PN 613-000813 Rev. B
AT-WR4500 Series
RouterOS v3 Configuration and User Guide
AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers
Limitation of Liability and Damages
Contents
IP Addresses and ARP
Routes, Equal Cost Multipath Routing, Policy Routing
118
117
120
121
163
Hot Spot Service 222
164
166
10.3.8 Service Port
10.3.7 Command Description
Possible Error Messages
12.1.2 General Settings
Figures
Document Conventions
Purpose of This Guide
How This Guide is organized
Allied Telesis FTP server ftp//ftp.alliedtelesis.com
Sales or Corporate Information Management Software Updates
Tell Us What You Think
Introduction
Software License
Features
Admin@AT-WR4541g /system license print software-id NCL8-3TT
Using WinBox
Accessing theWR4500 throughWinBox
Logging in the AT-WR4500 Router
Downloading WinBox loader
AT-WR4500 Login admin Password
Accessing the CLI
Password can be changed with the /password command
Aaaaaaaaaaa Ttttttt Aaaaaaa Aaaaa Tttt
Command Action
General Information
System Backup
Import Command
Export Command
Specifications
Configuration Reset
SoftwareVersion Management
General Information
To upgrade chosen packages
System Upgrade
Step-by-Step
Property Description
192.168.25.8 Admin
Submenu level /system upgrade upgrade-package-source
Software Package Management
Adding Package Source
Command name /system package uninstall
Installation Upgrade
Uninstallation
Admin@AT-WR4562 system package print Flags X disabled
Command name /system package downgrade
Downgrading
Name Version
Command name /system package unschedule
Suppose we need to test ipv6 package features
Disabling and Enabling
Unscheduling
Name Version Scheduled
Admin@AT-WR4562 system package unschedule security
Software Package List
To upgrade selected packages
Download
Downloading 16 %
Package name Contents Prerequisites Additional License
Package name Contents Prerequisites Additional License
Command name /interface monitor-traffic
General Interface Settings
Interface Status
Traffic Monitoring
Ethernet Interfaces
Ethernet Interface Configuration
RelatedTopics
Additional Resources
Monitoring the Interface Status
Command name /interface ethernet monitor
Type RX-RATE TX-RATE MTU
ARP
Default-cable-setting standard standard
Wireless Interfaces
Troubleshooting
IP Addresses and ARP Log Management
Quick Setup Guide
Ack-timeout Range 5GHz 5GHz-turbo 2.4GHz-G
Submenu level /interface wireless
Wireless Interface Configuration
30km 249
35km 298
AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers
Page
AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers
This example shows how configure a wireless client
To see current interface settings
Nstreme Settings
Submenu level /interface wireless nstreme
Signal-to-noise 73dB tx-ccq 79% rx-ccq 46% p-throughput
Submenu level /interface wireless nstreme-dual
Nstreme2 Group Settings
Example
Admin@AT-WR4562 interface wireless nstreme-dual
Submenu level /interface wireless registration-table
RegistrationTable
Then add nstreme2 interface with exact-size framing
# Interface RADIO-NAME MAC-ADDRESS
Admin@AT-WR4562 interface wireless registration-table
Wlan1 000C42185C3D
No -38dBm.. Mbps
Submenu level /interface wireless connect-list
Access List
Submenu level /interface wireless access-list
Connect List
Submenu level /interface wireless info
Info command
Page
AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers
Example
Virtual Access Point Interface
Submenu level /interface wireless wds
WDS Interface Configuration
Align
Submenu level /interface wireless align
Align Monitor
Command name /interface wireless align monitor
Admin@AT-WR4562 interface wireless align
Aproximately shows how loaded are the wireless channels
ManualTransmit PowerTable
Submenu level /interface wireless manual-tx-power-table
Frequency Monitor
Network Scan
Command name /interface wireless scan interfacename
Scan the 5GHz band
