PN 613-000813 Rev. B
AT-WR4500 Series
RouterOS v3 Configuration and User Guide
AT-WR4500 Series IEEE 802.11abgh Outdoor Wireless Routers
Limitation of Liability and Damages
Contents
IP Addresses and ARP
Routes, Equal Cost Multipath Routing, Policy Routing
Hot Spot Service
10.3.8 Service Port
10.3.7 Command Description
Possible Error Messages
12.1.2 General Settings
Figures
How This Guide is organized
Purpose of This Guide
Document Conventions
Tell Us What You Think
Sales or Corporate Information Management Software Updates
Allied Telesis FTP server ftp://ftp.alliedtelesis.com
Introduction
Admin@AT-WR4541g /system license print software-id NCL8-3TT
Features
Software License
Using WinBox
Accessing the WR4500 through WinBox
Logging in the AT-WR4500 Router
Downloading WinBox loader
Password can be changed with the /password command
Accessing the CLI
AT-WR4500 Login admin Password
Command Action
General Information
System Backup
Import Command
Export Command
Specifications
Configuration Reset
Software Version Management
General Information
To upgrade chosen packages
System Upgrade
Step-by-Step
Property Description
192.168.25.8 Admin
Submenu level /system upgrade upgrade-package-source
Software Package Management
Adding Package Source
Uninstallation
Installation Upgrade
Command name /system package uninstall
Admin@AT-WR4562 system package print Flags X disabled
Command name /system package downgrade
Downgrading
Name Version
Command name /system package unschedule
Suppose we need to test ipv6 package features
Disabling and Enabling
Unscheduling
Name Version Scheduled
Admin@AT-WR4562 system package unschedule security
Software Package List
To upgrade selected packages
Download
Downloading 16 %
Package name Contents Prerequisites Additional License
Package name Contents Prerequisites Additional License
Command name /interface monitor-traffic
General Interface Settings
Interface Status
Traffic Monitoring
Ethernet Interfaces
Ethernet Interface Configuration
Related Topics
Additional Resources
Monitoring the Interface Status
Command name /interface ethernet monitor
Type RX-RATE TX-RATE MTU
ARP
Troubleshooting
Wireless Interfaces
Default-cable-setting standard standard
Ack-timeout Range 5GHz 5GHz-turbo 2.4GHz-G
Quick Setup Guide
IP Addresses and ARP Log Management
Submenu level /interface wireless
Wireless Interface Configuration
30km 249
35km 298
This example shows how to configure a wireless client
To see current interface settings
Nstreme Settings
Submenu level /interface wireless nstreme
Signal-to-noise 73dB tx-ccq 79% rx-ccq 46% p-throughput
Submenu level /interface wireless nstreme-dual
Nstreme2 Group Settings
Example
Admin@AT-WR4562 interface wireless nstreme-dual
Submenu level /interface wireless registration-table
Registration Table
Then add nstreme2 interface with exact-size framing
# Interface RADIO-NAME MAC-ADDRESS
Admin@AT-WR4562 interface wireless registration-table
Wlan1 000C42185C3D
No -38dBm.. Mbps
Submenu level /interface wireless connect-list
Access List
Submenu level /interface wireless access-list
Connect List
Submenu level /interface wireless info
Info command
Example
Virtual Access Point Interface
Submenu level /interface wireless wds
WDS Interface Configuration
Align
Submenu level /interface wireless align
Admin@AT-WR4562 interface wireless align
Command name /interface wireless align monitor
Align Monitor
Approximately shows how loaded the wireless channels are
Manual Transmit Power Table
Submenu level /interface wireless manual-tx-power-table
Frequency Monitor
Network Scan
Command name /interface wireless scan interfacename
Scan the 5GHz band
Address Ssid Band Freq SIG RADIO-NAME AB R
Security Profiles
Submenu level /interface wireless security-profiles
Submenu level /interface wireless sniffer sniff
