6 L2TP Application Examples | Allied Telesis AT-WR4500 instruction

166	AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers
	RouterOS v3 Configuration and User Guide

8.5.6 L2TP Application Examples

Router-to-Router Secure Tunnel Example

				Big
				Internet
	WISP#1			WISP#2
				WISP#2
	192.168.80.0/24			192.168.81.0/24
				192.168.81.0/24
Home Office						Remote Office


To Internet						To Internet
192.168.80.1/24				192.168.81.1/24

LAN	LAN
10.150.2.254/24	10.150.1.254/24
	Network Setup without L2TP enabled
10.150.2.1/24	10.150.1.1/24

Figure 23: Router-to-Router Secure Tunnel Example

There are two routers in this example:

[HomeOffice]

Interface LocalHomeOffice 10.150.2.254/24

Interface ToInternet 192.168.80.1/24

[RemoteOffice]

Interface ToInternet 192.168.81.1/24 Interface LocalRemoteOffice 10.150.1.254/24

Each router is connected to a different ISP. One router can access another router through the Internet. On the L2TP server a user must be set up for the client:

[admin@HomeOffice] ppp secret> add name=ex service=l2tp password=lkjrht local-address=10.0.103.1 remote-address=10.0.103.2 [admin@HomeOffice] ppp secret> print detail

Flags: X - disabled

0name="ex" service=l2tp caller-id="" password="lkjrht" profile=default local-address=10.0.103.1 remote-address=10.0.103.2 routes==""

[admin@HomeOffice] ppp secret>

Then the user should be added in the L2TP server list:

[admin@HomeOffice] interface l2tp-server> add user=ex

[admin@HomeOffice] interface l2tp-server> print Flags: X - disabled, D - dynamic, R - running

#	NAME	USER	MTU CLIENT-ADDRESS UPTIME ENC...
0	l2tp-in1	ex

[admin@HomeOffice] interface l2tp-server>

Image 166

Allied Telesis AT-WR4500 manual 6 L2TP Application Examples, Router-to-Router Secure Tunnel Example