Address Ssid Band Freq SIG RADIO-NAME AB R
Security Profiles
Submenu level /interface wireless security-profiles
Page
Submenu level /interface wireless sniffer sniff
Submenu level /interface wireless sniffer
Wireless Sniffer Sniffs packets
Sniffer
Freq SIGNAL@RATE SRC DST Type
Submenu level /interface wireless snooper
Sniffer Packets
Snooper
Application Examples
Station and AccessPoint
Snoop 802.11b network
Band Freq USE
54Mbps
10.1.0.1/24 10.1.0.0 10.1.0.255 Admin@AccessPoint ip address
Check whether you can ping the Access Point from Station
Configure the station and add an IP address 10.1.0.2 to it
On WDS Access Point
WDS Station
Set wds-default-bridge to bridge1
Virtual Access Point
Test 4ghz-g
Virtual-test 4ghz-g
Nstreme network example
Nstreme
Ssid nstreme
Dual Nstreme
Monitor the link
Admin@DualNS-1 interface wireless nstreme-dual
Configure DualNS-1
Admin@DualNS-2 interface wireless nstreme-dual
Now complete the configuration for DualNS-1
WEP security example
WEP Security
Page
Admin@WEPStation1 interface wireless
Configure WEPStation1
WPA Security
Admin@WEPStationX interface wireless
Admin@WPAAP interface wireless security-profiles
Test the link between Access point and the client
Admin@WPAStation interface wireless security-profiles
Admin@WPAStation interface wireless
Vlan Interfaces
Vlan Setup
Name MTU ARP
Application Example
Vlan example on AT-WR4500 Routers
Bridge Interfaces
10.10.10.0 10.10.10.255 Test Admin@AT-WR4562 ip address
10.0.0.0 10.0.0.255 Ether1
10.20.0.0 10.20.0.255 Pc1
Interface bridge add name=MyBridge disabled=no
Bridge Interface Setup
Add ether1 and ether2 to MyBridge interface
IP Addresses and ARP EoIP
Submenu level /interface bridge port
Port Settings
Command name /interface bridge port monitor
Command name /interface bridge monitor
Bridge Monitoring
Bridge Port Monitoring
Bridge Host Monitoring
Command name /interface bridge host
Bridge Firewall General Description
To monitor a bridge port
Property Description
Page
Bridge NAT
Bridge Packet Filter
Submenu level /interface bridge filter
Submenu level /interface bridge nat
Submenu level /interface bridge broute
Bridge Brouting Facility
Troubleshooting
IP Addresses and ARP
Configuring Interfaces Dhcp and DNS
IP Addressing
Submenu level /ip address
10.10.10.0 10.10.10.255 Ether2 Admin@AT-WR4562 ip address
Address Resolution Protocol
Submenu level /ip arp
2.1/24 2.0 2.255 Ether2
Address MAC-ADDRESS Interface
Proxy-ARP feature
Address MAC-ADDRESS
Proxy ARP
Unnumbered Interfaces
Consider the following configuration
Router setup is as follows
RIP Routing Information Protocol
General Setup
Submenu level /routing rip interface
Admin@AT-WR4562 routing rip
Interfaces
Neighbors
Networks
Routes
Submenu level /routing rip network
To view the list of the routes
0.0.0 Ether1 Admin@AT-WR4562
Ether1 1500 Ether2
10.0.0.174 10.0.0.255 Ether1
10.0.0.0/24 Admin@AT-WR4562 routing rip network
Admin@AT-WR4562 routing rip set redistribute-connected=yes
0.0.0 Ether1 Admin@AT-WR4562 routing rip
Regular routing table is
Routing table of the Alliedware+ router is
Alliedware+ Router Configuration
Ospf
General Setup
Submenu level /routing ospf area
Admin@AT-WR4562 routing ospf
Ospf Areas
Submenu level /routing ospf network
Backbone 0.0 None Local10 10.5 Admin@WiFi routing ospf area
Name AREA-ID
Network Area
Submenu level /routing ospf virtual-link
Virtual Links
Submenu level /routing ospf interface
10.0.0.201 Admin@AT-WR4562 routing ospf virtual-link
Virtual link should be configured on both routers
Submenu level /routing ospf neighbor
NEIGHBOR-ID
Ospf Backup
Ospf backup without using a tunnel
Define new Ospf area named local10 with area-id
Authentication
Add connected networks with area local10 in ospf network
Name Type RX-RATE Rate MTU
Add the same area as in main router
Name AREA-ID Stub DEFAULT-COST Authentication
