Micro Tik - HowTo

Routes, Equal Cost Multipath Routing, Policy Routing
Description
MikroTik RouterOS has following types of routes:
dynamic routes - automatically created routes for networks, which are directly
accessed through an interface. They appear automatically, when adding a new I
address. !ynamic routes are also added "y routing protocols.
static routes - user-defined routes that specify the router which can forward traffic
to the specified destination network. They are useful for specifying the default
gateway
ECMP (Equal Cost Multi-Path) Routing
This routing mechanism ena"les packet routing along multiple paths with e#ual cost and
ensures load "alancing. $ith %&M routing, you can use more than one gateway for one
destination network '(ote) This approach does not pro*ide failo*er+. $ith %&M, a router
potentially has se*eral a*aila"le ne,t hops towards a gi*en destination. - new gateway is
chosen for each new source.destination I pair. It means that, for e,ample, one /T
connection will use only one link, "ut new connection to a different ser*er will use another
link. %&M routing has another good feature - single connection packets do not get
reordered and therefore do not kill T& performance.
The %&M routes can "e created "y routing protocols 'RI or OS/+, or "y adding a static
route with multiple gateways, separated "y a comma 'e.g., .ip route add
gateway0123.145.6.1,123.145.1.1+. The routing protocols may create routes 'dynamic+
with e#ual cost automatically, if the cost of the interfaces is ad7usted propery. /or more
information on using routing protocols, please read the corresponding Manual.
Policy-Based Routing
It is a routing approach where the ne,t hop 'gateway+ for a packet is chosen, "ased on a
policy, which is configured "y the network administrator. In RouterOS the procedure the
follwing:
mark the desired packets, with a routing-mark
choose a gateway for the marked packets
Note! In routing process, the router decides which route it will use to send out the packet.
-fterwards, when the packet is mas#ueraded, its source address is taken from the prefsrc
field.
Routes
Su"menu le*el: /ip route
Description
In this su"menu you can configure Static, %#ual &ost Multi-ath and olicy-8ased Routing
and see the routes.
Property Description
1
as-path 'text+ - manual *alue of 89:s as-path for outgoing route
atomic-aggregate 'yes ; no+ - 89 attri"ute. -n indication to recei*er that it cannot
<deaggregate< the prefi,
check-gateway 'arp ; ping= default: ping+ - which protocol to use for gateway reacha"ility
distance 'integer: 6..3>>+ - administrati*e distance of the route. $hen forwarding a
packet, the router will use the route with the lowest administrati*e distance and reacha"le
gateway
dst-address 'IP address.netmask= default: !!!"+ - destination address and network
mask, where netmask is num"er of "its which indicate network num"er. ?sed in static
routing to specify the destination which can "e reached, using a gateway
!!!" - any network
gateway 'IP address+ - gateway host, that can "e reached directly through some of the
interfaces. @ou can specify multiple gateways separated "y a comma <,< for %&M routes
local-pref 'integer+ - local preference *alue for a route
med 'integer+ - a 89 attri"ute, which pro*ides a mechanism for 89 speakers to con*ey
to an ad7acent -S the optimal entry point into the local -S
origin 'incomplete ; igp ; egp+ - the origin of the route prefi,
prefsrc 'IP address+ - source I address of packets, lea*ing router *ia this route
!!! - prefsrc is determined automatically
prepend 'integer: 6..14+ - num"er which indicates how many times to prepend -SA(-M%
to -SA-TB
routing-mark 'name+ - a mark for packets, defined under /ip firewall mangle. Only those
packets which ha*e the according routing-mark, will "e routed, using this gateway. $ith
this parameter we pro*ide policy "ased routing
scope 'integer: 6..3>>+ - a *alue which is used to recursi*ely lookup the ne,thop
addresses. (e,thop is looked up only through routes that ha*e scope C0 target-scope of
the ne,thop
target-scope 'integer: 6..3>>+ - a *alue which is used to recursi*ely lookup the ne,t-hop
addresses. %ach ne,thop address selects smallest *alue of target-scope from all routes that
use this ne,thop address. (e,thop is looked up only through routes that ha*e scope C0
target-scope of the ne,thop
Notes
@ou can specify more than one or two gateways in the route. Moreo*er, you can repeat
some routes in the list se*eral times to do a kind of cost setting for gateways.
Exaple
To add two static routes to networks 16.1.13.6.3D and 6.6.6.6.6 'the default destination
address+ on a router with two interfaces and two I addresses:
[admin@MikroTik] ip route> add dst-address=10.1.12.0/24 gateway=192.168.0.253
[admin@MikroTik] ip route> add gateway=10.5.8.1
[admin@MikroTik] ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS G GATEWAY DISTANCE INTERFACE
0 A S 10.1.12.0/24 r 192.168.0.253 Local
1 ADC 10.5.8.0/24 Public
2 ADC 192.168.0.0/24 Local
3 A S 0.0.0.0/0 r 10.5.8.1 Public
[admin@MikroTik] ip route>
Policy Rules
Su"menu le*el: /ip route rule
2
action 'drop ; unreacha"le ; lookup= default: unreacha#le+ - action to "e processed on
packets matched "y this rule:
drop - silently drop packet
unreacha#le - reply that destination host is unreacha"le
lookup - lookup route in gi*en routing ta"le
dst-address 'IP address mask+ - destination I address.mask
interface 'name= default: $$+ - interface through which the gateway can "e reached
routing-mark 'name= default: $$+ - mark of the packet to "e mached "y this rule. To add
a routing mark, use :.ip firewall mangle: commands
src-address 'IP address mask+ - source I address.mask
ta#le 'name= default: $$+ - routing ta"le, created "y user
Notes
@ou can use policy routing e*en if you use mas#uerading on your pri*ate networks. The
source address will "e the same as it is in the local network. In pre*ious *ersions of
RouterOS the source address changed to !!!
It is impossi"le to recogniEe peer-to-peer traffic from the first packet. Only already
esta"lished connections can "e matched. That also means that in case source (-T is
treating eer-to-eer traffic differently from the regular traffic, eer-to-eer programs will
not work 'general application is policy-routing redirecting regular traffic through one
interface and eer-to-eer traffic - through another+. - known workaround for this pro"lem
is to sol*e it from the other side: making not eer-to-eer traffic to go through another
gateway, "ut all other useful traffic go through another gateway. In other words, to specify
what protocols 'BTT, !(S, OF, etc.+ will go through the gateway -, lea*ing all the rest
'so eer-to-eer traffic also+ to use the gateway 8 'it is not important, which gateway is
which= it is only important to keep eer-to-eer together with all traffic e,cept the specified
protocols+
Exaple
To add the rule specifying that all the packets from the 16.6.6.1DD host should lookup the
mt routing ta"le:
[admin@MikroTik] ip firewall mangle add action=mark-routing new-routing-mark=mt \
\... chain=prerouting
[admin@MikroTik] ip route> add gateway=10.0.0.254 routing-mark=mt
[admin@MikroTik] ip route rule> add src-address=10.0.0.144/32 \
\... table=mt action=lookup
[admin@MikroTik] ip route rule> print
Flags: X - disabled, I - invalid
0 src-address=192.168.0.144/32 action=lookup table=mt
[admin@MikroTik] ip route rule>
!pplication Exaples
"tatic Equal Cost Multi-Path routing
&onsider the following situation where we ha*e to route packets from the network
%&'!%()!!"'* to 3 gateways - %!%!!% and %!%!%!%:
3
(ote that the IS1 gi*es us 3M"ps and IS3 - DM"ps
so we want a traffic ratio 1:3 '1.F of the source.destination I pairs from %&'!%()!!"'*
goes through IS1, and 3.F through IS3+.
I addresses of the router:
[admin@ECMP-Router] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.0.254/24 192.168.0.0 192.168.0.255 Local
1 10.1.0.2/28 10.1.0.0 10.1.0.15 Public1
2 10.1.1.2/28 10.1.1.0 10.1.1.15 Public2
[admin@ECMP-Router] ip address>
-dd the default routes - one for IS1 and 3 for IS3 so we can get the ratio 1:F:
[admin@ECMP-Router] ip route> add gateway=10.1.0.1,10.1.1.1,10.1.1.1
[admin@ECMP-Router] ip route> print
0 ADC 10.1.0.0/28 Public1
1 ADC 10.1.1.0/28 Public2
2 ADC 192.168.0.0/24 Local
3 A S 0.0.0.0/0 r 10.1.0.1 Public1
r 10.1.1.1 Public2
r 10.1.1.1 Public2
[admin@ECMP-Router] ip route>
"tandard Policy-Based Routing #ith $ailo%er
This e,ample will show how to route packets, using an administrator defined policy. The
policy for this setup is the following: route packets from the network %&'!%()!!"'*,
using gateway 16.6.6.1, and packets from network %&'!%()!%!"'*, using gateway
16.6.6.3. If 9$A1 does not respond to pings, use 9$A8ackup for network 123.145.6.6.3D,
if 9$A3 does not respond to pings, use 9$A8ackup also for network 123.145.1.6.3D
instead of 9$A3.
The setup:
4
&onfiguration of the I addresses:
[admin@PB-Router] ip address> print
0 192.168.0.1/24 192.168.0.0 192.168.0.255 Local1
1 192.168.1.1/24 192.168.1.0 192.168.1.255 Local2
2 10.0.0.7/24 10.0.0.0 10.0.0.255 Public
[admin@PB-Router] ip address>
To achie*e the descri"ed result, follow these configuration steps:
1. Mark packets from network 123.145.6.6.3D with a new-routing-mark+net%, and
packets from network 123.145.1.6.3D with a new-routing-mark+net':
2. [admin@PB-Router] ip firewall mangle> add src-address=192.168.0.0/24 \
3. \... action=mark-routing new-routing-mark=net1 chain=prerouting
4. [admin@PB-Router] ip firewall mangle> add src-address=192.168.1.0/24 \
5. \... action=mark-routing new-routing-mark=net2 chain=prerouting
6. [admin@PB-Router] ip firewall mangle> print
7. Flags: X - disabled, I - invalid, D - dynamic
8. 0 chain=prerouting src-address=192.168.0.0/24 action=mark-routing
9. new-routing-mark=net1
10.
11. 1 chain=prerouting src-address=192.168.1.0/24 action=mark-routing
12. new-routing-mark=net2
[admin@PB-Router] ip firewall mangle>
1F. Route packets from network 123.145.6.6.3D to gateway 9$A1 '16.6.6.3+, packets
from network 123.145.1.6.3D to gateway 9$A3 '16.6.6.F+, using the according
packet marks. If 9$A1 or 9$A3 fails 'does not reply to pings+, route the respecti*e
packets to 9$AMain '16.6.6.1+:
5
14. [admin@PB-Router] ip route> add gateway=10.0.0.2 routing-mark=net1 \
15. \... check-gateway=ping
16. [admin@PB-Router] ip route> add gateway=10.0.0.3 routing-mark=net2 \
17. \... check-gateway=ping
18. [admin@PB-Router] ip route> add gateway=10.0.0.1
19. [admin@PB-Router] ip route> print
20. Flags: X - disabled, A - active, D - dynamic,
21. C - connect, S - static, r - rip, b - bgp, o - ospf
22. # DST-ADDRESS PREFSRC G GATEWAY DISTANCE INTERFACE
23. 0 ADC 10.0.0.0/24 10.0.0.7 Public
24. 1 ADC 192.168.0.0/24 192.168.0.1 Local1
25. 2 ADC 192.168.1.0/24 192.168.1.1 Local2
26. 3 A S 0.0.0.0/0 r 10.0.0.2 Public
27. 4 A S 0.0.0.0/0 r 10.0.0.3 Public
28. 5 A S 0.0.0.0/0 r 10.0.0.1 Public
[admin@PB-Router] ip route>
,P -elephony
&eneral 'n(oration
"uary
The MikroTik RouterOS I Telephony feature ena"les Goice o*er I 'GoI+ communications
using routers e#uipped with the following *oice port hardware:
Huicknet IineJ-&K or honeJ-&K analog telephony cards
IS!( cards
Goicetroni, OpenIineD 'was GD&I+ - D analog telephone lines cards
Laptel $ildcard M166 I telephony card - 1 analog telephone line
"peci(ications
ackages re#uired: telephony
Iicense re#uired: Level1
Su"menu le*el: /ip telephony
Standards and Technologies: RT
Bardware usage: Pentium MMX level processor recommended
Related Docuents
ackage Management
IS!(
---
Description
I telephony, known as Goice o*er I 'GoI+, is the transmission of telephone calls o*er a
data network like one of the many networks that make up the Internet. There are four ways
that you might talk to someone using GoI:
&omputer-to-computer - This is certainly the easiest way to use GoI, and you don:t
ha*e to pay for long-distance calls.
&omputer-to-telephone - This method allows you to call anyone 'who has a phone+
from your computer. Iike computer-to-computer calling, it re#uires a software client.
The software is typically free, "ut the calls may ha*e a small per-minute charge.
6
Telephone-to-computer - -llows a standard telephone user to initiate a call to a
computer user.
Telephone-to-telephone - Through the use of gateways, you can connect directly
with any other standard telephone in the world.
Suppoted hardware:
Huicknet Technologies cards:
o Internet honeJ-&K 'IS- or &I+ for connecting an analog telephone '/MS
port+
o Internet IineJ-&K 'IS-+ for connecting an analog telephone line '/MO port+ or
a telephone '/MS port+
IS!( client cards '&I+ for connecting an IS!( line. See !e*ice !ri*er Iist for the list
of supported &I IS!( cards
Goicetroni, OpenIineD card for connecting four 'D+ analog telephone lines '/MO ports+
Laptel $ildcard M166 I telephony card 'from Iinu, Support Ser*ices+ for connecting
one analog telephone line '/MO port+
Supported standards:
MikroTik RouterOS supports I Telephony in compliance with the International
Telecommunications ?nion - Telecommunications 'IT?-T+ specification B.F3F*D.
B.F3F is a specification for transmitting multimedia '*oice, *ideo, and data+ across
an I network. B.F3F*D includes: B.3D>, B.33>, H.2F1, B.D>6.1, RT'real-time
protocol+
The followong audio codecs are supported: .!/%% 'the 4D k"ps ulse code
modulation '&M+ *oice coding+, .!/'0!% 'the 4.F k"ps compression techni#ue that
can "e used for compressing audio signal at *ery low "it rate+, .1M-(!% 'the 1F.3
k"ps coding+, 2PC-% 'the 3.> k"ps coding+, .!/'& and .!/'&a 'the 5 k"ps &S-
-&%I software coding+, .!/') '14 k"ps coding techni#ue, supported only on
Huicknet IineJ-&K cards+
In ST( lines there is a known delay of the signal caused "y switching and signal
compressing de*ices of the telephone network 'so, it depends on the distance "etween the
peers+, which is generally rather low. The delay is also present in I networks. The main
difference "etween a ST( and an I network is that in I networks that delay is more
random. The actual packet delay may *ary in order of magnutude in congested networks 'if
a network "ecomes congested, some packets may e*en "e lost+. -lso packet reordering
may take place. To pre*ent signal loss, caused "y random 7itter of I networks and packet
reordering, to corrupt audio signal, a 7itter "uffer is present in I telephony de*ices. The
7itter "uffer is delaying the actual play"ack of a recei*ed packet forming The larger the 7itter
"uffer, the larger the total delay, "ut fewer packets get lost due to timeout.
The total delay from the moment of recording the *oice signal till its play"ack is the sum of
following three delay times:
delay time at the recording point 'appro,. F5ms+
delay time of the I network '1..>ms and up+
delay time at the play"ack point 'the 7itter delay+
Notes
%ach installed Huicknet card re#uires IO memory range in the following se#uence: the first
card occupies addresses 6,F66-6,F1f, the second card 6,F36-6,FFf, the third 6,FD6-6,F>f,
and so on. Make sure there is no conflict in these ranges with other de*ices, e.g., network
interface cards, etc.
7
?se the telephony logging feature to de"ug your setup.
!dditional Resources
I Telephony Online
&eneral )oice port settings
Su"menu le*el: /ip telephony %oice-port
Description
This su"menu is used for managing all I telephony *oice ports 'line7ack, phone7ack, isdn,
*oip, *oicetroni,, Eaptel+
name 'name+ - assigned name of the *oice port
type 'read-only: phone7ack ; line7ack ; phone7ack-lite ; phone7ack-pci ; *oip ; isdn ;
*oicetroni, ; Eaptel+ - type of the installed telephony *oice port:
phone3ack - Huicknet honeJ-&K 'IS-+
line3ack - Huicknet IineJ-&K 'IS-+
phone3ack-lite - Huicknet honeJ-&K Iite Iinu, %dition 'IS-+
phone3ack-pci - Huicknet honeJ-&K '&I+
4oip - generic Goice o*er I port
isdn - IS!( cards
4oicetroni5 - Goicetroni, OpenIineD
6aptel - Laptel $ildcard M166
autodial 'integer= default: $$+ - num"er to "e dialed automatically, if call is coming in from
this *oice port
Notes
If autodial does not e,actly match an item in "ip telephony num#ers, there can "e two
possi"ilities:
if autodial is incomplete, rest of the num"er is asked 'local *oice port+ or incoming
call is denied 'GoI+
if autodial is in*alid, line is hung up 'ST( line+, "usy tone is played 'OTS+ or
incoming call is denied 'GoI+
)oicetronix )oice Ports
Su"menu le*el: /ip telephony %oice-port %oicetronix
name 'name+ - name gi*en "y the user or the default one
autodial 'integer= default: $$+ - phone num"er which will "e dialed immediately after the
handset has "een lifted. If this num"er is incomplete, then the remaining part has to "e
dialed on the dial-pad. If the num"er is incorrect, the line is hung up. If the num"er is
correct, then the appropriate num"er is dialed 'the direct-call mode is used - the line is
picked up only after the remote party answers the call+
play#ack-4olume 'integer: -D5..D5= default: + - play"ack *olume in d8
8
- 6d8 meand no change to signal le*el
record-4olume 'integer: -D5..D5= default: + - record *olume in d8
region 'name= default: us+ - regional setting for the *oice port. This setting is used for
setting the parameters of ST( line, as well as for detecting and generating the tones
agc-on-play#ack 'yes ; no= default: no+ - automatic gain control on play"ack 'can not "e
used together with hardware *oice codecs+
agc-on-record 'yes ; no= default: no+ - automatic gain control on record 'can not "e used
together with hardware *oice codecs+
detect-cpt 'yes ; no= default: no+ - automatically detect call progress tones
#alance-registers 'integer: 6..3>>= default: %&&+ - registers which depend on telephone
line impedance. &an "e ad7usted to get "est echo cancellation. Should "e changed only if
echo cancellation on *oicetroni, card does not work good enough. %cho cancellation
pro"lems can imply !TM/ and "usy-tone detection failures. The *alue has to "e in format
#al%7,#al07,#al'88, where #al%, #al', #al0 - "alance registers. #al% has to "e in inter*al
123..3D5 '6,&6..6,/5+. The others should "e in inter*al 6..3>> '6,66..6,//+
#alance-status 'read-only: integer= default: unknown+ - shows #uality of hardware echo
cancellation in d8
loop-drop-detection 'yes ; no= default: yes+ - automatically clear call when loop drop is
detected
Coand Description
test-#alance - current #alance-registers *alue is tested once. Result is placed in
#alance-status parameter. 8alance can "e tested only when line is off-hook. It won:t work
if line is on-hook or there is an esta"lished connection
,nput Parameters
unnamed 'name+ - port name to test "alance of
find-#est-#alance - series of test-#alance is e,ecuted with different #alance-registers
*alues. !uring the tests #alance-registers are updated to the "est *alues found
,nput Parameters
unnamed 'name+ - port name to find "est "alance of
clear-call - terminate a current call esta"lished with the specified *oice port
,nput Parameters
unnamed 'name+ - port name to clear call with
show-stats - show *oice port statistics
,nput Parameters
unnamed 'name+ - port name show statistics of
Return 9alues
round-trip-delay 'time+ - ma,imal time of packet round trip
packets-sent 'integer+ - num"er of packets sent "y this card 'these packets are digitaliEed input of the
*oice port+
#ytes-sent 'integer+ - num"er of "ytes sent "y this card 'these packets are digitaliEed input of the *oice
port+
sent-time 'text+ - minimal.a*erage.ma,imal inter*als "etween packets sent
packets-recei4ed 'integer+ - num"er of packets recei*ed "y this card 'these packets form analog output of
the *oice port+
#ytes-recei4ed 'integer+ - num"er of "ytes recei*ed "y this card 'these packets form analog output of the
*oice port+
recei4ed-time 'text+ - minimal.a*erage.ma,imal inter*als "etween packets recei*ed
a4erage-3itter-delay 'time+ - appro,imate delay time from the moment of recei*ing an audio packet from
the I network till it is played "ack o*er the telephony *oice port. The *alue shown is ne*er less than F6ms,
although the actual delay time could "e less. If the shown *alue is ND6ms, then it is close 'O.-1ms+ to the
actual delay time.
monitor - monitor status of the *oice port
,nput Parameters
unnamed 'name+ - port name to monitor
Return 9alues
status 'on-hook ; off-hook ; ring ; connection ; "usy+ - current state of the port:
P on-hook - the handset is on-hook, no acti*ity
P off-hook - the handset is off-hook, the num"er is "eing dialed
P ring - call in progress, direction of the call is shown "y the direction property
P connection - the connection has "een esta"lished
9
P #usy - the connection has "een terminated, the handset is still off-hook
directiopn 'ip-to-port ; port-to-ip+ - direction of the call
P ip-to-port - call from the I network to the *oice card
P port-to-ip - call from the *oice card to an I address
phone-num#er 'integer+ - the phone num"er "eing dialed
remote-party-name 'text+ - name and I address of the remote party
codec 'name+ - &O!%& used for the audio connection
duration 'time+ - duration of the phone call
Notes
-s some Goicetroni, cards fail to detect loop drop correctly, with loop-drop-detection you
can manage whether loop drop detection feature is ena"led. The effect of not working loop-
drop detection is call terminated at once when connection is esta"lished.
Some tips for testing "alance registers:
test is sensiti*e to noise from the phone, so it:s recommended to co*er mouth piece
during it=
find-#est-#alance can "e interrupted "y clear-call command=
once "est #alance-registers *alue is known, it can "e set manually to this "est
*alue for all *oicetroni, *oice ports, which will use the same telephone line.
*ine+ac, )oice Ports
Su"menu le*el: /ip telephony %oice-port line-ac,
dialed on the dial-pad. If the num"er is incorrect, the line is hung up '/MO <line< port+ or
"usy tone is played '/MS <phone< port+. If the num"er is correct, then the appropriate
num"er is dialed. If it is an incomming call from the ST( line, then the direct-call mode is
used - the line is picked up only after the remote party answers the call
ring-cadence 'text+ - a 14-sym"ol ring cadence for the phone, each sym"ol lasts 6.>
seconds, : means ringing, - means no ringing
aec 'yes ; no+ - whether echo detection and cancellation is ena"led
aec-tail-length 'short ; medium ; long= default: short+ - siEe of the "uffer of echo
detection
aec-nlp-threshold 'off ; low ; medium ; high= default: low+ - le*el of cancellation of silent
sounds
aec-attenuation-scaling 'integer: 6..16= default: *+ - factor of additional echo
attenuation
aec-attenuation-#oost 'integer: 6..26= default: + - le*el of additional echo attenuation
software-aec 'yes ; no+ - software echo canceller 'e,perimental, for most of the cards+
10
Coand Description
#link - "link the I%!s of the specified *oice port for fi*e seconds after it is in*oked. This
command can "e used to locate the respecti*e card from se*eral line7ack cards
,nput Parameters
unnamed 'name+ - card name to "link the I%! of
,nput Parameters
,nput Parameters
Return 9alues
*oice port+
port+
the *oice port+
#ytes-sent 'integer+ - num"er of "ytes recei*ed "y this card 'these packets form analog output of the
*oice port+
sent-time 'text+ - minimal.a*erage.ma,imal inter*als "etween packets recei*ed
actual delay time.
,nput Parameters
Return 9alues
port 'phone ; line+ - the acti*e port of the card
P phone - telephone connected to the card 'OTS /MS port+
P line - line connected to the card 'ST( /MO port+
line-status 'plugged ; unplugged+ - state of the ST( line
P plugged - the telephone line is connected to the ST( port of the card
P unplugged - there is no working line connected to the ST( port of the card
Notes
$hen telephone line is connected to the :line: port, green I%! ne,t to the port should "e lit
in some seconds. If telephone line disappear, the I%! ne,t to the :line: port will change its
state to red in an hour or when the line is acti*ated 'i.e. when some"ody calls to.from it+.
$hen telephone line is plugged in the :phone: port "efore the router is turned on, red I%!
ne,t to the port will "e lit. $-R(I(9: do not plug telephone line into the :phone: port when
the router is running and green I%! ne,t to the port is lit - this might damage the card. The
status of the :phone: port is only detected on system startup.
11
Phone+ac, )oice Ports
Su"menu le*el: /ip telephony %oice-port phone-ac,
type 'read-only: phone7ack ; phone7ack-lite ; phone7ack-pci+ - type of the card
dialed on the dial-pad. If the num"er is incorrect, "usy tone is played. If the num"er is
correct, then the appropriate num"er is dialed
ring-cadence 'text+ - a 14-sym"ol ring cadence for the phone, each sym"ol lasts 6.>
seconds, : means ringing, - means no ringing
generating the dial tones
aec 'yes ; no+ - wheteher echo detection and cancellation is ena"led
detection
sounds
attenuation
Coand Description
,nput Parameters
,nput Parameters
Return 9alues
*oice port+
port+
the *oice port+
*oice port+
actual delay time.
12
,nput Parameters
Return 9alues
port 'phone ; line+ - the acti*e port of the card
P phone - telephone connected to the card 'OTS /MS port+
P line - line connected to the card 'ST( /MO port+
.aptel )oice Ports
Su"menu le*el: /ip telephony %oice-port /aptel
dialed on the dial-pad. If the num"er is incorrect, the line is hung up. If the num"er is
correct, then the appropriate num"er is dialed 'the direct-call mode is used - the line is
picked up only after the remote party answers the call+
detection
sounds
attenuation
Coand Description
13
,nput Parameters
,nput Parameters
Return 9alues
*oice port+
port+
the *oice port+
*oice port+
actual delay time.
,nput Parameters
Return 9alues
'"DN )oice Ports
Su"menu le*el: /ip telephony %oice-port isdn
msn 'integer+ - telephone num"er of the IS!( *oice port 'IS!( MS( num"er+
lmsn 'text+ - msn pattern to listen on. It determines which calls from the IS!( line this
*oice port should answer. If left empty, msn is used
autodial 'integer= default: $$+ - phone num"er which will "e dialed immediately on each
incoming IS!( call. If this num"er contains :m:, then it will "e replaced "y originally called
'IS!(+ telephone num"er. If this num"er is incomplete, then the remaining part has to "e
dialed "y the caller. If the num"er is incorrect, call is refused. If the num"er is correct, then
the appropriate num"er is dialed. /or that direct-call mode is used - the line is picked up
only after the remote party answers the call
14
detection
Coand Description
,nput Parameters
,nput Parameters
Return 9alues
packets-sent 'integer+ - num"er of packets sent "y this card 'these packets are input of the *oice port+
#ytes-sent 'integer+ - num"er of "ytes sent "y this card 'these packets are input of the *oice port+
packets-recei4ed 'integer+ - num"er of packets recei*ed "y this card 'these packets form output of the
*oice port+
#ytes-sent 'integer+ - num"er of "ytes recei*ed "y this card 'these packets form output of the *oice port+
actual delay time.
,nput Parameters
Return 9alues
Notes
In contrary to analog *oice ports phone7ack, line7ack, *oicetroni,, Eaptel+, which are as
many as the num"er of cards installed, the isdn ports can "e added as many as desired.
There is a possi"ility to enter some special sym"ols in lmsn property. Meaning of the
special sym"ols:
; - separates pattern entries 'more than one pattern can "e specified this way+
< - matches one character
= - matches Eero or more characters
15
7 8 - matches any single character from the set in "rackets
7> 8 - matches any single character not from the set in "rackets
)oice Port (or )oice o%er 'P (%oip)
Su"menu le*el: /ip telephony %oice-port %oip
Description
The *oip *oice ports are *irtual ports, which designate a *oip channel to another host o*er
the I network. @ou must ha*e at least one *oip *oice port to "e a"le to make calls to other
B.F3F de*ices o*er I network.
remote-address 'IP address= default: !!!+ - I address of the remote party 'I
telephone or gateway+ associated with this *oice port. If the call has to "e performed
through this *oice port, then the specified I address is called. If there is an incoming call
from the specified I address, then the parameters of this *oice port are used. If there is an
incoming call from an I address, which is not specified in any of the *oip *oice port
records, then the default record is used. If there is no default record, then default *alues
are used
!!! - the record with this I address will specify the default *alues for an incomming call
autodial 'integer+ - phone num"er which will "e added in front of the telephone num"er
recei*ed o*er the I network. In most cases it should "e "lank
3itter-#uffer 'time: 6..1666ms= default: %ms+ - siEe of the 7itter "uffer
- the siEe of it is ad7usted automatically during the con*ersation, to keep amount of lost packets under 1Q
silence-detection 'yes ; no= default: no+ - whether silence is detected and no audio data
is sent o*er the I network during the silence period
prefered-codec 'name= default: none+ - the preferred codec to "e used for this *oip *oice
port. If possi"le, the specified codec will "e used
none - there is no preferred codec defined for this port, so whiche*er codec ad*ised "y the remote peer will
"e used 'if it is supported+
fast-start 'yes ; no= default: yes+ - allow or disallow the fast start. The fast start allows
esta"lishing the audio connection in a shorter time. Bowe*er, not all B.F3F endpoints
support this feature. Therefore, it should "e turned off, if there are pro"lems to esta"lish
telephony connection using the fast start mode
Nu0ers
Description
This is the so-called <routing ta"le< for *oice calls. This ta"le assigns num"ers to the *oice
ports.The main function of the num"ers routing ta"le is to determine:
to which *oice port route the call
what num"er to send o*er to the remote party
dst-pattern 'integer+ - pattern of the telephone num"er. Sym"ol :.: designate any digit,
sym"ol :A: 'only as the last one+ designate any sym"ols 'i.e. any num"er of characters can
follow, ended with :R: "utton+
16
4oice-port 'name+ - *oice port to "e used when calling the specified telephone num"er
prefi5 'integer+ - prefi,, which will "e used to su"stitute the known part of the dst-
pattern, i.e., the part containing digits. The dst-pattern argument is used to determine
which *oice port to "e used, whereas the prefi5 argument designates the num"er to dial
o*er the *oice port '"e sent o*er to the remote party+. If the remote party is an I
telephony gateway, then the num"er will "e used for making the call
Notes
More than one entry can "e added with e,actly the same dst-pattern. If first one of them
is already "usy, ne,t one with the same dst-pattern is used. Telephony num"er entries
can "e mo*ed, to select desired order.
Exaple
Iet us consider the following e,ample for the num"er ta"le:
[admin@MikroTik] ip telephony numbers> print
Flags: I - invalid, X - disabled, D - dynamic, R - registered
# DST-PATTERN VOICE-PORT PREFIX
0 12345 XX
1 1111. YY
2 22... ZZ 333
3 ... QQ 55
[admin@MikroTik] ip telephony numbers>

$e will analyEe the (um"er Recei*ed 'nr+ - num"er dialed at the telephone, or recei*ed
o*er the line, the Goice ort '*p+ - *oice port to "e used for the call, and the (um"er to &all
'nc+ - num"er to "e called o*er the Goice ort.
If nr0>>>>>, it does not match any of the destination patterns, therefore it is
re7ected
If nr013FD>4, it does not match any of the destination patterns, therefore it is
re7ected
If nr013FD, it does not match any of the destination patterns 'incomplete for record
R6+, therefore it is re7ected
If nr013FD>, it matches the record R6, therefore num"er << is dialed o*er the *oice
port MM
If nr011111, it matches the record R1, therefore num"er <1< is dialed o*er the *oice
port @@
If nr03325S, it matches the record R3, therefore num"er <FFF25S< is dialed o*er
the *oice port LL
If nr033666, it matches the record R3, therefore num"er <FFF666< is dialed o*er
the *oice port LL
If nr0DDD, it matches the record RF, therefore num"er <>>DDD< is dialed o*er the
*oice port HH
Iet us add a few more records:
0 12345 XX
1 1111. YY
2 22... ZZ 333
3 ... QQ 55
4 222 KK 44444
17
5 3.. LL 553

If nr0333 0N the "est match is the record RD 0N nc0DDDDD, *p0KK 'note: the :"est
match: means that it has the most coinciding digits "etween the nr and destination
pattern+.
If nr0331 0N incomplete record R3 0N call is re7ected
If nr0F31 0N the "est match is the record R> 0N nc0>>F31, *p0II
If nr0D31 0N matches the record RF 0N nc0>>D31, *p0HH
If nr0FF> 0N the "est match is the record R> 0N nc0>>F31, *p0II
Iet us add a few more records:
0 12345 XX
1 1111. YY
2 22... ZZ 333
3 ... QQ 55
4 222 KK 44444
5 3.. LL 553
6 33... MM 33
7 11. NN 7711

If nr0FF> 0N incomplete record R4 0N the call is re7ected. The nr0FF> fits perfectly
"oth the record RF and R>. The R> is chosen as the :"est match: candidate at the
moment. /urthermore, there is record R4, which has two matching digits 'more than
for RF or R>+. Therefore the R4 is chosen as the :"est match:. Bowe*er, the record
R4 re#uires fi*e digits, "ut the nr has only three. Two digits are missing, therefore
the num"er is incomplete. Two additional digits would "e needed to "e entered on
the dialpad. If the num"er is sent o*er from the network, it is re7ected.
If nr0F3> 0N matches the record R> 0N nc0>>F3>, *p0II
If nr0FF13F 0N matches the record R4 0N nc0FF13F, *p0MM
If nr013F 0N incomplete record R6 0N call is re7ected
If nr0111 0N incomplete record R1 0N call is re7ected
If nr0113 0N matches the record RS 0N nc0SS113, *p0((
If nr0131 0N matches the record RF 0N nc0>>131, *p0HH
It is impossi"le to add the following records:
reason:
11 DD conflict with record # 1
and # 7
11.. DD conflict with record # 7
111 DD conflict with record # 1
22. DD conflict with record # 2
..... DD conflict with record # 3

Regional "ettings
Su"menu le*el: /ip telephony region
Description
18
Regional settings are used to ad7ust the *oice port properties to the ST( system or the
8M. /or e,ample, to detect hang-up from line, there has to "e correct regional setting
'correct "usy-tone-fre#uency and "usy-tone-cadence+. $ithout that, detect-cpt parameter
the *oice port has to "e ena"led.
name 'name+ - name of the regional setting
#usy-tone-cadence 'integer: 6..F6666= default: ?,?+ - "usy tone cadence in ms
- end of cadence
#usy-tone-frequency 'integer: 36..3666integer: -3D..4= default: **5+ - fre#uency and
*olume gain of "usy tone, BE , d8
data-access-arrangement 'australia ; france ; germany ; 7apan ; uk ; us= default: us+ -
ring *oltage, impedance setting for line-7ack card
dial-tone-frequency 'integer: 36..3666integer: -3D..4= default: **5+ - fre#uency and
*olume gain of dial tone, BE , d8
dtmf-tone-cadence 'integer: 6..F6666= default: %),(+ - !ual Tone Multi /re#uency
tone cadence in ms
- end of cadence
dtmf-tone-4olume 'integer: -3D..4= default: -0,-0+ - !ual Tone Multi /re#uency tone
*olume in d8
ring-tone-cadence 'integer: 6..F6666= default: %,'+ - Ring tone cadence in ms
- end of cadence
ring-tone-frequency 'integer: 36..3666integer: -3D..4= default: **5+ - fre#uency and
*olume gain of "usy tone, BE , d8
Notes
To generate a tone, fre#uency and cadence arguments are used. The dialtone always is
continuous signal, therefore it does not ha*e the cadence argument. In order to detect
dialtone, it should "e at least 166ms long.
There are 16 pre-defined regions, which can not "e deleted '"ut may "e changed+
!udio C1DECs
Su"menu le*el: /ip telephony codec
Description
&O!%&s are listed according to their priority of use. The highest priority is at the top.
&O!%&s can "e ena"led, disa"led and mo*ed within the list. $hen connecting with other
B.F3F systems, the protocol will negotiate the &O!%& which "oth of them support according
to the priority order.
The hardware codecs '.hw+ are "uilt-in &O!%&s supported "y some cards.
The choice of the &O!%& type is "ased on the throughput and speed of the network. 8etter
audio #uality can "e achie*ed "y using &O!%& re#uiring higher network throughput. The
highest audio #uality can "e achie*ed "y using the 9.S11-uIaw &O!%& re#uiring 4Dk".s
throughput for each direction of the call. It is used mostly within a I-(. The 9.S3F.1 &O!%&
is the most popular one to "e used for audio connections o*er the Internet. It re#uires only
4.Fk".s throughput for each direction of the call.
Exaple
19
[admin@MikroTik] ip telephony codec> print
Flags: X - disabled
# NAME
0 G.723.1-6.3k/sw
1 G.728-16k/hw
2 G.711-ALaw-64k/hw
3 G.711-uLaw-64k/hw
4 G.711-uLaw-64k/sw
5 G.711-ALaw-64k/sw
6 G.729A-8k/sw
7 GSM-06.10-13.2k/sw
8 LPC-10-2.5k/sw
9 G.723.1-6.3k/hw
10 G.729-8k/sw
[admin@MikroTik] ip telephony codec>