Contents

AT-WR4500 Series PN 613-000813 Rev. B AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Limitation of Liability and Damages Contents Routes, Equal Cost Multipath Routing, Policy Routing IP Addresses and ARP 120 117118 121 164 Hot Spot Service 222163 166 Possible Error Messages 10.3.7 Command Description10.3.8 Service Port 12.1.2 General Settings Figures How This Guide is organized Purpose of This GuideDocument Conventions Tell Us What You Think Sales or Corporate Information Management Software UpdatesAllied Telesis FTP server ftp//ftp.alliedtelesis.com Introduction Admin@AT-WR4541g /system license print software-id NCL8-3TT FeaturesSoftware License Logging in the AT-WR4500 Router Accessing theWR4500 throughWinBoxUsing WinBox Downloading WinBox loader Password can be changed with the /password command Accessing the CLIAT-WR4500 Login admin Password Aaaaaaaaaaa Ttttttt Aaaaaaa Aaaaa Tttt Command Action System Backup General Information Export Command Import Command SoftwareVersion Management Configuration ResetSpecifications General Information Step-by-Step System UpgradeTo upgrade chosen packages Property Description Software Package Management Submenu level /system upgrade upgrade-package-source192.168.25.8 Admin Adding Package Source Uninstallation Installation UpgradeCommand name /system package uninstall Downgrading Command name /system package downgradeAdmin@AT-WR4562 system package print Flags X disabled Name Version Disabling and Enabling Suppose we need to test ipv6 package featuresCommand name /system package unschedule Unscheduling Admin@AT-WR4562 system package unschedule security Name Version Scheduled Download To upgrade selected packagesSoftware Package List Downloading 16 % Package name Contents Prerequisites Additional License Package name Contents Prerequisites Additional License Interface Status General Interface SettingsCommand name /interface monitor-traffic Traffic Monitoring RelatedTopics Ethernet Interface ConfigurationEthernet Interfaces Additional Resources Type RX-RATE TX-RATE MTU Command name /interface ethernet monitorMonitoring the Interface Status ARP Troubleshooting Wireless InterfacesDefault-cable-setting standard standard Ack-timeout Range 5GHz 5GHz-turbo 2.4GHz-G Quick Setup GuideIP Addresses and ARP Log Management 30km 249 Wireless Interface ConfigurationSubmenu level /interface wireless 35km 298 AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers Page AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers This example shows how configure a wireless client Submenu level /interface wireless nstreme Nstreme SettingsTo see current interface settings Signal-to-noise 73dB tx-ccq 79% rx-ccq 46% p-throughput Nstreme2 Group Settings Submenu level /interface wireless nstreme-dual Example RegistrationTable Submenu level /interface wireless registration-tableAdmin@AT-WR4562 interface wireless nstreme-dual Then add nstreme2 interface with exact-size framing Wlan1 000C42185C3D Admin@AT-WR4562 interface wireless registration-table# Interface RADIO-NAME MAC-ADDRESS No -38dBm.. Mbps Submenu level /interface wireless access-list Access ListSubmenu level /interface wireless connect-list Connect List Info command Submenu level /interface wireless infoPage AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers Example Virtual Access Point Interface WDS Interface Configuration Submenu level /interface wireless wds Submenu level /interface wireless align Align Admin@AT-WR4562 interface wireless align Command name /interface wireless align monitorAlign Monitor Submenu level /interface wireless manual-tx-power-table ManualTransmit PowerTableAproximately shows how loaded are the wireless channels Frequency Monitor Scan the 5GHz band Command name /interface wireless scan interfacenameNetwork Scan Address Ssid Band Freq SIG RADIO-NAME AB R Submenu level /interface wireless security-profiles Security ProfilesPage Wireless Sniffer Sniffs packets Submenu level /interface wireless snifferSubmenu level /interface wireless sniffer sniff Sniffer Sniffer Packets Submenu level /interface wireless snooperFreq SIGNAL@RATE SRC DST Type Snooper Snoop 802.11b network Station and AccessPointApplication Examples Band Freq USE 10.1.0.1/24 10.1.0.0 10.1.0.255 Admin@AccessPoint ip address 54Mbps On WDS Access Point Configure the station and add an IP address 10.1.0.2 to itCheck whether you can ping the Access Point from Station WDS Station Set wds-default-bridge to bridge1 Virtual Access Point Virtual-test 4ghz-g Test 4ghz-g Nstreme Nstreme network example Monitor the link Dual NstremeSsid nstreme Configure DualNS-1 Admin@DualNS-1 interface wireless nstreme-dual Now complete the configuration for DualNS-1 Admin@DualNS-2 interface wireless nstreme-dual WEP Security WEP security