MikroTik Router OS V3.0 User Manual

							VLAN example on MikroTik Routers
A
  	 
	
  	( 
    
 ! 
 


 
 	  *

	 
 

	 

  
 OA+9  
  	
 
 ! 	  
 &
  
 
  	
	

 
  9  	 

 


 
 
 OA+9 
 
  


 	 	
 
8 *$ 	  
	
 
  
	
 
  
 	 
 
 
 	  
 
 OA+9 

	  
	

[admin@MikroTik] interface vlan> add name=test vlan-id=32 interface=ether1[admin@MikroTik] interface vlan> printFlags: X - disabled, R - running# NAME MTU ARP VLAN-ID INTERFACE0 R test 1500 enabled 32 ether1[admin@MikroTik] interface vlan>
* 
 

	   	
 
  
  
 * 
 	 





 &
 

 ( 
	
  

 
	

  	 OA+9 	
 
 
  
 

 

	  

 

6
 
 

	  


 *$ 	 	
  	
 
 
 OA+9 

	
 
 
 
 /
[admin@MikroTik] ip address> add address=10.10.10.1/24 interface=test[admin@MikroTik] ip address> printFlags: X - disabled, I - invalid, D - dynamic# ADDRESS NETWORK BROADCAST INTERFACE0 10.0.0.204/24 10.0.0.0 10.0.0.255 ether11 10.20.0.1/24 10.20.0.0 10.20.0.255 pc12 10.10.10.1/24 10.10.10.0 10.10.10.255 test[admin@MikroTik] ip address>
 
 
 
 -
[admin@MikroTik] ip address> add address=10.10.10.2/24 interface=test[admin@MikroTik] ip address> printFlags: X - disabled, I - invalid, D - dynamic# ADDRESS NETWORK BROADCAST INTERFACE0 10.0.0.201/24 10.0.0.0 10.0.0.255 ether11 10.10.10.2/24 10.10.10.0 10.10.10.255 test[admin@MikroTik] ip address>
* 
 
  
 

 
   
 
 
 -  
 / 	
 ( (	
[admin@MikroTik] ip address> /ping 10.10.10.110.10.10.1 64 byte pong: ttl=255 time=3 ms10.10.10.1 64 byte pong: ttl=255 time=4 ms10.10.10.1 64 byte pong: ttl=255 time=10 ms10.10.10.1 64 byte pong: ttl=255 time=5 ms4 packets transmitted, 4 packets received, 0% packet lossround-trip min/avg/max = 3/10.5/10 ms[admin@MikroTik] ip address> /ping 10.10.10.210.10.10.2 64 byte pong: ttl=255 time=10 ms10.10.10.2 64 byte pong: ttl=255 time=11 ms10.10.10.2 64 byte pong: ttl=255 time=10 ms10.10.10.2 64 byte pong: ttl=255 time=13 ms4 packets transmitted, 4 packets received, 0% packet lossround-trip min/avg/max = 10/11/13 ms[admin@MikroTik] ip address>
Page 240 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							Graphing
Document revision 1.3 (February 6, 2008, 1:44 GMT)
This document applies to MikroTik RouterOS V3.0
Table of Contents
TableofContents
GeneralInformation
Summary
Specifications
Description
GeneralOptions
PropertyDescription
Example
HealthGraphing
Description
PropertyDescription
InterfaceGraphing
Description
PropertyDescription
Example
SimpleQueueGraphing
Description
PropertyDescription
Example
ResourceGraphing
Description
PropertyDescription
Example
General Information
Summary
I	
  	 
     


 (	 
 ! 		
 ( 	   

Specifications
Packages required:system, routerboard (optional)
License required:level1
Home menu level:/tool graphing
Hardware usage:Not significant
Description
 I	
 
 	
 	 	 
Page 241 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							•
	 	
 &(
	 	
 
	

• 	 &3$0  	
 5 	
•	   	 
 

	
•	   	 
  8
I	
 

  
 	
 7 
 	
 
 
	

 	
 
 	
 	 	
	 
 	 6 	 
	 
 	 
 

P3
45 	
  	 	 
 	 
 
6 
5	
	  
 
  	
 ( < 

 
 	( 
 
 
 ( (


+
 

 
 
 	
  	 
	

 
	
 	 	
 
 	( 
 
   




 ! 
	
  	  	 

•H5	H I	 &< 

 +(	
•H6H I	 &:. 

