Mikrotik How To

MikroTik Router RB951-2n - If you thought the RB751 couldn’t get any cheaper, MikroTik have specs available for download now for the new RB951-2n.

Smaller and cheaper than the 751. No USB port or external antenna though. No date on release yet, but pre-production samples are available soon to distributors.

Now you can build and improve your network security with mikrotik router without high cost.

The RB951-2n is the home wireless AP you have been waiting for. It has five Ethernet ports and a 802.11b/g/n wireless AP with an antenna built in.

This model is much smaller than the more powerful 2HnD model, the RB951-2n looks exactly like our popular RB750 series. The device is very small and will look good in any home or

office, wall mounting anchor holes are provided. 

Heres the specification of RB951-2n :

CPU Atheros AR9331 300MHz

CPU Memory 32MB

DDR SDRAM onboard memory

Ethernet Five independent 10/100 Ethernet ports

LEDs Power, NAND activity, 5 Ethernet LEDs

Power options PoE:  8-30V DC on Ether1 (Non 802.3af).

Jack: 8-30V DC Dimensions 113x89x28mm.

Weight without packaging and cables: 142g

Power consumption Up to 4W

Operating Temp -20C .. +50C

Operating System MikroTik RouterOS, Level4 license

Package contains RouterBOARD in a plastic case, power adapter

Antennas 1x1 MIMO with two onboard PIF antennas, max gain 1.5dBi

TX power 802.11b: 17dBm @ 11Mbps

802.11g: 15dBm @ 6Mbps to 11 dBm @ 54 Mbps

802.11n: 15dBm @ MCS0 to 9dBm @ MCS7 40MHz

RX sensitivity 802.11g: -92dBm @ 6Mbit/s to -73dBm @ 54Mbit/s

802.11n: –92 dBm @ MCS0 to –67 dBm @ MCS7

Modulations OFDM: BPSK, QPSK, 16 QAM, 64QAM

DSSS: DBPSK, DQPSK, CCK

Using Winbox

• Connect to your router with Winbox, Select the downloaded file with your mouse, and drag it to the Files menu. If there are some files already present, make sure to put the package in the root menu, not inside the hotspot folder!:

Advanced Mikrotik Hotspot Setup - You can also go a step further and play with some other available options, as this only skims the surface of the hotspot capabilities.


1. To disable communication between wireless clients (recommended), disable the default forward option on the wireless interface.

interface wireless set wlan1 default-forward=disabled
2. To set up a wallet garden (pages people can access without authenticating), use the following command:

ip hotspot walled-garden add dst-host=www.website.com
3. To limit client bandwidth type the following, replacing profilename with the current hotspot profile in use and speed with the rate limit in bits per second:

ip hotspot profile set profilename rate-limit=”speed“
4. You can customise the login and status pages by editing the files in the hotspot directory of the Mikrotik box. You can access these via FTP.

In addition to monitoring the network, the admin can also identify the various problems that occur on a computer network. With the traffic flow will be able to analyze and optimize network performance.


This is the configuration :

[Admin @ MikroTik]> ip traffic-flow

[Admin @ MikroTik] ip traffic-flow> set enabled = yes interfaces = all

[Admin @ MikroTik] ip traffic-flow> target

[Admin @ MikroTik] ip traffic-flow target> add address = :2055 version = 9

(gb)

This script demonstrates one method of doing automatic failover using the Netwatch function and using scripting to enable or disable gateways. This is probably not the most efficient way, but it works. I would welcome any input on how it can be improved.
The situation:

You have 2 lines going out to the internet - 10.0.0.12 and 10.0.0.13. You have setup a mangle to mark HTTP traffic (optional) and want to route http along the 2 lines using load balancing.
You setup the mangle:

/ip firewall mangle add
chain=prerouting protocol=tcp dst-port=80 action=mark-routing \
new-routing-mark=ecmp-http-route passthrough=yes comment=" Route HTTP \
traffic to ECMP" disabled=no

You set up ECMP (Equal Cost Multipath Routing) by using something like

/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.12,10.0.0.13 \
routing-mark=ecmp-http-route comment="ECMP route for HTTP"

Now you have ECMP for HTTP only. This is nice because MSN messenger, banking websites and other programs and problem sites will not be broken in the same way it might be if you used ECMP for all protocols.
What I then do is for example mark SMTP traffic and route this out through 10.0.0.12:

