AT-WR4500 Series
PN 613-000813 Rev. B
AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers
RouterOS v3 Configuration and User Guide
Limitation of Liability and Damages
Contents
Routes, Equal Cost Multipath Routing, Policy Routing
IP Addresses and ARP
120
117
118
121
164
Hot Spot Service 222
163
166
Possible Error Messages
10.3.7 Command Description
10.3.8 Service Port
12.1.2 General Settings
Figures
Purpose of This Guide
How This Guide is organized
Document Conventions
Sales or Corporate Information Management Software Updates
Tell Us What You Think
Allied Telesis FTP server ftp//ftp.alliedtelesis.com
Introduction
Features
Admin@AT-WR4541g /system license print software-id NCL8-3TT
Software License
Logging in the AT-WR4500 Router
Accessing theWR4500 throughWinBox
Using WinBox
Downloading WinBox loader
Accessing the CLI
Password can be changed with the /password command
AT-WR4500 Login admin Password
Aaaaaaaaaaa Ttttttt Aaaaaaa Aaaaa Tttt
Command Action
System Backup
General Information
Export Command
Import Command
SoftwareVersion Management
Configuration Reset
Specifications
General Information
Step-by-Step
System Upgrade
To upgrade chosen packages
Property Description
Software Package Management
Submenu level /system upgrade upgrade-package-source
192.168.25.8 Admin
Adding Package Source
Installation Upgrade
Uninstallation
Command name /system package uninstall
Downgrading
Command name /system package downgrade
Admin@AT-WR4562 system package print Flags X disabled
Name Version
Disabling and Enabling
Suppose we need to test ipv6 package features
Command name /system package unschedule
Unscheduling
Admin@AT-WR4562 system package unschedule security
Name Version Scheduled
Download
To upgrade selected packages
Software Package List
Downloading 16 %
Package name Contents Prerequisites Additional License
Package name Contents Prerequisites Additional License
Interface Status
General Interface Settings
Command name /interface monitor-traffic
Traffic Monitoring
RelatedTopics
Ethernet Interface Configuration
Ethernet Interfaces
Additional Resources
Type RX-RATE TX-RATE MTU
Command name /interface ethernet monitor
Monitoring the Interface Status
ARP
Wireless Interfaces
Troubleshooting
Default-cable-setting standard standard
Quick Setup Guide
Ack-timeout Range 5GHz 5GHz-turbo 2.4GHz-G
IP Addresses and ARP Log Management
30km 249
Wireless Interface Configuration
Submenu level /interface wireless
35km 298
AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers
Page
AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers
This example shows how configure a wireless client
Submenu level /interface wireless nstreme
Nstreme Settings
To see current interface settings
Signal-to-noise 73dB tx-ccq 79% rx-ccq 46% p-throughput
Nstreme2 Group Settings
Submenu level /interface wireless nstreme-dual
Example
RegistrationTable
Submenu level /interface wireless registration-table
Admin@AT-WR4562 interface wireless nstreme-dual
Then add nstreme2 interface with exact-size framing
Wlan1 000C42185C3D
Admin@AT-WR4562 interface wireless registration-table
# Interface RADIO-NAME MAC-ADDRESS
No -38dBm.. Mbps
Submenu level /interface wireless access-list
Access List
Submenu level /interface wireless connect-list
Connect List
Info command
Submenu level /interface wireless info
Page
AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers
Example
Virtual Access Point Interface
WDS Interface Configuration
Submenu level /interface wireless wds
Submenu level /interface wireless align
Align
Command name /interface wireless align monitor
Admin@AT-WR4562 interface wireless align
Align Monitor
Submenu level /interface wireless manual-tx-power-table
ManualTransmit PowerTable
Aproximately shows how loaded are the wireless channels
Frequency Monitor
Scan the 5GHz band
Command name /interface wireless scan interfacename
