AT-WR4500 Series
PN 613-000813 Rev. B
AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers
RouterOS v3 Configuration and User Guide
Limitation of Liability and Damages
Contents
Routes, Equal Cost Multipath Routing, Policy Routing
IP Addresses and ARP
117
118
120
121
Hot Spot Service 222
163
164
166
10.3.7 Command Description
10.3.8 Service Port
Possible Error Messages
12.1.2 General Settings
Figures
Purpose of This Guide
How This Guide is organized
Document Conventions
Sales or Corporate Information Management Software Updates
Tell Us What You Think
Allied Telesis FTP server ftp//ftp.alliedtelesis.com
Introduction
Features
Admin@AT-WR4541g /system license print software-id NCL8-3TT
Software License
Accessing theWR4500 throughWinBox
Using WinBox
Logging in the AT-WR4500 Router
Downloading WinBox loader
Accessing the CLI
Password can be changed with the /password command
AT-WR4500 Login admin Password
Aaaaaaaaaaa Ttttttt Aaaaaaa Aaaaa Tttt
Command Action
System Backup
General Information
Export Command
Import Command
Configuration Reset
Specifications
SoftwareVersion Management
General Information
System Upgrade
To upgrade chosen packages
Step-by-Step
Property Description
Submenu level /system upgrade upgrade-package-source
192.168.25.8 Admin
Software Package Management
Adding Package Source
Installation Upgrade
Uninstallation
Command name /system package uninstall
Command name /system package downgrade
Admin@AT-WR4562 system package print Flags X disabled
Downgrading
Name Version
Suppose we need to test ipv6 package features
Command name /system package unschedule
Disabling and Enabling
Unscheduling
Admin@AT-WR4562 system package unschedule security
Name Version Scheduled
To upgrade selected packages
Software Package List
Download
Downloading 16 %
Package name Contents Prerequisites Additional License
Package name Contents Prerequisites Additional License
General Interface Settings
Command name /interface monitor-traffic
Interface Status
Traffic Monitoring
Ethernet Interface Configuration
Ethernet Interfaces
RelatedTopics
Additional Resources
Command name /interface ethernet monitor
Monitoring the Interface Status
Type RX-RATE TX-RATE MTU
ARP
Wireless Interfaces
Troubleshooting
Default-cable-setting standard standard
Quick Setup Guide
Ack-timeout Range 5GHz 5GHz-turbo 2.4GHz-G
IP Addresses and ARP Log Management
Wireless Interface Configuration
Submenu level /interface wireless
30km 249
35km 298
AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers
Page
AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers
This example shows how configure a wireless client
Nstreme Settings
To see current interface settings
Submenu level /interface wireless nstreme
Signal-to-noise 73dB tx-ccq 79% rx-ccq 46% p-throughput
Nstreme2 Group Settings
Submenu level /interface wireless nstreme-dual
Example
Submenu level /interface wireless registration-table
Admin@AT-WR4562 interface wireless nstreme-dual
RegistrationTable
Then add nstreme2 interface with exact-size framing
Admin@AT-WR4562 interface wireless registration-table
# Interface RADIO-NAME MAC-ADDRESS
Wlan1 000C42185C3D
No -38dBm.. Mbps
Access List
Submenu level /interface wireless connect-list
Submenu level /interface wireless access-list
Connect List
Info command
Submenu level /interface wireless info
Page
AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers
Example
Virtual Access Point Interface
WDS Interface Configuration
Submenu level /interface wireless wds
Submenu level /interface wireless align
Align
Command name /interface wireless align monitor
Admin@AT-WR4562 interface wireless align
Align Monitor
ManualTransmit PowerTable
Aproximately shows how loaded are the wireless channels
Submenu level /interface wireless manual-tx-power-table
Frequency Monitor
Command name /interface wireless scan interfacename
Network Scan
Scan the 5GHz band
