Manuals / Allied Telesis / Computer Equipment / Network Router

Allied Telesis AT-WR4500 manual Add a L2TP client to the RemoteOffice router

Models: AT-WR4500

1 264

Download 264 pages 44.79 Kb

Page 167

AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers	167
RouterOS v3 Configuration and User Guide

And finally, the server must be enabled:

[admin@HomeOffice] interface l2tp-server server> set enabled=yes

[admin@HomeOffice] interface l2tp-server server> print enabled: yes

mtu: 1460

mru: 1460

authentication: mschap2 default-profile: default

[admin@HomeOffice] interface l2tp-server server>

Add a L2TP client to the RemoteOffice router:

[admin@RemoteOffice] interface l2tp-client> add connect-to=192.168.80.1 user=ex \ \... password=lkjrht disabled=no

[admin@RemoteOffice] interface l2tp-client> print Flags: X - disabled, R - running

0R name="l2tp-out1" mtu=1460 mru=1460 mrru=disabled connect-to=192.168.80.1

user="ex" password="lkjrht" profile=default add-default-route=no allow=pap,chap,mschap1,mschap2

[admin@RemoteOffice] interface l2tp-client>

Thus, a L2TP tunnel is created between the routers. This tunnel is like an Ethernet point-to-point connection between the routers with IP addresses 10.0.103.1 and 10.0.103.2 at each router. It enables 'direct' communication between the routers over third party networks.

Big

Internet

	WISP#1			WISP#2
				WISP#2
	192.168.80.0/24			192.168.81.0/24
				192.168.81.0/24
Home Office		Encrypted L2TP tunnel			Remote Office
To Internet					To Internet
192.168.80.1/24					192.168.81.1/24
	From			To
	From
	10. 0.103.1/24			10. 0.103.2/24
	10. 0.103.1/24
LAN					LAN
10.150.2.254/24					10.150.1.254/24
			Network Setup with L2TP
10.150.2.1/24					10.150.1.1/24

Figure 24: Secure Remote office connection through L2TP tunnel

To route the local Intranets over the L2TP tunnel you need to add these routes:

[admin@HomeOffice] > ip route add dst-address 10.150.1.0/24 gateway 10.0.103.2 [admin@RemoteOffice] > ip route add dst-address 10.150.2.0/24 gateway 10.0.103.1

Image 167

Allied Telesis AT-WR4500 manual Add a L2TP client to the RemoteOffice router, Admin@HomeOffice interface l2tp-server server