!!!
Su"menu le*el: /ip telephony aaa
Description
--- '-uthentication -uthoriEation -ccounting+ can "e used to configure the R-!I?S
accounting feature.
The contents of the &!R '&all !etail Record+ are as follows:
N@1-,dentifier - router name 'from "system identity print+
N@1-,P-@ddress - router:s local I address which the connection was esta"lished to
'if e,ist+
N@1-Port--ype - always @sync
E4ent--imestamp - data and time of the e*ent
@cct-1ession--ime - current connection duration 'only in I(T%RIM-?!-T% and
STO records+
@cct-Autput-Packets - sent RT 'Real-Time Transport rotocol+ packet count 'only
in I(T%RIM-?!-T% and STO records+
@cct-Autput-Packets - sent RT 'Real-Time Transport rotocol+ packet count 'only
in I(T%RIM-?!-T% and STO records+
@cct-,nput-Packets - recei*ed RT 'Real-Time Transport rotocol+ packet count
'only in I(T%RIM-?!-T% and STO records+
@cct-Autput-Actets - sent "yte count 'only in I(T%RIM-?!-T% and STO records+
@cct-,nput-Actets - recei*ed "yte count 'only in I(T%RIM-?!-T% and STO
records+
@cct-1ession-,d - uni#ue session participient I!
h0'0-disconnect-cause - session disconnect reason 'only in STO records+:
o - Iocal endpoint application cleared call
o % - Iocal endpoint did not accept call
o ' - Iocal endpoint declined to answer call
o 0 - Remote endpoint application cleared call
o * - Remote endpoint refused call
o ? - Remote endpoint did not answer in re#uired time
o ( - Remote endpoint stopped calling
o / - Transport error cleared call
o ) - Transport connection failed to esta"lish call
o & - 9atekeeper has cleared call
o % - &all failed as could not find user 'in 9K+
20
o %% - &all failed as could not get enough "andwidth
o %' - &ould not find common capa"ilities
o %0 - &all was forwarded using /-&IIIT@ message
o %* - &all failed a security check and was ended
o %? - Iocal endpoint "usy
o %( - Iocal endpoint congested
o %/ - Remote endpoint "usy
o %) - Remote endpoint congested
o %& - &ould not reach the remote party
o ' - The remote party is not running an endpoint
o '% - The remote party host off line
o '' - The remote failed temporarily app may retry
h0'0-disconnect-time - session disconnect time 'only in I(T%RIM-?!-T% and
STO records+
h0'0-connect-time - session esta"lish time 'only in I(T%RIM-?!-T% and STO
records+
h0'0-gw-id - name of gateway emitting message 'should "e e#ual to N@1-
,dentifier+
h0'0-call-type - call leg type 'should "e 9o,P+
h0'0-call-origin - indicates origin of call relati*ely to the gateway 'answer for
calls from I network, originate - to I network+
h0'0-setup-time - call setup time
h0'0-conf-id - uni#ue session I!
h0'0-remote-address - the remote address of the session
N@1-Port-,d - *oice port I!
@cct-1tatus--ype - record type '1-@R- when session is esta"lished= 1-AP when
session is closed= ,N-ER,M-BPC@-E D@2,9EEsession is ali*e+. The time "etween
the interim-update messages is defined "y the interim-update-inter4al parameter
'if it is set to s, there will "e no such messages+
use-radius-accounting 'yes ; no= default: no+ - whether to use radius accounting or not
interim-update 'integer= default: + - defines time inter*al "etween communications with
the router. If this time will e,ceed, R-!I?S ser*er will assume that this connection is down.
This *alue is suggested not to "e less than F minutes
- no interim-update messages are sent at all
Notes
-ll the parameters, which names "egin with h0'0, are &IS&O *endor specific Radius
attri"utes
&ate,eeper
Su"menu le*el: /ip telephony gate,eeper
Description
/or each B.F3F endpoint gatekeeper stores its telephone num"ers. So, gatekeeper knows
all telephone num"ers for all registered endpoints. -nd it knows which telephone num"er is
handled "y which endpoint. Mapping "etween endpoints and their telephone num"ers is the
main functionality of gatekeepers.
21
If endpoint is registered to endpoint, it does not ha*e to know e*ery single endpoint and
e*ery single telephone num"er, which can "e called. Instead, e*ery time some num"er is
dialed, endpoint asks gatekeeper for destination endpoint to call "y pro*iding called
telephone num"er to it.
MikroTik I telephony package includes a *ery simple gatekeeper. This gatekeeper can "e
acti*ated "y setting gatekeeper parameter to local. In this case the local endpoint
automatically is registered to the local gatekeeper. -nd any other endpoint can register to
this gatekeeper too.
Registered endpoints are added to the "ip telephony 4oice-port 4oip ta"le. Those entries
are marked as dynamic and can not "e remo*ed or changed. If there already was an *oip
entry with the same I address, it is marked as registred. Remote-address can not "e
changed for these entries too, "ut registered *oip *oice ports can "e remo*ed - they will
stay as dynamic ones. If there already is a dynamic *oip *oice port and a static one with the
same I address is added, then instead of dynamic entry, registered will appear.
!ynamic entries disappear when corresponding endpoint unregisters itself from the
gatekeeper. Registered entries are static and will stay e*en after that endpoint will "e
unregistered from this gatekeeper.
Registered telephone num"ers are added to "ip telephony num#ers ta"le. Bere is e,actly
the same idea "ehind dynamic and registered telephone num"ers as it is with *oip *oice
ports.
$hen an endpoint registers to the gatekeeper, it sends its own telephone num"ers 'aliases
and prefi,es+ within this registration re#uest. "ip telephony num#ers entry is registered
to the endpoint only if *oice-port for that entry is local 'not *oip+. If dst-pattern contains
:.: or :A:, it is sent as prefi,, otherwise - as alias. The known part of the dst-pattern is sent
as prefi,. If there is no known part 'dst-pattern is <A< or <...<, for e,ample+, then this
entry is not sent at all.
gatekeeper 'none ; local ; remote= default: none+ - 9atekeeper type to use
none - don:t use any gatekeeper at all
local - start and use local gatekeeper
remote - use some other gatekeeper
remote-address 'IP address= default: !!!+ - I address of remote gatekeeper to use.
If set to !!!, "roadcast gatekeeper disco*ery is used
remote-id 'name+ - name of remote gatekeeper to use. If left empty, first a*aila"le
gatekeeper will "e used. (ame of locally started gatekeeper is the same as system identity
registered 'read-only: yes ; no+ - shows whether local B.F3F endpoint is registered to any
gatekeeper
registered-with 'read-only: name+ - name of gatekeeper to which local B.F3F endpoint is
registered
Exaple
In most simple case with one phone7ack card and some remote gatekeeper, configuration
can "e as follows:
[admin@MikroTik] ip telephony voice-port> print
Flags: X - disabled
# NAME TYPE AUTODIAL
0 phonejack1 phonejack
1 voip1 voip
22
[admin@MikroTik] ip telephony voice-port voip> print
Flags: X - disabled, D - dynamic, R - registered
# NAME AUTODIAL REMOTE-ADDRESS JITTER-BUFFER PREFERED-CODEC SIL FAS
0 voip1 0.0.0.0 0s none no yes
0 11 phonejack1
1 _ voip1
[admin@MikroTik] ip telephony gatekeeper> print
gatekeeper: remote
remote-id: ""
remote-address: 10.0.0.98
registered: yes
registered-with: "MikroTik@10.0.0.98"

In this case this endpoint will register to gatkeeper with the I address of 16.6.6.25 and
telephone num"er 11. %*ery call to telephone num"er 11 will "e transfered from gatekeeper
to this endpoint. -nd this endpoint will route this call to phone7ack1 *oice port. On any
other telephone num"er gatekeeper will "e asked for real destination. /rom this endpoint it
will "e possi"le to call all the endpoints, which are registered to the same gatekeeper. If
that gatekeeper has static entries a"out endpoints, which are not registered to gatekeeper,
it still will "e possi"le to call those endpoints "y those statically defined telephone num"ers
at gatekeeper.
Exaple
/or e,ample, if num"ers ta"le is like this:
0 1. phonejack1
1 128 voip1 128
2 78 voip2 78
3 77 phonejack1
4 76 phonejack1 55
5 _ voip1

then entries 6, F and D will "e sent to the gatekeeper, others are *oip *oice ports and are
ignored. %ntry 6 will "e sent as prefi, 1, entry F - as alias SS, and entry D - as alias S4.
If I address of local endpoint is 16.6.6.166, then gatekeeper *oip and num"ers ta"les will
look as follows:
[admin@MikroTik] ip telephony voice-port voip> print
0 tst-2.5 10.0.0.101 0s none no yes
1 D local 127.0.0.1 100ms none no yes
2 D 10.0.0... 10.0.0.100 100ms none no yes
0 78 linejack1
1 3... vctx1
2 33_ voip1
3 5.. voip1
23
4 XD 78 local 78
5 XD 3_ local 3
6 D 76 10.0.0.100 76
7 D 77 10.0.0.100 77
8 D 1_ 10.0.0.100 1

Bere we can see how aliases and prefi,es are added to num"ers ta"le. %ntries 6..F are
static. %ntries D and > are added "y registering the local endpoint to the local gatekeeper.
%ntries 4..5 are added "y registering endpoint 'with I address 16.6.6.166+ to the local
gatekeeper.
/or prefi,es, :A: is added at the end of dst-pattern to allow any additional digits to "e added
at the end.
Iocal endpoint is registered to the local gatekeeper too. So, local aliases and prefi,es are
added as dynamic num"ers too. Only, as they are local and corresponding num"er entries
already e,ist in the num"er ta"le, then these dynamically added entries are disa"led "y
default.
If any registered telephone num"er will conflict with some e,isting telephone num"ers
entry, it will "e added as disa"led and dynamic.
If in gatekeeper:s num"ers ta"le there already e,ists e,actly the same dst-pattern as some
other endpoint is trying to register, this gatekeeper registration for that endpoint will fail.
2rou0leshooting
Description
-he ,P -elephony does not work after upgrading from '!?!5 4ersion - @ou
need to completely reinstall the router using any installation procedure. @ou may
keep the configuration using either the installation program option or the "ackup file.
-he ,P -elephony gateway does not detect the drop of the line when
connected to some PFGs - !ifferent regional setting should "e used to match the
parameters of the 8M. /or e,ample, try using uk for Meridian 8M.
-he ,P -elephone does not call the gateway, #ut gi4es #usy signal - %na"le
the logging of I telephony e*ents under "system logging facility. ?se the
monitoring function for *oice ports to de"ug your setup while making calls.
-he ,P telephony is working without N@-, #ut sound goes only in one
direction - !isa"le BF3F ser*ice port in firewall: "ip firewall ser4ice-port set
h0'0 disa#led+yes
-he ,P -elephony does not work through N@- - %na"le BF3F ser*ice port in
firewall: "ip firewall ser4ice-port set h0'0 disa#led+no
! siple exaple
Description
The following descri"es e,amples of some useful I telephony applications using MikroTik
RouterOS.
Iet us consider the following e,ample of I telephony gateway, one MikroTik I telephone,
and one $elltech I-( hone 161 setup:
24
"etting up the Mi,ro2i, 'P 2elephone
If you pick up the handset, a dialtone should "e heard.
The "asic telephony configuration should "e as follows:
-dd a *oip *oice port to the "ip telephony 4oice-port 4oip for each of the de*ices
you want to call, or want to recei*e calls from, i.e., 'the I telephony gateway
16.1.1.13 and the $elltech I telephone 16.>.5.3+:
[admin@Joe] ip telephony voice-port voip> add name=gw remote-address=10.1.1.12
[admin@Joe] ip telephony voice-port voip> add name=rob remote-address=10.5.8.2
[admin@Joe] ip telephony voice-port voip> print
0 gw 10.1.1.12 100ms none no yes
1 rob 10.5.8.2 100ms none no yes
[admin@Joe] ip telephony voice-port voip>

@ou should ha*e three *ioce ports now:
[admin@Joe] ip telephony voice-port> print
Flags: X - disabled
# NAME TYPE AUTODIAL
0 linejack1 linejack
1 gw voip
2 rob voip
[admin@Joe] ip telephony voice-port>

-dd at least one uni#ue num"er to the "ip telephony num#ers for each *oice port.
This num"er will "e used to call that port:
[admin@Joe] ip telephony numbers> add dst-pattern=31 voice-port=rob
[admin@Joe] ip telephony numbers> add dst-pattern=33 voice-port=linejack1
[admin@Joe] ip telephony numbers> add dst-pattern=1. voice-port=gw prefix=1
[admin@Joe] ip telephony numbers> print
0 31 rob 31
1 33 linejack1
2 1. gw 1
[admin@Joe] ip telephony numbers>

Bere, the dst-pattern+0% is to call the $elltech I Telephone, if the num"er F1 is
dialed on the dialpad. The dst-pattern+00 is to ring the local telephone, if a call for
num"er FF is recei*ed o*er the network. -nything starting with digit :1: would "e
sent o*er to the I Telephony gateway.
Making calls from the I telephone 16.6.6.33D:
To call the I telephone 16.>.5.3, it is enough to lift the handset and dial the num"er
F1
25
To call the 8M e,tension 1F, it is enough to lift the handset and dial the num"er 1F
-fter esta"lishing the connection with 1F, the *oice port monitor shows:
[admin@Joe] ip telephony voice-port linejack> monitor linejack
status: connection
port: phone
direction: port-to-ip
line-status: unplugged
phone-number: 13
remote-party-name: PBX_Line [10.1.1.12]
codec: G.723.1-6.3k/hw
duration: 16s
[admin@Joe] ip telephony voice-port linejack>

"etting up the 'P 2elephony &ate#ay
The I telephony gateway T*oipAgwU re#uires the following configuration:
Set the regional setting to match our 8M. The mikrotik region will "e used in thisn
e,ample:
[admin@voip_gw] ip telephony voice-port linejack> set linejack1 region=mikrotik
[admin@voip_gw] ip telephony voice-port linejack> print
Flags: X - disabled
0 name="linejack1" autodial="" region=mikrotik playback-volume=0
record-volume=0 ring-cadence="++-++--- ++-++---" agc-on-playback=no
agc-on-record=no aec=yes aec-tail-length=short aec-nlp-threshold=low
aec-attenuation-scaling=4 aec-attenuation-boost=0 software-aec=no
detect-cpt=yes
[admin@voip_gw] ip telephony voice-port linejack>

-dd a *oip *oice port to the "ip telephony 4oice-port 4oip for each of the de*ices
you want to call, or want to recei*e calls from, i.e., 'the I telephone 16.6.6.33D and
the $elltech I telephone 16.>.5.3+:
[admin@voip_gw] ip telephony voice-port voip> add name=joe \
\... remote-address=10.0.0.224
[admin@voip_gw] ip telephony voice-port voip> add name=rob \
\... remote-address=10.5.8.2 prefered-codec=G.723.1-6.3k/hw
[admin@voip_gw] ip telephony voice-port voip> print
0 joe 10.0.0.224 100ms none no yes
1 rob 10.5.8.2 100ms G.723.1-6.3k/hw no yes
[admin@voip_gw] ip telephony voice-port voip>

-dd num"er records to the "ip telephony num#ers, so you are a"le to make calls:
[admin@voip_gw] ip telephony numbers> add dst-pattern=31 voice-port=rob
prefix=31
[admin@voip_gw] ip telephony numbers> add dst-pattern=33 voice-port=joe
prefix=33
[admin@voip_gw] ip telephony numbers> add dst-pattern=1. voice-port=linejack1 \
\... prefix=1
26
[admin@voip_gw] ip telephony numbers> print
0 31 rob 31
1 33 joe 33
2 1. linejack1 1
[admin@voip_gw] ip telephony numbers>

Making calls through the I telephony gateway:
To dial the I telephone 16.6.6.33D from the office 8M line, the e,tension num"er
12 should "e dialed, and, after the dial tone has "een recei*ed, the num"er FF
should "e entered. Thus, the telephone TJoeU is ringed.
-fter esta"lishing the *oice connection with :FF: 'the call has "een answered+, the
*oice port monitor shows:
[admin@voip_gw] ip telephony voice-port linejack> monitor linejack1
status: connection
port: line
direction: port-to-ip
line-status: plugged
phone-number: 33
remote-party-name: linejack1 [10.0.0.224]
codec: G.723.1-6.3k/hw
duration: 1m46s
[admin@voip_gw] ip telephony voice-port linejack>

To dial the I telephone 16.>.5.3 from the office 8M line, the e,tension num"er 12
should "e dialed, and, after the dial tone has "een recei*ed, the num"er F1 should
"e entered.
"etting up the 3elltech 'P 2elephone
lease follow the documentation from www.welltech.com.tw on how to set up the $elltech
I-( hone 161. Bere we gi*e 7ust "rief recommendations:
1. $e recommend to upgrade the $elltech I-( hone 161 with the latest application
software. Telnet to the phone and check what you ha*e, for e,ample:
2. usr/config$ rom -print
3.
4. Download Method : TFTP
5. Server Address : 10.5.8.1
6.
7. Hardware Ver. : 4.0
8. Boot Rom : nblp-boot.102a
9. Application Rom : wtlp.108h
10. DSP App : 48302ce3.127
11. DSP Kernel : 48302ck.127
12. DSP Test Code : 483cbit.bin
13. Ringback Tone : wg-ringbacktone.100
14. Hold Tone : wg-holdtone10s.100
15. Ringing Tone1 : ringlow.bin
16. Ringing Tone2 : ringmid.bin
17. Ringing Tone3 : ringhi.bin
18.
19. usr/config$

27
36. &heck if you ha*e the codecs arranged in the desired order:
21. usr/config$ voice -print
22. Voice codec setting relate information
23. Sending packet size :
24. G.723.1 : 30 ms
25. G.711A : 20 ms
26. G.711U : 20 ms
27. G.729A : 20 ms
28. G.729 : 20 ms
29. Priority order codec :
30. g7231 g711a g711u g729a g729
31. Volume levels :
32. voice volume : 54
33. input gain : 26
34. dtmf volume : 23
35. Silence suppression & CNG:
36. G.723.1 : Off
37. Echo canceller : On
38. JitterBuffer Min Delay : 90
39. JitterBuffer Max Delay : 150
40. usr/config$

D1. Make sure you ha*e set the B.F3F operation mode to phone to phone '3+, not
gatekeeper '9K+:
42. usr/config$ h323 -print
43. H.323 stack relate information
44. RAS mode : Non-GK mode
45. Registered e164 : 31
46. Registered H323 ID : Rob
47. RTP port : 16384
48. H.245 port : 16640
49. Allocated port range :
50. start port : 1024
51. end port : 65535
52. Response timeOut : 5
53. Connect timeOut : 5000
54. usr/config$

>>. -dd the gateway:s address to the phone"ook:
56. usr/config$ pbook -add name gw ip 10.1.1.12
57. usr/config$
58. This may take a few seconds, please wait....
59.
60. Commit to flash memory ok!
61.
62. usr/config$ pbook -print
63. index Name IP E164
64. ======================================================================
65. 1 gw 10.1.1.12
66. ----------------------------------------------------------------------
67. usr/config$

Making calls from the I telephone 16.>.5.3:
Just lift the handset and dial :11:, or :1F: fo the 8M e,tensions.
!ial :FF: for TJoeU. The call re#uest will "e sent to the gateway 16.1.1.13, where it
will "e forwarded to TJoeU. If you want to call TJoeU directly, add a phone"ook record
for it:
usr/config$ pbook -add name Joe ip 10.0.0.224 e164 33

28
?se the telephony logging feature on the gateway to de"ug your setup.
"etting up Mi,ro2i, Router and C'"C1 Router
Iet:s try a different e,ample.
Bere are some hints on how to get working configuration for telephony calls "etween &IS&O
and MikroTik router.
&onfiguration on the MikroTik side
9.S32a codec M?ST "e disa"led 'otherwise connections are not possi"le at all)))+
/ip telephony codec disable G.729A-8k/sw

9.S11--Iaw codec should not "e used 'in some cases there is no sound+
/ip telephony codec disable "G.711-ALaw-64k/sw G.711-ALaw-64k/hw"

/ast start has to "e used 'otherwise no ring-"ack tone and pro"lems with codec
negotiation+
/ip telephony voice-port set cisco fast-start=yes

Telephone num"er we want to call to must "e sent to &isco, for e,ample
/ip telephony numbers add destination-pattern=101 voice-port=cisco prefix=101

Telephone num"er, cisco will call us, must "e assigned to some *oice port, for
e,ample,
/ip telephony numbers add destination-pattern=098 voice-port=linejack

&onfiguration on the &IS&O side:
I routing has to "e ena"led
ip routing

!efault *alues for fast start can "e used:
voice service pots
default h323 call start
exit
voice service voip
default h323 call start
exit

%na"le opening of RT streams:
voice rtp send-recv

-ssign some %.14D num"er for local telephone, for e,ample, 161 to port 6.6
dial-peer voice 1 pots
destination-pattern 101
29
port 0/0
exit

create preferred codec listing:
voice class codec codec_class_number
codec preference 1 g711ulaw
codec preference 2 g723r63
exit

(OT%: gS3Fr>F codec can "e used, too
Tell, that some foreign %.14D telephone num"er can "e reached "y calling to some I
address, for e,ample, 625 "y calling to 16.6.6.25
dial-peer voice 11 voip
session target ipv4:10.0.0.98
voice-class codec codec_class_number
exit

(OT%: instead of codec class, one specified codec could "e specified:
codec g711ulaw

/or reference, following is an e,ported &IS&O configuration, that works:
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
logging rate-limit console 10 except errors
enable secret 5 $1$bTMC$nDGl9/n/pc3OMbtWxADMg1
enable password 123
!
memory-size iomem 25
ip subnet-zero
no ip finger
!
call rsvp-sync
voice rtp send-recv
!
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g723r63
!
interface FastEthernet0
ip address 10.0.0.101 255.255.255.0
no ip mroute-cache
speed auto
half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
no ip http server
!
30
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
voice-port 0/0
!
voice-port 0/1
!
voice-port 2/0
!
voice-port 2/1
!
dial-peer voice 1 pots
port 0/0
!
codec g711ulaw
!
voice-class codec 1
!
!
line con 0
transport input none
line aux 0
line vty 0 4
password 123
login
!
end

"etting up PB4 to PB4 Connection o%er an 'P Net#or,
To interconnect two telephone switch"oards '8M+ o*er an I network, two I telephony
gateways should "e configured. The setup is shown in the following diagram:
$e want to "e a"le to use make calls from local telephones of one 8M to local telephones
or e,ternal lines of the other 8M.
-ssume that:
The I telephony gateway R1 has I address 16.6.6.153, and the name of the
Goicetroni, first line is :*ct,1:.
The I telephony gateway R3 has I address 16.6.6.15F, and the name of the
Goicetroni, first line is :*ct,1:.
The I telephony configuration should "e as follows:
I telephony gateway R1 should ha*e:
/ip telephony voice-port voip
add name=gw2 remote-address=10.0.0.183
/ip telephony numbers
add dst-pattern=1.. voice-port=gw2 prefix=2
add dst-pattern=2.. voice-port=vctx1 prefix=1
31

I telephony gateway R3 should ha*e
/ip telephony voice-port voip
add name=gw1 remote-address=10.0.0.182
/ip telephony numbers
add dst-pattern=2.. voice-port=vctx1 prefix=1
add dst-pattern=1.. voice-port=gw1 prefix=2

The system works as follows:
To dial from the main office 8MR1 any e,tension of the remote office 8MR3, the e,tension
with the connected gateway at 8MR1 should "e dialed first. Then, after the dial tone of the
gatewayR1 is recei*ed, the remote e,tension num"er should "e dialed.
To dial from the main office 8MR3 any e,tension of the remote office 8MR1, the actions
are the same as in first situation.
Fandwidth -est
Document revision: 1.9 (Fri Nov 26 11:00:29 GMT 2004)
Applies to: V2.9
&eneral 'n(oration
"uary
The 8andwidth Tester can "e used to monitor the throughput only to a remote MikroTik
router 'either wired or wireless+ and there"y help to disco*er network <"ottlenecks<.
"peci(ications
ackages re#uired: syste
Su"menu le*el: /tool
Standards and Technologies: T& 'R/& S2F+, ?! 'R/&S45+
Bardware usage: significant
Related Docuents
Software ackage Management
Description
Protocol Description
The T& test uses the standard T& protocol with acknowledgments and follows the T&
algorithm on how many packets to send according to latency, dropped packets, and other
32
features in the T& algorithm. lease re*iew the T& protocol for details on its internal
speed settings and how to analyEe its "eha*ior. Statistics for throughput are calculated
using the entire siEe of the T& packet. -s acknowledgments are an internal working of T&,
their siEe and usage of the link are not included in the throughput statistics. Therefore this
statistic is not as relia"le as the ?! statistic when estimating throughput.
The ?! tester sends 116Q or more packets than currently reported as recei*ed on the
other side of the link. To see the ma,imum throughput of a link, the packet siEe should "e
set for the ma,imum MT? allowed "y the links which is usually 1>66 "ytes. There is no
acknowledgment re#uired "y ?!= this implementation means that the closest
appro,imation of the throughput can "e seen.
5sage Notes
Caution! 8andwidth Test uses all a*aila"le "andwidth '"y default+ and may impact network
usa"ility.
8andwidth Test uses much resources. If you want to test real throughput of a router, you
should run "andwidth test through it not from or to it. To do this you need at least F routers
connected in chain: the 8andwidth Ser*er, the gi*en router and the 8andwidth &lient:
Note that if you use ?! protocol then 8andwidth Test counts I headerO?! headerO?!
data. In case if you use T& then 8andwidth Test counts only T& data 'T& header and I
header are not included+.
"er%er Con(iguration
Su"menu le*el: /tool 0and#idth-ser%er
allocate-udp-ports-from - allocate ?! ports from
authenticate 'yes ; no= default: yes+ - communicate only with authenticated '"y *alid
username and password+ clients
ena#le 'yes ; no= default: no+ - ena"le client connections for "andwidth test
ma5-sessions - ma,imal num"er of "andwidth-test clients
Notes
The list of current connections can "e o"tained in session su"menu
Exaple
8andwidth Ser*er:
[admin@MikroTik] tool bandwidth-server> print
enabled: no
authenticate: yes
allocate-udp-ports-from: 2000
max-sessions: 10
[admin@MikroTik] tool>
33
-cti*e sessions:
[admin@MikroTik] tool> bandwidth-server session print
# CLIENT PROTOCOL DIRECTION USER
0 35.35.35.1 udp send admin