Add connected networks with area local10
Add the needed IP addresses
Add connected networks with the same area
Admin@OSPFMAIN ip route print
Connect, S static, r rip, o ospf, b bgp
DST-ADDRESS Gateway Distance Interface
Dead-interval=40s
Routing tables with Revised Link Cost
On OSPFpeer2
Functioning of the Backup
Routes, Equal Cost Multipath Routing, Policy Routing
NAT
Submenu level /ip route rule
Policy Rules
Static Equal Cost Multi-Path Routing example
Static Equal Cost Multi-Path routing
Standard Policy-Based Routing with Failover
Standard Policy-Based Routing with Failover
DST-ADDRESS Prefsrc Gateway
192.168.0.0 192.168.0.255 Local1
Finally, add a Dhcp server
Dhcp Client and Server
Check whether you have obtained a lease
Packages required dhcp License required Level1
Submenu level /ip dhcp-client
Dhcp Client Setup
Submenu level /ip dhcp-server
Dhcp Server Setup
To add a Dhcp client on ether1 interface
Property Description
Name Interface Relay
Submenu level /ip dhcp-server config
Store Leases on Disk
Dhcp Server Leases
Dhcp Networks
Submenu level /ip dhcp-server network
Submenu level /ip dhcp-server lease
Command Description
Dhcp Option
Dhcp Alert
Submenu level /ip dhcp-server alert
Submenu level /ip dhcp-server option
Use this option in Dhcp server network list
Dhcp Relay
Submenu level /ip dhcp-relay
Name Code Value
Relay Ether1 10.0.0.1 Admin@AT-WR4562 ip dhcp-relay
Command name /ip dhcp-server setup
Questions & Answers
Questions
IP addresses of DHCP-Server
Dynamic Addressing, using DHCP-Relay
Name Interface Relay ADDRESS-POOL LEASE-TIME ADD-ARP
# Address Gateway DNS-SERVER WINS-SERVER
Configure respective networks
IP Address assignment, using FreeRADIUS Server
Create Dhcp Servers
DHCP-1
Setup Dhcp Server Create an address pool
Configure Radius Client on RouterOS
Configure Dhcp networks
Clients.conf file
IP and Routing
DNS Client and Cache
Static DNS Entries
5Static DNS Entries
Cache Monitoring
6Flushing DNS cache
Command name /ip dns cache flush
Flush clears internal DNS cache
Name Address
Radius client
Radius Client Setup
Ppp,hotspot 10.0.0.3 Admin@AT-WR4562 radius
Service CALLED-ID Domain Address
ConnectionTerminating from Radius
Submenu level /radius incoming
XTRadius does not currently support MS-CHAP
Suggested Radius Servers
Supported Radius Attributes
Page
Page
Page
Name VendorID Value
Name VendorID Value RFC where it is defined
AT-WR4500 Series Ieee 802.11abgh Outdoor Wireless Routers
Local PPP User Profiles
PPP User AAA
L2TP Interface
Submenu level /ppp profile
Page
Submenu level /ppp secret
Local PPP User Database
Name Service CALLER-ID Password Profile
Command name /ppp active print
Name Service CALLER-ID Address Uptime Encoding
Monitoring Active PPP Users
Router User AAA
To enable Radius AAA
PPP User Remote AAA
Submenu level /ppp aaa
Exclamation sign ! just before policy item name means not
Router User Groups
Submenu level /user group
Admin@AT-WR4562 user print Flags X disabled
Admin@rb13 user group
Router Users
Only one, it cannot be removed
When Name Address
Command name /user active print
Monitoring Active Router Users
Router User Remote AAA
SSH keys
To enable Radius AAA, enter the following command
Submenu level /user ssh-keys
Generating key on a linux machine
IP Addresses and ARP Bridge Interfaces
EoIP
Specific Properties
EoIP Setup
Admin@Remote interface pptp-client
Admin@OurGW interface pptp-server server set enable=yes
EoIP Application Example
Name User MTU CLIENT-ADDRESS Uptime ENC
Interface Bridge Priority PATH-COST
Same for the Remote
Interface Bonding General Information
Quick Setup Guide
Summary
Related Documents
Property Description
Isp1 Ether 1500 Isp2
Application Examples
1.1/24 1.0 1.255 Isp2
10.1.0.0 10.1.0.255 Isp1
For Office2 through ISP1
EoIP tunnel configuration For Office1 through ISP1
For Office1through ISP2
For Office2through ISP2
10.1.0.0 10.1.0.255 Isp1 3.1/24 3.0 3.255 Bonding1