Contents

PN 613-000813 Rev. B AT-WR4500 SeriesRouterOS v3 Configuration and User Guide AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless RoutersLimitation of Liability and Damages Contents IP Addresses and ARP Routes, Equal Cost Multipath Routing, Policy Routing121 117118 120166 Hot Spot Service 222163 16412.1.2 General Settings 10.3.7 Command Description10.3.8 Service Port Possible Error MessagesFigures Document Conventions Purpose of This GuideHow This Guide is organized Allied Telesis FTP server ftp//ftp.alliedtelesis.com Sales or Corporate Information Management Software UpdatesTell Us What You Think Introduction Software License FeaturesAdmin@AT-WR4541g /system license print software-id NCL8-3TT Downloading WinBox loader Accessing theWR4500 throughWinBoxUsing WinBox Logging in the AT-WR4500 RouterAT-WR4500 Login admin Password Accessing the CLIPassword can be changed with the /password command Aaaaaaaaaaa Ttttttt Aaaaaaa Aaaaa Tttt Command Action General Information System BackupImport Command Export CommandGeneral Information Configuration ResetSpecifications SoftwareVersion ManagementProperty Description System UpgradeTo upgrade chosen packages Step-by-StepAdding Package Source Submenu level /system upgrade upgrade-package-source192.168.25.8 Admin Software Package ManagementCommand name /system package uninstall Installation UpgradeUninstallation Name Version Command name /system package downgradeAdmin@AT-WR4562 system package print Flags X disabled DowngradingUnscheduling Suppose we need to test ipv6 package featuresCommand name /system package unschedule Disabling and EnablingName Version Scheduled Admin@AT-WR4562 system package unschedule securityDownloading 16 % To upgrade selected packagesSoftware Package List DownloadPackage name Contents Prerequisites Additional License Package name Contents Prerequisites Additional License Traffic Monitoring General Interface SettingsCommand name /interface monitor-traffic Interface StatusAdditional Resources Ethernet Interface ConfigurationEthernet Interfaces RelatedTopicsARP Command name /interface ethernet monitorMonitoring the Interface Status Type RX-RATE TX-RATE MTUDefault-cable-setting standard standard Wireless InterfacesTroubleshooting IP Addresses and ARP Log Management Quick Setup GuideAck-timeout Range 5GHz 5GHz-turbo 2.4GHz-G 35km 298 Wireless Interface ConfigurationSubmenu level /interface wireless 30km 249AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers Page AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers This example shows how configure a wireless client Signal-to-noise 73dB tx-ccq 79% rx-ccq 46% p-throughput Nstreme SettingsTo see current interface settings Submenu level /interface wireless nstremeSubmenu level /interface wireless nstreme-dual Nstreme2 Group SettingsExample Then add nstreme2 interface with exact-size framing Submenu level /interface wireless registration-tableAdmin@AT-WR4562 interface wireless nstreme-dual RegistrationTableNo -38dBm.. Mbps Admin@AT-WR4562 interface wireless registration-table# Interface RADIO-NAME MAC-ADDRESS Wlan1 000C42185C3DConnect List Access ListSubmenu level /interface wireless connect-list Submenu level /interface wireless access-listSubmenu level /interface wireless info Info commandPage AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers Example Virtual Access Point Interface Submenu level /interface wireless wds WDS Interface ConfigurationAlign Submenu level /interface wireless alignAlign Monitor Command name /interface wireless align monitorAdmin@AT-WR4562 interface wireless align Frequency Monitor ManualTransmit PowerTableAproximately shows how loaded are the wireless channels Submenu level /interface wireless manual-tx-power-tableAddress Ssid Band Freq SIG RADIO-NAME AB R Command name /interface wireless scan interfacenameNetwork Scan Scan the 5GHz bandSecurity Profiles Submenu level /interface wireless security-profilesPage Sniffer Submenu level /interface wireless snifferSubmenu level /interface wireless sniffer sniff Wireless Sniffer Sniffs packetsSnooper Submenu level /interface wireless snooperFreq SIGNAL@RATE SRC DST Type Sniffer PacketsBand Freq USE Station and AccessPointApplication Examples Snoop 802.11b network54Mbps 10.1.0.1/24 10.1.0.0 10.1.0.255 Admin@AccessPoint ip addressWDS Station Configure the station and add an IP address 10.1.0.2 to itCheck whether you can ping the Access Point from Station On WDS Access PointSet wds-default-bridge to bridge1 Virtual Access Point Test 4ghz-g Virtual-test 4ghz-gNstreme network example NstremeSsid nstreme Dual NstremeMonitor the link Admin@DualNS-1 interface wireless nstreme-dual Configure DualNS-1Admin@DualNS-2 interface wireless nstreme-dual Now complete the configuration for DualNS-1WEP security example WEP SecurityPage Admin@WEPStation1 interface wireless Configure WEPStation1WPA Security Admin@WEPStationX interface wirelessAdmin@WPAStation interface wireless Test the link between Access point and the clientAdmin@WPAAP interface wireless security-profiles Admin@WPAStation interface wireless security-profilesVlan Interfaces Vlan SetupName MTU ARP Application ExampleVlan example on AT-WR4500 Routers 10.20.0.0 10.20.0.255 Pc1 10.10.10.0 10.10.10.255 Test Admin@AT-WR4562 ip addressBridge Interfaces 10.0.0.0 10.0.0.255 Ether1IP Addresses and ARP EoIP Bridge Interface SetupInterface bridge add name=MyBridge disabled=no Add ether1 and ether2 to MyBridge interfaceSubmenu level /interface bridge port Port SettingsBridge Port Monitoring Command name /interface bridge monitorCommand name /interface bridge port monitor Bridge MonitoringTo monitor a bridge port Command name /interface bridge hostBridge Host Monitoring Bridge Firewall General DescriptionProperty Description Page Submenu level /interface bridge nat Bridge Packet FilterBridge NAT Submenu level /interface bridge filterSubmenu level /interface bridge broute Bridge Brouting FacilityTroubleshooting Submenu level /ip address Configuring Interfaces Dhcp and DNSIP Addresses and ARP IP Addressing2.1/24 2.0 2.255 Ether2 Address Resolution Protocol10.10.10.0 10.10.10.255 Ether2 Admin@AT-WR4562 ip address Submenu level /ip arpAddress MAC-ADDRESS Interface Proxy-ARP featureAddress MAC-ADDRESS Proxy ARP Unnumbered Interfaces Consider the following configurationRouter setup is as follows RIP Routing Information Protocol General Setup Submenu level /routing rip interface Admin@AT-WR4562 routing ripInterfaces Submenu level /routing rip network NetworksNeighbors Routes10.0.0.174 10.0.0.255 Ether1 0.0.0 Ether1 Admin@AT-WR4562To view the list of the routes Ether1 1500 Ether2Regular routing table is Admin@AT-WR4562 routing rip set redistribute-connected=yes10.0.0.0/24 Admin@AT-WR4562 routing rip network 0.0.0 Ether1 Admin@AT-WR4562 routing ripRouting table of the Alliedware+ router is Alliedware+ Router ConfigurationOspf General Setup Submenu level /routing ospf area Admin@AT-WR4562 routing ospfOspf Areas Network Area Backbone 0.0 None Local10 10.5 Admin@WiFi routing ospf areaSubmenu level /routing ospf network Name AREA-IDSubmenu level /routing ospf virtual-link Virtual LinksSubmenu level /routing ospf interface NEIGHBOR-ID Virtual link should be configured on both routers10.0.0.201 Admin@AT-WR4562 routing ospf virtual-link Submenu level /routing ospf neighborOspf Backup Ospf backup without using a tunnelName Type RX-RATE Rate MTU AuthenticationDefine new Ospf area named local10 with area-id Add connected networks with area local10 in ospf networkAdd the needed IP addresses Name AREA-ID Stub DEFAULT-COST AuthenticationAdd the same area as in main router Add connected networks with area local10DST-ADDRESS Gateway Distance Interface Admin@OSPFMAIN ip route printAdd connected networks with the same area Connect, S static, r rip, o ospf, b bgpDead-interval=40s Routing tables with Revised Link CostOn OSPFpeer2 Functioning of the BackupRoutes, Equal Cost Multipath Routing, Policy Routing NAT Submenu level /ip route rule Policy RulesStatic Equal Cost Multi-Path Routing example Static Equal Cost Multi-Path routingStandard Policy-Based Routing with Failover Standard Policy-Based Routing with FailoverDST-ADDRESS Prefsrc Gateway 192.168.0.0 192.168.0.255 Local1Packages required dhcp License required Level1 Dhcp Client and ServerFinally, add a Dhcp server Check whether you have obtained a leaseSubmenu level /ip dhcp-client Dhcp Client SetupSubmenu level /ip dhcp-server Dhcp Server SetupTo add a Dhcp client on ether1 interface Property Description Name Interface Relay Submenu level /ip dhcp-server configStore Leases on Disk Submenu level /ip dhcp-server lease Dhcp NetworksDhcp Server Leases Submenu level /ip dhcp-server networkCommand Description Submenu level /ip dhcp-server option Dhcp AlertDhcp Option Submenu level /ip dhcp-server alertName Code Value Dhcp RelayUse this option in Dhcp server network list Submenu level /ip dhcp-relayQuestions Command name /ip dhcp-server setupRelay Ether1 10.0.0.1 Admin@AT-WR4562 ip dhcp-relay Questions & Answers# Address Gateway DNS-SERVER WINS-SERVER Dynamic Addressing, using DHCP-RelayIP addresses of DHCP-Server Name Interface Relay ADDRESS-POOL LEASE-TIME ADD-ARPDHCP-1 IP Address assignment, using FreeRADIUS ServerConfigure respective networks Create Dhcp ServersClients.conf file Configure Radius Client on RouterOSSetup Dhcp Server Create an address pool Configure Dhcp networksIP and Routing DNS Client and CacheStatic DNS Entries 5Static DNS EntriesCache Monitoring Name