To ena"le #andwidth-test ser*er without client authentication:
[admin@MikroTik] tool bandwidth-server> set enabled=yes authenticate=no
[admin@MikroTik] tool bandwidth-server> print
enabled: yes
authenticate: no
allocate-udp-ports-from: 2000
max-sessions: 10
Client Con(iguration
&ommand name: /tool 0and#idth-test
address 'IP address+ - I address of destination host
assume-lost-time 'time= default: s+ - assume that connection is lost if 8andwidth Ser*er
is not responding for that time
direction 'recei*e . transmit . "oth= default: recei4e+ - the direction of the test
do 'name ; string= default: $$+ - script source
duration 'time= default: s+ - duration of the test
s - test duration is not limited
inter4al 'time: 36ms..>s= default: %s+ - delay "etween reports 'in seconds+
local-t5-speed 'integer= default: + - transfer test ma,imum speed '"its per second+
- no speed limitations
local-t5-si6e 'integer: D6..4D666+ - local transmit packet siEe in "ytes
password 'text= default: $$+ - password for the remote user
protocol 'udp ; tcp= default: udp+ - protocol to use
random-data 'yes ; no= default: no+ - if random-data is set to yes, the payload of the
"andwidth test packets will ha*e incompressi"le random data so that links that use data
compression will not distort the results 'this is &? intensi*e and random-data should "e
set to no for low speed &?s+
remote-t5-speed 'integer= default: + - recei*e test ma,imum speed '"its per second+
- no speed limitations
remote-t5-si6e 'integer: D6..4D666+ - remote transmit packet siEe in "ytes
user 'name= default: $$+ - remote user
Exaple
To run 1>-second long "andwidth-test to the %!!!'%% host sending and recei*ing %-
"yte ?! packets and using username admin to connect
[admin@MikroTik] tool> bandwidth-test 10.0.0.211 duration=15s direction=both \
\... size=1000 protocol=udp user=admin
status: done testing
duration: 15s
tx-current: 3.62Mbps
tx-10-second-average: 3.87Mbps
34
tx-total-average: 3.53Mbps
rx-current: 3.33Mbps
rx-10-second-average: 3.68Mbps
rx-total-average: 3.49Mbps
,P @ddresses and @RP
Document revision: 1.3 (Tue Sep 20 19:02:32 GMT 200)
Applies to: V2.9
&eneral 'n(oration
"uary
The following Manual discusses I address management and the -ddress Resolution
rotocol settings. I addresses ser*e as identification when communicating with other
network de*ices using the T&.I protocol. In turn, communication "etween de*ices in one
physical network proceeds with the help of -ddress Resolution rotocol and -R addresses.
"peci(ications
Su"menu le*el: /ip address, /ip arp
Standards and Technologies: I, -R
Bardware usage: ot significant
Related Docuents
'P !ddressing
Su"menu le*el: /ip address
Description
I addresses ser*e for a general host identification purposes in I networks. Typical 'I*D+
address consists of four octets. /or proper addressing the router also needs the network
mask *alue, id est which "its of the complete I address refer to the address of the host,
and which - to the address of the network. The network address *alue is calculated "y
"inary @NC operation from network mask and I address *alues. It:s also possi"le to
specify I address followed "y slash <.< and amount of "its assigned to a network mask.
In most cases, it is enough to specify the address, the netmask, and the interface
arguments. The network prefi, and the "roadcast address are calculated automatically.
35
It is possi"le to add multiple I addresses to an interface or to lea*e the interface without
any addresses assigned to it. Iea*ing a physical interface without an I address is not a
must when the "ridging "etween interfaces is used. In case of "ridging, the I address can
"e assigned to any interface in the "ridge, "ut actually the address will "elong to the "ridge
interface. @ou can use "ip address print detail to see to which interface the address
"elongs to.
MikroTik RouterOS has following types of addresses:
1tatic - manually assigned to the interface "y a user
Cynamic - automatically assigned to the interface "y esta"ilished ppp, ppptp, or
pppoe connections
actual-interface 'read-only: name+ - only applica"le to logical interfaces like "ridges or
tunnels. Bolds the name of the actual hardware interface the logical one is "ound to.
address 'IP address+ - I address
#roadcast 'IP address= default: '??!'??!'??!'??+ - "roadcasting I address, calculated
"y default from an I address and a network mask
disa#led 'yes ; no= default: no+ - specifies whether the address is disa"led or not
interface 'name+ - interface name the I address is assigned to
netmask 'IP address= default: !!!+ - specifies network address part of an I address
network 'IP address= default: !!!+ - I address for the network. /or point-to-point
links it should "e the address of the remote end
Notes
@ou cannot ha*e two different I addresses from the same network assigned to the router.
!xempli gratia, the com"ination of I address %!!!%"'* on the ether% interface and I
address %!!!%0'"'* on the ether' interface is in*alid, "ecause "oth addresses "elong
to the same network %!!!"'*. ?se addresses from different networks on different
interfaces, or ena"le pro5y-arp on ether% or ether'.
Exaple
[admin@MikroTik] ip address> add address=10.10.10.1/24 interface=ether2
[admin@MikroTik] ip address> print
0 2.2.2.1/24 2.2.2.0 2.2.2.255 ether2
1 10.5.7.244/24 10.5.7.0 10.5.7.255 ether1
2 10.10.10.1/24 10.10.10.0 10.10.10.255 ether2
[admin@MikroTik] ip address>
!ddress Resolution Protocol
Su"menu le*el: /ip arp
Description
%*en though I packets are addressed using I addresses, hardware addresses must "e
used to actually transport data from one host to another. -ddress Resolution rotocol is
used to map OSI le*el F I addreses to OSI le*el 3 M-& addreses. - router has a ta"le of
36
currently used -R entries. (ormally the ta"le is "uilt dynamically, "ut to increase network
security, it can "e "uilt statically "y means of adding static entries.
address 'IP address+ - I address to "e mapped
interface 'name+ - interface name the I address is assigned to
mac-address 'M"# address= default: HHHHH+ - M-& address to "e mapped
to
Notes
Ma,imal num"er of -R entries is 5123.
If arp feature is turned off on the interface, i.e., arp+disa#led is used, -R re#uests from
clients are not answered "y the router. Therefore, static arp entry should "e added to the
clients as well. /or e,ample, the router:s I and M-& addresses should "e added to the
$indows workstations using the arp command:
C:\> arp -s 10.5.8.254 00-aa-00-62-c6-09
If arp property is set to reply-only on the interface, then router only replies to -R
re#uests. (eigh"our M-& addresses will "e resol*ed using "ip arp statically.
Exaple
[admin@MikroTik] ip arp> add address=10.10.10.10 interface=ether2 mac-address=06 \
\... :21:00:56:00:12
[admin@MikroTik] ip arp> print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
# ADDRESS MAC-ADDRESS INTERFACE
0 D 2.2.2.2 00:30:4F:1B:B3:D9 ether2
1 D 10.5.7.242 00:A0:24:9D:52:A4 ether1
2 10.10.10.10 06:21:00:56:00:12 ether2
[admin@MikroTik] ip arp>
If static arp entries are used for network security on an interface, you should set arp to
:reply-only: on that interface. !o it under the rele*ant "interface menu:
[admin@MikroTik] ip arp> /interface ethernet set ether2 arp=reply-only
[admin@MikroTik] ip arp> print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
# ADDRESS MAC-ADDRESS INTERFACE
0 D 10.5.7.242 00:A0:24:9D:52:A4 ether1
1 10.10.10.10 06:21:00:56:00:12 ether2
Proxy-!RP (eature
Description
- router with properly configured pro,y -R feature acts like a transparent -R pro,y
"etween directly connected networks. &onsider the following network diagram:
37
Suppose the host - needs to communicate to host &. To do this, it needs to know host:s &
M-& address. -s shown on the diagram a"o*e, host - has .3D network mask. That makes
host - to "elie*e that it is directly connected to the whole 123.145.6.6.3D network. $hen a
computer needs to communicate to another one on a directly connected network, it sends a
"roadcast -R re#uest. Therefore host - sends a "roadcast -R re#uest for the host & M-&
address.
8roadcast -R re#uests are sent to the "roadcast M-& address //://://://://://. Since
the -R re#uest is a "roadcast, it will reach all hosts in the network -, including the router
R1, "ut it will not reach host &, "ecause routers do not forward "roadcasts "y default. -
router with ena"led pro,y -R knows that the host & is on another su"net and will reply
with its own M-& adress. The router with ena"led pro,y -R always answer with its own
M-& address if it has a route to the destination.
This "eha*iour can "e usefull, for e,ample, if you want to assign dial-in 'ppp, pppoe, pptp+
clients I addresses from the same address space as used on the connected I-(.
Exaple
&onsider the following configuration:
38
The MikroTik Router setup is as follows:
admin@MikroTik] ip arp> /interface ethernet print
Flags: X - disabled, R - running
# NAME MTU MAC-ADDRESS ARP
0 R eth-LAN 1500 00:50:08:00:00:F5 proxy-arp
[admin@MikroTik] ip arp> /interface print
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE MTU
0 eth-LAN ether 1500
1 prism1 prism 1500
2 D pppoe-in25 pppoe-in
3 D pppoe-in26 pppoe-in
[admin@MikroTik] ip arp> /ip address print
0 10.0.0.217/24 10.0.0.0 10.0.0.255 eth-LAN
1 D 10.0.0.217/32 10.0.0.230 0.0.0.0 pppoe-in25
2 D 10.0.0.217/32 10.0.0.231 0.0.0.0 pppoe-in26
[admin@MikroTik] ip arp> /ip route print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
0 S 0.0.0.0/0 r 10.0.0.1 1 eth-LAN
1 DC 10.0.0.0/24 r 0.0.0.0 0 eth-LAN
2 DC 10.0.0.230/32 r 0.0.0.0 0 pppoe-in25
3 DC 10.0.0.231/32 r 0.0.0.0 0 pppoe-in26
5nnu0ered 'nter(aces
Description
?nnum"ered interfaces can "e used on serial point-to-point links, e.g., MOM- or &yclades
interfaces. - pri*ate address should "e put on the interface with the network "eing the
same as the address on the router on the other side of the p3p link 'there may "e no I on
that interface, "ut there is an ip for that router+.
39
Exaple
[admin@MikroTik] ip address> add address=10.0.0.214/32 network=192.168.0.1 \
\... interface=pppsync
0 10.0.0.214/32 192.168.0.1 192.168.0.1 pppsync
[admin@MikroTik] ip address> .. route print detail
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
0 S dst-address=0.0.0.0/0 preferred-source=0.0.0.0 gateway=192.168.0.1
gateway-state=reachable distance=1 interface=pppsync
1 DC dst-address=192.168.0.1/32 preferred-source=10.0.0.214
gateway=0.0.0.0 gateway-state=reachable distance=0 interface=pppsync
-s you can see, a dynamic connected route has "een automatically added to the routes list.
If you want the default gateway "e the other router of the p3p link, 7ust add a static route
for it. It is shown as in the e,ample a"o*e.
2rou0leshooting
Description
Router shows that the ,P address is in4alid
&heck whether the interface e,ists to which the I address is assigned. Or may"e it
is disa"led. It is also possi"le that the system has crashed - re"oot the router.
Router shows that the @RP entry is in4alid
&heck whether the interface e,ists to which the -R entry is assigned. Or may"e it is
disa"led. &heck also for an I address for the particular interface.
Mangle
Document revision: 3 (Fri Nov 04 19:22:14 GMT 200)
Applies to: V2.9
&eneral 'n(oration
"uary
40
The mangle facility allows to mark I packets with special marks. These marks are used "y
*arious other router facilities to identify the packets. -dditionaly, the mangle facility is used
to modify some fields in the I header, like TOS '!S&+ and TTI fields.
"peci(ications
Su"menu le*el: /ip (ire#all angle
Standards and Technologies: I
Bardware usage: Increases wit$ count of mangle rules
Related Docuents
I -ddresses and -R
Routes, %#ual &ost Multipath Routing, olicy Routing
(-T
/ilter
acket /low
Mangle
Su"menu le*el: /ip (ire#all angle
Description
Mangle is a kind of :marker: that marks packets for future processing with special marks.
Many other facilities in RouterOS make use of these marks, e.g. #ueue trees and (-T. They
identify a packet "ased on its mark and process it accordingly. The mangle marks e,ist only
within the router, they are not transmitted across the network.
action 'accept ; add-dst-to-address-list ; add-src-to-address-list ; change-mss ; change-
tos ; change-ttl ; 7ump ; log ; mark-connection ; mark-packet ; mark-routing ; passthrough
; return ; strip-ip*D-options= default: accept+ - action to undertake if the packet matches
the rule
accept - accept the packet. (o action, i.e., the packet is passed through and no more rules are applied to it
add-dst-to-address-list - add destination address of an I packet to the address list specified "y
address-list parameter
add-src-to-address-list - add source address of an I packet to the address list specified "y address-list
parameter
change-mss - change Ma,imum Segment SiEe field *alue of the packet to a *alue specified "y the new-
mss parameter
change-tos - change Type of Ser*ice field *alue of the packet to a *alue specified "y the new-tos
parameter
change-ttl - change Time to Ii*e field *alue of the packet to a *alue specified "y the new-ttl parameter
3ump - 7ump to the chain specified "y the *alue of the 3ump-target parameter
log - each match with this action will add a message to the system log
mark-connection - place a mark specified "y the new-connection-mark parameter on the entire
connection that matches the rule
mark-packet - place a mark specified "y the new-packet-mark parameter on a packet that matches the
rule
mark-routing - place a mark specified "y the new-routing-mark parameter on a packet. This kind of
marks is used for policy routing purposes only
passthrough - ignore this rule go on to the ne,t one
41
return - pass control "ack to the chain from where the 7ump took place
strip-ip4*-options - strip I*D option fields from the I packet
address-list 'name+ - specify the name of the address list to collect I addresses from
rules ha*ing action+add-dst-to-address-list or action+add-src-to-address-list
actions. These address lists could "e later used for packet matching
address-list-timeout 'time= default: HH+ - time inter*al after which the address
will "e remo*ed from the address list specified "y address-list parameter. ?sed in
con7unction with add-dst-to-address-list or add-src-to-address-list actions
HH - lea*e the address in the address list fore*er
chain 'forward ; input ; output ; postrouting ; prerouting+ - specify the chain to put a
particular rule into. -s the different traffic is passed through different chains, always "e
careful in choosing the right chain for a new rule. If the input does not match the name of
an already defined chain, a new chain will "e created
comment 'text+ - free form te,tual comment for the rule. - comment can "e used to refer
the particular rule from scripts
connection-#ytes 'integer-integer+ - match packets only if a gi*en amount of "ytes has
"een transfered through the particular connection
- means infinity, exempli gratia: connection-#ytes+'- means that the rule matches if more
than 3M8 has "een transfered through the rele*ant connection
connection-limit 'integer,netmask+ - restrict connection limit per address or address "lock
connection-mark 'name+ - match packets marked *ia mangle facility with particular
connection mark
connection-type 'ftp ; gre ; hF3F ; irc ; mms ; pptp ; #uakeF ; tftp+ - match packets from
related connections "ased on information from their connection tracking helpers. - rele*ant
connection helper must "e ena"led under "ip firewall ser4ice-port
content 'text+ - the te,t packets should contain in order to match the rule
dst-address 'IP address.netmask ; IP address-IP address+ - specify the address range an
I packet is destined to. (ote that console con*erts entered address"netmask *alue to a
*alid network address, i.e.:%!%!%!%"'* is con*erted to %!%!%!"'*
dst-address-list 'name+ - match destination address of a packet against user-defined
address list
dst-address-type 'unicast ; local ; "roadcast ; multicast+ - match destination address type
of the I packet, one of the:
unicast - I addresses used for one point to another point transmission. There is only one sender and one
recei*er in this case
local - match addresses assigned to router:s interfaces
#roadcast - the I packet is sent from one point to all other points in the I su"network
multicast - this type of I addressing is responsi"le for transmission from one or more points to a set of
other points
dst-limit 'integer.timeV6,1W,integer,dst-address ; dst-port ; src-addressVOW,timeV6,1W+ -
limit the packet per second 'pps+ rate on a per destination I or per destination port "ase.
-s opposed to the limit match, e*ery destination I address . destination port has it:s own
limit. The options are as follows 'in order of appearance+:
Count - ma,imum a*erage packet rate, measured in packets per second 'pps+, unless followed "y -ime
option
-ime - specifies the time inter*al o*er which the packet rate is measured
Furst - num"er of packets to match in a "urst
Mode - the classifier'-s+ for packet rate limiting
E5pire - specifies inter*al after which recorded I addresses . ports will "e deleted
dst-port 'integer: 6..4>>F>-integer: 6..4>>F>VXW+ - destination port num"er or range
hotspot 'multiple c$oice: from-client ; auth ; local-dst ; http+ - match packets recei*ed
from clients against *arious Bot-Spot. -ll *alues can "e negated
from-client - true, if a packet comes from BotSpot client
auth - true, if a packet comes from authenticted client
local-dst - true, if a packet has local destination I address
hotspot - true, if it is a T& packet from client and either the transparent pro,y on port 56 is ena"led or the
client has a pro,y address configured and this address is e#ual to the address:port pair of the I packet
icmp-options 'integer:integer+ - match I&M Type:&ode fields
in-interface 'name+ - interface the packet has entered the router through
ip4*-options 'any ; loose-source-routing ; no-record-route ; no-router-alert ; no-source-
routing ; no-timestamp ; none ; record-route ; router-alert ; strict-source-routing ;
timestamp+ - match ip*D header options
42
any - match packet with at least one of the ip*D options
loose-source-routing - match packets with loose source routing option. This option is used to route the
internet datagram "ased on information supplied "y the source
no-record-route - match packets with no record route option. This option is used to route the internet
datagram "ased on information supplied "y the source
no-router-alert - match packets with no router alter option
no-source-routing - match packets with no source routing option
no-timestamp - match packets with no timestamp option
record-route - match packets with record route option
router-alert - match packets with router alter option
strict-source-routing - match packets with strict source routing option
timestamp - match packets with timestamp
3ump-target 'forward ; input ; output ; postrouting ; preroutingname+ - name of the
target chain to 7ump to, if the action+3ump is used
limit 'integer.timeV6,1W,integer+ - restrict packet match rate to a gi*en limit. ?sefull to
reduce the amount of log messages
option
-ime - specify the time inter*al o*er which the packet rate is measured
log-prefi5 'text+ - all messages written to logs will contain the prefi, specified herein. ?sed
in con7unction with action+log
new-connection-mark 'name+ - specify the new *alue of the connection mark to "e used
in con7unction with action+mark-connection
new-mss 'integer+ - specify MSS *alue to "e used in con7unction with action+change-
mss
new-packet-mark 'name+ - specify the new *alue of the packet mark to "e used in
con7unction with action+mark-packet
new-routing-mark 'name+ - specify the new *alue of the routing mark used in con7unction
with action+mark-routing
new-tos 'ma,-relia"ility ; ma,-throughput ; min-cost ; min-delay ; normal integer+ -
specify TOS *alue to "e used in con7unction with action+change-tos
ma5-relia#ility - ma,imiEe relia"ility 'ToS0D+
ma5-throughput - ma,imiEe throughput 'ToS05+
min-cost - minimiEe monetary cost 'ToS03+
min-delay - minimiEe delay 'ToS014+
normal - normal ser*ice 'ToS06+
new-ttl 'decrement ; increment ; set:integer+ - specify the new TTI field *alue used in
con7unction with action+change-ttl
decrement - the *alue of the TTI field will "e decremented for value
increment - the *alue of the TTI field will "e incremented for value
setH - the *alue of the TTI field will "e set to value
nth 'integer,integer: 6..1>,integerV6,1W+ - match a particular (th packet recei*ed "y the
rule. One of 14 a*aila"le counters can "e used to count packets
E4ery - match e*ery E4ery:%th packet. /or e,ample, if E4ery+% then the rule matches e*ery 3nd packet
Counter - specifies which counter to use. - counter increments each time the rule containing nth match
matches
Packet - match on the gi*en packet num"er. The *alue "y o"*ious reasons must "e "etween and E4ery.
If this option is used for a gi*en counter, then there must "e at least E4ery:% rules with this option,
co*ering all *alues "etween and E4ery inclusi*ely.
out-interface 'name+ - match the interface name a packet left the router through
p'p 'all-p3p ; "it-torrent ; direct-connect ; edonkey ; fasttrack ; gnutella ; soulseek ;
wareE ; winm,+ - match packets "elonging to connections of the a"o*e 3 protocols
packet-mark 'name+ - match the packets marked in mangle with specific packet mark
packet-si6e 'integer: 6..4>>F>-integer: 6..4>>F>V6,1W+ - matches packet of the specified
siEe or siEe range in "ytes
Min - specifies lower "oundary of the siEe range or a standalone *alue
Ma5 - specifies upper "oundary of the siEe range
passthrough 'yes ; no= default: yes+ - whether to let the packet to pass further 'like
action passthrough+ after marking it with a gi*en mark 'property only *alid if action is
mark packet, connection or routing mark+
phys-in-interface 'name+ - matches the "ridge port physical input de*ice added to a
"ridge de*ice. It is only useful if the packet has arri*ed through the "ridge
43
protocol 'ddp ; egp ; encap ; ggp ; gre ; hmp ; icmp ; idrp-cmtp ; igmp ; ipencap ; ipip ;
ipsec-ah ; ipsec-esp ; iso-tpD ; ospf ; pup ; rdp ; rspf ; st ; tcp ; udp ; *mtp ; ,ns-idp ; ,tp
; integer+ - matches particular I protocol specified "y protocol name or num"er. @ou
should specify this setting if you want to specify ports
psd 'integer,time,integer,integer+ - attempts to detect T& and ?! scans. It is ad*ised to
assign lower weight to ports with high num"ers to reduce the fre#uency of false positi*es,
such as from passi*e mode /T transfers
Ieight-hreshold - total weight of the latest T&.?! packets with different destination ports coming from
the same host to "e treated as port scan se#uence
Celay-hreshold - delay for the packets with different destination ports coming from the same host to "e
treated as possi"le port scan su"se#uence
2owPortIeight - weight of the packets with pri*ileged 'C0163D+ destination port
JighPortIeight - weight of the packet with non-pri*iliged destination port
random 'integer: 1..22+ - matches packets randomly with gi*en propa"ility
routing-mark 'name+ - matches packets marked with the specified routing mark
src-address 'IP address.netmask ; IP address-IP address+ - specifies the address range an
I packet is originated from. (ote that console con*erts entered address"netmask *alue
to a *alid network address, i.e.:%!%!%!%"'* is con*erted to %!%!%!"'*
src-address-list 'name+ - matches source address of a packet against user-defined
address list
src-address-type 'unicast ; local ; "roadcast ; multicast+ - matches source address type
local - matches addresses assigned to router:s interfaces
other points
src-mac-address 'M"# address+ - source M-& address
src-port 'integer: 6..4>>F>-integer: 6..4>>F>VXW+ - source port num"er or range
tcp-flags 'multiple c$oice: ack ; cwr ; ece ; fin ; psh ; rst ; syn ; urg+ - tcp flags to match
ack - acknowledging data
cwr - congestion window reduced
ece - %&(-echo flag 'e,plicit congestion notification+
fin - close connection
psh - push function
rst - drop connection
syn - new connection
urg - urgent data
tcp-mss 'integer: 6..4>>F>+ - matches T& MSS *alue of an I packet
time 'time-time,sat ; fri ; thu ; wed ; tue ; mon ; sunVOW+ - allows to create filter "ased on
the packets: arri*al time and date or, for locally generated packets, departure time and date
tos 'ma,-relia"ility ; ma,-throughput ; min-cost ; min-delay ; normal+ - specifies a match
for the *alue of Type of Ser*ice 'ToS+ field of an I header
Notes
Instead of making two rules if you want to mark a packet, connection or routing-mark and
finish mangle ta"le processing on that e*ent 'in other words, mark and simultaneously
accept the packet+, you may disa"le the set "y default passthrough property of the
marking rule.
?sually routing-mark is not used for 3, since 3 traffic always is routed o*er a default
getaway.
44
!pplication Exaples
Description
The following section discusses some e,amples of using the mangle facility.
Peer-to-Peer 2ra((ic Mar,ing
To ensure the #uality of ser*ice for network connection, interacti*e traffic types such as
GoI and BTT should "e prioritiEed o*er non-interacti*e, such as peer-to-peer network
traffic. RouterOS HOS implementation uses mangle to mark different types of traffic first,
and then place them into #ueues with different limits.
The following e,ample enforces the 3 traffic will get no more than 1M"ps of the total link
capacity when the link is hea*ily used "y other traffic otherwice e,panding to the full link
capacity:
[admin@MikroTik] > /ip firewall mangle add chain=forward \
\... p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn
\... connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p
\... connection-mark=!p2p_conn action=mark-packet new-packet-mark=other
[admin@MikroTik] > /ip firewall mangle print
0 chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn
1 chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p
2 chain=forward packet-mark=!p2p_conn action=mark-packet new-packet-mark=other
[admin@MikroTik] >
[admin@MikroTik] > /queue tree add parent=Public packet-mark=p2p limit-at=1000000 \
\... max-limit=100000000 priority=8
[admin@MikroTik] > /queue tree add parent=Local packet-mark=p2p limit-at=1000000 \
[admin@MikroTik] > /queue tree add parent=Public packet-mark=other limit-
at=1000000 \
[admin@MikroTik] > /queue tree add parent=Local packet-mark=other limit-at=1000000 \
Mar, 0y M!C address
To mark traffic from a known M-& address which goes to the router or through it, do the
following:
[admin@MikroTik] > / ip firewall mangle add chain=prerouting \
\... src-mac-address=00:01:29:60:36:E7 action=mark-connection new-connection-
mark=known_mac_conn
[admin@MikroTik] > / ip firewall mangle add chain=prerouting \
\... connection-mark=known_mac_conn action=mark-packet new-packet-mark=known_mac
Change M""
It is a well known fact that G( links ha*e smaller packet siEe due to incapsulation
o*erhead. - large packet with MSS that e,ceeds the MSS of the G( link should "e
fragmented prior to sending it *ia that kind of connection. Bowe*er, if the packet has !/
flag set, it cannot "e fragmented and should "e discarded. On links that ha*e "roken path
45
MT? disco*ery 'MT?!+ it may lead to a num"er of pro"lems, including pro"lems with /T
and BTT data transfer and e-mail ser*ices.
In case of link with "roken MT?!, a decrease of the MSS of the packets coming through
the G( link sol*es the pro"lem. The following e,ample demonstrates how to decrease the
MSS *alue *ia mangle:
[admin@MikroTik] > /ip firewall mangle add out-interface=pppoe-out \
\... protocol=tcp tcp-flags=syn action=change-mss new-mss=1300 chain=forward
[admin@MikroTik] > /ip firewall mangle print
0 chain=forward out-interface=pppoe-out protocol=tcp tcp-flags=syn
action=change-mss new-mss=1300
[admin@MikroTik] >
N@-
Document revision: 2.! (Tue Fe" 2! 1:1:00 GMT 2006)
Applies to: V2.9
&eneral 'n(oration
"uary
(etwork -ddress Translation '(-T+ is a router facility that replaces source and 'or+
destination I addresses of the I packet as it pass through thhe router. It is most
commonly used to ena"le multiple host on a pri*ate network to access the Internet using a
single pu"lic I address.
"peci(ications
Iicense re#uired: Level1 %num&er of rules limited to 1' , Level(
Su"menu le*el: /ip (ire#all nat
Standards and Technologies: I, R/&14F1, R/&344F
Bardware usage: Increases wit$ t$e count of rules
Related Docuents
I -ddresses and -R
/ilter
Mangle
acket /low
N!2
Description
46
(etwork -ddress Translation is an Internet standard that allows hosts on local area
networks to use one set of I addresses for internal communications and another set of I
addresses for e,ternal communications. - I-( that uses (-T is referred as natted network.
/or (-T to function, there should "e a (-T gateway in each natted network. The (-T
gateway '(-T router+ performs I address rewriting on the way a packet tra*el from.to
I-(.
There are two types of (-T:
source (-T or srcnat. This type of (-T is performed on packets that are originated
from a natted network. - (-T router replaces the pri*ate source address of an I
packet with a new pu"lic I address as it tra*els through the router. - re*erse
operation is applied to the reply packets tra*elling in the other direction.
destination (-T or dstnat. This type of (-T is performed on packets that are
destined to the natted network. It is most comonly used to make hosts on a pri*ate
network to "e acceesi"le from the Internet. - (-T router performing dstnat replaces
the destination I address of an I packet as it tra*el through the router towards a
pri*ate network.
N!2 Dra#0ac,s
Bosts "ehind a (-T-ena"led router do not ha*e true end-to-end connecti*ity. Therefore
some Internet protocols might not work in scenarios with (-T. Ser*ices that re#uire the
initiation of T& connection from outside the pri*ate network or stateless protocols such as
?!, can "e disrupted. Moreo*er, some protocols are inherently incompati"le with (-T, a
"old e,ample is -B protocol from the Isec suite.
RouterOS includes a num"er of so-called (-T helpers, that ena"le (-T tra*ersal for *arious
protocols.
Redirect and Masquerade
Redirect and mas#uerade are special forms of destination (-T and source (-T,
respecti*ely. Redirect is similar to the regular destination (-T in the same way as
mas#uerade is similar to the source (-T - mas#uerade is a special form of source (-T
without need to specify to-addresses - outgoing interface address is used automatically.
The same is for redirect - it is a form of destination (-T where to-addresses is not used -
incoming interface address is used instead. (ote that to-ports is meaningful for redirect
rules - this is the port of the ser*ice on the router that will handle these re#uests 'e.g. we"
pro,y+.
$hen packet is dst-natted 'no matter - action+nat or action+redirect+, dst address is
changed. Information a"out translation of addresses 'including original dst address+ is kept
in router:s internal ta"les. Transparent we" pro,y working on router 'when we" re#uests
get redirected to pro,y port on router+ can access this information from internal ta"les and
get address of we" ser*er from them. If you are dst-natting to some different pro,y ser*er,
it has no way to find we" ser*er:s address from I header '"ecause dst address of I packet
that pre*iously was address of we" ser*er has changed to address of pro,y ser*er+.
Starting from BTT.1.1 there is special header in BTT re#uest which tells we" ser*er
address, so pro,y ser*er can use it, instead of dst address of I packet. If there is no such
header 'older BTT *ersion on client+, pro,y ser*er can not determine we" ser*er address
and therefore can not work.
It means, that it is impossi"le to correctly transparently redirect BTT traffic from router to
some other transparent-pro,y "o,. Only correct way is to add transparent pro,y on the
router itself, and configure it so that your <real< pro,y is parent-pro,y. In this situation your
<real< pro,y does not ha*e to "e transparent any more, as pro,y on router will "e
47
transparent and will forward pro,y-style re#uests 'according to standard= these re#uests
include all necessary information a"out we" ser*er+ to <real< pro,y.
action 'accept ; add-dst-to-address-list ; add-src-to-address-list ; dst-nat ; 7ump ; log ;
mas#uerade ; netmap ; passthrough ; redirect ; return ; same ; src-nat= default: accept+ -
action to undertake if the packet matches the rule
accept - accepts the packet. (o action is taken, i.e. the packet is passed through and no more rules are
applied to it
add-dst-to-address-list - adds destination address of an I packet to the address list specified "y
add-src-to-address-list - adds source address of an I packet to the address list specified "y address-
list parameter
dst-nat - replaces destination address of an I packet to *alues specified "y to-addresses and to-ports
parameters
masquerade - replaces source address of an I packet to an automatically determined "y the routing
facility I address
netmap - creates a static 1:1 mapping of one set of I addresses to another one. Often used to distri"ute
pu"lic I addresses to hosts on pri*ate networks
passthrough - ignores this rule goes on to the ne,t one
redirect - replaces destination address of an I packet to one of the router:s local addresses
return - passes control "ack to the chain from where the 7ump took place
same - gi*es a particular client the same source.destination I address from supplied range for each
connection. This is most fre#uently used for ser*ices that e,pect the same client address for multiple
connections from the same client
src-nat - replaces source address of an I packet to *alues specified "y to-addresses and to-ports
parameters
address-list 'name+ - specifies the name of the address list to collect I addresses from
chain 'dstnat ; srcnat ; name+ - specifies the chain to put a particular rule into. -s the
different traffic is passed through different chains, always "e careful in choosing the right
chain for a new rule. If the input does not match the name of an already defined chain, a
new chain will "e created
dstnat - a rule placed in this chain is applied "efore routing. The rules that replace destination addresses of
I packets should "e placed there
srcnat - a rule placed in this chain is applied after routing. The rules that replace the source addresses of I
packets should "e placed there
comment 'text+ - a descripti*e comment for the rule. - comment can "e used to identify
rules form scripts
connection-#ytes 'integer-integer+ - matches packets only if a gi*en amount of "ytes has
connection-mark 'name+ - matches packets marked *ia mangle facility with particular
connection mark
connection-type 'ftp ; gre ; hF3F ; irc ; mms ; pptp ; #uakeF ; tftp+ - matches packets
from related connections "ased on information from their connection tracking helpers. -
rele*ant connection helper must "e ena"led under "ip firewall ser4ice-port
dst-address 'IP address.netmask ; IP address-IP address+ - specifies the address range an
48
dst-address-list 'name+ - matches destination address of a packet against user-defined
address list
dst-address-type 'unicast ; local ; "roadcast ; multicast+ - matches destination address
type of the I packet, one of the:
other points
limits the packet per second 'pps+ rate on a per destination I or per destination port "ase.
option
hotspot 'multiple c$oice: from-client ; auth ; local-dst+ - matches packets recei*ed from
clients against *arious Bot-Spot. -ll *alues can "e negated
icmp-options 'integer:integer+ - matches I&M Type:&ode fields
3ump-target 'dstnat ; srcnatname+ - name of the target chain to 7ump to, if the
action+3ump is used
limit 'integer.timeV6,1W,integer+ - restricts packet match rate to a gi*en limit. ?sefull to
option
matches
out-interface 'name+ - interface the packet is lea*ing the router through
packet-mark 'text+ - matches packets marked *ia mangle facility with particular packet
mark
49
phys-out-interface 'name+ - matches the "ridge port physical output de*ice added to a
"ridge de*ice. It is only useful if the packet will lea*e the router through the "ridge
random 'integer+ - match packets randomly with gi*en propa"ility
routing-mark 'name+ - matches packets marked "y mangle facility with particular routing
mark
same-not-#y-dst 'yes ; no+ - specifies whether to account or not to account for
destination I address when selecting a new source I address for packets matched "y rules
with action+same
address list
other points
to-addresses 'IP address-IP addressV6,1W= default: !!!+ - address or address range
to replace original address of an I packet with
to-ports 'integer: 6..4>>F>-integer: 6..4>>F>V6,1W+ - port or port range to replace original
port of an I packet with
to the *alue of Type of Ser*ice 'ToS+ field of I header
N!2 !pplications
Description
50
In this section some (-T applications and e,amples of them are discussed.
Basic N!2 con(iguration
-ssume we want to create router that:
<hides< the pri*ate I-( <"ehind< one address
pro*ides u"lic I to the Iocal ser*er
creates 1:1 mapping of network addresses
Exaple o( "ource N!2 (Masquerading)
If you want to <hide< the pri*ate I-( 123.145.6.6.3D <"ehind< one address 16.>.5.162
gi*en to you "y the IS, you should use the source network address translation
'mas#uerading+ feature of the MikroTik router. The mas#uerading will change the source I
address and port of the packets originated from the network 123.145.6.6.3D to the address
16.>.5.162 of the router when the packet is routed through it.
To use mas#uerading, a source (-T rule with action :mas#uerade: should "e added to the
firewall configuration:
/ip firewall nat add chain=srcnat action=masquerade out-interface=Public
-ll outgoing connections from the network 123.145.6.6.3D will ha*e source address
16.>.5.162 of the router and source port a"o*e 163D. (o access from the Internet will "e
possi"le to the Iocal addresses. If you want to allow connections to the ser*er on the local
network, you should use destination (etwork -ddress Translation '(-T+.
Exaple o( Destination N!2
If you want to link u"lic I 16.>.5.366 address to Iocal one 123.145.6.162, you should use
destination address translation feature of the MikroTik router. -lso if you want allow Iocal
ser*er to talk with outside with gi*en u"lic I you should use source address translation,
too
-dd u"lic I to u"lic interface:
/ip address add address=10.5.8.200/32 interface=Public
-dd rule allowing access to the internal ser*er from e,ternal networks:
/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat \
to-addresses=192.168.0.109
-dd rule allowing the internal ser*er to talk to the outer networks ha*ing its source address
translated to 16.>.5.366:
/ip firewall nat add chain=srcnat src-address=192.168.0.109 action=src-nat \
to-addresses=10.5.8.200
Exaple o( 676 apping
51
If you want to link u"lic I su"net 11.11.11.6.3D to local one 3.3.3.6.3D, you should use
destination address translation and source address translation features with
action+netmap.
/ip firewall nat add chain=dstnat dst-address=11.11.11.1-11.11.11.254 \
action=netmap to-addresses=2.2.2.1-2.2.2.254
/ip firewall nat add chain=srcnat src-address=2.2.2.1-2.2.2.254 \
action=netmap to-addresses=11.11.11.1-11.11.11.254
@ddress 2ists
Document revision: 2.# (Mon M$% 02 10:1!:10 GMT 200)
Applies to: V2.9
&eneral 'n(oration
"uary
/irewall address lists allow to create a list of I addresses to "e used for packet matching.
"peci(ications
Su"menu le*el: /ip (ire#all address-list
Related Docuents
(-T
/ilter
acket /low
acket /low
!ddress *ists
Description
/irewall address lists allow user to create lists of I addresses grouped together. /irewall
filter, mangle and (-T facilities can use address lists to match packets against them.
The address list records could "e updated dynamically *ia the action+add-src-to-
address-list or action+add-dst-to-address-list items found in (-T mangle and filter
facilities.
52
list 'name+ - specify the name of the address list to add I address to
address 'IP address.netmask ; IP address-IP address+ - specify the I address or range to
"e added to the address list. (ote that console con*erts entered address"netmask *alue
Exaple
The following e,ample creates an address list of people thet are connecting to port 3F
'telnet+ on the router and drops all further traffic from them. -dditionaly, the address list
will contain one static entry of address+%&'!!0*!%(("0' 'www.e,ample.com+:
[admin@MikroTik] > /ip firewall address-list add list=drop_traffic
address=192.0.34.166/32
[admin@MikroTik] > /ip firewall address-list print
Flags: X - disabled, D - dynamic
# LIST ADDRESS
0 drop_traffic 192.0.34.166
[admin@MikroTik] > /ip firewall mangle add chain=prerouting protocol=tcp dst-
port=23 \
\... action=add-src-to-address-list address-list=drop_traffic
[admin@MikroTik] > /ip firewall filter add action=drop chain=input src-address-
list=drop_traffic
[admin@MikroTik] > /ip firewall address-list print
# LIST ADDRESS
0 drop_traffic 192.0.34.166
1 D drop_traffic 1.1.1.1
2 D drop_traffic 10.5.11.8
[admin@MikroTik] >
-s seen in the output of the last print command, two new dynamic entries appeared in the
address list. Bosts with these I addresses tried to initialiEe a telnet session to the router.
Packet Klow
Document revision: 2.# (Mon &un 0 12:04:1 GMT 2006)
Applies to: V2.9
&eneral 'n(oration
"uary
This manual descri"es the order in which an I packet tra*erses *arious internal facilities of
the router and some general information regarding packet handling, common I protocols
and protocol options.
"peci(ications
Iicense re#uired: Level(
Su"menu le*el: /ip (ire#all
Bardware usage: Increases wit$ ")* mangle and filter rules count
53
Related Docuents
I -ddresses and -R
(-T
Mangle
/ilter
Pac,et $lo#
Description
MikroTik RouterOS is designed to "e easy to operate in *arious aspects, including I
firewall. Therefore regular firewall policies can "e created and deployed without the
knowledge a"out how the packets are processed in the router. /or e,ample, if all that
re#uired is 7ust natting internal clients to a pu"lic address, the following command can "e
issued 'assuming the interface to the Internet in named Pu#lic+:
/ip firewall nat add action=masquerade out-interface=Public chain=srcnat
Regular packet filtering, "andwith management or packet marking can "e configured with
ease in a similar manner. Bowe*er, a more complicated configuration could "e deployed
only with a good understanding of the underlying processes in the router.
The packet flow through the router is depicted in the following diagram:
54
-s can "e seen on the diagram, there are fi*e chains in the processing pipeline. These are
prerouting, input, forward, output and postrouting. The actions performed on a packet
in each chain are discussed later in this chapter.
-dditional arrows from Isec "o,es shows the processing of encrypted packets 'they need
to "e encrypted . decrypted first and then processed as usual, id est from the point an
ordinal packet enters the router+.
55
- paket can enter processing con*eyer of the router in two ways. /irst, a packet can come
from one of the interfaces present in the roter 'then the interface is referred as input
interface+. Second, it can "e originated from a local process, like we" pro,y, G( or
others. -like, there are two ways for a packet to lea*e the processing pipeline. - packet can
lea*e through the one of the router:s interfaces 'in this case the interface is referred as
output interface+ or it can end up in the local process. In general, traffic can "e destined
to one of the router:s I addresses, it can originate from the router or simply should "e
passed through. To further complicate things the traffic can "e "ridged or routed one, which
is determined during the Fridge Cecision stage.
Routed tra((ic
The traffic recei*ed for the router:s M-& address on the respecti*e port, is passed to the
routing procedures and can "e of one of these four types:
the traffic which is destined to the router itself. The I packets has destination
address e#ual to one of the router:s I addresses. - packet enters the router through
the input interface, se#uentially tra*erses prerouting and input chains and ends
up in the local process. &onse#uently, a packet can "e filtered in the input chain
filter and mangled in two places: the input and the prerouting chain filters.
the traffic is originated from the router. In this case the I packets ha*e their source
addresses identical to one of the router:s I addresses. Such packets tra*el through
the output chain, then they are passed to the routing facility where an appropriate
routing path for each packet is determined and lea*e through the postrouting
chain.
routa"le traffic, which is recei*ed at the router:s M-& address, has an I address
different from any of the router:s own addresses, and its destination can "e found in
the routing ta"les. These packets go through the prerouting, forward and
postrouting chains.
unrouta"le traffic, which is recei*ed at the router:s M-& address, has an I address
different from any of the router:s own addresses, "ut its destination can not "e found
in the routing ta"les. These packets go through the prerouting and stop in the
routing recision.
The actions imposed "y *arious router facilities are se#uentially applied to a packet in each
of the default chains. The e,act order they are applied is pictured in the "ottom of the flow
diagram. !xempli gratia, for a packet passing postrouting chain the mangle rules are
applied first, two types of #ueuing come in second place and finally source (-T is performed
on packets that need to "e natted.
(ote, that any gi*en packet can come through only one of the input, forward or output
chains.
Bridged 2ra((ic
In case the incoming traffic needs to "e "ridged 'do not confuse it with the traffic coming to
the "ridge interface at the router:s own M-& address and, thus, classified as routed traffic+
it is first determined whether it is an I traffic or not. -fter that, I traffic goes through the
prerouting, forward and postrouting chains, while non-I traffic "ypasses all I firewall
rules and goes directly to the interface #ueue. 8oth types of traffic, howe*er, undergo the
full set of "ridge firewall chains anyway, regardless of the protocol.
Connection 2rac,ing
Su"menu le*el: /ip (ire#all connection
56
Description
&onnection tracking refers to the a"ility to maintain the state information a"out
connections, such as source and destination I address and ports pairs, connection states,
protocol types and timeouts. /irewalls that do connection tracking are known as <stateful<
and are inherently more secure that those who do only simple <stateless< packet
processing.
The state of a particular connection could "e esta#ilished meaning that the packet is part
of already known connection, new meaning that the packet starts a new connection or
"elongs to a connection that has not seen packets in "oth directions yet, related meaning
that the packet starts a new connection, "ut is associated with an e,isting connection, such
as /T data transfer or I&M error message and, finally, in4alid meaning that the packet
does not "elong to any known connection and, at the same time, does not open a *alid new
connection.
&onnection tracking is done in the prerouting chain, or the output chain for locally
generated packets.
-nother function of connection tracking which cannot "e o*erestimated is that it is needed
for (-T. @ou should "e aware that no (-T can "e performed unless you ha*e connection
tracking ena"led, the same applies for p3p protocols recognition. &onnection tracking also
assem"les I packets from fragments "efore further processing.
The ma,imum num"er of connections the "ip firewall connection state ta"le can contain
is determined initially "y the amount of physical memory present in the router. Thus, for
e,ample, a router with 4D M8 of R-M can hold the information a"out up to 4>>F4
connections, "ut a router with 135 M8 R-M increases this *alue to more than 1F6666.
lease ensure that your router is e#uipped with sufficient amount of physical memory to
properly handle all connections.
assured 'read-only: true ; false+ - shows whether replay was seen for the last packet
matching this entry
connection-mark 'read-only: text+ - &onnection mark set in mangle
dst-address 'read-only: IP address:port+ - the destination address and port the connection
is esta"lished to
icmp-id 'read-only: integer+ - contains the I&M I!. %ach I&M packet gets an I! set to it
when it is sent, and when the recei*er gets the I&M message, it sets the same I! within
the new I&M message so that the sender will recogniEe the reply and will "e a"le to
connect it with the appropriate I&M re#uest
icmp-option 'read-only: integer+ - the I&M type and code fields
p'p 'read-only: text+ - peer to peer protocol
protocol 'read-only: text+ - I protocol name or num"er
reply-dst-address 'read-only: IP address:port+ - the destination address and port the
reply connection is esta"lished to
reply-icmp-id 'read-only: integer+ - contains the I&M I! of recei*ed packet
reply-icmp-option 'read-only: integer+ - the I&M type and code fields of recei*ed packet
reply-src-address 'read-only: IP address:port+ - the source address and port the reply
connection is esta"lished from
src-address 'read-only: IP address:port+ - the source address and port the connection is
esta"lished from
tcp-state 'read-only: text+ - the state of T& connection
timeout 'read-only: time+ - the amount of time until the connection will "e timed out
57
unreplied 'read-only: true ; false+ - shows whether the re#uest was unreplied
Connection 2ieouts
Su"menu le*el: /ip (ire#all connection trac,ing
Description
&onnection tracking pro*ides se*eral timeouts. $hen particular timeout e,pires the
according entry is remo*ed from the connection state ta"le. The following diagram depicts
typical T& connection esta"lishment and termination and tcp timeouts that take place
during these processes:
ena#le 'yes ; no= default: yes+ - whether to allow or disallow connection tracking
generic-timeout 'time= default: %m+ - ma,imal amount of time connection state ta"le
entry that keeps tracking of packets that are neither T& nor ?! 'for instance 9R%+ will
sur*i*e after ha*ing seen last packet matching this entry. &reating T connection this
*alue will "e increased automaticly
icmp-timeout 'time= default: %s+ - ma,imal amount of time connection tracking entry
will sur*i*e after ha*ing seen I&M re#uest
ma5-entries 'read-only: integer+ - the ma,imum num"er of connections the connection
state ta"le can contain, depends on an amount of total memory
tcp-close-timeout 'time= default: %s+ - ma,imal amount of time connection tracking
entry will sur*i*e after ha*ing seen connection reset re#uest 'RST+ or an acknowledgment
'-&K+ of the connection termination re#uest from connection release initiator
tcp-close-wait-timeout 'time= default: %s+ - ma,imal amount of time connection
tracking entry will sur*i*e after ha*ing seen an termination re#uest '/I(+ from responder
tcp-esta#lished-timeout 'time= default: %d+ - ma,imal amount of time connection
tracking entry will sur*i*e after ha*ing seen an acknowledgment '-&K+ from connection
initiator
58
tcp-fin-wait-timeout 'time= default: %s+ - ma,imal amount of time connection tracking
entry will sur*i*e after ha*ing seen connection termination re#uest '/I(+ from connection
release initiator
tcp-syncookie 'yes ; no= default: no+ - ena"le T& S@( cookies for connections destined
to the router itself 'this may "e useful for BotSpot and tunnels+
tcp-syn-recei4ed-timeout 'time= default: %m+ - ma,imal amount of time connection
tracking entry will sur*i*e after ha*ing seen a matching connection re#uest 'S@(+
tcp-syn-sent-timeout 'time= default: %m+ - ma,imal amount of time connection tracking
entry will sur*i*e after ha*ing seen a connection re#uest 'S@(+ from connection initiator
tcp-time-wait-timeout 'time= default: %s+ - ma,imal amount of time connection
tracking entry will sur*i*e after ha*ing seen connection termination re#uest '/I(+ 7ust after
connection re#uest 'S@(+ or ha*ing seen another termination re#uest '/I(+ from connection
release initiator
total-entries 'read-only: integer+ - num"er of connections currently recorded in the
connection state ta"le
udp-stream-timeout 'time= default: 0m+ - ma,imal amount of time connection tracking
entry will sur*i*e after replay is seen for the last packet matching this entry 'connection
tracking entry is assured+. It is used to increase timeout for such connections as BF3F,
GoI, etc.
udp-timeout 'time= default: %s+ - ma,imal amount of time connection tracking entry will
sur*i*e after ha*ing seen last packet matching this entry
Notes
The ma,imum timeout *alue depends on amount of entries in connection state ta"le. If
amount of entries in the ta"le is more than:
1.14 of ma,imum num"er of entries the ma,imum timeout *alue will "e 1 day
F.14 of ma,imum num"er of entries the ma,imum timeout *alue will "e 1 hour
1.3 of ma,imum num"er of entries the ma,imum timeout *alue will "e 16 minute
1F.14 of ma,imum num"er of entries the ma,imum timeout *alue will "e 1 minute
The shortest timeout will always "e choden "etween the configured timeout and the *alue
listed a"o*e.
If connection tracking timeout *alue is less than the normal inter*al "etween the data
packets rate 'timeout e,pires "efore the ne,t packet ari*es+, (-T and statefull-firewalling
stop working.
"er%ice Ports
Su"menu le*el: /ip (ire#all ser%ice-port
Description
Some network protocols are not compati"le with network address translation, for e,ample
due to some additional infomation a"out the actual addresses or ports is present in the
packet payload, which is not known for the (-T procedures, as they only look at the I,
?! and T& headers, not inside the packets. /or these protocols to work correctly, a
connection tracking helper is needed to work around such design issues. @ou may ena"le
and disa"le helpers here 'you may want to disa"le some of them to increase performance or
if you are e,periencing pro"lems with some protocols detected incorrectly+. (ote that you
can not add or remo*e the helpers, 7ust ena"le or disa"le the e,isting ones.
59
name - protocol name
ports 'integer+ - port range that is used "y the protocol 'only some helpers need this+
&eneral $ire#all 'n(oration
Description
'CMP 28PE7C1DE %alues
In order to protect your router and attached pri*ate networks, you need to configure
firewall to drop or re7ect most of I&M traffic. Bowe*er, some I&M packets are *ital to
maintain network relia"ility or pro*ide trou"leshooting ser*ices.
The following is a list of I&M T@%:&O!% *alues found in good packets. It is generally
suggested to allow these types of I&M traffic.
ing
o )H - echo re#uest
o H - echo reply
Trace
o %%H - TTI e,ceeded
o 0H0 - ort unreacha"le
ath MT? disco*ery
o 0H* - /ragmentation-!/-Set
9eneral suggestion to apply I&M filtering
-llow pingYI&M %cho-Re#uest out"ound and %cho-Reply messages in"ound
-llow tracerouteYTTI-%,ceeded and ort-?nreacha"le messages in"ound
-llow path MT?YI&M /ragmentation-!/-Set messages in"ound
8lock e*erything else
2ype o( "er%ice
Internet paths *ary in #uality of ser*ice they pro*ide. They can differ in cost, relia"ility,
delay and throughput. This situation imposes some tradeoffs, exempli gratia the path with
the lowest delay may "e among the ones with the smallest throughput. Therefore, the
<optimal< path for a packet to follow through the Internet may depend on the needs of the
application and its user.
-s the network itself has no knowledge on how to optimiEe path choosing for a particular
application or user, the I protocol pro*ides a method for upper layer protocols to con*ey
hints to the Internet Iayer a"out how the tradeoffs should "e made for the particular
packet. This method is implemented with the help of a special field in the I protocol
header, the <Type of Ser*ice< field.
The fundamental rule is that if a host makes appropriate use of the TOS facility, its network
ser*ice should "e at least as good as it would ha*e "een if the host had not used this
facility.
60
Type of Ser*ice 'ToS+ is a standard field of I packet and it is used "y many network
applications and hardware to specify how the traffic should "e treated "y the gateway.
MikroTik RouterOS works with the full ToS "yte. It does not take account of reser*erd "its in
this "yte '"ecause they ha*e "een redefined many times and this approach pro*ides more
fle,i"ility+. It means that it is possi"le to work with !iffSer* marks '!ifferentiated Ser*ices
&odepoint, !S& as defined in R/&3DSD+ and %&( codepoints '%,plicit &ongestion
(otification, %&( as defined in R/&F145+, which are using the same field in the I protocol
header. (ote that it does not mean that RouterOS supports !iffSer* or %&(, it is 7us
Kilter
Document revision: 2.# (Fri Nov 04 16:04:3# GMT 200)
Applies to: V2.9
&eneral 'n(oration
"uary
The firewall implements packet filtering and there"y pro*ides security functions that are
used to manage data flow to, from and through the router. -long with the (etwork -ddress
Translation it ser*e as a tool for pre*enting unauthoriEed access to directly attached
networks and the router itself as well as a filter for outgoing traffic.
9uic, "etup &uide
To add a firewall rule which drops all -CP packets that are destined to port %0? and
going through the router, use the following command:
/ip firewall filter add chain=forward dst-port=135 protocol=tcp action=drop
To deny acces to the router *ia Telnet 'protocol T&, port 3F+, type the following
command:
/ip firewall filter add chain=input protocol=tcp dst-port=23 action=drop
To only allow not more than > simultaneous connections from each of the clients, do
the following:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-
limit=6,32 action=drop
"peci(ications
Iicense re#uired: Level1 %P+P filters limited to 1' , Level(
Su"menu le*el: /ip (ire#all (ilter
Standards and Technologies: I, R/&311F
Bardware usage: Increases wit$ filtering rules count
Related Docuents
61
I -ddresses and -R
(-T
Mangle
acket /low
$ire#all $ilter
Su"menu le*el: /ip (ire#all (ilter
Description
(etwork firewalls keep outside threats away from sensiti*e data a*aila"le inside the
network. $hene*er different networks are 7oined together, there is always a threat that
someone from outside of your network will "reak into your I-(. Such "reak-ins may result
in pri*ate data "eing stolen and distri"uted, *alua"le data "eing altered or destroyed, or
entire hard dri*es "eing erased. /irewalls are used as a means of pre*enting or minimiEing
the security risks inherent in connecting to other networks. roperly configured firewall
plays a key role in efficient and secure network infrastrure deployment.
MikroTik RouterOS has *ery powerful firewall implementation with features including:
stateful packet filtering
peer-to-peer protocols filtering
traffic classification "y:
o source M-& address
o I addresses 'network or list+ and address types '"roadcast, local, multicast,
unicast+
o port or port range
o I protocols
o protocol options 'I&M type and code fields, T& flags, I options and MSS+
o interface the packet arri*ed from or left through
o internal flow and connection marks
o ToS '!S&+ "yte
o packet content
o rate at which packets arri*e and se#uence num"ers
o packet siEe
o packet arri*al time
o and much more)
&eneral $iltering Principles
The firewall operates "y means of firewall rules. - rule is a definiti*e form e,pression that
tells the router what to do with a particular I packet. %ach rule consists of two parts that
are the matcher which matches traffic flow against gi*en conditions and the action which
defines what to do with the mathched packets. Rules are organiEed in chains for "etter
management.
The filter facility has three default chains: input, forward and output that are responsi"le
for traffic coming from, throurh and to the router, respecti*ely. (ew user-defined chains can
"e added, as necessary. Since these chains ha*e no default traffic to match, rules with
action+3ump and rele*ant 3ump-target should "e added to one or more of the three
default chains.
62
$ilter Chains
-s mentioned "efore, the firewall filtering rules are grouped together in chains. It allows a
packet to "e matched against one common criterion in one chain, and then passed o*er for
processing against some other common criteria to another chain. /or e,ample a packet
should "e matched against the ,P addressHport pair. Of course, it could "e achie*ed "y
adding as many rules with ,P addressHport match as re#uired to the forward chain, "ut a
"etter way could "e to add one rule that matches traffic from a particular I address, e.g.:
/ip firewall filter add src-address=1.1.1.2/32 jump-target="mychain" and in
case of successfull match passes control o*er the I packet to some other chain, id est
mychain in this e,ample. Then rules that perform matching against separate ports can "e
added to mychain chain without specifying the I addresses.
There are three predefined chains, which cannot "e deleted:
input - used to process packets entering the router through one of the interfaces
with the destination I address which is one of the router:s addresses. ackets
passing through the router are not processed against the rules of the input chain
forward - used to process packets passing through the router
output - used to process packets originated from the router and lea*ing it through
one of the interfaces. ackets passing through the router are not processed against
the rules of the output chain
$hen processing a chain, rules are taken from the chain in the order they are listed there
from top to "ottom. If a packet matches the criteria of the rule, then the specified action is
performed on it, and no more rules are processed in that chain 'the e,ception is the
passthrough action+. If a packet has not matched any rule within the chain, then it is
accepted.
action 'accept ; add-dst-to-address-list ; add-src-to-address-list ; drop ; 7ump ; log ;
passthrough ; re7ect ; return ; tarpit= default: accept+ - action to undertake if the packet
matches the rule
accept - accept the packet. (o action is taken, i.e. the packet is passed through and no more rules are
applied to it
add-dst-to-address-list - adds destination address of an I packet to the address list specified "y
add-src-to-address-list - adds source address of an I packet to the address list specified "y address-
list parameter
drop - silently drop the packet 'without sending the I&M re7ect message+
passthrough - ignores this rule and goes on to the ne,t one
re3ect - re7ect the packet and send an I&M re7ect message
return - passes control "ack to the chain from where the 7ump took place
tarpit - captures and holds incoming T& connections 'replies with S@(.-&K to the in"ound T& S@(
packet+
address-list 'name+ - specifies the name of the address list to collect I addresses from
chain 'forward ; input ; output ; name+ - specifies the chain to put a particular rule into. -s
the different traffic is passed through different chains, always "e careful in choosing the
right chain for a new rule. If the input does not match the name of an already defined chain,
a new chain will "e created
63
comment 'text+ - a descripti*e comment for the rule. - comment can "e used to identify
rules form scripts
connection-#ytes 'integer-integer+ - matches packets only if a gi*en amount of "ytes has
connection-mark 'name+ - matches packets marked *ia mangle facility with particular
connection mark
connection-state 'esta"ilished ; in*alid ; new ; related+ - interprets the connection
tracking analysis data for a particular packet
esta#ilished - a packet which "elongs to an e,isting connection, exempli gratia a reply packet or a packet
which "elongs to already replied connection
in4alid - a packet which could not "e identified for some reason. This includes out of memory condition and
I&M errors which do not correspond to any known connection. It is generally ad*ised to drop these packets
new - a packet which "egins a new T& connection
related - a packet which is related to, "ut not part of an e,isting connection, such as I&M errors or a
packet which "egins /T data connection 'the later re#uires ena"led /T connection tracking helper under
"ip firewall ser4ice-port+
connection-type 'ftp ; gre ; hF3F ; irc ; mms ; pptp ; #uakeF ; tftp+ - matches packets
from related connections "ased on information from their connection tracking helpers. -
rele*ant connection helper must "e ena"led under "ip firewall ser4ice-port
dst-address 'IP address.netmask ; IP address-IP address+ - specifies the address range an
dst-address-list 'name+ - matches destination address of a packet against user-defined
address list
dst-address-type 'unicast ; local ; "roadcast ; multicast+ - matches destination address
type of the I packet, one of the:
other points
limits the packet per second 'pps+ rate on a per destination I or per destination port "ase.
option
hotspot 'multiple c$oice: from-client ; auth ; local-dst ; http+ - matches packets recei*ed
from clients against *arious Bot-Spot. -ll *alues can "e negated
hotspot - true, if it is a T& packet from client and either the transparent pro,y on port 56 is ena"led or the
client has a pro,y address configured and this address is e#ual to the address:port pair of the I packet
icmp-options 'integer:integer+ - matches I&M Type:&ode fields
64
3ump-target 'forward ; input ; output ; name+ - name of the target chain to 7ump to, if the
action+3ump is used
limit 'integer.timeV6,1W,integer+ - restricts packet match rate to a gi*en limit. ?sefull to
option
matches
out-interface 'name+ - interface the packet will lea*e the router through
p'p 'all-p3p ; "it-torrent ; "lu"ster ; direct-connect ; edonkey ; fasttrack ; gnutella ;
soulseek ; wareE ; winm,+ - matches packets from *arious peer-to-peer '3+ protocols
packet-mark 'text+ - matches packets marked *ia mangle facility with particular packet
mark
phys-out-interface 'name+ - matches the "ridge port physical output de*ice added to a
"ridge de*ice. It is only useful if the packet will lea*e the router through the "ridge
random 'integer: 1..22+ - matches packets randomly with gi*en propa"ility
re3ect-with 'icmp-admin-prohi"ited ; icmp-echo-reply ; icmp-host-prohi"ited ; icmp-host-
unreacha"le ; icmp-net-prohi"ited ; icmp-network-unreacha"le ; icmp-port-unreacha"le ;
icmp-protocol-unreacha"le ; tcp-reset ; integer+ - alters the reply packet of re3ect action
routing-mark 'name+ - matches packets marked "y mangle facility with particular routing
mark
65
address list
other points
tcp-flags 'ack ; cwr ; ece ; fin ; psh ; rst ; syn ; urg+ - tcp flags to match
ack - acknowledging data
cwr - congestion window reduced
ece - %&(-echo flag 'e,plicit congestion notification+
fin - close connection
psh - push function
rst - drop connection
syn - new connection
urg - urgent data
for the *alue of Type of Ser*ice 'ToS+ field of an I header
Notes
8ecause the (-T rules are applied first, it is important to hold this in mind when setting up
firewall rules, since the original packets might "e already modified "y the (-T
$ilter !pplications
Protect your Router1" router
To protect your router, you should not only change admin:s password "ut also set up packet
filtering. -ll packets with destination to the router are processed against the ip firewall input
chain. (ote, that the input chain does not affect packets which are "eing transferred
through the router.
/ ip firewall filter
add chain=input connection-state=invalid action=drop \
comment="Drop Invalid connections"
add chain=input connection-state=established action=accept \
comment="Allow Established connections"
add chain=input protocol=udp action=accept \
comment="Allow UDP"
add chain=input protocol=icmp action=accept \
comment="Allow ICMP"
add chain=input src-address=192.168.0.0/24 action=accept \
comment="Allow access to router from known network"
add chain=input action=drop comment="Drop anything else"
66
Protecting the Custoer:s Net#or,
To protect the customer:s network, we should check all traffic which goes through router
and "lock unwanted. /or icmp, tcp, udp traffic we will create chains, where will "e droped all
unwanted packets:
/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid \
action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept \
comment="allow already established connections"
add chain=forward connection-state=related action=accept \
comment="allow related connections"
8lock I addreses called <"ogons<:
add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
Make 7umps to new chains:
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
&reate tcp chain and deny some tcp ports in it:
add chain=tcp protocol=tcp dst-port=69 action=drop \
comment="deny TFTP"
comment="deny RPC portmapper"
comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop \
comment="deny NBT"
comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
!eny udp ports in udp chain:
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"
-llow only needed icmp codes in icmp chain:
67
add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
comment="drop invalid connections"
comment="allow established connections"
comment="allow already established connections"
comment="allow source quench"
comment="allow echo request"
comment="allow time exceed"
comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"
Fandwidth Control
Document revision:
1. (Fri Fe" 03 1:1:03 GMT
2006)
Applies to: V2.9
&eneral 'n(oration
"uary
8andwidth &ontrol is a set of mechanisms that control data rate allocation, delay *aria"ility,
timely deli*ery, and deli*ery relia"ility. The MikroTik RouterOS supports the following
#ueuing disciplines:
PK,KA - ackets /irst-In /irst-Out
FK,KA - 8ytes /irst-In /irst-Out
1KL - Stochastic /airness Hueuing
REC - Random %arly !etect
PCL - er &onnection Hueue
J-F - Bierarchical Token 8ucket
"peci(ications
Iicense re#uired: Level1 %limited to 1 ,ueue' , Level(
Su"menu le*el: /queue
Standards and Technologies: (one
Bardware usage: significant
Related Docuents
I -ddresses and -R
Mangle
Description
68
Huality of Ser*ice 'HoS+ means that the router should prioritiEe and shape network traffic.
HoS is not so much a"out limiting, it is more a"out pro*iding #uality. 8elow are listed the
some features of MikroTik RouterOS 8andwidth &ontrol mechanism:
limit data rate for certain I adresses, su"nets, protocols, ports, and other
parameters
limit peer-to-peer traffic
prioritiEe some packet flows o*er others
use #ueue "ursts for faster $%8 "rowsing
apply #ueues on fi,ed time inter*als
share a*aila"le traffic among users e#ually, or depending on the load of the channel
The #ueuing is applied on packets lea*ing the router through a real interface 'i.e., the
#ueues are applied on the outgoing interface, regarding the traffic flow+, or any of the F
additional *irtual interfaces 'glo"al-in, glo"al-out, glo"al-total+.
The HoS is performed "y means of dropping packets. In case of T& protocol, the dropped
packets will "e resent so there is no need to worry that with shaping we lose some T&
information.
The main terms used to descri"e the le*el of HoS for network applications, are:
queuing discipline DqdiscE - an algorithm that holds and maintains a #ueue of
packets. It specifies the order of the outgoing packets 'it means that #ueuing
discipline can reorder packets+ and which packets to drop if there is no space for
them
C,R DCommitted ,nformation RateE - the guaranteed data rate. It means that
traffic rate, not e,ceeding this *alue should always "e deli*ered
M,R DMa5imal ,nformation RateE - the ma,imal data rate router will pro*ide
Priority - the order of importance in what traffic will "e processed. @ou can gi*e
priority to some traffic in order it to "e handeled "efore some other traffic
Contention Ratio - the ratio to which the defined data rate is shared among users
'when data rate is allocated to a num"er of su"scri"ers+. It is the num"er of
su"scri"ers that ha*e a single speed limitation, applied to all of them together. /or
e,ample, the contention ratio of 1:D means that the allocated data rate may "e
shared "etween no more than D users
8efore sending data o*er an interface, it is processed with a #ueuing discipline. 8y default,
#ueuing disciplines are set under "queue interface for each physical interface 'there is no
default #ueuing discipline for *irtual interfaces+. Once we add a #ueue 'in "queue tree+ to
a physical interface, the interface default #ueue, defined in "queue interface, for that
particular interface gets ignored. It means - when a packet does not match any filter, it is
sent through the interface with the highest priority.
"cheduler and "haper qdiscs
$e can classify #ueuing disciplines "y their influence to packet flow:
schedulers - #ueuing disciplines only reschedule packets regarding their algorithm
and drop packets which :do not fit in the #ueue:. Scheduler #ueuing disciplines are:
/I/O, 8/I/O, S/H, &H, R%!
shapers - #ueuing disciplines that also perform the limitation. Shapers are &H and
BT8
)irtual 'nter(aces
69
There are F *irtual interfaces in RouterOS, in addition to real interfaces:
glo#al-in - represents all the input interfaces in general 'I(9R%SS #ueue+. lease
note that #ueues attached to glo#al-in apply to traffic that is recei*ed "y the
router, "efore the packet filtering. glo#al-in #ueueing is e,ecuted 7ust after mangle
and dst-nat
glo#al-out - represents all the output interfaces in general. Hueues attached to it
apply "efore the ones attached to a specific interface
glo#al-total - represents a *irtual interface through which all the data, going
through the router, is passing. $hen attaching a #disc to glo"al-total, the limitation
is done in "oth directions. /or e,ample, if we set a total-ma5-limit to 3>4666, we
will get uploadOdownload03>4k"ps 'ma,imum+
'ntroduction to ;2B
BT8 'Bierarchical Token 8ucket+ is a classful #ueuing discipline that is useful for applying
different handling for different kinds of traffic. 9enerally, we can set only one #ueue for an
interface, "ut in RouterOS #ueues are attached to the main Bierarchical Token 8ucket 'BT8+
and thus ha*e some properties deri*ed from that parent #ueue. /or e,ample, we can set a
ma,imum data rate for a workgroup and then distri"ute that amount of traffic "etween the
mem"ers of that workgroup.
BT8 #disc in detail:
BT8 terms:
queuing discipline DqdiscE - an algorithm that holds and maintains a #ueue of
packets. It specifies the order of the outgoing packets 'it means that #ueuing
discipline can reorder packets+. Hdisc also decides which packets to drop if there is
no space for them
filter - a procedure that classifies packets. The filter is responsi"le for classifying
packets so that they are put in the corresponding #discs
le4el - position of a class in the hierarchy
inner class - a class that has one or more child-classes attached to it. Inner classes
do not store any packets, "ut they do traffic shaping. The class also does not ha*e
its own priority
leaf class - a class that has a parent "ut does not ha*e any child-classes. Ieaf
classes are always located at le*el 6 of the hierarchy. %ach leaf class has a #disc,
attached to it
70
self feed - an o"7ect that represents the e,it for the packets from all the classes
acti*e at its le*el of the hierarchy. It consists of 5 self slots
self slot - an element of a self feed that corresponds to each particular priority. -ll
classes, acti*e at the same le*el, of one priority are attached to one self slot that
they are using to send packets out through
acti4e class Dat a particular le4elE - a class that is attached to a self slot at the
gi*en le*el
inner feed - similar to self feed o"7ect, which consists of inner self slots, present on
each inner class
inner feed slot - similar to self slot. %ach inner feed consists of inner slots which
represent a priority
%ach class has a parent and may ha*e one or more children. &lasses that do not ha*e
children, are put at le*el 6, where #ueues are maintained, and are called :leaf classes:
%ach class in the hierarchy can prioritiEe and shape traffic. There are 3 main parameters in
RouterOS which refer to shaping and one - to prioritiEing:
limit-at - data rate that is guaranteed to a class '&IR+
ma5-limit - ma,imal data rate that is allowed for a class to reach 'MIR+
priority - order in which classes are ser*ed at the same le*el '5 is the lowest
priority, 1 is the highest+
%ach BT8 class can "e in one of F states, depending on data rate that it consumes:
green - a class the actual rate of which is e#ual or less than limit-at. -t this state,
the class is attached to self slot at the corresponding priority at its le*el, and is
allowed to satisfy its limit-at limitation regardless of what limitations its parents
ha*e. /or e,ample, if we ha*e a leaf class with limit-at+?%' and its parent has
ma5-limit+limit-at+%'), the class will get its >13k"ps)
yellow - a class the actual rate of which is greater than limit-at and e#ual or less
than ma5-limit. -t this state, the class is attached to the inner slot of the
corresponding priority of its parent:s inner feed, which, in turn, may "e attached to
either its parent:s inner slot of the same priority 'in case the parent is also yellow+,
or to its own le*el self slot of the same priority 'in case the parent is green+. ?pon
the transition to this state, the class :disconnects: from self feed of its le*el, and
:connects: to its parent:s inner feed
red - a class the actual rate of which e,ceeds ma5-limit. This class cannot "orrow
rate from its parent class
Priorities
$hen a leaf class wants to send some traffic 'as they are the only classes that hold
packets+, BT8 checks its priority. It will "egin with the highest priority and the lowest le*el
and proceed until the lowest priority at highest le*el is reached:
71
-s you can see from the picture, leaf-classes which are at the green state, will always ha*e
a higher priority than those which are "orrowing "ecause their priority is at a lower le*el
'le*el6+. In this picture, 2eaf% will "e ser*ed only after 2eaf', although it has a higher
priority 'S+ than 2eaf% '5+.
In case of e#ual priorities and e#ual states, BT8 ser*es these classes, using round ro"in
algorithm.
;2B Exaples
Bere are some e,amples on how the BT8 works.
Imagine the following scenario - we ha*e F different kinds of traffic, marked in "ip firewall
mangle 'packetAmark1, packetAmark3 and packetAmarkF+, and now ha*e "ulit a BT8
hierarchy:
[admin@MikroTik] queue tree> add name=ClassA parent=Local max-limit=2048000
[admin@MikroTik] queue tree> add name=ClassB parent=ClassA max-limit=1024000
[admin@MikroTik] queue tree> add name=Leaf1 parent=ClassA max-limit=2048000 \
\... limit-at=1024000 packet-mark=packet_mark1 priority=8
[admin@MikroTik] queue tree> add name=Leaf2 parent=ClassB max-limit=1024000 \
[admin@MikroTik] queue tree> add name=Leaf3 parent=ClassB max-limit=1024000 \
[admin@MikroTik] queue tree> print
0 name="ClassA" parent=Local packet-mark="" limit-at=0 queue=default
priority=8 max-limit=2048000 burst-limit=0 burst-threshold=0
burst-time=0s
1 name="ClassB" parent=ClassA packet-mark="" limit-at=0 queue=default
priority=8 max-limit=1024000 burst-limit=0 burst-threshold=0
burst-time=0s
2 name="Leaf1" parent=ClassA packet-mark=packet_mark1 limit-at=1024000
queue=default priority=8 max-limit=2048000 burst-limit=0
burst-threshold=0 burst-time=0s
3 name="Leaf2" parent=ClassB packet-mark=packet_mark2 limit-at=256000
4 name="Leaf3" parent=ClassB packet-mark=packet_mark3 limit-at=768000
[admin@MikroTik] queue tree>
(ow let us descri"e some scenarios, using this BT8 hierarchy.
72
1. Imagine a situation when there ha*e packets arri*ed at Ieaf1 and Ieaf3. 8ecause of
this, Ieaf1 attaches itself to this le*el:s 'Ie*el 6+ self slot with priority05 and Ieaf3
attaches to self slot with priority0S. IeafF has nothing to send, so it does nothing.
This is a simple situation: there are acti*e classes 'Ieaf1 and Ieaf3+ at Ie*el 6, and
as they "oth are in green state, they are processed in order of their priorities - at
first, we ser*e Ieaf3, then Ieaf1.
3. (ow assume that Ieaf3 has to send more than 3>4k"ps, for this reason, it attaches
itself to its parent:s '&lass8+ inner feed, which recursi*ely attaches itself to Ie*el1
self slot at priority0S. Ieaf1 continues to "e at green state - it has to send packets,
"ut not faster than 1M"ps. IeafF still has nothing to send.
This is a *ery interesting situation "ecause Ieaf1 gets a higher priority than Ieaf3
'when it is in the green state+, although we ha*e configured it for a lower priority '5+
than Ieaf3. It is "ecause Ieaf3 has disconnected itself from self feed at Ie*el 6 and
now is "orrowing from its parent '&lass8+ which has attached to self feed at Ie*el 1.
73
-nd "ecause of this, the priority of Ieaf3 :has tra*eled to Ie*el1:. Remem"er that at
first, we ser*e those classes which are at the lowest le*el with the highest priority,
then continuing with the ne,t le*el, and so on.
F. &onsider that Ieaf1 has reached its ma,-limit and changed its state to red, and
Ieaf3 now uses more than 1M"ps 'and less than 3M"ps+, so its parent &lass8 has to
"orrow from &lass- and "ecomes yellow. IeafF still has no packets to send.
This scenario shows that Ieaf1 has reached its ma,-limit, and cannot e*en "orrow
from its parent '&lass-+. Ieaf3 has hierarchical reached Ie*el3 and "orrows from
&lass8 which recursi*ely must "orrow from &lass- "ecause it has not enough rate
a*aila"le. -s IeafF has no packets to send, the only one class who sends them, is
Ieaf3.
D. -ssume that Ieaf3 is "orrowing from &lass8, &lass8 from &lass-, "ut &lass- reaches
its ma,-limit '3M"ps+.
74
In this situation Ieaf3 is in yellow state, "ut it cannot "orrow 'as &lass 8 cannot
"orrow from &lass -+.
>. /inally, let:s see what happens, if Ieaf1, Ieaf3, IeafF and &lass8 are in the yellow
state, and &lass- is green.
Ieaf1 "orrows from &lass-, Ieaf3 and IeafF from &lass8, and &lass8 also "orrows
from &lass-. (ow all the priorities ha*e :mo*ed: to Ie*el3. So Ieaf3 is on the highest
priority and is ser*ed at first. -s Ieaf1 and IeafF are at the same priority '5+ on the
same le*el '3+, they are ser*ed, using the round ro"in algorithm.
Bursts
8ursts are used to allow higher data rates for a short period of time. %*ery 1.14 part of the
#urst-time, the router calculates the a*erage data rate of each class o*er the last #urst-
time seconds. If this a*erage data rate is less than #urst-threshold, "urst is ena"led and
the actual data rate reaches #urst-limit "ps, otherwise the actual data rate falls to ma5-
limit or limit-at.
Iet us consider that we ha*e a setup, where ma5-limit03>4666, #urst-time05, #urst-
threshold0123666 and #urst-limit0>13666. $hen a user is starting to download a file *ia
BTT, we can o"ser*e such a situation:
75
-t the "eginning the a*erage data rate o*er the last 5 seconds is 6"ps "ecause "efore
applying the #ueue rule no traffic was passed, using this rule. Since this a*erage data rate
is less than #urst-threshold '123k"ps+, "urst is allowed. -fter the first second, the
a*erage data rate is '6O6O6O6O6O6O6O>13+.504Dk"ps, which is under #urst-threshold.
-fter the second second, a*erage data rate is '6O6O6O6O6O6O>13O>13+.50135k"ps.
-fter the third second comes the "reakpoint when the a*erage data rate "ecomes larger
than #urst-threshold. -t this moment "urst is disa"led and the current data rate falls
down to ma5-limit '3>4k"ps+.
;2B in Router1"
There are D BT8 trees maintained "y RouterOS:
glo"al-in
glo"al-total
glo"al-out
interface #ueue
$hen adding a simple #ueue, it creates F BT8 classes 'in glo"al-in, glo"al-total and glo"al-
out+, "ut it does not add any classes in interface #ueue.
Hueue tree is more fle,i"le - you can add it to any of these BT8:s.
$hen packet tra*els through the router, it passesall D BT8 trees - glo"al-in, glo"al-total,
glo"al-out and interface #ueue. If it is directed to the router, it passes glo"al-in and glo"al-
total BT8 #ueues. If packets are sent from the router, they are tra*ersing glo"al-total,
glo"al-out and interface #ueues
http:..linu,-ip.net.articles.Traffic-&ontrol-BO$TO.o*er*iew.html
http:..lu,ik.cdi.cE.Zde*ik.#os.ht".
http:..www.docum.org.docum.org.docs.
9ueue 2ypes
Su"menu le*el: /queue type
76
Description
In this su"menu you can create your custom #ueue types. -fterwards, you will "e a"le to
use them in "queue tree, "queue simple or "queue interface.
P$'$1 and B$'$1
These #ueuing disciplines are "ased on the /I/O algorithm '/irst-In /irst-Out+. The
difference "etween /I/O and 8/I/O is that one is measured in packets and the other one in
"ytes. There is only one parameter called pfifo-limit '#fifo-limit+ which defines how much
data a /I/O #ueue can hold. %*ery packet that cannot "e en#ueued 'if the #ueue is full+, is
dropped. Iarge #ueue siEes can increase latency.
?se /I/O #ueuing disciplines if you ha*en:t a congested link
"$9
Stochastic /airness Hueuing 'S/H+ cannot limit traffic at all. Its main idea is to e#ualiEe
traffic flows 'T& sessions or ?! streams+ when your link is completely full.
The fairness of S/H is ensured "y hashing and round-ro"in algorithms. Bashing algorithm
di*ides the session traffic o*er a limited num"er of su"#ueues. -fter sfq-pertur# seconds
the hashing algorithm changes and di*ides the session traffic to other su"#ueues. The
round-ro"in algorithm de#ueues pcq-allot "ytes from each su"#ueue in a turn.
The whole S/H #ueue can contain 135 packets and there are 163D su"#ueues a*aila"le for
these packets.
?se S/H for congested links to ensure that some connections do not star*e
PC9
77
To sol*e some S/H imperfectness, er &onnection Hueuing '&H+ was created. It is the only
classless #ueuing type that can do limitation. It is an impro*ed *ersion of S/H without its
stohastic nature. &H also creates su"#ueues, regarding the pcq-classifier parameter.
%ach su"#ueue has a data rate limit of pcq-rate and siEe of pcq-limit packets. The total
siEe of a &H #ueue cannot "e greater than pcq-total-limit packets.
The following e,ample demonstrates the usage of &H with packets, classified "y their
source address.
If you classify the packets "y src-address then all packets with different source I
addresses will "e grouped into different su"#ueues. (ow you can do the limitation or
e#ualiEation for each su"#ueue with the pcq-rate parameter. erhaps, the most significant
part is to decide to which interface should we attach this #ueue. If we will attach it to the
Iocal interface, all traffic from the u"lic interface will "e grouped "y src-address 'pro"a"ly
it:s not what we want+, "ut if we attach it to the u"lic interface, all traffic from our clients
will "e grouped "y src-address - so we can easily limit or e#ualiEe upload for clients.
To e#ualiEe rate among su"#ueues, classified "y the pcq-classifier, set the pcq-rate to )
&H can "e used to dynamically e#ualiEe or shape traffic for multiple users, using little
administration.
RED
Random %arly !etection is a #ueuing mechanism which tries to a*oid network congestion "y
controlling the a*erage #ueue siEe. $hen the a*erage #ueue siEe reaches red-min-
threshold, R%! randomly chooses which arri*ing packet to drop. The pro"a"ility how many
packets will "e dropped increases when the a*erage #ueue siEe "ecomes larger. If the
a*erage #ueue siEe reaches red-ma5-threshold, the packets are dropped. Bowe*er, there
may "e cases when the real #ueue siEe 'not a*erage+ is much greater than red-ma5-
threshold, then all packets which e,ceed red-limit are dropped.
78
Mainly, R%! is used on congested links with high data rates. $orks well with T& protocol,
"ut not so well with ?!.
#fifo-limit 'integer= default: %?+ - ma,imum num"er of "ytes that the 8/I/O #ueue
can hold
kind '"fifo ; pc# ; pfifo ; red ; sf#+ - which #ueuing discipline to use
#fifo - 8ytes /irst-In, /irst-Out
pcq - er &onnection Hueue
pfifo - ackets /irst-In, /irst-Out
red - Random %arly !etection
sfq - Stohastic /airness Hueuing
name 'name+ - associati*e name of the #ueue type
pcq-classifier 'dst-address ; dst-port ; src-address ; src-port= default: $$+ - a classifier "y
which &H will group its su"#ueues. &an "e used se*eral classifiers at once, e.g., src-
address,src-port will group all packets with different source address and source-ports into
separate su"#ueues
pcq-limit 'integer= default: ?+ - num"er of packets that can hold a single &H su"-#ueue
pcq-rate 'integer= default: + - ma,imal data rate allowed for each &H su"-#ueue. Galue
means that there is no limitation set
pcq-total-limit 'integer= default: '+ - num"er of packets that can hold the whole &H
#ueue
pfifo-limit 'integer+ - ma,imum num"er of packets that the /I/O #ueue can hold
red-a4g-packet 'integer= default: %+ - used "y R%! for a*erage #ueue siEe
calculations
red-#urst 'integer+ - *alue in "ytes which is used for determining how fast the a*erage
#ueue siEe will "e influenced "y the real #ueue siEe. Iarger *alues will slow down the
calculation "y R%! - longer "ursts will "e allowed
red-limit 'integer+ - *alue in "ytes. If the real #ueue siEe 'not a*erage+ e,ceeds this *alue
then all packets a"o*e this *alue are dropped
red-ma5-threshold 'integer+ - *alue in "ytes. It is the a*erage #ueue siEe at which packet
marking pro"a"ility is the highest
red-min-threshold 'integer+ - a*erage #ueue siEe in "ytes. $hen a*erage R%! #ueue siEe
reaches this *alue, packet marking "ecomes possi"le
sfq-allot 'integer= default: %?%*+ - amount of "ytes that a su"#ueue is allowed to send
"efore the ne,t su"#ueue gets a turn 'amount of "ytes which can "e sent from a su"#ueue
in a single round-ro"in turn+
sfq-pertur# 'integer= default: ?+ - time in seconds. Specifies how often to change S/H:s
hashing algorithm
'nter(ace De(ault 9ueues
Su"menu le*el: /queue inter(ace
Description
In order to send packets o*er an interface, they ha*e to "e en#ueued in a #ueue e*en if you
do not want to limit traffic at all. Bere you can specify the #ueue type which will "e used for
transmitting data.
(ote that if other #ueues are applied for a particular packet, then these settings are not
used)
79
interface 'read-only: name= default: name of the interface+ - name of the interface
queue 'name= default: default+ - #ueue type which will "e used for the interface
Exaple
Set the wireless interface to use wireless-default #ueue:
[admin@MikroTik] queue interface> set 0 queue=wireless-default
[admin@MikroTik] queue interface> print
# INTERFACE QUEUE
0 wlan1 wireless-default
[admin@MikroTik] queue interface>
"iple 9ueues
Description
The simpliest way to limit data rate for specific I addresses and.or su"nets, is to use
simple #ueues.
@ou can also use simple #ueues to "uild ad*anced HoS applications. They ha*e useful
integrated features:
eer-to-peer traffic #ueuing
-pplying #ueue rules on chosen time inter*als
riorities
?sing multiple packet marks from /ip firewall mangle
Shaping of "idirectional traffic 'one limit for the total of upload O download+
#urst-limit 'integer.integer+ - ma,imum data rate which can "e reached while the "urst is
acti*e in form of in.out 'target upload.download+
#urst-threshold 'integer.integer+ - used to calculate whether to allow "urst. If the a*erage
data rate o*er the last "urst-time seconds is less than &urst-t$res$old, the actual data rate
may reach &urst-limit. set in form of in.out 'target upload.download+
#urst-time 'integer.integer+ - used to calculate a*erage data rate, in form of in.out 'target
upload.download+
direction 'none "oth upload download+ - traffic flow directions, affected "y this #ueue
none - the #ueue is effecti*ely inacti*e
#oth - the #ueue limits "oth target upload and target download
upload - the #ueue limits only target upload, lea*ing the download rates unlimited
download - the #ueue limits only target download, lea*ing the upload rates unlimited
dst-address 'IP address.netmask+ - destination address to match
dst-netmask 'netmask+ - netmask for dst-address
interface 'text+ - interface, this #ueue applies to 'i.e., the interface the target is connected
to+
limit-at 'integer.integer+ - guaranteed data rate to this #ueue in form of in.out 'target
upload.download+
ma5-limit 'integer.integer+ - data rate which can "e reached if there is enough "andwidth
a*aila"le, in form of in.out 'target upload.download+
name 'text+ - descripti*e name of the #ueue
p'p 'any ; all-p3p ; "it-torrent ; "lu"ster ; direct-connect ; edonkey ; fasttrack ; gnutella ;
soulseek ; winm,+ - which type of 3 traffic to match
all-p'p - match all 3 traffic
any - match any packet 'i.e., do not check this property+
80
packet-marks 'name= default: $$+ - packet mark to match from "ip firewall mangle.
More packet marks are separated "y a comma '<,<+.
parent 'name+ - name of the parent #ueue in the hierarchy. &an "e only other simple
#ueue
priority 'integer: 1..5+ - priority of the #ueue. 1 is the highest, 5 - the lowest
queue 'name.name= default: default"default+ - name of the #ueue from "queue type in
form of in.out
target-addresses 'IP address.netmask+ - limitation target I addresses 'source
addresses+. To use multiple addresses, separate them with comma
time 'time-time,sat ; fri ; thu ; wed ; tue ; mon ; sunVOW= default: $$+ - limit #ueue effect
to a specified time period
total-#urst-limit 'integer+ - "urst limit for glo&al-total #ueue
total-#urst-threshold 'integer+ - "urst threshold for glo&al-total #ueue
total-#urst-time 'time+ - "urst time for glo&al-total #ueue
total-limit-at 'integer+ - limit-at for glo&al-total #ueue 'limits cumulati*e upload O
download to total-limit-at "ps+
total-ma5-limit 'integer+ - ma,-limit for glo&al-total #ueue 'limits cumulati*e upload O
download to total-max-limit "ps+
total-queue 'name+ - #ueuing discipline to use for glo#al-total #ueue
9ueue 2rees
Su"menu le*el: /queue tree
Description
The #ueue trees should "e used when you want to use sophisticated data rate allocation
"ased on protocols, ports, groups of I addresses, etc. -t first you ha*e to mark packet
flows with a mark under "ip firewall mangle and then use this mark as an identifier for
packet flows in #ueue trees.
#urst-limit 'integer+ - ma,imum data rate which can "e reached while the "urst is acti*e
#urst-threshold 'integer+ - used to calculate whether to allow "urst. If the a*erage data
rate o*er the last "urst-time seconds is less than &urst-t$res$old, the actual data rate may
reach &urst-limit
#urst-time 'time+ - used to calculate a*erage data rate
flow 'text+ - packet flow which is marked in "ip firewall mangle. &urrent #ueue
parameters apply only to packets which are marked with this flow mark
limit-at 'integer+ - guaranteed data rate to this #ueue
ma5-limit 'integer+ - data rate which can "e reached if there is enough "andwidth a*aila"le
name 'text+ - descripti*e name for the #ueue
parent 'text+ - name of the parent #ueue. The top-le*el parents are the a*aila"le interfaces
'actually, main BT8+. Iower le*el parents can "e other #ueues
priority 'integer: 1..5+ - priority of the #ueue. 1 is the highest, 5 - the lowest
queue 'text+ - name of the #ueue type. Types are defined under "queue type. This
parameter applies only to the leaf #ueues in the tree hierarchy
!pplication Exaples
Exaple o( eulating a 6<=>i0ps/?@>i0ps *ine
81
-ssume, we want to emulate a 135Ki"ps download and 4DKi"ps upload line, connecting I
network %&'!%()!!"'*. The network is ser*ed through the Iocal interface of customer:s
router. The "asic network setup is in the following diagram:
To sol*e this situation, we will use simple #ueues.
I addresses on MikroTik router:
0 192.168.0.254/24 192.168.0.0 192.168.0.255 Local
1 10.5.8.104/24 10.5.8.0 10.5.8.255 Public
-nd routes:
[admin@MikroTik] ip route> print
0 ADC 10.5.8.0/24 Public
1 ADC 192.168.0.0/24 Local
2 A S 0.0.0.0/0 r 10.5.8.1 Public
-dd a simple #ueue rule, which will limit the download traffic to 135Ki".s and upload to
4DKi".s for clients on the network %&'!%()!!"'*, ser*ed "y the interface 2ocal:
[admin@MikroTik] queue simple> add name=Limit-Local interface=Local \
\... target-address=192.168.0.0/24 max-limit=65536/131072
[admin@MikroTik] queue simple> print
82
0 name="Limit-Local" target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0
interface=Local parent=none priority=8 queue=default/default
limit-at=0/0 max-limit=65536/131072 total-queue=default
[admin@MikroTik] queue simple>
The ma5-limit parameter cuts down the ma,imum a*aila"le "andwidth. /rom the clients:
point of *iew, the *alue (??0("%0%/' means that they will get ma,imum of 1F16S3"ps
for download and 4>>F4"ps for upload. The target-addresses parameter defines the
target network 'or networks, separated "y a comma+ to which the #ueue rule will "e
applied.
(ow see the traffic load:
[admin@MikroTik] interface> monitor-traffic Local
received-packets-per-second: 7
received-bits-per-second: 68kbps
sent-packets-per-second: 13
sent-bits-per-second: 135kbps
[admin@MikroTik] interface>
ro"a"ly, you want to e,clude the ser*er from "eing limited, if so, add a #ueue for it
without any limitation 'ma5-limit+" which means no limitation+ and mo*e it to the
"eginning of the list:
[admin@MikroTik] queue simple> add name=Server target-addresses=192.168.0.1/32 \
\... interface=Local
1 name="Server" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0
[admin@MikroTik] queue simple> mo 1 0
0 name="Server" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0
[admin@MikroTik] queue simple>
9ueue 2ree Exaple 3ith Masquerading
In the pre*ious e,ample we dedicated 135Ki".s download and 4DKi".s upload traffic for the
local network. In this e,ample we will guarantee 3>4Ki".s download '135Ki".s for the
ser*er, 4DKi".s for the $orkstation and also 4DKi".s for the Iaptop+ and 135Ki".s for
upload '4D.F3.F3Ki".s, respecti*elly+ for local network de*ices. -dditionally, if there is
spare "andwidth, share it among users e#ually. /or e,ample, if we turn off the laptop, share
its 4DKi".s download and F3Ki".s upload to the Ser*er and $orkstation.
$hen using mas#uerading, you ha*e to mark the outgoing connection with new-
connection-mark and take the mark-connection action. $hen it is done, you can mark
all packets which "elong to this connection with the new-packet-mark and use the mark-
packet action.
83
1. -t first, mark the Ser*er:s download and upload traffic. $ith the first rule we will
mark the outgoing connection and with the second one, all packets, which "elong to
this connection:
2. [admin@MikroTik] ip firewall mangle> add src-address=192.168.0.1/32 \
3. \... action=mark-connection new-connection-mark=server-con chain=prerouting
4. [admin@MikroTik] ip firewall mangle> add connection-mark=server-con \
5. \... action=mark-packet new-packet-mark=server chain=prerouting
6. [admin@MikroTik] ip firewall mangle> print
8. 0 chain=prerouting src-address=192.168.0.1 action=mark-connection
9. new-connection-mark=server-con
10.
11. 1 chain=prerouting connection-mark=server-con action=mark-packet
12. new-packet-mark=server
[admin@MikroTik] ip firewall mangle>
1F. The same for Iaptop and $orkstation:
14. [admin@MikroTik] ip firewall mangle> add src-address=192.168.0.2 \
15. \... action=mark-connection new-connection-mark=lap_works-con chain=prerouting
16. [admin@MikroTik] ip firewall mangle> add src-address=192.168.0.3 \
17. \... action=mark-connection new-connection-mark=lap_works-con chain=prerouting
18. [admin@MikroTik] ip firewall mangle> add connection-mark=lap_works-con \
19. \... action=mark-packet new-packet-mark=lap_work chain=prerouting
20. [admin@MikroTik] ip firewall mangle> print
23. new-connection-mark=server-con
24.
25. 1 chain=prerouting connection-mark=server-con action=mark-packet
26. new-packet-mark=server
27.
29. new-connection-mark=lap_works-con
30.
32. new-connection-mark=lap_works-con
84
33.
34. 4 chain=prerouting connection-mark=lap_works-con action=mark-packet
35. new-packet-mark=lap_work
[admin@MikroTik] ip firewall mangle>
-s you can see, we marked connections that "elong for Iaptop and $orkstation with
the same flow.
F4. In "queue tree add rules that will limit Ser*er:s download and upload:
37. [admin@MikroTik] queue tree> add name=Server-Download parent=Local \
38. \... limit-at=131072 packet-mark=server max-limit=262144
39. [admin@MikroTik] queue tree> add name=Server-Upload parent=Public \
40. \... limit-at=65536 packet-mark=server max-limit=131072
41. [admin@MikroTik] queue tree> print
42. Flags: X - disabled, I - invalid
43. 0 name="Server-Download" parent=Local packet-mark=server limit-at=131072
44. queue=default priority=8 max-limit=262144 burst-limit=0
45. burst-threshold=0 burst-time=0s
46.
47. 1 name="Server-Upload" parent=Public packet-mark=server limit-at=65536
48. queue=default priority=8 max-limit=131072 burst-limit=0
49. burst-threshold=0 burst-time=0s
-nd similar config for Iaptop and $orkstation:
[admin@MikroTik] queue tree> add name=Laptop-Wkst-Down parent=Local \
\... packet-mark=lap_work limit-at=65535 max-limit=262144
[admin@MikroTik] queue tree> add name=Laptop-Wkst-Up parent=Public \
\... packet-mark=lap_work limit-at=32768 max-limit=131072
[admin@MikroTik] queue tree> print
0 name="Server-Download" parent=Local packet-mark=server limit-at=131072
1 name="Server-Upload" parent=Public packet-mark=server limit-at=65536
2 name="Laptop-Wkst-Down" parent=Local packet-mark=lap_work limit-at=65535
3 name="Laptop-Wkst-Up" parent=Public packet-mark=lap_work limit-at=32768
Equal 0and#idth sharing aong users
This e,ample shows how to e#ually share 16Mi"ps download and 3Mi"ps upload among
acti*e users in the network %&'!%()!!"'*. If Jost @ is downloading 3 Mi"ps, Jost F
gets 5 Mi"ps and *ice *ersa. There might "e situations when "oth hosts want to use
ma,imum "andwidth '16 Mi"ps+, then they will recei*e > Mi"ps each, the same goes for
upload. This setup is also *alid for more than 3 users.
85
-t first, mark all traffic, coming from local network %&'!%()!!"'* with a mark users:
/ip firewall mangle add chain=forward src-address=192.168.0.0/24 \
action=mark-connection new-connection-mark=users-con
/ip firewall mangle add connection-mark=users-con action=mark-packet \
new-packet-mark=users chain=forward
(ow we will add 3 new &H types. The first, called pcq-download will group all traffic "y
destination address. -s we will attach this #ueue type to the 2ocal interface, it will create a
dynamic #ueue for each destination address 'user+ which is downloading to the network
%&'!%()!!"'*. The second type, called pcq-upload will group the traffic "y source
address. $e will attach this #ueue to the Pu#lic interface so it will make one dynamic
#ueue for each user who is uploading to Internet from the local network %&'!%()!!"'*.
/queue type add name=pcq-download kind=pcq pcq-classifier=dst-address
/queue type add name=pcq-upload kind=pcq pcq-classifier=src-address
/inally, make a #ueue tree for download traffic:
/queue tree add name=Download parent=Local max-limit=10240000
/queue tree add parent=Download queue=pcq-download packet-mark=users
-nd for upload traffic:
/queue tree add name=U
Scripting Host and Copleentar! "ools
86
Network Monitor
Document revision: 1 (T'u (ct 2# 11:43:46 GMT 200)
Applies to: V2.9
&eneral 'n(oration
"uary
The (etwatch tool monitors network host "y means of ping and generates e*ents on status
change.
"peci(ications
Su"menu le*el: /tool net#atch
Related Docuents
Scripting Bost
Net#or, 3atching 2ool
"peci(ications
ackages re#uired: ad%anced-tools
Su"menu le*el: /tool net#atch
Standards and Technologies: none
Description
(etwatch monitors state of hosts on the network. It does so "y sending I&M pings to the
list of specified I addresses. /or each entry in netwatch ta"le you can specify I address,
ping inter*al and console scripts. The main ad*antage of netwatch is it:s a"ility to issue
ar"itrary console commands on host state changes.
down-script 'name+ - a console script that is e,ecuted once when state of a host changes
from unknown or up to down
host 'IP address= default: !!!+ - I address of host that should "e monitored
87
inter4al 'time= default: %s+ - the time "etween pings. Iowering this will make state
changes more responsi*e, "ut can create unnecessary traffic and consume system
resources
since 'read-only: time+ - indicates when state of the host changed last time
status 'read-only: up ; down ; unknown+ - shows the current status of the host
up - the host is up
down - the host is down
unknown - after any properties of this list entry were changed, or the item is ena"led or disa"led
timeout 'time= default: %s+ - timeout for each ping. If no reply from a host is recei*ed
during this time, the host is considered unreacha"le 'down+
up-script 'name+ - a console script that is e,ecuted once when state of a host changes
from unknown or down to up
Exaple
This e,ample will run the scripts gwA1 or gwA3 which change the default gateway
depending on the status of one of the gateways:
[admin@MikroTik] system script> add name=gw_1 source={/ip route set
{... [/ip route find dst 0.0.0.0] gateway 10.0.0.1}
[admin@MikroTik] system script> add name=gw_2 source={/ip route set
{.. [/ip route find dst 0.0.0.0] gateway 10.0.0.217}
[admin@MikroTik] system script> /tool netwatch
[admin@MikroTik] tool netwatch> add host=10.0.0.217 interval=10s timeout=998ms \
\... up-script=gw_2 down-script=gw_1
[admin@MikroTik] tool netwatch> print
Flags: X - disabled
# HOST TIMEOUT INTERVAL STATUS
0 10.0.0.217 997ms 10s up
[admin@MikroTik] tool netwatch> print detail
Flags: X - disabled
0 host=10.0.0.217 timeout=997ms interval=10s since=feb/27/2003 14:01:03
status=up up-script=gw_2 down-script=gw_1
[admin@MikroTik] tool netwatch>
$ithout scripts, netwatch can "e used 7ust as an information tool to see which links are up,
or which specific hosts are running at the moment.
Iet:s look at the e,ample a"o*e - it changes default route if gateway "ecomes unreacha"le.
Bow it:s done[ There are two scripts. The script <gwA3< is e,ecuted once when status of
host changes to up. In our case, it:s e#ui*alent to entering this console command:
[admin@MikroTik] > /ip route set [/ip route find dst 0.0.0.0] gateway 10.0.0.217
The "ip route find dst !!! command returns list of all routes whose dst-address
*alue is !!!. ?sually, that is the default route. It is su"stituted as first argument to "ip
route set command, which changes gateway of this route to 16.6.6.31S
The script <gwA1< is e,ecuted once when status of host "ecomes down. It does the
following:
[admin@MikroTik] > /ip route set [/ip route find dst 0.0.0.0] gateway 10.0.0.1
It changes the default gateway if 16.6.6.31S address has "ecome unreacha"le.
Bere is another e,ample, that sends e-mail notification whene*er the 16.6.6.31> host goes
down:
[admin@MikroTik] system script> add name=e-down source={/tool e-mail send
88
{... from="rieks@mt.lv" server="159.148.147.198" body="Router down"
{... subject="Router at second floor is down" to="rieks@latnet.lv"}
[admin@MikroTik] system script> add name=e-up source={/tool e-mail send
{... from="rieks@mt.lv" server="159.148.147.198" body="Router up"
{.. subject="Router at second floor is up" to="rieks@latnet.lv"}
[admin@MikroTik] system script>
[admin@MikroTik] system script> /tool netwatch
[admin@MikroTik] system netwatch> add host=10.0.0.215 timeout=999ms \
\... interval=20s up-script=e-up down-script=e-down
[admin@MikroTik] tool netwatch> print detail
Flags: X - disabled
0 host=10.0.0.215 timeout=998ms interval=20s since=feb/27/2003 14:15:36
status=up up-script=e-up down-script=e-down
[admin@MikroTik] tool netwatch>
1erial Port Monitor
Document revision: 1 (Mon &u) 11 10:1#:0! GMT 200)
Applies to: V2.9
&eneral 'n(oration
"uary
Serial port monitoring utility monitors state of attached asynchronous serial ports and
generates system e*ents upon state change.
"peci(ications
Su"menu le*el: /tool sig#atch
Related Docuents
Scripting Bost
"ig#atch
Description
Sigwatch monitors state of the serial port pins.
count 'read-only: integer+ - how many times the e*ent for this item was triggered. &ount is
reset on re"oot and on most item configuration changes
89
log 'yes ; no= default: no+ - whether to add a message in form of name-of-sigwatc$-item:
signal c$anged -to $ig$ . to low/ to System-Info facility whene*er this sigwatch item is
triggered
name 'name+ - name of the sigwatch item
on-condition 'on ; off ; change= default: on+ - on what condition to trigger action of this
item
on - trigger when state of pin changes to high
off - trigger when state of pin changes to low
change - trigger whene*er state of pin changes. If state of pin changes rapidly, there might "e triggered
only one action for se*eral state changes
port 'name+ - serial port name to monitor
script 'name+ - script to e,ecute when this item is trigered
signal 'dtr ; rts ; cts ; dcd ; ri ; dsr= default: rts+ - name of signal of num"er of pin 'for
standard 2-pin connector+ to monitor
dtr - !ata Terminal Ready 'pin RD+
rts - Re#uest To Send 'pin RS+
cts - &lear To Send 'pin R5+
dcd - !ata &arrier !etect 'pin R1+
ri - Ring Indicator 'pin R2+
dsr - !ata Set Ready 'pin R4+
state 'read-only: text+ - last remem"ered state of monitored signal
Notes
@ou can type actual script source instead of the script name from "system script list.
Exaple
In the following e,ample we will add a new sigwatch item that monitors whether the port
serial% has cts signal.
[admin@10.179] tool sigwatch> pr
Flags: X - disabled
# NAME PORT SIGNAL ON-CONDITION LOG
0 test serial1 cts change no
[admin@MikroTik] tool sigwatch>
8y typing a command print detail inter4al+%s, we can check whether a ca"le is
connected or it is not. See the state argument - if the ca"le is connected to the serial port,
it shows on, otherwise it will "e off.
[admin@MikroTik] tool sigwatch> print detail
Flags: X - disabled
0 name="test" port=serial1 signal=cts on-condition=change log=no script=""
count=1 state=on
Flags: X - disabled
count=1 state=on
Flags: X - disabled
count=2 state=off
Flags: X - disabled
count=2 state=off
[admin@MikroTik] tool sigwatch>
90
In the port menu you can see what signal is used "y serial ca"le. /or e,ample, without any
ca"les it looks like this:
[admin@MikroTik] port> print stats
0 name="serial0" line-state=dtr,rts
[admin@MikroTik] port>
8ut after adding a serial ca"le to the serial port:
[admin@MikroTik] port> print stats
1 name="serial1" line-state=dtr,rts,cts
[admin@MikroTik] port>
This means that the line-state "esides the dtr and rts signals has also cts when a serial
ca"le is connected.
The e,ample "elow will e,ecute a script whene*er on-condition changes to off:
[admin@10.MikroTik] tool sigwatch> pr detail
Flags: X - disabled
0 name="cts_rest" port=serial1 signal=cts on-condition=off log=no
script=/system shutdown count=0 state=on
[admin@10.MikroTik] tool sigwatch>
It means that if a serial ca"le is connected to the serial port, all works fine, "ut as soon as it
is disconnected, the router shuts down. It will continue all the time until the serial ca"le will
not "e connected again.
-raffic Monitor
Document revision: 1 (T'u &u) 0# 0!:34:34 GMT 200)
Applies to: V2.9
&eneral 'n(oration
"uary
Traffic monitor e,ecutes scripts on a specific datarate throough an interface.
"peci(ications
Su"menu le*el: /tool tra((ic-onitor
Related Docuents
91
Scripting Bost
2ra((ic Monitor
Su"menu le*el: /tool tra((ic-onitor
Description
The traffic monitor tool is used to e,ecute console scripts when interface traffic crosses a
gi*en threshold. %ach item in traffic monitor list consists of its name 'which is useful if you
want to disa"le or change properties of this item from another script+, some parameters,
specifying traffic condition, and the pointer to a script or scheduled e*ent to e,ecute when
this condition is met.
interface 'name+ - interface to monitor
name 'name+ - name of the traffic monitor item
on-e4ent 'name+ - script source. Must "e present under "system script
threshold 'integer= default: + - traffic threshold
traffic 'transmitted ; recei*ed= default: transmitted+ - type of traffic to monitor
transmitted - transmitted traffic
recei4ed - recei*ed traffic
trigger 'a"o*e ; always ; "elow= default: a#o4e+ - condition on which to e,ecute the script
a#o4e - the script will "e run each time the traffic e,ceeds the threshold
always - triggers scripts on "oth - a#o4e and #elow condition
#elow - triggers script in the opposite condition, when traffic reaches a *alue that is lower than the
threshold
Exaple
In this e,ample the traffic monitor ena"les the interface ether3, if the recei*ed treffic
e,ceeds 1>k"ps on ether1, and disa"les the interface ether3, if the recei*ed traffic falls
"elow 13k"ps on ether1.
[admin@MikroTik] system script> add name=eth-up source={/interface enable ether2}
[admin@MikroTik] system script> add name=eth-down source={/interface disable
{... ether2}
[admin@MikroTik] system script> /tool traffic-monitor
[admin@MikroTik] tool traffic-monitor> add name=turn_on interface=ether1 \
\... on-event=eth-up threshold=15000 trigger=above traffic=received
[admin@MikroTik] tool traffic-monitor> add name=turn_off interface=ether1 \
\... on-event=eth-down threshold=12000 trigger=below traffic=received
[admin@MikroTik] tool traffic-monitor> print
# NAME INTERFACE TRAFFIC TRIGGER THRESHOLD ON-EVENT
0 turn_on ether1 received above 15000 eth-up
1 turn_off ether1 received below 12000 eth-down
[admin@MikroTik] tool traffic-monitor>
1cripting Jost
Document revision: 2.# (T'u Sep 22 13:33: GMT 200)
Applies to: V2.9
92
&eneral 'n(oration
"uary
This manual pro*ides introduction to RouterOS "uilt-in powerful scripting language.
Scripting host pro*ides a way to automate some router maintenance tasks "y means of
e,ecuting user-defined scripts "ounded to some e*ent occurence. - script consists of
configuration commands and e,pressions 'I&% - internal console e,pression+. The
configuration commands are standard RouterOS commands, e.g. /ip firewall filter
add chain=forward protocol=gre action=drop that are descri"ed in the rele*ant
manuals, while e,pressions are prefi,ed with H and are accessi"le from all su"menus.
The e*ents used to trigger script e,ecution include, "ut are not limited to the System
Scheduler, the Traffic Monitoring Tool, and the (etwatch Tool generated e*ents.
"peci(ications
Su"menu le*el: /syste script
Related Docuents
System Scheduler
(etwork Monitor
Traffic Monitor
Serial ort Monitor
Console Coand "yntax
Description
&onsole commands are made of the following parts, listed in the order you type them in
console:
prefi5 - indicates whether the command is an I&%, like H in :put or that the
command path starts from the root menu le*el, like " in
[admin@MikroTik] ip firewall mangle> /ping 10.0.0.1
path - a relati*e path to the desired menu le*el, like !! filter in
[admin@MikroTik] ip firewall mangle> .. filter print
pathMargs - this part is re#uired to select some menu le*els, where the actual path
can *ary across different user inputs, like mylist in
93
[admin@MikroTik] ip firewall mangle> /routeing prefix-list list mylist
action - one of the actions a*aila"le at the specified menu le*el, like add in
[admin@MikroTik] ip firewall mangle> /ip firewall filter add chain=forward
action=drop
unnamed parameter - these are re#uired "y some actions and should "e entered
in fi,ed order after the action name, like in %!!!% in
[admin@MikroTik] ip firewall mangle> /ping 10.0.0.1
name7+4alue8 - a se#uence of parameter names followed "y respecti*e *alues, if
re#uired, like ssid+myssid in
/interface wireless set wlan1 ssid=myssid
Notes
Garia"le su"stitution, command su"stitution and e,pressions are allowed only for
pathMargs and unnamed parameter *alues. prefi5, path, action and name7+4alue8
pairs can "e gi*en only directly, as a word. Therefore, :put (1 + 2) is *alid and :("pu" .
"t") 3 is not.
Exaple
The parts of internal console commands are futher e,plained in the following e,amples:
/ping 10.0.0.1 count=5
pre#i$ %
action ping
&nnaed paraeter 10.0.0.1
nae'()al&e* co&nt(5
.. ip firewall rule input
pat+ .. ip #ire,all r&le
pat+-args inp&t
:for i from=1 to=10 do={:put $i}
pre#i$ :
action #or
&nnaed paraeter i
pnae'()al&e* #ro(1 to(10 do(.:p&t /i0
/interface monitor-traffic ether1,ether2,ipip1
pre#i$ %
pat+ inter#ace
94
action onitor1tra##ic
&nnaed paraeter et+er12et+er22ipip1
Expression &rouping
Description
This feature pro*ides an easy way to e,ecute commands from within one command le*el,
"y enclosing them in "races :V W:.
Notes
Su"se#uent script commands are e,ecuted from the same menu le*el as the entire script.
&onsider the following e,ample:
[admin@MikroTik] ip route> /user {
{... /ip route
{... print}
Flags: X - disabled
# NAME GROUP ADDRESS
0 ;;; system default user
admin full
0.0.0.0/0
1 uuu full
0.0.0.0/0
-lthough the current command le*el is changed to "ip route, it has no effect on ne,t
commands entered from prompt, therefore print command is still considered to "e "user
print.
Exaple
The e,ample "elow demonstrates how to add two users to the user menu.
[admin@MikroTik] ip route> /user {
{... add name=x password=y group=write
{... add name=y password=z group=read
{... print}
Flags: X - disabled
# NAME GROUP ADDRESS
0 ;;; system default user
admin full 0.0.0.0/0
1 x write 0.0.0.0/0
2 y read 0.0.0.0/0
)aria0les
Description
RouterOS scripting language suports two types of *aria"les, which are glo"al 'system wide+
and local 'accessi"le only within the current script+, respecti*ely. - *aria"le can "e
referenced "y :\: 'dollar+ sign followed "y the name of the *aria"le with the e,ception of set
and unset commands that take *aria"le name without preceding dollar sign. Garia"le
95
names should "e composed of contain letters, digits and :-: character. - *aria"le must "e
declared prior to using it in scripts. There are four types of declaration a*aila"le:
glo#al - defined "y glo#al keyword, glo"al *aria"les can "e accessed "y all scripts
and console logins on the same router. Bowe*er, glo"al *aria"les are not kept across
re"oots.
local - defined "y local keyword, local *aria"les are not shared with any other
script, other instance of the same script or other console logins. The *alue of local
*aria"le *alue is lost when script finishes.
loop inde5 4aria#les - defined within for and foreach statements, these *aria"les
are used only in do "lock of commands and are remo*ed after command completes.
monitor 4aria#les - some monitor commands that ha*e do part can also introduce
*aria"les. @ou can o"tain a list of a*aila"le *aria"les "y placing Hen4ironment print
statement inside the do "lock of commands.
@ou can assign a new *alue to *aria"le using set action. It takes two unnamed parameters:
the name of the *aria"le and the new *alue of the *aria"le. If a *aria"le is no longer
needed, it:s name can "e freed "y Hunset command. If you free local *aria"le, it:s *alue is
lost. If you free glo"al *aria"le, it:s *alue is still kept in router, it 7ust "ecomes inaccessi"le
from current script.
Notes
Ioop *aria"les <shadows< already introduced *aria"les with the same name.
Exaple
[admin@MikroTik] ip route> /
[admin@MikroTik] > :global g1 "this is global variable"
[admin@MikroTik] > :put $g1
this is global variable
[admin@MikroTik] >
Coand "u0stitution and Return )alues
Description
Some console commands are most useful if their output can "e feed to other commands as
an argument *alue. In RouterOS console this is done "y using the return *alues from
commands. Return *alues are not displayed on the screen. To get the return *alue from a
command, it should "e enclosed in s#uare "rackets :T U:. ?pon e,ecution the return *alue of
the the command will "ecome the *alue of these "rackets. This is called command
su"stitution.
The commands that produce return *alues are, "ut not limited to: find, which returns a
reference to a particular item, ping, which returns the num"er of sucessful pings, time,
which returns the measured time *alue, incr and decr, which return the new *alue of a
*aria"le, and add, which returns the internal num"er of newly created item.
Exaple
&onsider the usage of find command:
[admin@MikroTik] > /interface
[admin@MikroTik] interface> find type=ether
96
[admin@MikroTik] interface> :put [find type=ether]
*1,*2
This way you can see internal console num"ers of items. (aturally, you can use them as
arguments in other commands:
[admin@MikroTik] interface> enable [find type=ether]
1perators
Description
RouterOS console can do simple calculations with num"ers, time *alues, I addresses,
strings and lists. To get result from an e,pression with operators, enclose it in parentheses
:': and :+:. The e,pression result ser*es as a return *alue for the parentheses.
Coand Description
- - unary minus. In*erts gi*en num"er *alue.
- - "inary minus. Su"stracts two num"ers, two time *alues, two I addresses or an I
address and a num"er
! - logical NA-. ?nary operator, which in*erts gi*en "oolean *alue
" - di*ision. 8inary operator. !i*ides one num"er "y another 'gi*es num"er+ or a time
*alue "y a num"er 'gi*es time *alue+.
! - concatenation. 8inary operator, concatenates two string or append one list to another or
appends an element to a list.
> - "itwise GAR. The argumens and the result are "oth I addresses
N - "it in*ersion. ?nary operator, which in*erts "its in I address
= - multiplication. 8inary operator, which can multiply two num"ers or a time *alue "y a
num"er.
O - "itwise @NC The argumens and the result are "oth I addresses
OO - logical @NC. 8inary operator. The argumens and the result are "oth logical *alues
: - "inary plus. -dds two num"ers, two time *alues or a num"er and an I address.
P - less. 8inary operator which compares two num"ers, two time *alues or two I
addresses. Returns "oolean *alue
PP - left shift. 8inary operator, which shifts I address "y a gi*en amount of "its. The first
argument is an I address, the second is an integer and the result is an I address.
P+ - less or e#ual. 8inary operator which compares two num"ers, two time *alues or two
I addresses. Returns "oolean *alue
Q - greater. 8inary operator which compares two num"ers, two time *alues or two I
addresses. Returns "oolean *alue
Q+ - greater or e#ual. 8inary operator which compares two num"ers, two time *alues or
two I addresses. Returns "oolean *alue
QQ - right shift. 8inary operator, which shifts I address "y a gi*en amount of "its. The first
argument is an I address, the second is an integer and the result is an I address.
R - "itwise AR. The argumens and the result are "oth I addresses
RR - logical AR. 8inary operator. The argumens and the result are "oth logical *alues
Notes
$hen comparing two arrays note, that two arrays are e#ual only if their respecti*e elements
are e#ual.
97
Exaple
Operator priority and e*aluation order
[admin@MikroTik] ip firewall rule forward> :put (10+1-6*2=11-12=2+(-3)=-1)
false
[admin@MikroTik] ip firewall rule forward> :put (10+1-6*2=11-12=(2+(-3)=-1))
true
[admin@MikroTik] ip firewall rule forward
logical (OT
[admin@MikroTik] interface> :put (!true)
false
[admin@MikroTik] interface> :put (!(2>3))
true
unary minus
[admin@MikroTik] interface> :put (-1<0)
true
[admin@MikroTik] >
1
"it in*ersion
[admin@MikroTik] interface> :put (~255.255.0.0)
0.0.255.255
sum
[admin@MikroTik] interface> :put (3ms + 5s)
00:00:05.003
[admin@MikroTik] interface> :put (10.0.0.15 + 0.0.10.0)
cannot add ip address to ip address
[admin@MikroTik] interface> :put (10.0.0.15 + 10)
10.0.0.25
su"traction
[admin@MikroTik] interface> :put (15 - 10)
5
[admin@MikroTik] interface> :put (10.0.0.15 - 10.0.0.3)
12
[admin@MikroTik] interface> :put (10.0.0.15 - 12)
10.0.0.3
[admin@MikroTik] interface> :put (15h - 2s)
14:59:58
multiplication
[admin@MikroTik] interface> :put (12s * 4)
00:00:48
[admin@MikroTik] interface> :put (-5 * -2)
10
di*ision
98
[admin@MikroTik] interface> :put (10s / 3)
00:00:03.333
[admin@MikroTik] interface> :put (5 / 2)
2
[admin@MikroTik] > :put (0:0.10 / 3)
00:00:02
[admin@MikroTik] >
comparison
[admin@MikroTik] interface> :put (10.0.2.3<=2.0.3.10)
false
[admin@MikroTik] interface> :put (100000s>27h)
true
[admin@MikroTik] interface> :put (60s,1d!=1m,3600s)
true
[admin@MikroTik] interface> :put (bridge=routing)
false
[admin@MikroTik] interface> :put (yes=false)
false
[admin@MikroTik] interface> :put (true=aye)
false
logical -(!, logical OR
[admin@MikroTik] interface> :put ((yes && yes) || (yes && no))
true
[admin@MikroTik] interface> :put ((no || no) && (no || yes))
false
"itwise -(!, "itwise OR, "itwise MOR
[admin@MikroTik] interface> :put (10.16.0.134 & ~255.255.255.0)
0.0.0.134
shift operators
[admin@MikroTik] interface> :put (~((0.0.0.1 << 7) - 1))
255.255.255.128
&oncatenation
[admin@MikroTik] interface> :put (1 . 3)
13
[admin@MikroTik] interface> :put (1,2 . 3)
1,2,3
[admin@MikroTik] interface> :put (1 . 3,4)
13,4
[admin@MikroTik] interface> :put (1,2 . 3,4)
1,2,3,4
[admin@MikroTik] interface> :put ((1 . 3) + 1)
14
Data types
Description
99
The RouterOS console differentiates "etween se*eral data types, which are string, "oolean,
num"er, time inter*al, I address, internal num"er and list. The console tries to con*ert any
*alue to the most specific type first, "acking if it fails. The order in which the console
attempts to con*ert an entered *alue is presented "elow:
list
internal num"er
num"er
I address
time
"oolean
string
Internal scripting language supplies special functions to e,plicitly control type con*ersion.
The toarray, to#ool, toid, toip, tonum, tostr and totime functions con*ert a *alue
accordingly to list, #oolean, internal num#er, ,P address, num#er, string or time.
The num"er type is internally represented as 4D "it signed integer, so the *alue a num"er
type *aria"le can take is in range from -233FFS36F45>DSS>565 to 233FFS36F45>DSS>56S.
It is possi"le to input num"er *alue in he,adecimal form, "y prefi,ing it with 5, e.g.:
[admin@MikroTik] > :global MyVar 0x10
[admin@MikroTik] > :put $MyVar
16
[admin@MikroTik] >
Iists are treated as comma separated se#uence of *alues. utting whitespaces around
commas is not recommended, "ecause it might confuse console a"out words: "oundaries.
8oolean *alues can "e either true or false. &onsole also accepts yes for true, and no for
false.
Internal num"ers are preceided = sign.
Time inter*als can "e entered either using BB:MM:SS.MS notation, e.g.:
[admin@MikroTik] > :put 01:12:1.01
01:12:01.010
[admin@MikroTik] >
or as se#uence of num"ers, optionally followed "y letters specifying the units of time
measure 'd dor days, h for hours, m for minutes, s for seconds and ms for milliseconds+,
e.g.:
[admin@MikroTik] > :put 2d11h12
2d11:00:12
[admin@MikroTik] >
-s can "ee seen, time *alues with omitted unit specificators are treated as e,pressed in
seconds.
ossi"le aliases for time units:
d, day, days - one day, or 3D hours
h, hour, hours - one hour
m, min - one minute
s - one second
100
ms - one millisecond, id est 6.661 second
The console also accepts time *alues with decimal point:
[admin@MikroTik] > :put 0.1day1.2s
02:24:01.200
[admin@MikroTik] >
Coand Re(erence
Description
RouterOS has a num"er of "uilt-in console commands and e,pressions 'I&%+ that do not
depend on the current menu le*el. These commands do not change configuration directly,
"ut they are useful for automating *arious maintenance tasks. The full I&% list can "e
accessed "y typing :[: after the ::: prefi, 'therefore it can "e safely assumed that all I&%
ha*e ::: prefi,+, for e,ample:
[admin@MikroTik] > :
beep execute global list pick time toip typeof
delay find if local put toarray tonum while
do for led log resolve tobool tostr
environment foreach len nothing set toid totime
[admin@MikroTik] >
Coand Description
#eep - forces the "uilt-in & "eeper to produce a signal for length seconds at frequency
BE.
,nput Parameters
frequency 'integer= default: %+ - signal fre#uency measured in BE
length 'time= default: %ms+ - signal length
[admin@MikroTik] > :beep length=2s frequency=10000
[admin@MikroTik] >
delay - does nothing for a gi*en amount of time.
,nput Parameters
delay-time 'time+ - amount of time to wait
P omitted - delay fore*er
do - e,ecutes commands repeatedly until gi*en conditions are met. If no parameters are
gi*en, do 7ust e,ecutes its payload once, which does not make much use. If a logical
condition is specified for the while parameter, it will "e e*aluated after e,ecuting
commands, and in case it is true, do statement is e,ecuted again and again until false. The
if parameter, if present, is e*aluated only once "efore doing anything else, and if it is false
then no action is taken
,nput Parameters
unnamed 'text+ - actions to e,ecute repeatedly
while 'yes ; no+ - condition, which is e*aluated each time after the e,ecution of enclosed statements
if 'yes ; no+ - condition, which is e*aluated once "efore the e,ecution of enclosed statements
[admin@MikroTik] > {:global i 10; :do {:put $i; :set i ($i - 1);} \
\... while (($i < 11) && ($i > 0)); :unset i;}
10
9
8
7
6
5
4
3
2
1
101
[admin@MikroTik] >
en4ironment print - prints information a"out *aria"les that are currently initialised. -ll
glo"al *aria"les in the system are listed under the heading .lo#al 9aria#les. -ll *aria"les
that are introduced in the current script '*aria"les introduced "y Hlocal or created "y Hfor or
Hforeach statements+ are listed under the heading 2ocal 9aria#les!
&reating *aria"les and displaying a list of them
[admin@MikroTik] > :local A "This is a local variable"
[admin@MikroTik] > :global B "This is a global one"
[admin@MikroTik] > :environment print
Global Variables
B=This is a global one
Local Variables
A=This is a local variable
[admin@MikroTik] >
find - searches for su"string inside a string or for an element with particular *alue inside an
array, depending on argument types and returns position at which the *alue is found. The
elements in list and characters in string are num"ered from 6 upwards
,nput Parameters
unnamed'text ; list+ - the string or *alue list the search will "e performed in
unnamed'text+ - *alue to "e searched for
unnamed'integer+ - position after which the search is started
[admin@MikroTik] interface pppoe-server> :put [:find "13sdf1sdfss1sfsdf324333" ]
0
[admin@MikroTik] interface pppoe-server> :put [:find "13sdf1sdfss1sfsdf324333" 3 ]
1
[admin@MikroTik] interface pppoe-server> :put [:find "13sdf1sdfss1sfsdf324333" 3 3]
17
[admin@MikroTik] interface pppoe-server> :put [:find
"1,1,1,2,3,3,4,5,6,7,8,9,0,1,2,3" 3 ]
4
"1,1,1,2,3,3,4,5,6,7,8,9,0,1,2,3" 3 3]
4
"1,1,1,2,3,3,4,5,6,7,8,9,0,1,2,3" 3 4]
5
"1,1,1,2,3,3,4,5,6,7,8,9,0,1,2,3" 3 5]
15
[admin@MikroTik]
for - e,ecutes supplied commands o*er a gi*en num"er of iterations, which is e,plicity set
through from and to parameters
,nput Parameters
unnamed 'name+ - the name of the loop counter *aria"le
from 'integer+ - start *alue of the loop counter *aria"le
to 'integer+ - end *alue of the loop counter *aria"le
step 'integer= default: %+ - increment *alue. !epending on the loop counter *aria"le start and end *alues,
step parameter can "e treated also as decrement
do 'text+ - contains the command to "e e,ecuted repeatedly
[admin@MikroTik] > :for i from=1 to=100 step=37 do={:put ($i . " - " . 1000/$i)}
1 - 1000
38 - 26
75 - 13
[admin@MikroTik] >
foreach - e,ecutes supplied commands for each element in list
,nput Parameters
unnamed 'name+ - the name of the loop counter *aria"le
in 'list+ - list of *alues o*er which to iterate
do 'text+ - contains the command to "e e,ecuted repeatedly
rinting a list of a*aila"le interfaces with their respecti*e I addresses
:foreach i in=[/interface find type=ether ] \
\... do={:put ("+--" . [/interface get $i name]); \
\... :foreach j in=[/ip address find interface=$i]
\... do={:put ("| `--" . [/ip address get $j address])}}
+--ether1
| `--1.1.1.3/24
| `--192.168.50.1/24
102
| `--10.0.0.2/24
+--ether2
| `--10.10.0.2/24
[admin@MikroTik] >
glo#al - declares glo"al *aria"le
,nput Parameters
unnamed'name+ - name of the *aria"le
unnamed'text+ - *alue, which should "e assigned to the *aria"le
[admin@MikroTik] > :global MyString "This is a string"
[admin@MikroTik] > :global IPAddr 10.0.0.1
[admin@MikroTik] > :global time 0:10
Global Variables
IPAddr=10.0.0.1
time=00:10:00
MyString=This is a string
Local Variables
[admin@MikroTik] >
if - conditional statement. If a gi*en logical condition e*aluates to true then the do "lock of
commands is e,ecuted. Otherwice an optional else "lock is e,ecuted.
,nput Parameters
unnamed'yes ; no+ - logical condition, which is e*aluated once "efore the e,ecution of enclosed statements
do'text+ - this "lock of commands is e,ecuted if the logical condition e*aluates to true
else'text+ - this "lock of commands is e,ecuted if the logical condition e*aluates to false
&heck if the firewall has any rules added
[admin@MikroTik] > :if ([:len [/ip firewall filter find]] > 0) do={:put true}
else={:put false}
true
[admin@MikroTik] >
&heck whether the gateway is reacha"le. In this e,ample, the I address of the gateway is
%!!!'?*
[admin@MikroTik] > :if ([/ping 10.0.0.254 count=1] = 0) do {:put "gateway
unreachable"}
10.0.0.254 ping timeout
1 packets transmitted, 0 packets received, 100% packet loss
gateway unreachable
[admin@MikroTik] >
led - allows to control the I%!s 'Iight %mitting !iodes+ of the Router8O-R! 366 series
em"edded "oards. This command is a*aila"le only on Router8oard 366 platform with the
router#oard package installed
,nput Parameters
led%'yes ; no+ - controls first I%!
led''yes ; no+ - controls second I%!
led0'yes ; no+ - controls third I%!
led*'yes ; no+ - controls fourth I%!
length'time+ - specifies the length of the action
P omitted - altar I%! state fore*er
Switch on I%!s 3 and F for > seconds
[admin@MikroTik] > :led led2=yes led3=yes length=5s
len - returns the num"er of characters in string or the num"er of elements in list depending
on the type of the argument
,nput Parameters
unnamed'name+ - string or list the length of which should "e returned
[admin@MikroTik] > :put [:len gvejimezyfopmekun]
17
[admin@MikroTik] > :put [:len gve,jim,ezy,fop,mek,un]
6
[admin@MikroTik] >
list - displays a list of all a*aila"le console commands that match gi*en search key's+
,nput Parameters
unnamed'text+ - first search key
unnamed'text+ - second search key
unnamed'text+ - third search key
!isplay console commands that ha*e hotspot, add and user parts in the command:s name and path
[admin@MikroTik] > :list user hotspot "add "
List of console commands under "/" matching "user" and "hotspot" and "add ":
103
ip hotspot profile add name= hotspot-address= dns-name= \
\... html-directory= rate-limit= http-proxy= smtp-server= \
\... login-by= http-cookie-lifetime= ssl-certificate= split-user-domain= \
\... use-radius= radius-accounting= radius-interim-update= copy-from=
ip hotspot user add server= name= password= address= mac-address= \
\... profile= routes= limit-uptime= limit-bytes-in= limit-bytes-out= \
\... copy-from= comment= disabled=
ip hotspot user profile add name= address-pool= session-timeout= \
\... idle-timeout= keepalive-timeout= status-autorefresh= \
\... shared-users= rate-limit= incoming-filter= outgoing-filter= \
\... incoming-mark= outgoing-mark= open-status-page= on-login= on-logout= copy-from=
[admin@MikroTik] >
local - declares local *aria"le
,nput Parameters
unnamed'name+ - name of the *aria"le
unnamed'text+ - *alue, which should "e assigned to the *aria"le
[admin@MikroTik] > :local MyString "This is a string"
[admin@MikroTik] > :local IPAddr 10.0.0.1
[admin@MikroTik] > :local time 0:10
Global Variables
Local Variables
IPAddr=10.0.0.1
time=00:10:00
MyString=This is a string
[admin@MikroTik] >
log - adds a message specified "y message parameter to the system logs.
,nput Parameters
unnamed'name+ - name of the logging facility to send message to
unnamed'text+ - the te,t of the message to "e logged
Send message to info log
[admin@MikroTik] > :log info "Very Good thing happened. We have received our first
packet!"
[admin@MikroTik] > /log print follow
...
19:57:46 script,info Very Good thing happened. We have received our first packet!
...
nothing - has no action, and returns *alue of type <nothing<. In conditions nothing "eha*es
as <false<
ick a sym"ol that does not e,ist from a string
[admin@MikroTik] > :local string qwerty
[admin@MikroTik] > :if ([:pick $string 10]=[:nothing]) do={
{... :put "pick and nothing commands return the same value"}
pick and nothing commands return the same value
[admin@MikroTik] >
pick - returns a range of elements or a su"string depending on the type of input *alue
,nput Parameters
unnamed'text ; list+ - the string or *alue list from which a su"string or a su"range should "e returned
unnamed'integer+ - start position of su"string or su"range
unnamed'integer+ - end position for su"string or su"range
[admin@MikroTik] > :set a 1,2,3,4,5,6,7,8
[admin@MikroTik] > :put [:len $a]
8
[admin@MikroTik] > :put [:pick $a]
1
[admin@MikroTik] > :put [:pick $a 0 4]
1,2,3,4
3,4
[admin@MikroTik] > :put [:pick $a 2]
3
6,7,8
[admin@MikroTik] > :set a abcdefghij
[admin@MikroTik] > :put [:len $a]
10
[admin@MikroTik] > :put [:pick $a]
a
104
abcd
cd
[admin@MikroTik] > :put [:pick $a 2]
c
fghij
put - echoes supplied argument to the console
,nput Parameters
unnamed'text+ - the te,t to "e echoed to the console
!isplay the MT? of ether% interface
[admin@MikroTik] > :put [/interface get ether1 mtu]
1500
[admin@MikroTik] >
resol4e - returns I address of the host resol*ed from the !(S name. The !(S settings
should "e configured on the router '"ip dns su"menu+ prior to using this command.
,nput Parameters
unnamed'text+ - domain name to "e resol*ed into an I address
!(S configuration and resol4e command e,ample
[admin@MikroTik] ip route> /ip dns set primary-dns=159.148.60.2
[admin@MikroTik] ip route> :put [:resolve www.example.com]
192.0.34.166
set - assigns new *alue to a *aria"le
,nput Parameters
unnamed'name+ - the name of the *aria"le
unnamed'text+ - the new *alue of the *aria"le
Measuring time needed to resol*e www.e,ample.com
[admin@MikroTik] > :put [:time [:resolve www.example.com ]]
00:00:00.006
[admin@MikroTik] >
time - measures the amount of time needed to e,ecute gi*en console commands
,nput Parameters
unnamed'text+ - the console commands to measure e,ecution time of
Measuring time needed to resol*e www.e,ample.com
[admin@MikroTik] > :put [:time [:resolve www.example.com ]]
00:00:00.006
[admin@MikroTik] >
while - e,ecutes gi*en console commands repeatedly while the logical conditions is true
,nput Parameters
unnamed'yes ; no+ - condition, which is e*aluated each time "efore the e,ecution of enclosed statements
do'text+ - console commands that should "e e,ecuted repeatedly
[admin@MikroTik] > :set i 0; :while ($i < 10) do={:put $i; :set i ($i + 1)};
0
1
2
3
4
5
6
7
8
9
[admin@MikroTik] >
"pecial Coands
Description
Monitor
It is possi"le to access *alues that are shown "y most monitor actions from scripts. -
monitor command that has a do parameter can "e supplied either script name 'see
"system scripts+, or console commands to e,ecute.
105
&et
Most print commands produce *alues that are accessi"le from scripts. Such print
commands ha*e a corresponding get command on the same menu le*el. The get command
accepts one parameter when working with regular *alues or two parameters when working
with lists.
Notes
Monitor command with do argument can also "e called directly from scripts. It will not print
anything then, 7ust e,ecute the gi*en script.
The names of the properties that can "e accessed "y get are the same as shown "y print
command, plus names of item flags 'like the disa"led in the e,ample "elow+. @ou can use TT
a"U key completions to see what properties any particular get action can return.
Exaple
In the e,ample "elow monitor action will e,ecute gi*en script each time it prints stats on
the screen, and it will assign all printed *alues to local *aria"les with the same name:
[admin@MikroTik] interface> monitor-traffic ether2 once do={:environment print}
received-packets-per-second: 0
received-bits-per-second: 0bps
sent-packets-per-second: 0
sent-bits-per-second: 0bps
Global Variables
i=1
Local Variables
sent-bits-per-second=0
received-packets-per-second=0
received-bits-per-second=0
sent-packets-per-second=0
!dditional $eatures
Description
To include comment in the console script prefi, it with :R:. In a line of script that starts with
:R: all characters until the newline character are ignored.
To put multiple commands on a single line separate them with :=:. &onsole treats :=: as the
end of line in scripts.
-ny of the ST78$UVW characters should "e escaped in a re#ular string with :]: character.
&onsole takes any character following :]: literally, without assigning any special meaning to
it, e,cept for such cases:
\a bell (alarm), character code 7
\b backspace, character code 8
\f form feed, character code 12
\n newline, character code 10
\r carriage return, character code 13
\t tabulation, character code 9
\v vertical tabulation, character code 11
\_ space, character code 32
106
Note that :]:, followed "y any amount of whitespace characters 'spaces, newlines, carriage
returns, ta"ulations+, followed "y newline is treated as a single whitespace, e,cept inside
#uotes, where it is treated as nothing. This is used "y console to "reak up long lines in
scripts generated "y e,port commands.
"cript Repository
Su"menu le*el: /syste script
Description
-ll scripts are stored in the "system script menu along with some ser*ice information such
as script name, script owner, num"er of times the script was e,ecuted and permissions for
particular script.
In RouterOS, a script may "e automatically started in three different ways:
*ia the scheduler
on e*ent occurence - for e,ample, the netwatch tool generates an e*ent if a network
host it is configured to monitor "ecomes unaccessi"le
"y another script
It is also possi"le to start a script manually *ia "system script run command.
last-started 'time+ - date and time when the script has "een last in*oked. The argument is
shown only if the run-count)0.
owner 'name= default: admin+ - the name of the user who created the script
policy 'multiple c$oice: ftp ; local ; policy ; read ; re"oot ; ssh ; telnet ; test ; we" ; write=
default: re#oot,read,write,policy,test+ - the list of the policies applica"le:
ftp - user can log on remotely *ia ftp and send and retrie*e files from the router
local - user can log on locally *ia console
policy - manage user policies, add and remo*e user
read - user can retrie*e the configuration
re#oot - user can re"oot the router
ssh - user can log on remotely *ia secure shell
telnet - user can log on remotely *ia telnet
test - user can run ping, traceroute, "andwidth test
we# - user can log on remotely *ia http
write - user can retrie*e and change the configuration
run-count 'integer= default: + - script usage counter. This counter is incremented each
time the script is e,ecuted. The counter will reset after re"oot.
source 'text= default: $$+ - the script source code itself
Coand Description
run 'name+ - e,ecutes a gi*en script
,nput Parameters
unnamed'name+ - the name of the script to e,ecute
Notes
@ou cannot do more in scripts than you are allowed to do "y your current user rights, that
is, you cannot use disa"led policies. /or e,ample, if there is a policy group in "user group
107
which allows you ssh,local,telnet,read,write,policy,test,we# and this group is assigned
to your user name, then you cannot make a script that re"oots the router.
Exaple
The following e,ample is a script for writing message <Bello $orld)< to the info log:
[admin@MikroTik] system script> add name="log-test" source={:log info "Hello World!"}
[admin@MikroTik] system script> run log-test
[admin@MikroTik] system script> print
0 name="log-test" owner="admin"
policy=ftp,reboot,read,write,policy,test,winbox,password last-started=mar/20/2001
22:51:41
run-count=1 source=:log info "Hello World!"
2as, Manageent
Su"menu le*el: /syste script -o0
Description
This facility is used to manage the acti*e or scheduled tasks.
name 'read-only: name+ - the name of the script to "e referenced when in*oking it
owner 'text+ - the name of the user who created the script
source 'read-only: text+ - the script source code itself
Exaple
[admin@MikroTik] system script> job print
# SCRIPT OWNER STARTED
0 DelayeD admin dec/27/2003 11:17:33
@ou can cancel e,ecution of a script "y remo*ing it from the 7o" list
[admin@MikroTik] system script> job remove 0
[admin@MikroTik] system script> job print
"cript Editor
&ommand name: /syste script edit
Description
RouterOS console has a simple full-screen editor for scripts with support for multiline script
writing.
108
>ey0oard "hortcuts
Celete - deletes character at cursor position
Ctrl:h, #ackspase - deletes character "efore cursor. ?nindents line
-a# - indents line
Ctrl:#, 2eft@rrow - mo*es cursor left
Ctrl:f, Right@rrow - mo*es cursor right
Ctrl:p, Bp@rrow - mo*es cursor up
Ctrl:n, Cown@rrow - mo*es cursor down
Ctrl:a, Jome - mo*es cursor to the "eginning of line or script
Ctrl:e, End - mo*es cursor to the end of line or script
Ctrl:y - inserts contents of "uffer at cursor position
Ctrl:k - deletes characters from cursor position to the end of line
Ctrl:u - undoes last action
Ctrl:o - e,its editor accepting changes
Ctrl:5 - e,its editor discarding changes
Coand Description
edit 'name+ - opens the script specified "y the name argument in full-screen editor
Notes
-ll characters that are deleted "y #ackspace, delete or Ctrl:k keys are accumulated in
the "uffer. ressing any other key finishes adding to this "uffer 'Ctrl:y can paste it:s
contents+, and the ne,t delete operation will replace it:s contents. ?ndo doesn:t change
contents of cut "uffer.
Script editor works only on GT163 compati"le terminals 'terminal names <*t163<, <linu,<,
<,term<, <r,*t< are recogniEed as GT163 at the moment+. !elete, "ackspace and cursor
keys might not work with all terminal programs, use :&trl: alternati*es in such cases.
Exaple
The following e,ample shows the script editor window with a sample script open:
This script is used for writing message <hello< and F messages <kuku< to the system log.
3l&g1and13la! 4et,or5 Access
CJCP Client and 1er4er
Document revision: 2.# (Mon *pr 1! 22:24:1! GMT 200)
Applies to: V2.9
&eneral 'n(oration
109
"uary
The !B& '!ynamic Bost &onfiguration rotocol+ is needed for easy distri"ution of I
addresses in a network. The MikroTik RouterOS implementation includes "oth - ser*er and
client parts and is compliant with R/&31F1.
9eneral usage of !B&:
I assignment in I-(, ca"le-modem, and wireless systems
O"taining I settings on ca"le-modem systems
I addresses can "e "ound to M-& addresses using static lease feature.
!B& ser*er can "e used with MikroTik RouterOS BotSpot feature to authenticate and
account !B& clients. See the BotSpot Manual for more information.
9uic, "etup &uide
This e,ample will show you how to setup !B&-Ser*er and !B&-&lient on MikroTik
RouterOS.
Setup of a !B&-Ser*er.
1. &reate an I address pool
/ip pool add name=dhcp-pool ranges=172.16.0.10-172.16.0.20
3. -dd a !B& network which will concern to the network %/'!%(!!"%' and
will distri"ute a gateway with I address %/'!%(!!% to !B& clients:
/ip dhcp-server network add address=172.16.0.0/12 gateway=172.16.0.1
F. /inally, add a !B& ser*er:
/ip dhcp-server add interface=wlan1 address-pool=dhcp-pool
Setup of the !B&-&lient 'which will get a lease from the !B& ser*er, configured
a"o*e+.
1. -dd the !B& client:
2. /ip dhcp-client add interface=wlan1 use-peer-dns=yes \
add-default-route=yes disabled=no
F. &heck whether you ha*e o"tained a lease:
4. [admin@Server] ip dhcp-client> print detail
5. Flags: X - disabled, I - invalid
6. 0 interface=wlan1 add-default-route=yes use-peer-dns=yes
status=bound
7. address=172.16.0.20/12 gateway=172.16.0.1 dhcp-server=192.168.0.1
8. primary-dns=159.148.147.194 expires-after=2d23:58:52
[admin@Server] ip dhcp-client>
"peci(ications
ackages re#uired: dhcp
110
Su"menu le*el: /ip dhcp-client, /ip dhcp-ser%er, /ip dhcp-relay
Standards and Technologies: !B&
Description
The !B& protocol gi*es and allocates I addresses to I clients. !B& is "asically insecure
and should only "e used in trusted networks. !B& ser*er always listens on ?! 4S port,
!B& client - on ?! 45 port. The initial negotiation in*ol*es communication "etween
"roadcast addresses 'on some phases sender will use source address of !!! and.or
destination address of '??!'??!'??!'??+. @ou should "e aware of this when "uilding
firewall.
IS& !ynamic Bost &onfiguration rotocol '!B&+
!B& mini-BO$TO
IS& !B& /-H
D;CP Client "etup
Su"menu le*el: /ip dhcp-client
Description
The MikroTik RouterOS !B& client may "e ena"led on any %thernet-like interface at a
time. The client will accept an address, netmask, default gateway, and two dns ser*er
addresses. The recei*ed I address will "e added to the interface with the respecti*e
netmask. The default gateway will "e added to the routing ta"le as a dynamic entry. Should
the !B& client "e disa"led or not renew an address, the dynamic default route will "e
remo*ed. If there is already a default route installed prior the !B& client o"tains one, the
route o"tained "y the !B& client would "e shown as in*alid.
address 'IP address.netmask+ - I address and netmask, which is assigned to !B& &lient
from the Ser*er
add-default-route 'yes ; no= default: yes+ - whether to add the default route to the
gateway specified "y the !B& ser*er
client-id 'text+ - corresponds to the settings suggested "y the network administrator or
IS. &ommonly it is set to the client:s M-& address, "ut it may as well "e any test string
dhcp-ser4er 'IP address+ - I address of the !B& Ser*er
ena#led 'yes ; no= default: no+ - whether the !B& client is ena"led
e5pires-after 'time+ - time, which is assigned "y the !B& Ser*er, after which the lease
e,pires
gateway 'IP address+ - I address of the gateway which is assigned "y !B& Ser*er
host-name 'text+ - the host name of the client as sent to a !B& ser*er
interface 'name+ - any %thernet-like interface 'this includes wireless and %oI tunnels+ on
which the !B& &lient searches the !B& Ser*er
primary-dns 'IP address+ - I address of the primary !(S ser*er, assigned "y the !B&
Ser*er
secondary-dns 'IP address+ - I address of the secondary !(S ser*er, assigned "y !B&
Ser*er
primary-ntp - I address of the primary (T ser*er, assigned "y the !B& Ser*er
secondary-ntp - I address of the secondary (T ser*er, assigned "y the !B& Ser*er
111
status '"ound ; error ; re"inding... ; renewing... ; re#uesting... ; searching... ; stopped+ -
shows the status of !B& &lient
use-peer-dns 'yes ; no= default: yes+ - whether to accept the !(S settings ad*ertiEed "y
!B& ser*er 'they will "e o**erriden in .ip dns su"menu+
use-peer-ntp 'yes ; no= default: yes+ - whether to accept the (T settings ad*ertiEed "y
!B& ser*er 'they will o*erride the settings put in the "system ntp client su"menu+
Coand Description
release - release current "inding and restart !B& client
renew - renew current leases. If the renew operation was not successful, client tries to
reinitialiEe lease 'i.e. it starts lease re#uest procedure 're"ind+ as if it had not recei*ed an
I address yet+
Notes
If host-name property is not specified, client:s system identity will "e sent in the respecti*e
field of !B& re#uest.
If client-id property is not specified, client:s M-& address will "e sent in the respecti*e field
of !B& re#uest.
If use-peer-dns property is ena"led, the !B& client will unconditionally rewrite the
settings in "ip dns su"menu. In case two or more !(S ser*ers were recei*ed, first two of
them are set as primary and secondary ser*ers respecti*ely. In case one !(S ser*er was
recei*ed, it is put as primary ser*er, and the secondary ser*er is left intact.
Exaple
To add a !B& client on ether% interface:
/ip dhcp-client add interface=ether1 disabled=no
[admin@MikroTik] ip dhcp-client> print detail
0 interface=ether1 add-default-route=no use-peer-dns=no status=bound
address=192.168.25.100/24 dhcp-server=10.10.10.1 expires-after=2d21:25:12
[admin@MikroTik] ip dhcp-client>

