MikroTik Router OS V3.0 User Manual

							login-by(multiple choice, read-only: cookie|http-chap|http-pap|https|mac|trial) -
authentication method used by user
mac-address(read-only: MAC address) - actual MAC address of the user
packets-in(read-only: integer) - how many packets did the router receive from the client
packets-out(read-only: integer) - how many packets did the router send to the client
radius(read-only: flag) - whether the user was authenticated via RADIUS
server(read-only: name) - the particular HotSpot server the used is logged on at.
session-time-left(read-only: time) - the exact value of session-time-left that applies to this user.
This property shows how long should the user stay logged-in (see uptime) for it to be logged off
automatically
uptime(read-only: time) - current session time of the user (i.e., how long has the user been logged
in)
user(read-only: name) - name of the user
Example
 
 
 
  	
( 
[admin@MikroTik] ip hotspot active> printFlags: R - radius, B - blocked# USER ADDRESS UPTIME SESSION-TIME-LEFT IDLE-TIMEOUT0 ex 10.0.0.144 4m17s 55m43s[admin@MikroTik] ip hotspot active>
Page 250 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							IP accounting
Document revision 2.2 (February 6, 2008, 1:40 GMT)
This document applies to MikroTik RouterOS V3.0
Table of Contents
TableofContents
Summary
Specifications
LocalIPTrafficAccounting
Description
PropertyDescription
Notes
Example
LocalIPTrafficAccountingTable
Description
PropertyDescription
Notes
Example
WebAccesstotheLocalIPTrafficAccountingTable
Description
PropertyDescription
Example
UncountedConnections
Description
PropertyDescription
Example
General Information
Summary
+


	

 +
2	

 	
 +


 	
 ( 	 
  	 	
1 
 &

+5*0! ( $

7
7$

 	
 ,
!
  	
	

 	
 
	 	


 &	 *$ 
	 	


 
  	

 	 
	 	


  	
 


Specifications
Packages required:system
License required:level1
Home menu level:/user, /ppp, /ip accounting, /radius
Standards and Technologies:RADIUS
Hardware usage:Traffic accounting requires additional memory
Local IP Traffic Accounting
Home menu level:/ip accounting
Page 251 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							Description
+ 	 	
 	 
 
 
 
 	
  	
 

	

 	 	 	
 		

	
 *$ 	 
 
 
 	


 
	 	
 
 
	  
	
 	  
	  
	  $$$ $$$
$$$F *!59 	
 ,
!
 

 	
  	

 
 7 	 
 )
 
 
  	
 	


 
  
 	 	


* 
 	

 *$   	 
 	 
 

   	 
 
 
	
 
 
 	
 
	
 

 	
 	( 
 
 	 	

 $	
 
	
 	  
 
 
 	


 

 $	
 
	
 	 9+
 
 
 
   	

  
 
 	
	 *$ 	 

	  $	
 
	
 	 
 
  

	 & 
 
  

	 	 	


 

	 
	
  
 
 
 	
 

 
 
 	 	   	


Property Description
account-local-traffic(yes | no; default:no) - whether to account the traffic to/from the router itself
enabled(yes | no; default:no) - whether local IP traffic accounting is enabled
threshold(integer; default:256) - maximum number of IP pairs in the accounting table (maximal
value is 8192)
Notes
# 

	 



 
 

   	

F	 *$ 	  		
 /.. 

6
 
 
 
  	 
 
 *$ 	   	 
 
 	


 
	 F	 	
 
	
 

 	

 
 
 	


 
	  

  	 
 



M
Example
F
	 *$ 	



[admin@MikroTik] ip accounting> set enabled=yes[admin@MikroTik] ip accounting> printenabled: yesaccount-local-traffic: nothreshold: 256[admin@MikroTik] ip accounting>
Local IP Traffic Accounting Table
Home menu level:/ip accounting snapshot
Description
6
 	 
	
  	  	
	 

 
 	


 
	  	 	
 
 *$ 	 	
 
	
	
	 	 	   8

 
	 	
	  
 
   
	
 
 *$ 	 

Page 252 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							
   	
Property Description
bytes(read-only: integer) - total number of bytes, matched by this entry
dst-address(read-only: IP address) - destination IP address
dst-user(read-only: text) - recipients name (if aplicable)
packets(read-only: integer) - total number of packets, matched by this entry
src-address(read-only: IP address) - source IP address
src-user(read-only: text) - senders name (if aplicable)
Notes
0
	 	 
 
  
  	 


 
 
 
 (	 	 $$$ 


  	 	


	
 
,
!