Submenu level /interface wireless sniffer
Wireless Sniffer Sniffs packets
Sniffer
Freq SIGNAL@RATE SRC DST Type
Submenu level /interface wireless snooper
Sniffer Packets
Snooper
Application Examples
Station and AccessPoint
Snoop 802.11b network
Band Freq USE
54Mbps
10.1.0.1/24 10.1.0.0 10.1.0.255 Admin@AccessPoint ip address
Check whether you can ping the Access Point from Station
Configure the station and add an IP address 10.1.0.2 to it
On WDS Access Point
WDS Station
Set wds-default-bridge to bridge1
Virtual Access Point
Test 4ghz-g
Virtual-test 4ghz-g
Nstreme network example
Nstreme
Monitor the link
Dual Nstreme
Ssid nstreme
Admin@DualNS-1 interface wireless nstreme-dual
Configure DualNS-1
Admin@DualNS-2 interface wireless nstreme-dual
Now complete the configuration for DualNS-1
WEP security example
WEP Security
Admin@WEPStation1 interface wireless
Configure WEPStation1
WPA Security
Admin@WEPStationX interface wireless
Admin@WPAAP interface wireless security-profiles
Test the link between Access point and the client
Admin@WPAStation interface wireless security-profiles
Admin@WPAStation interface wireless
Vlan Interfaces
Vlan Setup
Vlan example on AT-WR4500 Routers
Application Example
Name MTU ARP
Bridge Interfaces
10.10.10.0 10.10.10.255 Test Admin@AT-WR4562 ip address
10.0.0.0 10.0.0.255 Ether1
10.20.0.0 10.20.0.255 Pc1
Interface bridge add name=MyBridge disabled=no
Bridge Interface Setup
Add ether1 and ether2 to MyBridge interface
IP Addresses and ARP EoIP
Submenu level /interface bridge port
Port Settings
Command name /interface bridge port monitor
Command name /interface bridge monitor
Bridge Monitoring
Bridge Port Monitoring
Bridge Host Monitoring
Command name /interface bridge host
Bridge Firewall General Description
To monitor a bridge port
Property Description
Bridge NAT
Bridge Packet Filter
Submenu level /interface bridge filter
Submenu level /interface bridge nat
Submenu level /interface bridge broute
Bridge Brouting Facility
Troubleshooting
IP Addresses and ARP
Configuring Interfaces Dhcp and DNS
IP Addressing
Submenu level /ip address
10.10.10.0 10.10.10.255 Ether2 Admin@AT-WR4562 ip address
Address Resolution Protocol
Submenu level /ip arp
2.1/24 2.0 2.255 Ether2
Address MAC-ADDRESS
Proxy-ARP feature
Address MAC-ADDRESS Interface
Proxy ARP
Router setup is as follows
Consider the following configuration
Unnumbered Interfaces
RIP Routing Information Protocol
General Setup
Interfaces
Admin@AT-WR4562 routing rip
Submenu level /routing rip interface
Neighbors
Networks
Routes
Submenu level /routing rip network
To view the list of the routes
0.0.0 Ether1 Admin@AT-WR4562
Ether1 1500 Ether2
10.0.0.174 10.0.0.255 Ether1
10.0.0.0/24 Admin@AT-WR4562 routing rip network
Admin@AT-WR4562 routing rip set redistribute-connected=yes
0.0.0 Ether1 Admin@AT-WR4562 routing rip
Regular routing table is
Ospf
Alliedware+ Router Configuration
Routing table of the Alliedware+ router is
General Setup
Ospf Areas
Admin@AT-WR4562 routing ospf
Submenu level /routing ospf area
Submenu level /routing ospf network
Backbone 0.0 None Local10 10.5 Admin@WiFi routing ospf area
Name AREA-ID
Network Area
Submenu level /routing ospf interface
Virtual Links
Submenu level /routing ospf virtual-link
10.0.0.201 Admin@AT-WR4562 routing ospf virtual-link
Virtual link should be configured on both routers
Submenu level /routing ospf neighbor
NEIGHBOR-ID
Ospf Backup
Ospf backup without using a tunnel
Define new Ospf area named local10 with area-id
Authentication
Add connected networks with area local10 in ospf network
Name Type RX-RATE Rate MTU
Add the same area as in main router
Name AREA-ID Stub DEFAULT-COST Authentication
Add connected networks with area local10
Add the needed IP addresses
Add connected networks with the same area