Address Ssid Band Freq SIG RADIO-NAME AB R
Submenu level /interface wireless security-profiles
Security Profiles
Page
Submenu level /interface wireless sniffer
Submenu level /interface wireless sniffer sniff
Wireless Sniffer Sniffs packets
Sniffer
Submenu level /interface wireless snooper
Freq SIGNAL@RATE SRC DST Type
Sniffer Packets
Snooper
Station and AccessPoint
Application Examples
Snoop 802.11b network
Band Freq USE
10.1.0.1/24 10.1.0.0 10.1.0.255 Admin@AccessPoint ip address
54Mbps
Configure the station and add an IP address 10.1.0.2 to it
Check whether you can ping the Access Point from Station
On WDS Access Point
WDS Station
Set wds-default-bridge to bridge1
Virtual Access Point
Virtual-test 4ghz-g
Test 4ghz-g
Nstreme
Nstreme network example
Dual Nstreme
Monitor the link
Ssid nstreme
Configure DualNS-1
Admin@DualNS-1 interface wireless nstreme-dual
Now complete the configuration for DualNS-1
Admin@DualNS-2 interface wireless nstreme-dual
WEP Security
WEP security example
Page
Configure WEPStation1
Admin@WEPStation1 interface wireless
Admin@WEPStationX interface wireless
WPA Security
Test the link between Access point and the client
Admin@WPAAP interface wireless security-profiles
Admin@WPAStation interface wireless security-profiles
Admin@WPAStation interface wireless
Vlan Setup
Vlan Interfaces
Application Example
Vlan example on AT-WR4500 Routers
Name MTU ARP
10.10.10.0 10.10.10.255 Test Admin@AT-WR4562 ip address
Bridge Interfaces
10.0.0.0 10.0.0.255 Ether1
10.20.0.0 10.20.0.255 Pc1
Bridge Interface Setup
Interface bridge add name=MyBridge disabled=no
Add ether1 and ether2 to MyBridge interface
IP Addresses and ARP EoIP
Port Settings
Submenu level /interface bridge port
Command name /interface bridge monitor
Command name /interface bridge port monitor
Bridge Monitoring
Bridge Port Monitoring
Command name /interface bridge host
Bridge Host Monitoring
Bridge Firewall General Description
To monitor a bridge port
Property Description
Page
Bridge Packet Filter
Bridge NAT
Submenu level /interface bridge filter
Submenu level /interface bridge nat
Bridge Brouting Facility
Submenu level /interface bridge broute
Troubleshooting
Configuring Interfaces Dhcp and DNS
IP Addresses and ARP
IP Addressing
Submenu level /ip address
Address Resolution Protocol
10.10.10.0 10.10.10.255 Ether2 Admin@AT-WR4562 ip address
Submenu level /ip arp
2.1/24 2.0 2.255 Ether2
Proxy-ARP feature
Address MAC-ADDRESS
Address MAC-ADDRESS Interface
Proxy ARP
Consider the following configuration
Router setup is as follows
Unnumbered Interfaces
RIP Routing Information Protocol
General Setup
Admin@AT-WR4562 routing rip
Interfaces
Submenu level /routing rip interface
Networks
Neighbors
Routes
Submenu level /routing rip network
0.0.0 Ether1 Admin@AT-WR4562
To view the list of the routes
Ether1 1500 Ether2
10.0.0.174 10.0.0.255 Ether1
Admin@AT-WR4562 routing rip set redistribute-connected=yes
10.0.0.0/24 Admin@AT-WR4562 routing rip network
0.0.0 Ether1 Admin@AT-WR4562 routing rip
Regular routing table is
Alliedware+ Router Configuration
Ospf
Routing table of the Alliedware+ router is
General Setup
Admin@AT-WR4562 routing ospf
Ospf Areas
Submenu level /routing ospf area
Backbone 0.0 None Local10 10.5 Admin@WiFi routing ospf area
Submenu level /routing ospf network
Name AREA-ID
Network Area
Virtual Links
Submenu level /routing ospf interface
Submenu level /routing ospf virtual-link
Virtual link should be configured on both routers
10.0.0.201 Admin@AT-WR4562 routing ospf virtual-link
Submenu level /routing ospf neighbor
NEIGHBOR-ID
Ospf backup without using a tunnel
Ospf Backup
Authentication
Define new Ospf area named local10 with area-id
Add connected networks with area local10 in ospf network
Name Type RX-RATE Rate MTU
Name AREA-ID Stub DEFAULT-COST Authentication
Add the same area as in main router
