62 -
www.mikrotik.com.cn
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255
target-scope=10
connection=new nth oddevenGatewayA GatewayB
IP / ip address add address=192.168.0.1/24 network=192.168.0.0
broadcast=192.168.0.255 interface=Local add address=10.111.0.2/24
network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2 add
address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255
interface=wlan1
WAN 10.111.0.2/24 10.112.0.2/24LAN 192.168.0.1/24 LOCAL
Mangle nth
/ ip firewall mangle 0 chain=prerouting action=mark-connection
new-connection-mark=odd passthrough=no connection-state=new
in-interface=local nth=2,1
1
chain=prerouting action=mark-connection new-connection-mark=even
passthrough=no connection-state=new in-interface=local
- 63 -
www.mikrotik.com.cn
odd odd v3 NTH even
/ ip firewall mangle 2 chain=prerouting action=mark-routing
new-routing-mark=odd passthrough=yes connection-mark=odd
3
chain=prerouting action=mark-routing new-routing-mark=even
passthrough=yes connection-mark=even
new-routing-mark
NAT / ip firewall nat add chain=srcnat connection-mark=odd
action=src-nat to-addresses=10.111.0.2 \ to-ports=0-65535 add
chain=srcnat connection-mark=even action=src-nat
to-addresses=10.112.0.2 \ to-ports=0-65535
ODD NAT 10.111.0.2 EVEN NAT 10.112.0.2
/ ip route add dst-address=0.0.0.0/0 gateway=10.111.0.1
scope=255 target-scope=10 routing-mark=odd add
dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10
routing-mark=even
ODD 10.111.0.1 EVEN 10.112.0.1
- 64 -
www.mikrotik.com.cn
/ ip route add dst-address=0.0.0.0/0 gateway=10.112.0.1
scope=255 target-scope=10
10.112.0.2
Network Netwatch ping
: advanced-tools : Level1 : /tool netwatch : none Hardware
usage: Not significant Netwatch IP ICMP ping netwatch
down-script () unknown up down host (IP ; : 0.0.0.0) IP interval
(; : 1s) ping status (: up | down | unknown) up up down down
unknown timeout (; : 1s) ping timeout down up-script () - unknown
down up
- 65 -
www.mikrotik.com.cn
gw_1 gw_2
[admin@MikroTik] system script> add name=gw_1 source={/ip
route set {... [/ip route find dst 0.0.0.0] gateway 10.0.0.1}
[admin@MikroTik] system script> add name=gw_2 source={/ip route
set {.. [/ip route find dst 0.0.0.0] gateway 10.0.0.217}
[admin@MikroTik] system script> /tool netwatch [admin@MikroTik]
tool netwatch> add host=10.0.0.217 interval=10s timeout=998ms
\\... up-script=gw_2 down-script=gw_1 [admin@MikroTik] tool
netwatch> print Flags: X - disabled # 0 HOST 10.0.0.217 TIMEOUT
997ms INTERVAL 10s STATUS up
[admin@MikroTik] tool netwatch> print detail Flags: X -
disabled 0 host=10.0.0.217 timeout=997ms interval=10s
since=feb/27/2003 14:01:03 status=up up-script=gw_2
down-script=gw_1
[admin@MikroTik] tool netwatch>
up "gw_2"
[admin@MikroTik] > /ip route set [/ip route find dst 0.0.0.0]
gateway 10.0.0.217
/ip route find dst 0.0.0.0 dst-address 0.0.0.0 /ip route set
down "gw_1"
[admin@MikroTik] > /ip route set [/ip route find dst 0.0.0.0]
gateway 10.0.0.1
10.0.0.217 10.0.0.215 e-mail
[admin@MikroTik] system script> add name=e-down source={/tool
e-mail send {... from="[email protected]" server="159.148.147.198"
body="Router down" {... subject="Router at second floor is down"
to="[email protected]"} [admin@MikroTik] system script> add
name=e-up source={/tool e-mail send {... from="[email protected]"
server="159.148.147.198" body="Router up" {.. subject="Router at
second floor is up" to="[email protected]"} [admin@MikroTik] system
script> [admin@MikroTik] system script> /tool netwatch
[admin@MikroTik] system netwatch> add host=10.0.0.215
timeout=999ms \ \... interval=20s up-script=e-up
down-script=e-down
- 66 -
www.mikrotik.com.cn
[admin@MikroTik] tool netwatch> print detail Flags: X -
disabled 0 host=10.0.0.215 timeout=998ms interval=20s
since=feb/27/2003 14:15:36 status=up up-script=e-up
down-script=e-down
[admin@MikroTik] tool netwatch>
DHCP DHCP-Client : /ip dhcp-client MikroTik RouterOS DHCP-client
client DNS IP DHCP-client
add-default-route (yes | no; : yes) DHCP client-id ()
administraor ISP enabled (yes | no; : no) DHCP host-name ()
interface (; : (unknown)) interface ( wireless EoIP ) use-peer-dns
(yes | no; : yes) DHCP DNS (/ip dns )
renew
ether1 interface DHCP-client
[admin@MikroTik] ip dhcp-client> set enabled=yes
interface=ether1 [admin@MikroTik] ip dhcp-client> print enabled:
yes interface: ether1 host-name: "" client-id: ""
add-default-route: yes use-peer-dns: yes [admin@MikroTik] ip
dhcp-client>
DHCP-Server - 67 -
www.mikrotik.com.cn
: /ip dhcp-server setup
dhcp server interface () DHCP interface dhcp address space (IP
/; : 192.168.0.0/24) DHCP gateway (IP ; : 0.0.0.0) dhcp relay (IP ;
: 0.0.0.0) DHCP DHCP DHCP IP addresses to give out () DHCP IP dns
servers (IP ) DHCP DNS lease time (; : 3d)
DHCP ether1 interface 10.0.0.2 10.0.0.254 10.0.0.1 DNS
159.148.60.2 3
[admin@MikroTik] ip dhcp-server> setup DHCP interface
dhcp server interface: ether1 DHCP
dhcp address space: 10.0.0.0/24
gateway for dhcp network: 10.0.0.1 IP DHCP
addresses to give out: 10.0.0.2-10.0.0.254 DNS
dns servers: 159.148.60.2
lease time: 3d [admin@MikroTik] ip dhcp-server>
[admin@MikroTik] ip dhcp-server> print Flags: X - disabled, I