Network Scan
Address Ssid Band Freq SIG RADIO-NAME AB R
Submenu level /interface wireless security-profiles
Security Profiles
Page
Wireless Sniffer Sniffs packets
Submenu level /interface wireless sniffer
Submenu level /interface wireless sniffer sniff
Sniffer
Sniffer Packets
Submenu level /interface wireless snooper
Freq SIGNAL@RATE SRC DST Type
Snooper
Snoop 802.11b network
Station and AccessPoint
Application Examples
Band Freq USE
10.1.0.1/24 10.1.0.0 10.1.0.255 Admin@AccessPoint ip address
54Mbps
On WDS Access Point
Configure the station and add an IP address 10.1.0.2 to it
Check whether you can ping the Access Point from Station
WDS Station
Set wds-default-bridge to bridge1
Virtual Access Point
Virtual-test 4ghz-g
Test 4ghz-g
Nstreme
Nstreme network example
Dual Nstreme
Monitor the link
Ssid nstreme
Configure DualNS-1
Admin@DualNS-1 interface wireless nstreme-dual
Now complete the configuration for DualNS-1
Admin@DualNS-2 interface wireless nstreme-dual
WEP Security
WEP security example
Page
Configure WEPStation1
Admin@WEPStation1 interface wireless
Admin@WEPStationX interface wireless
WPA Security
Admin@WPAStation interface wireless security-profiles
Test the link between Access point and the client
Admin@WPAAP interface wireless security-profiles
Admin@WPAStation interface wireless
Vlan Setup
Vlan Interfaces
Application Example
Vlan example on AT-WR4500 Routers
Name MTU ARP
10.0.0.0 10.0.0.255 Ether1
10.10.10.0 10.10.10.255 Test Admin@AT-WR4562 ip address
Bridge Interfaces
10.20.0.0 10.20.0.255 Pc1
Add ether1 and ether2 to MyBridge interface
Bridge Interface Setup
Interface bridge add name=MyBridge disabled=no
IP Addresses and ARP EoIP
Port Settings
Submenu level /interface bridge port
Bridge Monitoring
Command name /interface bridge monitor
Command name /interface bridge port monitor
Bridge Port Monitoring
Bridge Firewall General Description
Command name /interface bridge host
Bridge Host Monitoring
To monitor a bridge port
Property Description
Page
Submenu level /interface bridge filter
Bridge Packet Filter
Bridge NAT
Submenu level /interface bridge nat
Bridge Brouting Facility
Submenu level /interface bridge broute
Troubleshooting
IP Addressing
Configuring Interfaces Dhcp and DNS
IP Addresses and ARP
Submenu level /ip address
Submenu level /ip arp
Address Resolution Protocol
10.10.10.0 10.10.10.255 Ether2 Admin@AT-WR4562 ip address
2.1/24 2.0 2.255 Ether2
Proxy-ARP feature
Address MAC-ADDRESS
Address MAC-ADDRESS Interface
Proxy ARP
Consider the following configuration
Router setup is as follows
Unnumbered Interfaces
RIP Routing Information Protocol
General Setup
Admin@AT-WR4562 routing rip
Interfaces
Submenu level /routing rip interface
Routes
Networks
Neighbors
Submenu level /routing rip network
Ether1 1500 Ether2
0.0.0 Ether1 Admin@AT-WR4562
To view the list of the routes
10.0.0.174 10.0.0.255 Ether1
0.0.0 Ether1 Admin@AT-WR4562 routing rip
Admin@AT-WR4562 routing rip set redistribute-connected=yes
10.0.0.0/24 Admin@AT-WR4562 routing rip network
Regular routing table is
Alliedware+ Router Configuration
Ospf
Routing table of the Alliedware+ router is
General Setup
Admin@AT-WR4562 routing ospf
Ospf Areas
Submenu level /routing ospf area
Name AREA-ID
Backbone 0.0 None Local10 10.5 Admin@WiFi routing ospf area
Submenu level /routing ospf network
Network Area
Virtual Links
Submenu level /routing ospf interface
Submenu level /routing ospf virtual-link
Submenu level /routing ospf neighbor
Virtual link should be configured on both routers
10.0.0.201 Admin@AT-WR4562 routing ospf virtual-link
NEIGHBOR-ID
Ospf backup without using a tunnel
Ospf Backup
Add connected networks with area local10 in ospf network
Authentication
Define new Ospf area named local10 with area-id
Name Type RX-RATE Rate MTU
Add connected networks with area local10
Name AREA-ID Stub DEFAULT-COST Authentication
