Manuals / Allied Telesis / Computer Equipment / Network Router

Allied Telesis AT-WR4500 manual Add a Pptp client to the RemoteOffice router

Models: AT-WR4500

1 264

Download 264 pages 44.79 Kb

Page 184

184	AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers
	RouterOS v3 Configuration and User Guide

Then the user should be added in the PPTP server list:

[admin@HomeOffice] interface pptp-server> add user=ex

[admin@HomeOffice] interface pptp-server> print Flags: X - disabled, D - dynamic, R - running

#	NAME	USER	MTU CLIENT-ADDRESS UPTIME ENC...
0	pptp-in1	ex

[admin@HomeOffice] interface pptp-server>

And finally, the server must be enabled:

[admin@HomeOffice] interface pptp-server server> set enabled=yes

[admin@HomeOffice] interface pptp-server server> print enabled: yes

max-mtu: 1460

max-mru: 1460 mrru: disabled

authentication: mschap2 keepalive-timeout: 30

default-profile: default [admin@HomeOffice] interface pptp-server server>

Add a PPTP client to the RemoteOffice router:

[admin@RemoteOffice] interface pptp-client> add connect-to=192.168.80.1 user=ex \ \... password=lkjrht disabled=no

[admin@RemoteOffice] interface pptp-client> print Flags: X - disabled, R - running

0R name="pptp-out1" mtu=1460 mru=1460 connect-to=192.168.80.1 user="ex"

password="lkjrht" profile=default add-default-route=no allow=pap,chap,mschap1,mschap2

[admin@RemoteOffice] interface pptp-client>

Thus, a PPTP tunnel is created between the routers. This tunnel is like an Ethernet point-to-point connection between the routers with IP addresses 10.0.103.1 and 10.0.103.2 at each router. It enables 'direct' communication between the routers over third party networks.

			Internet
ISP #1						ISP #2
ISP #1			Encrypted			ISP #2
192.168.80.0/24			Encrypted			192.168.81.0/24
192.168.80.0/24		PPTP Tunnel				192.168.81.0/24
		PPTP Tunnel
[Home Office]	FromRemoteOffice						[Remote Office]
192.168.80.1/24	FromRemoteOffice						192.168.81.1/24
192.168.80.1/24
	10.0.103.1/24		Tunnel_To_HomeOffice
	10.0.103.1/24		Tunnel_To_HomeOffice
						10.0.103.2/24
10.150.2.254/24						10.150.1.254/24
10.150.2.254/24

10.150.2.1/2410.150.1.1/24

Figure 28: Network Setup with encrypted PPTP Tunnel

To route the local Intranets over the PPTP tunnel you need to add these routes:

[admin@HomeOffice] > ip route add dst-address 10.150.1.0/24 gateway 10.0.103.2 [admin@RemoteOffice] > ip route add dst-address 10.150.2.0/24 gateway 10.0.103.1

Image 184

Allied Telesis AT-WR4500 Add a Pptp client to the RemoteOffice router, Admin@HomeOffice interface pptp-server add user=ex