D;CP "er%er "etup
Su"menu le*el: /ip dhcp-ser%er
Description
The router supports an indi*idual ser*er for each %thernet-like interface. The MikroTik
RouterOS !B& ser*er supports the "asic functions of gi*ing each re#uesting client an I
address.netmask lease, default gateway, domain name, !(S-ser*er's+ and $I(S-ser*er's+
'for $indows clients+ information 'set up in the !B& networks su"menu+
In order !B& ser*er to work, you must set up also I pools 'do not include the !B&
ser*er:s I address into the pool range+ and !B& networks.
It is also possi"le to hand out leases for !B& clients using the R-!I?S ser*er, here are
listed the parameters for used in R-!I?S ser*er.
112
-ccess-Re#uest:
N@1-,dentifier - router identity
N@1-,P-@ddress - I address of the router itself
N@1-Port - uni#ue session I!
N@1-Port--ype - %thernet
Calling-1tation-,d - client identifier 'acti*e-client-id+
Kramed-,P-@ddress - I address of the client 'acti*e-address+
Called-1tation-,d - name of !B& ser*er
Bser-Name - M-& address of the client 'acti*e-mac-address+
Password - <<
-ccess--ccept:
Kramed-,P-@ddress - I address that will "e assigned to client
Kramed-Pool - ip pool from which to assign ip address to client
Rate-2imit - !atarate limitation for !B& clients. /ormat is: r,-rateT.t,-rateU Tr,-
"urst-rateT.t,-"urst-rateU Tr,-"urst-thresholdT.t,-"urst-thresholdU Tr,-"urst-
timeT.t,-"urst-timeUTpriorityU Tr,-rate-minT.t,-rate-minUUUU. -ll rates should "e
num"ers with optional :k: '1,666s+ or :M: '1,666,666s+. If t,-rate is not specified, r,-
rate is as t,-rate too. Same goes for t,-"urst-rate and t,-"urst-threshold and t,-
"urst-time. If "oth r,-"urst-threshold and t,-"urst-threshold are not specified '"ut
"urst-rate is specified+, r,-rate and t,-rate are used as "urst thresholds. If "oth r,-
"urst-time and t,-"urst-time are not specified, 1s is used as default. riority takes
*alues 1..5, where 1 implies the highest priority, "ut 5 - the lowest. If r,-rate-min
and t,-rate-min are not specified r,-rate and t,-rate *alues are used. The r,-rate-
min and t,-rate-min *alues can not e,ceed r,-rate and t,-rate *alues.
@scend-Cata-Rate - t,.r, data rate limitation if multiple attri"utes are pro*ided,
first limits t, data rate, second - r, data rate. If used together with -scend-Mmit-
Rate, specifies r, rate. 6 if unlimited
@scend-Gmit-Rate - t, data rate limitation. It may "e used to specify t, limit only
instead of sending two se#uental -scend-!ata-Rate attri"utes 'in that case -scend-
!ata-Rate will specify the recei*e rate+. 6 if unlimited
1ession--imeout - ma, lease time 'lease-time+
add-arp 'yes ; no= default: no+ - whether to add dynamic -R entry:
no - either -R mode should "e ena#led on that interface or static -R entries should "e administrati*ely
defined in "ip arp su"menu
address-pool 'name ; static-only= default: static-only+ - I pool, from which to take I
addresses for clients
static-only - allow only the clients that ha*e a static lease 'i.e. no dynamic addresses will "e gi*en to
clients, only the ones added in lease su"menu+
always-#roadcast 'yes ; no= default: no+ - always send replies as "roadcasts
authoritati4e 'after-16sec-delay ; after-3sec-delay ; no ; yes= default: after-'sec-delay+
- whether the !B& ser*er is the only one !B& ser*er for the network
after-%sec-delay - to clients re#uest for an address, dhcp ser*er will wait 16 seconds and if there is
another re#uest from the client after this period of time, then dhcp ser*er will offer the address to the client
or will send !B&(-K, if the re#uested address is not a*aila"le from this ser*er
after-'sec-delay - to clients re#uest for an address, dhcp ser*er will wait 3 seconds and if there is another
re#uest from the client after this period of time, then dhcp ser*er will offer the address to the client or will
send !B&(-K, if the re#uested address is not a*aila"le from this ser*er
no - dhcp ser*er ignores clients re#uests for addresses that are not a*aila"le from this ser*er
yes - to clients re#uest for an address that is not a*aila"le from this ser*er, dhcp ser*er will send negati*e
acknowledgment '!B&(-K+
#ootp-support 'none ; static ; dynamic= default: static+ - support for 8OOT clients
113
none - do not respond to 8OOT re#uests
static - offer only static leases to 8OOT clients
dynamic - offer static and dynamic leases for 8OOT clients
delay-threshold 'time= default: none+ - if secs field in !B& packet is smaller than delay-
t$res$old, then this packet is ignored
none - there is no threshold 'all !B& packets are processed+
interface 'name+ - %thernet-like interface name
lease-time 'time= default: /'h+ - the time that a client may use an address. The client will
try to renew this address after a half of this time and will re#uest a new address after time
limit e,pires
name 'name+ - reference name
ntp-ser4er 'text+ - the !B& client will use these as the default (T ser*ers. Two comma-
separated (T ser*ers can "e specified to "e used "y !B& client as primary and secondary
(T ser*ers
relay 'IP address= default: !!!+ - the I address of the relay this !B& ser*er should
process re#uests from:
!!! - the !B& ser*er will "e used only for direct re#uests from clients 'no !B& really allowed+
'??!'??!'??!'?? - the !B& ser*er should "e used for any incomming re#uest from a !B& relay e,cept
for those, which are processed "y another !B& ser*er that e,ists in the "ip dhcp-ser4er su"menu
src-address 'IP address= default: !!!+ - the address which the !B& client must send
re#uests to in order to renew an I address lease. If there is only one static address on the
!B& ser*er interface and the source-address is left as !!!, then the static address will
"e used. If there are multiple addresses on the interface, an address in the same su"net as
the range of gi*en addresses should "e used
use-radius 'yes ; no= default: no+ - whether to use R-!I?S ser*er for dynamic leases
Notes
If using "oth - ?ni*ersal &lient and !B& Ser*er on the same interface, client will only
recei*e a !B& lease in case it is directly reacha"le "y its M-& address through that
interface 'some wireless "ridges may change client:s M-& address+.
If authoritati4e property is set to yes, the !B& ser*er is sending re7ects for the leases it
cannot "ind or renew. It also may 'although not always+ help to pre*ent the users of the
network to run illicitly their own !B& ser*ers distur"ing the proper way this network
should "e functioning.
If relay property of a !B& ser*er is not set to !!! the !B& ser*er will not respond to
the direct re#uests from clients.
Exaple
To add a !B& ser*er to interface ether%, lending I addresses from dhcp-clients I pool
for 3 hours:
/ip dhcp-server add name=dhcp-office disabled=no address-pool=dhcp-clients \
interface=ether1 lease-time=2h
[admin@MikroTik] ip dhcp-server> print
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 dhcp-office ether1 dhcp-clients 02:00:00
[admin@MikroTik] ip dhcp-server>

