MikroTik Router OS V3.0 User Manual
only if the client is also a MikroTik Router
  • 0 - no limits
default-forwarding (yes|no; default: yes) - whether to forward frames to other AP clients or not
disable-running-check (yes|no; default: no) - disable running check. For broken cards it is a good idea to set this value to yes
disabled (yes|no; default: yes) - whether to disable the interface or not
hide-ssid (yes|no; default: no) - whether to hide ssid or not in the beacon frames:
  • yes - ssid is not included in the beacon frames. AP replies only to probe-requests with the given ssid
  • no - ssid is included in beacon frames. AP replies to probe-requests with the given ssid and to broadcast ssid
mac-address (MAC address; default: 02:00:00:AA:00:00) - MAC address of VAP. You can define your own value for mac-address
master-interface (name) - hardware interface to use for VAP
max-station-count (integer; default: 2007) - number of clients that can connect to this AP simultaneously
mtu (integer: 68..1600; default: 1500) - Maximum Transmission Unit
name (name; default: wlanN) - interface name
proprietary-extensions (pre-2.9.25|post-2.9.25; default: post-2.9.25) - the method to insert additional information (MikroTik proprietary extensions) into the wireless frames. This option is needed to work around an incompatibility between the old (pre-2.9.25) method and new Intel Centrino PCI-Express cards
  • pre-2.9.25 - include extensions in the form accepted by older RouterOS versions. This will include the new format as well, so this mode is compatible with all RouterOS versions. This mode is incompatible with wireless clients built on the new Centrino wireless chipset and may as well be incompatible with some other stations
security-profile (text; default: default) - which security profile to use.
Define security profiles under /interface wireless security-profiles, where you can set up WPA or WEP wireless security. For further details, see the Security Profiles section of this manual
ssid (text; default: MikroTik) - the service set identifier
update-stats-interval (time) - how often to update (request from the clients) signal strength and ccq values in /interface wireless registration-table
wds-cost-range (integer; default: 50-150) - range within which the bridge port cost of the WDS links is adjusted. The calculations are based on the p-throughput value of the respective WDS interface, which represents estimated approximate throughput on the interface, which is mapped on the wds-cost-range scale so that bigger p-throughput would correspond to numerically lower port cost. The cost is recalculated every 20 seconds or when the p-throughput changes by more than 10% since the last recalculation
wds-default-bridge (name; default: none) - the default bridge for WDS interface. If you use dynamic WDS then it is very useful in cases when the wds connection is reset - the newly created dynamic WDS interface will be put in this bridge
wds-default-cost (integer; default: 100) - default bridge port cost of the WDS links
wds-ignore-ssid (yes|no; default: no) - if set to yes, the AP will create WDS links with any other AP in this frequency. If set to no, the ssid values must match on both APs

Page 160 of 480. Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA. Other trademarks and registered trademarks mentioned herein are properties of their respective owners.

wds-mode (disabled|dynamic|static) - WDS mode:
  • disabled - WDS interfaces are disabled
  • dynamic - WDS interfaces are created on the fly
  • static - WDS interfaces are created manually
wmm-support (disabled|enabled|required) - whether to allow (or require) peer to use WMM extensions to provide basic quality of service

WDS Interface Configuration
Home menu level: /interface wireless wds

Description
  • dynamic - is created on the fly and appears under wds menu as a dynamic interface
  • static - is created manually

Property Description
arp (disabled|enabled|proxy-arp|reply-only; default: enabled) - Address Resolution Protocol
  • disabled - the interface will not use ARP
  • enabled - the interface will use ARP
  • proxy-arp - the interface will use the ARP proxy feature
  • reply-only - the interface will only reply to the requests originated to its own IP addresses. Neighbour MAC addresses will be resolved using /ip arp statically set table only
disable-running-check (yes|no; default: no) - disable running check. For broken wireless cards it is a good idea to set this value to yes
mac-address (read-only: MAC address; default: 00:00:00:00:00:00) - MAC address of the master-interface. Specifying master-interface, this value will be set automatically
master-interface (name) - wireless interface which will be used by WDS
mtu (integer: 0..65336; default: 1500) - Maximum Transmission Unit
name (name; default: wdsN) - WDS interface name
wds-address (MAC address) - MAC address of the remote WDS host

Notes
add master-interface=wlan1 \
\... wds-address=00:0B:6B:30:2B:27 disabled=no
[admin@MikroTik] interface wireless wds> print
Flags: X - disabled, R - running, D - dynamic
 0 R name=wds1 mtu=1500 mac-address=00:0B:6B:30:2B:23 arp=enabled
     disable-running-check=no master-inteface=wlan1
     wds-address=00:0B:6B:30:2B:27
[admin@MikroTik] interface wireless wds>

Align
Home menu level: /interface wireless align

Property Description
active-mode (yes|no; default: yes) - whether the interface will receive and transmit alignment packets or it will only receive them
audio-max (integer; default: -20) - signal-strength at which audio (beeper) frequency will be the highest
audio-min (integer; default: -100) - signal-strength at which audio (beeper) frequency will be the lowest
audio-monitor (MAC address; default: 00:00:00:00:00:00) - MAC address of the remote host which will be listened
filter-mac (MAC address; default: 00:00:00:00:00:00) - if you want to receive packets from only one remote host, specify its MAC address here
frame-size (integer: 200..1500; default: 300) - size of alignment packets that will be transmitted
frames-per-second (integer: 1..100; default: 25) - number of frames that will be sent per second (in active-mode)
receive-all (yes|no; default: no) - whether the interface gathers packets about other 802.11 standard packets or it will gather only alignment packets
ssid-all (yes|no; default: no) - whether you want to accept packets from hosts with other ssid than yours

Command Description
test-audio (integer) - test the beeper for 10 seconds

Example
[admin@MikroTik] interface wireless align> print
frame-size: 300
active-mode: yes
receive-all: yes
audio-monitor: 00:00:00:00:00:00
filter-mac: 00:00:00:00:00:00
ssid-all: no
frames-per-second: 25
audio-min: -100
audio-max: -20
[admin@MikroTik] interface wireless align>

Align Monitor
Command name: /interface wireless align monitor

Property Description
address (read-only: MAC address) - MAC address of the remote host
avg-rxq (read-only: integer) - average signal strength of received packets since last display update on screen
correct (read-only: percentage) - how many undamaged packets were received
last-rx (read-only: time) - time in seconds before the last packet was received
last-tx (read-only: time) - time in seconds when the last TXQ info was received
rxq (read-only: integer) - signal strength of last received packet
ssid (read-only: text) - service set identifier
txq (read-only: integer) - the last received signal strength from our host to the remote one

Example
[admin@MikroTik] interface wireless align> monitor wlan2
# ADDRESS           SSID     RXQ AVG-RXQ LAST-RX TXQ LAST-TX CORRECT
0 00:01:24:70:4B:FC wirelesa -60 -60     0.01    -67 0.01    100 %
[admin@MikroTik] interface wireless align>

Frequency Monitor
Command name: /interface wireless frequency-monitor

Property Description
freq (read-only: integer) - shows current channel
use (read-only: percentage) - shows usage in current channel

Example
[admin@MikroTik] interface wireless> frequency-monitor wlan1
FREQ    USE
2412MHz 3.8%
2417MHz 9.8%
2422MHz 2%
2427MHz 0.8%
2432MHz 0%
2437MHz 0.9%
2442MHz 0.9%
2447MHz 2.4%
2452MHz 3.9%
2457MHz 7.5%
2462MHz 0.9%

Manual Transmit Power Table
Home menu level: /interface wireless manual-tx-power-table
print
0 name=wlan1 manual-tx-powers=1Mbps:10,2Mbps:10,5.5Mbps:9,11Mbps:7
[admin@MikroTik] interface wireless manual-tx-power-table>

Network Scan
Command name: /interface wireless scan interface_name

Property Description
address (read-only: MAC address) - MAC address of the AP
band (read-only: text) - in which standard does the AP operate
bss (read-only: yes|no) - basic service set
freeze-time-interval (time; default: 1s) - time in seconds to refresh the displayed data
freq (read-only: integer) - the frequency of AP
interface_name (name) - the name of interface which will be used for scanning APs
privacy (read-only: yes|no) - whether all data is encrypted or not
signal-strength (read-only: integer) - signal strength in dBm
ssid (read-only: text) - service set identifier of the AP

Example
scan wlan1
Flags: A - active, B - bss, P - privacy, R - routeros-network, N - nstreme
     ADDRESS           SSID         BAND FREQ SIG RADIO-NAME
AB R 00:0C:42:05:00:28 test         5ghz 5180 -77 000C42050028
AB R 00:02:6F:20:34:82 aap1         5ghz 5180 -73 00026F203482
AB   00:0B:6B:30:80:0F www          5ghz 5180 -84
AB R 00:0B:6B:31:B6:D7 www          5ghz 5180 -81 000B6B31B6D7
AB R 00:0B:6B:33:1A:D5 R52_test_new 5ghz 5180 -79 000B6B331AD5
AB R 00:0B:6B:33:0D:EA short5       5ghz 5180 -70 000B6B330DEA
AB R 00:0B:6B:31:52:69 MikroTik     5ghz 5220 -69 000B6B315269
AB R 00:0B:6B:33:12:BF long2        5ghz 5260 -55 000B6B3312BF
-- [Q quit|D dump|C-z pause]
[admin@MikroTik] interface wireless>

Security Profiles
Home menu level: /interface wireless security-profiles

Property Description
authentication-types (multiple choice: wpa-psk|wpa2-psk|wpa-eap|wpa2-eap; default: ) - the list of accepted authentication types. APs will advertise the listed types. Stations will choose the AP which supports the best type from the list (WPA2 is always preferred to WPA1; EAP is preferred to PSK)
eap-methods (multiple choice: eap-tls|passthrough) - the ordered list of EAP methods. APs will propose them to the stations one by one (if the first method listed is rejected, the next one is tried). Stations will accept the first proposed method that is on the list
  • eap-tls - Use TLS certificates for authentication
  • passthrough - relay the authentication process to the RADIUS server (not used by the stations)
group-ciphers (multiple choice: tkip|aes-ccm) - a set of ciphers used to encrypt frames sent to all wireless stations (broadcast transfers) in the order of preference
  • tkip - Temporal Key Integrity Protocol - encryption protocol, compatible with legacy WEP equipment, but enhanced to correct some of WEP flaws
  • aes-ccm - more secure WPA encryption protocol, based on the reliable AES (Advanced Encryption Standard). Networks free of WEP legacy should use only this
group-key-update (time; default: 5m) - how often to update group key. This parameter is used only if the wireless card is configured as an Access Point
interim-update (time) - default update interval for RADIUS accounting, if RADIUS server has not provided different value
mode (none|static-keys-optional|static-keys-required|dynamic-keys; default: none) - security mode:
  • none - do not encrypt packets and do not accept encrypted packets
  • static-keys-optional - if there is a static-sta-private-key set, use it. Otherwise, if the interface is set in an AP mode, do not use encryption; if the interface is in station mode, use encryption if the static-transmit-key is set
  • static-keys-required - encrypt all packets and accept only encrypted packets
  • dynamic-keys - generate encryption keys dynamically
name (name) - descriptive name for the security profile
radius-eap-accounting (yes|no; default: no) - use RADIUS accounting if EAP authentication is used
radius-mac-accounting (yes|no; default: no) - use RADIUS accounting, providing MAC address as username
radius-mac-authentication (no|yes; default: no) - whether to use RADIUS server for MAC authentication
radius-mac-caching (time; default: disabled) - how long the RADIUS authentication reply for MAC address authentication is considered valid (and thus can be cached for faster reauthentication)
radius-mac-format (text; default: XX:XX:XX:XX:XX:XX) - MAC address format to use for communication with RADIUS server
radius-mac-mode (as-username|as-username-and-password; default: as-username) - whether to use MAC address as username only or as both username and password for RADIUS authentication
static-algo-0 (none|40bit-wep|104bit-wep|aes-ccm|tkip; default: none) - which encryption algorithm to use:
  • none - do not use encryption and do not accept encrypted packets
  • 40bit-wep - use the 40bit encryption (also known as 64bit-wep) and accept only these packets
  • 104bit-wep - use the 104bit encryption (also known as 128bit-wep) and accept only these packets
  • aes-ccm - use the AES-CCM (Advanced Encryption Standard in Counter with CBC-MAC) encryption algorithm and accept only these packets
  • tkip - use the TKIP (Temporal Key Integrity Protocol) and accept only these packets
static-algo-1 (none|40bit-wep|104bit-wep|aes-ccm|tkip; default: none) - which encryption algorithm to use:
  • none - do not use encryption and do not accept encrypted packets
  • 40bit-wep - use the 40bit encryption (also known as 64bit-wep) and accept only these packets
  • 104bit-wep - use the 104bit encryption (also known as 128bit-wep) and accept only these packets
  • aes-ccm - use the AES-CCM (Advanced Encryption Standard in Counter with CBC-MAC) encryption algorithm and accept only these packets
  • tkip - use the TKIP (Temporal Key Integrity Protocol) and accept only these packets
static-algo-2 (none|40bit-wep|104bit-wep|aes-ccm|tkip; default: none) - which encryption algorithm to use:
  • none - do not use encryption and do not accept encrypted packets
  • 40bit-wep - use the 40bit encryption (also known as 64bit-wep) and accept only these packets
  • 104bit-wep - use the 104bit encryption (also known as 128bit-wep) and accept only these packets
  • aes-ccm - use the AES-CCM (Advanced Encryption Standard in Counter with CBC-MAC) encryption algorithm and accept only these packets
  • tkip - use the TKIP (Temporal Key Integrity Protocol) and accept only these packets
static-algo-3 (none|40bit-wep|104bit-wep|aes-ccm|tkip; default: none) - which encryption algorithm to use:
  • none - do not use encryption and do not accept encrypted packets
  • 40bit-wep - use the 40bit encryption (also known as 64bit-wep) and accept only these packets
  • 104bit-wep - use the 104bit encryption (also known as 128bit-wep) and accept only these packets
  • aes-ccm - use the AES-CCM (Advanced Encryption Standard in Counter with CBC-MAC) encryption algorithm and accept only these packets
  • tkip - use the TKIP (Temporal Key Integrity Protocol) and accept only these packets
static-key-0 (text) - hexadecimal key which will be used to encrypt packets with the 40bit-wep or 104bit-wep algorithm (algo-0). If AES-CCM is used, the key must consist of an even number of characters and must be at least 32 characters long. For TKIP, the key must be at least 64 characters long and also must consist of an even number of characters
static-key-1 (text) - hexadecimal key which will be used to encrypt packets with the 40bit-wep or 104bit-wep algorithm (algo-1). If AES-CCM is used, the key must consist of an even number of characters and must be at least 32 characters long. For TKIP, the key must be at least 64 characters long and also must consist of an even number of characters
static-key-2 (text) - hexadecimal key which will be used to encrypt packets with the 40bit-wep or 104bit-wep algorithm (algo-2). If AES-CCM is used, the key must consist of an even number of characters and must be at least 32 characters long. For TKIP, the key must be at least 64 characters long and also must consist of an even number of characters
static-key-3 (text) - hexadecimal key which will be used to encrypt packets with the 40bit-wep or 104bit-wep algorithm (algo-3). If AES-CCM is used, the key must consist of an even number of characters and must be at least 32 characters long. For TKIP, the key must be at least 64 characters long and also must consist of an even number of characters
static-sta-private-algo (none|40bit-wep|104bit-wep|aes-ccm|tkip) - algorithm to use if the static-sta-private-key is set. Used to communicate between 2 devices
static-sta-private-key (text) - if this key is set in station mode, use this key for encryption. In AP mode you have to specify static-private keys in the access-list or use the Radius server using radius-mac-authentication. Used to communicate between 2 devices
static-transmit-key (static-key-0|static-key-1|static-key-2|static-key-3; default: static-key-0) - which key to use for broadcast packets. Used in AP mode
supplicant-identity (text; default: MikroTik) - EAP supplicant identity to use for RADIUS EAP authentication
tls-certificate (name) - select the certificate for this device from the list of imported certificates
tls-mode (no-certificates|dont-verify-certificate|verify-certificate; default: no-certificates) - TLS certificate mode
  • no-certificates - certificates are negotiated dynamically using anonymous Diffie-Hellman MODP 2048 bit algorithm
  • dont-verify-certificate - require a certificate, but do not check whether it has been signed by the available CA certificate
  • verify-certificate - require a certificate and verify that it has been signed by the available CA certificate
unicast-ciphers (multiple choice: tkip|aes-ccm) - a set of ciphers used to encrypt frames sent to individual wireless station (unicast transfers) in the order of preference
  • tkip - Temporal Key Integrity Protocol - encryption protocol, compatible with legacy WEP equipment, but enhanced to correct some of WEP flaws
  • aes-ccm - more secure WPA encryption protocol, based on the reliable AES (Advanced Encryption Standard). Networks free of WEP legacy should use only this
wpa-pre-shared-key (text; default: ) - string, which is used as the WPA Pre Shared Key. It must be the same on AP and station to communicate
wpa2-pre-shared-key (text; default: ) - string, which is used as the WPA2 Pre Shared Key. It must be the same on AP and station to communicate
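
An added example, not part of the MikroTik manual: a Python audit that applies the Security Profiles property descriptions above to "add ..." lines and reports weak or malformed settings. The function names, finding codes and sample profiles are constructed for illustration; the exact WEP key lengths (10 and 26 hex digits) are standard WEP values that the manual does not state.

```python
import shlex

WEP_HEX = {"40bit-wep": 10, "104bit-wep": 26}   # exact length in hex digits (added here)
MIN_HEX = {"aes-ccm": 32, "tkip": 64}           # minimum lengths stated in the manual
HEX = set("0123456789abcdefABCDEF")


def parse_profile(line):
    """Parse one 'add key=value ...' line into a property dict."""
    pairs = (tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
    return {key: value for key, value in pairs}


def check_static_key(slot, algo, key):
    """Apply the static-key-N format rules to one key slot."""
    if algo == "none":
        return []
    if not key or len(key) % 2 or not set(key) <= HEX:
        return [("BAD_KEY", f"static-key-{slot}: not an even-length hex string")]
    if algo in WEP_HEX and len(key) != WEP_HEX[algo]:
        return [("BAD_KEY", f"static-key-{slot}: {algo} needs {WEP_HEX[algo]} hex digits")]
    if algo in MIN_HEX and len(key) < MIN_HEX[algo]:
        return [("BAD_KEY", f"static-key-{slot}: {algo} needs >= {MIN_HEX[algo]} hex digits")]
    return []


def audit_profile(p):
    """Return (code, message) findings for one security profile."""
    out = []
    mode = p.get("mode", "none")                 # manual default: none
    if mode == "none":
        out.append(("NO_ENCRYPTION", "mode=none: packets are not encrypted"))
    elif mode == "static-keys-optional":
        out.append(("NO_ENCRYPTION", "static-keys-optional: unencrypted traffic is possible"))
    if mode.startswith("static-keys"):
        for slot in range(4):
            algo = p.get(f"static-algo-{slot}", "none")
            if algo in WEP_HEX:
                out.append(("WEP", f"static-algo-{slot}={algo}"))
            out += check_static_key(slot, algo, p.get(f"static-key-{slot}", ""))
    if mode == "dynamic-keys":
        auth = set(p.get("authentication-types", "").split(","))
        if auth & {"wpa-psk", "wpa-eap"}:
            out.append(("WPA1", "a WPA1 authentication type is accepted"))
        for prop in ("unicast-ciphers", "group-ciphers"):
            if "tkip" in p.get(prop, "").split(","):
                out.append(("TKIP", f"{prop} allows tkip"))
        if auth & {"wpa-eap", "wpa2-eap"} and p.get("tls-mode", "no-certificates") != "verify-certificate":
            out.append(("TLS_UNVERIFIED", "EAP is used without tls-mode=verify-certificate"))
    return out

# Constructed sample profiles (not taken from the manual).
SAMPLES = {
    "legacy": "add name=legacy mode=static-keys-required static-algo-0=40bit-wep static-key-0=0123456789",
    "mixed": 'add name=mixed mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk '
             'unicast-ciphers=tkip,aes-ccm group-ciphers=tkip wpa2-pre-shared-key="constructed example"',
    "eap": "add name=eap mode=dynamic-keys authentication-types=wpa2-eap eap-methods=eap-tls "
           "tls-mode=dont-verify-certificate unicast-ciphers=aes-ccm group-ciphers=aes-ccm",
    "wpa2": "add name=wpa2 mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, [code for code, _ in audit_profile(parse_profile(line))])
```
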

Sniffer
Home menu level: /interface wireless sniffer