IPIPTunnel Interfaces
For Office2
Add an IP address to created ipip1 interface
Ipip Setup
Name MTU LOCAL-ADDRESS
Configuration of the R2 is shown below
L2TP Interface
Enable the L2TP server
Configuration on L2TP client router Add a L2TP client
Submenu level /interface l2tp-client
2 L2TP Client Setup
IP Addresses and ARP AAA Configuration EoIP IP Security
Example of an established connection
Command name /interface l2tp-client monitor
Monitoring L2TP Client
To enable L2TP server
4 L2TP Server Setup
5 L2TP Server Users
Submenu level /interface l2tp-server server
Interface l2tp-server add user=ex1
To add a static entry for ex1 user
Name User MTU CLIENT-ADDRESS Uptime
ENC
Then the user should be added in the L2TP server list
6 L2TP Application Examples
Router-to-Router Secure Tunnel Example
Add a L2TP client to the RemoteOffice router
Admin@HomeOffice interface l2tp-server server
Test the L2TP tunnel connection
Connecting a Remote Client via L2TPTunnel
Admin@HomeOffice ppp secret print detail Flags X disabled
Admin@RemoteOffice ppp secret
Server must be enabled
FromLaptop Admin@RemoteOffice interface l2tp-server
Admin@RemoteOffice interface l2tp-server server
Admin@RemoteOffice interface ethernet
L2TP Setup for Windows
PPPoE
ToInternet 1500
Ip pool add name=pppoe-pool ranges=10.1.1.62-10.1.1.72
Add a user with username mike and password
Now add a pppoe server
Submenu level /interface pppoe-client
PPPoE Client Setup
Command name /interface pppoe-client monitor
PPPoE Server Setup Access Concentrator
Monitoring PPPoE Client
To monitor the pppoe-out1connection
Admin@AT-WR4562 interface pppoe-server server
PPPoE Server User Interfaces
PPPoE Users
Submenu level /interface pppoe-server
To view the currently connected users
Admin@PPPoE-Server interface wireless
PPPoE in a multipoint wireless 802.11g network
First of all, the wireless interface should be configured
Finally, we can set up PPPoE clients
We should add PPPoE server to the wireless interface
My Windows XP client cannot connect to the PPPoE server
Admin@MT interface pppoe-server server
Pptp
IP Addresses and ARP PPP User AAA EoIP
Enable the Pptp server
Configuration on Pptp client router Add the Pptp client
Submenu level /interface pptp-client
Pptp Client Setup
Command name /interface pptp-client monitor
Pptp Server Setup
Monitoring Pptp Client
Submenu level /interface pptp-server server
Pptp Users
To enable Pptp server
PPTPTunnel Interfaces
Submenu level /interface pptp-server
1460 10.0.0.202 6m32s None Pptp-in1 Ex1
Pptp Application Examples
Interface pptp-server add user=ex1
Pptp-in1 Admin@HomeOffice interface pptp-server
Admin@HomeOffice interface pptp-server add user=ex
Admin@RemoteOffice interface pptp-client
Add a Pptp client to the RemoteOffice router
Test the Pptp tunnel connection
Connecting a Remote Client via Pptp Tunnel
FromLaptop Admin@RemoteOffice interface pptp-server
Connecting a Remote Client via and Encrypted Pptp Tunnel
IP Addresses and ARP Firewall and QoS
Pptp Setup for Windows
IP Security
Description
Submenu level /ip ipsec policy
Policy Settings
Diffie-Hellman Group Modulus Reference
Page
Peers
Flags X disabled, D dynamic, I inactive
To view the policy statistics, do the following
Submenu level /ip ipsec peer
Local-addressread-only IP address local Isakmp SA address
Remote Peer Statistics
Submenu level /ip ipsec remote-peers
To see currently estabilished SAs
Installed SAs
Submenu level /ip ipsec installed-sa
Sample printout looks as follows
Flushing Installed SATable
Command name /ip ipsec installed-sa flush
Tunnel mode example using AH with manual keying
To flush all the SAs installed
RouterOS Router to RouterOS Router
For Router1
Add accept and masquerading rules in SRC-NAT
IPsec Between two Masquerading RouterOS Routers
For Router2
Firewall Filter
Filter
Submenu level /ip firewall filter