"tore *eases on Dis,
Su"menu le*el: /ip dhcp-ser%er con(ig
114
Description
Ieases are always stored on disk on graceful shutdown and re"oot. If on e*ery lease change
it is stored on disk, a lot of disk writes happen. There are no pro"lems if it happens on a
hard dri*e, "ut is *ery "ad on &ompact /lash 'especially, if lease times are *ery short+. To
minimiEe writes on disk, all changes are flushed together e*ery store-leases-disk seconds.
If this time will "e *ery short 'immediately+, then no changes will "e lost e*en in case of
hard re"oots and power losts. 8ut, on &/ there may "e too many writes in case of short
lease times 'as in case of hotspot+. If this time will "e *ery long 'ne*er+, then there will "e
no writes on disk, "ut information a"out acti*e leases may "e lost in case of power loss. In
these cases dhcp ser*er may gi*e out the same ip address to another client, if first one will
not respond to ping re#uests.
store-leases-disk 'time-inter*al ; immediately ; ne*er= default: ?min+ - how fre#uently
lease changes should "e stored on disk
D;CP Net#or,s
Su"menu le*el: /ip dhcp-ser%er net#or,
address 'IP address.netmask+ - the network !B& ser*er's+ will lend addresses from
#oot-file-name 'text+ - 8oot file name
dhcp-option 'text+ - add additional !B& options from /ip d$cp-server option list. @ou
cannot redefine parameters which are already defined in this su"menu:
1u#net-Mask Dcode %E - netmask
Router Dcode 0E - gateway
Comain-1er4er Dcode (E - dns-server
Comain-Name Dcode %?E - domain
NE-F,A1-Name-1er4er - wins-server
dns-ser4er 'text+ - the !B& client will use these as the default !(S ser*ers. Two comma-
separated !(S ser*ers can "e specified to "e used "y !B& client as primary and
secondary !(S ser*ers
domain 'text+ - the !B& client will use this as the :!(S domain: setting for the network
adapter
gateway 'IP address= default: !!!+ - the default gateway to "e used "y !B& clients
netmask 'integer: 6..F3= default: + - the actual network mask to "e used "y !B& client
- netmask from network address is to "e used
ne5t-ser4er 'IP address+ - I address of ne,t ser*er to use in "ootstrap
wins-ser4er 'text+ - the $indows !B& client will use these as the default $I(S ser*ers.
Two comma-separated $I(S ser*ers can "e specified to "e used "y !B& client as primary
and secondary $I(S ser*ers
Notes
The address field uses netmask to specify the range of addresses the gi*en entry is *alid
for. The actual netmask clients will "e using is specified in netmask property.
D;CP "er%er *eases
Su"menu le*el: /ip dhcp-ser%er lease
115
Description
!B& ser*er lease su"menu is used to monitor and manage ser*er:s leases. The issued
leases are showed here as dynamic entries. @ou can also add static leases to issue the
definite client 'determined "y M-& address+ the specified I address.
9enerally, the !B& lease it allocated as follows:
1. an unused lease is in waiting state
3. if a client asks for an I address, the ser*er chooses one
F. if the client will recei*e statically assigned address, the lease "ecomes offered, and
then #ound with the respecti*e lease time
D. if the client will recei*e a dynamic address 'taken from an I address pool+, the
router sends a ping packet and waits for answer for 6.> seconds. !uring this time,
the lease is marked testing
>. in case, the address does not respond, the lease "ecomes offered, and then #ound
with the respecti*e lease time
4. in other case, the lease "ecomes #usy for the lease time 'there is a command to
retest all "usy addresses+, and the client:s re#uest remains unanswered 'the client
will try again shortly+
- client may free the leased address. $hen the dynamic lease is remo*ed, and the allocated
address is returned to the address pool. 8ut the static lease "ecomes #usy until the client
will reac#uire the address.
Note that the I addresses assigned statically are not pro"ed.
acti4e-address 'read-only: IP address+ - actual I address for this lease
acti4e-client-id 'read-only: text+ - actual client-id of the client
acti4e-mac-address 'read-only: M"# address+ - actual M-& address of the client
acti4e-ser4er 'read-only: list+ - actual dhcp ser*er, which ser*es this client
address 'IP address+ - specify ip address 'or ip pool+ for static lease
!!! - use pool from ser*er
agent-circuit-id 'read-only: text+ - circuit I! of !B& relay agent
agent-remote-id 'read-only: text+ - Remote I!, set "y !B& relay agent
#lock-access 'yes ; no= default: no+ - "lock access for this client 'drop packets from this
client+
client-id 'text= default: $$+ - if specified, must match !B& :client identifier: option of the
re#uest
e5pires-after 'read-only: time+ - time until lease e,pires
host-name 'read-only: text+ - shows host name option from last recei*ed !B& re#uest
lease-time 'time= default: s+ - time that the client may use an address
s - lease will ne*er e,pire
mac-address 'M"# address= default: HHHHH+ - if specified, must match M-&
address of the client
radius 'read-only: yes ; no+ - shows, whether this dynamic lease is authenticated "y
R-!I?S or not
rate-limit 'read-only: text= default: $$+ - sets rate limit for acti*e lease. /ormat is: r,-
rateT.t,-rateU Tr,-"urst-rateT.t,-"urst-rateU Tr,-"urst-thresholdT.t,-"urst-thresholdU Tr,-
"urst-timeT.t,-"urst-timeUUUU. -ll rates should "e num"ers with optional :k: '1,666s+ or :M:
'1,666,666s+. If t,-rate is not specified, r,-rate is as t,-rate too. Same goes for t,-"urst-
rate and t,-"urst-threshold and t,-"urst-time. If "oth r,-"urst-threshold and t,-"urst-
threshold are not specified '"ut "urst-rate is specified+, r,-rate and t,-rate is used as "urst
thresholds. If "oth r,-"urst-time and t,-"urst-time are not specified, 1s is used as default.
116
r5-rate 'integer= default: + - ma,imal recei*e "itrate to the client 'for users it is upload
"itrate++
- no limitation
ser4er 'read-only: name+ - ser*er name which ser*es this client
status 'read-only: waiting ; testing ; authoriEing ; "usy ; offered ; "ound+ - lease status:
waiting - not used static lease
testing - testing whether this address is used or not 'only for dynamic leases+ "y pinging it with timeout of
6.>s
authori6ing - waiting for response from radius ser*er
#usy - this address is assigned statically to a client or already e,ists in the network, so it can not "e leased
offered - ser*er has offered this lease to a client, "ut did not recei*e confirmation from the client
#ound - ser*er has recei*ed client:s confirmation that it accepts offered address, it is using it now and will
free the address not later, than the lease time will "e o*er
t5-rate 'integer= default: + - ma,imal transmit "itrate to the client 'for users it is
download "itrate++
- no limitation
Coand Description
check-status - &heck status of a gi*en "usy dynamic lease, and free it in case of no
response
make-static - con*ert a dynamic lease to static one
Notes
If rate-limit is specified, a simple #ueue is added with corresponding parameters when
lease enters "ound state. -rp entry is added right after adding of #ueue is done 'only if
add-arp is ena"led for dhcp ser*er+. To "e sure, that client cannot use his ip address
without getting dhcp lease and thus a*oiding rate-limit, reply-only mode must "e used on
that ethernet interface.
%*en though client address may "e changed 'with adding a new item+ in lease print list, it
will not change for the client. It is true for any changes in the !B& ser*er configuration
"ecause of the nature of the !B& protocol. &lient tries to renew assigned I address only
when half a lease time is past 'it tries to renew se*eral times+. Only when full lease time is
past and I address was not renewed, new lease is asked 're"ind operation+.
the deault mac-address *alue will ne*er work) @ou should specify a correct M-& address
there.
Exaple
To assign 16.>.3.166 static I address for the e,isting !B& client 'shown in the lease ta"le
as item R6+:
[admin@MikroTik] ip dhcp-server lease> print
Flags: X - disabled, H - hotspot, D - dynamic
# ADDRESS MAC-ADDRESS EXPIRES-AFTER SERVER STATUS
0 D 10.5.2.90 00:04:EA:C6:0E:40 1h48m59s switch bound
1 D 10.5.2.91 00:04:EA:99:63:C0 1h42m51s switch bound
[admin@MikroTik] ip dhcp-server lease> add copy-from=0 address=10.5.2.100
[admin@MikroTik] ip dhcp-server lease> print
Flags: X - disabled, H - hotspot, D - dynamic
# ADDRESS MAC-ADDRESS EXPIRES-AFTER SERVER STATUS
1 D 10.5.2.91 00:04:EA:99:63:C0 1h42m18s switch bound
2 10.5.2.100 00:04:EA:C6:0E:40 1h48m26s switch bound
[admin@MikroTik] ip dhcp-server lease>

