Allied Telesis AT-WR4500 instruction

196	AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers
	RouterOS v3 Configuration and User Guide

for Router1

[admin@Router1] > ip ipsec manual-sa add name=ah-sa1 \ \... ah-spi=0x101/0x100 ah-key=abcfed

[admin@Router1] > ip ipsec policy add src-address=10.1.0.0/24 \ \... dst-address=10.2.0.0/24 action=encrypt ipsec-protocols=ah \ \... tunnel=yes sa-src=1.0.0.1 sa-dst=1.0.0.2 manual-sa=ah-sa1

for Router2

[admin@Router2] > ip ipsec manual-sa add name=ah-sa1 \ \... ah-spi=0x100/0x101 ah-key=abcfed

[admin@Router2] > ip ipsec policy add src-address=10.2.0.0/24 \ \... dst-address=10.1.0.0/24 action=encrypt ipsec-protocols=ah \ \... tunnel=yes sa-src=1.0.0.2 sa-dst=1.0.0.1 manual-sa=ah-sa1

IPsec Between two Masquerading RouterOS Routers

	IP Network
	1.0.0.0/24
[Router1]	[Router2]
1.0.0.1	1.0.0.2

10.2.0.0/24

10.1.0.0/24

Figure 31: Add accept and masquerading rules in SRC-NAT

for Router1

[admin@Router1] > ip firewall nat add chain=srcnat src-address=10.1.0.0/24 \ \... dst-address=10.2.0.0/24

[admin@Router1] > ip firewall nat add chain=srcnat out-interface=public \ \... action=masquerade

for Router2

[admin@Router2] > ip firewall nat chain=srcnat add src-address=10.2.0.0/24 \ \... dst-address=10.1.0.0/24

[admin@Router2] > ip firewall nat chain=srcnat add out-interface=public \ \... action=masquerade

Image 196

Allied Telesis AT-WR4500 IPsec Between two Masquerading RouterOS Routers, Add accept and masquerading rules in SRC-NAT