 +(	
•H

H I	 &- , +(	
•HE	H I	 &/ 5	 +(	
 	 	 	  	 

  
 

 
$		
  
 
(


General Options
Home menu level:/tool graphing
Property Description
store-every(5min|hour|24hours; default:5min) - how often to store information on system drive
Example
 
 
	

 
 
 ( ( 
/tool graphing set store-every=hour[admin@MikroTik] tool graphing> printstore-every: hour[admin@MikroTik] tool graphing>
Health Graphing
Home menu level:/tool graphing health
Description
 
 ( 
	

 	
 
)	% %	
% 7 (
	 	
 
	
 # 
 


 	( 
 

	 

		
Page 242 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							Property Description
allow-address(IP addressnetmask; default:0.0.0.0/0) - network which is allowed to view graphs
of router health
store-on-disk(yes | no; default:yes) - whether to store information about traffic on system drive or
not. If not, the information will be stored in RAM and will be lost after a reboot
Interface Graphing
Home menu level:/tool graphing interface
Description
!   
	  	 
 	
 

	 ( 	   

Property Description
allow-address(IP addressnetmask; default:0.0.0.0/0) - network which is allowed to view graphs
of router health
interface(name; default:all) - name of the interface which will be monitored
store-on-disk(yes | no; default:yes) - whether to store information about traffic on system drive or
not. If not, the information will be stored in RAM and will be lost after a reboot
Example
 

 
	   	 
 

	
 !
  	 

!&%!)(%+%+&1 	


 
	

 
 
[admin@MikroTik] tool graphing interface> add interface=ether1 \\... allow-address=192.168.0.0/24 store-on-disk=yes[admin@MikroTik] tool graphing interface> printFlags: X - disabled# INTERFACE ALLOW-ADDRESS STORE-ON-DISK0 ether1 192.168.0.0/24 yes[admin@MikroTik] tool graphing interface>
Simple Queue Graphing
Home menu level:/tool graphing queue
Description
*
 
 
  	
  	 8  
: 

 
 	 	 	  

Property Description
allow-address(IP addressnetmask; default:0.0.0.0/0) - network which is allowed to view graphs
of router health
allow-target(yes | no; default:yes) - whether to allow access to web graphing from IP range that is
Page 243 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							specified in /queue simple target-address
simple-queue(name; default:all) - name of simple queue which will be monitored
store-on-disk(yes | no; default:yes) - whether to store information about traffic on hard drive or
not. If not, the information will be stored in RAM and will be lost after a reboot
Example
+ 	  8 
 I	 
 
 78 
	:! 	 
 

 
 	 I	
  
 
	

 	
 
	 
 
[admin@MikroTik] tool graphing queue> add simple-queue=queue1 allow-address=yes \\... store-on-disk=yes
Resource Graphing
Home menu level:/tool graphing resource
Description
$( 
 
  	 
	

 ( 	   

•3$0 	
• 	
•5 	
Property Description
allow-address(IP addressnetmask; default:0.0.0.0/0) - network which is allowed to view graphs
of router health
store-on-disk(yes | no; default:yes) - whether to store information about traffic on hard drive or
not. If not, the information will be stored in RAM and will be lost after a reboot
Example
+ *$ 	
!&%!)(%+%+&1   	 	 
 

 I	%  	
[admin@MikroTik] tool graphing resource> add allow-address=192.168.0.0/24 \\... store-on-disk=yes[admin@MikroTik] tool graphing resource> printFlags: X - disabled# ALLOW-ADDRESS STORE-ON-DISK0 192.168.0.0/24 yes[admin@MikroTik] tool graphing resource>
Page 244 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							HotSpot User AAA
Document revision 2.4 (February 6, 2008, 1:40 GMT)
This document applies to MikroTik RouterOS V3.0
Table of Contents
TableofContents
Summary
Specifications
Description
HotSpotUserProfiles
Description
PropertyDescription
Notes
Example
HotSpotUsers
PropertyDescription
Notes
Example
HotSpotActiveUsers
Description
PropertyDescription
Example
General Information
Summary
 

 ( 
	

 
 	


	

 	
2	

 	
 	


 		
 	


	

  ,
!
 	