117
D;CP !lert
Su"menu le*el: /ip dhcp-ser%er alert
Description
To find any rogue !B& ser*ers as soon as they appear in your network, !B& -lert tool
can "e used. It will monitor ethernet for all !B& replies and check, whether this reply
comes from a *alid !B& ser*er. If reply from unknown !B& ser*er is detected, alert gets
triggered:
[admin@MikroTik] ip dhcp-server alert>/log print
00:34:23 dhcp,critical,error,warning,info,debug dhcp alert on Public:
discovered unknown dhcp server, mac 00:02:29:60:36:E7, ip 10.5.8.236
[admin@MikroTik] ip dhcp-server alert>
$hen the system alerts a"out a rogue !B& ser*er, it can e,ecute a custom script.
-s !B& replies can "e unicast, rogue dhcp detector may not recei*e any offer to other
dhcp clients at all. To deal with this, rogue dhcp ser*er acts as a dhcp client as well - it
sends out dhcp disco*er re#uests once a minute
alert-timeout 'none.time= default: none+ - time, after which alert will "e forgotten. If
after that time the same ser*er will "e detected, new alert will "e generated
none - infinite time
interface 'name+ - interface, on which to run rogue !B& ser*er finder
in4alid-ser4er 'read-only: text+ - list of M-& addresses of detected unknown !B&
ser*ers. Ser*er is remo*ed from this list after alert-timeout
on-alert 'text+ - script to run, when an unknown !B& ser*er is detected
4alid-ser4er 'text+ - list of M-& addresses of *alid !B& ser*ers
Notes
-ll alerts on an interface can "e cleared at any time using command: "ip dhcp-ser4er
alert reset-alert PinterfaceQ
(ote, that e-mail can "e sent, using /system logging action add target0email
D;CP 1ption
Su"menu le*el: /ip dhcp-ser%er option
Description
$ith help of !B& Option, it is possi"le to define additional custom options for !B&
Ser*er.
code 'integer: 1..3>D+ - dhcp option code. -ll codes are a*aila"le at
http:..www.iana.org.assignments."ootp-dhcp-parameters
118
name 'name+ - descripti*e name of the option
4alue 'text+ - parameter:s *alue in form of a string. If the string "egins with <6,<, it is
assumed as a he,adecimal *alue
Notes
The defined options you can use in /ip d$cp-server network su"menu
-ccording to the !B& protocol, a parameter is returned to the !B& client only if it
re#uests this parameter, specifying the respecti*e code in !B& re#uest arameter-Iist
'code >>+ attri"ute. If the code is not included in arameter-Iist attri"ute, !B& ser*er will
not send it to the !B& client.
Exaple
This e,ample shows how to set !B& ser*er to reply on !B& client:s Bostname re#uest
'code 13+ with *alue Jost-@.
-dd an option named Aption-Jostname with code %' 'Bostname+ and *alue Jost-@:
[admin@MikroTik] ip dhcp-server option> add name=Hostname code=12 \
value="Host-A"
[admin@MikroTik] ip dhcp-server option> print
# NAME CODE VALUE
0 Option-Hostname 12 Host-A
[admin@MikroTik] ip dhcp-server option>
?se this option in !B& ser*er network list:
[admin@MikroTik] ip dhcp-server network> add address=10.1.0.0/24 \
\... gateway=10.1.0.1 dhcp-option=Option-Hostname dns-server=159.148.60.20
[admin@MikroTik] ip dhcp-server network> print detail
0 address=10.1.0.0/24 gateway=10.1.0.1 dns-server=159.148.60.20
dhcp-option=Option-Hostname
[admin@MikroTik] ip dhcp-server network>
(ow the !B& ser*er will reply with its Bostname Jost-@ to !B& client 'if re#uested+
D;CP Relay
Su"menu le*el: /ip dhcp-relay
Description
!B& Relay is 7ust a pro,y that is a"le to recei*e a !B& re#uest and resend it to the real
!B& ser*er
dhcp-ser4er 'text+ - list of !B& ser*ers: I addresses which should the !B& re#uests "e
forwarded to
delay-threshold 'time= default: none+ - if secs field in !B& packet is smaller than delay-
threshold, then this packet is ignored
interface 'name+ - interface name the !B& relay will "e working on
local-address 'IP address= default: !!!+ - the uni#ue I address of this !B& relay
needed for !B& ser*er to distinguish relays:
119
!!! - the I address will "e chosen automatically
name 'name+ - descripti*e name for relay
Notes
!B& relay does not choose the particular !B& ser*er in the dhcp-ser*er list, it 7ust sent
to all the listed ser*ers.
Exaple
To add a !B& relay named relay on ether% interface resending all recei*ed re#uests to
the %!!!% !B& ser*er:
[admin@MikroTik] ip dhcp-relay> add name=relay interface=ether1 \
\... dhcp-server=10.0.0.1 disabled=no
[admin@MikroTik] ip dhcp-relay> print
# NAME INTERFACE DHCP-SERVER LOCAL-ADDRESS
0 relay ether1 10.0.0.1 0.0.0.0
[admin@MikroTik] ip dhcp-relay>

9uestionA!ns#er-Based "etup
&ommand name: /ip dhcp-ser%er setup
9uestions
addresses to gi4e out 'text+ - the pool of I addresses !B& ser*er should lease to the
clients
dhcp address space 'IP address.netmask= default: %&'!%()!!"'*+ - network the !B&
ser*er will lease to the clients
dhcp relay 'IP address= default: !!!+ - the I address of the !B& relay "etween the
!B& ser*er and the !B& clients
dhcp ser4er interface 'name+ - interface to run !B& ser*er on
dns ser4ers 'IP address+ - I address of the appropriate !(S ser*er to "e propagated to
the !B& clients
gateway 'IP address= default: !!!+ - the default gateway of the leased network
lease time 'time= default: 0d+ - the time the lease will "e *alid
Notes
!epending on current settings and answers to the pre*ious #uestions, default *alues of
following #uestions may "e different. Some #uestions may disappear if they "ecome
redundant 'for e,ample, there is no use of asking for :relay: when the ser*er will lend the
directly connected network+
Exaple
To configure !B& ser*er on ether% interface to lend addresses from 16.6.6.3 to
16.6.6.3>D which "elong to the %!!!"'* network with %!!!% gateway and
%?&!%*)!(!' !(S ser*er for the time of F days:
[admin@MikroTik] ip dhcp-server> setup
Select interface to run DHCP server on
120
dhcp server interface: ether1
Select network for DHCP addresses
dhcp address space: 10.0.0.0/24
Select gateway for given network
gateway for dhcp network: 10.0.0.1
Select pool of ip addresses given out by DHCP server
addresses to give out: 10.0.0.2-10.0.0.254
Select DNS servers
dns servers: 159.148.60.20
Select lease time
lease time: 3d

The wiEard has made the following configuration "ased on the answers a"o*e:
[admin@MikroTik] ip dhcp-server> print
0 dhcp1 ether1 0.0.0.0 dhcp_pool1 3d no
[admin@MikroTik] ip dhcp-server> network print
# ADDRESS GATEWAY DNS-SERVER WINS-SERVER DOMAIN
0 10.0.0.0/24 10.0.0.1 159.148.60.20
[admin@MikroTik] ip dhcp-server> /ip pool print
# NAME RANGES
0 dhcp_pool1 10.0.0.2-10.0.0.254