Add connected networks with area local10
Add the needed IP addresses
Admin@OSPFMAIN ip route print
Add connected networks with the same area
Connect, S static, r rip, o ospf, b bgp
DST-ADDRESS Gateway Distance Interface
Routing tables with Revised Link Cost
Dead-interval=40s
Functioning of the Backup
On OSPFpeer2
Routes, Equal Cost Multipath Routing, Policy Routing
NAT
Policy Rules
Submenu level /ip route rule
Static Equal Cost Multi-Path routing
Static Equal Cost Multi-Path Routing example
Standard Policy-Based Routing with Failover
Standard Policy-Based Routing with Failover
192.168.0.0 192.168.0.255 Local1
DST-ADDRESS Prefsrc Gateway
Dhcp Client and Server
Finally, add a Dhcp server
Check whether you have obtained a lease
Packages required dhcp License required Level1
Dhcp Client Setup
Submenu level /ip dhcp-client
Dhcp Server Setup
To add a Dhcp client on ether1 interface
Submenu level /ip dhcp-server
Property Description
Submenu level /ip dhcp-server config
Store Leases on Disk
Name Interface Relay
Dhcp Networks
Dhcp Server Leases
Submenu level /ip dhcp-server network
Submenu level /ip dhcp-server lease
Command Description
Dhcp Alert
Dhcp Option
Submenu level /ip dhcp-server alert
Submenu level /ip dhcp-server option
Dhcp Relay
Use this option in Dhcp server network list
Submenu level /ip dhcp-relay
Name Code Value
Command name /ip dhcp-server setup
Relay Ether1 10.0.0.1 Admin@AT-WR4562 ip dhcp-relay
Questions & Answers
Questions
Dynamic Addressing, using DHCP-Relay
IP addresses of DHCP-Server
Name Interface Relay ADDRESS-POOL LEASE-TIME ADD-ARP
# Address Gateway DNS-SERVER WINS-SERVER
IP Address assignment, using FreeRADIUS Server
Configure respective networks
Create Dhcp Servers
DHCP-1
Configure Radius Client on RouterOS
Setup Dhcp Server Create an address pool
Configure Dhcp networks
Clients.conf file
DNS Client and Cache
IP and Routing
5Static DNS Entries
Cache Monitoring
Static DNS Entries
Command name /ip dns cache flush
6Flushing DNS cache
Flush clears internal DNS cache
Name Address
Radius Client Setup
Radius client
Service CALLED-ID Domain Address
Ppp,hotspot 10.0.0.3 Admin@AT-WR4562 radius
ConnectionTerminating from Radius
Submenu level /radius incoming
Suggested Radius Servers
Supported Radius Attributes
XTRadius does not currently support MS-CHAP
Page
Page
Page
Name VendorID Value
Name VendorID Value RFC where it is defined
AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers
PPP User AAA
Local PPP User Profiles
L2TP Interface
Submenu level /ppp profile
Page
Local PPP User Database
Submenu level /ppp secret
Command name /ppp active print
Name Service CALLER-ID Password Profile
Name Service CALLER-ID Address Uptime Encoding
Monitoring Active PPP Users
To enable Radius AAA
Router User AAA
PPP User Remote AAA
Submenu level /ppp aaa
Router User Groups
Submenu level /user group
Exclamation sign ! just before policy item name means not
Admin@rb13 user group
Admin@AT-WR4562 user print Flags X disabled
Router Users
Only one, it cannot be removed
Command name /user active print
When Name Address
Monitoring Active Router Users
Router User Remote AAA
To enable Radius AAA, enter the following command
SSH keys
Submenu level /user ssh-keys
Generating key on a linux machine
EoIP
Specific Properties
IP Addresses and ARP Bridge Interfaces
EoIP Setup
Admin@OurGW interface pptp-server server set enable=yes
Admin@Remote interface pptp-client
EoIP Application Example
Name User MTU CLIENT-ADDRESS Uptime ENC
Same for the Remote
Interface Bridge Priority PATH-COST
Quick Setup Guide
Interface Bonding General Information
Summary
Related Documents
Property Description
Application Examples
Isp1 Ether 1500 Isp2
1.1/24 1.0 1.255 Isp2
10.1.0.0 10.1.0.255 Isp1
EoIP tunnel configuration For Office1 through ISP1
For Office2 through ISP1
For Office1through ISP2
For Office2through ISP2
IPIPTunnel Interfaces
For Office2