- invalid # 0 NAME dhcp1 INTERFACE RELAY ether1 0.0.0.0
ADDRESS-POOL LEASE-TIME ADD-ARP dhcp_pool1 3d no
[admin@MikroTik] ip dhcp-server> network print # ADDRESS 0
10.0.0.0/24 GATEWAY 10.0.0.1 DNS-SERVER 159.148.60.2 WINS-SERVER
DOMAIN
[admin@MikroTik] ip dhcp-server> /ip pool print
- 68 -
www.mikrotik.com.cn
# NAME 0 dhcp_pool1 [admin@MikroTik] ip dhcp-server> RANGES
10.0.0.2-10.0.0.254
GraphingGraphing RouterOS : system, routerboard(optional) :
Level1 : /tool graphing
Graphing
Routerboard () (CPU, Disk usage) Interfaces simple queues
Graphing - Web page http://[Router_IP_address]/graphs/ RouterOS
5 store-every RouterOS generates four graphics for each item:
"Daily" Graph (5 Minute Average) "Weekly" Graph (30 Minute
Average) "Monthly" Graph (2 Hour Average) "Yearly" Graph (1 Day
Average)
allow-address
: /tool graphing
store-every (5min | hour | 24hours; : 5min)
- 69 -
www.mikrotik.com.cn
/tool graphing set store-every=hour [admin@NAT] tool
graphing> print store-every: hour [admin@NAT] tool
graphing>
: /tool graphing health RouterBoard routerboard RouterBoard
Property Descriptionallow-address (IP /; : 0.0.0.0/0)
store-on-disk (yes | no; : yes) no RAM
Graphing: /tool graphing interface interface
allow-address (IP /; : 0.0.0.0/0) -
http://[Router_IP_address]/graphs/, interface (; : all) interface
store-on-disk (yes | no; : yes) -no RAM
192.168.0.0/24 ether1 :
[admin@NAT] tool graphing interface> add interface=ether1
allow-address=192.168.0.0/24 store-on-disk=yes [admin@NAT] tool
graphing interface> print Flags: X - disabled # 0 INTERFACE
ALLOW-ADDRESS ether1 192.168.0.0/24 STORE-ON-DISK yes
[admin@NAT] tool graphing interface>
Graphing - 70 -
www.mikrotik.com.cn
: /tool graphing queue /queue simple
allow-address (IP /; : 0.0.0.0/0) -
http://[Router_IP_address]/graphs/, allow-target (yes | no; : yes)
/queue simple target-address IP graphing web simple-queue (; : all)
simple queue store-on-disk (yes | no; : yes) -no RAM
simple queue simple-queue queue1:
[admin@NAT] tool graphing queue> add simple-queue=queue1
allow-address=192.168.0.0/24 store-on-disk=yes
Graphing: /tool graphing resource
CPU usage Memory usage Disk usage
allow-address (IP /; : 0.0.0.0/0) -
http://[Router_IP_address]/graphs/, store-on-disk (yes | no; : yes)
-no RAM
IP 192.168.0.0/24
[admin@NAT] tool graphing resource> add
allow-address=192.168.0.0/24 store-on-disk=yes [admin@NAT] tool
graphing resource> print Flags: X - disabled # 0 ALLOW-ADDRESS
192.168.0.0/24 STORE-ON-DISK yes
[admin@NAT] tool graphing resource>
- 71 -
www.mikrotik.com.cn
System Watchdog.
: system : Level1 : /system watchdog : : Not significant
: /system watchdog
IP . , () . RouterBOARD
auto-send-supout (yes | no; default: no) automatic-supout (yes |
no; default: yes) , "autosupout.rif" . "autosupout.rif"
"autosupout.old.rif" no-ping-delay (time; default: 5m) ping
watch-address. watch-address 6 . send-email-from (text; default:
"") . /tool e-mail send-email-to (text; default: "")
send-smtp-server (text; default: "") SMTP . /tool e-mail
watch-address (IP address; default: none) 6 ping ip 10 none
watchdog-timer (yes | no; default: no)
192,0.2.1 [email protected]:
[admin@MikroTik] system watchdog> set auto-send-supout=yes \
\... [email protected] send-smtp-server=192.0.2.1
[admin@MikroTik] system watchdog> print
- 72 -
www.mikrotik.com.cn
watch-address: none watchdog-timer: yes no-ping-delay: 5m
automatic-supout: yes auto-send-supout: yes send-smtp-server:
192.0.2.1 send-email-to: [email protected] [admin@MikroTik]
system watchdog>
Bandwidth-text MikroTik
TCP TCP TCP TCP TCP TCP TCP UDP UDP 110% MTU 1500 UDP Bandwidth
Test (by default) Bandwidth Test bandwidth test Bandwidth Testing
Router Bandwidth :
UDP Bandwidth Test IP header+UDP header+UDP TCP Bandwidth Test
TCP TCP IP
Server : /tool bandwidth-server
allocate-udp-ports-from UDP authenticate (yes | no; : yes) - 73
-
www.mikrotik.com.cn
enable (yes | no; : no) max-sessions bandwidth-test
Bandwidth :
[admin@MikroTik] tool bandwidth-server> print enabled: yes
authenticate: yes allocate-udp-ports-from: 2000 max-sessions: 10
[admin@MikroTik] tool>
[admin@MikroTik] tool> bandwidth-server session print #
CLIENT 0 35.35.35.1 1 25.25.25.1 2 36.36.36.1 PROTOCOL DIRECTION
USER udp udp udp send send send admin admin admin
[admin@MikroTik] tool>
bandwidth-test
[admin@MikroTik] tool bandwidth-server> set enabled=yes
authenticate=no [admin@MikroTik] tool bandwidth-server> print
enabled: yes authenticate: no allocate-udp-ports-from: 2000
max-sessions: 10 [admin@MikroTik] tool>
Client : /tool bandwidth-test
(IP address) - IP assume-lost-time (time; : 0s) Bandwidth Server
direction (receive / transmit / both; : receive) - do (name |
string; : "") - duration (time; : 0s) - 0s
interval (time: 20ms..5s; : 1s) - 74 -
www.mikrotik.com.cn
local-tx-speed (integer; : 0) (bits per second)0
local-udp-tx-size (integer: 40..64000) UDP password (text; : "")
protocol (udp | tcp; : udp) random-data (yes | no; : no)
yesBandwidth ( CPUrandom-data no) remote-tx-speed (integer; : 0)
(bits per second)0
remote-udp-tx-size (integer: 40..64000) UDP user (name; : "")
-
10.0.0.211 15 1000-byte UDP admin.