!pplication Exaples
Dynaic !ddressingB using D;CP-Relay
Iet us consider that you ha*e se*eral I networks :"ehind: other routers, "ut you want to
keep all !B& ser*ers on a single router. To do this, you need a !B& relay on your
network which relies !B& re#uests from clients to !B& ser*er.
This e,ample will show you how to configure a !B& ser*er and a !B& relay which ser*e 3
I networks - %&'!%()!%!"'* and %&'!%()!'!"'* that are "ehind a router CJCP-
Relay.
I addresses of CJCP-1er4er:
121
[admin@DHCP-Server] ip address> print
0 192.168.0.1/24 192.168.0.0 192.168.0.255 To-DHCP-Relay
1 10.1.0.2/24 10.1.0.0 10.1.0.255 Public
[admin@DHCP-Server] ip address>
I addresses of CJCP-Relay:
[admin@DHCP-Relay] ip address> print
0 192.168.0.1/24 192.168.0.0 192.168.0.255 To-DHCP-Server
1 192.168.1.1/24 192.168.1.0 192.168.1.255 Local1
2 192.168.2.1/24 192.168.2.0 192.168.2.255 Local2
[admin@DHCP-Relay] ip address>
To setup 3 !B& Ser*ers on CJCP-1er4er router add 3 pools. /or networks
%&'!%()!%!"'* and %&'!%()!'!:
/ip pool add name=Local1-Pool ranges=192.168.1.11-192.168.1.100
/ip pool add name=Local1-Pool ranges=192.168.2.11-192.168.2.100
[admin@DHCP-Server] ip pool> print
# NAME RANGES
0 Local1-Pool 192.168.1.11-192.168.1.100
1 Local2-Pool 192.168.2.11-192.168.2.100
[admin@DHCP-Server] ip pool>
&reate !B& Ser*ers:
/ip dhcp-server add interface=To-DHCP-Relay relay=192.168.1.1 \
address-pool=Local1-Pool name=DHCP-1 disabled=no
/ip dhcp-server add interface=To-DHCP-Relay relay=192.168.2.1 \
address-pool=Local2-Pool name=DHCP-2 disabled=no
[admin@DHCP-Server] ip dhcp-server> print
0 DHCP-1 To-DHCP-Relay 192.168.1.1 Local1-Pool 3d00:00:00
1 DHCP-2 To-DHCP-Relay 192.168.2.1 Local2-Pool 3d00:00:00
[admin@DHCP-Server] ip dhcp-server>
&onfigure respecti*e networks:
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 \
dns-server=159.148.60.20
/ip dhcp-server network add address=192.168.2.0/24 gateway=192.168.2.1 \
dns-server 159.148.60.20
[admin@DHCP-Server] ip dhcp-server network> print
# ADDRESS GATEWAY DNS-SERVER WINS-SERVER DOMAIN
0 192.168.1.0/24 192.168.1.1 159.148.60.20
1 192.168.2.0/24 192.168.2.1 159.148.60.20
[admin@DHCP-Server] ip dhcp-server network>
&onfiguration of CJCP-1er4er is done. (ow let:s configure CJCP-Relay:
/ip dhcp-relay add name=Local1-Relay interface=Local1 \
dhcp-server=192.168.0.1 local-address=192.168.1.1 disabled=no
/ip dhcp-relay add name=Local2-Relay interface=Local2 \
dhcp-server=192.168.0.1 local-address=192.168.2.1 disabled=no
[admin@DHCP-Relay] ip dhcp-relay> print
# NAME INTERFACE DHCP-SERVER LOCAL-ADDRESS
0 Local1-Relay Local1 192.168.0.1 192.168.1.1
1 Local2-Relay Local2 192.168.0.1 192.168.2.1
[admin@DHCP-Relay] ip dhcp-relay>
122
'P !ddress assignentB using $reeR!D'5" "er%er
Iet us consider that we want to assign I addresses for clients, using the R-!I?S ser*er.
$e assume that you already ha*e installed /reeR-!I?S. Just add these lines to specified
files:
users file:
00:0B:6B:31:02:4B Auth-Type := Local, Password == ""
Framed-IP-Address = 192.168.0.55
clients.conf file
client 172.16.0.1 {
secret = MySecret
shortname = Server
}
&onfigure Radius &lient on RouterOS:
/radius add service=dhcp address=172.16.0.2 secret=MySecret
[admin@DHCP-Server] radius> print detail
Flags: X - disabled
0 service=dhcp called-id="" domain="" address=172.16.0.2 secret="MySecret"
authentication-port=1812 accounting-port=1813 timeout=00:00:00.300
accounting-backup=no realm=""
[admin@DHCP-Server] radius>
Setup !B& Ser*er:
1. &reate an address pool:
/ip pool add name=Radius-Clients ranges=192.168.0.11-192.168.0.100
3. -dd a !B& ser*er:
3. /ip dhcp-server add address-pool=Radius-Clients use-radius=yes interface=Local
\
disabled=no
123
D. &onfigure !B& networks:
5. /ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.1 \
dns-server=159.148.147.194,159.148.60.20
(ow the client with M-& address HFH(FH0%H'H*F will always recei*e I address
%&'!%()!!??.
CN1 Client and Cache
Document revision: 1.2 (Fri *pr 1 1#:3#:43 GMT 200)
Applies to: V2.9
&eneral 'n(oration
"uary
!(S cache is used to minimiEe !(S re#uests to an e,ternal !(S ser*er as well as to
minimiEe !(S resolution time. This is a simple recursi*e !(S ser*er with local items.
"peci(ications
Su"menu le*el: /ip dns
Standards and Technologies: !(S
Related Docuents
BotSpot 9ateway
Description
The MikroTik router with !(S cache feature ena"led can "e set as a primary !(S ser*er for
any !(S-compliant clients. Moreo*er, MikroTik router can "e specified as a primary !(S
ser*er under its dhcp-ser*er settings. $hen the !(S cache is ena"led, the MikroTik router
responds to !(S T& and ?! re#uests on port >F.
http:..www.freesoft.org.&I%.&ourse.Section3.F.htm
http:..www.networksorcery.com.enp.protocol.dns.htm
R/&16F>
Client Con(iguration and Cache "etup
Su"menu le*el: /ip dns
124
Description
!(S client is used to pro*ide domain name resolution for router itself as well as for the 3
clients connected to the router.
allow-remote-requests 'yes ; no+ - specifies whether to allow network re#uests
cache-ma5-ttl 'time= default: %w+ - specifies ma,imum time-to-li*e for cahce records. In
other words, cache records will e,pire after cache-ma5-ttl time.
cache-si6e 'integer: >13..163D6= default: '*)XiF+ - specifies the siEe of !(S cache in
Ki8
cache-used 'read-only: integer+ - displays the currently used cache siEe in Ki8
primary-dns 'IP address= default: !!!+ - primary !(S ser*er
secondary-dns 'IP address= default: !!!+ - secondary !(S ser*er
Notes
If the property use-peer-dns under "ip dhcp-client is set to yes then primary-dns
under "ip dns will change to a !(S address gi*en "y !B& Ser*er.
Exaple
To set 1>2.1D5.46.3 as the primary !(S ser*er and allow the router to "e used as a !(S
ser*er, do the following:
[admin@MikroTik] ip dns> set primary-dns=159.148.60.2 \
\... allow-remote-requests=yes
[admin@MikroTik] ip dns> print
primary-dns: 159.148.60.2
secondary-dns: 0.0.0.0
allow-remote-requests: yes
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 17KiB
[admin@MikroTik] ip dns>
Cache Monitoring
Su"menu le*el: /ip dns cache
address 'read-only: IP address+ - I address of the host
name 'read-only: name+ - !(S name of the host
ttl 'read-only: time+ - remaining time-to-li*e for the record
"tatic DN" Entries
Su"menu le*el: /ip dns static
Description
125
The MikroTik RouterOS has an em"edded !(S ser*er feature in !(S cache. It allows you to
link the particular domain names with the respecti*e I addresses and ad*ertiEe these links
to the !(S clients using the router as their !(S ser*er.
address 'IP address+ - I address to resol*e domain name with
name 'text+ - !(S name to "e resol*ed to a gi*en I address
ttl 'time+ - time-to-li*e of the !(S record
Exaple
To add a static !(S entry for www!e5ample!com to "e resol*ed to %!!!% I address:
[admin@MikroTik] ip dns static> add name www.example.com address=10.0.0.1
[admin@MikroTik] ip dns static> print
# NAME ADDRESS TTL
0 aaa.aaa.a 123.123.123.123 1d
1 www.example.com 10.0.0.1 1d
[admin@MikroTik] ip dns static>
$lushing DN" cache
&ommand name: /ip dns cache (lush
Coand Description
flush - clears internal !(S cache
Exaple
[admin@MikroTik] ip dns> cache flush
[admin@MikroTik] ip dns> print
primary-dns: 159.148.60.2
secondary-dns: 0.0.0.0
allow-remote-requests: yes
cache-size: 2048 KiB
cache-max-ttl: 1w
cache-used: 10 KiB
[admin@MikroTik] ip dns>
Jot1pot .ateway
Document revision: 4.2 (Tue &u) 04 14:49:3! GMT 2006)
Applies to: V2.9
&eneral 'n(oration
"uary
The MikroTik BotSpot 9ateway ena"les pro*iding of pu"lic network access for clients using
wireless or wired network connections.
126
BotSpot 9ateway features:
authentication of clients using local client data"ase, or R-!I?S ser*er
accounting using local data"ase, or R-!I?S ser*er
$alled-garden system 'accessing some we" pages without authoriEation+
9uic, "etup &uide
The most noticea"le difference in user e,perience setting up BotSpot system in *ersion 3.2
from the pre*ious RouterOS *ersions is that it has "ecome in order of magnitude easier to
set up a correctly working BotSpot system.
9i*en a router with two interfaces: Iocal 'where BotSpot clients are connected to+ and
u"lic, which is connected to the Internet. To set up BotSpot on the Iocal interface:
1. first, a *alid I config is re#uired on "oth interfaces. This can "e done with "setup
command. In this e,ample we will assume the configuration with !B& ser*er on the
Iocal interface
3. *alid !(S configuration must "e set up in the "ip dns su"menu
3. To put BotSpot on the Iocal interface, using the same I address pool as !B&
ser*er uses for that interface: /ip hotspot add interface=local address-
pool=dhcp-pool-1
4. and finally, add at least one BotSpot user: /ip hotspot user add name=admin
These simple steps should "e sufficient to ena"le BotSpot system
lease find many BotSpot Bow-to:s, which will answer most of your #uestions a"out
configuring a BotSpot gateway, at the end of this manual. It is still recommended that you
read and understand all the Cescription section "elow "efore deploying a BotSpot system.
If this does not work:
check that "ip dns contains *alid !(S ser*ers, try to "ping www!mikrotik!com to
see, that !(S resol*ing works
make sure that connection tracking is ena"led: /ip firewall connection
tracking set enabled=yes
"peci(ications
ackages re#uired: hotspot, dhcp%optional'
Iicense re#uired: Level1 %Limited to 1 active user' , Level( %Limited to 1 active user' ,
Level1 %Limited to +22 active users' , Level3 %Limited to 322 active users' , Level4
Su"menu le*el: /ip hotspot
Standards and Technologies: I&M, !B&
Description
MikroTik BotSpot 9ateway should ha*e at least two network interfaces:
1. BotSpot interface, which is used to connect BotSpot clients
3. I-(.$-( interface, which is used to access network resources. /or e,ample, !(S
and R-!I?S ser*er's+ should "e accessi"le
127
The diagram "elow shows a sample BotSpot setup.
The BotSpot interface should ha*e an I address assigned to it. hysical network connection
has to "e esta"lished "etween the BotSpot user:s computer and the gateway. It can "e
wireless 'the wireless card should "e registered to -+, or wired 'the (I& card should "e
connected to a hu" or a switch+.
(ote that the most noticea"le difference in user e,perience setting up BotSpot system in
*ersion 3.2 from the pre*ious RouterOS *ersions is that it has "ecome in order of
magnitude easier to set up a correctly working BotSpot system.
'ntroduction to ;ot"pot
BotSpot is a way to authoriEe users to access some network resources. It does not pro*ide
traffic encryption. To log in, users may use almost any we" "rowser 'either BTT or BTTS
protocol+, so they are not re#uired to install additional software. The gateway is accounting
the uptime and amount of traffic each of its clients ha*e used, and also can send this
information to a R-!I?S ser*er. The BotSpot system may limit each particular user:s
"itrate, total amount of traffic, uptime and some other parameters mentioned further in this
document.
The BotSpot system is targeted to pro*ide authentication within a local network 'to access
the Internet+, "ut may as well "e used to authoriEe access from outer networks to access
local resources. &onfiguring $alled 9arden feature, it is possi"le to allow users to access
some we" pages without the need of prior authentication.
&etting !ddress
/irst of all, a client must get an I address. It may "e set on the client statically, or leased
from a !B& ser*er. The !B& ser*er may pro*ide ways of "inding lent I addresses to
clients M-& addresses, if re#uired. The BotSpot system does not care how did a client get
an address "efore he.she gets to the BotSpot login page.
128
Moreo*er, BotSpot ser*er may automatically and transparently change any I address 'yes,
meaning really any I address+ of a client to a *alid unused address from the selected I
pool. This feature gi*es a possi"ility to pro*ide a network access 'for e,ample, Internet
access+ to mo"ile clients that are not willing 'or are disallowed, not #ualified enough or
otherwise una"le+ to change their networking settings. The users will not notice the
translation 'i.e., there will not "e any changes in the users: config+, "ut the router itself will
see completely different 'from what is actually set on each client+ source I addresses on
packets sent from the clients 'e*en firewall mangle ta"le will :see: the translated
addresses+. This techni#ue is called one-to-one (-T, "ut is also known as <?ni*ersal &lient<
as that is how it was called in the RouterOS *ersion 3.5.
One-to-one (-T accepts any incoming address from a connected network interface and
performs a network address translation so that data may "e routed through standard I
networks. &lients may use any preconfigured addresses. If the one-to-one (-T feature is
set to translate a client:s address to a pu"lic I address, then the client may e*en run a
ser*er or any other ser*ice that re#uires a pu"lic I address. This (-T is changing source
address of each packet 7ust after it is recei*ed "y the router 'it is like source (-T that is
performed earlier, so that e*en firewall mangle ta"le, which normally :sees: recei*ed
packets unaltered, can only :see: the translated address+.
Note also that arp mode must "e ena#led on the interface you use one-to-one (-T on.
Be(ore the authentication
$hen ena"ling BotSpot on an interface, the system automatically sets up e*erything
needed to show login page for all clients that are not logged in. This is done "y adding
dynamic destination (-T rules, which you can o"ser*e on a working BotSpot system. These
rules are needed to redirect all BTT and BTTS re#uests from unauthoriEed users to the
BotSpot ser*let 'i.e., the authentication procedure, e.g., the login page+. Other rules that
are also inserted, we will descri"e later in a special section of this manual.
In most common setup, opening any BTT page will "ring up the BotSpot ser*let login page
'which can "e customiEed e,tensi*ely, as will "e descri"ed later on+. -s normal user
"eha*ior is to open we" pages "y their !(S names, a *alid !(S configuration should "e set
up on the BotSpot gateway itself 'it is possi"le to reconfigure the gateway so that it will not
re#uire local !(S configuration, "ut such a configuration is impractical and thus not
recommended+.
3alled &arden
@ou may wish not to re#uire authoriEation for some ser*ices 'for e,ample to let clients
access the we" ser*er of your company without registration+, or e*en to re#uire
authoriEation only to a num"er of ser*ices 'for e,ample, for users to "e allowed to access
an internal file ser*er or another restricted area+. This can "e done "y setting up $alled
9arden system.
$hen a not logged-in user re#uests a ser*ice allowed in the $alled 9arden configuration,
the BotSpot gateway does not intercept it, or in case of BTT, simply redirects the re#uest
to the original destination 'or to a specified parent pro,y+. $hen a user is logged in, there is
no effect of this ta"le on him.her.
To implement the $alled 9arden feature for BTT re#uests, an em"edded we" pro,y ser*er
has "een designed, so all the re#uests from not authoriEed users are really going through
this pro,y. Note that the em"edded pro,y ser*er does not ha*e caching function yet. -lso
note that this em"edded pro,y ser*er is in the system software package and does not
re#uire we#-pro5y package. It is configura"le under "ip pro5y
129
!uthentication
There are currently > different authentication methods. @ou can use one or more of them
simultaneously:
J--P P@P - simplest method, which shows the BotSpot login page and e,pect to
get the authentication info 'i.e. username and password+ in plain te,t. Note that
passwords are not "eing encrypted when transferred o*er the network. -n another
use of this method is the possi"ility of hard-coded authentication information in the
ser*let:s login page simply creating the appropriate link.
J--P CJ@P - standard method, which includes &B- challenge in the login page.
The &B- M!> hash challenge is to "e used together with the user:s password for
computing the string which will "e sent to the BotSpot gateway. The hash result 'as
a password+ together with username is sent o*er network to BotSpot ser*ice 'so,
password is ne*er sent in plain te,t o*er I network+. On the client side, M!>
algorithm is implemented in Ja*aScript applet, so if a "rowser does not support
Ja*aScript 'like, for e,ample, Internet %,plorer 3.6 or some !- "rowsers+, it will
not "e a"le to authenticate users. It is possi"le to allow unencrypted passwords to "e
accepted "y turning on BTT - authentication method, "ut it is not recommended
'"ecause of security considerations+ to use that feature.
J--P1 - the same as BTT -, "ut using SSI protocol for encrypting
transmissions. BotSpot user 7ust send his.her password without additional hashing
'note that there is no need to worry a"out plain-te,t password e,posure o*er the
network, as the transmission itself is encrypted+. In either case, BTT OST method
'if not possi"le, then - BTT 9%T method+ is used to send data to the BotSpot
gateway.
J--P cookie - after each successful login, a cookie is sent to we" "rowser and the
same cookie is added to acti*e BTT cookie list. (e,t time the same user will try to
log in, we" "rowser will send http cookie. This cookie will "e compared with the one
stored on the BotSpot gateway and only if source M-& address and randomly
generated I! match the ones stored on the gateway, user will "e automatically
logged in using the login information 'username and password pair+ was used when
the cookie was first generated. Otherwise, the user will "e prompted to log in, and in
the case authentication is successful, old cookie will "e remo*ed from the local
BotSpot acti*e cookie list and the new one with different random I! and e,piration
time will "e added to the list and sent to the we" "rowser. It is also possi"le to erase
cookie on user manual logoff 'not in the default ser*er pages+. This method may
only "e used together with BTT -, BTT &B- or BTTS methods as there would
"e nothing to generate cookies in the first place otherwise.
M@C address - try to authenticate clients as soon as they appear in the hosts list
'i.e., as soon as they ha*e sent any packet to the BotSpot ser*er+, using client:s
M-& address as username
BotSpot can authenticate users consulting the local user data"ase or a R-!I?S ser*er 'local
data"ase is consulted first, then - a R-!I?S ser*er+. In case of BTT cookie authentication
*ia R-!I?S ser*er, the router will send the same information to the ser*er as was used
when the cookie was first generated. If authentication is done locally, profile corresponding
to that user is used, otherwise 'in case R-!I?S reply did not contain the group for that
user+ the default profile is used to set default *alues for parameters, which are not set in
R-!I?S access-accept message. /or more information on how the interaction with a
R-!I?S ser*er works, see the respecti*e manual section.
The BTT - method also makes it possi"le to authenticate "y re#uesting the page
/login?username=username&password=password . In case you want to log in using telnet
connection, the e,act BTT re#uest would look like that: .E- "login<
username+usernameOpassword+password J--P"%! 'note that the re#uest is case-
sensiti*e+
130
!uthori/ation
-fter authentication, user gets access to the Internet, and recei*es some limitations 'which
are user profile specific+. BotSpot may also perform a one-to-one (-T for the client, so that
a particular user would always recei*e the same I address regardless of what & is he.she
working at.
The system will automatically detect and redirect re#uests to a pro,y ser*er a client is using
'if any= it may "e set in his.her settings to use an unknown to us pro,y ser*er+ to the pro,y
ser*er em"edded in the router.
-uthoriEation may "e delegated to a R-!I?S ser*er, which deli*ers similar configuration
options as the local data"ase. /or any user re#uiring authoriEation, a R-!I?S ser*er gets
#ueried first, and if no reply recei*ed, the local data"ase is e,amined. R-!I?S ser*er may
send a &hange of -uthoriEation re#uest according to standards to alter the pre*iously
accepted parameters.
!d%ertiseent
The same pro,y used for unauthoriEed clients to pro*ide $alled-9arden facility, may also "e
used for authoriEed users to show them ad*ertisement popups. Transparent pro,y for
authoriEed users allows to monitor http re#uests of the clients and to take some action if
re#uired. It ena"les the possi"ility to open status page e*en if client is logged in "y mac
address, as well as to show ad*ertisements time after time
$hen time has come to show an ad*ertisement, the ser*er redirects client:s we" "rowser to
the status page. Only re#uests, which pro*ide html content, are redirected 'images and
other content will not "e affected+. The status page displays the ad*ertisement and ne,t
ad*ertise-inter*al is used to schedule ne,t ad*ertisement. If status page is una"le to display
an ad*ertisement for configured timeout starting from moment, when it is scheduled to "e
shown, client access is "locked within walled-garden 'as unauthoriEed clients are+. &lient is
un"locked when the scheduled page is finally shown. (ote that if popup windows are
"locked in the "rowser, the link on the status page may "e used to open the ad*ertisement
manually.
$hile client is "locked, /T and other ser*ices will not "e allowed. Thus re#uiring client to
open an ad*ertisement for any Internet acti*ity not especially allowed "y the $alled-
9arden.
!ccounting
The BotSpot system implement accounting internally, you are not re#uired to do anything
special for it to work. The accounting information for each user may "e sent to a R-!I?S
ser*er.
Con(iguration enus
"ip hotspot - BotSpot ser*ers on particular interfaces 'one ser*er per interface+.
BotSpot ser*er must "e added in this menu in order for BotSpot system to work on
an interface
"ip hotspot profile - BotSpot ser*er profiles. Settings, which affect login procedure
for BotSpot clients are configured here. More than one BotSpot ser*ers may use the
same profile
"ip hotspot host - dynamic list of acti*e network hosts on all BotSpot interfaces.
Bere you can also find I address "indings of the one-to-one (-T
"ip hotspot ip-#inding - rules for "inding I addresses to hosts on hotspot
interfaces
131
"ip hotspot ser4ice-port - address translation helpers for the one-to-one (-T
"ip hotspot walled-garden - $alled 9arden rules at BTT le*el '!(S names, BTT
re#uest su"strings+
"ip hotspot walled-garden ip - $alled 9arden rules at I le*el 'I addresses, I
protocols+
"ip hotspot user - local BotSpot system users
"ip hotspot user profile - local BotSpot system users profiles 'user groups+
"ip hotspot acti4e - dynamic list of all authenticated BotSpot users
"ip hotspot cookie - dynamic list of all *alid BTT cookies
9uestionA!ns#er-Based "etup
&ommand name: /ip hotspot setup
9uestions
address pool of network 'name+ - I address pool for the BotSpot network
dns name 'text+ - !(S domain name of the BotSpot gateway 'will "e statically configured
on the local !(S pro,y
dns ser4ers 'IP address,TIP addressU+ - !(S ser*ers for BotSpot clients
hotspot interface 'name+ - interface to run BotSpot on
ip address of smtp ser4er 'IP address= default: !!!+ - I address of the SMT ser*er
to redirect SMT re#uests 'T& port 3>+ to
P !!! - no redirect
local address of network 'IP address= default: %!?!?!%"'*+ - BotSpot gateway
address for the interface
masquerade network 'yes ; no= default: yes+ - whether to mas#uerade the BotSpot
network
name of local hotspot user 'text= default: admin+ - username of one automatically
created user
passphrase 'text+ - the passphrase of the certificate you are importing
password for the user 'text+ - password for the automatically created user
select certificate 'name ; none import-other-certificate+ - choose SSI certificate from the
list of the imported certificates
P none - do not use SSI
P import-other-certificate - setup the certificates not imported yet, and ask this #uestion again
Notes
!epending on current settings and answers to the pre*ious #uestions, default *alues of
following #uestions may "e different. Some #uestions may disappear if they "ecome
redundant
Exaple
To configure BotSpot on ether1 interface 'which is already configured with address of
123.6.3.1.3>+, and adding user admin with password ru""ish:
[admin@MikroTik] > ip hotspot setup
hotspot interface: ether1
local address of network: 192.0.2.1/24
masquerade network: yes
address pool of network: 192.0.2.2-192.0.2.126
select certificate: none
ip address of smtp server: 0.0.0.0
dns servers: 192.0.2.254
132
dns name: hs.example.net
name of local hotspot user: admin
password for the user: rubbish
[admin@MikroTik] >

;ot"pot 'nter(ace "etup
Su"menu le*el: /ip hotspot
Description
BotSpot system is put on indi*idual interfaces. @ou can run completely different BotSpot
configurations on different interfaces
addresses-per-mac 'integer ; unlimited= default: '+ - num"er of I addresses allowed to
"e "ind with any particular M-& address 'it is a small chance to reduce denial of ser*ice
attack "ased on taking o*er all free I addresses+
unlimited - num"er of I addresses per one M-& address is not limited
address-pool 'name ; none= default: none+ - I address pool name for performing one-to-
one (-T. @ou can choose not to use the one-to-one (-T
none - do not perform one-to-one (-T for the clients of this BotSpot interface
J--P1 'read-only: flag+ - whether the BTTS ser*ice is actually running on the interface
'i.e., it is set up in the ser*er profile, and a *alid certificate is imported in the router+
idle-timeout 'time ; none= default: H?H+ - idle timeout 'ma,imal period of inacti*ity+
for unauthoriEed clients. It is used to detect, that client is not using outer networks 'e.g.
Internet+, i.e., there is (O TR-//I& coming from that client and going through the router.
Reaching the timeout, user will "e dropped of the host list, and the address used "uy the
user will "e freed
none - do not timeout idle users
interface 'name+ - interface to run BotSpot on
ip-of-dns-name 'read-only: IP address+ - I address of the BotSpot gateway:s !(S name
set in the BotSpot interface profile
keepali4e-timeout 'time ; none= default: none+ - keepali*e timeout for unauthoriEed
clients. ?sed to detect, that the computer of the client is ali*e and reacha"le. If check will
fail during this period, user will "e dropped of the host list, and the address used "uy the
user will "e freed
none - do not timeout unreacha"le users
profile 'name= default: default+ - default BotSpot profile for the interface
Coand Description
reset-html 'name+ - o*erwrite the e,isting BotSpot ser*let with the original BTMI files. It
is used if you ha*e changed the ser*let and it is not working after that
Notes
addresses-per-mac property works only if address pool is defined. -lso note that in case
you are authenticating users connected through a router, than all the I addresses will
seem to ha*e come from one M-& address.
Exaple
133
To add BotSpot system to the local interface, allowing the system to do one-to-one (-T for
each client 'addresses from the J1-real address pool will "e used for the (-T+:
[admin@MikroTik] ip hotspot> add interface=local address-pool=HS-real
[admin@MikroTik] ip hotspot> print
Flags: X - disabled, I - invalid, S - HTTPS
# NAME INTERFACE ADDRESS-POOL PROFILE IDLE-TIMEOUT
0 hs-local local HS-real default 00:05:00
[admin@MikroTik] ip hotspot>

;ot"pot "er%er Pro(iles
Su"menu le*el: /ip hotspot pro(ile
dns-name 'text+ - !(S name of the BotSpot ser*er. This is the !(S name used as the
name of the BotSpot ser*er 'i.e., it appears as the location of the login page+. This name
will automatically "e added as a static !(S entry in the !(S cache
hotspot-address 'IP address= default: !!!+ - I address for BotSpot ser*ice
html-directory 'text= default: $$+ - name of the directory 'accessi"le with /T+, which
stores the BTMI ser*let pages 'when changed, the default pages are automatically copied
into specified directory if it does not e,ist already+
http-cookie-lifetime 'time= default: 0d+ - *alidity time of BTT cookies
http-pro5y 'IP address= default: !!!+ - the address of the pro,y ser*er the BotSpot
ser*ice will use as a pro,y ser*er for all those re#uests intercepted "y ?ni*ersal ro,y
system and not defined in the "ip pro5y direct list. If not specified, the address defined in
parent-pro5y parameter of "ip pro5y. If that is a"sent too, the re#uest will "e resol*ed
"y the local pro,y
login-#y 'multiple c$oice: cookie ; http-chap ; http-pap ; https ; mac ; trial= default:
cookie,http-chap+ - which authentication methods to use
cookie - use BTT cookies to authenticate, without asking user credentials. Other method will "e used in
case the client does not ha*e cookie, or the stored username and password pair are not *alid anymore since
the last authentication. May only "e used together with other BTT authentication methods 'BTT--,
BTT-&B- or BTTS+, as in the other case there would "e no way for the cookies to "e generated in the
first place
http-chap - use &B- challenge-response method with M!> hashing algorithm for hashing passwords. This
way it is possi"le to a*oid sending clear-te,t passwords o*er an insecure network. This is the default
authentication method
http-pap - use plain-te,t authentication o*er the network. lease note that in case this method will "e
used, your user passwords will "e e,posed on the local networks, so it will "e possi"le to intercept them
https - use encrypted SSI tunnel to transfer user communications with the BotSpot ser*er. (ote that in
order this to work, a *alid certificate must "e imported into the router 'see a separate manual on certificate
management+
mac - try to use client:s M-& address first as its username. If the matching M-& address e,ists in the local
user data"ase or on the R-!I?S ser*er, the client will "e authenticated without asking to fill the login form
trial - does not re#uire authentication for a certain amount of time
radius-accounting 'yes ; no= default: yes+ - whether to send R-!I?S ser*er accounting
information on each user once in a while 'the <while< is defined in the radius-interim-
update property+
radius-default-domain 'text= default: $$+ - default domain to use for R-!I?S re#uests. It
allows to select different R-!I?S ser*ers depending on BotSpot ser*er profile, "ut may "e
handful for single R-!I?S ser*er as well.
radius-interim-update 'time ; recei*ed= default: recei4ed+ - how often to sent
cumulati*e accounting reports.
s - same as recei4ed
recei4ed - use whate*er *alue recei*ed from the R-!I?S ser*er
rate-limit 'text= default: $$+ - Rate limitation in form of r5-rate7"t5-rate8 7r5-#urst-
rate7"t5-#urst-rate8 7r5-#urst-threshold7"t5-#urst-threshold8 7r5-#urst-time7"t5-
134
#urst-time8888 from the point of *iew of the router 'so <r,< is client upload, and <t,< is
client download+. -ll rates should "e num"ers with optional :k: '1,666s+ or :M: '1,666,666s+.
If t,-rate is not specified, r,-rate is as t,-rate too. Same goes for t,-"urst-rate and t,-
"urst-threshold and t,-"urst-time. If "oth r,-"urst-threshold and t,-"urst-threshold are not
specified '"ut "urst-rate is specified+, r,-rate and t,-rate is used as "urst thresholds. If "oth
r,-"urst-time and t,-"urst-time are not specified, 1s is used as default
smtp-ser4er 'IP address= default: !!!+ - default SMT ser*er to "e used to redirect
unconditionally all user SMT re#uests to
split-user-domain 'yes ; no= default: no+ - whether to split username from domain name
when the username is gi*en in <user^domain< or in <domain]user< format
ssl-certificate 'name ; none= default: none+ - name of the SSI certificate to use for
BTTS authentication. (ot used for other authentication methods
trial-uptime 'time.time= default: 0m"%d+ - is used only when authentication method is
trial. Specifies the amount of time the user identified "y M-& address can use hotspot
ser*ices without authentication and the time, that has to pass that the user is allowed to
use hotspot ser*ices again
trial-user-profile 'name= default: default+ - is used only only when authentication
method is trial. Specifies user profile, that trial users will use
use-radius 'yes ; no= default: no+ - whether to use R-!I?S to authenticate BotSpot users
Notes
If dns-name property is not specified, hotspot-address is used instead. If hotspot-
address is also a"sent, then "oth are to "e detected automatically.
In order to use R-!I?S authentication, the "radius menu must "e set up accordingly.
Trial authentication method should allways "e used together with one of the other
authentication methods.
Exaple
;ot"pot 5ser Pro(iles
Su"menu le*el: /ip hotspot user pro(ile
Description
-rticle mo*ed to: BotSpot --- section
;ot"pot 5sers
Su"menu le*el: /ip hotspot user
Description
;ot"pot !cti%e 5sers
Su"menu le*el: /ip hotspot acti%e
135
Description
;ot"pot Coo,ies
Su"menu le*el: /ip hotspot coo,ie
Description
&ookies can "e used for authentication in the Botspot ser*ice
domain 'read-only: text+ - domain name 'if split from username+
e5pires-in 'read-only: time+ - how long the cookie is *alid
mac-address 'read-only: M"# address+ - user:s M-& address
user 'read-only: name+ - username
Notes
There can "e multiple cookies with the same M-& address. /or e,ample, there will "e a
separate cookie for each we" "rowser on the same computer.
&ookies can e,pire - that:s the way how it is supposed to "e. !efault *alidity time for
cookies is 0 days 'S3 hours+, "ut it can "e changed for each indi*idual BotSpot ser*er
profile, for e,ample :
/ip hotspot profile set default http-cookie-lifetime=1d
Exaple
To get the list of *alid cookies:
[admin@MikroTik] ip hotspot cookie> print
# USER DOMAIN MAC-ADDRESS EXPIRES-IN
0 ex 01:23:45:67:89:AB 23h54m16s
[admin@MikroTik] ip hotspot cookie>

;22P-le%el 3alled &arden
Su"menu le*el: /ip hotspot #alled-garden
Description
$alled garden is a system which allows unauthoriEed use of some resources, "ut re#uires
authoriEation to access other resources. This is useful, for e,ample, to gi*e access to some
general information a"out BotSpot ser*ice pro*ider or "illing options.
This menu only manages $alled 9arden for BTT and BTTS protocols. Other protocols can
also "e included in $alled 9arden, "ut that is configured elsewhere 'in "ip hotspot
walled-garden ip= see the ne,t section of this manual for details+
136
action 'allow ; deny= default: allow+ - action to undertake if a packet matches the rule:
allow - allow the access to the page without prior authoriEation
deny - the authoriEation is re#uired to access this page
dst-address 'IP address+ - I address of the destination we" ser*er
dst-host 'wildcard= default: $$+ - domain name of the destination we" ser*er 'this is a
wildcard+
dst-port 'integer= default: $$+ - the T& port a client has send the re#uest to
method 'text+ - BTT method of the re#uest
path 'text= default: $$+ - the path of the re#uest 'this is a wildcard+
ser4er 'name+ - name of the BotSpot ser*er this rule applied to
src-address 'IP address+ - I address of the user sending the re#uest
Notes
$ildcard properties 'dst-host and dst-path+ match a complete string 'i.e., they will not
match <e,ample.com< if they are set to <e,ample<+. -*aila"le wildcards are :X: 'match any
num"er of any characters+ and :[: 'match any one character+. Regular e,pressions are also
accepted here, "ut if the property should "e treated as a regular e,pression, it should start
with a colon ':::+.
Small hits in using regular e,pressions:
VV sym"ol se#uence is used to enter V character in console
V! pattern means ! only 'in regular e,pressions single dot in pattern means any
sym"ol+
to show that no sym"ols are allowed "efore the gi*en pattern, we use > sym"ol at
the "eginning of the pattern
to specify that no sym"ols are allowed after the gi*en pattern, we use W sym"ol at
the end of the pattern
@ou can not use path property for BTTS re#uests as router can not 'and should not - that
is what the BTTS protocol was made for)+ decrypt the re#uest.
Exaple
To allow unauthoriEed re#uests to the www!e5ample!com domain:s "paynow!html page:
[admin@MikroTik] ip hotspot walled-garden> add path="/paynow.html" \
\... dst-host="www.example.com"
[admin@MikroTik] ip hotspot walled-garden> print
0 dst-host="www.example.com" path="/paynow.html" action=allow
[admin@MikroTik] ip hotspot walled-garden>

'P-le%el 3alled &arden
Su"menu le*el: /ip hotspot #alled-garden ip
Description
137
This menu is manages $alled 9arden for generic I re#uests. See the pre*ious section for
managing BTT and BTTS protocol specific properties 'like the actual !(S name, BTT
method and path used in re#uests+.
action 'accept ; drop ; re7ect= default: accept+ - action to undertake if a packet matches
the rule:
accept - allow the access to the page without prior authoriEation
drop - the authoriEation is re#uired to access this page
re3ect - the authoriEation is re#uired to access this page, in case the page will "e accsessed withot
authoriEation I&M re7ect message host-unreacha"le will "e generated
dst-address 'IP address+ - I address of the destination we" ser*er
dst-host 'text= default: $$+ - domain name of the destination we" ser*er 'this is not a
regular e,pression or a wildcard of any kind+. The !(S name specified is resol*ed to a list of
I addresses when the rule is added, and all those I addresses are used
dst-port 'integer= default: $$+ - the T& or ?! port 'protocol MB1- "e specified e,plicitly
in the protocol property+ a client has send the re#uest to
protocol 'integer ; ddp egp encap ggp gre hmp icmp idpr-cmtp igmp ipencap ipip ipsec-ah
ipsec-esp iso-tpD ospf pup rdp rspf st tcp udp *mtp ,ns-idp ,tp+ - I protocol name
ser4er 'name+ - name of the BotSpot ser*er this rule applied to
src-address 'IP address+ - I address of the user sending the re#uest
Exaple
1ne-to-one N!2 static address 0indings
Su"menu le*el: /ip hotspot ip-0inding
Description
@ou can setup (-T translations statically "ased on either the original I address 'or I
network+, or the original M-& address. @ou can also allow some addresses to "ypass
BotSpot authentication 'i.e., they will "e a"le work without ha*ing to log in to the network
first+ and completely "lock some addresses.
address 'IP address . TnetmaskU= default: $$+ - the original I address or network of the
client
mac-address 'M"# address= default: $$+ - the source M-& address of the client
ser4er 'name;all= default: all+ - the name of the ser*er the client is connecting to
to-address 'IP address= default: $$+ - I address to translate the original client address to.
If address property is gi*en as network, this is the starting address for the translation 'i.e.,
the first address is translated to to-address, address O 1 to to-address O 1, and so on+
type 'regular ; "ypassed ; "locked+ - type of the static "inding entry
regular - perform a one-to-one (-T translation according to the *alues set in this entry
#ypassed - perform the translation, "ut e,clude the client from ha*ing to log in to the BotSpot system
#locked - the translation will not "e preformed, and all packets from the host will "e dropped
Notes
This is an ordered list, so you can put more specific entries on the top of the list for them to
o*erride the more common that appear lower.
138
!cti%e ;ost *ist
Su"menu le*el: /ip hotspot host
Description
This menu shows all acti*e network hosts that are connected to the BotSpot gateway. This
list includes all one-to-one (-T translations
address 'read-only: IP address+ - the original I address of the client
authori6ed 'read-only: flag+ - whether the client is successfully authenticated "y the
BotSpot system
#locked 'read-only: flag+ - true, if access is "locked within walled-garden "ecause of
e,pired ad*ertisement timeout
#ridge-port 'read-only: name+ - the actual physical interface, which the host is connected
to. This is used when BotSpot ser*ice is put on a "ridge interface to determine the host:s
actual port within the "ridge.
#ypass-hotspot 'read-only: flag+ - whether the client does not need to "e authoriEed "y
the BotSpot system
#ytes-in 'read-only: integer+ - how many "ytes did the router recei*e from the client
#ytes-out 'read-only: integer+ - how many "ytes did the router send to the client
host-dead-time 'read-only: time+ - how long has the router not recei*ed any packets
'including -R replies, keepali*e replies and user traffic+ from this host
idle-time 'read-only: time+ - the amount of time has the user "een idle
idle-timeout 'read-only: time+ - the e,act *alue of idle-timeout that applies to this user.
This property shows how long should the user stay idle for it to "e logged off automatically
keepali4e-timeout 'read-only: time+ - the e,act *alue of keepali4e-timeout that applies
to this user. This property shows how long should the user:s computer stay out of reach for
it to "e logged off automatically
mac-address 'read-only: M"# address+ - the actual M-& address of the user
packets-in 'read-only: integer+ - how many packets did the router recei*e from the client
packets-out 'read-only: integer+ - how many packets did the router send to the client
ser4er 'read-only: name+ - name of the ser*er, which the host is connected to
static 'read-only: flag+ - whether this translation has "een taken from the static I "inding
list
to-address 'read-only: IP address+ - what address is the original I address of the host
translated to
uptime 'read-only: time+ - current session time of the user 'i.e., how long has the user
"een in the acti*e host list+
Coand Description
make-#inding - copy a dynamic entry from this list to the static I "indings list
,nput Parameters
unnamed 'name+ - item num"er
comment 'text+ - custom comment to the static entry to "e created
type 'regular ; "ypassed ; "locked+ - the type of the static entry
"er%ice Port
Su"menu le*el: /ip hotspot ser%ice-port
139
Description
Just like for classic (-T, the BotSpot em"edded one-to-one (-T :"reaks: some protocols
that are incompati"le with address translation. To lea*e these protocols consistent, helper
modules must "e used. /or the one-to-one (-T the only such a module is for /T protocol.
name 'read-only: name+ - protocol name
ports 'read-only: integer+ - list of the ports on which the protocol is working
Exaple
To set the /T protocol uses "oth 36 and 31 T& port:
[admin@MikroTik] ip hotspot service-port> print
Flags: X - disabled
# NAME PORTS
0 ftp 21
[admin@MikroTik] ip hotspot service-port> set ftp ports=20,21
[admin@MikroTik] ip hotspot service-port> print
Flags: X - disabled
# NAME PORTS
0 ftp 20
21
[admin@MikroTik] ip hotspot service-port>

Custoi/ing ;ot"pot7 $ire#all "ection
Description
-part from the o"*ious dynamic entries in the "ip hotspot su"menu itself 'like hosts and
acti*e users+, some additional rules are added in the firewall ta"les when acti*ating a
BotSpot ser*ice. ?nlike RouterOS *ersion 3.5, there are relati*ely few firewall rules added in
the firewall as the main 7o" is made "y the one-to-one (-T algorithm.
N!2 rules
/rom "ip firewall nat print dynamic command, you can get something like this
'comments follow after each of the rules+:
0 D chain=dstnat hotspot=from-client action=jump jump-target=hotspot

utting all BotSpot-related tasks for packets from all BotSpot clients into a separate chain
1 D chain=hotspot protocol=udp dst-port=53 action=redirect to-ports=64872
2 D chain=hotspot protocol=tcp dst-port=53 action=redirect to-ports=64872

Redirect all !(S re#uests to the BotSpot ser*ice. The 4D5S3 port pro*ides !(S ser*ice for
all BotSpot users. If you want BotSpot ser*er to listen also to another port, add rules here
the same way, changing dst-port property
3 D chain=hotspot protocol=tcp dst-port=80 hotspot=local-dst action=redirect
to-ports=64873
140

Redirect all BTT login re#uests to the BTT login ser*let. The 4D5SF is BotSpot BTT
ser*let port.
4 D chain=hotspot protocol=tcp dst-port=443 hotspot=local-dst action=redirect
to-ports=64875

Redirect all BTTS login re#uests to the BTTS login ser*let. The 4D5S> is BotSpot BTTS
ser*let port.
5 D chain=hotspot protocol=tcp action=jump hotspot=!auth jump-target=hs-unauth

-ll other packets e,cept !(S and login re#uests from unauthoriEed clients should pass
through the hs-unauth chain
6 D chain=hotspot protocol=tcp action=jump hotspot=auth jump-target=hs-auth

-nd packets from the authoriEed clients - through the hs-auth chain
7 D ;;; www.mikrotik.com
chain=hs-unauth dst-address=159.148.147.196 protocol=tcp dst-port=80
action=return

/irst in the hs-unauth chain is put e*erything that affects T& protocol in the "ip hotspot
walled-garden ip su"menu 'i.e., e*erything where either protocol is not set, or set to
T&+. Bere we are e,cluding www.mikrotik.com from "eing redirected to the login page.
8 D chain=hs-unauth protocol=tcp dst-port=80 action=redirect to-ports=64874

-ll other BTT re#uests are redirected to the $alled 9arden pro,y ser*er which listens the
4D5SD port. If there is an allow entry in the "ip hotspot walled-garden menu for an
BTT re#uest, it is "eing forwarded to the destination. Otherwise, the re#uest will "e
automatically redirected to the BotSpot login ser*let 'port 4D5SF+.

BotSpot "y default assumes that only these ports may "e used for BTT pro,y re#uests.
These two entries are used to <catch< client re#uests to unknown pro,ies. I.e., to make it
possi"le for the clients with unknown pro,y settings to work with the BotSpot system. This
feature is called <?ni*ersal ro,y<. If it is detected that a client is using some pro,y ser*er,
the system will automatically mark that packets with the http hotspot mark to work around
the unknown pro,y pro"lem, as we will see later on. (ote that the port used '4D5SD+ is the
same as for BTT re#uests in the rule R5 'so "oth BTT and BTT pro,y re#uests are
processed "y the same code+.