Contents

AT-WR4500 Series PN 613-000813 Rev. B AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers RouterOS v3 Configuration and User Guide Limitation of Liability and Damages Contents Routes, Equal Cost Multipath Routing, Policy Routing IP Addresses and ARP 117 118120 121 Hot Spot Service 222 163164 166 10.3.7 Command Description 10.3.8 Service PortPossible Error Messages 12.1.2 General Settings Figures How This Guide is organized Purpose of This GuideDocument Conventions Tell Us What You Think Sales or Corporate Information Management Software UpdatesAllied Telesis FTP server ftp//ftp.alliedtelesis.com Introduction Admin@AT-WR4541g /system license print software-id NCL8-3TT FeaturesSoftware License Accessing theWR4500 throughWinBox Using WinBoxLogging in the AT-WR4500 Router Downloading WinBox loader Password can be changed with the /password command Accessing the CLIAT-WR4500 Login admin Password Aaaaaaaaaaa Ttttttt Aaaaaaa Aaaaa Tttt Command Action System Backup General Information Export Command Import Command Configuration Reset SpecificationsSoftwareVersion Management General Information System Upgrade To upgrade chosen packagesStep-by-Step Property Description Submenu level /system upgrade upgrade-package-source 192.168.25.8 AdminSoftware Package Management Adding Package Source Uninstallation Installation UpgradeCommand name /system package uninstall Command name /system package downgrade Admin@AT-WR4562 system package print Flags X disabledDowngrading Name Version Suppose we need to test ipv6 package features Command name /system package unscheduleDisabling and Enabling Unscheduling Admin@AT-WR4562 system package unschedule security Name Version Scheduled To upgrade selected packages Software Package ListDownload Downloading 16 % Package name Contents Prerequisites Additional License Package name Contents Prerequisites Additional License General Interface Settings Command name /interface monitor-trafficInterface Status Traffic Monitoring Ethernet Interface Configuration Ethernet InterfacesRelatedTopics Additional Resources Command name /interface ethernet monitor Monitoring the Interface StatusType RX-RATE TX-RATE MTU ARP Troubleshooting Wireless InterfacesDefault-cable-setting standard standard Ack-timeout Range 5GHz 5GHz-turbo 2.4GHz-G Quick Setup GuideIP Addresses and ARP Log Management Wireless Interface Configuration Submenu level /interface wireless30km 249 35km 298 AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers Page AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers This example shows how configure a wireless client Nstreme Settings To see current interface settingsSubmenu level /interface wireless nstreme Signal-to-noise 73dB tx-ccq 79% rx-ccq 46% p-throughput Nstreme2 Group Settings Submenu level /interface wireless nstreme-dual Example Submenu level /interface wireless registration-table Admin@AT-WR4562 interface wireless nstreme-dualRegistrationTable Then add nstreme2 interface with exact-size framing Admin@AT-WR4562 interface wireless registration-table # Interface RADIO-NAME MAC-ADDRESSWlan1 000C42185C3D No -38dBm.. Mbps Access List Submenu level /interface wireless connect-listSubmenu level /interface wireless access-list Connect List Info command Submenu level /interface wireless infoPage AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers Example Virtual Access Point Interface WDS Interface Configuration Submenu level /interface wireless wds Submenu level /interface wireless align Align Admin@AT-WR4562 interface wireless align Command name /interface wireless align monitorAlign Monitor ManualTransmit PowerTable Aproximately shows how loaded are the wireless channelsSubmenu level /interface wireless manual-tx-power-table Frequency Monitor Command name /interface wireless scan interfacename Network ScanScan the 5GHz band Address Ssid Band Freq SIG RADIO-NAME AB R Submenu level /interface wireless security-profiles Security ProfilesPage Submenu level /interface wireless sniffer Submenu level /interface wireless sniffer sniffWireless Sniffer Sniffs packets Sniffer Submenu level /interface wireless snooper Freq SIGNAL@RATE SRC DST TypeSniffer Packets Snooper Station and AccessPoint Application ExamplesSnoop 802.11b network Band Freq USE 10.1.0.1/24 10.1.0.0 10.1.0.255 Admin@AccessPoint ip address 54Mbps Configure the station and add an IP address 10.1.0.2 to it Check whether you can ping the Access Point from StationOn WDS Access Point WDS Station Set wds-default-bridge to bridge1 Virtual Access Point Virtual-test 4ghz-g Test 4ghz-g Nstreme Nstreme network example Monitor the link Dual NstremeSsid nstreme Configure DualNS-1 Admin@DualNS-1 interface wireless nstreme-dual Now complete the configuration for DualNS-1 Admin@DualNS-2 interface wireless