Admin@OSPFMAIN ip route print
Connect, S static, r rip, o ospf, b bgp
DST-ADDRESS Gateway Distance Interface
Dead-interval=40s
Routing tables with Revised Link Cost
On OSPFpeer2
Functioning of the Backup
Routes, Equal Cost Multipath Routing, Policy Routing
NAT
Submenu level /ip route rule
Policy Rules
Static Equal Cost Multi-Path Routing example
Static Equal Cost Multi-Path routing
Standard Policy-Based Routing with Failover
Standard Policy-Based Routing with Failover
DST-ADDRESS Prefsrc Gateway
192.168.0.0 192.168.0.255 Local1
Finally, add a Dhcp server
Dhcp Client and Server
Check whether you have obtained a lease
Packages required dhcp License required Level1
Submenu level /ip dhcp-client
Dhcp Client Setup
To add a Dhcp client on ether1 interface
Dhcp Server Setup
Submenu level /ip dhcp-server
Property Description
Store Leases on Disk
Submenu level /ip dhcp-server config
Name Interface Relay
Dhcp Server Leases
Dhcp Networks
Submenu level /ip dhcp-server network
Submenu level /ip dhcp-server lease
Command Description
Dhcp Option
Dhcp Alert
Submenu level /ip dhcp-server alert
Submenu level /ip dhcp-server option
Use this option in Dhcp server network list
Dhcp Relay
Submenu level /ip dhcp-relay
Name Code Value
Relay Ether1 10.0.0.1 Admin@AT-WR4562 ip dhcp-relay
Command name /ip dhcp-server setup
Questions & Answers
Questions
IP addresses of DHCP-Server
Dynamic Addressing, using DHCP-Relay
Name Interface Relay ADDRESS-POOL LEASE-TIME ADD-ARP
# Address Gateway DNS-SERVER WINS-SERVER
Configure respective networks
IP Address assignment, using FreeRADIUS Server
Create Dhcp Servers
DHCP-1
Setup Dhcp Server Create an address pool
Configure Radius Client on RouterOS
Configure Dhcp networks
Clients.conf file
IP and Routing
DNS Client and Cache
Cache Monitoring
Static DNS Entries
Flushing DNS cache
Command name /ip dns cache flush
Flush clears internal DNS cache
Name Address
Radius client
Radius Client Setup
Ppp,hotspot 10.0.0.3 Admin@AT-WR4562 radius
Service CALLED-ID Domain Address
Connection Terminating from Radius
Submenu level /radius incoming
Supported Radius Attributes
Suggested Radius Servers
XTRadius does not currently support MS-CHAP
Name VendorID Value
Name VendorID Value RFC where it is defined
Local PPP User Profiles
PPP User AAA
L2TP Interface
Submenu level /ppp profile
Submenu level /ppp secret
Local PPP User Database
Name Service CALLER-ID Password Profile
Command name /ppp active print
Name Service CALLER-ID Address Uptime Encoding
Monitoring Active PPP Users
Router User AAA
To enable Radius AAA
PPP User Remote AAA
Submenu level /ppp aaa
Submenu level /user group
Router User Groups
Exclamation sign ! just before policy item name means not
Admin@AT-WR4562 user print Flags X disabled
Admin@rb13 user group
Router Users
Only one, it cannot be removed
When Name Address
Command name /user active print
Monitoring Active Router Users
Router User Remote AAA
SSH keys
To enable Radius AAA, enter the following command
Submenu level /user ssh-keys
Generating key on a Linux machine
Specific Properties
EoIP
IP Addresses and ARP Bridge Interfaces
EoIP Setup
Admin@Remote interface pptp-client
Admin@OurGW interface pptp-server server set enable=yes
EoIP Application Example
Name User MTU CLIENT-ADDRESS Uptime ENC
Interface Bridge Priority PATH-COST
Same for the Remote
Interface Bonding General Information
Quick Setup Guide
Summary
Related Documents
Property Description
Isp1 Ether 1500 Isp2
Application Examples
1.1/24 1.0 1.255 Isp2
10.1.0.0 10.1.0.255 Isp1
For Office2 through ISP1
EoIP tunnel configuration For Office1 through ISP1
For Office1 through ISP2
For Office2 through ISP2
For Office2
IPIP Tunnel Interfaces
10.1.0.0 10.1.0.255 Isp1 3.1/24 3.0 3.255 Bonding1
Add an IP address to created ipip1 interface
Ipip Setup
Name MTU LOCAL-ADDRESS
Configuration of the R2 is shown below
Configuration on L2TP client router Add a L2TP client
Enable the L2TP server
L2TP Interface
IP Addresses and ARP AAA Configuration EoIP IP Security
2 L2TP Client Setup
Submenu level /interface l2tp-client
Monitoring L2TP Client
Command name /interface l2tp-client monitor
Example of an established connection
To enable L2TP server
4 L2TP Server Setup
5 L2TP Server Users
Submenu level /interface l2tp-server server
Interface l2tp-server add user=ex1
To add a static entry for ex1 user
Name User MTU CLIENT-ADDRESS Uptime
ENC
Router-to-Router Secure Tunnel Example
6 L2TP Application Examples
Then the user should be added in the L2TP server list
Add a L2TP client to the RemoteOffice router
Admin@HomeOffice interface l2tp-server server
Admin@HomeOffice ppp secret print detail Flags X disabled
Connecting a Remote Client via L2TP Tunnel
Test the L2TP tunnel connection
Admin@RemoteOffice ppp secret
Server must be enabled
FromLaptop Admin@RemoteOffice interface l2tp-server
Admin@RemoteOffice interface l2tp-server server
Admin@RemoteOffice interface ethernet
L2TP Setup for Windows
PPPoE
ToInternet 1500
Now add a pppoe server
Add a user with username mike and password
Ip pool add name=pppoe-pool ranges=10.1.1.62-10.1.1.72
Submenu level /interface pppoe-client
PPPoE Client Setup
Command name /interface pppoe-client monitor
PPPoE Server Setup Access Concentrator
Monitoring PPPoE Client
To monitor the pppoe-out1 connection
Admin@AT-WR4562 interface pppoe-server server
PPPoE Server User Interfaces
PPPoE Users
Submenu level /interface pppoe-server
To view the currently connected users
First of all, the wireless interface should be configured
PPPoE in a multipoint wireless 802.11g network
Admin@PPPoE-Server interface wireless
Finally, we can set up PPPoE clients
We should add PPPoE server to the wireless interface
Pptp
Admin@MT interface pppoe-server server
My Windows XP client cannot connect to the PPPoE server
Configuration on Pptp client router Add the Pptp client
Enable the Pptp server
IP Addresses and ARP PPP User AAA EoIP
Submenu level /interface pptp-client
Pptp Client Setup
Command name /interface pptp-client monitor
Pptp Server Setup
Monitoring Pptp Client
Submenu level /interface pptp-server server
Pptp Users
To enable Pptp server
PPTP Tunnel Interfaces
Submenu level /interface pptp-server
Interface pptp-server add user=ex1
Pptp Application Examples
1460 10.0.0.202 6m32s None Pptp-in1 Ex1
Pptp-in1 Admin@HomeOffice interface pptp-server
Admin@HomeOffice interface pptp-server add user=ex
Admin@RemoteOffice interface pptp-client
Add a Pptp client to the RemoteOffice router
Test the Pptp tunnel connection
Connecting a Remote Client via Pptp Tunnel
FromLaptop Admin@RemoteOffice interface pptp-server
Connecting a Remote Client via an Encrypted PPTP Tunnel
IP Security
Pptp Setup for Windows
IP Addresses and ARP Firewall and QoS
Description
Diffie-Hellman Group Modulus Reference
Policy Settings
Submenu level /ip ipsec policy
Peers
Flags X disabled, D dynamic, I inactive
To view the policy statistics, do the following
Submenu level /ip ipsec peer
Submenu level /ip ipsec remote-peers
Remote Peer Statistics
Local-address read-only IP address local Isakmp SA address
Submenu level /ip ipsec installed-sa
Installed SAs
To see currently established SAs
Command name /ip ipsec installed-sa flush
Flushing Installed SA Table
Sample printout looks as follows
Tunnel mode example using AH with manual keying
To flush all the SAs installed
RouterOS Router to RouterOS Router
For Router1
Add accept and masquerading rules in SRC-NAT
IPsec Between two Masquerading RouterOS Routers
For Router2
Firewall Filter
Filter
Submenu level /ip firewall filter
Mangle Packet Flow
Property Description
Protect your RouterOS router
Filter Applications
Protecting the Customers Network
Block IP addresses called bogons
Create tcp chain and deny some tcp ports in it
Mangle
Deny udp ports in udp chain
Allow only needed icmp codes in icmp chain
Submenu level /ip firewall mangle
Mangle
Filter Packet Flow
Peer-to-Peer Traffic Marking
Admin@AT-WR4562 /ip firewall mangle add chain=forward \
Mark by MAC address
Packet Flow
Packet Flow
Change MSS
Mangle Filter
Packet Flow Diagram
Submenu level /ip firewall connection
Connection Tracking
Submenu level /ip firewall connection tracking
Connection Timeouts
Submenu level /ip firewall service-port
Service Ports
General Firewall Information
Submenu level /ip firewall nat
NAT
2 NAT
Address-list parameter
Example of Source NAT Masquerading
NAT Applications
Example of Destination NAT
Example of one to one mapping
HotSpot Gateway
Hot Spot Service
HotSpot example network
Command name /ip hotspot setup
Question&Answer-Based Setup
Hs-local Local HS-real Default Admin@AT-WR4562 ip hotspot
HotSpot Interface Setup
Name Interface
Submenu level /ip hotspot profile
HotSpot Server Profiles
0s same as received
HotSpot Users
HotSpot User Profiles
Description
HotSpot Cookies
To get the list of valid cookies
HTTP-level Walled Garden
Submenu level /ip hotspot walled-garden
# User Domain MAC-ADDRESS
One-to-one NAT static address bindings
IP-level Walled Garden
Submenu level /ip hotspot walled-garden ip
Submenu level /ip hotspot ip-binding
Service Port
Command Description
Active Host List
Customizing HotSpot Firewall Section
Ftp Admin@AT-WR4562 ip hotspot service-port
To set the FTP protocol to use both TCP ports 20 and 21
Chain=hotspot action=jump jump-target=pre-hotspot
Https proxy is listening on the 64875 port
Packets from the authorized clients through the hs-auth chain
Chain=hs-input action=jump jump-target=pre-hs-input
Reject all packets to the clients with Icmp reject message
Serving Servlet Pages
Customizing HotSpot Http Servlet Pages
Href=$link-loginlogin/a
Hey, your username is john $elif username == dizzy
Add the following line
To this line
Or alternatively add this line
To this
Before this one
Possible Error Messages
HotSpot How-tos
Name Interface ADDRESS-POOL Profile IDLE-TIMEOUT
Then we can use that certificate for hotspot
MAC-ADDRESS Address TO-ADDRESS Server
HotSpot User AAA
MAC-ADDRESS Address TO-ADDRESS Server IDLE-TIMEOUT
10.11.12.3 Hs-local
Submenu level /ip hotspot user
Submenu level /ip hotspot active
HotSpot Active Users
Server Name Address Profile Uptime
To get the list of active users
10.0.0.144 4m17s 55m43s Admin@AT-WR4562 ip hotspot active
User Address Uptime
Vrrp Routers
Vrrp
Property Description
Virtual IP addresses
Flags X disabled, a active
Simple example of Vrrp fail over
Submenu level /ip vrrp address
Now this address should appear in /ip address list
Hardware Watchdog Management
System Watchdog
Submenu level /system watchdog
Admin@AT-WR4562 system watchdog
Admin@AT-WR4562 system watchdog set auto-send-supout=yes \
Automatic-supout yes Auto-send-supout yes
Log Management
General Settings
Submenu level /system logging
Topics
Log Messages
Actions
Submenu level /system logging action
Submenu level /log
To view the local logs
Snmp Service
To monitor the system log
Timemessage
Traffic Flow
General Configuration
Related Documents
Admin@AT-WR4562 ip traffic-flow target
Admin@AT-WR4562 ip traffic-flow
Traffic-Flow Target
Traffic-Flow Example
Network Load Statistics Matrix
Host Information
Network load profile by time
General Options
Graphing
To store information on system drive every hour
Interface Graphing
Health Graphing
Simple Queue Graphing
Resource Graphing
192.168.0.0/24 Yes Admin@AT-WR4562 tool graphing resource
Submenu level /tool graphing resource
ALLOW-ADDRESS