/ip firewall mangle add
chain=prerouting protocol=tcp dst-port=25 action=mark-routing \
new-routing-mark=smtp-out passthrough=yes comment="SMTP Traffic" disabled=no

/ip route add
dst-address=0.0.0.0/0 gateway=10.0.0.12 routing-mark=smtp-out \
comment="SMTP Traffic out"

and route all other traffic through 10.0.0.13

/ip route add
dst-address=0.0.0.0/0 gateway=10.0.0.13 comment="Default Route to Internet"

Then I need to setup 2 routes to specific addresses to force the router through specific gateways to "test" the links. These should not be popular addresses with your users! Otherwise when a gateway goes down they will have no access to those sites. The addresses I am using as an example are 1.1.1.12 to test 10.0.0.12, and 1.1.1.13 to test 10.0.0.13.
Next I use the Netwatch Function to switch all traffic to the working gateway should any of the gateways fail:

/ tool netwatch
add host=1.1.1.13 timeout=2s interval=30s up-script="/ip route set \
\[find comment=\"Default Route To Internet\"\] gateway=10.0.0.13" \
down-script="/ip route set \[find comment=\"Default Route To Internet\"\] \
gateway=10.0.0.12 comment="" disabled=no
add host=1.1.1.12 timeout=2s interval=30s up-script="/ip route set \
\[find comment=\"SMTP Traffic out\"\] gateway=1.0.0.12" down-script="/ip \
\n" \route set \[find comment=\"SMTP Traffic out\"\] gateway=10.0.0.13
comment="" disabled=no

The problem is that the ECMP http route will still be active, therefore http traffic wont work, so I have 2 scripts to check if both gateways are up or down and take action accordingly:

/ system script
add name="ecmp-startup" source=":if ([/ping 1.1.1.12 count=1]=1 && \
[/ping 1.1.1.13 count=1]=1 && [/ip route get [find \
comment=\"ECMP Route For HTTP\"] disabled]=true) do={ :log info \"Both gateways up\" \
\n/ip route set [find routing-mark=ecmp-http-route] \
disabled=no}" policy=ftp,reboot,read,write,policy,test,winbox,password
add name="ecmp-shutdown" source=":if ([/ping 1.1.1.12 count=1]=1 && \
[/ping 1.1.1.13 count=1]=0) do={ :log info \"Gateway down\"\
\n/ip route set [find routing-mark=ecmp-http-route] \
disabled=yes}" policy=ftp,reboot,read,write,policy,test,winbox,password

Hi I found this error while trying to use this script, what worked for me was
ecmp start/shut script. Looks like  in the start and shut script (") are missing
from the find, well other the script works wonders for me. Thanks a lot savagedavid

ecmp starthp script
:if ([/ping 1.1.1.13 count=1]=1 && [/ping 1.1.1.12 count=1]=1 && [/ip route get \
[find routing-mark="ecmp-http-route"] disabled]=true) do={:log info "Both Gateways are up" \
/n/ip route set [find routing-mark="ecmp-http-route"] disable=no}

ecmp shutdown script
:if ([/ping 1.1.1.13 count=1]=0 || [/ping 1.1.1.12 count=1]=0) do={:log info \
"Gateway down" /ip route set [find routing-mark="ecmp-http-route"] disabled=yes}

Notice that it first checks to see if the route is enable before trying to re-enable it. Otherwise it will reset the route and users will be dropped momentarily.
Then finally schedule the scripts to check every 30 seconds:

/ system scheduler
add name="gateway-check" on-event="/system script run ecmp-shutdown
script run ecmp-startup" start-date=jan/01/1970 start-time=00:00:00 \
interval=30s comment="" disabled=no

(wimi)

Mikrotik + Squid Web Proxy - Ip Addrees Configuration :

1. IP Mikrotik:
- 192.168.10.15 = to local
- 192.168.12.15 = to squid proxy
- 192.168.5.181 = to public

2. IP squid (use IPCop)
- 192.168.12.1 = squid proxy

3. IP Client: 192.168.10.0/24

Set web proxy port at ip cop with port 878
Set the cache e.g. 15M or 15000

Mikrotik configuration :

setting route:

setting dns:

setting nat:

setting mangle:

Code:

/ ip firewall mangle
add chain=forward content="X-Cache: HIT" action=mark-connection \
new-connection-mark=squid_con passthrough=yes comment="" disabled=no
add chain=forward connection-mark=squid_con action=mark-packet \
new-packet-mark=squid_pkt passthrough=no comment="" disabled=no
add chain=forward connection-mark=!squid_con action=mark-connection \
new-connection-mark=all_con passthrough=yes comment="" disabled=no
add chain=forward protocol=tcp src-port=80 connection-mark=all_con \
action=mark-packet new-packet-mark=http_pkt passthrough=no comment="" \
disabled=no
add chain=forward protocol=icmp connection-mark=all_con action=mark-packet \
new-packet-mark=icmp_pkt passthrough=no comment="" disabled=no
add chain=forward protocol=tcp dst-port=1973 connection-mark=all_con \
action=mark-packet new-packet-mark=top_pkt passthrough=no comment="" \
disabled=no
add chain=forward connection-mark=all_con action=mark-packet \
new-packet-mark=test_pkt passthrough=no comment="" disabled=no

terus queue :

Code:

/ queue simple
add name="Squid_HIT" dst-address=0.0.0.0/0 interface=all parent=none \
packet-marks=squid_pkt direction=both priority=8 \
queue=default-small/default-small limit-at=0/0 max-limit=0/0 \
total-queue=default-small disabled=no
add name="Main_Link" dst-address=0.0.0.0/0 interface=all parent=none \
direction=both priority=8 queue=default-small/default-small limit-at=0/0 \
max-limit=35000/256000 total-queue=default-small disabled=no
add name="game_tales_of_pirate" dst-address=0.0.0.0/0 interface=all \
parent=none packet-marks=top_pkt direction=both priority=1 \
queue=default-small/default-small limit-at=0/0 max-limit=0/0 \
total-queue=default-small disabled=no
add name="Ping_queue" dst-address=0.0.0.0/0 interface=all parent=none \
packet-marks=icmp_pkt direction=both priority=2 \
queue=default-small/default-small limit-at=0/0 max-limit=0/0 \
total-queue=default-small disabled=no
add name="The_other_port_queue" target-addresses=192.168.12.0/24 \
dst-address=0.0.0.0/0 interface=all parent=Main_Link packet-marks=http_pkt \
direction=both priority=8 queue=default-small/default-small \
limit-at=5000/5000 max-limit=50000/256000 total-queue=default-small \
disabled=no
add name="another_port" target-addresses=192.168.10.0/24 dst-address=0.0.0.0/0 \
interface=all parent=Main_Link packet-marks=test_pkt direction=both \
priority=8 queue=default-small/default-small limit-at=0/0 \
max-limit=0/256000 total-queue=default-small disabled=no

(ad/fm)

Prerequisites:

Make sure that the WRAP board has the latest BIOS.

Notes: The WRAP board and Router OS take different com port settings in HyperTerminal. If you want to see the actual boot text from the WRAP board, not router OS, you have to change your setting to:

Configure your terminal emulator for 38400 8N1 (default baud rate), no handshake. To enter
setup, type S during the memory test. You should see somethink like the following:
PC Engines WRAP platform

tinyBIOS V1.4a (C)1997-2003 PC Engines
640 KB Base Memory
64512 KB Extended Memory
01F0 Master 848A HYPERSTONE FLASH DISK
Phys C/H/S 497/4/32 Log C/H/S 31/32/63
WRAP setup
(9) 9600 baud *3* 38400 baud
(C) CHS mode *L* LBA mode
(X) Xmodem upload (Q) Quit

What you can expect to see from time to time is something that looks like misc characters on HyperTerminal. When you have it set to the RouterOS settings, the misc garbage is the WRAP board information. When you have HyperTerminal configure for the WRAP board com port settings, the misc garbage is the RouterOS software.

The default setting for the RouterOS software is: 9600 8-N-1, with no flow control.

Note: Be absolutely positive that you are installing to the correct removable media.

This screen actually takes quite a bit to do anything, so be patient. After a while you will see the following:


Once it gets to this point, it will reboot. Again, the time for this process can vary, so give it some time. It may actually hang at this point, though. If it does, pull the power and let it recycle. Even with a reboot, though, it may actually take a little longer to boot then you think it would. After it boots, you will see the following:


At this point, you can either work from the command line, or swap to Winbox. If you choose Winbox, just use the appropriate Ethernet cable and plug into your computer, or plug your RouterOS box into the same switch your computer is using. You don't even have to know the IP address, since Winbox will pull up the AP by MAC address:
(q4)

first set web proxy
/ ip web-proxy
set enabled=yes –>> to make ip web proxy enable
set src-address=0.0.0.0 –>> to make source address to access web proxy will allow
set port=8080 –>> to make port for web proxy
set hostname=”proxy.war.net.id” –>> setting for visble hostname web proxy
set transparent-proxy=yes –>> make transparant proxy enable
set parent-proxy=0.0.0.0:0–>> if we used parent proxy x
set cache-administrator=”support@somethink.org” –>> make set administrator info support

We assume that the mikrotik was connect to the internet, so we not have to write in this artilce about setting gateway.