nstreme-dual WEP Security WEP security examplePage Configure WEPStation1 Admin@WEPStation1 interface wireless Admin@WEPStationX interface wireless WPA Security Test the link between Access point and the client Admin@WPAAP interface wireless security-profilesAdmin@WPAStation interface wireless security-profiles Admin@WPAStation interface wireless Vlan Setup Vlan Interfaces Vlan example on AT-WR4500 Routers Application ExampleName MTU ARP 10.10.10.0 10.10.10.255 Test Admin@AT-WR4562 ip address Bridge Interfaces10.0.0.0 10.0.0.255 Ether1 10.20.0.0 10.20.0.255 Pc1 Bridge Interface Setup Interface bridge add name=MyBridge disabled=noAdd ether1 and ether2 to MyBridge interface IP Addresses and ARP EoIP Port Settings Submenu level /interface bridge port Command name /interface bridge monitor Command name /interface bridge port monitorBridge Monitoring Bridge Port Monitoring Command name /interface bridge host Bridge Host MonitoringBridge Firewall General Description To monitor a bridge port Property Description Page Bridge Packet Filter Bridge NATSubmenu level /interface bridge filter Submenu level /interface bridge nat Bridge Brouting Facility Submenu level /interface bridge broute Troubleshooting Configuring Interfaces Dhcp and DNS IP Addresses and ARPIP Addressing Submenu level /ip address Address Resolution Protocol 10.10.10.0 10.10.10.255 Ether2 Admin@AT-WR4562 ip addressSubmenu level /ip arp 2.1/24 2.0 2.255 Ether2 Address MAC-ADDRESS Proxy-ARP featureAddress MAC-ADDRESS Interface Proxy ARP Router setup is as follows Consider the following configurationUnnumbered Interfaces RIP Routing Information Protocol General Setup Interfaces Admin@AT-WR4562 routing ripSubmenu level /routing rip interface Networks NeighborsRoutes Submenu level /routing rip network 0.0.0 Ether1 Admin@AT-WR4562 To view the list of the routesEther1 1500 Ether2 10.0.0.174 10.0.0.255 Ether1 Admin@AT-WR4562 routing rip set redistribute-connected=yes 10.0.0.0/24 Admin@AT-WR4562 routing rip network0.0.0 Ether1 Admin@AT-WR4562 routing rip Regular routing table is Ospf Alliedware+ Router ConfigurationRouting table of the Alliedware+ router is General Setup Ospf Areas Admin@AT-WR4562 routing ospfSubmenu level /routing ospf area Backbone 0.0 None Local10 10.5 Admin@WiFi routing ospf area Submenu level /routing ospf networkName AREA-ID Network Area Submenu level /routing ospf interface Virtual LinksSubmenu level /routing ospf virtual-link Virtual link should be configured on both routers 10.0.0.201 Admin@AT-WR4562 routing ospf virtual-linkSubmenu level /routing ospf neighbor NEIGHBOR-ID Ospf backup without using a tunnel Ospf Backup Authentication Define new Ospf area named local10 with area-idAdd connected networks with area local10 in ospf network Name Type RX-RATE Rate MTU Name AREA-ID Stub DEFAULT-COST Authentication Add the same area as in main routerAdd connected networks with area local10 Add the needed IP addresses Admin@OSPFMAIN ip route print Add connected networks with the same areaConnect, S static, r rip, o ospf, b bgp DST-ADDRESS Gateway Distance Interface Routing tables with Revised Link Cost Dead-interval=40s Functioning of the Backup On OSPFpeer2 Routes, Equal Cost Multipath Routing, Policy Routing NAT Policy Rules Submenu level /ip route rule Static Equal Cost Multi-Path routing Static Equal Cost Multi-Path Routing example Standard Policy-Based Routing with Failover Standard Policy-Based Routing with Failover 192.168.0.0 192.168.0.255 Local1 DST-ADDRESS Prefsrc Gateway Dhcp Client and Server Finally, add a Dhcp serverCheck whether you have obtained a lease Packages required dhcp License required Level1 Dhcp Client Setup Submenu level /ip dhcp-client To add a Dhcp client on ether1 interface Dhcp Server SetupSubmenu level /ip dhcp-server Property Description Store Leases on Disk Submenu level /ip dhcp-server configName Interface Relay Dhcp Networks Dhcp Server LeasesSubmenu level /ip dhcp-server network Submenu level /ip dhcp-server lease Command Description Dhcp Alert Dhcp OptionSubmenu level /ip dhcp-server alert Submenu level /ip dhcp-server option Dhcp Relay Use this option in Dhcp server network listSubmenu level /ip dhcp-relay Name Code Value Command name /ip dhcp-server setup Relay Ether1 10.0.0.1 Admin@AT-WR4562 ip dhcp-relayQuestions & Answers Questions Dynamic Addressing, using DHCP-Relay IP addresses of DHCP-ServerName Interface Relay ADDRESS-POOL LEASE-TIME ADD-ARP # Address Gateway DNS-SERVER WINS-SERVER IP Address assignment, using FreeRADIUS Server Configure respective networksCreate Dhcp Servers DHCP-1 Configure Radius Client on RouterOS Setup Dhcp Server Create an address poolConfigure Dhcp networks Clients.conf file DNS Client and Cache IP and Routing Cache Monitoring 5Static DNS EntriesStatic DNS Entries Command name /ip dns cache flush 6Flushing DNS cacheFlush clears internal DNS cache Name Address Radius Client Setup Radius client Service CALLED-ID Domain Address Ppp,hotspot 10.0.0.3 Admin@AT-WR4562 radiusConnectionTerminating from Radius Submenu level /radius incoming Supported Radius Attributes Suggested Radius ServersXTRadius does not currently support MS-CHAP Page Page Page Name VendorID Value Name VendorID Value RFC where it is defined AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers PPP User AAA Local PPP User ProfilesL2TP Interface Submenu level /ppp profilePage Local PPP User Database Submenu level /ppp secret Command name /ppp active print Name Service CALLER-ID Password ProfileName Service CALLER-ID Address Uptime Encoding Monitoring Active PPP Users To enable Radius AAA Router User AAAPPP User Remote AAA Submenu level /ppp aaa Submenu level /user group Router User GroupsExclamation sign ! just before policy item name means not Admin@rb13 user group Admin@AT-WR4562 user print Flags X disabledRouter Users Only one, it cannot be removed Command name /user active print When Name AddressMonitoring Active Router Users Router User Remote AAA To enable Radius AAA, enter the following command SSH keysSubmenu level /user ssh-keys Generating key on a linux machine Specific Properties EoIPIP Addresses and ARP Bridge Interfaces EoIP Setup Admin@OurGW interface pptp-server server set enable=yes Admin@Remote interface pptp-clientEoIP Application Example Name User MTU CLIENT-ADDRESS Uptime ENC Same for the Remote Interface Bridge Priority PATH-COST Quick Setup Guide Interface Bonding General InformationSummary Related Documents Property Description Application Examples Isp1 Ether 1500 Isp21.1/24 1.0 1.255 Isp2 10.1.0.0 10.1.0.255 Isp1 EoIP tunnel configuration For Office1 through ISP1 For Office2 through ISP1For Office1through ISP2 For Office2through ISP2 For Office2 IPIPTunnel Interfaces10.1.0.0 10.1.0.255 Isp1 3.1/24 3.0 3.255 Bonding1 Ipip Setup Add an IP address to created ipip1 interface Configuration of the R2 is shown below Name MTU LOCAL-ADDRESS Configuration on L2TP client router Add a L2TP client Enable the L2TP serverL2TP Interface IP Addresses and ARP AAA Configuration EoIP IP Security 2 L2TP Client SetupSubmenu level /interface l2tp-client Monitoring L2TP Client Command name /interface l2tp-client monitorExample of an established connection 4 L2TP Server Setup To enable L2TP server5 L2TP Server Users Submenu level /interface l2tp-server server To add a static entry for ex1 user Interface l2tp-server add user=ex1Name User MTU CLIENT-ADDRESS Uptime ENC Router-to-Router Secure Tunnel Example 6 L2TP Application ExamplesThen the user should be added in the L2TP server list Admin@HomeOffice interface l2tp-server server Add a L2TP client to the RemoteOffice router Admin@HomeOffice ppp secret print detail Flags X disabled Connecting a Remote Client via L2TPTunnelTest the L2TP tunnel connection Server must be enabled Admin@RemoteOffice ppp secretFromLaptop Admin@RemoteOffice interface l2tp-server Admin@RemoteOffice interface l2tp-server server L2TP Setup for Windows Admin@RemoteOffice interface ethernetPPPoE ToInternet 1500 Now add a pppoe server Add a user with username mike and passwordIp pool add name=pppoe-pool ranges=10.1.1.62-10.1.1.72 PPPoE Client Setup Submenu level /interface pppoe-client PPPoE Server Setup Access Concentrator Command name /interface pppoe-client monitorMonitoring PPPoE Client To monitor the pppoe-out1connection Admin@AT-WR4562 interface pppoe-server server PPPoE Users PPPoE Server User InterfacesSubmenu level /interface pppoe-server To view the currently connected users First of all, the wireless interface should be configured PPPoE in a multipoint wireless 802.11g networkAdmin@PPPoE-Server interface wireless We should add PPPoE server to the wireless interface Finally, we can set up PPPoE clients Pptp Admin@MT interface pppoe-server serverMy Windows XP client cannot connect to the PPPoE server Configuration on Pptp client router Add the Pptp client Enable the Pptp serverIP Addresses and ARP PPP User AAA EoIP Pptp Client Setup Submenu level /interface pptp-client Pptp Server Setup Command name /interface pptp-client monitorMonitoring Pptp Client Submenu level /interface pptp-server server To enable Pptp server Pptp UsersPPTPTunnel Interfaces Submenu level /interface pptp-server Interface pptp-server add user=ex1 Pptp Application Examples1460 10.0.0.202 6m32s None Pptp-in1 Ex1 Admin@HomeOffice interface pptp-server add user=ex Pptp-in1 Admin@HomeOffice interface pptp-serverAdmin@RemoteOffice interface pptp-client Add a Pptp client to the RemoteOffice router Connecting a Remote Client via Pptp Tunnel Test the Pptp tunnel connection Connecting a Remote Client via and