examplePage Configure WEPStation1 Admin@WEPStation1 interface wireless Admin@WEPStationX interface wireless WPA Security Admin@WPAStation interface wireless security-profiles Test the link between Access point and the clientAdmin@WPAAP interface wireless security-profiles Admin@WPAStation interface wireless Vlan Setup Vlan Interfaces Vlan example on AT-WR4500 Routers Application ExampleName MTU ARP 10.0.0.0 10.0.0.255 Ether1 10.10.10.0 10.10.10.255 Test Admin@AT-WR4562 ip addressBridge Interfaces 10.20.0.0 10.20.0.255 Pc1 Add ether1 and ether2 to MyBridge interface Bridge Interface SetupInterface bridge add name=MyBridge disabled=no IP Addresses and ARP EoIP Port Settings Submenu level /interface bridge port Bridge Monitoring Command name /interface bridge monitorCommand name /interface bridge port monitor Bridge Port Monitoring Bridge Firewall General Description Command name /interface bridge hostBridge Host Monitoring To monitor a bridge port Property Description Page Submenu level /interface bridge filter Bridge Packet FilterBridge NAT Submenu level /interface bridge nat Bridge Brouting Facility Submenu level /interface bridge broute Troubleshooting IP Addressing Configuring Interfaces Dhcp and DNSIP Addresses and ARP Submenu level /ip address Submenu level /ip arp Address Resolution Protocol10.10.10.0 10.10.10.255 Ether2 Admin@AT-WR4562 ip address 2.1/24 2.0 2.255 Ether2 Address MAC-ADDRESS Proxy-ARP featureAddress MAC-ADDRESS Interface Proxy ARP Router setup is as follows Consider the following configurationUnnumbered Interfaces RIP Routing Information Protocol General Setup Interfaces Admin@AT-WR4562 routing ripSubmenu level /routing rip interface Routes NetworksNeighbors Submenu level /routing rip network Ether1 1500 Ether2 0.0.0 Ether1 Admin@AT-WR4562To view the list of the routes 10.0.0.174 10.0.0.255 Ether1 0.0.0 Ether1 Admin@AT-WR4562 routing rip Admin@AT-WR4562 routing rip set redistribute-connected=yes10.0.0.0/24 Admin@AT-WR4562 routing rip network Regular routing table is Ospf Alliedware+ Router ConfigurationRouting table of the Alliedware+ router is General Setup Ospf Areas Admin@AT-WR4562 routing ospfSubmenu level /routing ospf area Name AREA-ID Backbone 0.0 None Local10 10.5 Admin@WiFi routing ospf areaSubmenu level /routing ospf network Network Area Submenu level /routing ospf interface Virtual LinksSubmenu level /routing ospf virtual-link Submenu level /routing ospf neighbor Virtual link should be configured on both routers10.0.0.201 Admin@AT-WR4562 routing ospf virtual-link NEIGHBOR-ID Ospf backup without using a tunnel Ospf Backup Add connected networks with area local10 in ospf network AuthenticationDefine new Ospf area named local10 with area-id Name Type RX-RATE Rate MTU Add connected networks with area local10 Name AREA-ID Stub DEFAULT-COST AuthenticationAdd the same area as in main router Add the needed IP addresses Connect, S static, r rip, o ospf, b bgp Admin@OSPFMAIN ip route printAdd connected networks with the same area DST-ADDRESS Gateway Distance Interface Routing tables with Revised Link Cost Dead-interval=40s Functioning of the Backup On OSPFpeer2 Routes, Equal Cost Multipath Routing, Policy Routing NAT Policy Rules Submenu level /ip route rule Static Equal Cost Multi-Path routing Static Equal Cost Multi-Path Routing example Standard Policy-Based Routing with Failover Standard Policy-Based Routing with Failover 192.168.0.0 192.168.0.255 Local1 DST-ADDRESS Prefsrc Gateway Check whether you have obtained a lease Dhcp Client and ServerFinally, add a Dhcp server Packages required dhcp License required Level1 Dhcp Client Setup Submenu level /ip dhcp-client To add a Dhcp client on ether1 interface Dhcp Server SetupSubmenu level /ip dhcp-server Property Description Store Leases on Disk Submenu level /ip dhcp-server configName Interface Relay Submenu level /ip dhcp-server network Dhcp NetworksDhcp Server Leases Submenu level /ip dhcp-server lease Command Description Submenu level /ip dhcp-server alert Dhcp AlertDhcp Option Submenu level /ip dhcp-server option Submenu level /ip dhcp-relay Dhcp RelayUse this option in Dhcp server network list Name Code Value Questions & Answers Command name /ip dhcp-server setupRelay Ether1 10.0.0.1 Admin@AT-WR4562 ip dhcp-relay Questions Name Interface Relay ADDRESS-POOL LEASE-TIME ADD-ARP Dynamic Addressing, using DHCP-RelayIP addresses of DHCP-Server # Address Gateway DNS-SERVER WINS-SERVER Create Dhcp Servers IP Address assignment, using FreeRADIUS ServerConfigure respective networks DHCP-1 Configure Dhcp networks Configure Radius Client on RouterOSSetup Dhcp Server Create an address pool Clients.conf file DNS Client and Cache IP and Routing Cache Monitoring 5Static DNS EntriesStatic DNS Entries Flush clears internal DNS cache Command name /ip dns cache flush6Flushing DNS cache Name Address Radius Client Setup Radius client ConnectionTerminating from Radius Service CALLED-ID Domain AddressPpp,hotspot 10.0.0.3 Admin@AT-WR4562 radius Submenu level /radius incoming Supported Radius Attributes Suggested Radius ServersXTRadius does not currently support MS-CHAP Page Page Page Name VendorID Value Name VendorID Value RFC where it is defined AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers L2TP Interface PPP User AAALocal PPP User Profiles Submenu level /ppp profilePage Local PPP User Database Submenu level /ppp secret Name Service CALLER-ID Address Uptime Encoding Command name /ppp active printName Service CALLER-ID Password Profile Monitoring Active PPP Users PPP User Remote AAA To enable Radius AAARouter User AAA Submenu level /ppp aaa Submenu level /user group Router User GroupsExclamation sign ! just before policy item name means not Router Users Admin@rb13 user groupAdmin@AT-WR4562 user print Flags X disabled Only one, it cannot be removed Monitoring Active Router Users Command name /user active printWhen Name Address Router User Remote AAA Submenu level /user ssh-keys To enable Radius AAA, enter the following commandSSH keys Generating key on a linux machine Specific Properties EoIPIP Addresses and ARP Bridge Interfaces EoIP Setup EoIP Application Example Admin@OurGW interface pptp-server server set enable=yesAdmin@Remote interface pptp-client Name User MTU CLIENT-ADDRESS Uptime ENC Same for the Remote Interface Bridge Priority PATH-COST Summary Quick Setup GuideInterface Bonding General Information Related Documents Property Description 1.1/24 1.0 1.255 Isp2 Application ExamplesIsp1 Ether 1500 Isp2 10.1.0.0 10.1.0.255 Isp1 For Office1through ISP2 EoIP tunnel configuration For Office1 through ISP1For Office2 through ISP1 For Office2through ISP2 For Office2 IPIPTunnel Interfaces10.1.0.0 10.1.0.255 Isp1 3.1/24 3.0 3.255 Bonding1 Ipip Setup Add an IP address to created ipip1 interface Configuration of the R2 is shown below Name MTU LOCAL-ADDRESS Configuration on L2TP client router Add a L2TP client Enable the L2TP serverL2TP Interface IP Addresses and ARP AAA Configuration EoIP IP Security 2 L2TP Client SetupSubmenu level /interface l2tp-client Monitoring L2TP Client Command name /interface l2tp-client monitorExample of an established connection 5 L2TP Server Users 4 L2TP Server SetupTo enable L2TP server Submenu level /interface l2tp-server server Name User MTU CLIENT-ADDRESS Uptime To add a static entry for ex1 userInterface l2tp-server add user=ex1 ENC Router-to-Router Secure Tunnel Example 6 L2TP Application ExamplesThen the user should be added in the L2TP server list Admin@HomeOffice interface l2tp-server server Add a L2TP client to the RemoteOffice router Admin@HomeOffice ppp secret print detail Flags X disabled Connecting a Remote Client via L2TPTunnelTest the L2TP tunnel connection FromLaptop Admin@RemoteOffice interface l2tp-server Server must be enabledAdmin@RemoteOffice ppp secret Admin@RemoteOffice interface l2tp-server server PPPoE L2TP Setup for WindowsAdmin@RemoteOffice interface ethernet ToInternet 1500 Now add a pppoe server Add a user with username mike and passwordIp pool add name=pppoe-pool ranges=10.1.1.62-10.1.1.72 PPPoE Client Setup Submenu level /interface pppoe-client Monitoring PPPoE Client PPPoE Server Setup Access ConcentratorCommand name /interface pppoe-client monitor To monitor the pppoe-out1connection Admin@AT-WR4562 interface pppoe-server server Submenu level /interface pppoe-server PPPoE UsersPPPoE Server User Interfaces To view the currently connected users First of all, the wireless interface should be configured PPPoE in a multipoint wireless 802.11g networkAdmin@PPPoE-Server interface wireless We should add PPPoE server to the wireless interface Finally, we can set up PPPoE clients Pptp Admin@MT interface pppoe-server serverMy Windows XP client cannot connect to the PPPoE server Configuration on Pptp client router Add the Pptp client Enable the Pptp serverIP Addresses and ARP PPP User AAA EoIP Pptp Client Setup Submenu level /interface pptp-client Monitoring Pptp Client Pptp Server SetupCommand name /interface pptp-client monitor Submenu level /interface pptp-server server PPTPTunnel Interfaces To enable Pptp serverPptp Users Submenu level /interface pptp-server Interface pptp-server add user=ex1 Pptp Application Examples1460 10.0.0.202 6m32s None Pptp-in1 Ex1 Admin@RemoteOffice interface pptp-client Admin@HomeOffice interface pptp-server add user=exPptp-in1 Admin@HomeOffice interface pptp-server Add a Pptp client to the RemoteOffice router Connecting a Remote Client via Pptp Tunnel Test the Pptp tunnel connection Connecting a Remote Client via and Encrypted Pptp