Contents

AT-WR4500 Series PN 613-000813 Rev. BAT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers RouterOS v3 Configuration and User GuideLimitation of Liability and Damages Contents Routes, Equal Cost Multipath Routing, Policy Routing IP Addresses and ARP117 118120 121Hot Spot Service 222 163164 16610.3.7 Command Description 10.3.8 Service PortPossible Error Messages 12.1.2 General SettingsFigures How This Guide is organized Purpose of This GuideDocument Conventions Tell Us What You Think Sales or Corporate Information Management Software UpdatesAllied Telesis FTP server ftp//ftp.alliedtelesis.com Introduction Admin@AT-WR4541g /system license print software-id NCL8-3TT FeaturesSoftware License Accessing theWR4500 throughWinBox Using WinBoxLogging in the AT-WR4500 Router Downloading WinBox loaderPassword can be changed with the /password command Accessing the CLIAT-WR4500 Login admin Password Aaaaaaaaaaa Ttttttt Aaaaaaa Aaaaa Tttt Command Action System Backup General InformationExport Command Import CommandConfiguration Reset SpecificationsSoftwareVersion Management General InformationSystem Upgrade To upgrade chosen packagesStep-by-Step Property DescriptionSubmenu level /system upgrade upgrade-package-source 192.168.25.8 AdminSoftware Package Management Adding Package SourceUninstallation Installation UpgradeCommand name /system package uninstall Command name /system package downgrade Admin@AT-WR4562 system package print Flags X disabledDowngrading Name VersionSuppose we need to test ipv6 package features Command name /system package unscheduleDisabling and Enabling UnschedulingAdmin@AT-WR4562 system package unschedule security Name Version ScheduledTo upgrade selected packages Software Package ListDownload Downloading 16 %Package name Contents Prerequisites Additional License Package name Contents Prerequisites Additional License General Interface Settings Command name /interface monitor-trafficInterface Status Traffic MonitoringEthernet Interface Configuration Ethernet InterfacesRelatedTopics Additional ResourcesCommand name /interface ethernet monitor Monitoring the Interface StatusType RX-RATE TX-RATE MTU ARPTroubleshooting Wireless InterfacesDefault-cable-setting standard standard Ack-timeout Range 5GHz 5GHz-turbo 2.4GHz-G Quick Setup GuideIP Addresses and ARP Log Management Wireless Interface Configuration Submenu level /interface wireless30km 249 35km 298AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers Page AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers This example shows how configure a wireless client Nstreme Settings To see current interface settingsSubmenu level /interface wireless nstreme Signal-to-noise 73dB tx-ccq 79% rx-ccq 46% p-throughputNstreme2 Group Settings Submenu level /interface wireless nstreme-dualExample Submenu level /interface wireless registration-table Admin@AT-WR4562 interface wireless nstreme-dualRegistrationTable Then add nstreme2 interface with exact-size framingAdmin@AT-WR4562 interface wireless registration-table # Interface RADIO-NAME MAC-ADDRESSWlan1 000C42185C3D No -38dBm.. MbpsAccess List Submenu level /interface wireless connect-listSubmenu level /interface wireless access-list Connect ListInfo command Submenu level /interface wireless infoPage AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers Example Virtual Access Point Interface WDS Interface Configuration Submenu level /interface wireless wdsSubmenu level /interface wireless align AlignAdmin@AT-WR4562 interface wireless align Command name /interface wireless align monitorAlign Monitor ManualTransmit PowerTable Aproximately shows how loaded are the wireless channelsSubmenu level /interface wireless manual-tx-power-table Frequency MonitorCommand name /interface wireless scan interfacename Network ScanScan