Address Command name /ip dns cache flush6Flushing DNS cache Flush clears internal DNS cacheRadius client Radius Client SetupSubmenu level /radius incoming Service CALLED-ID Domain AddressPpp,hotspot 10.0.0.3 Admin@AT-WR4562 radius ConnectionTerminating from RadiusXTRadius does not currently support MS-CHAP Suggested Radius ServersSupported Radius Attributes Page Page Page Name VendorID Value Name VendorID Value RFC where it is defined AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers Submenu level /ppp profile PPP User AAALocal PPP User Profiles L2TP InterfacePage Submenu level /ppp secret Local PPP User DatabaseMonitoring Active PPP Users Command name /ppp active printName Service CALLER-ID Password Profile Name Service CALLER-ID Address Uptime EncodingSubmenu level /ppp aaa To enable Radius AAARouter User AAA PPP User Remote AAAExclamation sign ! just before policy item name means not Router User GroupsSubmenu level /user group Only one, it cannot be removed Admin@rb13 user groupAdmin@AT-WR4562 user print Flags X disabled Router UsersRouter User Remote AAA Command name /user active printWhen Name Address Monitoring Active Router UsersGenerating key on a linux machine To enable Radius AAA, enter the following commandSSH keys Submenu level /user ssh-keysIP Addresses and ARP Bridge Interfaces EoIPSpecific Properties EoIP Setup Name User MTU CLIENT-ADDRESS Uptime ENC Admin@OurGW interface pptp-server server set enable=yesAdmin@Remote interface pptp-client EoIP Application ExampleInterface Bridge Priority PATH-COST Same for the RemoteRelated Documents Quick Setup GuideInterface Bonding General Information SummaryProperty Description 10.1.0.0 10.1.0.255 Isp1 Application ExamplesIsp1 Ether 1500 Isp2 1.1/24 1.0 1.255 Isp2For Office2through ISP2 EoIP tunnel configuration For Office1 through ISP1For Office2 through ISP1 For Office1through ISP210.1.0.0 10.1.0.255 Isp1 3.1/24 3.0 3.255 Bonding1 IPIPTunnel InterfacesFor Office2 Add an IP address to created ipip1 interface Ipip SetupName MTU LOCAL-ADDRESS Configuration of the R2 is shown belowL2TP Interface Enable the L2TP serverConfiguration on L2TP client router Add a L2TP client Submenu level /interface l2tp-client 2 L2TP Client SetupIP Addresses and ARP AAA Configuration EoIP IP Security Example of an established connection Command name /interface l2tp-client monitorMonitoring L2TP Client Submenu level /interface l2tp-server server 4 L2TP Server SetupTo enable L2TP server 5 L2TP Server UsersENC To add a static entry for ex1 userInterface l2tp-server add user=ex1 Name User MTU CLIENT-ADDRESS UptimeThen the user should be added in the L2TP server list 6 L2TP Application ExamplesRouter-to-Router Secure Tunnel Example Add a L2TP client to the RemoteOffice router Admin@HomeOffice interface l2tp-server serverTest the L2TP tunnel connection Connecting a Remote Client via L2TPTunnelAdmin@HomeOffice ppp secret print detail Flags X disabled Admin@RemoteOffice interface l2tp-server server Server must be enabledAdmin@RemoteOffice ppp secret FromLaptop Admin@RemoteOffice interface l2tp-serverToInternet 1500 L2TP Setup for WindowsAdmin@RemoteOffice interface ethernet PPPoEIp pool add name=pppoe-pool ranges=10.1.1.62-10.1.1.72 Add a user with username mike and passwordNow add a pppoe server Submenu level /interface pppoe-client PPPoE Client SetupTo monitor the pppoe-out1connection PPPoE Server Setup Access ConcentratorCommand name /interface pppoe-client monitor Monitoring PPPoE ClientAdmin@AT-WR4562 interface pppoe-server server To view the currently connected users PPPoE UsersPPPoE Server User Interfaces Submenu level /interface pppoe-serverAdmin@PPPoE-Server interface wireless PPPoE in a multipoint wireless 802.11g networkFirst of all, the wireless interface should be configured Finally, we can set up PPPoE clients We should add PPPoE server to the wireless interfaceMy Windows XP client cannot connect to the PPPoE server Admin@MT interface pppoe-server serverPptp IP Addresses and ARP PPP User AAA EoIP Enable the Pptp serverConfiguration on Pptp client router Add the Pptp client Submenu level /interface pptp-client Pptp Client SetupSubmenu level /interface pptp-server server Pptp Server SetupCommand name /interface pptp-client monitor Monitoring Pptp ClientSubmenu level /interface pptp-server To enable Pptp serverPptp Users PPTPTunnel Interfaces1460 10.0.0.202 6m32s None Pptp-in1 Ex1 Pptp Application ExamplesInterface pptp-server add user=ex1 Add a Pptp client to the RemoteOffice router Admin@HomeOffice interface pptp-server add user=exPptp-in1 Admin@HomeOffice interface pptp-server Admin@RemoteOffice interface pptp-clientTest the Pptp tunnel connection Connecting a Remote Client via Pptp TunnelFromLaptop Admin@RemoteOffice interface