Add the same area as in main router
Add the needed IP addresses
Connect, S static, r rip, o ospf, b bgp
Admin@OSPFMAIN ip route print
Add connected networks with the same area
DST-ADDRESS Gateway Distance Interface
Routing tables with Revised Link Cost
Dead-interval=40s
Functioning of the Backup
On OSPFpeer2
Routes, Equal Cost Multipath Routing, Policy Routing
NAT
Policy Rules
Submenu level /ip route rule
Static Equal Cost Multi-Path routing
Static Equal Cost Multi-Path Routing example
Standard Policy-Based Routing with Failover
Standard Policy-Based Routing with Failover
192.168.0.0 192.168.0.255 Local1
DST-ADDRESS Prefsrc Gateway
Check whether you have obtained a lease
Dhcp Client and Server
Finally, add a Dhcp server
Packages required dhcp License required Level1
Dhcp Client Setup
Submenu level /ip dhcp-client
Dhcp Server Setup
To add a Dhcp client on ether1 interface
Submenu level /ip dhcp-server
Property Description
Submenu level /ip dhcp-server config
Store Leases on Disk
Name Interface Relay
Submenu level /ip dhcp-server network
Dhcp Networks
Dhcp Server Leases
Submenu level /ip dhcp-server lease
Command Description
Submenu level /ip dhcp-server alert
Dhcp Alert
Dhcp Option
Submenu level /ip dhcp-server option
Submenu level /ip dhcp-relay
Dhcp Relay
Use this option in Dhcp server network list
Name Code Value
Questions & Answers
Command name /ip dhcp-server setup
Relay Ether1 10.0.0.1 Admin@AT-WR4562 ip dhcp-relay
Questions
Name Interface Relay ADDRESS-POOL LEASE-TIME ADD-ARP
Dynamic Addressing, using DHCP-Relay
IP addresses of DHCP-Server
# Address Gateway DNS-SERVER WINS-SERVER
Create Dhcp Servers
IP Address assignment, using FreeRADIUS Server
Configure respective networks
DHCP-1
Configure Dhcp networks
Configure Radius Client on RouterOS
Setup Dhcp Server Create an address pool
Clients.conf file
DNS Client and Cache
IP and Routing
5Static DNS Entries
Cache Monitoring
Static DNS Entries
Flush clears internal DNS cache
Command name /ip dns cache flush
6Flushing DNS cache
Name Address
Radius Client Setup
Radius client
ConnectionTerminating from Radius
Service CALLED-ID Domain Address
Ppp,hotspot 10.0.0.3 Admin@AT-WR4562 radius
Submenu level /radius incoming
Suggested Radius Servers
Supported Radius Attributes
XTRadius does not currently support MS-CHAP
Page
Page
Page
Name VendorID Value
Name VendorID Value RFC where it is defined
AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers
L2TP Interface
PPP User AAA
Local PPP User Profiles
Submenu level /ppp profile
Page
Local PPP User Database
Submenu level /ppp secret
Name Service CALLER-ID Address Uptime Encoding
Command name /ppp active print
Name Service CALLER-ID Password Profile
Monitoring Active PPP Users
PPP User Remote AAA
To enable Radius AAA
Router User AAA
Submenu level /ppp aaa
Router User Groups
Submenu level /user group
Exclamation sign ! just before policy item name means not
Router Users
Admin@rb13 user group
Admin@AT-WR4562 user print Flags X disabled
Only one, it cannot be removed
Monitoring Active Router Users
Command name /user active print
When Name Address
Router User Remote AAA
Submenu level /user ssh-keys
To enable Radius AAA, enter the following command
SSH keys
Generating key on a linux machine
EoIP
Specific Properties
IP Addresses and ARP Bridge Interfaces
EoIP Setup
EoIP Application Example
Admin@OurGW interface pptp-server server set enable=yes
Admin@Remote interface pptp-client
Name User MTU CLIENT-ADDRESS Uptime ENC
Same for the Remote
Interface Bridge Priority PATH-COST
Summary
Quick Setup Guide
Interface Bonding General Information
Related Documents
Property Description
1.1/24 1.0 1.255 Isp2
Application Examples
Isp1 Ether 1500 Isp2
10.1.0.0 10.1.0.255 Isp1
For Office1through ISP2
EoIP tunnel configuration For Office1 through ISP1
For Office2 through ISP1
For Office2through ISP2
IPIPTunnel Interfaces
For Office2
10.1.0.0 10.1.0.255 Isp1 3.1/24 3.0 3.255 Bonding1
Ipip Setup
Add an IP address to created ipip1 interface
Configuration of the R2 is shown below
Name MTU LOCAL-ADDRESS
Enable the L2TP server
Configuration on L2TP client router Add a L2TP client
L2TP Interface
2 L2TP Client Setup
IP Addresses and ARP AAA Configuration EoIP IP Security
Submenu level /interface l2tp-client
Command name /interface l2tp-client monitor
Monitoring L2TP Client
Example of an established connection
5 L2TP Server Users
4 L2TP Server Setup
To enable L2TP server
Submenu level /interface l2tp-server server
Name User MTU CLIENT-ADDRESS Uptime
To add a static entry for ex1 user
Interface l2tp-server add user=ex1
ENC
6 L2TP Application Examples
Router-to-Router Secure Tunnel Example
Then the user should be added in the L2TP server list
Admin@HomeOffice interface l2tp-server server
Add a L2TP client to the RemoteOffice router
Connecting a Remote Client via L2TPTunnel
Admin@HomeOffice ppp secret print detail Flags X disabled
Test the L2TP tunnel connection
FromLaptop Admin@RemoteOffice interface l2tp-server
Server must be enabled
Admin@RemoteOffice ppp secret
Admin@RemoteOffice interface l2tp-server server
PPPoE
L2TP Setup for Windows
Admin@RemoteOffice interface ethernet
ToInternet 1500
Add a user with username mike and password
Now add a pppoe server
Ip pool add name=pppoe-pool ranges=10.1.1.62-10.1.1.72
PPPoE Client Setup
Submenu level /interface pppoe-client
Monitoring PPPoE Client
PPPoE Server Setup Access Concentrator
Command name /interface pppoe-client monitor
To monitor the pppoe-out1connection
Admin@AT-WR4562 interface pppoe-server server
Submenu level /interface pppoe-server
PPPoE Users
PPPoE Server User Interfaces
To view the currently connected users
PPPoE in a multipoint wireless 802.11g network
First of all, the wireless interface should be configured
Admin@PPPoE-Server interface wireless
We should add PPPoE server to the wireless interface
Finally, we can set up PPPoE clients
Admin@MT interface pppoe-server server
Pptp
My Windows XP client cannot connect to the PPPoE server
Enable the Pptp server
Configuration on Pptp client router Add the Pptp client
IP Addresses and ARP PPP User AAA EoIP
Pptp Client Setup
Submenu level /interface pptp-client
Monitoring Pptp Client
Pptp Server Setup
Command name /interface pptp-client monitor
Submenu level /interface pptp-server server
PPTPTunnel Interfaces
To enable Pptp server
Pptp Users
Submenu level /interface pptp-server
Pptp Application Examples
Interface pptp-server add user=ex1
1460 10.0.0.202 6m32s None Pptp-in1 Ex1
Admin@RemoteOffice interface pptp-client
Admin@HomeOffice interface pptp-server add user=ex
Pptp-in1 Admin@HomeOffice interface pptp-server
Add a Pptp client to the RemoteOffice router
Connecting a Remote Client via Pptp Tunnel
Test the Pptp tunnel connection
Connecting a Remote Client via and Encrypted Pptp Tunnel
FromLaptop Admin@RemoteOffice interface pptp-server
Pptp Setup for Windows
IP Security
IP Addresses and ARP Firewall and QoS
Description
Policy Settings
Diffie-Hellman Group Modulus Reference
Submenu level /ip ipsec policy
Page
To view the policy statistics, do the following
Flags X disabled, D dynamic, I inactive
Peers
Submenu level /ip ipsec peer
Remote Peer Statistics
Submenu level /ip ipsec remote-peers
Local-addressread-only IP address local Isakmp SA address
Installed SAs
Submenu level /ip ipsec installed-sa
To see currently estabilished SAs
Flushing Installed SATable
Command name /ip ipsec installed-sa flush
Sample printout looks as follows
RouterOS Router to RouterOS Router
To flush all the SAs installed
Tunnel mode example using AH with manual keying
For Router1
IPsec Between two Masquerading RouterOS Routers
Add accept and masquerading rules in SRC-NAT
For Router2
Submenu level /ip firewall filter
Filter
Firewall Filter