[admin@MikroTik] tool> bandwidth-test 10.0.0.211 duration=15s
direction=both \... size=1000 protocol=udp user=admin status: done
testing duration: 15s tx-current: 3.62Mbps tx-10-second-average:
3.87Mbps tx-total-average: 3.53Mbps rx-current: 3.33Mbps
rx-10-second-average: 3.68Mbps rx-total-average: 3.49Mbps
[admin@MikroTik] tool>
Torch (): system : Level1 : /tool : none : Not significant
torch . . Torch . - 75 -
www.mikrotik.com.cn
Torch : /tool torch
(name) dst-address (IP address/netmask) : 0.0.0.0/0 .
freeze-frame-interval (time) port (name | integer) protocol (any |
any-ip | ddp | egp | encap | ggp | gre | hmp | icmp | idpr-cmtp |
igmp | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pup
| rdp | rspf | st | tcp | udp | vmtp | xns-idp | xtp) any -
any-ip
src-address (IP address/netmask) : 0.0.0.0/0
, tcp udp , any any-ip tcp udp.
, (,).
telnet ether1 :
[admin@MikroTik] tool> torch ether1 port=telnet SRC-PORT 1439
DST-PORT 23 (telnet) TX 1.7kbps RX 368bps
[admin@MikroTik] tool>
IP ether1
[admin@MikroTik] tool> torch ether1 protocol=any-ip PRO.. TX
tcp udp 1.06kbps 896bps RX 608bps 3.7kbps 480bps 192bps
icmp 480bps ospf 0bps
[admin@MikroTik] tool>
IP 10.0.0.144/32 ether1
[admin@MikroTik] tool> torch ether1 src-address=10.0.0.144/32
protocol=any PRO.. SRC-ADDRESS tcp 10.0.0.144 TX 1.01kbps 480bps RX
608bps 480bps - 76 -
icmp 10.0.0.144
www.mikrotik.com.cn
[admin@MikroTik] tool>
tcp/udp ether1
[admin@MikroTik] tool> torch ether1 protocol=any-ip port=any
PRO.. SRC-PORT tcp udp tcp 3430 2812 1059 DST-PORT 22 (ssh) 1813
(radius-acct) 139 (netbios-ssn) TX 1.06kbps 512bps 248bps RX 608bps
2.11kbps 360bps
[admin@MikroTik] tool>
Manglemangle IP mangle IP IP : system : Level1 : /ip firewall
mangle : IP7H
Mangle RouterOS queue-trees NAT Mangle
Peer-to-Peer VoIP HTTP P2P RouterOS QOS mangle queues P2P
1Mbps
[admin@NAT] > /ip firewall mangle add chain=forward
p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn
[admin@NAT] > /ip firewall mangle add chain=forward
connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p
[admin@NAT] > /ip firewall mangle add chain=forward
packet-mark=!p2p_conn action=mark-packet new-packet-mark=other
[admin@NAT] > /ip firewall mangle print - 77 -
www.mikrotik.com.cn
Flags: X - disabled, I - invalid, D - dynamic 0 chain=forward
p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn
1
chain=forward connection-mark=p2p_conn action=mark-packet
new-packet-mark=p2p
2
chain=forward packet-mark=!p2p_conn action=mark-packet
new-packet-mark=other
[admin@NAT] > [admin@NAT] > /queue tree add parent=Public
packet-mark=p2p limit-at=1000000 max-limit=100000000 priority=8
[admin@NAT] > /queue tree add parent=Local packet-mark=p2p
limit-at=1000000 max-limit=100000000 priority=8 [admin@NAT] >
/queue tree add parent=Public packet-mark=other limit-at=1000000
max-limit=100000000 priority=1 [admin@NAT] > /queue tree add
parent=Local packet-mark=other limit-at=1000000 max-limit=100000000
priority=1
Firewall FilteFirewall
firewall TCP 135
/ip firewall filter add chain=forward dst-port=135 protocol=tcp
action=drop
Telnet ( TCP, 23)
/ip firewall filter add chain=input protocol=tcp dst-port=23
action=drop
: system : Level1 (P2P filters limited to 1) , Level3 : /ip
firewall filter : IP, RFC21138H 9H
Firewall : /ip firewall filter LAN
- 78 -
www.mikrotik.com.cn
MikroTik RouterOS
P2P 7 IPv6 MAC IP IP (ICMP TCP IP MSS) Interface ToS (DSCP) byte
packet content rate at which packets arrive and sequence
numbers
o o o o o o o o o o o o
IP Chains chainsinput, forward output action=jump
jump-target
chains
input IP IP input-chains forward output
- 79 -
www.mikrotik.com.cn
chain chain
input
- 80 -
www.mikrotik.com.cn
input
0
;;;
IP (src-address= IP,)
chain=input src-address=192.168.100.2 action=accept 1 ;;;
chain=input connection-state=invalid action=drop 2 ;;;
chain=input action=drop
forward
forward 7 ICMP virus
0 ;;;
chain=forward connection-state=established action=accept 1
;;;
chain=forward connection-state=related action=accept
- 81 -
www.mikrotik.com.cn
2 ;;; TCP 80 ICMP
chain=forward connection-state=invalid action=drop 3 ;;;
chain=forward protocol=tcp connection-limit=80,32 action=drop 4
;;;
chain=forward src-address-type=!unicast action=drop 5 ;;;
chain=forward protocol=icmp action=jump jump-target=ICMP 6
;;;
chain=forward action=jump jump-target=virus
forward
ICMP ICMPInternet ICMP IP ICMP IP TCP UDP ping traceroute trace
TTL ICMP ICMP
ICMP
0
;;; Ping 5
- 82 -
www.mikrotik.com.cn
chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5
action=accept 1 ;;; Traceroute 5 chain=ICMP protocol=icmp
icmp-options=3:3 limit=5,5 action=accept 2 ;;; MTU 5 chain=ICMP
protocol=icmp icmp-options=3:4 limit=5,5 action=accept 3 ;;; Ping 5
chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5
action=accept 4 ;;; Trace TTL 5 chain=ICMP protocol=icmp
