MikroTik Router OS V3.0 User Manual
open($(link-logout), hotspot_logout, ...
open($(link-logout)?erase-cookie=on, hotspot_logout, ...

Hotspot login page

Page 390 of 480
Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA. Other trademarks and registered trademarks mentioned herein are properties of their respective owners.
Possible Error Messages

Description

• You are not logged in - trying to access the status page or log off while not logged in. Solution: log in
• already authorizing, retry later - authorization in progress. The client has already issued an authorization request which is not yet complete. Solution: wait for the current request to be completed, and then try again
• chap-missing = web browser did not send challenge response (try again, enable JavaScript) - trying to log in with the HTTP-CHAP method using an MD5 hash, but the HotSpot server does not know the challenge used for the hash. This may happen if you use the BACK buttons in the browser; if JavaScript is not enabled in the web browser; if the login.html page is not valid; or if the challenge value has expired on the server (more than 1h of inactivity). Solution: instructing the browser to reload (refresh) the login page usually helps if JavaScript is enabled and the login.html page is valid
• invalid username ($(username)): this MAC address is not yours - trying to log in using a MAC address username different from the actual user's MAC address. Solution: none - users with usernames that look like a MAC address (e.g., 12:34:56:78:9a:bc) may only log in from the MAC address specified as their user name
• session limit reached ($(error-orig)) - depending on the licence, the number of active HotSpot clients is limited to some number. The error is displayed when this limit is reached. Solution: try to log in later when there are fewer concurrent user sessions, or buy another license that allows more simultaneous sessions
• hotspot service is shutting down - RouterOS is currently being restarted or shut down. Solution: wait until the service is available again

• internal error ($(error-orig)) - this should never happen. If it does, an error page will be shown displaying this error message (error-orig will describe what has happened). Solution: correct the error reported
• configuration error ($(error-orig)) - the HotSpot server is not configured properly (error-orig will describe what has happened). Solution: correct the error reported
• cannot assign ip address - no more free addresses from pool - unable to get an IP address from an IP pool as there are no more free IP addresses in that pool. Solution: make sure there is a sufficient amount of free IP addresses in the IP pool

• invalid username or password - self-explanatory
• user $(username) is not allowed to log in from this MAC address - trying to log in from a MAC address different from the one specified in the user database. Solution: log in from the correct MAC address or take out the limitation
• user $(username) has reached uptime limit - self-explanatory
• user $(username) has reached traffic limit - either the limit-bytes-in or the limit-bytes-out limit is reached
• no more sessions are allowed for user $(username) - the shared-users limit for the user's profile is reached. Solution: wait until someone with this username logs out, use a different login name or extend the shared-users limit

• invalid username or password - the RADIUS server has rejected the username and password sent to it without specifying a reason. Cause: either a wrong username and/or password, or another error. Solution: should be clarified in the RADIUS server's log files
• - this may be any message (any text string) sent back by the RADIUS server. Consult your RADIUS server's documentation for further information

• RADIUS server is not responding - the user is being authenticated by the RADIUS server, but no response is received from it. Solution: check whether the RADIUS server is running and is reachable from the HotSpot router

Application Examples

Description

Setting up HTTPS authorization

[admin@MikroTik] > /certificate print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
 0 KR name=hotspot.example.net
      subject=C=LV,L=Riga,O=MT,OU=dev,CN=hotspot.example.net,[email protected]=C=LV,L=Riga,O=MT,OU=dev,CN=hotsot.example.net,[email protected]=0 [email protected]=oct/27/2004 11:43:22
      invalid-after=oct/27/2005 11:43:22
      ca=yes
/ip hotspot profile set default login-by=cookie,http-chap,https \
    ssl-certificate=hotspot.example.net

[admin@MikroTik] > /ip hotspot print
Flags: X - disabled, I - invalid, S - HTTPS
 #   NAME      INTERFACE  ADDRESS-POOL  PROFILE  IDLE-TIMEOUT
 0 S hs-local  local                    default  00:05:00

Bypass HotSpot for some devices in HotSpot network

[admin@MikroTik] ip hotspot ip-binding> print
Flags: X - disabled, P - bypassed, B - blocked
 #   MAC-ADDRESS        ADDRESS     TO-ADDRESS  SERVER
 0 P                    10.11.12.3

[admin@MikroTik] ip hotspot ip-binding> print
Flags: X - disabled, P - bypassed, B - blocked
 #   MAC-ADDRESS        ADDRESS     TO-ADDRESS  SERVER
 0 P                    10.11.12.3
 1 P 00:01:02:03:04:05  10.11.12.3  10.11.12.3  hs-local
[admin@MikroTik] ip hotspot ip-binding> .. host print
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed
 #   MAC-ADDRESS        ADDRESS     TO-ADDRESS  SERVER    IDLE-TIMEOUT
 0 P 00:01:02:03:04:05  10.11.12.3  10.11.12.3  hs-local
Web Proxy

Document revision 1.5 (December 12, 2007, 11:44 GMT)
This document applies to MikroTik RouterOS V3.0

Table of Contents

Table of Contents
Summary
Quick Setup Guide
Specifications
Description
Setup
    Property Description
    Notes
    Example
Proxy Monitoring
    Property Description
Access List
    Description
    Property Description
    Notes
Direct Access List
    Description
    Property Description
    Notes
Cache Management
    Description
    Property Description
Connection List
    Description
    Property Description
Cache Contents
    Description
    Property Description
Cache inserts
    Description
    Property Description
Cache Lookups
    Description
    Property Description
Complementary Tools
    Description
    Command Description
Transparent Mode
    Description
    Notes
    Example
HTTP Methods
    Description

General Information

Summary

Quick Setup Guide

[admin@MikroTik] ip proxy> set enabled=yes port=8000 max-cache-size=1048576
[admin@MikroTik] ip proxy> print
                 enabled: yes
             src-address: 0.0.0.0
                    port: 8000
            parent-proxy: 0.0.0.0
       parent-proxy-port: 0
             cache-drive: system
     cache-administrator: webmaster
          max-cache-size: 1048576KiB
           cache-on-disk: no
  max-client-connections: 600
  max-server-connections: 600
          max-fresh-time: 3d
   serialize-connections: no
       always-from-cache: no
          cache-hit-dscp: 4
[admin@MikroTik] ip proxy>

[admin@MikroTik] ip firewall nat> add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8000
[admin@MikroTik] ip firewall nat>

Specifications

Packages required: web-proxy
License required: level3
Home menu level: /ip web-proxy
Standards and Technologies: HTTP/1.0, HTTP/1.1, FTP
Hardware usage: uses memory and disk space, if available (see description below)
Description

Setup

Home menu level: /ip proxy

Property Description

always-from-cache (yes | no; default: no) - ignore client refresh requests if the content is considered fresh
cache-administrator (text; default: webmaster) - administrator's e-mail displayed on the proxy error page
cache-drive (system | name; default: system) - specifies the target disk drive to be used for storing cached objects. You can use console completion to see the list of available drives
cache-hit-dscp (integer: 0..63) - automatically mark cache hits with the provided DSCP value
cache-on-disk (yes | no; default: no) - whether to store cache files on disk or in the RAM filesystem
enabled (yes | no; default: no) - specifies whether the web proxy is enabled
max-cache-size (none | unlimited | integer: 0..4294967295; default: none) - specifies the maximal disk cache size, measured in kibibytes
max-client-connections (integer; default: 600) - maximum number of concurrent client connections accepted by the proxy. All further connections will be rejected
max-fresh-time (time; default: 3d) - an upper limit on how long objects without an explicit expiry time will be considered fresh
max-server-connections (integer; default: 600) - maximum number of concurrent proxy connections to external servers. All further connections will be put on hold until some of the existing server connections terminate
parent-proxy (IP address:port; default: 0.0.0.0) - IP address of the upper-level (parent) proxy
parent-proxy-port (port) - TCP port the parent proxy is active on
port (port; default: 3128) - specifies the port(s) the web proxy will be listening on
serialize-connections (yes | no; default: no) - do not make multiple connections to the server for multiple client connections, if possible (i.e. the server supports persistent HTTP connections). Clients will be served on a FIFO principle; the next client is processed when the response transfer to the previous one is completed. If a client is idle for too long (max 5 seconds by default), it will give up waiting and open another connection to the server
src-address (IP address; default: 0.0.0.0) - the web proxy will use this address when connecting to the parent proxy or web site.
• 0.0.0.0 - an appropriate src-address will be automatically taken from the routing table (preferred source of the respective route)

Notes

Example

[admin@MikroTik] ip proxy> set enabled=yes port=8080 \
\... max-cache-size=unlimited
[admin@MikroTik] ip proxy> print
                 enabled: yes
             src-address: 0.0.0.0
                    port: 8000
            parent-proxy: 0.0.0.0
       parent-proxy-port: 0
             cache-drive: system
     cache-administrator: webmaster
          max-cache-size: 21000KiB
           cache-on-disk: no
  max-client-connections: 600
  max-server-connections: 600
          max-fresh-time: 3d
   serialize-connections: no
       always-from-cache: no
          cache-hit-dscp: 4
[admin@MikroTik] ip proxy>

Proxy Monitoring

Command name: /ip proxy monitor

Property Description

cache-used (read-only: integer) - the amount of disk (or RAM if the cache is stored only in RAM) used by the cache
free-disk-space (read-only: integer) - the amount of free space on the cache drive
hits (read-only: integer) - number of client requests resolved from the cache
hits-sent-to-clients (read-only: integer) - the amount of cache hits sent to clients
received-from-servers (read-only: integer) - total amount of data received from the external servers
requests (read-only: integer) - total number of client requests to the proxy
sent-to-clients (read-only: integer) - total amount of data sent to the clients
status (read-only: text; default: stopped) - display status information of the proxy server
• stopped - proxy is disabled and is not running
• running - proxy is enabled and running
• formatting-disk - the cache drive is being formatted
• checking-disk - the cache drive is being checked for errors and cache inconsistencies
• invalid-address - proxy is enabled, but not running because of an invalid address (you should change the address or port)
total-disk-size (read-only: integer) - size of the cache drive
total-ram-used (read-only: integer) - the amount of memory used by the proxy (excluding RAM cache size)
uptime (read-only: time) - the time since the proxy was last started

Access List

Home menu level: /ip proxy access

Description

Property Description

action (allow | deny; default: allow) - specifies whether to pass or deny matched packets
dst-address (IP address/netmask) - destination address of the IP packet
dst-host (wildcard) - IP address or DNS name used to make the connection to the target server (this is the string the user wrote in his/her browser before specifying the port and path to a particular web page)
dst-port (port) - a list or range of ports the packet is destined to
hits (read-only: integer) - the number of requests that were policed by this rule
local-port (port) - specifies the port of the web proxy via which the packet was received. This value should match one of the ports the web proxy is listening on.
method (any | connect | delete | get | head | options | post | put | trace) - HTTP method used in the request (see the HTTP Methods section at the end of this document)
path (wildcard) - name of the requested page within the target server (i.e. the name of a particular web page or document without the name of the server it resides on)
redirect-to (text) - in case access is denied by this rule, the user shall be redirected to the URL specified here
src-address (IP address/netmask) - source address of the IP packet

Notes

Direct Access List

Home menu level: /ip proxy direct

Description

Property Description

action (allow | deny; default: allow) - specifies the action to perform on matched packets
• allow - always resolve matched requests directly, bypassing the parent router
• deny - resolve matched requests through the parent proxy. If none is specified, this has the same effect as allow
dst-address (IP address/netmask) - destination address of the IP packet
dst-host (wildcard) - IP address or DNS name used to make the connection to the target server (this is the string the user wrote in his/her browser before specifying the port and path to a particular web page)
dst-port (port) - a list or range of ports the packet is destined to
local-port (port) - specifies the port of the web proxy via which the packet was received. This value should match one of the ports the web proxy is listening on.
method (any | connect | delete | get | head | options | post | put | trace) - HTTP method used in the request (see the HTTP Methods section at the end of this document)
path (wildcard) - name of the requested page within the target server (i.e. the name of a particular web page or document without the name of the server it resides on)
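
The match properties listed under Access List (and shared by Direct Access List) can be modeled in a few lines to see which requests a given rule set lets through. This is an added example, not MikroTik code. It assumes rules are checked top to bottom, the first matching rule decides, a request matching no rule is allowed, wildcards are * and ? matched against the whole string, and a leading ':' marks a regular expression; all rule sets, addresses and requests are constructed.

```python
import ipaddress
import re

def wildcard_match(pattern, value):
    """Whole-string match with * and ?; a leading ':' marks a regex (assumed)."""
    if pattern.startswith(":"):
        return re.search(pattern[1:], value) is not None
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value) is not None

def rule_matches(rule, req):
    """A property that is absent from the rule matches every request."""
    if "src-address" in rule:
        net = ipaddress.ip_network(rule["src-address"])
        if ipaddress.ip_address(req["src"]) not in net:
            return False
    if "dst-port" in rule and req["port"] not in rule["dst-port"]:
        return False
    if rule.get("method", "any") not in ("any", req["method"]):
        return False
    if "dst-host" in rule and not wildcard_match(rule["dst-host"], req["host"]):
        return False
    if "path" in rule and not wildcard_match(rule["path"], req["path"]):
        return False
    return True

def decide(rules, req):
    """Assumed semantics: top to bottom, first match wins, no match = allow."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.get("action", "allow")
    return "allow"

# Constructed rule sets and requests (private and documentation addresses).
LAN = "192.168.1.0/24"
NO_RULES = []                                   # proxy enabled, access list empty
RESTRICTED = [
    {"src-address": LAN, "method": "connect", "dst-port": [443]},
    {"method": "connect", "action": "deny"},    # no tunnels to other ports
    {"src-address": LAN},                       # action defaults to allow
    {"action": "deny"},                         # everyone else
]
OUTSIDE_GET = {"src": "203.0.113.9", "method": "get", "host": "www.example.org",
               "port": 80, "path": "/index.html"}
LAN_GET = dict(OUTSIDE_GET, src="192.168.1.20")
LAN_TUNNEL = {"src": "192.168.1.20", "method": "connect",
              "host": "mail.example.org", "port": 25, "path": ""}

if __name__ == "__main__":
    for name in ("OUTSIDE_GET", "LAN_GET", "LAN_TUNNEL"):
        req = globals()[name]
        print(name, decide(NO_RULES, req), decide(RESTRICTED, req))
```

Under these assumptions an empty access list lets the outside request through, so a proxy enabled as in the Quick Setup Guide needs explicit src-address rules followed by a final deny.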