	 

Specifications
Packages required:system
License required:level1
Home menu level:/ip hotspot user
Standards and Technologies:RADIUS
Hardware usage:Local traffic accounting requires additional memory
Description
HotSpot User Profiles
Home menu level:/ip hotspot user profile
Description
Page 245 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							,
!
 0  	   
  


 $ 	    
 	 

 
 
 	 

Property Description
address-pool(namenone; default:none) - the IP pool name which the users will be given IP
addresses from. This works like dhcp-pool method in earlier versions of MikroTik RouterOS,
except that it does not use DHCP, but rather the embedded one-to-one NAT
•none- do not reassign IP addresses to the users of this profile
advertise(yes | no; default:no) - whether to enable forced advertisement popups for this profile
advertise-interval(multiple choice: time; default:30m,10m) - set of intervals between showing
advertisement popups. After the list is done, the last value is used for all further advertisements
advertise-timeout(timeimmediately|never; default:1m) - how long to wait for advertisement to
be shown, before blocking network access with walled-garden
advertise-url(multiple choice: text; default:
http://www.mikrotik.com/,http://www.routerboard.com/) - list of URLs to show as
advertisement popups. The list is cyclic, so when the last item reached, next time the first is shown
idle-timeout(timenone; default:none) - idle timeout (maximal period of inactivity) for authorized
clients. It is used to detect, that client is not using outer networks (e.g. Internet), i.e., there is NO
TRAFFIC coming from that client and going through the router. Reaching the timeout, user will be
logged out, dropped of the host list, the address used by the user will be freed, and the session time
accounted will be decreased by this value
•none- do not timeout idle users
incoming-filter(name) - name of the firewall chain applied to incoming packets from the users of
this profile
incoming-packet-mark(name) - packet mark put on all the packets from every user of this profile
automatically
keepalive-timeout(timenone; default:00:02:00) - keepalive timeout for authorized clients. Used to
detect, that the computer of the client is alive and reachable. If check will fail during this period,
user will be logged out, dropped of the host list, the address used by the user will be freed, and the
session time accounted will be decreased by this value
•none- do not timeout unreachable users
name(name) - profile reference name
on-login(text; default:) - script name to launch after a user has logged in
on-logout(text; default:) - script name to launch after a user has logged out
open-status-page(always|http-login; default:always) - whether to show status page also for users
authenticated using mac login method. Useful if you want to put some information (for example,
banners or popup windows) in the alogin.html page so that all users would see it
•http-login- open status page only in case of HTTP login (including cookie and https login
methods)
•always- open the status page in case of mac login as well once the user opens any web page
outgoing-filter(name) - name of the firewall chain applied to outgoing packets to the users of this
profile
Page 246 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							outgoing-packet-mark(name) - packet mark put on all the packets to every user of this profile
automatically
rate-limit(text; default:) - Rate limitation in form of rx-rate[/tx-rate]
[rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time]
[priority] [rx-rate-min[/tx-rate-min]]]] from the point of view of the router (so rx is client upload,
and tx is client download). All rates should be numbers with optional k (1,000s) or M
(1,000,000s). If tx-rate is not specified, rx-rate is as tx-rate too. Same goes for tx-burst-rate and
tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not
specified (but burst-rate is specified), rx-rate and tx-rate is used as burst thresholds. If both
rx-burst-time and tx-burst-time are not specified, 1s is used as default. Priority takes values 1..8,
where 1 implies the highest priority, but 8 - the lowest. If rx-rate-min and tx-rate-min are not
specified rx-rate and tx-rate values are used. The rx-rate-min and tx-rate-min values can not exceed
rx-rate and tx-rate values.
session-timeout(time; default:0s) - session timeout (maximal allowed session time) for client.
After this time, the user will be logged out unconditionally
•0- no timeout
shared-users(integer; default:1) - maximal number of simultaneously logged in users with the
same username
status-autorefresh(timenone; default:none) - HotSpot servlet status page autorefresh interval
transparent-proxy(yes | no; default:yes) - whether to use transparent HTTP proxy for the
authorized users of this profile
Notes
6
 7

  	(  	 
7
  
	
     
 	
	  

	
(
 
  
 (

 
   