icmp-options=11:0-255 limit=5,5 action=accept 5 ;;; ICMP
chain=ICMP protocol=icmp action=drop
virus
RouterOS admin input input
/ ip firewall filter add chain=input connection-state=invalid
action=drop comment="Drop Invalid connections" add chain=input
connection-state=established action=accept \ comment="Allow
Established connections" add chain=input protocol=udp action=accept
\ comment="Allow UDP" add chain=input protocol=icmp action=accept \
comment="Allow ICMP" add chain=input src-address=192.168.0.0/24
action=accept \ comment="Allow access to router from known network"
add chain=input action=drop comment="Drop anything else"
- 83 -
www.mikrotik.com.cn
RouterOS admin input input
/ ip firewall filter add chain=input connection-state=invalid
action=drop comment="Drop Invalid connections" add chain=input
connection-state=established action=accept \ comment="Allow
Established connections" add chain=input protocol=udp action=accept
\ comment="Allow UDP" add chain=input protocol=icmp action=accept \
comment="Allow ICMP" add chain=input src-address=192.168.0.0/24
action=accept \ comment="Allow access to router from known network"
add chain=input action=drop comment="Drop anything else"
icmp tcp udp chains
/ip firewall filter add chain=forward protocol=tcp
connection-state=invalid \ action=drop comment="drop invalid
connections" add chain=forward connection-state=established
action=accept \ comment="allow already established connections" add
chain=forward connection-state=related action=accept \
comment="allow related connections"
IP
add chain=forward src-address=0.0.0.0/8 action=drop add
chain=forward dst-address=0.0.0.0/8 action=drop add chain=forward
src-address=127.0.0.0/8 action=drop add chain=forward
dst-address=127.0.0.0/8 action=drop add chain=forward
src-address=224.0.0.0/3 action=drop add chain=forward
dst-address=224.0.0.0/3 action=drop
chains
add chain=forward protocol=tcp action=jump jump-target=tcp add
chain=forward protocol=udp action=jump jump-target=udp add
chain=forward protocol=icmp action=jump jump-target=icmp
- 84 -
www.mikrotik.com.cn
tcp-chain tcp
add chain=tcp protocol=tcp dst-port=69 action=drop \
comment="deny TFTP" add chain=tcp protocol=tcp dst-port=111
action=drop \ comment="deny RPC portmapper" add chain=tcp
protocol=tcp dst-port=135 action=drop \ comment="deny RPC
portmapper" add chain=tcp protocol=tcp dst-port=137-139 action=drop
\ comment="deny NBT" add chain=tcp protocol=tcp dst-port=445
action=drop \ comment="deny cifs" add chain=tcp protocol=tcp
dst-port=2049 action=drop comment="deny NFS" add chain=tcp
protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny
NetBus" add chain=tcp protocol=tcp dst-port=3133 action=drop
comment="deny BackOriffice" add chain=tcp protocol=tcp
dst-port=67-68 action=drop comment="deny DHCP"
udp-chain udp Deny udp ports in udp chain:
add chain=udp protocol=udp dst-port=69 action=drop comment="deny
TFTP" add chain=udp protocol=udp dst-port=111 action=drop
comment="deny PRC portmapper" add chain=udp protocol=udp
dst-port=135 action=drop comment="deny PRC portmapper" add
chain=udp protocol=udp dst-port=137-139 action=drop comment="deny
NBT" add chain=udp protocol=udp dst-port=2049 action=drop
comment="deny NFS" add chain=udp protocol=udp dst-port=3133
action=drop comment="deny BackOriffice"
icmp-chain icmp
add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
comment="drop invalid connections" add chain=icmp protocol=icmp
icmp-options=3:0 action=accept \ comment="allow established
connections" add chain=icmp protocol=icmp icmp-options=3:1
action=accept \ comment="allow already established connections" add
chain=icmp protocol=icmp icmp-options=4:0 action=accept \
comment="allow source quench" add chain=icmp protocol=icmp
icmp-options=8:0 action=accept \ comment="allow echo request" add
chain=icmp protocol=icmp icmp-options=11:0 action=accept \
comment="allow time exceed" add chain=icmp protocol=icmp
icmp-options=12:0 action=accept \ comment="allow parameter bad" add
chain=icmp action=drop comment="deny all other types"
10H
MikroTik RouterOS 3.0 7 - 85 -
www.mikrotik.com.cn
RouterOS V3.0 7 skype QQ MSN 7 ip firewall Layer7 Protocols
7 Regexp Regexp 7 http://www.mikrotik.com.cn/download/m3dex.htm
MikroTik RouterOS 3.0 7 11H 12H
FTPFiles
(Terminal) 7 import 17-protos.rsc - 86 -
www.mikrotik.com.cn
Script file loaded and executed successfully Layer7
Protocols
ip firewall Layer7 Protocols Filter Rules L7
- 87 -
www.mikrotik.com.cn
QQ QQ Advanced Layer7 Protocols qq Action drop
QQ drop
IP IP src-address dst-address
- 88 -
www.mikrotik.com.cn
: /ip firewall connection
IP statefulstateless estabilished new related FTP ICMP invalid
prerouting output NAT NAT P2P IP /ip firewall connection 64M RAM
65536 128M RAM 130000
connection-mark (read-only: text) - mangle dst-address
(read-only: IP address:port) - protocol (read-only: text) IP p2p
