MikroTik Router OS V3.0 User Manual
caller-id (read-only: text) - for PPTP and L2TP it is the IP address the client connected from. For PPPoE it is the MAC address the client connected from. For ISDN it is the caller's number the client dialed in from
• "" - no restrictions on where clients may connect from
encoding (read-only: text) - shows the encryption and encoding (separated with / if asymmetric) used in this connection
limit-bytes-in (read-only: integer) - maximum number of bytes the user is allowed to send to the router
limit-bytes-out (read-only: integer) - maximum number of bytes the router is allowed to send to the client
name (read-only: name) - user name supplied at the authentication stage
packets (read-only: integer/integer) - number of packets transferred through this connection. The first figure is the amount of transmitted traffic from the router's point of view, the second one the amount of received traffic
service (read-only: async | l2tp | ovpn | pppoe | pptp) - the type of service the user is using
session-id (read-only: text) - shows the unique client identifier
uptime (read-only: time) - the user's uptime

Example

[admin@rb13] > /ppp active print
Flags: R - radius
 #   NAME     SERVICE  CALLER-ID     ADDRESS       UPTIME  ENCODING
 0   ex       pptp     10.0.11.12    10.0.0.254    1m16s   MPPE128...
[admin@rb13] > /ppp active print detail
Flags: R - radius
 0   name=ex service=pptp caller-id=10.0.11.12 address=10.0.0.254
     uptime=1m22s encoding=MPPE128 stateless session-id=0x8180002B
     limit-bytes-in=200000000 limit-bytes-out=0
[admin@rb13] > /ppp active print stats
Flags: R - radius
 #   NAME     BYTES              PACKETS
 0   ex       10510/159690614    187/210257
[admin@rb13] >

PPP User Remote AAA

Home menu level: /ppp aaa

Property Description

accounting (yes | no; default: yes) - enable RADIUS accounting
interim-update (time; default: 0s) - Interim-Update time interval
use-radius (yes | no; default: no) - enable user authentication via RADIUS

Notes

Example

[admin@MikroTik] ppp aaa> set use-radius=yes
[admin@MikroTik] ppp aaa> print
      use-radius: yes
      accounting: yes
  interim-update: 0s
[admin@MikroTik] ppp aaa>

Page 260 of 480. Copyright 1999-2007, MikroTik. All rights reserved.
Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA. Other trademarks and registered trademarks mentioned herein are properties of their respective owners.
Router User AAA

Document revision 2.4 (February 6, 2008, 1:40 GMT)
This document applies to MikroTik RouterOS V3.0

Table of Contents

Summary
Specifications
Description
Router User Groups
  Description
  Property Description
  Notes
  Example
Router Users
  Description
  Property Description
  Notes
  Example
Monitoring Active Router Users
  Description
  Property Description
  Example
Router User Remote AAA
  Description
  Property Description
  Notes
  Example
SSH keys
  Description
  Property Description
  Command Description
  Example

General Information

Summary

Specifications

Packages required: system
License required: level1
Home menu level: /user
Hardware usage: Not significant

Description

Router User Groups

Home menu level: /user group

Description

Property Description

name (name) - the name of the user group
policy (multiple choice: local | telnet | ssh | ftp | reboot | read | write | policy | test | winbox | password | web | sniff) - group policy item set
• local - grants the right to log in locally via the local console
• telnet - grants the right to log in remotely via telnet
• ssh - grants the right to log in remotely via the secure shell protocol
• ftp - grants the right to log in remotely via FTP and to transfer files from and to the router. Keep in mind that a user allowed to transfer files may also upload a new RouterOS version that will be applied at the next reboot
• reboot - allows rebooting the router
• read - grants read access to the router's configuration. All console commands that do not alter the router's configuration are allowed
• write - grants write access to the router's configuration, except for user management. This policy does not allow reading the configuration, so make sure to enable the read policy as well
• policy - grants user management rights. Should be used together with the write policy
• test - grants the right to run ping, traceroute, bandwidth-test and wireless scan, sniffer and snooper commands
• winbox - grants the right to connect to the router remotely using the WinBox interface
• password - grants the user the option to change their own password
• web - grants the right to log in remotely via WebBox
• sniff - grants access to the packet sniffer facility
Notes

[admin@rb13] > /user group print
 0 name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,!ftp,!write,!policy
 1 name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,!ftp,!policy
 2 name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff
[admin@rb13] >

Example

[admin@rb13] user group> add name=reboot policy=telnet,reboot,read,local
[admin@rb13] user group> print
 0 name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,!ftp,!write,!policy
 1 name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,!ftp,!policy
 2 name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff
 3 name=reboot policy=local,telnet,reboot,read,!ssh,!ftp,!write,!policy,!test,!winbox,!password,!web,!sniff
[admin@rb13] user group>

Router Users

Home menu level: /user

Description

Property Description

address (IP address/netmask; default: 0.0.0.0/0) - host or network address from which the user is allowed to log in
group (name) - name of the group the user belongs to
name (name) - user name. Although it must start with an alphanumeric character, it may contain *, _, . and @ symbols
password (text; default: "") - user password. If not specified, it is left blank (hit [Enter] when logging in). It conforms to standard Unix characteristics of passwords and may contain letters, digits, * and _ symbols
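The group policy items and the user properties (name, group, address) described above are exactly what an auditor reads back from "/user group print" and "/user print detail". The following Python script is an added example, not MikroTik code: it parses that print output, flags the least-privilege problems the manual itself warns about (ftp permitting an image upload, write without read, policy without write, a privileged account reachable from 0.0.0.0/0, a user pointing at a group that does not exist), and renders an "add" command that lists denials explicitly in the same order the router prints them. The sample print text is constructed to look like the manual's output; the "ops" group and the "netops" and "old" users are invented for illustration.

```python
"""Audit RouterOS /user and /user group print output for least-privilege issues.

Added example, not MikroTik code. The sample print text below is constructed
to look like the output shown in the manual; the 'ops' group and the 'netops'
and 'old' users are invented for illustration.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Policy items in the order RouterOS v3 prints them.
ALL_POLICIES = ["local", "telnet", "ssh", "ftp", "reboot", "read", "write",
                "policy", "test", "winbox", "password", "web", "sniff"]
# Items that change the device or its access control. "ftp" is here because
# the manual notes an FTP user can upload a RouterOS image applied at reboot.
PRIVILEGED: Set[str] = {"write", "policy", "ftp", "reboot"}

GROUP_PRINT = """\
0 name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,!ftp,!write,!policy
1 name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,!ftp,!policy
2 name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff
3 name="ops" policy=ssh,write,policy,!local,!telnet,!ftp,!reboot,!read,!test,!winbox,!password,!web,!sniff
"""

USER_PRINT = """\
Flags: X - disabled
0   ;;; system default user
    name="admin" group=full address=0.0.0.0/0
1   name="joe" group=write address=0.0.0.0/0
2   name="netops" group=ops address=10.0.0.0/24
3 X name="old" group=missing address=0.0.0.0/0
"""

REC_START = re.compile(r"^\s*(\d+)\s+(?:([A-Z]+)\s+)?(.*)$")
KEY_VALUE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')


def parse_print(text: str) -> List[Dict[str, str]]:
    """Turn 'print' / 'print detail' output into a list of key/value records."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Flags:"):
            continue
        m = REC_START.match(line)
        if m:                                # "<id> [FLAGS] key=value ..."
            records.append({"id": m.group(1), "flags": m.group(2) or ""})
            rest = m.group(3)
        elif records:                        # indented continuation line
            rest = line
        else:
            continue
        if rest.lstrip().startswith(";;;"):  # comment attached to the item
            records[-1]["comment"] = rest.lstrip()[3:].strip()
            continue
        for key, value in KEY_VALUE.findall(rest):
            records[-1][key] = value.strip('"')
    return records


def granted(policy: str) -> Set[str]:
    """Granted items only; '!item' entries are explicit denials."""
    return {p for p in policy.split(",") if p and not p.startswith("!")}


def audit(group_text: str, user_text: str) -> List[Tuple[str, str]]:
    """Return (subject, problem) pairs for the groups and users given."""
    groups = {g["name"]: granted(g.get("policy", "")) for g in parse_print(group_text)}
    findings: List[Tuple[str, str]] = []
    for name, pol in groups.items():
        if "ftp" in pol:
            findings.append((f"group {name}", "ftp: can upload a RouterOS image applied at next reboot"))
        if "write" in pol and "read" not in pol:
            findings.append((f"group {name}", "write without read (manual: enable read as well)"))
        if "policy" in pol and "write" not in pol:
            findings.append((f"group {name}", "policy (user management) without write"))
    for u in parse_print(user_text):
        name, grp = u.get("name", "?"), u.get("group", "")
        pol = groups.get(grp)
        if pol is None:
            findings.append((f"user {name}", f"refers to unknown group '{grp}'"))
            continue
        if "X" in u["flags"]:
            continue                         # disabled accounts cannot log in
        if u.get("address", "0.0.0.0/0") == "0.0.0.0/0" and pol & PRIVILEGED:
            findings.append((f"user {name}", f"privileged group '{grp}' with no source address restriction"))
    return findings


def render_group_add(name: str, grant: Iterable[str]) -> str:
    """Build an 'add' command listing denials explicitly, in the router's own order."""
    want = set(grant)
    unknown = want - set(ALL_POLICIES)
    if unknown:
        raise ValueError(f"unknown policy items: {sorted(unknown)}")
    items = [p for p in ALL_POLICIES if p in want] + [f"!{p}" for p in ALL_POLICIES if p not in want]
    return f"/user group add name={name} policy={','.join(items)}"


if __name__ == "__main__":
    for subject, problem in audit(GROUP_PRINT, USER_PRINT):
        print(f"{subject}: {problem}")
    print(render_group_add("reboot", ["telnet", "reboot", "read", "local"]))
```

Run it against a real export by pasting the two print outputs into the two constants. Note that the default "full" group is reported for its ftp item on every router; the finding is there so that nobody is placed in that group without the address restriction being set on the user.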
Notes

[admin@MikroTik] user> print
Flags: X - disabled
 #   NAME      GROUP   ADDRESS
 0   ;;; system default user
     admin     full    0.0.0.0/0
[admin@MikroTik] user>

Example

[admin@MikroTik] user> add name=joe password=j1o2e3 group=write
[admin@MikroTik] user> print
Flags: X - disabled
 0   ;;; system default user
     name=admin group=full address=0.0.0.0/0
 1   name=joe group=write address=0.0.0.0/0
[admin@MikroTik] user>

Monitoring Active Router Users

Command name: /user active print

Description

Property Description

address (read-only: IP address) - host IP address from which the user is accessing the router
• 0.0.0.0 - the user is logged in locally from the console
name (read-only: name) - user name
radius (read-only: flag) - the user has been authenticated through a RADIUS server
via (read-only: console | telnet | ssh | winbox) - the user's access method
• console - the user is logged in locally
• telnet - the user is logged in remotely via telnet
• ssh - the user is logged in remotely via the secure shell protocol
• winbox - the user is logged in remotely via the WinBox tool
when (read-only: date) - login date and time

Example

[admin@rb13] user> active print
Flags: R - radius
 #   WHEN                 NAME      ADDRESS         VIA
 0   feb/27/2004 00:41:41 admin     1.1.1.200       ssh
 1   feb/27/2004 01:22:34 admin     1.1.1.200       winbox
[admin@rb13] user>

Router User Remote AAA

Home menu level: /user aaa

Description

Property Description

accounting (yes | no; default: yes) - whether to use RADIUS accounting
default-group (name; default: read) - user group used by default for users authenticated via a RADIUS server (if the server did not specify a different user group)
interim-update (time; default: 0s) - RADIUS Interim-Update interval
use-radius (yes | no; default: no) - specifies whether a user database on a RADIUS server should be consulted

Notes

Example

[admin@MikroTik] user aaa> set use-radius=yes
[admin@MikroTik] user aaa> print
      use-radius: yes
      accounting: yes
  interim-update: 0s
   default-group: read
[admin@MikroTik] user aaa>

SSH keys

Home menu level: /user ssh-keys

Description
Property Description

key-owner (read-only: text) - remote user, as specified in the key file
user (name) - the user that is allowed to log in using this key (must exist in the user list)

Command Description

import - import the uploaded DSA key
• user - the user the imported key is linked to
• file - filename of the DSA key to import

Example

sh-3.00$ ssh-keygen -t dsa -f ./id_dsa
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_dsa.
Your public key has been saved in ./id_dsa.pub.
The key fingerprint is:
91:d7:08:be:b6:a1:67:5e:81:02:cb:4d:47:d6:a0:3b admin-ssh@test

[admin@MikroTik] user ssh-keys> print
 #   USER       KEY-OWNER
[admin@MikroTik] user ssh-keys> import file=id_dsa.pub user=admin-ssh
[admin@MikroTik] user ssh-keys> print
 #   USER       KEY-OWNER
 0   admin-ssh  admin-ssh@test
[admin@MikroTik] user ssh-keys>
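The import command above accepts a DSA key file, and the key-owner the router shows afterwards is the comment at the end of the .pub line. The Python below is an added example, not MikroTik code, for checking a .pub file on the workstation before uploading it: it decodes the base64 blob, confirms the type prefix matches the type encoded inside the blob, refuses anything other than ssh-dss (the only type this import documents), counts the p, q, g, y fields and reports the key size and the comment that will become key-owner. The sample key line is constructed from fake parameter values so that the wire format can be exercised offline; it is not a usable DSA key.

```python
"""Pre-flight check of an OpenSSH public key file before '/user ssh-keys import'.

Added example, not MikroTik code. RouterOS v3 imports a DSA key, so the check
refuses other key types. The sample key is constructed from fake parameter
values purely to exercise the wire format; it is not a usable DSA key.
"""
import base64
import struct
from typing import Dict, List, Tuple


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(data)) + data


def _mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer (leading 0x00 keeps it positive)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    """Read one length-prefixed field, refusing to run past the end of the blob."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from("!I", blob, off)
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + length], off + length


def inspect_pubkey(line: str, allowed=("ssh-dss",)) -> Dict[str, object]:
    """Validate one line of an OpenSSH .pub file; return type, size and key-owner."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner, off = _read_string(blob, 0)
    if inner.decode("ascii", "replace") != ktype:
        raise ValueError(f"prefix {ktype!r} does not match encoded type {inner!r}")
    if ktype not in allowed:
        raise ValueError(f"{ktype} is not importable here; RouterOS v3 expects a DSA key")
    fields: List[bytes] = []
    while off < len(blob):
        field, off = _read_string(blob, off)
        fields.append(field)
    if ktype == "ssh-dss" and len(fields) != 4:
        raise ValueError("ssh-dss blob must carry exactly p, q, g, y")
    p_bits = int.from_bytes(fields[0], "big").bit_length()
    # An empty comment would leave key-owner blank on the router.
    return {"type": ktype, "bits": p_bits, "key_owner": comment}


def constructed_key_line(ktype: str = "ssh-dss", comment: str = "admin-ssh@test") -> str:
    """Constructed .pub line with fake DSA-shaped parameters (not a real key)."""
    blob = (_ssh_string(ktype.encode()) + _mpint(2 ** 1023 + 1) + _mpint(2 ** 159 + 1)
            + _mpint(2) + _mpint(12345))
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    print(inspect_pubkey(constructed_key_line()))
```

To check a real file, pass the single line of id_dsa.pub to inspect_pubkey(); the returned key_owner is the value you should expect in the KEY-OWNER column after the import.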
Traffic Flow

Document revision 1.1 (February 6, 2008, 1:40 GMT)
This document applies to MikroTik RouterOS V3.0

Table of Contents

General Information
  Specifications
  Related Documents
  Description
General Configuration
  Description
  Property Description
Traffic-Flow Target
  Description
  Property Description
Traffic-Flow Example

General Information

Specifications

Packages required: system
License required: level1
Home menu level: /ip traffic-flow
Hardware usage: Not significant

Related Documents

Description

• version 1 - the first version of the NetFlow data format; do not use it unless you have to
• version 5 - in addition to version 1, version 5 has the BGP AS and flow sequence number information included
• version 9 - a new format which can be extended with new fields and record types, thanks to its template-style design

General Configuration

Description

Property Description

active-flow-timeout (time; default: 30m) - maximum lifetime of a flow
cache-entries (1k | 2k | 4k | 8k | 16k | 32k | 64k | 128k | 256k | 512k; default: 1k) - number of flows that can reside in the router's memory simultaneously
enabled (yes | no) - whether to enable the traffic-flow service
inactive-flow-timeout (time; default: 15s) - how long to keep a flow active if it is idle
interfaces (name) - names of the interfaces on which statistics are gathered for traffic-flow. To specify more than one interface, separate them with a comma (,)

Traffic-Flow Target

Home menu level: /ip traffic-flow target

Description

Property Description

address (IP address:port) - IP address and UDP port of the host which receives Traffic-Flow statistics packets from the router
v9-template-refresh (integer; default: 20) - number of packets after which the template is sent to the receiving host (only for NetFlow version 9)
v9-template-timeout - after how long to send the template if it has not been sent
version (1 | 5 | 9) - which NetFlow format version to use

Application Examples

Traffic-Flow Example

[admin@MikroTik] ip traffic-flow> set enabled=yes
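The target receives plain UDP datagrams in the NetFlow version chosen above; the version 5 format mentioned earlier carries a flow sequence number, which is what a collector uses to notice lost export packets. The Python below is an added example, not MikroTik code: it decodes a version 5 datagram (24-byte header, 48-byte records, at most 30 per packet), rejects other versions and truncated packets, and tracks the sequence number per exporter to count missed records. The datagrams it decodes are constructed in build_sample(); the addresses reuse the manual's 10.0.11.12 / 10.0.0.254 PPTP pair, and none of it is a real capture.

```python
"""Decode NetFlow version 5 export datagrams like those /ip traffic-flow sends.

Added example, not MikroTik code. The datagrams decoded here are constructed
in build_sample(); the addresses reuse the manual's 10.0.11.12 / 10.0.0.254
PPTP pair, and none of it is a real capture.
"""
import socket
import struct
from typing import Dict, List

HEADER = struct.Struct("!HHIIIIBBH")             # 24 bytes
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48 bytes per flow
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dpkts",
                 "doctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")
MAX_RECORDS = 30   # v5 exporters send at most 30 flows per datagram


def ip_to_int(addr: str) -> int:
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def parse_netflow_v5(datagram: bytes) -> Dict[str, object]:
    """Return {'header': {...}, 'flows': [...]} or raise ValueError on malformed input."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the 24-byte v5 header")
    header = dict(zip(HEADER_FIELDS, HEADER.unpack_from(datagram, 0)))
    if header["version"] != 5:
        raise ValueError(f"not NetFlow v5 (version field = {header['version']})")
    if header["count"] > MAX_RECORDS:
        raise ValueError(f"count {header['count']} exceeds {MAX_RECORDS}")
    needed = HEADER.size + header["count"] * RECORD.size
    if len(datagram) < needed:
        raise ValueError(f"truncated: {len(datagram)} bytes, need {needed}")
    flows: List[Dict[str, object]] = []
    for i in range(header["count"]):
        rec = dict(zip(RECORD_FIELDS, RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = int_to_ip(rec[key])
        flows.append(rec)
    return {"header": header, "flows": flows}


class SequenceTracker:
    """Follow flow_sequence per exporter; a positive gap means export datagrams were lost."""

    def __init__(self) -> None:
        self.expected: Dict[str, int] = {}

    def check(self, exporter: str, header: Dict[str, int]) -> int:
        """Return the number of flow records missed before this datagram (0 if none)."""
        expected = self.expected.get(exporter)
        missed = 0 if expected is None else (header["flow_sequence"] - expected) & 0xFFFFFFFF
        self.expected[exporter] = (header["flow_sequence"] + header["count"]) & 0xFFFFFFFF
        return missed


def build_sample(flow_sequence: int) -> bytes:
    """Constructed two-flow datagram: a PPTP control connection and its GRE tunnel."""
    flows = [
        (ip_to_int("10.0.11.12"), ip_to_int("10.0.0.254"), 0, 1, 0, 187, 10510, 1000, 76000,
         49152, 1723, 0, 0x18, 6, 0, 0, 0, 24, 24, 0),
        (ip_to_int("10.0.0.254"), ip_to_int("10.0.11.12"), 0, 0, 1, 210257, 159690614, 1100, 82000,
         0, 0, 0, 0, 47, 0, 0, 0, 24, 24, 0),
    ]
    header = HEADER.pack(5, len(flows), 82000, 1202260800, 0, flow_sequence, 0, 0, 0)
    return header + b"".join(RECORD.pack(*f) for f in flows)


if __name__ == "__main__":
    tracker = SequenceTracker()
    for seq in (0, 2, 10):                 # the jump to 10 simulates 6 lost records
        parsed = parse_netflow_v5(build_sample(seq))
        print("missed before this datagram:", tracker.check("10.0.0.254", parsed["header"]))
        for flow in parsed["flows"]:
            print(flow["srcaddr"], "->", flow["dstaddr"], "proto", flow["prot"], "bytes", flow["doctets"])
```

A very large "missed" value means the datagrams arrived out of order or the exporter restarted its counter, so treat it as a reset rather than a loss figure. Because the export is unauthenticated UDP, keep the target on a management network and filter the collector port to the router's source address.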