Run the hotspot setup as below. Substitute the values in italics to suit your network. The user account bears no relation to the admin account and is used for the hotspot service only. You may also need to add a host record to your DNS server for the hostname of the hotspot box. Make sure the address pool does not conflict with any devices using static IPs, such as access points.

Mikrotik VPN Client Connection - PPTP - This one will show you how to do a simple PPTP setup on your Mikrotik and even how to configure your Windows machine to connect to said PPTP server. This will allow you to securely access your network remotely by creating a secure tunnel over the internet.

Applies to RouterOS: 2.9, v3, v4

After you have installed the RouterOS software, or turned on the Router for the first time, there are various ways how to connect to it:

Method 1. Console Cable

If your device is a RouterBOARD, it doesn't have a monitor connector. You will have to either find a console cable (or Null modem cable) or see Method 2.

Plug one end of the serial cable into the console port (also known as a serial port or DB9 RS232C asynchronous serial port) of the RouterBOARD and the other end in your PC (which hopefully runs Windows or Linux). You can also use a USB-Serial adapter. Run a terminal program (HyperTerminal, or Putty on Windows) with the following parameters for All RouterBOARD models except 230:

115200bit/s, 8 data bits, 1 stop bit, no parity, flow control=none by default.

Mikrotīkls Ltd., known internationally as MikroTik, is a Latvian manufacturer of computer networking equipment. It sells wireless products and routers. The company was founded in 1995, with the intent to sell in the emerging wireless technology market. As of 2007, the company had more than 70 employees.RouterOS
The main product of MikroTik is a Linux-based operating system known as MikroTik RouterOS. It lets users turn a selected PC-based machine into a software router, allowing features such as firewall rules, VPN Server and Client, bandwidth shaper Quality of Service, wireless access point and other commonly used features for routing and connecting networks together. The system is also able to serve as a captive-portal based hotspot system. The operating system is licensed in escalating levels, each releasing more of the available RouterOS features as the level number rises. Licensing is fee based and escalates with the released features. There is a software called Winbox which provides a sophisticated GUI for the RouterOS operating system. The software also allows connections via FTP, telnet, and SSH. There is also an API which allows creating customised applications for management and monitoring.

Features
RouterOS supports many applications that can be used by medium size to large ISP, for example OSPF, BGP, VPLS/MPLS. All in one, RouterOS is a versatile system, and is very well supported by Mikrotik, both through a forum and a Wiki providing assorted and thematic examples of configurations.
The software provides support for virtually all the network interfaces that the Linux kernel 2.6.16 supports, excepting wireless, where the Atheros and Prism are the only supported chipsets, as of 3.x version. Mikrotik is also working on upgrades to the software which will enable full compatibility between the Mikrotik-specific services and newer networking developments such as IPv6 and MPLS[1]

RouterBOARD
The RouterOS, combined with their hardware product line, known as MikroTik RouterBOARD, is marketed at small to medium sized wireless Internet service providers, typically providing broadband wireless access in remote areas.

Developing IT markets

See also: Information and communication technologies for development
A recent project to build low-cost internet infrastructure in Mali chose MikroTik routers and operating systems because of the system's cost, flexibility, the fact that the system already had "a substantial user base in Mali", and had a user interface deemed "superior to other products".[2] MikroTik routers were also preferred for a WLAN project in Burkina Faso,[3] and MikroTik's proprietary Nstreme protocol performed better than IEEE 802.11 under the project's conditions.[4]
In 2008, it was decided that MikroTik routers would also be used exclusively by the Municipality of Piripiri, Piauí State, Brazil, to build the infrastructure for providing free internet access.[5] MikroTik routers are also popular in the Czech Republic, where they enjoy a good reputation.[6]
Under OLPC program, Uruguay deployed a Nation-wide wireless network in Schools. Probaby the largest Mikrotik deployment in a Country with a total population of 3 Million. Aproximatelly 200.000 Students received a small laptop which connected to Mikrotik Access Points.