(read-only: text) P2P reply-src-address (read-only: IP
address:port) - reply-dst-address (read-only: IP address:port) -
src-address (read-only: IP address:port) - tcp-state (read-only:
text) - TCP timeout (read-only: time) - assured (read-only: true |
false) - icmp-id (read-only: integer) - ICMP ID ICMP ICMP ID ICMP
icmp-option (read-only: integer) - ICMP reply-icmp-id (read-only:
integer) - ICMP ID reply-icmp-option (read-only: integer) - ICMP
unreplied (read-only: true | false) -
: /ip firewall connection tracking
- 89 -
www.mikrotik.com.cn
timeout TCP TCP
count-curent (read-only: integer) - count-max (read-only:
integer) - enable (yes | no; default: yes) - generic-timeout (time;
default: 10m) - TCP UDP icmp-timeout (time; default: 10s) - ICMP
tcp-close-timeout (time; default: 10s) - RST ACK
tcp-close-wait-timeout (time; default: 10s) - FIN
tcp-established-timeout (time; default: 1d) - tcp-fin-wait-timeout
(time; default: 10s) - FIN tcp-syn-received-timeout (time; default:
1m) - SYN tcp-syn-sent-timeout (time; default: 1m) - SYN
tcp-time-wait-timeout (time; default: 10s) - SYNFIN FIN udp-timeout
(time; default: 10s) - udp-stream-timeout (time; default: 3m) -
H323VoIP
:
1/16 1 - 90 -
www.mikrotik.com.cn
3/16 1 1/2 10 13/16 1
NAT statefull-firewalling
ICMP ICMP ICMP ICMP ICMP Ping o o Trace o o 11:0 TTL 3:3 8:0
0:0
MTU o 3:4 Fragmentation-DF-Set
ICMP pingICMP tracerouteTTL MTUICMP Fragmentation-DF-Set
Peer-to-Peer Peer-to-peer p2p Skype http e-mail RouterOS P2P QOS
Fasttrack (Kazaa, KazaaLite, Diet Kazaa, Grokster, iMesh, giFT,
Poisoned, mlMac) Gnutella (Shareaza, XoLoX, , Gnucleus, BearShare,
LimeWire (java), Morpheus, Phex, Swapper, Gtk-Gnutella (linux),
Mutella (linux), Qtella (linux), MLDonkey, Acquisition (Mac OS),
Poisoned, Swapper, Shareaza, XoloX, mlMac) Gnutella2 (Shareaza,
MLDonkey, Gnucleus, Morpheus, Adagio, mlMac)
- 91 -
www.mikrotik.com.cn
DirectConnect (DirectConnect (AKA DC++), MLDonkey, NeoModus
Direct Connect, BCDC++, CZDC++ ) eDonkey (eDonkey2000, eMule, xMule
(linux), Shareaza, MLDonkey, mlMac, Overnet) Soulseek (Soulseek,
MLDonkey) BitTorrent (BitTorrent, BitTorrent++, uTorrent, Shareaza,
MLDonkey, ABC, Azureus, BitAnarch, SimpleBT, BitTorrent.Net, mlMac)
Blubster (Blubster, Piolet) WPNP (WinMX) Warez (Warez, Ares;
starting from 2.8.18) drop
DMZ DMZ demilitarized zone Web FTP DMZ
3 Public Local DMZ-Zone :
[admin@gateway] interface> print Flags: X - disabled, D -
dynamic, R - running # NAME TYPE ether ether ether RX-RATE 0 0 0
TX-RATE 0 0 0 MTU 1500 1500 1500
0 R Public 1 R Local 2 R DMZ-zone [admin@gateway]
interface>
Interface IP
[admin@gateway] ip address> print Flags: X - disabled, I -
invalid, D - dynamic # 0 1 2 3 ADDRESS 192.168.0.2/24 10.0.0.254/24
10.1.0.1/32 192.168.0.3/24 NETWORK 192.168.0.0 10.0.0.0 10.1.0.2
192.168.0.0 BROADCAST INTERFACE Public Local DMZ-zone Public
192.168.0.255 10.0.0.255 10.1.0.2 192.168.0.255
[admin@gateway] ip address>
[admin@MikroTik] ip route> print - 92 -
www.mikrotik.com.cn
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C -
connect, S - static, r - rip, o - ospf, b - bgp # DST-ADDRESS G
GATEWAY r 10.0.0.254 r 0.0.0.0 DISTANCE INTERFACE 1 0 ether1
ether1
0 S 0.0.0.0/0 1 DC 10.0.0.0/24
[admin@MikroTik] ip route>
DMZ IP IP 10.1.0.2 10.1.0.1/24 10.1.0.1 DMZ dst-nat 192.168.0.3
DMZ
[admin@gateway] ip firewall nat> add chain=dst-nat
action=dst-nat \ \... dst-address=192.168.0.3
to-dst-address=10.1.0.2 [admin@gateway] ip firewall dst-nat>
print Flags: X - disabled, I - invalid, D - dynamic
1
Chain=dst-nat dst-address=192.168.0.3 action=dst-nat
to-dst-address=10.1.0.2
[admin@gateway] ip firewall nat>
Queue(delivery) MikroTik RouterOS :
PFIFO - BFIFO SFQ - RED - Random Early Detect PCQ HTB -
: system : Level1 (limited to 1 queue) Level3 : /queue : None :
Significant
(QoS) QoS RouterOS :
- 93 -
www.mikrotik.com.cn
IP P2P WEB (:) ( global-in global-out global-total)
QoS TCP TCP QoS :
Queuing discipline (qdisc) - ( ) CIR (Committed Information
Rate) - MIR (Maximal Information Rate) - Priority - Contention
Ratio - () : 1:4 4
/queue interface ( )(/queue tree)/queue interface
qdiscs:
(schedulers) - : PFIFO BFIFO SFQ PCQ RED (shapers) - PCQ HTB
RouterOS :
global-in - (INGRESS ) global-in global-in mangle dst-nat
global-out - global-total - qdisc global-total total-max-limit
256000 upload+download=256kbps()
HTB HTB() RouterOS HTB
- 94 -
www.mikrotik.com.cn
HTB qdisc :
HTB :
queuing discipline (qdisc) - ( ) Qdisc filter - level - inner
class - leaf class - 0 self feed - 8 self slot - (self feed) (self
slot) active class (at a particular level) - inner feed - inner
feed slot -
0 RouterOS 2 :
limit-at - (CIR) max-limit - (MIR) priority - (8 1 )
HTB 3 :
green - limit-at limit-at limit-at=512000
max-limit=limit-at=128000 512kbps
yellow - limit-at yellow green
red - max-limit
- 95 -
www.mikrotik.com.cn
HTB