BTTS pro,y is listening on the 4D5S> port
12 D chain=hs-unauth protocol=tcp dst-port=25 action=jump jump-target=hs-smtp
141

Redirect for SMT protocol may also "e defined in the BotSpot configuration. In case it is, a
redirect rule will "e put in the hs-smtp chain. This is done so that users with unknown
SMT configuration would "e a"le to send their mail through the ser*ice pro*ider:s 'your+
SMT ser*er instead of going to Tpossi"ly una*aila"le outside their network of originU the
SMT ser*er users ha*e configured in their computers.
13 D chain=hs-auth protocol=tcp hotspot=http action=redirect to-ports=64874

ro*iding BTT pro,y ser*ice for authoriEed users. -uthenticated user re#uests may need to
"e su"7ect to the transparent pro,ying 'the <?ni*ersal ro,y< techni#ue and for the
ad*ertisement feature+. This http mark is put automatically on the BTT pro,y re#uests to
the ser*ers detected "y the BotSpot BTT pro,y 'the one that is listening on the 4D5SD
port+ to "e BTT pro,y re#uests to unknown pro,y ser*ers. This is done so that users that
ha*e some pro,y settings would use the BotSpot gateway instead of the Tpossi"ly
una*aila"le outside their network of originU pro,y ser*er users ha*e configured in their
computers. The mark is as well put on any BTT re#uests done form the users whoose
profile is configured to transparently pro,y their re#uests.
14 D chain=hs-auth protocol=tcp dst-port=25 action=jump jump-target=hs-smtp

ro*iding SMT pro,y for authoriEed users 'the same as in rule R13+
Pac,et (ilter rules
/rom "ip firewall filter print dynamic command, you can get something like this
'comments follow after each of the rules+:
0 D chain=forward hotspot=from-client,!auth action=jump jump-target=hs-unauth

-ny packet that tra*erse the router from unauthoriEed client will "e sent to the hs-unauth
chain. The hs-unauth implements the I-"ased $alled 9arden filter.
1 D chain=forward hotspot=to-client,!auth action=jump jump-target=hs-unauth-to

%*erything that comes to clients through the router, gets redirected to another chain, called
hs-unauth-to. This chain should re7ect unauthoriEed re#uests to the clients
2 D chain=input hotspot=from-client action=jump jump-target=hs-input

%*erything that comes from clients to the router itself, gets to another chain, called hs-
input.
3 D chain=hs-input protocol=udp dst-port=64872 action=accept
4 D chain=hs-input protocol=tcp dst-port=64872-64875 action=accept

-llow client access to the local authentication and pro,y ser*ices 'as descri"ed earlier+
5 D chain=hs-input hotspot=!auth action=jump jump-target=hs-unauth

142
-ll other traffic from unauthoriEed clients to the router itself will "e treated the same way as
the traffic tra*ersing the routers
6 D chain=hs-unauth protocol=icmp action=return
7 D ;;; www.mikrotik.com
chain=hs-unauth dst-address=159.148.147.196 protocol=tcp dst-port=80
action=return

?nlike (-T ta"le where only T&-protocol related $alled 9arden entries were added, in the
packet filter hs-unauth chain is added e*erything you ha*e set in the "ip hotspot walled-
garden ip menu. That is why although you ha*e seen only one entry in the (-T ta"le,
there are two rules here.
8 D chain=hs-unauth protocol=tcp action=reject reject-with=tcp-reset
9 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited

%*erything else that has not "een while-listed "y the $alled 9arden will "e re7ected. (ote
usage of T& Reset for re7ecting T& connections.
10 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited

Re7ect all packets to the clients with I&M re7ect message
Custoi/ing ;ot"pot7 ;22P "er%let Pages
Description
@ou can create a completely different set of ser*let pages for each BotSpot ser*er you ha*e,
specifying the directory it will "e stored in html-directory property of a BotSpot ser*er
profile '"ip hotspot profile+. The default ser*let pages are copied in the directory of your
choice right after you create the profile. This directory can "e accessed "y connecting to the
router with an /T client. @ou can modify the pages as you like using the information from
this section of the manual.
!%aila0le "er%let Pages
Main BTMI ser*let pages, which are shown to user:
redirect!html - redirects user to another url 'for e,ample, to login page+
login!html - login page shown to a user to ask for username and password. This
page may take the following parameters:
o username - username
o password - either plain-te,t password 'in case of - authentication+ or
M!> hash of chap-id *aria"le, password and &B- challenge 'in case of
&B- authentication+
o dst - original ?RI re#uested "efore the redirect. This will "e opened on
successfull login
o popup - whether to pop-up a status window on successfull login
o radiusPidQ - send the attri"ute identified with CidN in te,t string form to
the R-!I?S ser*er 'in case R-!I?S authentication is used= lost otherwise+
o radiusPidQu - send the attri"ute identified with CidN in unsigned form to
the R-!I?S ser*er 'in case R-!I?S authentication is used= lost otherwise+
143
o radiusPidQ-P4nd-idQ - send the attri"ute identified with CidN and *endor
I! C*nd-idN in te,t string form to the R-!I?S ser*er 'in case R-!I?S
authentication is used= lost otherwise+
o radiusPidQ-P4nd-idQu - send the attri"ute identified with CidN and *endor
I! C*nd-idN in unsigned form to the R-!I?S ser*er 'in case R-!I?S
authentication is used= lost otherwise+
md?!3s - Ja*aScript for M!> password hashing. ?sed together with http-chap login
method
alogin.html - page shown after client has logged in. It pops-up status page and
redirects "rowser to originally re#uested page '"efore he.she was redirected to the
BotSpot login page+
status!html - status page, shows statistics for the client
logout!html - logout page, shown after user is logged out. Shows final statistics
a"out the finished session. This page may take the folllowing additional parameters:
o erase-cookie - whether to erase cookies from the BotSpot ser*er on logout
'makes impossi"le to log in with cookie ne,t time from the same "rowser,
might "e useful in multiuser en*ironments+
error!html - error page, shown on fatal errors only
Some other pages are a*aila"le as well, if more control is needed:
rlogin!html - page, which redirects client from some other ?RI to the login page, if
authoriEation of the client is re#uired to access that ?RI
rstatus!html - similarly to rlogin.html, only in case if the client is already logged in
and the original ?RI is not known
flogin!html - shown instead of login.html, if some error has happened 'in*alid
username or password, for e,ample+
fstatus!html - shown instead of redirect, if status page is re#uested, "ut client is
not logged in
flogout!html - shown instead of redirect, if logout page is re#uested, "ut client is
not logged in
"er%ing "er%let Pages
The BotSpot ser*let recogniEes > different re#uest types:
1. re#uest for a remote host
o if user is logged in, the re#uested page is ser*ed
o if user is not logged in, "ut the destination host is allowed "y walled garden,
then the re#uest is also ser*ed
o if user is not logged in, and the destination host is disallowed "y walled
garden, rlogin!html is displayed= if rlogin!html is not found, redirect!html
is used to redirect to the login page
3. re#uest for <.< on the BotSpot host
o if user is logged in, rstatus!html is displayed= if rstatus!html is not found,
redirect!html is used to redirect to the status page
o if user is not logged in, rlogin!html is displayed= if rlogin!html is not found,
redirect!html is used to redirect to the login page
F. re#uest for <.login< page
o if user has successfully logged in 'or is already logged in+, alogin!html is
displayed= if alogin!html is not found, redirect!html is used to redirect to
the originally re#uested page or the status page 'in case, original destination
page was not gi*en+
o if user is not logged in 'username was not supplied, no error message
appeared+, login!html is showed
144
o if login procedure has failed 'error message is supplied+, flogin!html is
displayed= if flogin!html is not found, login!html is used
o in case of fatal errors, error!html is showed
D. re#uest for <.status< page
o if user is logged in, status!html is displayed
o if user is not logged in, fstatus!html is displayed= if fstatus!html is not
found, redirect!html is used to redirect to the login page
>. re#uest for :.logout: page
o if user is logged in, logout!html is displayed
o if user is not logged in, flogout!html is displayed= if flogout!html is not
found, redirect!html is used to redirect to the login page
Note that if it is not possi"le to meet a re#uest using the pages stored on the router:s /T
ser*er, %rror D6D is displayed
There are many possi"ilities to customiEe what the BotSpot authentication pages look like:
The pages are easily modifia"le. They are stored on the router:s /T ser*er in the
directory you choose for the respecti*e BotSpot ser*er profile.
8y changing the *aria"les, which client sends to the BotSpot ser*let, it is possi"le to
reduce keyword count to one 'username or password= for e,ample, the client:s M-&
address may "e used as the other *alue+ or e*en to Eero 'Iicense -greement= some
predefined *alues general for all users or client:s M-& address may "e used as
username and password+
Registration may occur on a different ser*er 'for e,ample, on a ser*er that is a"le to
charge &redit &ards+. &lient:s M-& address may "e passed to it, so that this
information need not "e written in manually. -fter the registration, the ser*er may
change R-!I?S data"ase ena"ling client to log in for some amount of time.
To insert *aria"le in some place in BTMI file, the \'*arAname+ synta, is used, where the
<*arAname< is the name of the *aria"le 'without #uotes+. This construction may "e used in
any BotSpot BTMI file accessed as :.:, :.login:, :.status: or :.logout:, as well as any te,t or
BTMI file stored on the BotSpot ser*er. /or e,ample, to show a link to the login page,
following construction can "e used:
<a href="$(link-login)">login</a>
)aria0les
-ll of the Ser*let BTMI pages use *aria"les to show user specific *alues. Garia"le names
appear only in the BTMI source of the ser*let pages - they are automatically replaced with
the respecti*e *alues "y the BotSpot Ser*let. /or each *aria"le there is an e,ample of its
possi"le *alue included in "rackets. -ll the descri"ed *aria"les are *alid in all ser*let pages,
"ut some of them 7ust might "e empty at the time they are accesses 'for e,ample, there is
no uptime "efore a user has logged in+.
&ommon ser*er *aria"les:
o hostname - !(S name or I address 'if !(S name is not gi*en+ of the
BotSpot Ser*let '<hotspot.e,ample.net<+
o identity - RouterOS identity name '<MikroTik<+
o login-#y - authentication method used "y user
o plain-passwd - a <yes.no< representation of whether BTT-- login method
is allowed '<no<+
o ser4er-address - BotSpot ser*er address '<16.>.>6.1:56<+
o ser4er-name - name of hotspot ser*er
o ssl-login - a <yes.no< representation of whether BTTS method was used to
access that ser*let page '<no<+
145
o ser4er-name - BotSpot ser*er name 'set in the "ip hotspot menu, as the
name property+
o interface-name - physical BotSpot interface name 'in case of "ridged
interfaces, this will return the actual "ridge port name+
Iinks:
o link-login - link to login page including original ?RI re#uested
'<http:..16.>.>6.1.login[dst0http:..www.e,ample.com.<+
o link-login-plain - link to login page, not including original ?RI re#uested
'<http:..16.>.>6.1.login<+
o link-logout - link to logout page '<http:..16.>.>6.1.logout<+
o link-status - link to status page '<http:..16.>.>6.1.status<+
o link-orig - original ?RI re#uested '<http:..www.e,ample.com.<+
9eneral client information
o domain - domain name of the user '<mt.l*<+
o interface-name - name of the physical interface, on which client is
connected 'in case of "ridge, it will contain the name of "ridge port+
o ip - I address of the client '<16.>.>6.3<+
o logged-in - <yes< if the user is logged in, otherwise - <no< '<yes<+
o mac - M-& address of the user '<61:3F:D>:4S:52:-8<+
o trial - a <yes.no< representation of whether the user has access to trial time.
If users trial time has e,pired, the *alue is <no<
o username - the name of the user '<John<+
?ser status information:
o idle-timeout - idle timeout '<36m< or << if none+
o idle-timeout-secs - idle timeout in seconds '<55< or <6< if there is such
timeout+
o limit-#ytes-in - "yte limit for send '<1666666< or <---< if there is no limit+
o limit-#ytes-out - "yte limit for recei*e '<1666666< or <---< if there is no
limit+
o refresh-timeout - status page refresh timeout '<1mF6s< or << if none+
o refresh-timeout-secs - status page refresh timeout in seconds '<26s< or <6<
if none+
o session-timeout - session time left for the user '<>h< or << if none+
o session-timeout-secs - session time left for the user, in seconds '<FDS>< or
<6< if there is such timeout+
o session-time-left - session time left for the user '<>h< or << if none+
o session-time-left-secs - session time left for the user, in seconds '<FDS><
or <6< if there is such timeout+
o uptime - current session uptime '<16h3mFFs<+
o uptime-secs - current session uptime in seconds '<13><+
Traffic counters, which are a*aila"le only in status page:
o #ytes-in - num"er of "ytes recei*ed from the user '<1>D3F<+
o #ytes-in-nice - user-friendly form of num"er of "ytes recei*ed from the user
'<1>D3F<+
o #ytes-out - num"er of "ytes sent to the user '<11F>3<+
o #ytes-out-nice - user-friendly form of num"er of "ytes sent to the user
'<11F>3<+
o packets-in - num"er of packets recei*ed from the user '<3>1<+
o packets-out - num"er of packets sent to the user '<311<+
o remain-#ytes-in - remaining "ytes until limit-"ytes-in will "e reached
'<FFSD4>< or <---< if there is no limit+
o remain-#ytes-out - remaining "ytes until limit-"ytes-out will "e reached
'<13DD>>< or <---< if there is no limit+
Miscellaneous *aria"les
o session-id - *alue of :session-id: parameter in the last re#uest
146
o 4ar - *alue of :*ar: parameter in the last re#uest
o error - error message, if something failed '<in*alid username or password<+
o error-orig - original error message 'without translations retrie*ed from
errors!t5t+, if something failed '<in*alid username or password<+
o chap-id - *alue of chap I! '<]FS1<+
o chap-challenge - *alue of chap challenge
'<]F>S]61>]FF6]61F]631]3FD]1D>]3D>]F6F]3>F]1D3]3D4]1FF]1S>]FS>]F14<
+
o popup - whether to pop-up check"o, '<true< or <false<+
o ad4ert-pending - whether an ad*ertisement is pending to "e displayed
'<yes< or <no<+
R-!I?S-related *aria"les
o radiusPidQ - show the attri"ute identified with CidN in te,t string form 'in
case R-!I?S authentication was used= << otherwise+
o radiusPidQu - show the attri"ute identified with CidN in unsigned form 'in
case R-!I?S authentication was used= <6< otherwise+
o radiusPidQ-P4nd-idQ - show the attri"ute identified with CidN and *endor
I! C*nd-idN in te,t string form 'in case R-!I?S authentication was used= <<
otherwise+
o radiusPidQ-P4nd-idQu - show the attri"ute identified with CidN and *endor
I! C*nd-idN in unsigned form 'in case R-!I?S authentication was used= <6<
otherwise+
3or,ing #ith %aria0les
$(if <var_name>) statements can "e used in theses pages. /ollowing content will "e
included, if *alue of C*arAnameN will not "e an empty string. It is an e#ui*alent to $(if
<var_name> != "") It is possi"le to compare on e#ui*alence as well: $(if
<var_name> == <value>) These statements ha*e effect until $(elif <var_name>), $
(else) or $(endif). In general case it looks like this:
some content, which will always be displayed
$(if username == john)
Hey, your username is john
$(elif username == dizzy)
Hello, Dizzy! How are you? Your administrator.
$(elif ip == 10.1.2.3)
You are sitting at that crappy computer, which is damn slow...
$(elif mac == 00:01:02:03:04:05)
This is an ethernet card, which was stolen few months ago...
$(else)
I don't know who you are, so lets live in peace.
$(endif)
other content, which will always be displayed

Only one of those e,pressions will "e shown. $hich one - depends on *alues of those
*aria"les for each client.
Custoi/ing Error Messages
-ll error messages are stored in the errors!t5t file within the respecti*e BotSpot ser*let
directory. @ou can change and translate all these messages to your nati*e language. To do
so, edit the errors!t5t file. @ou can also use *aria"les in the messages. -ll instructions are
gi*en in that file.
Multiple )ersions o( ;ot"pot Pages
147
Multiple hotspot page sets for the same hotspot ser*er are supported. They can "e chosen
"y user 'to select language+ or automatically "y Ja*aScript 'to select !-.regular *ersion of
BTMI pages+.
To utiliEe this feature, create su"directories in BotSpot BTMI directory, and place those
BTMI files, which are different, in that su"directory. /or e,ample, to translate e*erything in
Iat*ian, su"directory <l*< can "e created with login.html, logout.html, status.html,
alogin.html, rad*ert.html and errors.t,t files, which are translated into Iat*ian. If the
re#uested BTMI page can not "e found in the re#uested su"directory, the corresponding
BTMI file from the main directory will "e used. Then main login.html file would contain link
to <.l*.login[dst0\'link-orig-esc+<, which then displays Iat*ian *ersion of login page: <a
href="/lv/login?dst=$(link-orig-esc)">Latviski</a> . -nd Iat*ian *ersion would
contain link to %nglish *ersion: <a href="/login?dst=$(link-orig-esc)">English</a>
-nother way of referencing directories is to specify :target: *aria"le:
<a href="$(link-login-only)?dst=$(link-orig-esc)&target=lv">Latviski</a>
<a href="$(link-login-only)?dst=$(link-orig-esc)&target=%2F">English</a>

-fter preferred directory has "een selected 'for e,ample, <l*<+, all links to local BotSpot
pages will contain that path 'for e,ample, $(link-status) =
"http://hotspot.mt.lv/lv/status"+. So, if all hotspot pages reference links using <\
'link-,,,+< *aria"les, then no more changes are to "e made - each client will stay within the
selected directory all the time.
Notes
If you want to use BTT-&B- authentication method it is supposed that you include the
do2oginDE function 'which references to the md?!3s which must "e already loaded+ "efore
the 1u#mit action of the login form. Otherwise, &B- login will fail.
The resulting password to "e sent to the BotSpot gateway in case of BTT-&B- method, is
formed M!>-hashing the concatenation of the following: chap-id, the password of the user
and chap-challenge 'in the gi*en order+
In case if *aria"les are to "e used in link directly, then they must "e escaped accordingly.
/or e,ample, in login page, Ca href0<https:..login.e,ample.com.login[mac0\
'mac+_user0\'username+<NlinkC.aN will not work as intended, if username will "e
<13F_D>401 3<. In this case instead of \'user+, its escaped *ersion must "e used: \'user-
esc+: Ca href0<https:..login.ser*er.ser*.login[mac0\'mac-esc+_user0\'user-
esc+<NlinkC.aN. (ow the same username will "e con*erted to <13FQ34D>4QF!1O3<,
which is the *alid representation of <13F_D>401 3< in ?RI. This trick may "e used with any
*aria"les, not only with \'username+.
There is a "oolean parameter <erase-cookie< to the logout page, which may "e either <on<
or <true< to delete user cookie on logout 'so that the user would not "e automatically logged
on when he.she opens a "rowser ne,t time.
Exaple
$ith "asic BTMI language knowledge and the e,amples "elow it should "e easy to
implement the ideas descri"ed a"o*e.
To pro*ide predefined *alue as username, in login.html change:
148
<type="text" value="$(username)>
to this line:
<input type="hidden" name="user" value="hsuser">
'where hsuser is the username you are pro*iding+
To pro*ide predefined *alue as password, in login.html change:
<input type="password">
to this line:
<input type="hidden" name="password" value="hspass">
'where hspass is the password you are pro*iding+
To send client:s M-& address to a registration ser*er in form of:
https://www.server.serv/register.html?mac=XX:XX:XX:XX:XX:XX
change the Iogin "utton link in login.html to:
https://www.server.serv/register.html?mac=$(mac)
'you should correct the link to point to your ser*er+
To show a "anner after user login, in alogin.html after
$(if popup == 'true')
add the following line:
open('http://your.web.server/your-banner-page.html', 'my-banner-name','');
'you should correct the link to point to the page you want to show+
To choose different page shown after login, in login.html change:
<input type="hidden" name="dst" value="$(link-orig)">
to this line:
<input type="hidden" name="dst" value="http://your.web.server">
'you should correct the link to point to your ser*er+
To erase the cookie on logoff, in the page containing link to the logout 'for e,ample,
in status.html+ change:
open('$(link-logout)', 'hotspot_logout', ...
to this:
open('$(link-logout)?erase-cookie=on', 'hotspot_logout', ...
149
or alternati*ely add this line:
<input type="hidden" name="erase-cookie" value="on">
"efore this one:
<input type="submit" value="log off">
-n another e,ample is making BotSpot to authenticate on a remote ser*er 'which may, for
e,ample, perform creditcard charging+:
-llow direct access to the e,ternal ser*er in walled-garden 'either BTT-"ased, or I-
"ased+
Modify login page of the BotSpot ser*let to redirect to the e,ternal authentication
ser*er. The e,ternal ser*er should modify R-!I?S data"ase as needed
Bere is an e,ample of such a login page to put on the BotSpot router 'it is
redirecting to https:..auth.e,ample.com.login.php, replace with the actual address
of an e,ternal authentication ser*er+:
<html>
<title>...</title>
<body>
<form name="redirect" action="https://auth.example.com/login.php"
method="post">
<input type="hidden" name="mac" value="$(mac)">
<input type="hidden" name="ip" value="$(ip)">
<input type="hidden" name="user" value="$(username)">
<input type="hidden" name="link-login" value="$(link-login)">
<input type="hidden" name="link-orig" value="$(link-orig)">
<input type="hidden" name="error" value="$(error)">
</form>
<script language="JavaScript">

</script>
</body>
</html>

The e,ternal ser*er can log in a BotSpot client "y redirecting it "ack to the original
BotSpot ser*let login page, specifying the correct username and password
Bere is an e,ample of such a page 'it is redirecting to
https:..hotspot.e,ample.com.login, replace with the actual address of a BotSpot
router= also, it is displaying www.mikrotik.com after successful login, replace with
what needed+:
<html>
<title>Hotspot login page</title>
<body>
<form name="login" action="https://hotspot.example.com/login" method="post">
<input type="text" name="username" value="demo">
<input type="password" name="password" value="none">
<input type="hidden" name="domain" value="">
<input type="hidden" name="dst" value="http://www.mikrotik.com/">
<input type="submit" name="login" value="log in">
</form>
</body>
</html>

150
Botspot will ask R-!I?S ser*er whether to allow the login or not. If not allowed,
alogin.html page will "e displayed 'it can "e modified to do anything)+. If not
allowed, flogin.html 'or login.html+ page will "e displayed, which will redirect client
"ack to the e,ternal authentication ser*er.
(ote: as shown in these e,amples, BTTS protocol and OST method can "e used to
secure communications.
Possi0le Error Messages
Description
There are two kinds of errors: fatal non-fatal. /atal errors are shown on a separate BTMI
page called error.html. (on-fatal errors are "asically indicating incorrect user actions and
are shown on the login form.
9eneral non-fatal errors:
You are not logged in - trying to access the status page or log off while not logged
in. 1olution: log in
already authori6ing, retry later - authoriEation in progress. &lient already has
issued an authoriEation re#uest which is not yet complete. 1olution: wait for the
current re#uest to "e completed, and then try again
chap-missing + we# #rowser did not send challenge response Dtry again,
ena#le Za4a1criptE - trying to log in with BTT-&B- method using M!> hash, "ut
BotSpot ser*er does not know the challenge used for the hash. This may happen if
you use 8-&K "uttons in "rowser= if Ja*aScript is not ena"led in we" "rowser= if
login!html page is not *alid= or if challenge *alue has e,pired on ser*er 'more than
1h of inacti*ity+. 1olution: instructing "rowser to reload 'refresh+ the login page
usually helps if Ja*aScript is ena"led and login!html page is *alid
in4alid username DWDusernameEEH this M@C address is not yours - trying to log
in using a M-& address username different from the actual user:s M-& address.
1olution: no - users with usernames that look like a M-& address 'eg.,
13:FD:>4:S5:2a:"c+ may only log in from the M-& address specified as their user
name
session limit reached DWDerror-origEE - depending on licence num"er of acti*e
hotspot clients is limited to some num"er. The error is displayed when this limit is
reached. 1olution: try to log in later when there will "e less concurrent user
sessions, or "uy an another license that allows more simultaneous sessions
hotspot ser4ice is shutting down - RouterOS is currently "eing restarted or shut
down. 1olution: wait until the ser*ice will "e a*aila"le again
9eneral fatal errors:
internal error DWDerror-origEE - this should ne*er happen. If it will, error page will
"e shown displaying this error message 'error-orig will descri"e what has happened+.
1olution: correct the error reported
configuration error DWDerror-origEE - the BotSpot ser*er is not configured
properly 'error-orig will descri"e what has happened+. 1olution: correct the error
reported
cannot assign ip address - no more free addresses from pool - una"le to get
an I address from an I pool as there is no more free I addresses in that pool.
1olution: make sure there is a sufficient amount of free I addresses in I pool
Iocal BotSpot user data"ase non-fatal errors:
151
in4alid username or password - self-e,planatory
user WDusernameE is not allowed to log in from this M@C address - trying to
log in from a M-& address different from specified in user data"ase. 1olution: log in
from the correct M-& address or take out the limitation
user WDusernameE has reached uptime limit - self-e,planatory
user WDusernameE has reached traffic limit - either limit-#ytes-in or limit-
#ytes-out limit is reached
no more sessions are allowed for user WDusernameE - the shared-users limit
for the user:s profile is reached. 1olution: wait until someone with this username
logs out, use different login name or e,tend the shared-users limit
R-!I?S client non-fatal errors:
in4alid username or password - R-!I?S ser*er has re7ected the username and
password sent to it without specifying a reason. Cause: either wrong username
and.or password, or other error. 1olution: should "e clarified in R-!I?S ser*er:s log
files
PerrorMmessageMsentM#yMradiusMser4erQ - this may "e any message 'any te,t
string+ sent "ack "y R-!I?S ser*er. &onsult with your R-!I?S ser*er:s
documentation for further information
R-!I?S client fatal errors:
R@C,B1 ser4er is not responding - user is "eing authenticated "y R-!I?S ser*er,
"ut no response is recei*ed from it. 1olution: check whether the R-!I?S ser*er is
running and is reacha"le from the BotSpot router
;ot"pot ;o#-to:s
Description
This section will focus on some simple e,amples of how to use your BotSpot system, as well
as gi*e some useful ideas.
"etting up https authori/ation
-t first certificate must "e present with decrypted pri*ate key:
[admin@MikroTik] > /certificate print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
0 KR name="hotspot.example.net"
subject=C=LV,L=Riga,O=MT,OU=dev,CN=hotspot.example.net,
emailAddress=admin@hotsot.example.net
issuer=C=LV,L=Riga,O=MT,OU=dev,CN=hotsot.example.net,
emailAddress=admin@hotsot.example.net
serial-number="0" email=admin@hotsot.example.net
invalid-before=oct/27/2004 11:43:22 invalid-after=oct/27/2005 11:43:22
ca=yes

Then we can use that certificate for hotspot:
/ip hotspot profile set default login-by=cookie,http-chap,https \
ssl-certificate=artis.hotspot.mt.lv

-fter that we can see, that BTTS is running on hotspot interface:
152
[admin@MikroTik] > /ip hotspot print
Flags: X - disabled, I - invalid, S - HTTPS
# NAME INTERFACE ADDRESS-POOL PROFILE IDLE-TIMEOUT
0 S hs-local local default 00:05:00

Bypass hotspot (or soe de%ices in hotspot net#or,
-ll I "inding entries with type property set to #ypassed, will not "e asked to authoriEe - it
means that they will ha*e login-free access:
[admin@MikroTik] ip hotspot ip-binding> print
Flags: X - disabled, P - bypassed, B - blocked
# MAC-ADDRESS ADDRESS TO-ADDRESS SERVER
0 P 10.11.12.3

If all fields has "een filled in the ip-"inding ta"le and type has "een set to #ypassed, then
the I address of this entry will "e accessi"le from pu"lic interfaces immediately:
[admin@MikroTik] ip hotspot ip-binding> print
Flags: X - disabled, P - bypassed, B - blocked
# MAC-ADDRESS ADDRESS TO-ADDRESS SERVER
0 P 10.11.12.3
1 P 00:01:02:03:04:05 10.11.12.3 10.11.12.3 hs-local
[admin@MikroTik] ip hotspot ip-binding> .. host print
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed
# MAC-ADDRESS ADDRESS TO-ADDRESS SERVER IDLE-TIMEOUT
0 SB 00:01:02:03:04:05 10.11.12.3 10.11.12.3 hs-local
Ie# Pro5y
Document revision: 1.2 (Tue M$% 16 14:04:40 GMT 2006)
Applies to: V2.9
&eneral 'n(oration
"uary
The MikroTik RouterOS implements the following pro,y ser*er features:
Regular BTT pro,y
Transparent pro,y. &an "e transparent and regular at the same time
-ccess list "y source, destination, ?RI and re#uested method
&ache access list 'specifies which o"7ects to cache, and which not+
!irect -ccess Iist 'specifies which resources should "e accessed directly, and which -
through another pro,y ser*er+
Iogging facility
9uic, "etup &uide
To set up a 1 9i8 large we" cache which will listen on port 5666, do the following:
[admin@MikroTik] ip web-proxy> set enabled=yes port=8000 max-cache-size=1048576
[admin@MikroTik] ip web-proxy> print
enabled: yes
src-address: 0.0.0.0
153
port: 8000
hostname: proxy
transparent-proxy: no
parent-proxy: 0.0.0.0:0
cache-administrator: webmaster
max-object-size: 4096 KiB
cache-drive: system
max-cache-size: 1048576 KiB
max-ram-cache-size: unlimited
status: rebuilding-cache
reserved-for-cache: 9216 KiB
reserved-for-ram-cache: 2048 KiB
[admin@MikroTik] ip web-proxy>
Remem"er to secure your pro,y "y pre*enting unauthoriEed access to it, otherwise it may
"e used as an open pro,y.
"peci(ications
ackages re#uired: #e0-proxy
Iicense re#uired: Level(
Su"menu le*el: /ip #e0-proxy
Standards and Technologies: BTT.1.6, BTT.1.1, /T
Bardware usage: uses memory and disk space* if availa&le %see description &elow'
Related Docuents
I -ddresses and -R
Iog Management
Description
$e" pro,y performs Internet o"7ect cache function "y storing re#uested Internet o"7ects,
i.e., data a*aila"le *ia BTT and /T protocols on a system positioned closer to the recipient
than the site the data is originated from. Bere :closer: means increased path relia"ility,
speed or "oth. $e" "rowsers can then use the local pro,y cache to speed up access and
reduce "andwidth consumption.
$hen setting up $e" pro,y, make sure it ser*es only your clients, and is not misused as
relay. lease read the security notice in the -ccess Iist Section)
(ote that it may "e useful to ha*e $e" pro,y running e*en with no cache when you want to
use it as something like BTT and /T firewall 'for e,ample, denying access to mpF files+ or
to redirect re#uests to e,ternal pro,y transparently.
"etup
Su"menu le*el: /ip #e0-proxy
cache-administrator 'text= default: we#master+ - administrator:s e-mail displayed on
pro,y error page
154
cache-dri4e 'system ; name= default: system+ - specifies the target disk dri*e to "e used
for storing cached o"7ects. @ou can use console completion to see the list of a*aila"le dri*es
ena#led 'yes ; no= default: no+ - specifies whether the we" pro,y is ena"led
hostname 'text= default: pro5y+ - hostname '!(S or I address+ of the we" pro,y
ma5-cache-si6e 'none ; unlimited ; integer: 6..D32D24S32>= default: none+ - specifies
the ma,imal disk cache siEe, measured in ki"i"ytes
ma5-o#3ect-si6e 'integer= default: *&(+ - o"7ects larger than the siEe specified will not
"e sa*ed on disk. The *alue is measured in ki"i"ytes. If you wish to get a high "ytes hit
ratio, you should pro"a"ly increase this 'one 3 Mi8 o"7ect hit counts for 36D5 1Ki8 hits+. If
you wish to increase speed more than your want to sa*e "andwidth you should lea*e this
low
ma5-ram-cache-si6e 'none ; unlimited ; integer: 6..D32D24S32>= default: unlimited+ -
specifies the ma,imal memory cache siEe, measured in ki"i"ytes
parent-pro5y 'IP address:port= default: !!!H+ - specifies upper-le*el 'parent+ pro,y
port 'portV1,16W= default: 0%')+ - specifies the port's+ the we" pro,y will "e listening on
reser4ed-for-cache 'read-only: integer= default: + - specifies allocated memory cache
siEe, measured in ki"i"ytes
reser4ed-for-ram-cache 'read-only: integer= default: '*)+ - specifies allocated memory
cache siEe, measured in ki"i"ytes
src-address 'IP address= default: !!!+ - the we"-pro,y will use this address
connecting to the parent pro,y or we" site.
!!! - appropriate src-address will "e automatically taken from the routing ta"le
status 'read-only: text= default: stopped+ - display status information of the pro,y ser*er
stopped - pro,y is disa"led and is not running
re#uilding-cache - pro,y is ena"led and running, e,isting cache is "eing *erified
running - pro,y is ena"led and running
stopping - pro,y is shutting down 'ma, 16s+
clearing-cache - pro,y is stopped, cache files are "eing remo*ed
creating-cache - pro,y is stopped, cache directory structure is "eing created
dns-missing - pro,y is ena"led, "ut not running "ecause of unknown !(S ser*er 'you should specify it
under "ip dns+
in4alid-address - pro,y is ena"led, "ut not running "ecause of in*alid address 'you should change address
or port+
in4alid-cache-administrator - pro,y is ena"led, "ut not running "ecause of in*alid cache-administrator:s
e-mail address
in4alid-hostname - pro,y is ena"led, "ut not running "ecause of in*alid hostname 'you should set a *alid
hostname *alue+
error-logged - pro,y is not running "ecause of unknown error. This error is logged as System-%rror.
lease, send us this error and some description, how it happened
reser4ed-for-cache DintegerE - ma,imal cache siEe, that is accessi"le to we"-pro,y
transparent-pro5y 'yes ; no= default: no+ - specifies whether the pro,y uses transparent
mode or not
Notes
8y default the pro,y cache can use as much disk space as there is allocated for it. $hen the
system allocates the space for the pro,y cache, 1.Sth of the total partition 'disk+ siEe is
reser*ed for the system, "ut not less than >6M8. The rest is left for the pro,y cache. The
system R-M siEe is considered as well when allocating the cache siEe. The cache siEe is
limited so, that there are at least 1>M8 of R-M per 198 of cache plus >>M8 of R-M is
reser*ed for the system. ma5-cache-si6e is also taken in account, so the cache will not
occupy more than it is specified in this property. The effecti*e limit is calculated as a
minimum of all three limits. (ote also that RouterOS supports up to 2>6M8 of memory.
&onsidering the pre*ious note, you should "e aware that you will not "e a"le to ena"le we"
pro,y, if you ha*e less than 46M8 of R-M on your router
%,pire time of cache entries can "e different for each BTMI page 'specified in headers+. 8ut,
if there is no such header, the entry will "e considered fresh for not more than S3 hours.
155
The we" pro,y listens to all I addresses that the router has in its I address list.
Exaple
To ena"le the pro,y on port 5656:
[admin@MikroTik] ip web-proxy> set enabled=yes port=8080
[admin@MikroTik] ip web-proxy> print
enabled: yes
src-address: 0.0.0.0
port: 8080
hostname: proxy
transparent-proxy: no
parent-proxy: 0.0.0.0:0
cache-administrator: webmaster
max-object-size: 4096 KiB
cache-drive: system
max-cache-size: none
max-ram-cache-size: unlimited
status: running
reserved-for-cache: 0 KiB
reserved-for-ram-cache: 2048 KiB
[admin@MikroTik] ip web-proxy>
!ccess *ist
Su"menu le*el: /ip #e0-proxy access
Description
-ccess list is configured in the same way as MikroTik RouterOS firewall rules. Rules are
processed from the top to the "ottom. /irst matching rule specifies decision of what to do
with this connection. There is a total of 4 classifiers that specify matching constraints. If
none of these classifiers is specified, the particular rule will match e*ery connection.
If connection is matched "y a rule, action property of this rule specifies whether connection
will "e allowed or not. If the particular connection does not match any rule, it will "e
allowed.
8y default, there is one rule, which pre*ents connect re#uests to ports other then **0 and
?(0.
action 'allow ; deny= default: allow+ - specifies whether to pass or deny matched packets
dst-address 'IP address.netmask+ - destination address of the I packet
dst-port 'portV1,16W+ - a list or range of ports the packet is destined to
local-port 'port+ - specifies the port of the we" pro,y *ia which the packet was recei*ed.
This *alue should match one of the ports we" pro,y is listening on.
method 'any ; connect ; delete ; get ; head ; options ; post ; put ; trace+ - BTT method
used in the re#uest 'see BTT Methods section at the end of this document+
src-address 'IP address.netmask+ - source address of the I packet
url 'wildcard+ - the ?RI of the BTT re#uest
Notes
156
There is one rule "y default, that disallows connect method connections to ports other than
**0 'https+ and ?(0 'snews+. connect method is a security hole that allows connections
'transparent tunneling+ to any computer using any protocol. It is used mostly "y spammers,
as they found it *ery con*enient to use others: mail 'SMT+ ser*ers as anonymous mail
relay to send spam o*er the Internet.
It is strongly recommended to deny all I addresses e,cept those "ehind the router as the
pro,y still may "e used to access your internal-use-only 'intranet+ we" ser*ers. -lso,
consult e,amples in /irewall Manual on how to protect your router.
$ildcard property url matches a complete string 'i.e., they will not match <e,ample.com< if
they are set to <e,ample<+. -*aila"le wildcards are :X: 'match any num"er of any
characters+ and :[: 'match any one character+. Regular e,pressions are also accepted here,
"ut if the property should "e treated as a regular e,pression, it should start with a colon
':::+.
Small hits in using regular e,pressions:
VV sym"ol se#uence is used to enter V character in console
V! pattern means ! only 'in regular e,pressions single dot in pattern means any
sym"ol+
to show that no sym"ols are allowed "efore the gi*en pattern, we use > sym"ol at
the "eginning of the pattern
to specify that no sym"ols are allowed after the gi*en pattern, we use W sym"ol at
the end of the pattern
to enter 7 or 8 sym"ols, you should escape them with "ackslash V.
Exaple
The default rule:
[admin@MikroTik] ip web-proxy access> print
0 ;;; allow CONNECT only to SSL ports 443 [https] and 563 [snews]
dst-port=!443,563 method=connect action=deny
[admin@MikroTik] ip web-proxy access>
To disallow download of .MF and .M9 files and /T connections other than from the
%!!!% ser*er:
[admin@MikroTik] ip web-proxy access> add url=":\\.mp\[3g\]$" action=deny
[admin@MikroTik] ip web-proxy access> add src-address=10.0.0.1/32 action=allow
[admin@MikroTik] ip web-proxy access> add url="ftp://*" action=deny
[admin@MikroTik] ip web-proxy access> print
0 ;;; allow CONNECT only to SSL ports 443 [https] and 563 [snews]
dst-port=!443,563 method=connect action=deny
1 url=":\.mp[3g]$" action=deny
2 src-address=10.0.0.1/32 action=allow
3 url="ftp://*" action=deny
[admin@MikroTik] ip web-proxy access>
Direct !ccess *ist
Su"menu le*el: /ip #e0-proxy direct
157
Description
If parent-pro5y property is specified, it is possi"le to tell the pro,y ser*er whether to try to
pass the re#uest to the parent pro,y or to resol*e it connecting to the re#uested ser*er
directly. !irect -ccess Iist is managed 7ust like ro,y -ccess Iist descri"ed in the pre*ious
chapter e,cept the action argument.
action 'allow ; deny= default: allow+ - specifies the action to perform on matched packets
allow - always resol*e matched re#uests directly "ypassing the parent router
deny - resol*e matched re#uests through the parent pro,y. If no one is specified this has the same effect as
allow
used in the re#uest 'see BTT Methods section in the end of this document+
Notes
?nlike the access list, the direct pro,y access list has default action e#ual to deny. It takes
place when no rules are specified or a particular re#uest did not match any rule.
Cache Manageent
Su"menu le*el: /ip #e0-proxy cache
Description
&ache access list specifies, which re#uests 'domains, ser*ers, pages+ ha*e to "e cached
locally "y we" pro,y, and which not. This list is implemented e,actly the same way as we"
pro,y access list. !efault action is to cache o"7ect 'if no matching rule is found+.
action 'allow ; deny= default: allow+ - specifies the action to perform on matched packets
allow - cache o"7ects from matched re#uest
deny - do not cache o"7ects from matched re#uest
used in the re#uest 'see BTT Methods section in the end of this document+
Copleentary 2ools
158
Description
$e" pro,y has additional commands to handle non-system dri*e used for caching purposes
and to reco*er the pro,y from se*ere file system errors.
Coand Description
check-dri4e - checks non-system cache dri*e for errors
clear-cache - deletes e,isting cache and creates new cache directories
format-dri4e - formats non-system cache dri*e and prepairs it for holding the cache
2ransparent Mode
Description
Transparent pro,y feature performs re#uest caching in*isi"ly to the end-user. This way the
user does not notice that his connection is "eing processed "y the pro,y and therefore does
not need to perform any additional configuration of the software he is using.
This feature may as well "e com"ined with "ridge to simplify deployment of we" pro,y in
the e,isting infrastructure.
To ena"le the transparent mode, place a firewall rule in destination (-T, specifying which
connections, id est traffic coming to which ports should "e redirected to the pro,y.
Notes
Only BTT traffic is supported in transparent mode of the we" pro,y. BTTS and /T
protocols are not going to work this way.
Exaple
To configure the router to transparently redirect all connections coming from ether%
interface to port ) to the we" pro,y listening on port )), then add the following
destination (-T rule:
[admin@MikroTik] > /ip firewall nat add in-interface=ether1 dst-port=80 \
\... protocol=tcp action=redirect to-ports=8080 chain=dstnat
[admin@MikroTik] > /ip firewall nat print
0 chain=dstnat protocol=tcp in-interface=ether1 dst-port=80 action=redirect
to-ports=8080
[admin@MikroTik] >
otes
8e aware, that you will not "e a"le to access the router:s we" page after addition of the rule
a"o*e unless you will change the port for the www ser*ice under "ip ser4ice su"menu to
a different *alue or e,plicitly e,clude router:s I address from those to "e matched, like:
/ip firewall nat add in-interface=ether1 dst-port=80 \
\... protocol=tcp action=redirect to-ports=8080 chain=dstnat dst-address=!1.1.1.1/32
It is assumed that the router:s address is %!%!%!%"0'.
159
;22P Methods
Description
1P2'1N"
This method is a re#uest of information a"out the communication options a*aila"le on the
chain "etween the client and the ser*er identified "y the Request-BR,. The method allows
the client to determine the options and 'or+ the re#uirements associated with a resource
without initiating any resource retrie*al
&E2
This method retrie*es whate*er information identified "y the Request-BR,. If the
Request-BR, refers to a data processing process than the response to the .E- method
should contain data produced "y the process, not the source code of the process
procedure'-s+, unless the source is the result of the process.
The .E- method can "ecome a conditional .E- if the re#uest message includes an ,f-
Modified-1ince, ,f-Bnmodified-1ince, ,f-Match, ,f-None-Match, or ,f-Range header
field. The conditional .E- method is used to reduce the network traffic specifying that the
transfer of the entity should occur only under circumstances descri"ed "y conditional header
field'-s+.
The .E- method can "ecome a partial .E- if the re#uest message includes a Range
header field. The partial .E- method intends to reduce unnecessary network usage "y
re#uesting only parts of entities without transferring data already held "y client.
The response to a .E- re#uest is cachea"le if and only if it meets the re#uirements for
BTT caching.
;E!D
This method shares all features of .E- method e,cept that the ser*er must not return a
message-"ody in the response. This retrie*es the metainformation of the entity implied "y
the re#uest which leads to a wide usage of it for testing hyperte,t links for *alidity,
accessi"ility, and recent modification.
The response to a JE@C re#uest may "e cachea"le in the way that the information
contained in the response may "e used to update pre*iously cached entity identified "y that
Request-BR,.
P1"2
This method re#uests that the origin ser*er accept the entity enclosed in the re#uest as a
new su"ordinate of the resource identified "y the Request-BR,.
The actual action performed "y the PA1- method is determined "y the origin ser*er and
usually is Request-BR, dependent.
Responses to PA1- method are not cachea"le, unless the response includes appropriate
Cache-Control or E5pires header fields.
P52
160
This method re#uests that the enclosed entity "e stored under the supplied Request-BR,.
If another entity e,ists under specified Request-BR,, the enclosed entity should "e
considered as updated 'newer+ *ersion of that residing on the origin ser*er. If the
Request-BR, is not pointing to an e,isting resource, the origin ser*er should create a
resource with that ?RI.
If the re#uest passes through a cache and the Request-BR, identifies one or more
currently cached entities, those entries should "e treated as stale. Responses to this method
are not cachea"le.
2R!CE
This method in*okes a remote, application-layer loop-"ack of the re#uest message. The
final recipient of the re#uest should reflect the message recei*ed "ack to the client as the
entity-"ody of a 366 'OK+ response. The final recipient is either the origin ser*er or the first
pro,y or gateway to recei*e a Ma5-Korwards *alue of in the re#uest. - -R@CE re#uest
must not include an entity.
Responses to this method M?ST (OT "e cached.
161

Micro Tik - HowTo

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Micro Tik - HowTo

Uploaded by

Copyright:

Available Formats

Routes, Equal Cost Multipath Routing, Policy Routing

[admin@voip_gw] ip telephony voice-port linejack>

You might also like