Mangle Packet Flow
Page
Property Description
Page
Page
Protect your RouterOS router
Filter Applications
Protecting the Customers Network
Block IP addreses called bogons
Create tcp chain and deny some tcp ports in it
Mangle
Deny udp ports in udp chain
Allow only needed icmp codes in icmp chain
Filter Packet Flow
Mangle
Submenu level /ip firewall mangle
Page
Page
Page
Mark by MAC address
Admin@AT-WR4562 /ip firewall mangle add chain=forward \
Peer-to-PeerTraffic Marking
Packet Flow
Packet Flow
Change MSS
Mangle Filter
Packet Flow Diagram
Submenu level /ip firewall connection
ConnectionTracking
Submenu level /ip firewall connection tracking
ConnectionTimeouts
Submenu level /ip firewall service-port
Service Ports
General Firewall Information
Submenu level /ip firewall nat
NAT
2 NAT
Address-list parameter
Page
Page
Example of Source NAT Masquerading
NAT Applications
Example of Destination NAT
Example of one to one mapping
HotSpot Gateway
Hot Spot Service
HotSpot example network
Page
Page
Command name /ip hotspot setup
Question&Answer-Based Setup
Name Interface
HotSpot Interface Setup
Hs-local Local HS-real Default Admin@AT-WR4562 ip hotspot
0s same as received
HotSpot Server Profiles
Submenu level /ip hotspot profile
HotSpot Users
HotSpot User Profiles
Description
HotSpot Cookies
To get the list of valid cookies
HTTP-levelWalled Garden
Submenu level /ip hotspot walled-garden
# User Domain MAC-ADDRESS
One-to-one NAT static address bindings
IP-level Walled Garden
Submenu level /ip hotspot walled-garden ip
Submenu level /ip hotspot ip-binding
Active Host List
Command Description
Service Port
Customizing HotSpot Firewall Section
Ftp Admin@AT-WR4562 ip hotspot service-port
To set the FTP protocol uses both 20 and 21 TCP port
Chain=hotspot action=jump jump-target=pre-hotspot
Https proxy is listening on the 64875 port
Packets from the authorized clients through the hs-authchain
Chain=hs-input action=jump jump-target=pre-hs-input
Reject all packets to the clients with Icmp reject message
Serving Servlet Pages
Customizing HotSpot Http Servlet Pages
Href=$link-loginlogin/a
Page
Hey, your username is john $elif username == dizzy
Add the following line
To this line
Before this one
To this
Or alternatively add this line
Possible Error Messages
HotSpot How-tos
Name Interface ADDRESS-POOL Profile IDLE-TIMEOUT
Then we can use that certificate for hotspot
MAC-ADDRESS Address TO-ADDRESS Server
10.11.12.3 Hs-local
MAC-ADDRESS Address TO-ADDRESS Server IDLE-TIMEOUT
HotSpot User AAA
Page
Submenu level /ip hotspot user
Server Name Address Profile Uptime
HotSpot Active Users
Submenu level /ip hotspot active
User Address Uptime
10.0.0.144 4m17s 55m43s Admin@AT-WR4562 ip hotspot active
To get the list of active users
Vrrp Routers
Vrrp
Property Description
Virtual IP addresses
Flags X disabled, a active
Simple example of Vrrp fail over
Submenu level /ip vrrp address
Now this address should appear in /ip address list
Submenu level /system watchdog
SystemWatchdog
Hardware Watchdog Management
Automatic-supout yes Auto-send-supout yes
Admin@AT-WR4562 system watchdog set auto-send-supout=yes \
Admin@AT-WR4562 system watchdog
Log Management
General Settings
Submenu level /system logging
Topics
Log Messages
Actions
Submenu level /system logging action
Submenu level /log
To view the local logs
Snmp Service
To monitor the system log
Timemessage
Related Documents
General Configuration
Traffic Flow
Admin@AT-WR4562 ip traffic-flow target
Admin@AT-WR4562 ip traffic-flow
Traffic-FlowTarget
Traffic-Flow Example
Network Load Statistics Matrix
Host Information
Network load profile by time
To store information on system drive every hour
Graphing
General Options
Simple Queue Graphing
Health Graphing
Interface Graphing
Resource Graphing
192.168.0.0/24 Yes Admin@AT-WR4562 tool graphing resource
Submenu level /tool graphing resource
ALLOW-ADDRESS