Encrypted Pptp Tunnel FromLaptop Admin@RemoteOffice interface pptp-server IP Security Pptp Setup for WindowsIP Addresses and ARP Firewall and QoS Description Diffie-Hellman Group Modulus Reference Policy SettingsSubmenu level /ip ipsec policy Page Flags X disabled, D dynamic, I inactive PeersTo view the policy statistics, do the following Submenu level /ip ipsec peer Submenu level /ip ipsec remote-peers Remote Peer StatisticsLocal-addressread-only IP address local Isakmp SA address Submenu level /ip ipsec installed-sa Installed SAsTo see currently estabilished SAs Command name /ip ipsec installed-sa flush Flushing Installed SATableSample printout looks as follows To flush all the SAs installed Tunnel mode example using AH with manual keyingRouterOS Router to RouterOS Router For Router1 IPsec Between two Masquerading RouterOS Routers Add accept and masquerading rules in SRC-NAT For Router2 Filter Firewall FilterSubmenu level /ip firewall filter Mangle Packet FlowPage Property Description Page Page Filter Applications Protect your RouterOS routerProtecting the Customers Network Block IP addreses called bogons Mangle Create tcp chain and deny some tcp ports in itDeny udp ports in udp chain Allow only needed icmp codes in icmp chain Submenu level /ip firewall mangle MangleFilter Packet Flow Page Page Page Peer-to-PeerTraffic Marking Admin@AT-WR4562 /ip firewall mangle add chain=forward \Mark by MAC address Packet Flow Packet FlowChange MSS Mangle Filter Packet Flow Diagram ConnectionTracking Submenu level /ip firewall connection ConnectionTimeouts Submenu level /ip firewall connection tracking Service Ports Submenu level /ip firewall service-port General Firewall Information NAT Submenu level /ip firewall nat 2 NAT Address-list parameter Page Page NAT Applications Example of Source NAT MasqueradingExample of Destination NAT Example of one to one mapping Hot Spot Service HotSpot Gateway HotSpot example network Page Page Question&Answer-Based Setup Command name /ip hotspot setup Hs-local Local HS-real Default Admin@AT-WR4562 ip hotspot HotSpot Interface SetupName Interface Submenu level /ip hotspot profile HotSpot Server Profiles0s same as received HotSpot User Profiles HotSpot UsersDescription HotSpot Cookies HTTP-levelWalled Garden To get the list of valid cookiesSubmenu level /ip hotspot walled-garden # User Domain MAC-ADDRESS IP-level Walled Garden One-to-one NAT static address bindingsSubmenu level /ip hotspot walled-garden ip Submenu level /ip hotspot ip-binding Service Port Command DescriptionActive Host List Ftp Admin@AT-WR4562 ip hotspot service-port Customizing HotSpot Firewall SectionTo set the FTP protocol uses both 20 and 21 TCP port Chain=hotspot action=jump jump-target=pre-hotspot Packets from the authorized clients through the hs-authchain Https proxy is listening on the 64875 port Reject all packets to the clients with Icmp reject message Chain=hs-input action=jump jump-target=pre-hs-input Customizing HotSpot Http Servlet Pages Serving Servlet Pages Href=$link-loginlogin/a Page Hey, your username is john $elif username == dizzy To this line Add the following line Or alternatively add this line To thisBefore this one Possible Error Messages Name Interface ADDRESS-POOL Profile IDLE-TIMEOUT HotSpot How-tosThen we can use that certificate for hotspot MAC-ADDRESS Address TO-ADDRESS Server HotSpot User AAA MAC-ADDRESS Address TO-ADDRESS Server IDLE-TIMEOUT10.11.12.3 Hs-local Page Submenu level /ip hotspot user Submenu level /ip hotspot active HotSpot Active UsersServer Name Address Profile Uptime To get the list of active users 10.0.0.144 4m17s 55m43s Admin@AT-WR4562 ip hotspot activeUser Address Uptime Vrrp Vrrp Routers Property Description Flags X disabled, a active Virtual IP addressesSimple example of Vrrp fail over Submenu level /ip vrrp address Now this address should appear in /ip address list Hardware Watchdog Management SystemWatchdogSubmenu level /system watchdog Admin@AT-WR4562 system watchdog Admin@AT-WR4562 system watchdog set auto-send-supout=yes \Automatic-supout yes Auto-send-supout yes General Settings Log ManagementSubmenu level /system logging Topics Actions Log MessagesSubmenu level /system logging action Submenu level /log Snmp Service To view the local logsTo monitor the system log Timemessage Traffic Flow General ConfigurationRelated Documents Admin@AT-WR4562 ip traffic-flow Admin@AT-WR4562 ip traffic-flow targetTraffic-FlowTarget Traffic-Flow Example Host Information Network Load Statistics Matrix Network load profile by time General Options GraphingTo store information on system drive every hour Interface Graphing Health GraphingSimple Queue Graphing 192.168.0.0/24 Yes Admin@AT-WR4562 tool graphing resource Resource GraphingSubmenu level /tool graphing resource ALLOW-ADDRESS