10.1.0.0 10.1.0.255 Isp1 3.1/24 3.0 3.255 Bonding1
Ipip Setup
Add an IP address to created ipip1 interface
Configuration of the R2 is shown below
Name MTU LOCAL-ADDRESS
Enable the L2TP server
Configuration on L2TP client router Add a L2TP client
L2TP Interface
2 L2TP Client Setup
IP Addresses and ARP AAA Configuration EoIP IP Security
Submenu level /interface l2tp-client
Command name /interface l2tp-client monitor
Monitoring L2TP Client
Example of an established connection
4 L2TP Server Setup
To enable L2TP server
5 L2TP Server Users
Submenu level /interface l2tp-server server
To add a static entry for ex1 user
Interface l2tp-server add user=ex1
Name User MTU CLIENT-ADDRESS Uptime
ENC
6 L2TP Application Examples
Router-to-Router Secure Tunnel Example
Then the user should be added in the L2TP server list
Admin@HomeOffice interface l2tp-server server
Add a L2TP client to the RemoteOffice router
Connecting a Remote Client via L2TPTunnel
Admin@HomeOffice ppp secret print detail Flags X disabled
Test the L2TP tunnel connection
Server must be enabled
Admin@RemoteOffice ppp secret
FromLaptop Admin@RemoteOffice interface l2tp-server
Admin@RemoteOffice interface l2tp-server server
L2TP Setup for Windows
Admin@RemoteOffice interface ethernet
PPPoE
ToInternet 1500
Add a user with username mike and password
Now add a pppoe server
Ip pool add name=pppoe-pool ranges=10.1.1.62-10.1.1.72
PPPoE Client Setup
Submenu level /interface pppoe-client
PPPoE Server Setup Access Concentrator
Command name /interface pppoe-client monitor
Monitoring PPPoE Client
To monitor the pppoe-out1connection
Admin@AT-WR4562 interface pppoe-server server
PPPoE Users
PPPoE Server User Interfaces
Submenu level /interface pppoe-server
To view the currently connected users
PPPoE in a multipoint wireless 802.11g network
First of all, the wireless interface should be configured
Admin@PPPoE-Server interface wireless
We should add PPPoE server to the wireless interface
Finally, we can set up PPPoE clients
Admin@MT interface pppoe-server server
Pptp
My Windows XP client cannot connect to the PPPoE server
Enable the Pptp server
Configuration on Pptp client router Add the Pptp client
IP Addresses and ARP PPP User AAA EoIP
Pptp Client Setup
Submenu level /interface pptp-client
Pptp Server Setup
Command name /interface pptp-client monitor
Monitoring Pptp Client
Submenu level /interface pptp-server server
To enable Pptp server
Pptp Users
PPTPTunnel Interfaces
Submenu level /interface pptp-server
Pptp Application Examples
Interface pptp-server add user=ex1
1460 10.0.0.202 6m32s None Pptp-in1 Ex1
Admin@HomeOffice interface pptp-server add user=ex
Pptp-in1 Admin@HomeOffice interface pptp-server
Admin@RemoteOffice interface pptp-client
Add a Pptp client to the RemoteOffice router
Connecting a Remote Client via Pptp Tunnel
Test the Pptp tunnel connection
Connecting a Remote Client via and Encrypted Pptp Tunnel
FromLaptop Admin@RemoteOffice interface pptp-server
Pptp Setup for Windows
IP Security
IP Addresses and ARP Firewall and QoS
Description
Policy Settings
Diffie-Hellman Group Modulus Reference
Submenu level /ip ipsec policy
Page
Flags X disabled, D dynamic, I inactive
Peers
To view the policy statistics, do the following
Submenu level /ip ipsec peer
Remote Peer Statistics
Submenu level /ip ipsec remote-peers
Local-addressread-only IP address local Isakmp SA address
Installed SAs
Submenu level /ip ipsec installed-sa
To see currently estabilished SAs
Flushing Installed SATable
Command name /ip ipsec installed-sa flush
Sample printout looks as follows
To flush all the SAs installed
Tunnel mode example using AH with manual keying
RouterOS Router to RouterOS Router
For Router1
IPsec Between two Masquerading RouterOS Routers
Add accept and masquerading rules in SRC-NAT
For Router2
Filter
Firewall Filter
Submenu level /ip firewall filter