the 5GHz band Address Ssid Band Freq SIG RADIO-NAME AB RSubmenu level /interface wireless security-profiles Security ProfilesPage Submenu level /interface wireless sniffer Submenu level /interface wireless sniffer sniffWireless Sniffer Sniffs packets SnifferSubmenu level /interface wireless snooper Freq SIGNAL@RATE SRC DST TypeSniffer Packets SnooperStation and AccessPoint Application ExamplesSnoop 802.11b network Band Freq USE10.1.0.1/24 10.1.0.0 10.1.0.255 Admin@AccessPoint ip address 54MbpsConfigure the station and add an IP address 10.1.0.2 to it Check whether you can ping the Access Point from StationOn WDS Access Point WDS StationSet wds-default-bridge to bridge1 Virtual Access Point Virtual-test 4ghz-g Test 4ghz-gNstreme Nstreme network exampleMonitor the link Dual NstremeSsid nstreme Configure DualNS-1 Admin@DualNS-1 interface wireless nstreme-dualNow complete the configuration for DualNS-1 Admin@DualNS-2 interface wireless nstreme-dualWEP Security WEP security examplePage Configure WEPStation1 Admin@WEPStation1 interface wirelessAdmin@WEPStationX interface wireless WPA SecurityTest the link between Access point and the client Admin@WPAAP interface wireless security-profilesAdmin@WPAStation interface wireless security-profiles Admin@WPAStation interface wirelessVlan Setup Vlan InterfacesVlan example on AT-WR4500 Routers Application ExampleName MTU ARP 10.10.10.0 10.10.10.255 Test Admin@AT-WR4562 ip address Bridge Interfaces10.0.0.0 10.0.0.255 Ether1 10.20.0.0 10.20.0.255 Pc1Bridge Interface Setup Interface bridge add name=MyBridge disabled=noAdd ether1 and ether2 to MyBridge interface IP Addresses and ARP EoIPPort Settings Submenu level /interface bridge portCommand name /interface bridge monitor Command name /interface bridge port monitorBridge Monitoring Bridge Port MonitoringCommand name /interface bridge host Bridge Host MonitoringBridge Firewall General Description To monitor a bridge portProperty Description Page Bridge Packet Filter Bridge NATSubmenu level /interface bridge filter Submenu level /interface bridge natBridge Brouting Facility Submenu level /interface bridge brouteTroubleshooting Configuring Interfaces Dhcp and DNS IP Addresses and ARPIP Addressing Submenu level /ip addressAddress Resolution Protocol 10.10.10.0 10.10.10.255 Ether2 Admin@AT-WR4562 ip addressSubmenu level /ip arp 2.1/24 2.0 2.255 Ether2Address MAC-ADDRESS Proxy-ARP featureAddress MAC-ADDRESS Interface Proxy ARP Router setup is as follows Consider the following configurationUnnumbered Interfaces RIP Routing Information Protocol General Setup Interfaces Admin@AT-WR4562 routing ripSubmenu level /routing rip interface Networks NeighborsRoutes Submenu level /routing rip network0.0.0 Ether1 Admin@AT-WR4562 To view the list of the routesEther1 1500 Ether2 10.0.0.174 10.0.0.255 Ether1Admin@AT-WR4562 routing rip set redistribute-connected=yes 10.0.0.0/24 Admin@AT-WR4562 routing rip network0.0.0 Ether1 Admin@AT-WR4562 routing rip Regular routing table isOspf Alliedware+ Router ConfigurationRouting table of the Alliedware+ router is General Setup Ospf Areas Admin@AT-WR4562 routing ospfSubmenu level /routing ospf area Backbone 0.0 None Local10 10.5 Admin@WiFi routing ospf area Submenu level /routing ospf networkName AREA-ID Network AreaSubmenu level /routing ospf interface Virtual LinksSubmenu level /routing ospf virtual-link Virtual link should be configured on both routers 10.0.0.201 Admin@AT-WR4562 routing ospf virtual-linkSubmenu level /routing ospf neighbor NEIGHBOR-IDOspf backup without using a tunnel Ospf BackupAuthentication Define new Ospf area named local10 with area-idAdd connected networks with area local10 in ospf network Name Type RX-RATE Rate MTUName AREA-ID Stub DEFAULT-COST Authentication Add the same area as in main routerAdd connected networks with area local10 Add the needed IP addressesAdmin@OSPFMAIN ip route print Add connected networks with the same areaConnect, S static, r rip, o ospf, b bgp DST-ADDRESS Gateway Distance InterfaceRouting tables with Revised Link Cost Dead-interval=40sFunctioning of the Backup On OSPFpeer2Routes, Equal Cost Multipath Routing, Policy Routing NAT Policy Rules Submenu level /ip route ruleStatic Equal Cost Multi-Path routing Static Equal Cost Multi-Path Routing exampleStandard Policy-Based Routing with Failover Standard Policy-Based Routing with Failover192.168.0.0 192.168.0.255 Local1 DST-ADDRESS Prefsrc GatewayDhcp Client and Server Finally, add a Dhcp serverCheck whether you have obtained a lease Packages required dhcp License required Level1Dhcp Client Setup Submenu level /ip dhcp-clientTo add a Dhcp client on ether1 interface Dhcp Server SetupSubmenu level /ip dhcp-server Property Description Store Leases on Disk Submenu level /ip dhcp-server configName Interface Relay Dhcp Networks Dhcp Server LeasesSubmenu level /ip dhcp-server network Submenu level /ip dhcp-server leaseCommand Description Dhcp Alert Dhcp OptionSubmenu level /ip dhcp-server alert Submenu level /ip dhcp-server optionDhcp Relay Use this option in Dhcp server network listSubmenu level /ip dhcp-relay Name Code ValueCommand name /ip dhcp-server setup Relay Ether1 10.0.0.1 Admin@AT-WR4562 ip dhcp-relayQuestions & Answers QuestionsDynamic Addressing, using DHCP-Relay IP addresses of DHCP-ServerName Interface Relay ADDRESS-POOL LEASE-TIME ADD-ARP # Address Gateway DNS-SERVER WINS-SERVERIP Address assignment, using FreeRADIUS Server Configure respective networksCreate Dhcp Servers DHCP-1Configure Radius Client on RouterOS Setup Dhcp Server Create an address poolConfigure Dhcp networks Clients.conf fileDNS Client and Cache IP and RoutingCache Monitoring 5Static DNS EntriesStatic DNS Entries Command name /ip dns cache flush 6Flushing DNS cacheFlush clears internal DNS cache Name AddressRadius Client Setup Radius clientService CALLED-ID Domain Address Ppp,hotspot 10.0.0.3 Admin@AT-WR4562 radiusConnectionTerminating from Radius Submenu level /radius incomingSupported Radius Attributes Suggested Radius ServersXTRadius does not currently support MS-CHAP Page Page Page Name VendorID Value Name VendorID Value RFC where it is defined AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers PPP User AAA Local PPP User ProfilesL2TP Interface Submenu level /ppp profilePage Local PPP User Database Submenu level /ppp secretCommand name /ppp active print Name Service CALLER-ID Password ProfileName Service CALLER-ID Address Uptime Encoding Monitoring Active PPP UsersTo enable Radius AAA Router User AAAPPP User Remote AAA Submenu level /ppp aaaSubmenu level /user group Router User GroupsExclamation sign ! just before policy item name means not Admin@rb13 user group Admin@AT-WR4562 user print Flags X disabledRouter Users Only one, it cannot be removedCommand name /user active print When Name AddressMonitoring Active Router Users Router User Remote AAATo enable Radius AAA, enter the following command SSH keysSubmenu level /user ssh-keys Generating key on a linux machineSpecific Properties EoIPIP Addresses and ARP Bridge Interfaces EoIP Setup Admin@OurGW interface pptp-server server set enable=yes Admin@Remote interface pptp-clientEoIP Application Example Name User MTU CLIENT-ADDRESS Uptime ENCSame for the Remote Interface Bridge Priority PATH-COSTQuick Setup Guide Interface Bonding General InformationSummary Related DocumentsProperty Description Application Examples Isp1 Ether 1500 Isp21.1/24 1.0 1.255 Isp2 10.1.0.0 10.1.0.255 Isp1EoIP tunnel configuration For Office1 through ISP1 For Office2 through ISP1For Office1through ISP2 For Office2through ISP2For Office2 IPIPTunnel Interfaces10.1.0.0 