E  H
	H 
	
 
  
 ( 
 

 
	
  
 
	  
 

	

) 
 
 
	
 	 
 
	
 
 
	  

Example
 
	 	 
 
	

[admin@MikroTik] ip accounting snapshot> take[admin@MikroTik] ip accounting snapshot> print# SRC-ADDRESS DST-ADDRESS PACKETS BYTES SRC-USER DST-USER0 192.168.0.2 159.148.172.197 474 191301 192.168.0.2 10.0.0.4 3 1202 192.168.0.2 192.150.20.254 32 31423 192.150.20.254 192.168.0.2 26 28574 10.0.0.4 192.168.0.2 2 1175 159.148.147.196 192.168.0.2 2 1366 192.168.0.2 159.148.147.196 1 407 159.148.172.197 192.168.0.2 835 1192962[admin@MikroTik] ip accounting snapshot>
Web Access to the Local IP Traffic Accounting Table
Home menu level:/ip accounting web-access
Description
  	 
 	 
  
  
 
	
	 0
1A
 
 
 
 
 
 
	 	
	 	

	( 
 
 	   
   		 	 3

 
 	 
 
	 * 
  
  
	
	
 
  	  ( 
 
  	 
 



  

	
 
 
  	 
 
  	 
 
  	 3$ 
   

 



 
 
 
 

		

 
	
 

  
 
	 	
	   
  
	   	 
 
 




 
  

	
 6   
  


 
 0A 

P
45

%

Property Description
Page 253 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							accessible-via-web(yes | no; default:no) - wheather the snapshot is available via web
address(IP addressnetmask; default:0.0.0.0) - IP address range that is allowed to access the
snapshot
Example
 
	  	 !+%+%+%!( 

[admin@MikroTik] ip accounting web-access> set accessible-via-web=yes \\... address=10.0.0.1/32[admin@MikroTik] ip accounting web-access> printaccessible-via-web: yesaddress: 10.0.0.1/32[admin@MikroTik] ip accounting web-access>
Uncounted Connections
Home menu level:/ip accounting uncounted
Description
*
 	 
  *$ 	 	
  	 
 
 	


 
	 &
 	


 
 	 
 	
	 
	 
	
  

 
 
 	
  
 

 *$ 	   

 	
 

	 	 
 
 



Property Description
bytes(read-only: integer) - byte count
packets(read-only: integer) - packet count
Example
! 
 


 	

[admin@MikroTik] ip accounting uncounted> printpackets: 0bytes: 0[admin@MikroTik] ip accounting uncounted>
Page 254 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							PPP User AAA
Document revision 2.6 (February 6, 2008, 1:40 GMT)
This document applies to MikroTik RouterOS V3.0
Table of Contents
TableofContents
Summary
Specifications
Description
LocalPPPUserProfiles
Description
PropertyDescription
Notes
Example
LocalPPPUserDatabase
Description
PropertyDescription
Example
MonitoringActivePPPUsers
PropertyDescription
Example
PPPUserRemoteAAA
PropertyDescription
Notes
Example
General Information
Summary
 

 ( 	 
	

 
 	
 	 
 $$$  	
	

 

 	

 $$$ $$$ A-$  
O$9 $$$F 	
 *!59 
Specifications
Packages required:system
License required:level1
Home menu level:/ppp
Description
  
 ! ( 		 +


	

 +
2	

 	
 +


 &+++ 


	

A	 	


	

   
 
 0 5	
		 	
 
 $ 5	
		  	
	

	

  
 (
    
 
(    
 0 5	
		
		
 
  
 $ 5	
		 	
 
 
 
 
 $ 	
		   
 	 	
  	
Page 255 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							(
 ( 
   	


	

 
 5	
  


  
 $ 	
		 	( 

  
  	  


  
 0 5	
		 	( 
 
 
 
 



 
 	
	 *$ 	 
	 
 ( *$  
 
	





   	
 

!
  +5*0! 	


	

 ( 
 *!$  

 	

	
 
 	
 
 	
	 $$$ 
	 	
 	


  
 ( 

 	 	 

   
 ! 	 	 +5*0!


  	
 	


	
  $$$ $$$F $$$ A-$  
O$9 	
 *!59 



  	



(  +5*0! ( ( 
 
 
 
 
 	
  
   		
 	 

( 
 	 
	
  
 
( 	
 
Local PPP User Profiles
Home menu level:/ppp profile
Description
$$$  	  
 
 	
 (	   	  
 
 


!


 
 
0 5	
		 ( 

 	



 
 
	
 
 *$
	 		 
	 
 ( *$  
  	

		

Property Description
bridge(name) - bridge interface name, which the PPP tunnel will automatically be added in case
BCP negotiation will be successful (i.e., in case both peers support BCP and have this parameter
configured)
change-tcp-mss(yes|no|default; default:default) - modifies TCP connection MSS settings
•yes- adjust connection MSS value
•no- do not atjust connection MSS value
•default- derive this value from the interface default profile; same as no if this is the interface
default profile
dns-server(IP address) - IP address of the DNS server to supply to clients
idle-timeout(time) - specifies the amount of time after which the link will be terminated if there
was no activity present. There is no timeout set by default
•0s- no link timeout is set
incoming-filter(name) - firewall chain name for incoming packets. Specified chain gets control for
each packet coming from the client. The ppp chain should be manually added and rules with
action=jump jump-target=ppp should be added to other relevant chains in order for this feature to
work. For more information look at the Examples section
local-address(IP addressname) - IP address or IP address pool name for PPP server
name(name) - PPP profile name
only-one(yes|no|default; default:default) - defines whether a user is allowed to have more then
one connection at a time
•yes- a user is not allowed to have more than one connection at a time
Page 256 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							•no- the user is allowed to have more than one connection at a time
•default- derive this value from the interface default profile; same as no if this is the interface
default profile
outgoing-filter(name) - firewall chain name for outgoing packets. Specified chain gets control for
each packet going to the client. The ppp chain should be manually added and rules with
action=jump jump-target=ppp should be added to other relevant chains in order for this feature to
work. For more information look at the Examples section
rate-limit(text; default:) - rate limitation in form of rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate]
[rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority]
[rx-rate-min[/tx-rate-min]]]] from the point of view of the router (so rx is client upload, and tx
is client download). All rates are measured in bits per second, unless followed by optional k suffix
(kilobits per second) or M suffix (megabits per second). If tx-rate is not specified, rx-rate serves as
tx-rate too. The same applies for tx-burst-rate, tx-burst-threshold and tx-burst-time. If both
rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and
tx-rate are used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is
used as default. Priority takes values 1..8, where 1 implies the highest priority, but 8 - the lowest. If
rx-rate-min and tx-rate-min are not specified rx-rate and tx-rate values are used. The rx-rate-min
and tx-rate-min values can not exceed rx-rate and tx-rate values.
remote-address(IP addressname) - IP address or IP address pool name for PPP clients
session-timeout(time) - maximum time the connection can stay up. By default no time limit is set
•0s- no connection timeout
use-compression(yes|no|default; default:default) - specifies whether to use data compression or
not
•yes- enable data compression
•no- disable data compression
•default- derive this value from the interface default profile; same as no if this is the interface
default profile
use-encryption(yes|no|required|default; default:default) - specifies whether to use data
encryption or not
•yes- enable data encryption
•no- disable data encryption
•requided- enable and require encryption
•default- derive this value from the interface default profile; same as no if this is the interface
default profile
use-vj-compression(yes|no|default; default:default) - specifies whether to use Van Jacobson
header compression algorithm
•yes- enable Van Jacobson header compression
•no- disable Van Jacobson header compression
•default- derive this value from the interface default profile; same as no if this is the interface
default profile
wins-server(IP address) - IP address of the WINS server to supply to Windows clients
Notes
Page 257 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							 	 
 	
  
	
 	


  (
[admin@rb13] ppp profile> printFlags: * - default0 * name=default use-compression=default use-vj-compression=defaultuse-encryption=default only-one=default change-tcp-mss=yes
1 * name=default-encryption use-compression=defaultuse-vj-compression=default use-encryption=yes only-one=defaultchange-tcp-mss=yes[admin@rb13] ppp profile>
0 O	
 P	
 
 
   	( 
 	 
 	  
 
 
	

 
 	 


 	




	

	


	

	

 	 
	= 
 	
  

=

	

   8	 


	



	

	

 
 	

 	
  	
	 	  	

 
 	


		
  
  +5*0! 	


	

  
* 
 	  
	
 /. 
	
 $$$ 



 	

 
  
 
 

 

 
  	
  
 
	 !! 	

  
 	
 
	 

	 
  3$0

2	


) 



  
	 
 )3$ 
 
 
 
 *
   
 
	 0 	 

   
 
 
  		  
	



 72 F


 	 * 
 )3$ 

	

 
 
 
  	
	
	  	 
 
   9
 
	
 
  
 	( 

	 (	 	

	
( +3 	  	

 F


7 
 
 	 (	 +3 	 	 
 $$$ 

 

 	( 	
 +3 	
3

   	 	 *$ 	 &/.//-//- 	 	 
 
 	  
 
 	  

 *

%
   
 
 
 	 	
 
    	 	 	
	  
 & 	
 


   I!1I$! 
  	7
 (   	
  

 	(
 
  	
Example
 	 
 
	
 	
 
 
 
 
!+%+%+%!	 	
 
 	  

 
 
 

 

 
	 
  

 


	

[admin@rb13] ppp profile> add name=ex local-address=10.0.0.1 remote-address=exincoming-filter=mypppclients[admin@rb13] ppp profile> printFlags: * - default0 * name=default use-compression=default use-vj-compression=defaultuse-encryption=default only-one=default change-tcp-mss=yes
1 * name=default-encryption use-compression=defaultuse-vj-compression=default use-encryption=yes only-one=defaultchange-tcp-mss=yes2 name=ex local-address=10.0.0.1 remote-address=ex use-compression=defaultuse-vj-compression=default use-encryption=default only-one=defaultchange-tcp-mss=default incoming-filter=mypppclients[admin@rb13] ppp profile>
Local PPP User Database
Home menu level:/ppp secret
Page 258 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							Description
$$$ 0 5	
		 
 $$$  	  
 $$$   	
 
 	 
Property Description
caller-id(text; default:) - for PPTP and L2TP it is the IP address a client must connect from. For
PPPoE it is the MAC address (written in CAPITAL letters) a client must connect from. For ISDN it
is the callers number (that may or may not be provided by the operator) the client may dial-in from
•- no restrictions on where clients may connect from
limit-bytes-in(integer; default:0) - maximal amount a client can upload, in bytes, for a session
limit-bytes-out(integer; default:0) - maximal amount a client can download, in bytes, for a session
local-address(IP addressname) - IP address or IP address pool name for PPP server
name(name) - users name used for authentication
password(text; default:) - users password used for authentication
profile(name; default:default) - profile name to use together with this access record for user
authentication
remote-address(IP addressname) - IP address or IP address pool name for PPP clients
routes(text) - routes that appear on the server when the client is connected. The route format is:
dst-address [[gateway] [metric]] (for example, 10.1.0.0/24 10.0.0.1 1). Several routes may be
specified separated with commas. If gateway is not specified, the remote address is used. If metric
is not speciefied, the metric of 1 is used
service(any|async|l2tp|ovpn|pppoe|pptp; default:any) - specifies the services available to a
particular user
Example
 	 
 
 	= 
	
 	(		  $$$ ( 
 

 
 

	

[admin@rb13] ppp secret> add name=ex password=lkjrht service=pptp profile=ex[admin@rb13] ppp secret> printFlags: X - disabled# NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS0 ex pptp lkjrht ex 0.0.0.0[admin@rb13] ppp secret>
Monitoring Active PPP Users
Command name:/ppp active print
Property Description
address(read-only: IP address) - IP address the client got from the server
bytes(read-only: integerinteger) - amount of bytes transfered through this connection. First figure
represents amount of transmitted traffic from the routers point of view, while the second one shows
amount of received traffic
Page 259 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners.