
WLAN Access Point General Standards_JETT


WLAN AP Standards


Page 1: WLAN Access Point General Standards_JETT

Ref. W1

Rule Title: The network element must not have any default manufacturer passwords.

Vulnerability Discussion: Network elements not protected with strong password schemes provide the opportunity for anyone to crack the password, thus gaining access to the device and causing network outage or denial of service. Many default vendor passwords are well known; hence, not removing them prior to deploying the network element into production

Ref. W2

Rule Title: A service or feature that calls home to the vendor must be disabled.

Vulnerability Discussion: Call home services or features will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. The risk that transmission of sensitive data sent to

Ref. W7

Rule Title: The network element’s OOBM interface must be configured with an OOBM network address.

Vulnerability Discussion: The OOBM access switch will connect to the management interface of the managed network elements. The management interface of the managed network element will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic, thereby providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the OOBM interface does not have an IP address from the managed network address space, it will not have reachability from the NOC using scalable and normal control plane and forwarding mechanisms.

Ref. W8

Rule Title: The network element’s management interface must be configured with both an ingress and egress ACL.

Vulnerability Discussion: The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network.

Ref. W10

Rule Title: The network element must time out access to the console port after 10 minutes or less of inactivity.

Vulnerability Discussion: Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.

Ref. W11

Rule Title: The network element’s auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.

Vulnerability Discussion: The use of POTS lines to modems connecting to network devices exposes authentication traffic in clear text over commercial circuits, where it could be captured and used to compromise the network. Additionally, war dial attacks on the device could degrade the device and the production network.

Ref. W12

Rule Title: The network device must require authentication prior to establishing a management connection for administrative access.

Vulnerability Discussion: Network devices with no password for administrative access via a management connection provide the opportunity for anyone with network access to the device to make configuration changes, enabling them to disrupt network operations and cause a network outage.

Ref. W13

Rule Title: The network element must only allow management connections for administrative access from hosts residing in the management network.

Vulnerability Discussion: Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment could acquire the device account and password information. With this intercepted information they could gain access to the infrastructure and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.

Ref. W16

Rule Title: The network element must time out management connections for administrative access after 10 minutes or less of inactivity.

Vulnerability Discussion: Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled between the managed network element and a PC or terminal server when the latter has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element as well as reduce the risk of a management session being hijacked. Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.

Ref. W17

Rule Title: The network element must log all attempts to establish a management connection for administrative access.

Vulnerability Discussion: Audit logs are necessary to provide a trail of evidence in case the network is compromised. Without an audit trail that records when, where, who and how, repeat offenders could continue attacks against the network indefinitely. With this information, the network administrator can devise ways to block the attack and possibly identify and prosecute the attacker.

Ref. W18

Rule Title: The network element must be configured to time out after 60 seconds or less for incomplete or broken SSH sessions.

Vulnerability Discussion: An attacker may attempt to connect to the device using SSH by guessing the authentication method, encryption algorithm, and keys. Limiting the amount of time allowed for authenticating and negotiating the SSH session reduces the window of opportunity for the malicious user attempting to make a connection to the network element.

Ref. W19

Rule Title: The network element must be configured for a maximum number of unsuccessful SSH login attempts set at 3 before resetting the interface.

Vulnerability Discussion: An attacker may attempt to connect to the device using SSH by guessing the authentication method and authentication key or shared secret. Setting the authentication retry to 3 or less strengthens the device against a brute-force attack.

Ref. W20

Rule Title: The network element must not allow SSH Version 1 to be used for administrative access.

Vulnerability Discussion: SSH Version 1 is a protocol that has never been defined in a standard. Since SSH-1 has inherent design flaws which make it vulnerable to attacks, e.g., man-in-the-middle attacks, it is now generally considered obsolete and should be avoided by explicitly disabling fallback to SSH-1.

Ref. W22

Rule Title: WLAN SSIDs must be changed from the manufacturer’s default to a pseudo random word that does not identify the unit, base, organization, etc.

Vulnerability Discussion: An SSID that identifies the unit, site or purpose of the WLAN, or that is set to the manufacturer default, may cause a security vulnerability.

Ref. W23

Rule Title: The WLAN inactive session timeout must be set for 30 minutes or less.

Vulnerability Discussion: A WLAN session that never terminates due to inactivity may allow an opening for an adversary to hijack the session to obtain access to the network.

Ref. W24

Rule Title: WLAN signals must not be intercepted outside areas authorized for WLAN access.

Vulnerability Discussion: Most commercially-available WLAN equipment is pre-configured for signal power appropriate to most applications of the WLAN equipment. In some cases, this may permit the signals to be received outside the physical areas for which they are intended. This may occur when the intended area is relatively small, such as a conference room, or when the access point is placed near a window or wall, thereby allowing signals to be received in neighboring areas. In such cases, an adversary may be able to compromise the site’s security posture by measuring the presence of the signal and the quantity of data transmitted to obtain information about when personnel are active and what they are doing. Furthermore, if the signal is not appropriately protected through defense-in-depth mechanisms, the adversary could possibly use the connection to access networks and sensitive information.

Ref. W26

Rule Title: The password configured on the WLAN Access Point for key generation and client access must be set to a 14 character or longer complex password.

Vulnerability Discussion: If the organization does not use a strong passcode for client access, then it is significantly more likely that an adversary will be able to obtain it. Once this occurs, the adversary may be able to obtain full network access, obtain sensitive information, and attack other information systems.

Ref. W30

Rule Title: Wireless access points and bridges must be placed in dedicated subnets outside the perimeter.

Vulnerability Discussion: If an adversary is able to compromise an access point or controller that is directly connected to an internal network, then the adversary can easily surveil and attack other devices from that beachhead. A defense-in-depth approach requires that an additional layer of protection exist between the WLAN and the internal network. This is particularly important for wireless networks, which may be vulnerable to attack from outside the physical perimeter of the facility or base given the inherent nature of radio communications to penetrate walls, fences, and other physical boundaries.
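Rules W22, W23 and W26 can be checked offline against a RouterOS export such as the one reproduced later on this page. The Python audit below is an added example, not part of the original checklist or of any MikroTik tooling. The sample export is constructed, and three mappings are assumptions: `MikroTik` as the manufacturer default SSID, the hotspot `idle-timeout` as the WLAN inactive session timeout, and "complex" meaning at least three of four character classes.

```python
import re
import shlex

SAMPLE_EXPORT = r'''# constructed sample export: every value below is made up
/interface wireless security-profiles
set [ find default=yes ] authentication-types="" mode=none name=default \
    wpa2-pre-shared-key=""
add authentication-types=wpa2-psk mode=dynamic-keys name=staff \
    wpa2-pre-shared-key="Tr0ub4dor&3-horse-battery"
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=guest \
    wpa2-pre-shared-key=1e0a7c55
/interface wireless
set 0 name=wlan1 security-profile=default ssid=MikroTik
add name=wlan2 security-profile=staff ssid="quartz-lantern"
add name=wlan3 security-profile=guest ssid="HQ-Guest"
/ip hotspot
add idle-timeout=5m interface=wlan2 name=hs-staff
add idle-timeout=none interface=wlan3 name=hs-guest
add idle-timeout=1h30m interface=wlan1 name=hs-open
'''

DEFAULT_SSID = "MikroTik"    # assumption: manufacturer default SSID
MIN_PSK_LEN = 14             # W26: 14 characters or longer
MAX_IDLE_SECONDS = 30 * 60   # W23: 30 minutes or less
UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_export(text):
    """Parse export text into a list of (menu, verb, params) records."""
    # A trailing backslash continues the command; the next line's indentation
    # is dropped, which rejoins values that were split in the middle.
    records, menu, buf = [], None, ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        line, buf = buf, ""
        if line.startswith("/"):
            menu = line
        elif line and not line.startswith("#"):
            tokens, params, depth = shlex.split(line), {}, 0
            for tok in tokens[1:]:
                depth += (tok == "[") - (tok == "]")  # skip "[ find ... ]"
                if depth == 0 and "=" in tok:
                    key, _, value = tok.partition("=")
                    params[key] = value
            records.append((menu, tokens[0], params))
    return records


def duration_seconds(value):
    """Convert '5m' or '1h30m' to seconds; '' and 'none' mean no timeout."""
    if value in ("", "none"):
        return None
    if not re.fullmatch(r"(\d+[wdhms])+", value):
        raise ValueError(f"unrecognised duration: {value!r}")
    return sum(int(n) * UNIT_SECONDS[u]
               for n, u in re.findall(r"(\d+)([wdhms])", value))


def psk_problem(profile):
    """Return a W26 message for a security profile, never the key itself."""
    if profile.get("mode", "none") == "none":
        return "open network, no key configured"
    psk = profile.get("wpa2-pre-shared-key", "")  # only the WPA2 key is checked
    if len(psk) < MIN_PSK_LEN:
        return f"pre-shared key has {len(psk)} characters, needs {MIN_PSK_LEN}+"
    classes = sum(bool(re.search(p, psk))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:  # assumed reading of "complex"
        return f"pre-shared key uses only {classes} character classes"
    return None


def audit(text, identifying_words=()):
    """Return (rule, object name, message) findings for W22, W23 and W26."""
    records = parse_export(text)
    profiles = {p["name"]: p for menu, _, p in records
                if menu == "/interface wireless security-profiles" and "name" in p}
    findings = []
    for menu, _, p in records:
        name = p.get("name", "?")
        if menu == "/interface wireless":
            ssid = p.get("ssid", "")
            if ssid == DEFAULT_SSID or any(
                    w.lower() in ssid.lower() for w in identifying_words):
                findings.append(("W22", name, "SSID is default or identifying"))
            problem = psk_problem(profiles.get(p.get("security-profile", "default"), {}))
            if problem:
                findings.append(("W26", name, problem))
        elif menu == "/ip hotspot":
            idle = duration_seconds(p.get("idle-timeout", "none"))
            if idle is None or idle > MAX_IDLE_SECONDS:
                findings.append(("W23", name, "idle timeout unset or above 30 minutes"))
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE_EXPORT, identifying_words=("hq",)), sep="\n")
```

`identifying_words` is a hypothetical site-supplied list of unit, base or organization names that must not appear in an SSID.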

RouterOS command

REMARKS

# oct/09/2014 13:25:03 by RouterOS 5.24
# software id = NK7I-3JCM
#


/interface bridge
add admin-mac=D4:CA:6D:9F:3D:25 ageing-time=5m arp=enabled auto-mac=no \
    disabled=no forward-delay=15s l2mtu=1598 max-message-age=20s mtu=1504 \
    name=bridge-local priority=0x8000 protocol-mode=rstp transmit-hold-count=\
    6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1600 \
    mac-address=D4:CA:6D:9F:3D:24 mtu=1500 name=ether1-gateway speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:9F:3D:25 \
    master-port=none mtu=1500 name=ether2-master-local speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:9F:3D:26 \
    master-port=none mtu=1500 name=ether3-slave-local speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:9F:3D:27 \
    master-port=none mtu=1500 name=ether4-slave-local speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:9F:3D:28 \
    master-port=none mtu=1500 name=ether5-slave-local speed=100Mbps
/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch1
/interface wireless security-profiles
set [ find default=yes ] authentication-types="" eap-methods=passthrough \
    group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
    management-protection=disabled management-protection-key="" mode=none \
    name=default radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
    static-sta-private-algo=none static-sta-private-key="" \
    static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
    none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key=\
    "" wpa2-pre-shared-key=""
add authentication-types=wpa-psk,wpa2-psk eap-methods=passthrough \
    group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
    management-protection=disabled management-protection-key="" mode=\
    dynamic-keys name=password radius-eap-accounting=no \
    radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=\
    disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
    static-sta-private-algo=none static-sta-private-key="" \
    static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
    none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key=\
    password wpa2-pre-shared-key=1e090e7e4e6807
/interface wireless
set 0 adaptive-noise-immunity=client-mode allow-sharedkey=no antenna-gain=0 \
    antenna-mode=ant-a area="" arp=enabled band=2ghz-b/g/n basic-rates-a/g=\
    36Mbps basic-rates-b=11Mbps bridge-mode=enabled channel-width=20mhz \
    compression=no country=no_country_set default-ap-tx-limit=0 \
    default-authentication=yes default-client-tx-limit=0 default-forwarding=\
    yes dfs-mode=no-radar-detect disable-running-check=no disabled=no \
    disconnect-timeout=3s distance=indoors frame-lifetime=0 frequency=2412 \
    frequency-mode=manual-txpower frequency-offset=0 hide-ssid=no \
    ht-ampdu-priorities=0 ht-amsdu-limit=8192 ht-amsdu-threshold=8192 \
    ht-basic-mcs=mcs-5,mcs-7 ht-guard-interval=long ht-rxchains=0 \
    ht-supported-mcs=mcs-5,mcs-7,mcs-12,mcs-15 ht-txchains=0 \
    hw-fragmentation-threshold=disabled hw-protection-mode=rts-cts \
    hw-protection-threshold=255 hw-retries=7 l2mtu=2290 mac-address=\
    D4:CA:6D:9F:3D:29 max-station-count=2007 mode=ap-bridge mtu=1500 \
    multicast-helper=default name=wlan1 noise-floor-threshold=-90 \
    nv2-cell-radius=30 nv2-noise-floor-offset=default nv2-preshared-key="" \
    nv2-qos=default nv2-queue-count=2 nv2-security=disabled \
    on-fail-retry-time=100ms periodic-calibration=default \
    periodic-calibration-interval=60 preamble-mode=both \
    proprietary-extensions=post-2.9.25 radio-name=D4CA6D9F3D29 \
    rate-selection=advanced rate-set=configured scan-list=default \
    security-profile=default ssid="_WF SMART" station-bridge-clone-mac=\
    00:00:00:00:00:00 supported-rates-a/g=36Mbps,54Mbps supported-rates-b=\
    11Mbps tdma-period-size=2 tx-power=1 tx-power-mode=all-rates-fixed \
    update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=\
    none wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled \
    wireless-protocol=any wmm-support=enabled
/interface wireless manual-tx-power-table
set wlan1 manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9M\
    bps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:\
    17,HT20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,H\
    T40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-\
    7:17"
/interface wireless nstreme
set wlan1 disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=\
    3200 framer-policy=none
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
    hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=\
    cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 \
    split-user-domain=no use-radius=no
add dns-name=pow.portal.ph hotspot-address=192.168.88.1 html-directory=\
    pow_wifun http-proxy=0.0.0.0:0 login-by=https,http-pap name=POWProfile \
    nas-port-type=wireless-802.11 radius-accounting=no radius-default-domain=\
    pow.wifun.ph radius-location-id="" radius-location-name="" \
    radius-mac-format=XX:XX:XX:XX:XX:XX rate-limit="" smtp-server=0.0.0.0 \
    split-user-domain=no ssl-certificate=none use-radius=yes
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default \
    shared-users=unlimited status-autorefresh=1m transparent-proxy=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=port3 ranges=10.5.30.2-10.5.30.254
add name=port4 ranges=10.5.40.2-10.5.40.254
add name=port5 ranges=10.5.60.2-10.5.60.254
add name=wifi ranges=10.5.50.2-10.5.50.254
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=bridge-local lease-time=3d name=default
add address-pool=port3 authoritative=after-2sec-delay bootp-support=static \
    disabled=no interface=ether3-slave-local lease-time=3d name=port3dhcp
add address-pool=port4 authoritative=after-2sec-delay bootp-support=static \
    disabled=no interface=ether4-slave-local lease-time=3d name=port4dhcp
add address-pool=port5 authoritative=after-2sec-delay bootp-support=static \
    disabled=no interface=ether5-slave-local lease-time=3d name=port5dhcp
add address-pool=wifi authoritative=after-2sec-delay bootp-support=static \
    disabled=no interface=personal lease-time=3d name=wifidhcp
/ip hotspot
add address-pool=default-dhcp addresses-per-mac=2 disabled=no idle-timeout=5m \
    interface=bridge-local keepalive-timeout=none name=POWHotspot profile=\
    POWProfile
/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=\
    default use-encryption=default use-mpls=default use-vj-compression=\
    default
set 1 change-tcp-mss=yes name=default-encryption only-one=default \
    use-compression=default use-encryption=yes use-mpls=default \
    use-vj-compression=default
/interface pptp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 comment=pow_vpn \
    connect-to=65.181.120.40 dial-on-demand=no disabled=no max-mru=1460 \
    max-mtu=1460 mrru=disabled name=pow_vpn password=b1946ac92492d2347c6235b4d2611184; profile=\
    default-encryption user=0b53719b1ade59b556b62b5b5560512b
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
    red-limit=60 red-max-threshold=50 red-min-threshold=10

set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=none name=only-hardware-queue
set 6 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 7 kind=pfifo name=default-small pfifo-limit=10
/routing bgp instance
set default as=65530 client-to-client-reflection=yes disabled=no \
    ignore-as-path-len=no name=default out-filter="" redistribute-connected=\
    no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no \
    redistribute-static=no router-id=0.0.0.0 routing-table=""
/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never in-filter=\
    ospf-in metric-bgp=auto metric-connected=20 metric-default=1 \
    metric-other-ospf=auto metric-rip=20 metric-static=20 name=default \
    out-filter=ospf-out redistribute-bgp=no redistribute-connected=no \
    redistribute-other-ospf=no redistribute-rip=no redistribute-static=no \
    router-id=0.0.0.0
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=\
    backbone type=default
/snmp community
set [ find default=yes ] addresses="" authentication-password="" \
    authentication-protocol=MD5 encryption-password="" encryption-protocol=\
    DES name=public read-access=yes security=none write-access=no
/system logging action
set 0 memory-lines=100 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=100 \
    disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote-port=514 src-address=0.0.0.0 \
    syslog-facility=daemon syslog-severity=auto target=remote
add bsd-syslog=no name=WebProxy remote-port=514 src-address=0.0.0.0 \
    syslog-facility=daemon syslog-severity=auto target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,w\
    eb,sniff,sensitive,api,!ftp,!write,!policy" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pa\
    ssword,web,sniff,sensitive,api,!ftp,!policy" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,\
    winbox,password,web,sniff,sensitive,api" skin=default
/interface bridge port
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether2-master-local path-cost=10 point-to-point=auto priority=\
    0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
    interface=wlan1 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
    interface=wlan3 path-cost=10 point-to-point=no priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \

    interface=wlan4 path-cost=10 point-to-point=no priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
    interface=wlan6 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
    interface=wlan5 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
    interface=wlan7 path-cost=10 point-to-point=no priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
    interface=wlan8 path-cost=10 point-to-point=no priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
    interface=wlan9 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
    interface=wlan2 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
    interface="wlan wep 64" path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
    interface="wlan wep 128" path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
    interface="wlan wep 154" path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
    interface=wlanWPA2 path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
    no
/interface ethernet switch port
set 0 vlan-header=leave-as-is vlan-mode=fallback
set 1 vlan-header=leave-as-is vlan-mode=fallback
set 2 vlan-header=leave-as-is vlan-mode=fallback
set 3 vlan-header=leave-as-is vlan-mode=fallback
set 4 vlan-header=leave-as-is vlan-mode=fallback
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=\
    default-encryption enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=\
    1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
    default enabled=no keepalive-timeout=60 mac-address=FE:A5:57:72:9D:EC \
    max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
    default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=\
    disabled port=443 verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
    00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \

    frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
    multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
    no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=no \
    interface=bridge-local network=192.168.88.0
add address=10.5.30.1/24 disabled=no interface=ether3-slave-local network=\
    10.5.30.0
add address=10.5.40.1/24 disabled=no interface=ether4-slave-local network=\
    10.5.40.0
add address=10.5.60.1/24 disabled=no interface=ether5-slave-local network=\
    10.5.60.0
add address=10.5.50.1/24 disabled=no interface=personal network=10.5.50.0
/ip dhcp-client
add add-default-route=yes comment="default configuration" \
    default-route-distance=1 disabled=no interface=ether1-gateway \
    use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=10.5.30.0/24 dhcp-option="" dns-server="" gateway=10.5.30.1 \
    ntp-server="" wins-server=""
add address=10.5.40.0/24 dhcp-option="" dns-server="" gateway=10.5.40.1 \
    ntp-server="" wins-server=""
add address=10.5.50.0/24 dhcp-option="" dns-server="" gateway=10.5.50.1 \
    ntp-server="" wins-server=""
add address=10.5.60.0/24 dhcp-option="" dns-server="" gateway=10.5.60.1 \
    ntp-server="" wins-server=""
add address=192.168.88.0/24 comment="default configuration" dhcp-option="" \
    dns-server=192.168.88.1 gateway=192.168.88.1 ntp-server="" wins-server=""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=4096 servers=""
/ip dns static
add address=192.168.88.1 disabled=no name=router ttl=1d
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \

    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established disabled=no
add action=accept chain=input comment="default configuration" \
    connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no \
    in-interface=ether1-gateway
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="default configuration" disabled=\
    no out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=no src-address=10.5.30.0/24
add action=masquerade chain=srcnat disabled=no src-address=10.5.40.0/24
add action=masquerade chain=srcnat disabled=no src-address=10.5.60.0/24
add action=masquerade chain=srcnat disabled=no src-address=10.5.50.0/24
add action=dst-nat chain=dstnat comment=OpenDNS disabled=no dst-port=53 \
    protocol=udp src-address=192.168.88.0/24 to-addresses=208.67.222.123 \
    to-ports=53
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot walled-garden
add action=allow comment="place hotspot rules here" disabled=yes dst-port=""
add action=allow disabled=no dst-host=*.wifun.ph dst-port=""
add action=allow disabled=no dst-host=pow.portal.ph dst-port=""
/ip hotspot walled-garden ip
add action=accept comment=allow_source disabled=no src-address=\
    106.186.124.211
add action=accept comment=allow_destination disabled=no dst-address=\
    106.186.124.211
add action=accept comment=allow_source disabled=no src-address=65.181.120.40
add action=accept comment=allow_destination disabled=no dst-address=\
    65.181.120.40
add action=accept disabled=no dst-address=192.168.88.1
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \

    cache-on-disk=no enabled=no max-cache-size=unlimited \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=\
    no src-address=0.0.0.0
/ip route
add disabled=no distance=1 dst-address=192.168.0.0/16 gateway=pow_vpn scope=\
    30 target-scope=10
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=\
    all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no \
    max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest password="" read-only=yes
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
    inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
set [ find default=yes ] disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no \
    lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0 \
    use-explicit-null=no
/port firmware
set directory=firmware ignore-directip-modem=no
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set ether1-gateway queue=only-hardware-queue
set ether2-master-local queue=only-hardware-queue
set ether3-slave-local queue=only-hardware-queue
set ether4-slave-local queue=only-hardware-queue
set ether5-slave-local queue=only-hardware-queue

set wlan1 queue=wireless-default
/radius
add accounting-backup=no accounting-port=1813 address=106.186.124.211 \
    authentication-port=1812 called-id="" comment=pow_radius disabled=no \
    domain=pow.wifun.ph realm="" secret=4332wurx service=hotspot timeout=5s
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s \
    multiplier=5
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
    gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
    0.0.0.0 timeout=1m ttl=50
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
    metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
    redistribute-connected=no redistribute-ospf=no redistribute-static=no \
    routing-table=main timeout-timer=3m update-timer=30s
/snmp
set contact="" enabled=no engine-id="" location="" trap-generators="" \
    trap-target="" trap-version=1
/system clock
set time-zone-name=Asia/Singapore
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
    "jan/01/1970 00:00:00" time-zone=+00:00
/system identity
set name=Wifun_d4ca6d9f3d24
/system leds
set 0 disabled=no interface=wlan1 leds=wlan-led type=wireless-status
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
add action=WebProxy disabled=no prefix="" topics=web-proxy
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp=121.58.193.100 secondary-ntp=\
    121.58.193.100
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto

/system routerboard settings
set boot-device=nand-if-fail-then-ethernet boot-protocol=bootp cpu-frequency=\
    400MHz force-backup-booter=no silent-boot=no
/system scheduler
add disabled=no interval=5m name=CloudCheck on-event=CloudPing policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    start-date=jan/02/1970 start-time=08:08:59
add disabled=no interval=5m name=FTP on-event=WebWatcher policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    start-date=jan/02/1970 start-time=08:08:59
add disabled=no interval=5m name=Updater on-event=UpdateFiles policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    start-date=jan/02/1970 start-time=08:08:59
/system script
add name=WiFunOnline policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    source="/ip hotspot profile set [/ip hotspot profile find name=POWProfile]\
    \_html-directory=pow_wifun login-by=http-pap,https"
add name=WiFunBypass policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    source="/ip hotspot profile set [/ip hotspot profile find name=POWProfile]\
    \_html-directory=pow_wifun_down login-by=http-chap,trial trial-uptime=1h/1\
    s"
add name=CloudPing policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    source=":local i 0; \r\
    \n:do {:set i (\$i+1)} while=((\$i<3) && [/ping 8.8.8.8 interval=2 count=3\
    ]<1); \r\
    \n:log info \$i;\r\
    \n:if (\$i<3) do { /ip hotspot profile set 1 html-directory=pow_wifun logi\
    n-by=http-pap,https };"
add name=WebWatcher policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    source=":local int;\r\
    \n:global oldlist;\r\
    \n:global newlist;\r\
    \n:local actusrlist \"\$[/system identity get name]\";\r\
    \n:local wlanID;\r\
    \n:local bandwidth;\r\
    \n:local txAll;\r\
    \n:local rxAll;\r\
    \n\r\
    \n:local count [:tonum [/ip hotspot active print count-only]];\r\
    \n\r\
    \n:local txbps;\r\
    \n:local rxbps;\r\
    \n\r\
    \n/interface monitor wlan1 once do={\r\

    \n:set txbps \$(\"tx-bits-per-second\");\r\
    \n:set rxbps \$(\"rx-bits-per-second\");\r\
    \n}\r\
    \n\r\
    \n:set wlanID [/interface find name=wlan1];\r\
    \n\r\
    \n:set txAll \"\$txAll\$[/interface get \$wlanID tx-byte]\";\r\
    \n:set rxAll \"\$rxAll\$[/interface get \$wlanID rx-byte]\";\r\
    \n\r\
    \n:set newlist \"\$actusrlist;\$count;\$txbps;\$rxbps;\$txAll;\$rxAll\";\r\
    \n\r\
    \n:log error \$newlist;\r\
    \n\r\
    \n:local localFilename;\r\
    \n:set localFilename \"\$[/system identity get name].txt\";\r\
    \n/file print file=\$localFilename;\r\
    \n/file set \$localFilename contents=\"\$newlist\";\r\
    \n\r\
    \n:log info \"Uploading file\";\r\
    \n/tool fetch address=cp1.wifun.org src-path=\$localFilename user=active m\
    ode=ftp password=activewurx dst-path=\$localFilename upload=yes;\r\
    \n\r\
    \n:set oldlist \$newlist;\r\
    \n:log error \"Active list sent\";"
add name=WiFunUpdate policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    source=":log info \"WiFun Version Updater\";\r\
    \n:local update;\r\
    \n:local mac;\r\
    \n:local password;\r\
    \n:local list ;\r\
    \n:local newList;\r\
    \n\r\
    \n:log info \"Checking Files\";\r\
    \n:set update \"\$[/file find where name~\"updates/\"]\";\r\
    \n\r\
    \n:set mac \"\$[/system identity get name] \";\r\
    \n:set password \"\$[put [:pick \$mac 6 [:find \$mac \" \"]]]\";\r\
    \n\r\
    \n:foreach i in \$update do { \r\
    \n :set list \"\$[/file get \$i name] \";\r\
    \n :set newList \"\$[put [:pick \$list 8 [:find \$list \" \"]]]\";\r\
    \n :log info \"Uploading \$newList..\";\r\
    \n \r\
    \n :if condition=(\$newList != \"css\" and \$newList != \"img/upload\"\
    \_and \$newList !=\"img\") do={ /tool fetch address=127.0.0.1 src-path=\"u\
    pdates/\$newList\" user=admin mode=ftp password=\$password dst-path=\"test\
    /\$newList\" upload=yes; /file remove \"updates/\$newList\"}\r\

    \n \r\
    \n :log info \"Done\";\r\
    \n}\r\
    \n"
add name=UpdateFiles policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    source=":local file;\r\
    \n:local images;\r\
    \n:set file \"\$[/file find where name~\"updates/\"]\";\r\
    \n\r\
    \n:log info \$file;\r\
    \n\r\
    \n:foreach i in \$file do {:set images \"\$images\$[/file get \$i name],\$\
    [/file get \$i size]\\n\"}\r\
    \n\r\
    \n:local localFilename ;\r\
    \n:set localFilename \"\$[/system identity get name]_updates.txt\"\r\
    \n/file print file=\$localFilename;\r\
    \n/file set \$localFilename contents=\"\$images\"\r\
    \n\r\
    \n/tool fetch address=65.181.120.40 src-path=\$localFilename \\\r\
    \nuser=active mode=ftp password=activewurx dst-path=\$localFilename upload\
    =yes\r\
    \n\r\
    \n:log error \"File sent\"\r\
    \n\r\
    \n"
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
    0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=\
    none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=\
    100
/tool e-mail
set address=0.0.0.0 from=<> password="" port=25 starttls=no user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set [ find default=yes ] disabled=yes interface=all
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
add disabled=no interface=wlan1
add disabled=no interface=bridge-local

/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes interface=all
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no secret=""
/tool sniffer
set file-limit=1000KiB file-name="" filter-ip-address="" filter-ip-protocol=\
    "" filter-mac-address="" filter-mac-protocol="" filter-port="" \
    filter-stream=yes interface=all memory-limit=100KiB memory-scroll=yes \
    only-headers=no streaming-enabled=no streaming-server=0.0.0.0
/tool traffic-generator
set latency-distribution-scale=10 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
    use-radius=no

REF. Remarks

W25   AES-CCM WPA encryption protocol

W29   WPA-PSK, WPA2-PSK, AP will relay authentication to Radius

WPA2-Pre-shared key

Radius Authentication for Hotspot users

RADIUS server

W5    Shared secret for authentication reply only of router, not authentication used by RADIUS

No user authentication via RADIUS