Tunnel FromLaptop Admin@RemoteOffice interface pptp-server IP Security Pptp Setup for WindowsIP Addresses and ARP Firewall and QoS Description Diffie-Hellman Group Modulus Reference Policy SettingsSubmenu level /ip ipsec policy Page To view the policy statistics, do the following Flags X disabled, D dynamic, I inactivePeers Submenu level /ip ipsec peer Submenu level /ip ipsec remote-peers Remote Peer StatisticsLocal-addressread-only IP address local Isakmp SA address Submenu level /ip ipsec installed-sa Installed SAsTo see currently estabilished SAs Command name /ip ipsec installed-sa flush Flushing Installed SATableSample printout looks as follows RouterOS Router to RouterOS Router To flush all the SAs installedTunnel mode example using AH with manual keying For Router1 IPsec Between two Masquerading RouterOS Routers Add accept and masquerading rules in SRC-NAT For Router2 Submenu level /ip firewall filter FilterFirewall Filter Mangle Packet FlowPage Property Description Page Page Protecting the Customers Network Filter ApplicationsProtect your RouterOS router Block IP addreses called bogons Deny udp ports in udp chain MangleCreate tcp chain and deny some tcp ports in it Allow only needed icmp codes in icmp chain Submenu level /ip firewall mangle MangleFilter Packet Flow Page Page Page Peer-to-PeerTraffic Marking Admin@AT-WR4562 /ip firewall mangle add chain=forward \Mark by MAC address Change MSS Packet FlowPacket Flow Mangle Filter Packet Flow Diagram ConnectionTracking Submenu level /ip firewall connection ConnectionTimeouts Submenu level /ip firewall connection tracking Service Ports Submenu level /ip firewall service-port General Firewall Information NAT Submenu level /ip firewall nat 2 NAT Address-list parameter Page Page Example of Destination NAT NAT ApplicationsExample of Source NAT Masquerading Example of one to one mapping Hot Spot Service HotSpot Gateway HotSpot example network Page Page Question&Answer-Based Setup Command name /ip hotspot setup Hs-local Local HS-real Default Admin@AT-WR4562 ip hotspot HotSpot Interface SetupName Interface Submenu level /ip hotspot profile HotSpot Server Profiles0s same as received Description HotSpot User ProfilesHotSpot Users HotSpot Cookies Submenu level /ip hotspot walled-garden HTTP-levelWalled GardenTo get the list of valid cookies # User Domain MAC-ADDRESS Submenu level /ip hotspot walled-garden ip IP-level Walled GardenOne-to-one NAT static address bindings Submenu level /ip hotspot ip-binding Service Port Command DescriptionActive Host List To set the FTP protocol uses both 20 and 21 TCP port Ftp Admin@AT-WR4562 ip hotspot service-portCustomizing HotSpot Firewall Section Chain=hotspot action=jump jump-target=pre-hotspot Packets from the authorized clients through the hs-authchain Https proxy is listening on the 64875 port Reject all packets to the clients with Icmp reject message Chain=hs-input action=jump jump-target=pre-hs-input Customizing HotSpot Http Servlet Pages Serving Servlet Pages Href=$link-loginlogin/a Page Hey, your username is john $elif username == dizzy To this line Add the following line Or alternatively add this line To thisBefore this one Possible Error Messages Then we can use that certificate for hotspot Name Interface ADDRESS-POOL Profile IDLE-TIMEOUTHotSpot How-tos MAC-ADDRESS Address TO-ADDRESS Server HotSpot User AAA MAC-ADDRESS Address TO-ADDRESS Server IDLE-TIMEOUT10.11.12.3 Hs-local Page Submenu level /ip hotspot user Submenu level /ip hotspot active HotSpot Active UsersServer Name Address Profile Uptime To get the list of active users 10.0.0.144 4m17s 55m43s Admin@AT-WR4562 ip hotspot activeUser Address Uptime Vrrp Vrrp Routers Property Description Simple example of Vrrp fail over Flags X disabled, a activeVirtual IP addresses Submenu level /ip vrrp address Now this address should appear in /ip address list Hardware Watchdog Management SystemWatchdogSubmenu level /system watchdog Admin@AT-WR4562 system watchdog Admin@AT-WR4562 system watchdog set auto-send-supout=yes \Automatic-supout yes Auto-send-supout yes Submenu level /system logging General SettingsLog Management Topics Submenu level /system logging action ActionsLog Messages Submenu level /log To monitor the system log Snmp ServiceTo view the local logs Timemessage Traffic Flow General ConfigurationRelated Documents Traffic-FlowTarget Admin@AT-WR4562 ip traffic-flowAdmin@AT-WR4562 ip traffic-flow target Traffic-Flow Example Host Information Network Load Statistics Matrix Network load profile by time General Options GraphingTo store information on system drive every hour Interface Graphing Health GraphingSimple Queue Graphing Submenu level /tool graphing resource 192.168.0.0/24 Yes Admin@AT-WR4562 tool graphing resourceResource Graphing ALLOW-ADDRESS