green 0 Leaf1 Leaf2 Leaf27 Leaf18 HTB round robin
HTB HTB 3 /ip firewall mangle (packet_mark1 packet_mark2 and
packet_mark3) HTB
[admin@MikroTik] queue tree> add name=ClassA parent=Local
max-limit=2048000 [admin@MikroTik] queue tree> add name=ClassB
parent=ClassA max-limit=1024000 [admin@MikroTik] queue tree> add
name=Leaf1 parent=ClassA max-limit=2048000 \ \ limit-at=1024000
packet-mark=packet_mark1 priority=8 [admin@MikroTik] queue tree>
add name=Leaf2 parent=ClassB max-limit=1024000 \ \ limit-at=256000
packet-mark=packet_mark2 priority=7 [admin@MikroTik] queue tree>
add name=Leaf3 parent=ClassB max-limit=1024000 \ \ limit-at=768000
packet-mark=packet_mark3 priority=8 [admin@MikroTik] queue tree>
print Flags: X - disabled I - invalid 0 name="ClassA" parent=Local
packet-mark="" limit-at=0 queue=default priority=8
max-limit=2048000 burst-limit=0 burst-threshold=0 burst-time=0s
1
name="ClassB" parent=ClassA packet-mark="" limit-at=0
queue=default priority=8 max-limit=1024000 burst-limit=0
burst-threshold=0 burst-time=0s
2
name="Leaf1" parent=ClassA packet-mark=packet_mark1
limit-at=1024000 queue=default priority=8 max-limit=2048000
burst-limit=0 burst-threshold=0 burst-time=0s
3
name="Leaf2" parent=ClassB packet-mark=packet_mark2
limit-at=256000 queue=default priority=7 max-limit=1024000
burst-limit=0
- 96 -
www.mikrotik.com.cn
burst-threshold=0 burst-time=0s
4
name="Leaf3" parent=ClassB packet-mark=packet_mark3
limit-at=768000 queue=default priority=8 max-limit=1024000
burst-limit=0 burst-threshold=0 burst-time=0s
[admin@MikroTik] queue tree>
HTB 1. Leaf1 Leaf2 Leaf1 priority=8 0Leaf2 priority=7 Leaf3
0 Leaf1 and Leaf2 green Leaf2 Leaf1 2. Leaf2 256kbps Class B
priority=7 1 Leaf1 green 1MbpsLeaf3
Leaf1 Leaf2 green Leaf2 8 Leaf2 0 Class B - 97 -
www.mikrotik.com.cn
1 Leaf2 1 3. Leaf1 max-limit red Leaf2 1Mbps 2Mbps Class B Class
A yellow Leaf3
Leaf1 max-limitClass ALeaf2 2 Class B Class B Class A Leaf3
Leaf2 4. Leaf2 Class B Class B Class A Class A max-limit2Mbps
Leaf2 yellow Class B Class A 5. Leaf1 Leaf2 Leaf3 Class B yellow
Class A green
- 98 -
www.mikrotik.com.cn
Leaf1 ClassA Leaf2 Leaf3 ClassB ClassB ClassA 2 Leaf2 Leaf2
Leaf3 2 8 round robin
Bursts 1/16 burst-time burst-time burst-threshold burst-limit
bps max-limit limit-at max-limit=256000 burst-time=8
burst-threshold=192000 burst-limit=512000 HTTP
8 0bps burst-threshold (192kbps)(0+0+0+0+0+0+0+512)/8=64kbps
burst-threshold(0+0+0+0+0+0+512+512)/8=128kbps burst-threshold
max-limit (256kbps)
RouterOS HTB RouterOS 4 HTB :
- 99 -
www.mikrotik.com.cn
global-in global-total global-out interface queue
3 HTB (in global-in global-total and global-out) 4 HTB global-in
global-total global-out and interface queue global-in global-total
HTB global-total global-out interface
: /queue type
/queue tree /queue simple /queue interface
PFIFO BFIFO(FIFOFirst-In First-Out)PFIFO BFIFO pfifo-limit
(bfifo-limit) FIFO
FIFO
SFQSFQTCP UDP SFQ round-robin sfq-perturb Round-robin
pcq-allot
- 100 -
www.mikrotik.com.cn
SFQ 128 1024 SFQ starve
PCQ SFQ Per Connection Queuing (PCQ) SFQPCQ pcq-classifier
pcq-rate pcq-limit PCQ pcq-total-limit PCQ
src-address IP pcq-rate src-address src-address pcq-classifier
pcq-rate 0 PCQ
REDRandom Early Detection RED red-min-threshold RED
red-max-threshold red-max-threshold red-limit
- 101 -
www.mikrotik.com.cn
RED TCP UDP
bfifo-limit (integer; default: 15000) - BFIFO kind (bfifo | pcq
| pfifo | red | sfq) bfifo - Bytes First-In-First-Out pcq - Per
Connection Queue pfifo - Packets First-In-First-Out red - Random
Early Detection sfq - Stohastic Fairness Queuing name (name) -
pcq-classifier (dst-address | dst-port | src-address | src-port;
default: "") pcq-limit (integer; default: 50) - PCQ pcq-rate
(integer; default: 0) - 0 pcq-total-limit (integer; default: 2000)
- PCQ pfifo-limit (integer) - PFIFP red-avg-packet (integer;
default: 1000) - RED red-burst (integer) - RED red-limit (integer)
- red-max-threshold (integer) - red-min-threshold (integer) - RED
sfq-allot (integer; default: 1514) - round-robin sfq-perturb
(integer; default: 5) - SFQ PCQ src-addresssrc-port
Queue interface : /queue interface
interface (read-only: name; default: name of the interface) -
queue (name; default: default) -
- 102 -
www.mikrotik.com.cn
wireless-default
[admin@MikroTik] queue interface> set 0
queue=wireless-default [admin@MikroTik] queue interface> print #
INTERFACE QUEUE 0 wlan1 wireless-default
[admin@MikroTik] queue interface>
Simple Queue IP / QoS
P2P /ip firewall mangle
burst-limit (integer/integer) - in/out/ burst-threshold
(integer/integer) - burst-threshold burst-limit in/out/ burst-time
(integer/integer) - in/out/ direction (none both upload download) -
none - the queue is effectively inactive both - the queue limits
both target upload and target download upload - the queue limits
only target upload leaving the download rates unlimited download -
the queue limits only target download leaving the upload rates
unlimited dst-address (IP address/netmask) - dst-netmask (netmask)
- dst-address interface (text) - limit-at (integer/integer) in/out/
max-limit (integer/integer) - in/out/ name (text) - p2p (any |
all-p2p | bit-torrent | blubster | direct-connect | edonkey |
fasttrack | gnutella | soulseek | winmx) - P2P all-p2p - match all
P2P traffic any - match any packet (ie do not check this property)
packet-marks (name; default: "") - /ip firewall mangle ("") parent
(name) - priority (integer: 1..8) - 1 8
- 103 -
www.mikrotik.com.cn
queue (name/name; default: default/default) - in/out//queue type
target-addresses (IP address/netmask) - IP time (time-timesat | fri
| thu | wed | tue | mon | sun{+}; default: "") - total-burst-limit
(integer) - global-total total-burst-threshold (integer) -
global-total total-burst-time (time) - global-total total-limit-at
(integer) - total-limit-at bps total-max-limit (integer) -
global-total ( total-max-limit bps) total-queue (name) -
global-total
Queue tree : /queue tree IP /ip firewall mangle
burst-limit (integer) - burst-threshold (integer) -
burst-threshold burst-limit burst-time (integer) - flow (text) -
/ip firewall mangle limit-at (integer) - max-limit (integer) - name
(text) - parent (text) - HTB priority (integer: 1..8) - 1 8 queue
(text) - /queue type
128Kibps/64Kibps
- 104 -
www.mikrotik.com.cn
128kps 64kps IP 192.168.0.0/24
MikroTik router IP
[admin@MikroTik] ip address> print Flags: X disabled, I
invalid, D - dynamic # 0 1 ADDRESS 192.168.0.254/24 10.5.8.104/24
NETWORK 192.168.0.0 10.5.8.0 BROADCAST INTERFACE Local
192.168.0.255 10.5.8.255
Public
[admin@MikroTik] ip address>
[admin@MikroTik] ip route> print Flags: X disabled, A active,
D dynamic, C connect, S static, r rip, b bgp, o - ospf #
DST-ADDRESS G GATEWAY DISTANCE INTERFACE Public Local r 10.5.8.1
Public
0 ADC 10.5.8.0/24 1 ADC 192.168.0.0/24 2 A S 0.0.0.0/0
[admin@MikroTik] ip route>
192.168.0.0/24 128kbps 64kbps Local
[admin@MikroTik] queue simple> add name=Limit-Local
interface=Local \ \. target-address=192.168.0.0/24
max-limit=65536/131072 [admin@MikroTik] queue simple> print
Flags: X - disabled I - invalid D - dynamic 0 name="Limit-Local"
target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0
- 105 -
www.mikrotik.com.cn
interface=Local parent=none priority=8 queue=default/default
limit-at=0/0 max-limit=65536/131072 total-queue=default
[admin@MikroTik] queue simple>
max-limit 65536/131072 131072bps 65536bps target-addresses
[admin@MikroTik] interface> monitor-traffic Local
received-packets-per-second: 7 received-bits-per-second: 68kbps
sent-packets-per-second: 13 sent-bits-per-second: 135kbps
[admin@MikroTik] interface>
max-limit=0/0
[admin@MikroTik] queue simple> add name=Server
target-addresses=192.168.0.1/32 \\... interface=Local
[admin@MikroTik] queue simple> print Flags: X - disabled I -
invalid D - dynamic 0 name="Limit-Local"
target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0
interface=Local parent=none priority=8 queue=default/default
limit-at=0/0 max-limit=65536/131072 total-queue=default
1
name="Server" target-addresses=192.168.0.1/32
dst-address=0.0.0.0/0 interface=Local parent=none priority=8
queue=default/default limit-at=0/0 max-limit=0/0
total-queue=default
[admin@MikroTik] queue simple> mo 1 0 [admin@MikroTik] queue
simple> print Flags: X - disabled I - invalid D - dynamic 0
name="Server" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0
interface=Local parent=none priority=8 queue=default/default
limit-at=0/0 max-limit=0/0 total-queue=default
1
name="Limit-Local" target-addresses=192.168.0.0/24
dst-address=0.0.0.0/0 interface=Local parent=none priority=8
queue=default/default limit-at=0/0 max-limit=65536/131072
total-queue=default
[admin@MikroTik] queue simple>
128kbps 64kbps 256kbps 128kbps 64kbps 64kbps 128kbps - 106 -
www.mikrotik.com.cn
64/32/32kbps 64kbps 32kbps new-connection-mark mark-connection
new-packet-mark mark-packet
[admin@MikroTik] ip firewall mangle> add
src-address=192.168.0.1/32 \ \... action=mark-connection
new-connection-mark=server-con chain=prerouting [admin@MikroTik] ip
firewall mangle> add connection-mark=server-con \ \...
action=mark-packet new-packet-mark=server chain=prerouting
[admin@MikroTik] ip firewall mangle> print Flags: X - disabled I
- invalid D - dynamic 0 chain=prerouting src-address=192.168.0.1
action=mark-connection new-connection-mark=server-con
1
chain=prerouting connection-mark=server-con action=mark-packet
new-packet-mark=server
[admin@MikroTik] ip firewall mangle>
[admin@MikroTik] ip firewall mangle> add
src-address=192.168.0.2 \ \... action=mark-connection
new-connection-mark=lap_works-con chain=prerouting [admin@MikroTik]
ip firewall mangle> add src-address=192.168.0.3 \ \...