 (	
Example
HotSpot Users
Home menu level:/ip hotspot user
Property Description
address(IP address; default:0.0.0.0) - static IP address. If not 0.0.0.0, client will always get the
same IP address. A configured address implies, that only one simultaneous login for that user is
allowed. Any existing address will be replaced with this one using the embedded one-to-one NAT
bytes-in(read-only: integer) - total amount of bytes received from user
bytes-out(read-only: integer) - total amount of bytes sent to user
email(text) - e-mail address. Only basic syntax checking is done to ensure validity of this field
limit-bytes-in(integer; default:0) - maximum amount of bytes user can transmit (i.e., bytes
received from the user)
•0- no limit
limit-bytes-out(integer; default:0) - maximum amount of bytes user can receive (i.e., bytes sent to
Page 247 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							the user)
•0- no limit
limit-bytes-total(integer; default:0) - maximum aggregate amount of bytes user can receive and
send (i.e., the sum of the amount of bytes sent to the user and received from it)
•0- no limit
limit-uptime(time; default:0s) - total uptime limit for user (pre-paid time)
•0s- no limit
mac-address(MAC address; default:00:00:00:00:00:00) - static MAC address. If not
00:00:00:00:00:00, client is allowed to login only from that MAC address
name(name) - user name. If authentication method is trial, then user name will be set automaticly
after following pattern T-MAC_adress, where MAC_address is trial user Mac address
packets-in(read-only: integer) - total amount of packets received from user (i.e., packets received
from the user)
packets-out(read-only: integer) - total amount of packets sent to user (i.e., packets sent to the user)
password(text) - user password
profile(name; default:default) - user profile
routes(text) - routes that are to be registered on the HotSpot gateway when the client is connected.
The route format is: dst-address [[gateway] [metric]] (for example, 10.1.0.0/24 10.0.0.1 1). Several
routes may be specified separated with commas. If gateway is not specified, the remote address is
used. If metric is not speciefied, the metric of 1 is used
server(nameall; default:all) - which HotSpot server is this user allowed to log in to
uptime(read-only: time) - total time user has been logged in
Notes
*
 	 	


	

 
 

% +3 	 	
   	 
	 &

	
 
 
 	 

	 
  	  &

  	 
 	 	

  

 
 !  	 
	 		 
	 

 

 
 
   
 

	 
 7 &
 		 
	
# 	  
	 
  	   /..) 	
 
  	 		 
	 :.) 

 


	 
 	
 
 	

  

 
  /..) 7 :.) J N.)
! 	  	 1 
 &
7
 XJ 
7
7
  
7
 XJ 
7
7
 1 


  	 
  
 	

 
	

  	
  	   	


	
 (	 	  	
		 	 
 1  
 *
	
 
	
  	   

  
 

 
 
	

  

  

 

	 (	 0

 

 

 
 ( 
 
	

 
 
 

  

* 
  	 *$ 	  
 
 
	
 
  	 * 
 	 

	 	 
		
 
 
   
 	
( 
 	
( 
   	
	
	  
	   	( 
	   
 



 	 H7=	>H & =	>  
 %
+3 	 

 
 	


 
 
 	 
  	 7 



% +3 		
	




7 
 
( (	 

	
	





 
  
 ,
!
 (   

   	
	
	 ( 

Page 248 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							
 
	  
 
 &	




 

Example
 	 
 	
	
  	 
  
 
 
+!P&2P1*P)9P(P.I+3 	 	

 
 
 /   
[admin@MikroTik] ip hotspot user> add name=ex password=ex \\... mac-address=01:23:45:67:89:AB limit-uptime=1h[admin@MikroTik] ip hotspot user> printFlags: X - disabled# SERVER NAME ADDRESS PROFILE UPTIME0 ex default 00:00:00[admin@MikroTik] ip hotspot user> print detailFlags: X - disabled, D - dynamic0 name=ex password=ex mac-address=01:23:45:67:89:AB profile=defaultlimit-uptime=1h uptime=0s bytes-in=0 bytes-out=0 packets-in=0 packets-out=0[admin@MikroTik] ip hotspot user>
HotSpot Active Users
Home menu level:/ip hotspot active
Description
 	
(  
  
 
  

  
  9

 	
  	
  
  	

  
 
 
	

Property Description
address(read-only: IP address) - IP address of the user
blocked(read-only: flag) - whether the user is blocked by advertisement (i.e., usual due
advertisement is pending)
bytes-in(read-only: integer) - how many bytes did the router receive from the client
bytes-out(read-only: integer) - how many bytes did the router send to the client
domain(read-only: text) - domain of the user (if split from username)
idle-time(read-only: time) - the amount of time has the user been idle
idle-timeout(read-only: time) - the exact value of idle-timeout that applies to this user. This
property shows how long should the user stay idle for it to be logged off automatically
keepalive-timeout(read-only: time) - the exact value of keepalive-timeout that applies to this user.
This property shows how long should the users computer stay out of reach for it to be logged off
automatically
limit-bytes-in(read-only: integer) - maximal amount of bytes the user is allowed to send to the
router
limit-bytes-out(read-only: integer) - maximal amount of bytes the router is allowed to send to the
client
limit-bytes-total(read-only: integer) - maximal aggregate amount of bytes the router is allowed to
send to the client and receive form it
Page 249 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners.