Manuals / Allied Telesis / Computer Equipment / Network Router

Allied Telesis AT-WR4500 manual RouterOS Router to RouterOS Router, To flush all the SAs installed

Models: AT-WR4500

1 264

Download 264 pages 44.79 Kb

Page 195

AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers	195
RouterOS v3 Configuration and User Guide

Example

To flush all the SAs installed:

[admin@AT-WR4562] ip ipsec installed-sa> flush

[admin@AT-WR4562] ip ipsec installed-sa> print

[admin@AT-WR4562] ip ipsec installed-sa>

8.8.7 Application Examples

RouterOS Router to RouterOS Router

	IP Network
	1.0.0.0/24
[Router1]	[Router2]
1.0.0.1	1.0.0.2

10.2.0.0/24

10.1.0.0/24

Figure 30: transport mode example using ESP with automatic keying

for Router1

[admin@Router1] > ip ipsec policy add sa-src-address=1.0.0.1 sa-dst-address=1.0.0.2 \ \... action=encrypt

[admin@Router1] > ip ipsec peer add address=1.0.0.2 \ \... secret="gvejimezyfopmekun"

for Router2

[admin@Router2] > ip ipsec policy add sa-src-address=1.0.0.2 sa-dst-address=1.0.0.1 \ \... action=encrypt

[admin@Router2] > ip ipsec peer add address=1.0.0.1 \ \... secret="gvejimezyfopmekun"

Transport mode example using ESP with automatic keying and automatic policy generating on Router 1 and static policy on Router 2

for Router1

[admin@Router1] > ip ipsec peer add address=1.0.0.0/24 \ \... secret="gvejimezyfopmekun" generate-policy=yes

for Router2

[admin@Router2] > ip ipsec policy add sa-src-address=1.0.0.2 sa-dst-address=1.0.0.1 \ \... action=encrypt

[admin@Router2] > ip ipsec peer add address=1.0.0.1 \ \... secret="gvejimezyfopmekun"

tunnel mode example using AH with manual keying

Image 195

Allied Telesis AT-WR4500 RouterOS Router to RouterOS Router, To flush all the SAs installed, For Router1, For Router2

Contents

PN 613-000813 Rev. B AT-WR4500 SeriesRouterOS v3 Configuration and User Guide AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless RoutersLimitation of Liability and Damages Contents IP Addresses and ARP Routes, Equal Cost Multipath Routing, Policy Routing121 117118 120166 Hot Spot Service 222163 16412.1.2 General Settings 10.3.7 Command Description10.3.8 Service Port Possible Error MessagesFigures Purpose of This Guide How This Guide is organizedDocument Conventions Sales or Corporate Information Management Software Updates Tell Us What You ThinkAllied Telesis FTP server ftp//ftp.alliedtelesis.com Introduction Features Admin@AT-WR4541g /system license print software-id NCL8-3TTSoftware License Downloading WinBox loader Accessing theWR4500 throughWinBoxUsing WinBox Logging in the AT-WR4500 RouterAccessing the CLI Password can be changed with the /password commandAT-WR4500 Login admin Password Aaaaaaaaaaa Ttttttt Aaaaaaa Aaaaa Tttt Command Action General Information System BackupImport Command Export CommandGeneral Information Configuration ResetSpecifications SoftwareVersion ManagementProperty Description System UpgradeTo upgrade chosen packages Step-by-StepAdding Package Source Submenu level /system upgrade upgrade-package-source192.168.25.8 Admin Software Package ManagementInstallation Upgrade UninstallationCommand name /system package uninstall Name Version Command name /system package downgradeAdmin@AT-WR4562 system package print Flags X disabled DowngradingUnscheduling Suppose we need to test ipv6 package featuresCommand name /system package unschedule Disabling and EnablingName Version Scheduled Admin@AT-WR4562 system package unschedule securityDownloading 16 % To upgrade selected packagesSoftware Package List DownloadPackage name Contents Prerequisites Additional License Package name Contents Prerequisites Additional License Traffic Monitoring General Interface SettingsCommand name /interface monitor-traffic Interface StatusAdditional Resources Ethernet Interface ConfigurationEthernet Interfaces RelatedTopicsARP Command name /interface ethernet monitorMonitoring the Interface Status Type RX-RATE TX-RATE MTUWireless Interfaces TroubleshootingDefault-cable-setting standard standard Quick Setup Guide Ack-timeout Range 5GHz 5GHz-turbo 2.4GHz-GIP Addresses and ARP Log Management 35km 298 Wireless Interface ConfigurationSubmenu level /interface wireless 30km 249AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers Page AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers This example shows how configure a wireless client Signal-to-noise 73dB tx-ccq 79% rx-ccq 46% p-throughput Nstreme SettingsTo see current interface settings Submenu level /interface wireless nstremeSubmenu level /interface wireless nstreme-dual Nstreme2 Group SettingsExample Then add nstreme2 interface with exact-size framing Submenu level /interface wireless registration-tableAdmin@AT-WR4562 interface wireless nstreme-dual RegistrationTableNo -38dBm.. Mbps Admin@AT-WR4562 interface wireless registration-table# Interface RADIO-NAME MAC-ADDRESS Wlan1 000C42185C3DConnect List Access ListSubmenu level /interface wireless connect-list Submenu level /interface wireless access-listSubmenu level /interface wireless info Info commandPage AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers Example Virtual Access Point Interface Submenu level /interface wireless wds WDS Interface ConfigurationAlign Submenu level /interface wireless alignCommand name /interface wireless align monitor Admin@AT-WR4562 interface wireless alignAlign Monitor Frequency Monitor ManualTransmit PowerTableAproximately shows how loaded are the wireless channels Submenu level /interface wireless manual-tx-power-tableAddress Ssid Band Freq SIG RADIO-NAME AB R Command name /interface wireless scan interfacenameNetwork Scan Scan the 5GHz bandSecurity Profiles Submenu level /interface wireless security-profilesPage Sniffer Submenu level /interface wireless snifferSubmenu level /interface wireless sniffer sniff Wireless Sniffer Sniffs packetsSnooper Submenu level /interface wireless snooperFreq SIGNAL@RATE SRC DST Type Sniffer PacketsBand Freq USE Station and AccessPointApplication Examples Snoop 802.11b network54Mbps 10.1.0.1/24 10.1.0.0 10.1.0.255 Admin@AccessPoint ip addressWDS Station Configure the station and add an IP address 10.1.0.2 to itCheck whether you can ping the Access Point from Station On WDS Access PointSet wds-default-bridge to bridge1 Virtual Access Point Test 4ghz-g Virtual-test 4ghz-gNstreme network example NstremeDual Nstreme Monitor the linkSsid nstreme Admin@DualNS-1 interface wireless nstreme-dual Configure DualNS-1Admin@DualNS-2 interface wireless nstreme-dual Now complete the configuration for DualNS-1WEP security example WEP SecurityPage Admin@WEPStation1 interface wireless Configure WEPStation1WPA Security Admin@WEPStationX interface wirelessAdmin@WPAStation interface wireless Test the link between Access point and the clientAdmin@WPAAP interface wireless security-profiles Admin@WPAStation interface wireless security-profilesVlan Interfaces Vlan SetupApplication Example Vlan example on AT-WR4500 RoutersName MTU ARP 10.20.0.0 10.20.0.255 Pc1 10.10.10.0 10.10.10.255 Test Admin@AT-WR4562 ip addressBridge Interfaces 10.0.0.0 10.0.0.255 Ether1IP Addresses and ARP EoIP Bridge Interface SetupInterface bridge add name=MyBridge disabled=no Add ether1 and ether2 to MyBridge interfaceSubmenu level /interface bridge port Port SettingsBridge Port Monitoring Command name /interface bridge monitorCommand name /interface bridge port monitor Bridge MonitoringTo monitor a bridge port Command name /interface bridge hostBridge Host Monitoring Bridge Firewall General DescriptionProperty Description Page Submenu level /interface bridge nat Bridge Packet FilterBridge NAT Submenu level /interface bridge filterSubmenu level /interface bridge broute Bridge Brouting FacilityTroubleshooting Submenu level /ip address Configuring Interfaces Dhcp and DNSIP Addresses and ARP IP Addressing2.1/24 2.0 2.255 Ether2 Address Resolution Protocol10.10.10.0 10.10.10.255 Ether2 Admin@AT-WR4562 ip address Submenu level /ip arpProxy-ARP feature Address MAC-ADDRESSAddress MAC-ADDRESS Interface Proxy ARP Consider the following configuration Router setup is as followsUnnumbered Interfaces RIP Routing Information Protocol General Setup Admin@AT-WR4562 routing rip InterfacesSubmenu level /routing rip interface Submenu level /routing rip network NetworksNeighbors Routes10.0.0.174 10.0.0.255 Ether1 0.0.0 Ether1 Admin@AT-WR4562To view the list of the routes Ether1 1500 Ether2Regular routing table is Admin@AT-WR4562 routing rip set redistribute-connected=yes10.0.0.0/24 Admin@AT-WR4562 routing rip network 0.0.0 Ether1 Admin@AT-WR4562 routing ripAlliedware+ Router Configuration OspfRouting table of the Alliedware+ router is General Setup Admin@AT-WR4562 routing ospf Ospf AreasSubmenu level /routing ospf area Network Area Backbone 0.0 None Local10 10.5 Admin@WiFi routing ospf areaSubmenu level /routing ospf network Name AREA-IDVirtual Links Submenu level /routing ospf interfaceSubmenu level /routing ospf virtual-link NEIGHBOR-ID Virtual link should be configured on both routers10.0.0.201 Admin@AT-WR4562 routing ospf virtual-link Submenu level /routing ospf neighborOspf Backup Ospf backup without using a tunnelName Type RX-RATE Rate MTU AuthenticationDefine new Ospf area named local10 with area-id Add connected networks with area local10 in ospf networkAdd the needed IP addresses Name AREA-ID Stub DEFAULT-COST AuthenticationAdd the same area as in main router Add connected networks with area local10DST-ADDRESS Gateway Distance Interface Admin@OSPFMAIN ip route printAdd connected networks with the same area Connect, S static, r rip, o ospf, b bgpDead-interval=40s Routing tables with Revised Link CostOn OSPFpeer2 Functioning of the BackupRoutes, Equal Cost Multipath Routing, Policy Routing NAT Submenu level /ip route rule Policy RulesStatic Equal Cost Multi-Path Routing example Static Equal Cost Multi-Path routingStandard Policy-Based Routing with Failover Standard Policy-Based Routing with FailoverDST-ADDRESS Prefsrc Gateway 192.168.0.0 192.168.0.255 Local1Packages required dhcp License required Level1 Dhcp Client and ServerFinally, add a Dhcp server Check whether you have obtained a leaseSubmenu level /ip dhcp-client Dhcp Client SetupDhcp Server Setup To add a Dhcp client on ether1 interfaceSubmenu level /ip dhcp-server Property Description Submenu level /ip dhcp-server config Store Leases on DiskName Interface Relay Submenu level /ip dhcp-server lease Dhcp NetworksDhcp Server Leases Submenu level /ip dhcp-server networkCommand Description Submenu level /ip dhcp-server option Dhcp AlertDhcp Option Submenu level /ip dhcp-server alertName Code Value Dhcp RelayUse this option in Dhcp server network list Submenu level /ip dhcp-relayQuestions Command name /ip dhcp-server setupRelay Ether1 10.0.0.1 Admin@AT-WR4562 ip dhcp-relay Questions & Answers# Address Gateway DNS-SERVER WINS-SERVER Dynamic Addressing, using DHCP-RelayIP addresses of DHCP-Server Name Interface Relay ADDRESS-POOL LEASE-TIME ADD-ARPDHCP-1 IP Address assignment, using FreeRADIUS ServerConfigure respective networks Create Dhcp ServersClients.conf file Configure Radius Client on RouterOSSetup Dhcp Server Create an address pool Configure Dhcp networksIP and Routing DNS Client and Cache5Static DNS Entries Cache MonitoringStatic DNS Entries Name Address Command name /ip dns cache flush6Flushing DNS cache Flush clears internal DNS cacheRadius client Radius Client SetupSubmenu level /radius incoming Service CALLED-ID Domain AddressPpp,hotspot 10.0.0.3 Admin@AT-WR4562 radius ConnectionTerminating from RadiusSuggested Radius Servers Supported Radius AttributesXTRadius does not currently support MS-CHAP Page Page Page Name VendorID Value Name VendorID Value RFC where it is defined AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers Submenu level /ppp profile PPP User AAALocal PPP User Profiles L2TP InterfacePage Submenu level /ppp secret Local PPP User DatabaseMonitoring Active PPP Users Command name /ppp active printName Service CALLER-ID Password Profile Name Service CALLER-ID Address Uptime EncodingSubmenu level /ppp aaa To enable Radius AAARouter User AAA PPP User Remote AAARouter User Groups Submenu level /user groupExclamation sign ! just before policy item name means not Only one, it cannot be removed Admin@rb13 user groupAdmin@AT-WR4562 user print Flags X disabled Router UsersRouter User Remote AAA Command name /user active printWhen Name Address Monitoring Active Router UsersGenerating key on a linux machine To enable Radius AAA, enter the following commandSSH keys Submenu level /user ssh-keysEoIP Specific PropertiesIP Addresses and ARP Bridge Interfaces EoIP Setup Name User MTU CLIENT-ADDRESS Uptime ENC Admin@OurGW interface pptp-server server set enable=yesAdmin@Remote interface pptp-client EoIP Application ExampleInterface Bridge Priority PATH-COST Same for the RemoteRelated Documents Quick Setup GuideInterface Bonding General Information SummaryProperty Description 10.1.0.0 10.1.0.255 Isp1 Application ExamplesIsp1 Ether 1500 Isp2 1.1/24 1.0 1.255 Isp2For Office2through ISP2 EoIP tunnel configuration For Office1 through ISP1For Office2 through ISP1 For Office1through ISP2IPIPTunnel Interfaces For Office210.1.0.0 10.1.0.255 Isp1 3.1/24 3.0 3.255 Bonding1 Add an IP address to created ipip1 interface Ipip SetupName MTU LOCAL-ADDRESS Configuration of the R2 is shown belowEnable the L2TP server Configuration on L2TP client router Add a L2TP clientL2TP Interface 2 L2TP Client Setup IP Addresses and ARP AAA Configuration EoIP IP SecuritySubmenu level /interface l2tp-client Command name /interface l2tp-client monitor Monitoring L2TP ClientExample of an established connection Submenu level /interface l2tp-server server 4 L2TP Server SetupTo enable L2TP server 5 L2TP Server UsersENC To add a static entry for ex1 userInterface l2tp-server add user=ex1 Name User MTU CLIENT-ADDRESS Uptime6 L2TP Application Examples Router-to-Router Secure Tunnel ExampleThen the user should be added in the L2TP server list Add a L2TP client to the RemoteOffice router Admin@HomeOffice interface l2tp-server serverConnecting a Remote Client via L2TPTunnel Admin@HomeOffice ppp secret print detail Flags X disabledTest the L2TP tunnel connection Admin@RemoteOffice interface l2tp-server server Server must be enabledAdmin@RemoteOffice ppp secret FromLaptop Admin@RemoteOffice interface l2tp-serverToInternet 1500 L2TP Setup for WindowsAdmin@RemoteOffice interface ethernet PPPoEAdd a user with username mike and password Now add a pppoe serverIp pool add name=pppoe-pool ranges=10.1.1.62-10.1.1.72 Submenu level /interface pppoe-client PPPoE Client SetupTo monitor the pppoe-out1connection PPPoE Server Setup Access ConcentratorCommand name /interface pppoe-client monitor Monitoring PPPoE ClientAdmin@AT-WR4562 interface pppoe-server server To view the currently connected users PPPoE UsersPPPoE Server User Interfaces Submenu level /interface pppoe-serverPPPoE in a multipoint wireless 802.11g network First of all, the wireless interface should be configuredAdmin@PPPoE-Server interface wireless Finally, we can set up PPPoE clients We should add PPPoE server to the wireless interfaceAdmin@MT interface pppoe-server server PptpMy Windows XP client cannot connect to the PPPoE server Enable the Pptp server Configuration on Pptp client router Add the Pptp clientIP Addresses and ARP PPP User AAA EoIP Submenu level /interface pptp-client Pptp Client SetupSubmenu level /interface pptp-server server Pptp Server SetupCommand name /interface pptp-client monitor Monitoring Pptp ClientSubmenu level /interface pptp-server To enable Pptp serverPptp Users PPTPTunnel InterfacesPptp Application Examples Interface pptp-server add user=ex11460 10.0.0.202 6m32s None Pptp-in1 Ex1 Add a Pptp client to the RemoteOffice router Admin@HomeOffice interface pptp-server add user=exPptp-in1 Admin@HomeOffice interface pptp-server Admin@RemoteOffice interface pptp-clientTest the Pptp tunnel connection Connecting a Remote Client via Pptp TunnelFromLaptop Admin@RemoteOffice interface pptp-server Connecting a Remote Client via and Encrypted Pptp TunnelPptp Setup for Windows IP SecurityIP Addresses and ARP Firewall and QoS Description Policy Settings Diffie-Hellman Group Modulus ReferenceSubmenu level /ip ipsec policy Page Submenu level /ip ipsec peer Flags X disabled, D dynamic, I inactivePeers To view the policy statistics, do the followingRemote Peer Statistics Submenu level /ip ipsec remote-peersLocal-addressread-only IP address local Isakmp SA address Installed SAs Submenu level /ip ipsec installed-saTo see currently estabilished SAs Flushing Installed SATable Command name /ip ipsec installed-sa flushSample printout looks as follows For Router1 To flush all the SAs installedTunnel mode example using AH with manual keying RouterOS Router to RouterOS RouterAdd accept and masquerading rules in SRC-NAT IPsec Between two Masquerading RouterOS RoutersFor Router2 Mangle Packet Flow FilterFirewall Filter Submenu level /ip firewall filterPage Property Description Page Page Block IP addreses called bogons Filter ApplicationsProtect your RouterOS router Protecting the Customers NetworkAllow only needed icmp codes in icmp chain MangleCreate tcp chain and deny some tcp ports in it Deny udp ports in udp chainMangle Submenu level /ip firewall mangleFilter Packet Flow Page Page Page Admin@AT-WR4562 /ip firewall mangle add chain=forward \ Peer-to-PeerTraffic MarkingMark by MAC address Mangle Filter Packet FlowPacket Flow Change MSSPacket Flow Diagram Submenu level /ip firewall connection ConnectionTrackingSubmenu level /ip firewall connection tracking ConnectionTimeoutsSubmenu level /ip firewall service-port Service PortsGeneral Firewall Information Submenu level /ip firewall nat NAT2 NAT Address-list parameter Page Page Example of one to one mapping NAT ApplicationsExample of Source NAT Masquerading Example of Destination NATHotSpot Gateway Hot Spot ServiceHotSpot example network Page Page Command name /ip hotspot setup Question&Answer-Based SetupHotSpot Interface Setup Hs-local Local HS-real Default Admin@AT-WR4562 ip hotspotName Interface HotSpot Server Profiles Submenu level /ip hotspot profile0s same as received HotSpot Cookies HotSpot User ProfilesHotSpot Users Description# User Domain MAC-ADDRESS HTTP-levelWalled GardenTo get the list of valid cookies Submenu level /ip hotspot walled-gardenSubmenu level /ip hotspot ip-binding IP-level Walled GardenOne-to-one NAT static address bindings Submenu level /ip hotspot walled-garden ipCommand Description Service PortActive Host List Chain=hotspot action=jump jump-target=pre-hotspot Ftp Admin@AT-WR4562 ip hotspot service-portCustomizing HotSpot Firewall Section To set the FTP protocol uses both 20 and 21 TCP portHttps proxy is listening on the 64875 port Packets from the authorized clients through the hs-authchainChain=hs-input action=jump jump-target=pre-hs-input Reject all packets to the clients with Icmp reject messageServing Servlet Pages Customizing HotSpot Http Servlet PagesHref=$link-loginlogin/a Page Hey, your username is john $elif username == dizzy Add the following line To this lineTo this Or alternatively add this lineBefore this one Possible Error Messages MAC-ADDRESS Address TO-ADDRESS Server Name Interface ADDRESS-POOL Profile IDLE-TIMEOUTHotSpot How-tos Then we can use that certificate for hotspotMAC-ADDRESS Address TO-ADDRESS Server IDLE-TIMEOUT HotSpot User AAA10.11.12.3 Hs-local Page Submenu level /ip hotspot user HotSpot Active Users Submenu level /ip hotspot activeServer Name Address Profile Uptime 10.0.0.144 4m17s 55m43s Admin@AT-WR4562 ip hotspot active To get the list of active usersUser Address Uptime Vrrp Routers VrrpProperty Description Submenu level /ip vrrp address Flags X disabled, a activeVirtual IP addresses Simple example of Vrrp fail overNow this address should appear in /ip address list SystemWatchdog Hardware Watchdog ManagementSubmenu level /system watchdog Admin@AT-WR4562 system watchdog set auto-send-supout=yes \ Admin@AT-WR4562 system watchdogAutomatic-supout yes Auto-send-supout yes Topics General SettingsLog Management Submenu level /system loggingSubmenu level /log ActionsLog Messages Submenu level /system logging actionTimemessage Snmp ServiceTo view the local logs To monitor the system logGeneral Configuration Traffic FlowRelated Documents Traffic-Flow Example Admin@AT-WR4562 ip traffic-flowAdmin@AT-WR4562 ip traffic-flow target Traffic-FlowTargetNetwork Load Statistics Matrix Host InformationNetwork load profile by time Graphing General OptionsTo store information on system drive every hour Health Graphing Interface GraphingSimple Queue Graphing ALLOW-ADDRESS 192.168.0.0/24 Yes Admin@AT-WR4562 tool graphing resourceResource Graphing Submenu level /tool graphing resource