Pages

Sunday, November 20, 2011

Get Dynamic IP for Domains

This article is about collecting the dynamic IPs behind domains such as youtube.com and facebook.com. This is useful when a particular task needs to be done for such a domain, such as a different route, QoS, prioritization, etc.
The following example is done for youtube.com and facebook.com. It also assumes that the local network IP subnet is 10.10.0.0/16.

Create firewall rules to add each IP visited by users to a dynamic IP Address-List which can be used later.

/ ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp 
src-address=10.10.0.0/16 address-list=youtube-list address-list-timeout=0s 
content=youtube.com comment="youtube.com IPs"
/ ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp 
src-address=10.10.0.0/16 address-list=facebook-list address-list-timeout=0s 
content=facebook.com comment="facebook.com IPs"
/ ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp 
src-address=10.10.0.0/16 address-list=facebook-list address-list-timeout=0s 
content=fbcdn.net comment="Facebooks content delivery network IPs"



The snapshot shows how to create the firewall rules that add each IP visited by users to a dynamic address list for later use.
Follow the same procedure shown in the snapshot for content="facebook.com" and content="fbcdn.net"; if desired, change the address-list name, e.g. to "facebook-list".
Also make sure that these rules are added in the FILTER table and not in MANGLE.
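The rules above rely on RouterOS's content= matcher, which is a plain substring search over the packet payload, and on address-list-timeout=0s, which makes every learned entry permanent. The following Python simulation is an added example (not from the original post; RouterOS does this matching itself) that replays constructed packets through the same rule logic so you can see what does and does not land in the lists: a cleartext HTTP Host header and an unencrypted TLS SNI both match, UDP and foreign source addresses are skipped, an unrelated host name that merely contains the string also matches, and encrypted application data never matches.

```python
"""Simulate the content-matching address-list rules from this section.

Added example, not part of the original post: RouterOS performs the matching
itself; this stand-in mirrors the rule semantics so the behaviour can be
checked offline. All packets below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("10.10.0.0/16")  # local subnet assumed by the post

# (address-list, content=) pairs exactly as the three rules on the page specify them
RULES = [
    ("youtube-list", "youtube.com"),
    ("facebook-list", "facebook.com"),
    ("facebook-list", "fbcdn.net"),
]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    payload: bytes  # application data as seen by the forward chain


def matching_lists(pkt, rules=RULES, lan=LAN):
    """Names of the address lists whose rule matches this forwarded packet.

    Mirrors the rule: protocol=tcp, src-address inside the LAN, and content=,
    which is a plain substring search over the payload (no domain parsing).
    """
    if pkt.proto != "tcp" or ipaddress.ip_address(pkt.src) not in lan:
        return []
    return [name for name, needle in rules if needle.encode() in pkt.payload]


def build_address_lists(packets, rules=RULES):
    """Replay packets and collect destination addresses per list.

    address-list-timeout=0s on the page means entries never expire, so the
    lists only ever grow; this is modelled by never removing an entry.
    """
    lists = {}
    for pkt in packets:
        for name in matching_lists(pkt, rules):
            lists.setdefault(name, set()).add(pkt.dst)
    return lists


# Constructed traffic; addresses are documentation ranges, not real endpoints.
SAMPLE_PACKETS = [
    # plain HTTP request: the Host header carries the domain in clear text
    Packet("10.10.1.5", "203.0.113.10", "tcp",
           b"GET /watch HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"),
    # TLS ClientHello: the SNI extension is unencrypted, so it matches as well
    Packet("10.10.1.6", "203.0.113.20", "tcp",
           b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 20
           + b"\x00\x00\x10www.facebook.com"),
    # CDN asset fetch
    Packet("10.10.2.7", "203.0.113.30", "tcp",
           b"GET /img.jpg HTTP/1.1\r\nHost: photos-a.fbcdn.net\r\n\r\n"),
    # UDP DNS query mentions the name, but protocol=tcp excludes it
    Packet("10.10.1.5", "10.10.0.1", "udp", b"\x00\x01\x01\x00" + b"youtube.com"),
    # source outside 10.10.0.0/16 is ignored by src-address=
    Packet("192.168.5.9", "203.0.113.10", "tcp",
           b"GET / HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"),
    # substring pitfall: an unrelated host name containing the string matches too
    Packet("10.10.3.1", "203.0.113.40", "tcp",
           b"GET / HTTP/1.1\r\nHost: notyoutube.com.example\r\n\r\n"),
    # encrypted application data after the TLS handshake: nothing to match
    Packet("10.10.1.6", "203.0.113.50", "tcp",
           b"\x17\x03\x03\x00\x20" + bytes(range(32))),
]

if __name__ == "__main__":
    for name, addrs in sorted(build_address_lists(SAMPLE_PACKETS).items()):
        print(f"{name}: {sorted(addrs)}")
```

The last two packets are the practical caveats: a list keyed on a substring will pick up unrelated destinations, and once a session is encrypted only the handshake is ever visible, so the list is populated from the first connection to each address rather than from every packet.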

 wiki

Friday, November 4, 2011

AP mikrotik


This article gives a very quick overview for beginners on setting up a Wireless Access Point using the RouterOS Winbox graphical configuration tool.
Requirements

a router running RouterOS loaded with supported miniPCI wireless cards
a connection to the router via the Winbox utility

Instructions

Start by opening the Wireless Interface window in Winbox. You will see some wireless cards listed here; they might be disabled. To turn them on, click on the blue Enable button. Make sure that the interface is configured and the antennas are connected before you enable an interface.
To configure an interface, double-click its name, and the config window will appear. To set the device as an AP, choose "ap bridge" mode. You can also set other things, like the desired band, frequency, SSID (the AP identifier) and the security profile.
You probably want your AP to be secure, so you need to configure WPA2 security. Close the wireless settings window with OK when you are done, and move to the Security Profiles tab of the Wireless interface window. There, make a new profile with the Add button and set the desired WPA2 settings. You can then choose this new security profile back in the Interface configuration.
To see if any stations are connected to your AP, go to the Registration Table tab in the Wireless Interface window.
Just connecting is probably not enough, as your AP needs an IP address. This can be configured in the IP menu. Make sure that your stations also have IP addresses from the same subnet, or set up a DHCP server on this router (not covered in this tutorial).
If your ISP doesn't know about your new local network and hasn't set up proper routes to it, you need to configure SRC-NAT so that your stations have access to the internet via their private IP addresses. They will be masqueraded by the router's NAT functionality (not covered in this tutorial).








wiki

MikroTik - Wireless AP Client

This configuration example shows how to establish a simple wireless network using MikroTik RouterOS. MikroTik RouterOS is fully compliant with the IEEE 802.11a/b/g/n standards, and a MikroTik RouterOS device can be used as a wireless access point or a wireless station.

Access Point Configuration

  • Connect to the router via Winbox
  • Set up the Wireless interface; the necessary configuration options are mode=ap-bridge band=ap_operated_band frequency=ap_operated_frequency ssid=network_identification 

  • These settings are enough to establish a wireless connection. Additionally you need to add an IP address to the wireless interface for IP routing, and optionally add security and other settings. 

Station Configuration

  • This wireless client configuration example is for MikroTik RouterOS; for other vendors' OS configuration, look it up in the appropriate documentation, forum, mailing list, etc.
  • Connect to the client router the same way and proceed to the Wireless interface configuration.
  • The necessary configuration options are mode=station band=band_ap_operates_on ssid=ap_network_ssid  

  • These settings are enough to establish a wireless connection. Additionally you need to set an IP address on the wireless interface to establish IP communication with the access point, and optionally use security and other settings. 

Additional Configuration

IP Configuration

  • Add an IP address to the Access Point router, e.g. 192.168.0.1/24 
  • Add an IP address to the client router; the address should be from the same subnet, e.g. 192.168.0.2/24 

  • Check IP communication with ping from the station (for example). 

Additional Access Point Configuration

  • All the necessary settings for a simple Access Point are shown here.
  • Security profiles are used for WPA/WPA2 protection; the configuration options are explained here. Usually all wireless clients share the same security configuration as the access point.
  • mode=ap-bridge allows 2007 clients; max-station-count is used to limit the number of wireless clients per Access Point. Wireless mode=bridge is used for point-to-point wireless links and allows a connection from one station only.
  • MikroTik RouterOS license level 4 is the minimum for mode=ap-bridge.
  • Other wireless settings are explained here: http://wiki.mikrotik.com/wiki/Category:Wireless

Additional Station Configuration

  • A station adapts to the wireless access point's frequency, regardless of the frequency configured in the Wireless menu. The station uses its scan-list to select an available Access Point; when superchannel mode is used on the wireless Access Point, add the custom Access Point frequency to the mode=station scan-list.

Mikrotik - system note

The system note feature allows you to assign arbitrary text notes or messages that will be displayed on each login right after the banner. For example, you may distribute warnings between system administrators this way, or describe what that particular router actually does. To configure the system note, you may upload a plain text file named sys-note.txt to the router's FTP server, or, additionally, edit the settings in this menu.


 example


[admin@RB493G] /system note> edit note 

                           (   )
                          (    )
                           (    )
                          (    )
                            )  )
                           (  (                  /\
                            (_)                 /  \  /\
                    ________[_]________      /\/    \/  \
           /\      /\        ______    \    /   /\/\  /\/\
          /  \    //_\       \    /\    \  /\/\/    \/    \
   /\    / /\/\  //___\       \__/  \    \/
  /  \  /\/    \//_____\       \ |[]|     \
 /\/\/\/       //_______\       \|__|      \
/      \      /XXXXXXXXXX\                  \
        \    /_I_II  I__I_\__________________\
               I_I|  I__I_____[]_|_[]_____I
               I_II  I__I_____[]_|_[]_____I
               I II__I  I     XXXXXXX     I
            ~~~~~"   "~~~~~~~~~~~~~~~~~~~~~~~~

C-c quit C-o save&quit C-u undo C-k cut line C-y paste F5 repaint 
 
 
 
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 5.3 (c) 1999-2011       http://www.mikrotik.com/





                           (   )
                          (    )
                           (    )
                          (    )
                            )  )
                           (  (                  /\
                            (_)                 /  \  /\
                    ________[_]________      /\/    \/  \
           /\      /\        ______    \    /   /\/\  /\/\
          /  \    //_\       \    /\    \  /\/\/    \/    \
   /\    / /\/\  //___\       \__/  \    \/
  /  \  /\/    \//_____\       \ |[]|     \
 /\/\/\/       //_______\       \|__|      \
/      \      /XXXXXXXXXX\                  \
        \    /_I_II  I__I_\__________________\
               I_I|  I__I_____[]_|_[]_____I
               I_II  I__I_____[]_|_[]_____I
               I II__I  I     XXXXXXX     I
            ~~~~~"   "~~~~~~~~~~~~~~~~~~~~~~~~
[admin@RB493G] > 
 

Mikrotik - Hotspot Setup

[admin@MikroTik] /ip hotspot> setup 
Select interface to run HotSpot on 

hotspot interface: ether3
Set HotSpot address for interface 

local address of network: 10.5.50.1/24
masquerade network: yes
Set pool for HotSpot addresses 

address pool of network: 10.5.50.2-10.5.50.254
Select hotspot SSL certificate 

select certificate: none
Select SMTP server 

ip address of smtp server: 0.0.0.0
Setup DNS configuration 

dns servers: 10.1.101.1
DNS name of local hotspot server 

dns name: myhotspot
Create local hotspot user 

name of local hotspot user: admin
password for the user: 
[admin@MikroTik] /ip hotspot>

Mikrotik - User Manager

Introduction

To make this setup, you should have a running HotSpot server on the router. Let us consider the configuration steps for the HotSpot and User Manager routers in order to use User Manager for HotSpot users.

HotSpot configuration


  • Set HotSpot to use User Manager for HotSpot server users:

 / ip hotspot profile set hsprof1 use-radius=yes

  • Add a RADIUS client to consult User Manager for the HotSpot service:

 / radius add service=hotspot address=y.y.y.y secret=123456
'secret' is equal to the User Manager router secret. 'y.y.y.y' is the User Manager router address; by default this is 127.0.0.1. If using a remotely located router (perhaps via a VPN), the IP address entered is the IP address of that remote router. The router could be a RADIUS server, or another ROS with User Manager installed.

  • Note: the local HotSpot database is consulted first, then the User Manager database.
This means that if you have users configured in '/ ip hotspot user print', they will be able to authenticate to the HotSpot using that data.
Delete the user configuration from '/ ip hotspot user' to stop using the local HotSpot database for authentication. To move a batch of local HotSpot users to the User Manager database, use export and import. Use a text editor to create an appropriate file to import the local users into the User Manager database.

User Manager configuration


  • First, you need to download and install User Manager package;
  • Create a User Manager subscriber (root customer). Note that when using version 3.0 or newer, a subscriber called 'admin' is created automatically; you can skip the following stage and change 'MikroTik' to 'admin' in subsequent steps;

/ tool user-manager customer add login="MikroTik" password="qwerty" permissions=owner

  • Add the HotSpot router information to the router list:

 / tool user-manager router add subscriber=MikroTik ip-address=x.x.x.x shared-secret=123456
'x.x.x.x' is the address of the HotSpot router; 'shared-secret' must match on both the User Manager and HotSpot routers. Adding 'x.x.x.x' as a router allows RADIUS requests from 'x.x.x.x' to be passed to the RADIUS server built into User Manager. Therefore, if you have any remote ROS HotSpots that require access to this RADIUS server, all their IP addresses must be added to this list.

  • Add the HotSpot user information; it is equivalent to 'ip hotspot user' when the local HotSpot database is used for clients.
In version 3:

 / tool user-manager user add name=demo password=demo subscriber=MikroTik
In version 4:

 / tool user-manager user add name=demo password=demo customer=MikroTik
We discuss only a basic configuration example; see the detailed information about the 'user' menu configuration.


  • To make sure that the client is using User Manager for AAA:

 / ip hotspot active print
 Flags: R - radius, B - blocked
  #    USER          ADDRESS         UPTIME       SESSION-TIME-LEFT IDLE-TIMEOUT
  0 R  00:01:29:2... 192.168.100.2   1m29s
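The R flag in that output is the only evidence that a session was authenticated through RADIUS rather than the local HotSpot database, and on a busy server it is easy to miss a row without it. The following Python parser is an added example (not from the original wiki text) that reads the '/ip hotspot active print' output, using the header line to locate the flag column, and lists the sessions that were not authenticated via User Manager. The sample output is constructed: the first row mirrors the page, the other two were added to show a local-database session and a blocked RADIUS session.

```python
"""Check which active HotSpot sessions were authenticated via RADIUS.

Added example, not part of the original wiki text: it parses the output of
'/ip hotspot active print' as shown above and reports sessions that lack the
R flag, i.e. users still served from the local HotSpot database instead of
User Manager. The sample output below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ActiveSession:
    index: int
    flags: set
    user: str
    address: str
    uptime: str


# Constructed sample; the first row mirrors the page, the others are added so that
# a local-database session (no R) and a blocked RADIUS session (RB) appear.
SAMPLE_OUTPUT = """\
Flags: R - radius, B - blocked
 #    USER          ADDRESS         UPTIME       SESSION-TIME-LEFT IDLE-TIMEOUT
 0 R  00:01:29:2... 192.168.100.2   1m29s
 1    bob           192.168.100.3   12m4s
 2 RB alice         192.168.100.4   3s
"""


def parse_active_print(text):
    """Parse RouterOS 'print' output into ActiveSession records.

    The flag letters sit between the row index and the USER column, so the
    USER column offset is taken from the header line rather than guessed.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = next(ln for ln in lines if "USER" in ln and "ADDRESS" in ln)
    user_col = header.index("USER")
    sessions = []
    for ln in lines:
        m = re.match(r"\s*(\d+)\s", ln)
        if not m:
            continue  # the 'Flags:' legend or the header line
        flags = set(ln[m.end():user_col].replace(" ", ""))
        columns = ln[user_col:].split()
        uptime = columns[2] if len(columns) > 2 else ""
        sessions.append(ActiveSession(int(m.group(1)), flags, columns[0], columns[1], uptime))
    return sessions


def sessions_not_via_radius(text):
    """Usernames of active sessions that did not come through RADIUS/User Manager."""
    return [s.user for s in parse_active_print(text) if "R" not in s.flags]


if __name__ == "__main__":
    for session in parse_active_print(SAMPLE_OUTPUT):
        print(session)
    print("local-database sessions:", sessions_not_via_radius(SAMPLE_OUTPUT))
```

Feed it the real output (for example captured over SSH) and any name it prints is a user who still exists in '/ip hotspot user' and should be removed there once migrated to User Manager.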

MikroTik RouterOS Interface Bonding

I have two separate Metro Ethernet links (via fiber optic) from the datacenter to the NOC. Each link is 10Mbps. I need to utilize both links (bonding) and make sure that if one of the links goes down (redundancy), I won’t lose half of my packets. Bonding and redundancy are my goals.
Initially I tried Cisco Catalyst’s EtherChannel feature to accommodate this need, since I learned about EtherChannel when I was doing my CNAP. Unfortunately EtherChannel cannot fit in this scenario due to my Metro Ethernet provider’s network setup. They use Cisco Catalyst 3750 switches to aggregate customers’ links from each POP to their headquarters. My first attempt was to establish trunk mode EtherChannel (802.1q) with a Cisco Catalyst 2950 on one side and a Cisco Catalyst Express 500 on the other side. Later I noticed that this is not doable, since trunking requires the MTU size to be larger than 1500 (1504) while my provider strictly limits the MTU size to 1500, and negotiation between my 2 switches to establish trunking wouldn’t work since my switches’ BPDU packets are “intercepted” by my provider’s switches. Basically my Cisco switches were trying to establish a VLAN trunk with my provider’s directly connected switches when my switches are supposed to be negotiating with each other.
I consulted a few experienced people including an employee of the provider, and they told me to use access mode EtherChannel instead of the trunk mode EtherChannel. This is not possible with the Cisco Catalyst Express 500, which only offers trunk mode EtherChannel. I bought a Cisco Catalyst 2960 to replace the Cisco Catalyst Express 500 hoping that access mode EtherChannel would work; it didn’t. Even if it did work, it wouldn’t be aware of link state changes since my switches do not connect directly to the fiber cables. There is a fiber-to-ethernet bridge on each side of each link, so my switches will always detect both links as up as long as the bridges are up.
Since link states cannot be used as a measurement in this scenario, I had to find another way. MikroTik RouterOS offers not only a bonding feature, but a fail-over mechanism too! The fail-over mechanism uses ARP packets to detect link failures; it is far from perfect, but at least it works.
I will add examples later, but for now have a look at this. Hopefully I will discuss EoIP and EoIP over PPTP too.
References:
http://www.mikrotik.com/testdocs/ros/3.0/interface/bonding.php

MikroTik RouterOS — BGP



I have always wanted to learn about BGP. This time I got the chance to implement BGP for an ISP. This ISP has its own AS number and a /21 IP address block. This BGP setup is pretty simple because I’m only using 1 PC (with 3 ethernet cards and a MikroTik level 4 DOM) to interconnect with an Internet Exchange (IX) — NiCE — and a transit ISP (another transit will be added soon).
In MikroTik RouterOS version 2.9.42, BGP features are available for level 3 and above. You also need to enable the routing-test package if you want more flexibility (BGP filtering features). The routing package, as of this version, only allows basic BGP features. I’m sure this will change later when they release RouterOS v3. Once you have enabled the routing-test package, you will see new options (Routing – Filters in winbox, or /routing filters on the CLI). This is very important when you have to peer with 2 or more ASes (specifically an IX and a transit which is not interested in getting the IX’s routes, for obvious reasons).
Since I had never configured BGP before, I caused a major problem when routes from each peer went to another peer when they shouldn’t! I didn’t place any filter on the BGP advertisements my BGP router sends to its peers. My transit ISP received the IX’s routes and the IX received the full Internet route feed my BGP router gets from the transit ISP. BGP is an exterior distance-vector routing protocol; it picks its best path by comparing the AS path lengths of every route it has. Advertising the whole Internet BGP feed to the local IX caused other ISPs’ routers participating in the IX to discover a shorter path for international routes going via my BGP router, so the routers chose this new shorter path instead and the outgoing traffic of these ISPs started to flow via my transit ISP! On the other hand, advertising IX routes to my transit was not a big problem since the path will be farther for their customers anyway, having to go via my BGP router first (that’s one AS further for the transit ISP’s customers to reach the IX routes, so BGP will not select it).
Fortunately I was able to spot the error immediately and placed BGP routing filters to include only my /21 IP block in the advertisements my BGP router sends to both the IX and the transit. I also added an incoming BGP filter to discard a default route my transit ISP includes in its BGP feed. This default route is not required since I get a full BGP feed that is unfiltered.
Useful links:
http://www.mikrotik.com/testdocs/ros/2.9/routing/bgp.php
http://www.mikrotik.com/testdocs/ros/2.9/routing/filter.php
http://wiki.mikrotik.com/wiki/BGP_Case_Studies_1 — Route filters examples
http://wiki.mikrotik.com/wiki/Using_scope_and_target-scope_attributes — Important! Make sure that BGP neighbors are reachable via static routes for dynamic routes to be active (in the case of multihop BGP neighbors)
http://wiki.mikrotik.com/wiki/BGP_soft_reconfiguration_alternatives_in_RouterOS
Cisco’s BGP Reference
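The route leak described in the post comes down to AS-path length, so it can be reproduced in a few lines. The Python model below is an added example (not from the original post): AS numbers and prefixes are constructed placeholders (private ASNs and RFC 1918 space, standing in for the ISP's real /21), and best-path selection is reduced to the one attribute the post reasons about, shortest AS path. It shows an IX member preferring the leaked path through our router when the transit feed is re-advertised unfiltered, and ignoring us once the outbound filter permits only the own aggregate; the inbound filter that drops the transit's default route is included as well.

```python
"""Model the route-filter fix described in this post.

Added example, not part of the original post: AS numbers and prefixes are
constructed placeholders (private ASNs / RFC 1918 space), and the best-path
logic is reduced to AS-path length, which is the attribute the post reasons
about.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple  # leftmost AS is the neighbour the route was learned from


# Constructed placeholders, not the ISP's real numbers
MY_AS = 64496
MY_PREFIX = "10.64.0.0/21"
TRANSIT_AS, IX_PEER_AS, FAR_AS = 64510, 64501, 64530

# What our router receives: a "full feed" (reduced to one entry) plus a default
# route from the transit, and a member prefix from the IX peer.
FROM_TRANSIT = [
    Route("0.0.0.0/0", (TRANSIT_AS,)),
    Route("10.200.0.0/16", (TRANSIT_AS, FAR_AS)),
]
FROM_IX = [Route("10.100.0.0/22", (IX_PEER_AS,))]


def inbound_filter(routes):
    """Discard the default route the transit includes; a full feed makes it redundant."""
    return [r for r in routes if ipaddress.ip_network(r.prefix).prefixlen != 0]


def outbound_filter(routes, own_prefix=MY_PREFIX):
    """Advertise only the own aggregate (or more-specifics of it), never learned routes."""
    own = ipaddress.ip_network(own_prefix)
    return [r for r in routes if ipaddress.ip_network(r.prefix).subnet_of(own)]


def advertise(routes, filtered, my_as=MY_AS, own_prefix=MY_PREFIX):
    """Routes a neighbour receives from us; our AS is prepended to every path."""
    chosen = outbound_filter(routes, own_prefix) if filtered else routes
    return [Route(r.prefix, (my_as,) + r.as_path) for r in chosen]


def best_path(candidates):
    """BGP decision reduced to the attribute discussed: the shortest AS path wins."""
    return min(candidates, key=lambda r: len(r.as_path))


def ix_member_next_hop(filtered):
    """Neighbour AS an IX member uses for 10.200.0.0/16 under our outbound policy.

    The member already has a 4-AS path via its own transit; a leaked 3-AS path
    through us is shorter and wins, exactly the effect the post describes.
    """
    table = {"own-transit": Route("10.200.0.0/16", (64540, 64550, 64560, FAR_AS))}
    my_rib = inbound_filter(FROM_TRANSIT) + FROM_IX + [Route(MY_PREFIX, ())]
    for r in advertise(my_rib, filtered):
        if r.prefix == "10.200.0.0/16":
            table["via-me"] = r
    return best_path(table.values()).as_path[0]


if __name__ == "__main__":
    print("unfiltered: IX member routes via AS", ix_member_next_hop(filtered=False))
    print("filtered:   IX member routes via AS", ix_member_next_hop(filtered=True))
    print("accepted from transit:", [r.prefix for r in inbound_filter(FROM_TRANSIT)])
```

The same two functions map onto RouterOS routing filters: outbound_filter is a chain that accepts the own prefix and discards everything else, inbound_filter a chain that discards 0.0.0.0/0 before the transit's routes enter the table.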

PPPoE Server HOWTO for MikroTik RouterOS 2.9


If you wish to run a PPPoE server, MikroTik RouterOS provides a convenient way to set one up in a few minutes (with a built-in traffic shaping feature too!). Previously I used Fedora Core for my PPPoE servers, but I couldn’t find a working solution to keep ghost PPPoE sessions from bogging down my Linux server. I tried a MikroTik DOM with RouterOS to replace my Linux-powered PPPoE servers; so far the results are very good.

Below is a mini guide that may help you get your PPPoE server running in a few minutes using RouterOS.

First, make sure that your RouterOS server’s WAN connectivity has been properly configured. Remember that you need at least 2 network interface cards (NICs). This guide assumes that both NICs are ethernet — ether1 and ether2. If you haven’t set anything up on the new system, let me help you with the checklist (based on my experience, the following issues are the most common):

  • Make sure that the Internet-facing NIC has an IP address assigned to it and the default gateway is set (/ip route add gateway=…)
  • If NAT is used, ensure that the src-nat/masquerade firewall rule has been added (/ip firewall nat …) and is working properly

Once you have verified the server’s connectivity, create a PPP profile (/ppp profile add name="pppoe-profile" local-address=10.1.1.1 dns-server=… rate-limit=128k/128k). Every user account that uses this profile will get a 128Kbps upload and download limit. If you wish to have different types of accounts (for example some customers pay for 256Kbps), create a new PPP profile (change the rate-limit attribute).

Next, create a user account assigned to the new PPP profile (/ppp secret add name="andryan" password="test" service=pppoe profile="pppoe-profile" remote-address=10.1.1.2). When this user logs in successfully, this user gets assigned 10.1.1.2. To dynamically assign IP addresses, there is an example here.
Finally, create a PPPoE server instance (/interface pppoe-server server add service-name="pppoe1" interface=ether2 one-session-per-host=yes default-profile="pppoe-profile") and enable it. Now your RouterOS PPPoE server is ready to answer PPPoE requests and authenticate your PPPoE clients.

Reset MikroTik to default factory configuration



Current MikroTik RouterBOARDs do not have a reset button (if you find a button on your RouterBOARD, it’s not the reset-to-factory-default button) for resetting to the default factory configuration. The user guide for each RouterBOARD, which MikroTik provides on routerboard.com, defines the identifier and location of the reset mechanism. Hint: look for a distinct hole on the RouterBOARD and short-circuit it.
I will post some pictures when I get the chance.
To reset RouterOS to the default configuration, execute the command /system reset-configuration. That should do the job. It makes a backup of the current configuration prior to the reset (how convenient!), in case you change your mind, and possibly prevents accidental resets.

Mikrotik - Wiki - Transparent Traffic Shaper

MIKROTIK - PCC



/ ip firewall mangle
add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn


add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2


add chain=prerouting dst-address=x.x.x.x action=accept in-interface=Local
add chain=prerouting dst-address=y.y.y.y action=accept in-interface=Local


add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/0 \
action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/1 \
action=mark-connection new-connection-mark=wlan2_conn passthrough=yes


add chain=prerouting connection-mark=wlan1_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan1
add chain=prerouting connection-mark=wlan2_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan2


/ ip route
add dst-address=0.0.0.0/0 gateway=x.x.x.x routing-mark=to_wlan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=y.y.y.y routing-mark=to_wlan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=x.x.x.x distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=y.y.y.y distance=2 check-gateway=ping


/ ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade
add chain=srcnat out-interface=wlan2 action=masquerade
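The configuration above does not explain what per-connection-classifier actually does: RouterOS hashes the selected connection fields (both-addresses here) and compares hash mod denominator with the remainder, so 2/0 and 2/1 split new connections into two buckets while keeping every connection between the same pair of addresses on the same WAN. The Python model below is an added example (not part of the original config): RouterOS's exact hash function is not published, so SHA-256 stands in for it with the same contract (deterministic, evenly spread); the LAN prefix, the gateway addresses standing in for x.x.x.x and y.y.y.y, and all flows are constructed. It also reproduces the two exclusions in the mangle rules (traffic to the gateways and dst-address-type=!local).

```python
"""Illustrate the per-connection-classifier (PCC) rules in this section.

Added example, not part of the original config: RouterOS hashes the selected
connection fields and compares hash mod denominator with the remainder; its
exact hash function is not published, so SHA-256 is used as a stand-in with
the same contract (deterministic, evenly spread). Addresses are constructed.
"""
import hashlib
import ipaddress

LOCAL_NETS = [ipaddress.ip_network("192.168.88.0/24")]  # assumed LAN behind in-interface=Local
GATEWAYS = ["198.51.100.1", "203.0.113.1"]               # stand-ins for x.x.x.x and y.y.y.y
WANS = ("wlan1", "wlan2")


def parse_pcc(spec):
    """Split 'both-addresses:2/0' into (classifier, denominator, remainder)."""
    classifier, fraction = spec.split(":")
    denominator, remainder = (int(x) for x in fraction.split("/"))
    if not 0 <= remainder < denominator:
        raise ValueError(f"remainder {remainder} out of range for /{denominator}")
    return classifier, denominator, remainder


def pcc_hash(src, dst, sport, dport, classifier):
    """Stand-in for RouterOS's classifier hash over the chosen fields."""
    fields = {
        "src-address": (src,),
        "dst-address": (dst,),
        "both-addresses": (src, dst),
        "src-address-and-port": (src, str(sport)),
        "dst-address-and-port": (dst, str(dport)),
        "both-addresses-and-ports": (src, dst, str(sport), str(dport)),
    }[classifier]
    digest = hashlib.sha256("|".join(fields).encode()).digest()
    return int.from_bytes(digest[:4], "big")


def choose_wan(src, dst, sport, dport, specs=("both-addresses:2/0", "both-addresses:2/1")):
    """Replicate the prerouting mangle rules: exclusions first, then PCC buckets.

    Returns the WAN a new connection is marked for, or None when the page's
    accept rules (traffic to the gateways) or dst-address-type=!local keep it
    out of load balancing.
    """
    if dst in GATEWAYS or any(ipaddress.ip_address(dst) in net for net in LOCAL_NETS):
        return None
    for wan, spec in zip(WANS, specs):
        classifier, denominator, remainder = parse_pcc(spec)
        if pcc_hash(src, dst, sport, dport, classifier) % denominator == remainder:
            return wan
    return None


def distribution(flows):
    """Count how a set of (src, dst, sport, dport) flows spreads across the WANs."""
    counts = {wan: 0 for wan in WANS}
    counts[None] = 0
    for flow in flows:
        counts[choose_wan(*flow)] += 1
    return counts


# Constructed flows: 200 LAN hosts each opening one HTTPS connection to one of two servers
SAMPLE_FLOWS = [
    (f"192.168.88.{10 + i}", "203.0.113.50" if i % 2 else "198.51.100.80", 40000 + i, 443)
    for i in range(200)
]

if __name__ == "__main__":
    print(distribution(SAMPLE_FLOWS))
    print(choose_wan("192.168.88.10", "198.51.100.80", 40000, 443),
          choose_wan("192.168.88.10", "198.51.100.80", 51234, 443))  # same pair, same WAN
```

The last two calls are the point of both-addresses: a client's connections to one server always leave through the same WAN, so sites that tie a session to the client's public address keep working, whereas both-addresses-and-ports would spread them across both uplinks.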

MIKROTIK - FORWARD LOCAL IP

ip firewall nat add chain=dstnat dst-address=aaa.aaa.aaa.aaa protocol=tcp dst-port=bbbb \
   action=dst-nat to-addresses=xxx.xxx.xxx.xxx to-ports=yyyy
ip firewall nat add chain=dstnat dst-address=aaa.aaa.aaa.aaa protocol=udp dst-port=bbbb \
   action=dst-nat to-addresses=xxx.xxx.xxx.xxx to-ports=yyyy

example

/ip firewall nat add chain=dstnat dst-address=69.69.69.69 protocol=tcp dst-port=5900 \
    action=dst-nat to-addresses=192.168.1.101 to-ports=5900

Review Router Wireless RB751U-2HND

Router Wireless RB751U-2HND


 

RB751U-2HND specifications

Product Code: RB751U-2HND
Architecture: MIPS-BE
CPU: AR7241 400MHz
Current Monitor: no
Main Storage/NAND: 64MB
RAM: 32MB
SFP Ports: 0
LAN Ports: 5
Gigabit: No
Switch Chip: 1
MiniPCI: 0
Integrated Wireless: 1
Wireless Standards: 802.11 b/g
Wireless Tx Power: 30dBm
Integrated Antenna: Yes
Antenna Gain: 2 x 2.5dBi
MiniPCIe: 0
SIM Card Slots: No
USB: 1
Power on USB: Yes
Memory Cards: No
Power Jack: 8-30V
802.3af Support: No
POE Input: Yes
POE Output: No
Serial Port: No
Voltage Monitor: No
Temperature Sensor: No
Dimensions: 113x138x29mm
Operating System: RouterOS
Temperature Range: -20C .. +50C
RouterOS License: Level 4


 


Tuesday, August 23, 2011

Basic MikroTik Configuration



Basic MikroTik RouterOS configuration: IP address planning, adding IP addresses, DHCP client, masquerade, simple queue (QoS), NTP client

Basic Mikrotik Hotspot



Setting up a basic MikroTik hotspot

Mikrotik RouterOS includes an excellent hotspot solution. Read on for details on getting a basic hotspot going using RouterOS on any standard x86 PC hardware or a RouterBOARD.

The RouterOS hotspot solution is very powerful and only the very basics of the solution are covered here; just enough to get you started.
Introduction

This article assumes you want to set up a basic hotspot as shown in the diagram below. If you have a DNS server integrated into your router the same rule applies, just use the router IP for your DNS server as well.



To help get you started, MikroTik now includes a combined RADIUS server and simple web administration package for RouterOS called the User Manager. This provides a much simpler means of user administration than the command line or Winbox. The User Manager package is included as standard with all versions of RouterOS from about 2.9.35 onwards.

Advanced users might wish to provide their own RADIUS server, however this is outside the scope of this article.
Getting the Hotspot to Work

First of all you will need to have a copy of RouterOS. You can purchase a license or download a 24-hour trial from Mikrotik. RouterBOARDs also usually come with RouterOS pre-licensed and installed. You will also need a computer with at least a 100MHz CPU, 32MB RAM and an IDE hard disk, or a RouterBOARD. Either method you choose will need a compatible wireless card and Ethernet adapter, or two Ethernet adapters with one connected to a standard wireless access point. You should check your hardware against the RouterOS compatibility list.

If you are installing RouterOS for the first time, download the ISO image from Mikrotik and burn it to CD. Note that installation of RouterOS will completely wipe the contents of the hard disk! Boot the PC off this CD and install the following packages:

System
DHCP
Wireless
Hotspot
Proxy
User Manager (optional)
Security (optional - recommended)
Advanced tools (optional)

Now to get started. Log onto the PC as admin with no password. If this box is intended for deployment, set a password by typing password at the prompt. Change the hostname by typing name.

Assign an IP address to each interface. As this is going to be set up as a router, they will need to be on different subnets. Substitute wlan1 with ether2 if you have a separate access point.

[admin@Mikrotik] > ip address add address=192.168.24.3/24 interface=ether1
[admin@Mikrotik] > ip address add address=192.168.30.1/24 interface=wlan1

Now we need to add a default route to the IP of the internet router.

[admin@MikroTik] > ip route add gateway=192.168.24.1

Enable the wireless interface and set it to run as an access point as below. If you have a separate access point instead, ignore the command below; make sure it is running with no security enabled, use a suitable SSID and channel, and change its admin password.

[admin@Mikrotik]> interface wireless set wlan1 ssid="My HotSpot" band=2.4ghz-b mode=ap-bridge

Run the hotspot setup as below. Substitute the values in italics to suit your network. The user account bears no relation to the admin account and is used for the hotspot service only. You may also need to add a host record to your DNS server for the hostname of the hotspot box. Make sure the address pool does not conflict with any devices using static IPs, such as access points.

[admin@MikroTik] > ip hotspot setup
hotspot interface: wlan1
local address of network: 192.168.30.1/24
masquerade network: yes
address pool of network: 192.168.30.2-192.168.30.99
select certificate: none
ip address of smtp server: 0.0.0.0
dns servers: 192.168.24.2
dns name: hotspot.mydomain.net (or leave this blank)
name of local hotspot user: user
password for the user: password

That’s the guts of it there. Fire up your laptop, associate to the network and try to access a web page. You should be redirected to the hotspot login page instead where you can enter the user credentials you set up earlier. Click the thumbnails for a full view of the default page.



You should now be able to access the web normally and a pop-up window will display your connection time and data usage as you go.



Bear in mind I have left out the certificate so usernames and passwords will be sent as plain text. If you intend on deploying the hotspot, you should install a certificate on it and set up SSL to protect account data from being sniffed.
Setting up User Manager

The User Manager is a nice and simple web administration interface for setting up user accounts for the MikroTik hotspot and other services. It can be hosted either on the same box as the hotspot or on a separate box on the same local network. One User Manager package can control multiple hotspots.

Before getting the User Manager set up, check for any existing hotspot accounts and remove them. To do this, run the following command:

[admin@MikroTik] > ip hotspot user print
Flags: X - disabled, D - dynamic
 #   SERVER   NAME   ADDRESS   PROFILE   UPTIME
 0            fred             default   0s

If any items are listed (in this case fred), run the following command to remove them:

[admin@MikroTik] > ip hotspot user remove 0

You can delete multiple items at the same time, simply separate each item number with a comma.

To get the User Manager working we first need to add a customer login. This is used to access the UM web administration. Make sure you substitute the values in italics to suit.

[admin@MikroTik] > tool user-manager customer add login=hs_admin password=password

Now we need to add the hotspot as a RADIUS client to the user manager. This is done under the user manager router section. The shared secret can be any string of text and should be reasonably long and complex. If you are setting the user manager up on the same box as the hotspot, use 127.0.0.1 for the IP address.

[admin@MikroTik] > tool user-manager router add ip-address=hotspot-ip shared-secret=12345 subscriber=hs_admin

In return, we need to set up the hotspot to use RADIUS for user authentication. First this involves creating a RADIUS client to communicate with the UM. Remember that if you have both services on the same box, the IP address should be set to 127.0.0.1. The secret should be the same as you set up above.

[admin@MikroTik] > radius add service=hotspot address=ip-address secret=12345
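The shared secret is what authenticates the hotspot to the User Manager RADIUS server and vice versa, and the 12345 used in the two commands above is a placeholder that should never reach a deployment. The Python helper below is an added example (not part of the original article): it rejects short, single-class or well-known secrets, generates a replacement from the operating system's CSPRNG restricted to characters that need no quoting on the RouterOS command line, and emits both commands with the same secret so the two sides cannot drift apart. The IP addresses in the usage are constructed; the command syntax follows the page.

```python
"""Vet and generate the RADIUS shared secret used by the two commands above.

Added example, not part of the original article: the shared secret is the only
thing protecting the HotSpot-to-User-Manager RADIUS exchange, and the article's
placeholder 12345 is exactly what this check rejects. Command strings follow the
syntax shown on the page; the IP addresses used below are constructed.
"""
import secrets
import string

SAFE_PUNCT = "-_.!%+=:"  # punctuation that needs no quoting on the RouterOS CLI
ALPHABET = string.ascii_letters + string.digits + SAFE_PUNCT
KNOWN_WEAK = {"12345", "123456", "secret", "password", "testing123", "radius"}


def check_shared_secret(secret, min_length=16):
    """Return a list of problems; an empty list means the secret is acceptable."""
    problems = []
    if len(secret) < min_length:
        problems.append(f"only {len(secret)} characters (minimum {min_length})")
    classes = sum(
        any(ch in group for ch in secret)
        for group in (string.ascii_lowercase, string.ascii_uppercase,
                      string.digits, string.punctuation)
    )
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    if secret.lower() in KNOWN_WEAK:
        problems.append("is a well-known default value")
    if any(ch in secret for ch in " \"'"):
        problems.append("contains whitespace or quotes that the CLI would mangle")
    return problems


def generate_shared_secret(length=32):
    """CSPRNG secret restricted to characters that are safe on the RouterOS command line."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_shared_secret(candidate):
            return candidate


def radius_commands(hotspot_ip, userman_ip, secret, subscriber="hs_admin"):
    """Both sides of the pairing with one shared secret, ready to paste into each box."""
    problems = check_shared_secret(secret)
    if problems:
        raise ValueError("weak shared secret: " + "; ".join(problems))
    return (
        f"/tool user-manager router add ip-address={hotspot_ip} "
        f"shared-secret={secret} subscriber={subscriber}",
        f"/radius add service=hotspot address={userman_ip} secret={secret}",
    )


if __name__ == "__main__":
    print("12345 ->", check_shared_secret("12345"))
    fresh = generate_shared_secret()
    # constructed addresses: hotspot at 192.168.30.1, User Manager on the same box
    for command in radius_commands("192.168.30.1", "127.0.0.1", fresh):
        print(command)
```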

Now we tell the hotspot itself to use a RADIUS client. First bring up a list of hotspot profiles:

[admin@MikroTik] > ip hotspot profile print

Locate the profile in use and type the following command where 1 is the number of the profile to configure:

[admin@MikroTik] > ip hotspot profile set 1 use-radius=yes

Now we are done with configuration. Browse to http://router-ip/userman where router-ip is the IP address of the box you are configuring UM on. Log in using the customer username and password created earlier.

Click on the User menu and select Add. Enter a username, password and any other details you wish. You can limit the speed at which the client can access the internet by selecting the Rate limits checkbox and typing in a suitable speed (e.g. for a flat 128kBps download/64kBps upload speed limit simply type 128k in the RX field and 64k in the TX field).

Click Add and you should now be able to access the hotspot using the username and password you specified. If you want to generate a printable ticket for the users you set up, click on the Users link, select the users to make a ticket for, click Generate and select the number of tickets per page.
Other Tips

You can also go a step further and play with some other available options, as this only skims the surface of the hotspot capabilities. I’ll post more notes as I play with additional options.

To disable communication between wireless clients (recommended), disable the default forward option on the wireless interface.
interface wireless set wlan1 default-forward=disabled
To set up a walled garden (pages people can access without authenticating), use the following command:
ip hotspot walled-garden add dst-host=www.website.com
To limit client bandwidth type the following, replacing profilename with the current hotspot profile in use and speed with the rate limit in bits per second:
ip hotspot profile set profilename rate-limit="speed"
You can customise the login and status pages by editing the files in the hotspot directory of the Mikrotik box. You can access these via FTP.

scr: www.marlwifi.org.nz

Hotspot Gateway

How to make a HotSpot gateway

The MikroTik HotSpot Gateway provides public network access for clients using wireless or wired network connections. A HotSpot Gateway should have at least two network interfaces:

1. HotSpot interface, which is used to connect HotSpot clients

2. LAN/WAN interface, which is used to access network resources.

The following picture shows a wireless HotSpot setup.


To set up a simple HotSpot Gateway follow the steps below:

1. Configure the wireless interface on the HotSpot Gateway:

[admin@HotSpot_Gateway]> interface wireless set wlan1 ssid=HotSpot band=2.4ghz-b \
\... mode=ap-bridge

2. Configure the IP address for the HotSpot interface:

[admin@HotSpot_Gateway] > ip add add address=192.168.0.1/24 interface=wlan1

3. Configure the IP address for the WAN/LAN interface:

[admin@HotSpot_Gateway] > ip add add address=10.5.8.250/24 interface=ether1

4. Add a default route on the HotSpot Gateway:

[admin@HotSpot_Gateway] > ip route add gateway=10.5.8.1

5. Configure the HotSpot on the wlan1 interface and add the user admin with password test:

[admin@MikroTik] > ip hotspot setup
hotspot interface: wlan1
local address of network: 192.168.0.1/24
masquerade network: yes
address pool of network: 192.168.0.2-192.168.0.254
select certificate: none
ip address of smtp server: 0.0.0.0
dns servers: 10.5.8.2
dns name: hs.example.net
name of local hotspot user: admin
password for the user: test

In order to access network resources, HotSpot clients have to configure their wireless interfaces with the proper ssid, band and mode, and enable dynamic host configuration (DHCP) on the wireless interface.
scr: mikrotik wiki

Mikrotik Hotspot


How to Setup Your Own Hotspot with MIKROTIK routers

You need to set up your MikroTik router using Winbox. Winbox is the graphical user interface for configuring MikroTik RouterOS. You can get Winbox via The Dude. Once installed, click on Discover. Once the devices are discovered and displayed, right-click on the RouterOS device, select Tools and then select Winbox.

1. First we need to define the first port for WAN connection so the router will connect to the internet via another router with DHCP.

In winbox click IP > DHCP Client and Add DHCP Client to port ether1



2. Let's add the hotspot service to wlan. Click IP > HotSpot and then Setup, and choose wlan1 as the hotspot interface. You can accept the default values, but choose none for the certificate. Leave the IP as it is (10.5.50.x). If you change this IP, the LOGIN and LOGOUT links will not work on your splash page.



3. You need to add our radius server as authentication and accounting server.

In the hotspot profiles (IP > HotSpot > Profiles) choose your hotspot profile and allow radius in the radius tab, de-select cookie, allow http pap and chap.





4. You need to define our radius server. Click Radius and the + sign to add our radius server.



Click Services > Hotspot, enter radius address: 195.228.254.149, Secret: hotsys123

5. We have to allow certain sites and servers for non-authenticated users; otherwise they can't buy access.

In the section IP > HotSpot > Walled Garden, click on + sign and add the following domains to Dst. Host one by one:

*.hotspotsystem.com
*.rbsworldpay.com
*.paypal.com
*.paypalobjects.com
*.akamaiedge.net
paypal.112.2O7.net
*.moneybookers.com
*.adyen.com

Then in the section IP > HotSpot > Walled Garden > IP List add the following IPs to Dst. Address one by one (if your Mikrotik doesn't allow netmask values (.0/24) you can skip the netmask value):

194.149.46.0/24
198.241.128.0/17
66.211.128.0/17
216.113.128.0/17
70.42.128.0/17
128.242.125.0/24
216.52.17.0/24
62.249.232.74
155.136.68.77
66.4.128.0/17
66.211.128.0/17
66.235.128.0/17
88.221.136.146
195.228.254.149
195.228.254.152
203.211.140.157
203.211.150.204
82.199.90.136/29
82.199.90.160/27
91.212.42.0/24




6. You need to synchronize the router's time with our server.

Click on System > NTP Client. Enter primary and secondary NTP servers. To find NTP servers, go to http://www.pool.ntp.org/ and select the location's continent on the right side of the page. You'll find NTP servers there.

Be sure to leave TimeZoneName: manual, and TimeZone: 00:00 in System > Clock. (Don't set your own timezone, because the router has to show the GMT time!)



7. You need to change the router's NASID. The NASID setting in the Mikrotik is located under System > Identity. Default is 'MikroTik'.

Change this the following way: OPERATORUSERNAME_LOCATIONNUMBER

Example: Operator Username is 'globalhotspot', Location ID: '2', then NASID should be: 'globalhotspot_2'



8. You have to customize Mikrotik's built-in login page. On the side menu go to Files, and find the login.html file under the 'hotspot' directory. Double click on the file and choose Backup.

Open a simple text editor like notepad and copy and paste the following to the editor:
HotSpot System Login




Save it as login.html to your Desktop.

Drag and drop this login.html to your "hotspot" directory in the Winbox program.

If you wish to use FTP you can FTP to your mikrotik router with the admin userid and password and replace the file there under the 'hotspot' directory.

If you don't wish to redirect users to our nice splash page you can continue to use the router's built-in login page, but in this case it is important to add a link to the internal page where your users can buy access or activate their prepaid cards.



9. You have to set the Login/Logout URL IP addresses in the Control Center. Log in to the Control Center with your Operator Username and password and go to Manage > Locations. Click on the location, then click on Modify Hotspot Data & Settings. In Splash Page Settings modify the Internal Login/Logout URL Set to Mikrotik. Make sure that 'Display Login Box on Main Splash Page' option is CHECKED.


10. As the last step you have to add an hourly up-status check for the Router Alert feature.

Go to System > Scheduler and add a new task by pressing the plus sign.

Name: up
Interval: 01:00:00

On Event:

/tool fetch keep-result=no mode=http address=tech.hotspotsystem.com src-path=("up.php?mac=".[/interface ethernet get 0 mac-address]."&nasid=".[/system identity get name]."&os_date=Mikrotik&uptime=".[/system clock get time]."%20up%20".[/system resource get uptime].",%20load%20average:%20".[/system resource get cpu-load]."%")

Policy: enable all

Press Apply and OK.



That's all. You can set up the hotspot service even on a wired connection. In this case you have to choose an ethernet port instead of wlan, or you can set up the hotspot on both ports.

If you have successfully set up your MikroTik router you should see a login window when connecting via wireless. You can log in with username admin and a blank password.

scr: http://www.hotspotsystem.com/en/hotspot/install_guide_mikrotik.html
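An added example in Python (not part of the hotspotsystem guide above) that models the walled-garden matching of step 5 and measures how much address space the IP list opens to clients before they log in. Assumptions: RouterOS treats `*` in dst-host as a plain wildcard, which fnmatchcase reproduces, and CIDR containment is ordinary; the count 197679 is what this page's list works out to once the duplicated 66.211.128.0/17 is merged.

```python
import ipaddress
from fnmatch import fnmatchcase

# Walled-garden entries as listed in step 5 of the guide above.
WALLED_GARDEN_HOSTS = [
    "*.hotspotsystem.com", "*.rbsworldpay.com", "*.paypal.com",
    "*.paypalobjects.com", "*.akamaiedge.net", "paypal.112.2O7.net",
    "*.moneybookers.com", "*.adyen.com",
]
WALLED_GARDEN_IPS = [
    "194.149.46.0/24", "198.241.128.0/17", "66.211.128.0/17",
    "216.113.128.0/17", "70.42.128.0/17", "128.242.125.0/24",
    "216.52.17.0/24", "62.249.232.74", "155.136.68.77", "66.4.128.0/17",
    "66.211.128.0/17", "66.235.128.0/17", "88.221.136.146",
    "195.228.254.149", "195.228.254.152", "203.211.140.157",
    "203.211.150.204", "82.199.90.136/29", "82.199.90.160/27",
    "91.212.42.0/24",
]

def host_allowed(host, patterns=WALLED_GARDEN_HOSTS):
    """True if an unauthenticated client may reach this hostname.
    Assumption: RouterOS dst-host '*' behaves like a shell wildcard, which is
    what fnmatchcase implements; names are case-folded because DNS is."""
    h = host.lower()
    return any(fnmatchcase(h, p.lower()) for p in patterns)

def ip_allowed(ip, entries=WALLED_GARDEN_IPS, keep_netmask=True):
    """True if the destination IP falls inside the walled-garden IP list.
    keep_netmask=False models the guide's fallback of typing the entries
    without '/24' etc., which silently shrinks each range to a single host."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if not keep_netmask:
            entry = entry.split("/")[0]
        if addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def exposed_address_count(entries=WALLED_GARDEN_IPS):
    """Distinct IPv4 addresses reachable before login, after merging
    duplicates (66.211.128.0/17 appears twice) and overlapping ranges.
    Useful for judging how wide the pre-authentication opening really is."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))

if __name__ == "__main__":
    print(host_allowed("www.paypal.com"), host_allowed("paypal.com.example"))
    print(ip_allowed("194.149.46.10"), ip_allowed("194.149.46.10", keep_netmask=False))
    print(exposed_address_count())  # 197679
```

Dropping the netmask is not a harmless shortcut: with keep_netmask=False the /24 and /17 entries collapse to their network address only, so the payment flows those ranges were meant to cover will fail for unauthenticated users.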

Mikrotik Netinstall

Tuesday, May 31, 2011

Mikrotik Wireless Repeater




Introduction

This example shows how to configure a wireless repeater. A wireless repeater extends the range of an existing WLAN instead of adding more access points. Consider the network layout:



We will use two wireless interfaces (two antennas) on the repeater router. WDS links will be established between 'Main gateway' and 'Repeater', 'Repeater' and 'AP1', 'AP2' (end-users are connected to the AP1 and AP2).

Note that client wireless interfaces (station, ad-hoc, infrastructure) do not support bridging because of the limitations of 802.11.


Quick Start

Main Gateway configuration export:

/ ip address add address=192.168.0.1/24 interface=wlan1
/ interface wireless set wlan1 disabled=no mode=ap-bridge band=5ghz frequency=5180 ssid=Main_gw wds-mode=static
/ interface wireless wds add disabled=no wds-address=XX:XX:XX:XX:XX:X2 master-interface=wlan1
/ interface bridge add
/ interface bridge port add interface=wlan1 bridge=bridge1
/ interface bridge port add interface=wds1 bridge=bridge1

Repeater configuration export:

/ interface wireless set wlan1 disabled=no mode=ap-bridge band=5ghz frequency=5180 ssid=Main_gw wds-mode=static
/ interface wireless wds add disabled=no wds-address=XX:XX:XX:XX:XX:X1 master-interface=wlan1
/ interface bridge add
/ interface bridge port add interface=wlan1 bridge=bridge1
/ interface bridge port add interface=wds1 bridge=bridge1

/ interface wireless set wlan2 disabled=no mode=ap-bridge band=5ghz frequency=5805 ssid=To_clients wds-mode=static
/ interface wireless wds add disabled=no wds-address=XX:XX:XX:XX:XX:X4 master-interface=wlan2
/ interface bridge port add interface=wlan2 bridge=bridge1
/ interface bridge port add interface=wds2 bridge=bridge1
/ ip address add address=192.168.0.2/24 interface=bridge1

AP1, AP2 configuration export:

/ interface wireless set wlan1 disabled=no mode=ap-bridge band=5ghz frequency=5805 ssid=To_clients wds-mode=static
/ interface wireless wds add disabled=no wds-address=XX:XX:XX:XX:XX:X3 master-interface=wlan1
/ interface bridge add
/ interface bridge port add interface=wlan1 bridge=bridge1
/ interface bridge port add interface=wds1 bridge=bridge1
/ ip address add address=192.168.0.3/24 interface=wlan1

wiki

Friday, April 8, 2011

Queue tree

In the previous example we dedicated 128Kib/s download and 64Kib/s upload traffic for the local network. In this example we will guarantee 256Kib/s download (128Kib/s for the Server, 64Kib/s for the Workstation and also 64Kib/s for the Laptop) and 128Kib/s upload (64/32/32Kib/s, respectively) for local network devices. Additionally, if there is spare bandwidth, we share it among users equally. For example, if we turn off the Laptop, its 64Kib/s download and 32Kib/s upload are shared between the Server and the Workstation.

When using masquerading, you have to mark the outgoing connection with new-connection-mark and take the mark-connection action. When it is done, you can mark all packets which belong to this connection with the new-packet-mark and use the mark-packet action.

At first, mark the Server's download and upload traffic. With the first rule we will mark the outgoing connection and with the second one, all packets, which belong to this connection:

[admin@MikroTik] ip firewall mangle> add src-address=192.168.0.1/32 \
\... action=mark-connection new-connection-mark=server-con chain=prerouting
[admin@MikroTik] ip firewall mangle> add connection-mark=server-con \
\... action=mark-packet new-packet-mark=server chain=prerouting
[admin@MikroTik] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting src-address=192.168.0.1 action=mark-connection
new-connection-mark=server-con

1 chain=prerouting connection-mark=server-con action=mark-packet
new-packet-mark=server
[admin@MikroTik] ip firewall mangle>

The same for Laptop and Workstation:

[admin@MikroTik] ip firewall mangle> add src-address=192.168.0.2 \
\... action=mark-connection new-connection-mark=lap_works-con chain=prerouting
[admin@MikroTik] ip firewall mangle> add src-address=192.168.0.3 \
\... action=mark-connection new-connection-mark=lap_works-con chain=prerouting
[admin@MikroTik] ip firewall mangle> add connection-mark=lap_works-con \
\... action=mark-packet new-packet-mark=lap_work chain=prerouting
[admin@MikroTik] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting src-address=192.168.0.1 action=mark-connection
new-connection-mark=server-con

1 chain=prerouting connection-mark=server-con action=mark-packet
new-packet-mark=server

2 chain=prerouting src-address=192.168.0.2 action=mark-connection
new-connection-mark=lap_works-con

3 chain=prerouting src-address=192.168.0.3 action=mark-connection
new-connection-mark=lap_works-con

4 chain=prerouting connection-mark=lap_works-con action=mark-packet
new-packet-mark=lap_work
[admin@MikroTik] ip firewall mangle>

As you can see, we marked the connections belonging to the Laptop and the Workstation with the same connection mark, so their packets end up with the same packet mark (lap_work).

In /queue tree add rules that will limit Server's download and upload:

[admin@MikroTik] queue tree> add name=Server-Download parent=Local \
\... limit-at=131072 packet-mark=server max-limit=262144
[admin@MikroTik] queue tree> add name=Server-Upload parent=Public \
\... limit-at=65536 packet-mark=server max-limit=131072
[admin@MikroTik] queue tree> print
Flags: X - disabled, I - invalid
0 name="Server-Download" parent=Local packet-mark=server limit-at=131072
queue=default priority=8 max-limit=262144 burst-limit=0
burst-threshold=0 burst-time=0s

1 name="Server-Upload" parent=Public packet-mark=server limit-at=65536
queue=default priority=8 max-limit=131072 burst-limit=0
burst-threshold=0 burst-time=0s
[admin@MikroTik] queue tree>

And similar config for Laptop and Workstation:

[admin@MikroTik] queue tree> add name=Laptop-Wkst-Down parent=Local \
\... packet-mark=lap_work limit-at=65535 max-limit=262144
[admin@MikroTik] queue tree> add name=Laptop-Wkst-Up parent=Public \
\... packet-mark=lap_work limit-at=32768 max-limit=131072
[admin@MikroTik] queue tree> print
Flags: X - disabled, I - invalid
0 name="Server-Download" parent=Local packet-mark=server limit-at=131072
queue=default priority=8 max-limit=262144 burst-limit=0
burst-threshold=0 burst-time=0s

1 name="Server-Upload" parent=Public packet-mark=server limit-at=65536
queue=default priority=8 max-limit=131072 burst-limit=0
burst-threshold=0 burst-time=0s

2 name="Laptop-Wkst-Down" parent=Local packet-mark=lap_work limit-at=65535
queue=default priority=8 max-limit=262144 burst-limit=0
burst-threshold=0 burst-time=0s

3 name="Laptop-Wkst-Up" parent=Public packet-mark=lap_work limit-at=32768
queue=default priority=8 max-limit=131072 burst-limit=0
burst-threshold=0 burst-time=0s
[admin@MikroTik] queue tree>
mikrotik.com
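An added Python example, not from the MikroTik manual, that works through the sharing rule stated at the start of this section: each child first gets its limit-at, then spare parent bandwidth is split equally among children that still want more, up to max-limit. It models the three devices as described in the text (the page's actual tree merges Laptop and Workstation into one queue); the equal-split order is an assumption taken from the text, not an emulation of RouterOS's HTB scheduler.

```python
# Constructed water-filling model of how a parent queue divides bandwidth.
# Order assumed here (from the text above): every active child first receives
# its limit-at, then the spare is split equally among children that still want
# more and are below max-limit. All values are bits per second, as in /queue tree.

KIB = 1024

# Download side: parent "Local" carries 256Kib/s; guarantees 128/64/64.
DOWNLOAD_QUEUES = {
    "Server":      {"limit_at": 128 * KIB, "max_limit": 256 * KIB},
    "Workstation": {"limit_at": 64 * KIB,  "max_limit": 256 * KIB},
    "Laptop":      {"limit_at": 64 * KIB,  "max_limit": 256 * KIB},
}
# Upload side: parent "Public" carries 128Kib/s; guarantees 64/32/32.
UPLOAD_QUEUES = {
    "Server":      {"limit_at": 64 * KIB, "max_limit": 128 * KIB},
    "Workstation": {"limit_at": 32 * KIB, "max_limit": 128 * KIB},
    "Laptop":      {"limit_at": 32 * KIB, "max_limit": 128 * KIB},
}

def share(parent_rate, queues, demand):
    """Return {child: bits/s} given each child's offered load.
    demand maps child -> bits/s it is trying to send; absent or 0 means idle."""
    if sum(q["limit_at"] for q in queues.values()) > parent_rate:
        raise ValueError("sum of limit-at exceeds the parent: guarantees cannot hold")
    # A child can never get more than it asks for or than its max-limit.
    ceiling = {n: min(demand.get(n, 0), q["max_limit"]) for n, q in queues.items()}
    # Guaranteed part first.
    alloc = {n: min(ceiling[n], q["limit_at"]) for n, q in queues.items()}
    spare = parent_rate - sum(alloc.values())
    # Water-fill the spare in equal slices; loop again whenever a child hits
    # its ceiling, because its unused slice goes back to the others.
    while spare > 0:
        hungry = [n for n in queues if alloc[n] < ceiling[n]]
        if not hungry:
            break
        slice_ = spare // len(hungry)
        if slice_ == 0:
            break
        for n in hungry:
            give = min(slice_, ceiling[n] - alloc[n])
            alloc[n] += give
            spare -= give
    return alloc

if __name__ == "__main__":
    saturated = {n: 256 * KIB for n in DOWNLOAD_QUEUES}
    print(share(256 * KIB, DOWNLOAD_QUEUES, saturated))       # exactly the guarantees
    laptop_off = {"Server": 256 * KIB, "Workstation": 256 * KIB}
    print(share(256 * KIB, DOWNLOAD_QUEUES, laptop_off))      # Server 163840, Workstation 98304
```

The ValueError branch is the check worth keeping in mind when editing a real tree: if the children's limit-at values add up to more than the parent's max-limit, the "guaranteed" rates are not guaranteed at all.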