Mangle Packet Flow
Page
Property Description
Page
Page
Protecting the Customers Network
Filter Applications
Protect your RouterOS router
Block IP addreses called bogons
Deny udp ports in udp chain
Mangle
Create tcp chain and deny some tcp ports in it
Allow only needed icmp codes in icmp chain
Mangle
Submenu level /ip firewall mangle
Filter Packet Flow
Page
Page
Page
Admin@AT-WR4562 /ip firewall mangle add chain=forward \
Peer-to-PeerTraffic Marking
Mark by MAC address
Change MSS
Packet Flow
Packet Flow
Mangle Filter
Packet Flow Diagram
ConnectionTracking
Submenu level /ip firewall connection
ConnectionTimeouts
Submenu level /ip firewall connection tracking
Service Ports
Submenu level /ip firewall service-port
General Firewall Information
NAT
Submenu level /ip firewall nat
2 NAT
Address-list parameter
Page
Page
Example of Destination NAT
NAT Applications
Example of Source NAT Masquerading
Example of one to one mapping
Hot Spot Service
HotSpot Gateway
HotSpot example network
Page
Page
Question&Answer-Based Setup
Command name /ip hotspot setup
HotSpot Interface Setup
Hs-local Local HS-real Default Admin@AT-WR4562 ip hotspot
Name Interface
HotSpot Server Profiles
Submenu level /ip hotspot profile
0s same as received
Description
HotSpot User Profiles
HotSpot Users
HotSpot Cookies
Submenu level /ip hotspot walled-garden
HTTP-levelWalled Garden
To get the list of valid cookies
# User Domain MAC-ADDRESS
Submenu level /ip hotspot walled-garden ip
IP-level Walled Garden
One-to-one NAT static address bindings
Submenu level /ip hotspot ip-binding
Command Description
Service Port
Active Host List
To set the FTP protocol uses both 20 and 21 TCP port
Ftp Admin@AT-WR4562 ip hotspot service-port
Customizing HotSpot Firewall Section
Chain=hotspot action=jump jump-target=pre-hotspot
Packets from the authorized clients through the hs-authchain
Https proxy is listening on the 64875 port
Reject all packets to the clients with Icmp reject message
Chain=hs-input action=jump jump-target=pre-hs-input
Customizing HotSpot Http Servlet Pages
Serving Servlet Pages
Href=$link-loginlogin/a
Page
Hey, your username is john $elif username == dizzy
To this line
Add the following line
To this
Or alternatively add this line
Before this one
Possible Error Messages
Then we can use that certificate for hotspot
Name Interface ADDRESS-POOL Profile IDLE-TIMEOUT
HotSpot How-tos
MAC-ADDRESS Address TO-ADDRESS Server
MAC-ADDRESS Address TO-ADDRESS Server IDLE-TIMEOUT
HotSpot User AAA
10.11.12.3 Hs-local
Page
Submenu level /ip hotspot user
HotSpot Active Users
Submenu level /ip hotspot active
Server Name Address Profile Uptime
10.0.0.144 4m17s 55m43s Admin@AT-WR4562 ip hotspot active
To get the list of active users
User Address Uptime
Vrrp
Vrrp Routers
Property Description
Simple example of Vrrp fail over
Flags X disabled, a active
Virtual IP addresses
Submenu level /ip vrrp address
Now this address should appear in /ip address list
SystemWatchdog
Hardware Watchdog Management
Submenu level /system watchdog
Admin@AT-WR4562 system watchdog set auto-send-supout=yes \
Admin@AT-WR4562 system watchdog
Automatic-supout yes Auto-send-supout yes
Submenu level /system logging
General Settings
Log Management
Topics
Submenu level /system logging action
Actions
Log Messages
Submenu level /log
To monitor the system log
Snmp Service
To view the local logs
Timemessage
General Configuration
Traffic Flow
Related Documents
Traffic-FlowTarget
Admin@AT-WR4562 ip traffic-flow
Admin@AT-WR4562 ip traffic-flow target
Traffic-Flow Example
Host Information
Network Load Statistics Matrix
Network load profile by time
Graphing
General Options
To store information on system drive every hour
Health Graphing
Interface Graphing
Simple Queue Graphing
Submenu level /tool graphing resource
192.168.0.0/24 Yes Admin@AT-WR4562 tool graphing resource
Resource Graphing
ALLOW-ADDRESS