action=mark-connection new-connection-mark=lap_works-con
chain=prerouting [admin@MikroTik] ip firewall mangle> add
connection-mark=lap_works-con \
- 107 -
www.mikrotik.com.cn
\... action=mark-packet new-packet-mark=lap_work
chain=prerouting [admin@MikroTik] ip firewall mangle> print
Flags: X - disabled I - invalid D - dynamic 0 chain=prerouting
src-address=192.168.0.1 action=mark-connection
new-connection-mark=server-con
1
chain=prerouting connection-mark=server-con action=mark-packet
new-packet-mark=server
2
chain=prerouting src-address=192.168.0.2 action=mark-connection
new-connection-mark=lap_works-con
3
chain=prerouting src-address=192.168.0.3 action=mark-connection
new-connection-mark=lap_works-con
4
chain=prerouting connection-mark=lap_works-con
action=mark-packet new-packet-mark=lap_work
[admin@MikroTik] ip firewall mangle>
/queue tree
[admin@MikroTik] queue tree> add name=Server-Download
parent=Local \ \... limit-at=131072 packet-mark=server
max-limit=262144 [admin@MikroTik] queue tree> add
name=Server-Upload parent=Public \ \... limit-at=65536
packet-mark=server max-limit=131072 [admin@MikroTik] queue tree>
print Flags: X - disabled I - invalid 0 name="Server-Download"
parent=Local packet-mark=server limit-at=131072 queue=default
priority=8 max-limit=262144 burst-limit=0 burst-threshold=0
burst-time=0s 1 name="Server-Upload" parent=Public
packet-mark=server limit-at=65536 queue=default priority=8
max-limit=131072 burst-limit=0 burst-threshold=0 burst-time=0s
[admin@MikroTik] queue tree>
[admin@MikroTik] queue tree> add name=Laptop-Wkst-Down
parent=Local \ \... packet-mark=lap_work limit-at=65535
max-limit=262144 [admin@MikroTik] queue tree> add
name=Laptop-Wkst-Up parent=Public \ \... packet-mark=lap_work
limit-at=32768 max-limit=131072 [admin@MikroTik] queue tree>
print Flags: X - disabled I - invalid 0 name="Server-Download"
parent=Local packet-mark=server limit-at=131072 queue=default
priority=8 max-limit=262144 burst-limit=0
- 108 -
www.mikrotik.com.cn
burst-threshold=0 burst-time=0s
1
name="Server-Upload" parent=Public packet-mark=server
limit-at=65536 queue=default priority=8 max-limit=131072
burst-limit=0 burst-threshold=0 burst-time=0s
2
name="Laptop-Wkst-Down" parent=Local packet-mark=lap_work
limit-at=65535 queue=default priority=8 max-limit=262144
burst-limit=0 burst-threshold=0 burst-time=0s
3
name="Laptop-Wkst-Up" parent=Public packet-mark=lap_work
limit-at=32768 queue=default priority=8 max-limit=131072
burst-limit=0 burst-threshold=0 burst-time=0s
[admin@MikroTik] queue tree>
192.168.0.0/24 10Mbps 2Mbps Host A 2Mbps Host B 8Mbps There
might be situations when both hosts want to use maximum bandwidth
(10 Mibps) then they will receive 5 Mibps each the same goes for
upload 10Mbps 5Mbps 2
users 192.168.0.0/24
/ip firewall mangle add chain=forward src-address=192.168.0.0/24
\ action=mark-connection new-connection-mark=users-con /ip firewall
mangle add connection-mark=users-con action=mark-packet \
new-packet-mark=users chain=forward
- 109 -
www.mikrotik.com.cn
2 PCQ pcq-download 192.168.0.0/24 pcq-upload 192.168.0.0/24
/queue type add name=pcq-download kind=pcq
pcq-classifier=dst-address /queue type add name=pcq-upload kind=pcq
pcq-classifier=src-address
/queue tree add name=Download parent=Local max-limit=10240000
/queue tree add parent=Download queue=pcq-download
packet-mark=users
/queue tree add name=Upload parent=Public max-limit=2048000
/queue tree add parent=Upload queue=pcq-upload
packet-mark=users
ISP
/queue tree add parent=Local queue=pcq-download
packet-mark=users /queue tree add parent=Public queue=pcq-upload
packet-mark=users
mangle
/queue simple add queue=pcq-upload/pcq-download
target-addresses=192.168.0.0/24
RouterOS RouterOS PCQ ,
- 110 -
www.mikrotik.com.cn
PCQ 128k 128k PCQ PCQ 0k 2 73k Queue Type PCQ
PCQ rate=0 down
- 111 -
www.mikrotik.com.cn
Queue Type Simple Queue 1M 512k 192.168.10.0/24
Interface Queue Type PCQ Up Down
- 112 -
www.mikrotik.com.cn
PCQ
IP RouterOSaddress-list www.mikrotik.com.cn13H
import
/ip firewall address-list
- 113 -
www.mikrotik.com.cn
mangle/ip firewall mangle 192.168.0.0/24
src-address=192.168.0.0/24 mangle
/ ip firewall mangle add chain=prerouting
src-address=192.168.0.0/24 dst-address-list=Telecom
action=mark-connection new-connection-mark=Telecom passthrough=yes
comment="" disabled=no
- 114 -
www.mikrotik.com.cn
Telecom
/ ip firewall mangle add chain=prerouting
connection-mark=Telecom action=mark-packet new-packet-mark=TEL
passthrough=no comment="" disabled=no
simple queue/queue simple 1M 2M
- 115 -
www.mikrotik.com.cn
/ queue simple add name="telecom" dst-address=0.0.0.0/0
interface=all parent=none packet-marks=TEL direction=both
priority=8 queue=default-small/default-small limit-at=0/0
max-limit=1000000/2000000 total-queue=default-small disabled=no
NAT(NAT) IP () IP
: system : Level1 (number of rules limited to 1) Level3 : /ip
firewall nat : IP RFC1631 RFC266314H 15H 16H
: CPUNAT
NAT IP IP natted() natted NAT NAT (NAT )/ IP :
srcnat natted NAT IP IP
dstnat natted dstnat IP IP IP
NAT UDP TCP NAT IPsec AH
- 116 -
www.mikrotik.com.cn
NAT NAT to-addresses to-ports web dst-nat action=nat
action=redirect web web web IP web IP web HTTP/1.1 HTTP web IP HTTP
web HTTP web
action (accept | add-dst-to-address-list |
add-src-to-address-list | dst-nat | jump | log | masquerade |
netmap | passthrough | redirect | return | same | src-nat; default:
accept) - action accept - add-dst-to-address-list - address-list IP
add-src-to-address-list - address-list IP dst-nat - to-addresses
to-ports IP jump - jump-target log - action masquerade - IP IP
netmap - IP 11 IP passthrough - redirect - IP return - same - / IP
src-nat - IP to-addresses to-ports
address-list (name) - action=add-dst-