Mangle Packet Flow
Page
Property Description
Page
Page
Filter Applications
Protect your RouterOS router
Protecting the Customers Network
Block IP addreses called bogons
Mangle
Create tcp chain and deny some tcp ports in it
Deny udp ports in udp chain
Allow only needed icmp codes in icmp chain
Mangle
Submenu level /ip firewall mangle
Filter Packet Flow
Page
Page
Page
Admin@AT-WR4562 /ip firewall mangle add chain=forward \
Peer-to-PeerTraffic Marking
Mark by MAC address
Packet Flow
Packet Flow
Change MSS
Mangle Filter
Packet Flow Diagram
ConnectionTracking
Submenu level /ip firewall connection
ConnectionTimeouts
Submenu level /ip firewall connection tracking
Service Ports
Submenu level /ip firewall service-port
General Firewall Information
NAT
Submenu level /ip firewall nat
2 NAT
Address-list parameter
Page
Page
NAT Applications
Example of Source NAT Masquerading
Example of Destination NAT
Example of one to one mapping
Hot Spot Service
HotSpot Gateway
HotSpot example network
Page
Page
Question&Answer-Based Setup
Command name /ip hotspot setup
HotSpot Interface Setup
Hs-local Local HS-real Default Admin@AT-WR4562 ip hotspot
Name Interface
HotSpot Server Profiles
Submenu level /ip hotspot profile
0s same as received
HotSpot User Profiles
HotSpot Users
Description
HotSpot Cookies
HTTP-levelWalled Garden
To get the list of valid cookies
Submenu level /ip hotspot walled-garden
# User Domain MAC-ADDRESS
IP-level Walled Garden
One-to-one NAT static address bindings
Submenu level /ip hotspot walled-garden ip
Submenu level /ip hotspot ip-binding
Command Description
Service Port
Active Host List
Ftp Admin@AT-WR4562 ip hotspot service-port
Customizing HotSpot Firewall Section
To set the FTP protocol uses both 20 and 21 TCP port
Chain=hotspot action=jump jump-target=pre-hotspot
Packets from the authorized clients through the hs-authchain
Https proxy is listening on the 64875 port
Reject all packets to the clients with Icmp reject message
Chain=hs-input action=jump jump-target=pre-hs-input
Customizing HotSpot Http Servlet Pages
Serving Servlet Pages
Href=$link-loginlogin/a
Page
Hey, your username is john $elif username == dizzy
To this line
Add the following line
To this
Or alternatively add this line
Before this one
Possible Error Messages
Name Interface ADDRESS-POOL Profile IDLE-TIMEOUT
HotSpot How-tos
Then we can use that certificate for hotspot
MAC-ADDRESS Address TO-ADDRESS Server
MAC-ADDRESS Address TO-ADDRESS Server IDLE-TIMEOUT
HotSpot User AAA
10.11.12.3 Hs-local
Page
Submenu level /ip hotspot user
HotSpot Active Users
Submenu level /ip hotspot active
Server Name Address Profile Uptime
10.0.0.144 4m17s 55m43s Admin@AT-WR4562 ip hotspot active
To get the list of active users
User Address Uptime
Vrrp
Vrrp Routers
Property Description
Flags X disabled, a active
Virtual IP addresses
Simple example of Vrrp fail over
Submenu level /ip vrrp address
Now this address should appear in /ip address list
SystemWatchdog
Hardware Watchdog Management
Submenu level /system watchdog
Admin@AT-WR4562 system watchdog set auto-send-supout=yes \
Admin@AT-WR4562 system watchdog
Automatic-supout yes Auto-send-supout yes
General Settings
Log Management
Submenu level /system logging
Topics
Actions
Log Messages
Submenu level /system logging action
Submenu level /log
Snmp Service
To view the local logs
To monitor the system log
Timemessage
General Configuration
Traffic Flow
Related Documents
Admin@AT-WR4562 ip traffic-flow
Admin@AT-WR4562 ip traffic-flow target
Traffic-FlowTarget
Traffic-Flow Example
Host Information
Network Load Statistics Matrix
Network load profile by time
Graphing
General Options
To store information on system drive every hour
Health Graphing
Interface Graphing
Simple Queue Graphing
192.168.0.0/24 Yes Admin@AT-WR4562 tool graphing resource
Resource Graphing
Submenu level /tool graphing resource
ALLOW-ADDRESS