pptp-server Connecting a Remote Client via and Encrypted Pptp TunnelIP Addresses and ARP Firewall and QoS Pptp Setup for WindowsIP Security Description Submenu level /ip ipsec policy Policy SettingsDiffie-Hellman Group Modulus Reference Page Submenu level /ip ipsec peer Flags X disabled, D dynamic, I inactivePeers To view the policy statistics, do the followingLocal-addressread-only IP address local Isakmp SA address Remote Peer StatisticsSubmenu level /ip ipsec remote-peers To see currently estabilished SAs Installed SAsSubmenu level /ip ipsec installed-sa Sample printout looks as follows Flushing Installed SATableCommand name /ip ipsec installed-sa flush For Router1 To flush all the SAs installedTunnel mode example using AH with manual keying RouterOS Router to RouterOS RouterAdd accept and masquerading rules in SRC-NAT IPsec Between two Masquerading RouterOS RoutersFor Router2 Mangle Packet Flow FilterFirewall Filter Submenu level /ip firewall filterPage Property Description Page Page Block IP addreses called bogons Filter ApplicationsProtect your RouterOS router Protecting the Customers NetworkAllow only needed icmp codes in icmp chain MangleCreate tcp chain and deny some tcp ports in it Deny udp ports in udp chainFilter Packet Flow MangleSubmenu level /ip firewall mangle Page Page Page Mark by MAC address Admin@AT-WR4562 /ip firewall mangle add chain=forward \Peer-to-PeerTraffic Marking Mangle Filter Packet FlowPacket Flow Change MSSPacket Flow Diagram Submenu level /ip firewall connection ConnectionTrackingSubmenu level /ip firewall connection tracking ConnectionTimeoutsSubmenu level /ip firewall service-port Service PortsGeneral Firewall Information Submenu level /ip firewall nat NAT2 NAT Address-list parameter Page Page Example of one to one mapping NAT ApplicationsExample of Source NAT Masquerading Example of Destination NATHotSpot Gateway Hot Spot ServiceHotSpot example network Page Page Command name /ip hotspot setup Question&Answer-Based SetupName Interface HotSpot Interface SetupHs-local Local HS-real Default Admin@AT-WR4562 ip hotspot 0s same as received HotSpot Server ProfilesSubmenu level /ip hotspot profile HotSpot Cookies HotSpot User ProfilesHotSpot Users Description# User Domain MAC-ADDRESS HTTP-levelWalled GardenTo get the list of valid cookies Submenu level /ip hotspot walled-gardenSubmenu level /ip hotspot ip-binding IP-level Walled GardenOne-to-one NAT static address bindings Submenu level /ip hotspot walled-garden ipActive Host List Command DescriptionService Port Chain=hotspot action=jump jump-target=pre-hotspot Ftp Admin@AT-WR4562 ip hotspot service-portCustomizing HotSpot Firewall Section To set the FTP protocol uses both 20 and 21 TCP portHttps proxy is listening on the 64875 port Packets from the authorized clients through the hs-authchainChain=hs-input action=jump jump-target=pre-hs-input Reject all packets to the clients with Icmp reject messageServing Servlet Pages Customizing HotSpot Http Servlet PagesHref=$link-loginlogin/a Page Hey, your username is john $elif username == dizzy Add the following line To this lineBefore this one To thisOr alternatively add this line Possible Error Messages MAC-ADDRESS Address TO-ADDRESS Server Name Interface ADDRESS-POOL Profile IDLE-TIMEOUTHotSpot How-tos Then we can use that certificate for hotspot10.11.12.3 Hs-local MAC-ADDRESS Address TO-ADDRESS Server IDLE-TIMEOUTHotSpot User AAA Page Submenu level /ip hotspot user Server Name Address Profile Uptime HotSpot Active UsersSubmenu level /ip hotspot active User Address Uptime 10.0.0.144 4m17s 55m43s Admin@AT-WR4562 ip hotspot activeTo get the list of active users Vrrp Routers VrrpProperty Description Submenu level /ip vrrp address Flags X disabled, a activeVirtual IP addresses Simple example of Vrrp fail overNow this address should appear in /ip address list Submenu level /system watchdog SystemWatchdogHardware Watchdog Management Automatic-supout yes Auto-send-supout yes Admin@AT-WR4562 system watchdog set auto-send-supout=yes \Admin@AT-WR4562 system watchdog Topics General SettingsLog Management Submenu level /system loggingSubmenu level /log ActionsLog Messages Submenu level /system logging actionTimemessage Snmp ServiceTo view the local logs To monitor the system logRelated Documents General ConfigurationTraffic Flow Traffic-Flow Example Admin@AT-WR4562 ip traffic-flowAdmin@AT-WR4562 ip traffic-flow target Traffic-FlowTargetNetwork Load Statistics Matrix Host InformationNetwork load profile by time To store information on system drive every hour GraphingGeneral Options Simple Queue Graphing Health GraphingInterface Graphing ALLOW-ADDRESS 192.168.0.0/24 Yes Admin@AT-WR4562 tool graphing resourceResource Graphing Submenu level /tool graphing resource