10.1.0.255 Isp1 3.1/24 3.0 3.255 Bonding1 Ipip Setup Add an IP address to created ipip1 interfaceConfiguration of the R2 is shown below Name MTU LOCAL-ADDRESSConfiguration on L2TP client router Add a L2TP client Enable the L2TP serverL2TP Interface IP Addresses and ARP AAA Configuration EoIP IP Security 2 L2TP Client SetupSubmenu level /interface l2tp-client Monitoring L2TP Client Command name /interface l2tp-client monitorExample of an established connection 4 L2TP Server Setup To enable L2TP server5 L2TP Server Users Submenu level /interface l2tp-server serverTo add a static entry for ex1 user Interface l2tp-server add user=ex1Name User MTU CLIENT-ADDRESS Uptime ENCRouter-to-Router Secure Tunnel Example 6 L2TP Application ExamplesThen the user should be added in the L2TP server list Admin@HomeOffice interface l2tp-server server Add a L2TP client to the RemoteOffice routerAdmin@HomeOffice ppp secret print detail Flags X disabled Connecting a Remote Client via L2TPTunnelTest the L2TP tunnel connection Server must be enabled Admin@RemoteOffice ppp secretFromLaptop Admin@RemoteOffice interface l2tp-server Admin@RemoteOffice interface l2tp-server serverL2TP Setup for Windows Admin@RemoteOffice interface ethernetPPPoE ToInternet 1500Now add a pppoe server Add a user with username mike and passwordIp pool add name=pppoe-pool ranges=10.1.1.62-10.1.1.72 PPPoE Client Setup Submenu level /interface pppoe-clientPPPoE Server Setup Access Concentrator Command name /interface pppoe-client monitorMonitoring PPPoE Client To monitor the pppoe-out1connectionAdmin@AT-WR4562 interface pppoe-server server PPPoE Users PPPoE Server User InterfacesSubmenu level /interface pppoe-server To view the currently connected usersFirst of all, the wireless interface should be configured PPPoE in a multipoint wireless 802.11g networkAdmin@PPPoE-Server interface wireless We should add PPPoE server to the wireless interface Finally, we can set up PPPoE clientsPptp Admin@MT interface pppoe-server serverMy Windows XP client cannot connect to the PPPoE server Configuration on Pptp client router Add the Pptp client Enable the Pptp serverIP Addresses and ARP PPP User AAA EoIP Pptp Client Setup Submenu level /interface pptp-clientPptp Server Setup Command name /interface pptp-client monitorMonitoring Pptp Client Submenu level /interface pptp-server serverTo enable Pptp server Pptp UsersPPTPTunnel Interfaces Submenu level /interface pptp-serverInterface pptp-server add user=ex1 Pptp Application Examples1460 10.0.0.202 6m32s None Pptp-in1 Ex1 Admin@HomeOffice interface pptp-server add user=ex Pptp-in1 Admin@HomeOffice interface pptp-serverAdmin@RemoteOffice interface pptp-client Add a Pptp client to the RemoteOffice routerConnecting a Remote Client via Pptp Tunnel Test the Pptp tunnel connectionConnecting a Remote Client via and Encrypted Pptp Tunnel FromLaptop Admin@RemoteOffice interface pptp-serverIP Security Pptp Setup for WindowsIP Addresses and ARP Firewall and QoS Description Diffie-Hellman Group Modulus Reference Policy SettingsSubmenu level /ip ipsec policy Page Flags X disabled, D dynamic, I inactive PeersTo view the policy statistics, do the following Submenu level /ip ipsec peerSubmenu level /ip ipsec remote-peers Remote Peer StatisticsLocal-addressread-only IP address local Isakmp SA address Submenu level /ip ipsec installed-sa Installed SAsTo see currently estabilished SAs Command name /ip ipsec installed-sa flush Flushing Installed SATableSample printout looks as follows To flush all the SAs installed Tunnel mode example using AH with manual keyingRouterOS Router to RouterOS Router For Router1IPsec Between two Masquerading RouterOS Routers Add accept and masquerading rules in SRC-NATFor Router2 Filter Firewall FilterSubmenu level /ip firewall filter Mangle Packet FlowPage Property Description Page Page Filter Applications Protect your RouterOS routerProtecting the Customers Network Block IP addreses called bogonsMangle Create tcp chain and deny some tcp ports in itDeny udp ports in udp chain Allow only needed icmp codes in icmp chainSubmenu level /ip firewall mangle MangleFilter Packet Flow Page Page Page Peer-to-PeerTraffic Marking Admin@AT-WR4562 /ip firewall mangle add chain=forward \Mark by MAC address Packet Flow Packet FlowChange MSS Mangle FilterPacket Flow Diagram ConnectionTracking Submenu level /ip firewall connectionConnectionTimeouts Submenu level /ip firewall connection trackingService Ports Submenu level /ip firewall service-portGeneral Firewall Information NAT Submenu level /ip firewall nat2 NAT Address-list parameter Page Page NAT Applications Example of Source NAT MasqueradingExample of Destination NAT Example of one to one mappingHot Spot Service HotSpot GatewayHotSpot example network Page Page Question&Answer-Based Setup Command name /ip hotspot setupHs-local Local HS-real Default Admin@AT-WR4562 ip hotspot HotSpot Interface SetupName Interface Submenu level /ip hotspot profile HotSpot Server Profiles0s same as received HotSpot User Profiles HotSpot UsersDescription HotSpot CookiesHTTP-levelWalled Garden To get the list of valid cookiesSubmenu level /ip hotspot walled-garden # User Domain MAC-ADDRESSIP-level Walled Garden One-to-one NAT static address bindingsSubmenu level /ip hotspot walled-garden ip Submenu level /ip hotspot ip-bindingService Port Command DescriptionActive Host List Ftp Admin@AT-WR4562 ip hotspot service-port Customizing HotSpot Firewall SectionTo set the FTP protocol uses both 20 and 21 TCP port Chain=hotspot action=jump jump-target=pre-hotspotPackets from the authorized clients through the hs-authchain Https proxy is listening on the 64875 portReject all packets to the clients with Icmp reject message Chain=hs-input action=jump jump-target=pre-hs-inputCustomizing HotSpot Http Servlet Pages Serving Servlet PagesHref=$link-loginlogin/a Page Hey, your username is john $elif username == dizzy To this line Add the following lineOr alternatively add this line To thisBefore this one Possible Error Messages Name Interface ADDRESS-POOL Profile IDLE-TIMEOUT HotSpot How-tosThen we can use that certificate for hotspot MAC-ADDRESS Address TO-ADDRESS ServerHotSpot User AAA MAC-ADDRESS Address TO-ADDRESS Server IDLE-TIMEOUT10.11.12.3 Hs-local Page Submenu level /ip hotspot user Submenu level /ip hotspot active HotSpot Active UsersServer Name Address Profile Uptime To get the list of active users 10.0.0.144 4m17s 55m43s Admin@AT-WR4562 ip hotspot activeUser Address Uptime Vrrp Vrrp RoutersProperty Description Flags X disabled, a active Virtual IP addressesSimple example of Vrrp fail over Submenu level /ip vrrp addressNow this address should appear in /ip address list Hardware Watchdog Management SystemWatchdogSubmenu level /system watchdog Admin@AT-WR4562 system watchdog Admin@AT-WR4562 system watchdog set auto-send-supout=yes \Automatic-supout yes Auto-send-supout yes General Settings Log ManagementSubmenu level /system logging TopicsActions Log MessagesSubmenu level /system logging action Submenu level /logSnmp Service To view the local logsTo monitor the system log TimemessageTraffic Flow General ConfigurationRelated Documents Admin@AT-WR4562 ip traffic-flow Admin@AT-WR4562 ip traffic-flow targetTraffic-FlowTarget Traffic-Flow ExampleHost Information Network Load Statistics MatrixNetwork load profile by time General Options GraphingTo store information on system drive every hour Interface Graphing Health GraphingSimple Queue Graphing 192.168.0.0/24 Yes Admin@AT-WR4562 tool graphing resource Resource GraphingSubmenu level /tool graphing resource ALLOW-ADDRESS