13 October 2008

Load balancing 3 lines on MikroTik

I am working with this method



The first source 85.31.88.1 on interface In_Wan1
and the second source 86.62.23.1 on interface In_Wan2
to obtain 192.168.0.1 on interface Out_Lan

The following statements are added from the New Terminal



/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Out_Lan comment="" \
disabled=no
add address=85.31.88.2/24 network=85.31.88.0 broadcast=85.31.88.255 interface=In_Wan1 \
comment="" disabled=no
add address=86.62.23.2/24 network=86.62.23.0 broadcast=86.62.23.255 interface=In_Wan2 \
comment="" disabled=no


/ ip firewall mangle
add chain=prerouting in-interface=Out_Lan connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=odd passthrough=yes comment="" \
disabled=no
add chain=prerouting in-interface=Out_Lan connection-mark=odd action=mark-routing \
new-routing-mark=odd passthrough=no comment="" disabled=no
add chain=prerouting in-interface=Out_Lan connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=even passthrough=yes comment="" \
disabled=no
add chain=prerouting in-interface=Out_Lan connection-mark=even action=mark-routing \
new-routing-mark=even passthrough=no comment="" disabled=no


/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=85.31.88.2 \
to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=86.62.23.2 \
to-ports=0-65535 comment="" disabled=no


/ ip route
add dst-address=0.0.0.0/0 gateway=85.31.88.1 scope=255 target-scope=10 routing-mark=odd \
comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=86.62.23.1 scope=255 target-scope=10 routing-mark=even \
comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=86.62.23.1 scope=255 target-scope=10 comment="" \
disabled=no



Taking care to remove the previous settings for:
ip-firewall-nat
ip-routes

The field for entering the IP address in the script above can be omitted


2- MikroTik version 3
Given the importance of combining two or more lines,
MikroTik made the combining process easier in version 3
and reduced it to a single command





/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Out_Lan comment="" \
disabled=no
add address=85.31.88.2/24 network=85.31.88.0 broadcast=85.31.88.255 interface=In_Wan1 \
comment="" disabled=no
add address=86.62.23.2/24 network=86.62.23.0 broadcast=86.62.23.255 interface=In_Wan2 \
comment="" disabled=no

/ ip route
add gateway=85.31.88.1,86.62.23.1,86.62.23.1



Taking care to remove the previous settings for:
ip-routes

The field for entering the IP address in the script above can be omitted, and the firewall field kept as it is

10 October 2008

Tutorial Mikrotik VPN : Point to Point Tunnel Protocol (PPTP)

Summary
PPTP (Point to Point Tunnel Protocol) supports encrypted tunnels over IP. The MikroTik RouterOS implementation includes support for PPTP client and server.
General applications of PPTP tunnels:
* For secure router-to-router tunnels over the Internet
* To link (bridge) local Intranets or LANs (when EoIP is also used)
* For mobile or remote clients to remotely access an Intranet/LAN of a company (see PPTP setup for Windows for more information)
Each PPTP connection is composed of a server and a client. The MikroTik RouterOS may function as a server or client – or, for various configurations, it may be the server for some connections and client for other connections. For example, the client created below could connect to a Windows 2000 server, another MikroTik Router, or another router which supports a PPTP server.
Description
PPTP is a secure tunnel for transporting IP traffic using PPP. PPTP encapsulates PPP in virtual lines that run over IP. PPTP incorporates PPP and MPPE (Microsoft Point to Point Encryption) to make encrypted links. The purpose of this protocol is to make well-managed secure connections between routers as well as between routers and PPTP clients (clients are available for and/or included in almost all OSs including Windows).

PPTP includes PPP authentication and accounting for each PPTP connection. Full authentication and accounting of each connection may be done through a RADIUS client or locally.

MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported.

PPTP traffic uses TCP port 1723 and IP protocol GRE (Generic Routing Encapsulation, IP protocol ID 47), as assigned by the Internet Assigned Numbers Authority (IANA). PPTP can be used with most firewalls and routers by enabling traffic destined for TCP port 1723 and protocol 47 traffic to be routed through the firewall or router.

PPTP connections may be limited or impossible to set up through a masqueraded/NAT IP connection. Please see the Microsoft and RFC links at the end of this section for more information.
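The firewall requirement just described (TCP port 1723 plus GRE, IP protocol 47), as an added example that is not part of the original tutorial: an input-chain filter for a RouterOS router acting as the PPTP server, so that only those two protocols reach the server from the Internet-facing interface. The interface name ToInternet is borrowed from the router-to-router example further down this page; the rule set itself is an illustration, not the tutorial's own configuration.

```routeros
# Added example, not from the original tutorial. Input chain = traffic addressed to
# the router itself. Rules are matched top to bottom, so replies to connections the
# router already accepted pass first, then the two PPTP protocols, then everything
# else from the Internet side is dropped. ToInternet is the assumed WAN interface.
/ip firewall filter
add chain=input in-interface=ToInternet connection-state=established \
    action=accept comment="replies within sessions the router already accepted"
add chain=input in-interface=ToInternet connection-state=related \
    action=accept comment="packets related to accepted sessions"
add chain=input in-interface=ToInternet connection-state=invalid \
    action=drop comment="packets that belong to no known connection"
add chain=input in-interface=ToInternet protocol=tcp dst-port=1723 \
    action=accept comment="PPTP control channel (TCP 1723)"
add chain=input in-interface=ToInternet protocol=gre \
    action=accept comment="PPTP data channel (GRE, IP protocol 47)"
add chain=input in-interface=ToInternet action=drop \
    comment="anything else from the Internet to the router itself"
```

The final drop only applies to packets arriving on ToInternet, so management from the LAN side is unaffected; check the rule counters with `/ip firewall filter print stats` after a client connects to confirm the 1723 and GRE rules are the ones being hit.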
PPTP Client Setup
Submenu level : /interface pptp-client
Property Description
name (name; default: pptp-out1) - interface name for reference
mtu (integer; default: 1460) - Maximum Transmit Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MTU to 1460 to avoid fragmentation of packets)
mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MRU to 1460 to avoid fragmentation of packets)
connect-to (IP address)- the IP address of the PPTP server to connect to
user (string)- user name to use when logging on to the remote server
password (string; default: “”)- user password to use when logging to the remote server
profile (name; default: default) - profile to use when connecting to the remote server
add-default-route (yes | no; default: no) - whether to use the server which this client is connected to as its default router (gateway)
Example
To set up PPTP client named test2 using username john with password john to connect to the 10.1.1.12 PPTP server and use it as the default gateway:

[admin@MikroTik] interface pptp-client> add name=test2 connect-to=10.1.1.12 \
\... user=john add-default-route=yes password=john
[admin@MikroTik] interface pptp-client> print
Flags: X - disabled, R - running
0 X name="test2" mtu=1460 mru=1460 connect-to=10.1.1.12 user="john"
password="john" profile=default add-default-route=yes

[admin@MikroTik] interface pptp-client> enable 0

Monitoring PPTP Client
Command name : /interface pptp-client monitor
Property Description
Statistics:

uptime (time) - connection time displayed in days, hours, minutes, and seconds
encoding (string) - encryption and encoding (if asymmetric, separated with ‘/’) being used in this connection
status (string) - status of the client:
* Dialing - attempting to make a connection
* Verifying password... - connection has been established to the server, password verification in progress
* Connected - self-explanatory
* Terminated - interface is not enabled or the other side will not establish a connection

Example
Example of an established connection:

[admin@MikroTik] interface pptp-client> monitor test2
uptime: 4h35s
encoding: MPPE 128 bit, stateless
status: Connected
[admin@MikroTik] interface pptp-client>

PPTP Server Setup
Submenu level : /interface pptp-server server

[admin@MikroTik] interface pptp-server server> print
enabled: no
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@MikroTik] interface pptp-server server>

Description
The PPTP server supports unlimited connections from clients. For each current connection, a dynamic interface is created.
Property Description
enabled (yes | no; default: no) - defines whether PPTP server is enabled or not
mtu (integer; default: 1460) - Maximum Transmit Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MTU to 1460 to avoid fragmentation of packets)
mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MRU to 1460 to avoid fragmentation of packets)
authentication (multiple choice: pap | chap | mschap1 | mschap2; default: mschap2) - authentication algorithm
default-profile (name; default: default) - default profile to use
Example
To enable PPTP server:

[admin@MikroTik] interface pptp-server server> set enabled=yes
[admin@MikroTik] interface pptp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@MikroTik] interface pptp-server server>

PPTP Server Users
Submenu level : /interface pptp-server
Description
There are two types of items in PPTP server configuration - static users and dynamic connections. A dynamic connection can be established if the user database or the default-profile has its local-address and remote-address set correctly. When static users are added, the default profile may be left with its default values and only P2P user (in /ppp secret) should be configured. Note that in both cases P2P users must be configured properly.
Property Description
name - interface name
user - the name of the user that is configured statically or added dynamically

Statistics:

mtu - shows (cannot be set here) client’s MTU
client-address - shows (cannot be set here) the IP of the connected client
uptime - shows how long the client is connected
encoding (string) - encryption and encoding (if asymmetric, separated with ‘/’) being used in this connection
Example
To add a static entry for ex1 user:

[admin@MikroTik] interface pptp-server> add user=ex1
[admin@MikroTik] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC…
0 DR ex 1460 10.0.0.202 6m32s none
1 pptp-in1 ex1
[admin@MikroTik] interface pptp-server>

In this example an already connected user ex is shown besides the one we just added.
PPTP Router-to-Router Secure Tunnel Example
The following is an example of connecting two Intranets using an encrypted PPTP tunnel over the Internet.

There are two routers in this example:

* [HomeOffice]
Interface LocalHomeOffice 10.150.2.254/24
Interface ToInternet 192.168.80.1/24

* [RemoteOffice]
Interface ToInternet 192.168.81.1/24
Interface LocalRemoteOffice 10.150.1.254/24

Each router is connected to a different ISP. One router can access another router through the Internet.

On the PPTP server a user must be set up for the client:

[admin@HomeOffice] ppp secret> add name=ex service=pptp password=lkjrht
local-address=10.0.103.1 remote-address=10.0.103.2
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2 routes=""

[admin@HomeOffice] ppp secret>

Then the user should be added in the PPTP server list:

[admin@HomeOffice] interface pptp-server> add user=ex
[admin@HomeOffice] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC…
0 pptp-in1 ex
[admin@HomeOffice] interface pptp-server>

And finally, the server must be enabled:

[admin@HomeOffice] interface pptp-server server> set enabled=yes
[admin@HomeOffice] interface pptp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@HomeOffice] interface pptp-server server>

Add a PPTP client to the RemoteOffice router:

[admin@RemoteOffice] interface pptp-client> add connect-to=192.168.80.1 user=ex \
\... password=lkjrht disabled=no
[admin@RemoteOffice] interface pptp-client> print
Flags: X - disabled, R - running
0 R name="pptp-out1" mtu=1460 mru=1460 connect-to=192.168.80.1 user="ex"
password="lkjrht" profile=default add-default-route=no

[admin@RemoteOffice] interface pptp-client>

Thus, a PPTP tunnel is created between the routers. This tunnel is like an Ethernet point-to-point connection between the routers with IP addresses 10.0.103.1 and 10.0.103.2 at each router. It enables ‘direct’ communication between the routers over third party networks.

To route the local Intranets over the PPTP tunnel – add these routes:

[admin@HomeOffice] > ip route add dst-address 10.150.1.0/24 gateway 10.0.103.2
[admin@RemoteOffice] > ip route add dst-address 10.150.2.0/24 gateway 10.0.103.1

On the PPTP server it can alternatively be done using routes parameter of the user configuration:

[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2 routes=""

[admin@HomeOffice] ppp secret> set 0 routes="10.150.1.0/24 10.0.103.2 1"
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2
routes="10.150.1.0/24 10.0.103.2 1"

[admin@HomeOffice] ppp secret>

Test the PPTP tunnel connection:

[admin@RemoteOffice]> /ping 10.0.103.1
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

Test the connection through the PPTP tunnel to the LocalHomeOffice interface:

[admin@RemoteOffice]> /ping 10.150.2.254
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

To bridge a LAN over this secure tunnel, please see the example in the ‘EoIP’ section of the manual. To set the maximum speed for traffic over this tunnel, please consult the ‘Queues’ section.

Connecting a Remote Client via PPTP Tunnel
The following example shows how to connect a computer to a remote office network over an encrypted PPTP tunnel, giving that computer an IP address from the same network as the remote office (without the need for bridging over EoIP tunnels).

Please consult the respective manual on how to set up a PPTP client with the software you are using.

The router in this example:

* [RemoteOffice]
Interface ToInternet 192.168.81.1/24
Interface Office 10.150.1.254/24

The client computer can access the router through the Internet.

On the PPTP server a user must be set up for the client:

[admin@RemoteOffice] ppp secret> add name=ex service=pptp password=lkjrht
local-address=10.150.1.254 remote-address=10.150.1.2
[admin@RemoteOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.150.1.254 remote-address=10.150.1.2 routes=""

[admin@RemoteOffice] ppp secret>

Then the user should be added in the PPTP server list:

[admin@RemoteOffice] interface pptp-server> add name=FromLaptop user=ex
[admin@RemoteOffice] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC…
0 FromLaptop ex
[admin@RemoteOffice] interface pptp-server>

And the server must be enabled:

[admin@RemoteOffice] interface pptp-server server> set enabled=yes
[admin@RemoteOffice] interface pptp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@RemoteOffice] interface pptp-server server>

Finally, proxy ARP must be enabled on the 'Office' interface:

[admin@RemoteOffice] interface ethernet> set Office arp=proxy-arp
[admin@RemoteOffice] interface ethernet> print
Flags: X - disabled, R - running
# NAME MTU MAC-ADDRESS ARP
0 R ToInternet 1500 00:30:4F:0B:7B:C1 enabled
1 R Office 1500 00:30:4F:06:62:12 proxy-arp
[admin@RemoteOffice] interface ethernet>

08 September 2008

Mikrotik Load Balancing

/ ip address
add address=10.0.160.254/24 network=10.0.160.0 broadcast=10.0.160.255 interface=ether1 comment="" \
disabled=no
add address=10.0.150.155/24 network=10.0.150.0 broadcast=10.0.150.255 interface=ether2 \
comment="" disabled=no
add address=192.168.100.188/24 network=192.168.100.0 broadcast=192.168.100.255 interface=ether3 \
comment="" disabled=no
/ ip firewall mangle
add chain=prerouting in-interface=ether1 connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=odd passthrough=yes comment="" \
disabled=no
add chain=prerouting in-interface=ether1 connection-mark=odd action=mark-routing \
new-routing-mark=odd passthrough=no comment="" disabled=no
add chain=prerouting in-interface=ether1 connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=even passthrough=yes comment="" \
disabled=no
add chain=prerouting in-interface=ether1 connection-mark=even action=mark-routing \
new-routing-mark=even passthrough=no comment="" disabled=no
/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.0.150.155 \
to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=192.168.100.188 \
to-ports=0-65535 comment="" disabled=no
/ ip route
add dst-address=0.0.0.0/0 gateway=10.0.150.254 scope=255 target-scope=10 routing-mark=odd \
comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.100.254 scope=255 target-scope=10 routing-mark=even \
comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.100.254 scope=255 target-scope=10 comment="" \
disabled=no

Load Balancing over Multiple Gateways

The typical situation where you got one router and want to connect to two ISPs:

Image:dual_gw_01.jpg

Of course, you want to do load balancing! There are several ways how to do it. Depending on the particular situation, you may find one best suited for you.

Policy Routing based on Client IP Address

If you have a number of hosts, you may group them by IP address. Then, depending on the source IP address, send the traffic out through Gateway #1 or #2. This approach does not give you perfect load balancing, but it is easy to implement and gives you some control too.

Let us assume we use for our workstations IP addresses from network 192.168.100.0/24. The IP addresses are assigned as follows:

  • 192.168.100.1-127 are used for Group A workstations
  • 192.168.100.128-253 are used for Group B workstations
  • 192.168.100.254 is used for the router.

All workstations are configured with an IP address from the relevant group, the network mask 255.255.255.0, and 192.168.100.254 as their default gateway. We will talk about DNS servers later.

Now, when we have workstations divided into groups, we can refer to them using subnet addressing:

  • Group A is 192.168.100.0/25, i.e., addresses 192.168.100.0-127
  • Group B is 192.168.100.128/25, i.e., addresses 192.168.100.128-255
If you do not understand this, take the TCP/IP Basics course, or look for some resources about subnetting on the Internet!

We need to add two IP Firewall Mangle rules to mark the packets originated from Group A or Group B workstations.

For Group A, specify

  • Chain prerouting and Src. Address 192.168.100.0/25
  • Action mark routing and New Routing Mark GroupA.

Image:dual_gw_22.jpg

It is a good practice to add a comment as well. Your mangle rules might be interesting for someone else and for yourself as well after some time.

For Group B, specify

  • Chain prerouting and Src. Address 192.168.100.128/25
  • Action mark routing and New Routing Mark GroupB

Image:dual_gw_25.jpg

All IP traffic coming from workstations is marked with the routing marks GroupA or GroupB. We can use these marks in the routing table.

Next, we should specify two default routes (destination 0.0.0.0/0) with appropriate routing marks and gateways:

Image:dual_gw_26.jpg

This is not going to work unless you masquerade your LAN! The simplest way to do it is by adding one NAT rule with Src. Address 192.168.100.0/24 and Action masquerade:

Image:dual_gw_28.jpg
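The WinBox steps described above (two mangle rules, two marked default routes, one masquerade rule), written out as RouterOS terminal commands. This is an added example, not the article's own configuration: the ISP gateway addresses 10.1.0.1 and 10.5.8.1 are taken from the traceroute output shown further down the page, and the extra unmarked default route is an addition so that traffic without a routing mark (for example from the router itself) still has a way out.

```routeros
# Added example, not from the original article. Marks traffic by source subnet and
# sends each mark out through its own default route. Gateways 10.1.0.1 (ISP #1) and
# 10.5.8.1 (ISP #2) come from the traceroute output on this page; adjust to your own.
/ip firewall mangle
add chain=prerouting src-address=192.168.100.0/25 action=mark-routing \
    new-routing-mark=GroupA passthrough=no comment="Group A workstations -> Gateway #1"
add chain=prerouting src-address=192.168.100.128/25 action=mark-routing \
    new-routing-mark=GroupB passthrough=no comment="Group B workstations -> Gateway #2"

/ip route
add dst-address=0.0.0.0/0 gateway=10.1.0.1 routing-mark=GroupA \
    comment="default route for Group A"
add dst-address=0.0.0.0/0 gateway=10.5.8.1 routing-mark=GroupB \
    comment="default route for Group B"
# unmarked traffic (e.g. from the router itself) still needs an ordinary default route
add dst-address=0.0.0.0/0 gateway=10.1.0.1 comment="default route for unmarked traffic"

/ip firewall nat
add chain=srcnat src-address=192.168.100.0/24 action=masquerade \
    comment="masquerade the LAN behind whichever gateway the mark selects"
```

Because masquerade picks the source address from the outgoing interface, one NAT rule serves both gateways; `/ip firewall mangle print stats` shows whether each group's rule is actually matching, which is the quickest check before running the traceroute test that follows.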

Test the setup by tracing the route to some IP address on the Internet!

From a workstation of Group A, it should go like this:

C:\>tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

1 2 ms 2 ms 2 ms 192.168.100.254
2 10 ms 4 ms 3 ms 10.1.0.1
...

From a workstation of Group B, it should go like this:

C:\>tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

1 2 ms 2 ms 2 ms 192.168.100.254
2 10 ms 4 ms 3 ms 10.5.8.1
...

You can specify the DNS server for workstations quite freely, just make sure it can be reached (test it by tracing the route to the DNS server's IP address)!

03 August 2008

Setting up a basic MikroTik hotspot

Mikrotik RouterOS includes an excellent hotspot solution. Read on for details on getting a basic hotspot going using RouterOS on any standard x86 PC hardware or a RouterBOARD.

The RouterOS hotspot solution is very powerful and only the very basics of the solution are covered here; just enough to get you started.

Introduction

This article assumes you want to set up a basic hotspot as shown in the diagram below. If you have a DNS server integrated into your router the same rule applies, just use the router IP for your DNS server as well.

To help get you started, MikroTik now includes a combined RADIUS server and simple web administration package for RouterOS called the User Manager. This provides a much simpler means of user administration than the command line or Winbox. The User Manager package is included as standard with all versions of RouterOS from about 2.9.35 onwards.

Advanced users might wish to provide their own RADIUS server, however this is outside the scope of this article.

Getting the Hotspot to Work

First of all you will need to have a copy of RouterOS. You can purchase a license or download a 24-hour trial from Mikrotik. RouterBOARDs also usually come with RouterOS pre-licensed and installed. You will also need a computer with at least a 100MHz CPU, 32MB RAM and an IDE hard disk, or a RouterBOARD. Either method you choose will need a compatible wireless card and Ethernet adapter, or two Ethernet adapters with one connected to a standard wireless access point. You should check your hardware against the RouterOS compatibility list.

If you are installing RouterOS for the first time, download the ISO image from Mikrotik and burn it to CD. Note that installation of RouterOS will completely wipe the contents of the hard disk! Boot the PC off this CD and install the following packages:

  • System
  • DHCP
  • Wireless
  • Hotspot
  • Proxy
  • User Manager (optional)
  • Security (optional - recommended)
  • Advanced tools (optional)

Now to get started. Log onto the PC as admin with no password. If this box is intended for deployment, set a password by typing password at the prompt. Change the hostname by typing name.

Assign an IP address to each interface. As this is going to be set up as a router, the interfaces will need to be on different subnets. Substitute wlan1 with ether2 if you have a separate access point.

Now we need to add a default route to the IP of the internet router.
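The two steps above, as an added example with commands the article does not show. The hotspot-side address 192.168.30.1/24 on wlan1 matches the hotspot setup dialogue later on this page; the Internet-side address 192.168.24.10/24 on ether1 and the gateway 192.168.24.1 are assumptions, chosen only because the dialogue uses the DNS server 192.168.24.2 from that range.

```routeros
# Added example, not from the original article. Two interfaces on two different
# subnets, plus a default route towards the Internet router. The 192.168.24.x uplink
# addresses are assumptions for illustration; 192.168.30.1/24 is the hotspot network
# used by the hotspot setup dialogue on this page.
/ip address
add address=192.168.30.1/24 interface=wlan1 comment="hotspot network (wireless clients)"
add address=192.168.24.10/24 interface=ether1 comment="uplink to the Internet router"

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.24.1 comment="default route via the Internet router"
```

Verify with `/ip address print` and `/ip route print` before running the hotspot setup; the setup dialogue offers the address already assigned to the hotspot interface as the "local address of network".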

Enable the wireless interface and set it to run as an access point as below. If you have an access point instead, ignore the command below, make sure it is running with no security enabled, use a suitable SSID and channel and change its admin password.

    [admin@Mikrotik]> interface wireless set wlan1 ssid="My HotSpot" band=2.4ghz-b mode=ap-bridge

Run the hotspot setup as below. Substitute the values in italics to suit your network. The user account bears no relation to the admin account and is used for the hotspot service only. You may also need to add a host record to your DNS server for the hostname of the hotspot box. Make sure the address pool does not conflict with any devices using static IPs, such as access points.

    [admin@MikroTik] > ip hotspot setup
    hotspot interface: wlan1
    local address of network: 192.168.30.1/24
    masquerade network: yes
    address pool of network: 192.168.30.2-192.168.30.99
    select certificate: none
    ip address of smtp server: 0.0.0.0
    dns servers: 192.168.24.2
    dns name: hotspot.mydomain.net (or leave this blank)
    name of local hotspot user: user
    password for the user: password

That’s the guts of it there. Fire up your laptop, associate to the network and try to access a web page. You should be redirected to the hotspot login page instead where you can enter the user credentials you set up earlier. Click the thumbnails for a full view of the default page.

You should now be able to access the web normally and a pop-up window will display your connection time and data usage as you go.

Bear in mind I have left out the certificate so usernames and passwords will be sent as plain text. If you intend on deploying the hotspot, you should install a certificate on it and set up SSL to protect account data from being sniffed.
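The fix the paragraph above calls for, as an added example that is not part of the original article: import a certificate and switch the hotspot login method to HTTPS, so the login form is no longer submitted in plain text. The file name hotspot-cert.pem, the certificate name cert1 (as listed by `/certificate print` after the import) and the profile number 1 (from `ip hotspot profile print`) are placeholders.

```routeros
# Added example, not from the original article. The certificate (and its private key,
# if kept in a separate file) must first be uploaded to the router, e.g. over FTP.
# hotspot-cert.pem, cert1 and profile number 1 are placeholders for your own values.
/certificate import file-name=hotspot-cert.pem
/certificate print
# bind the imported certificate to the hotspot server profile and require HTTPS login
/ip hotspot profile set 1 login-by=https ssl-certificate=cert1
/ip hotspot profile print
```

After the change, the redirect to the login page should land on an https:// URL; if clients report a certificate warning, the certificate does not match the DNS name configured for the hotspot (hotspot.mydomain.net in the setup above), which is the usual cause.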

Setting up User Manager

The User Manager is a simple web administration interface for setting up user accounts for the MikroTik hotspot and other services. It can be hosted either on the same box as the hotspot or on a separate box on the same local network. One User Manager package can control multiple hotspots.

Before getting the User Manager set up, check for any existing hotspot account and remove them. To do this, run the following command:

    [admin@MikroTik] > ip hotspot user print
    Flags: X - disabled, D - dynamic
    # SERVER NAME ADDRESS PROFILE UPTIME
    0 fred default 0s

If any items are listed (in this case bob), run the following command to remove them:

    [admin@MikroTik] > ip hotspot user remove 0

You can delete multiple items at the same time, simply separate each item number with a comma.

To get the User Manager working we first need to add a customer login. This is used to access the UM web administration. Make sure you substitute the values in italics to suit.

[admin@MikroTik] > tool user-manager customer add login=hs_admin password=password

Now we need to add the hotspot as a RADIUS client to the user manager. This is done under the user manager router section. The shared secret can be any string of text and should be reasonably long and complex. If you are setting the user manager up on the same box as the hotspot, use 127.0.0.1 for the IP address.

[admin@MikroTik] > tool user-manager router add ip-address=hotspot-ip shared-secret=12345 subscriber=hs_admin

In turn, we need to set up the hotspot to use RADIUS for user authentication. First this involves creating a RADIUS client to communicate with the UM. Remember that if you have both services on the same box, the IP address should be set to 127.0.0.1. The secret should be the same as you set up above.

[admin@MikroTik] > radius add service=hotspot address=ip-address secret=12345

Now we tell the hotspot itself to use a RADIUS client. First bring up a list of hotspot profiles:

[admin@MikroTik] > ip hotspot profile print

Locate the profile in use and type the following command where 1 is the number of the profile to configure:

[admin@MikroTik] > ip hotspot profile set 1 use-radius=yes

Now we are done with configuration. Browse to http://router-ip/userman where router-ip is the IP address of the box you are configuring UM on. Login using the customer username and password created earlier.

Click on the User menu and select Add. Enter in a username, password and any other details you wish. You can limit the speed the client can access the internet by selecting the Rate limits checkbox and typing in a suitable speed (e.g. for a flat 128kBps download/64kBps upload speed limit simply type in 128k in the RX field and 64k in the TX field).

Click Add and you should be able to now access the hotspot using the username and password you specified. If you want to generate a printable ticket for the users you set up, click on the Users link, select the users to make a ticket for, click Generate and select the number of tickets per page.

Other Tips

You can also go a step further and play with some other available options, as this only skims the surface of the hotspot capabilities. I’ll post more notes as I play with additional options.

  • To disable communication between wireless clients (recommended), disable the default forwarding option on the wireless interface.
      interface wireless set wlan1 default-forwarding=no
  • To set up a walled garden (pages people can access without authenticating), use the following command:
  • To limit client bandwidth type the following, replacing profilename with the current hotspot profile in use and speed with the rate limit in bits per second:
      ip hotspot profile set profilename rate-limit="speed"
  • You can customise the login and status pages by editing the files in the hotspot directory of the Mikrotik box. You can access these via FTP.
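The tips above as terminal commands, added here as an example rather than taken from the article. hsprof1 is a placeholder for the profile name shown by `ip hotspot profile print`; hotspot.mydomain.net is the DNS name used in the hotspot setup dialogue above; www.example.com stands for any site that should be reachable before login; the rate values are arbitrary.

```routeros
# Added example, not from the original article. Placeholder values: hsprof1 (hotspot
# profile name), www.example.com (a site allowed before login), 256k/128k (rate limit).
# Stop wireless clients from talking to each other through the access point
/interface wireless set wlan1 default-forwarding=no

# Walled garden: hosts clients may reach without logging in
/ip hotspot walled-garden
add dst-host=www.example.com action=allow comment="reachable before login"
add dst-host=hotspot.mydomain.net action=allow comment="the hotspot's own login host"

# Overall rate limit for the hotspot server profile, in bits per second, as rx-rate/tx-rate
/ip hotspot profile set hsprof1 rate-limit="256k/128k"
```

`/ip hotspot walled-garden print` lists the allowed destinations; anything not listed still triggers the redirect to the login page for unauthenticated clients.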

DNS Mikrotik

ALTERNATIVE PROCEDURE IF YOU WANT TO INPUT A FIXED IP/GATEWAY/DNS SERVER ADDRESS
(instead of using DHCP on the ether1 port)

Caution:
Use care in selecting the DNS SERVER IP address in the setup below. You MUST select an actual DNS server or a router which provides DNS services. Some routers (such as the Hawking FR24) provide a "DNS RELAY" feature on the gateway address which redirects DNS service requests that are sent to the router Gateway Address to some downstream DNS Server. Such "dns relay" service is not always compatible with the Mikrotik system. Other routers (such as the NexLand 800 Turbo and many other router setups) do provide normal DNS Services on the gateway address. In many routers it may depend on user programming.

The Mikrotik router will NOT resolve DNS properly for the Hotspot unless the pointer to a DNS server source points to a "real" DNS Server or a router which actually provides DNS SERVICES on the Gateway address. The result of no DNS service will be that your hotspot login screen will not be loaded when "any URL" is transmitted to the ether2 (Hotspot) port via your browser. This problem can be very confusing to diagnose.

You can test what DNS address you should setup in the Mikrotik unit by running an ip configuration test on a Windows equipped computer connected to your router that you also intend your Mikrotik to use for internet access. Proceed as follows:

b) On your Windows computer, in the network settings, select the TCP/IP properties and select "obtain an IP address automatically" and "obtain DNS server address automatically". Click OK, exit, and reboot if necessary to activate the new settings. Then execute Setup>Run>,
enter <winipcfg> and click OK (Windows 95/98), or <ipconfig> (or perhaps wntipcfg) and click OK (Windows XP/NT/2000). In Windows you may have to download the winipcfg.exe (or similar) module from the resources folder on the install disk to get this to work. You will get a display such as the image below when you get the IP configuration display and click
Note that in this example the DNS SERVER reported is 192.168.168.1, which IS the same as the Default Gateway and the downstream router (not Mikrotik) IP address. THIS IS NOT ALWAYS SO! The DNS server found by the DHCP operation of your Windows computer may be in an entirely different range from the default gateway IP address. Thus, if you use a fixed IP address/Gateway/DNS Server selection, your Mikrotik router DNS Server setup MUST use the DNS Server found by a computer with a DHCP client operating as above. You cannot assume it is the same as your router's default gateway address.

Once you have the downstream router's Gateway address and DNS Server address defined, select an IP address for your Mikrotik unit and proceed as follows. (Here, we are assuming that your Mikrotik System's IP address and mask is 128.1.1.120/255.255.255.0, Gateway of the downstream router is 128.1.1.1 and that the DNS Server's IP address is 207.69.188.186. Make any changes you deem necessary.)
29a) [admin@MikroTik] interface> /ip

(Note: The address 128.1.1.120 (below) represents the PUBLIC INTERNET side IP address of the Mikrotik Router. Change to your own suitable address as may be required.)
(All commands must be all in one continuous string (no carriage returns even if the red command characters are shown on multiple lines) when input and followed at the end by a carriage return. Be careful to look for parts of commands on second and even third lines in the listings below. The /24 after the IP address is equivalent to stating that the mask is 255.255.255.0)
29b) [admin@MikroTik] ip> address add address=128.1.1.120/24 comment="TechNet LAN to Internet" interface=ether1
29c) [admin@MikroTik] ip> route add gateway=128.1.1.1
(The following test will locate your public Ethernet port. Proceed as follows. You may PING your gateway address (128.1.1.1 in the example); the ping will go out of the ether1 NIC port. Notes: you may also ping some other address if you wish. You can stop the PING command by entering at any time.) Now we test that we are connected to the Internet by pinging "some" known IP address such as:)

(Note: This next command normally sets your system up so that all DNS calls go directly to the ISP's DNS servers. If you are behind another router/firewall you could (probably) use the gateway address of your router (as is done in the example) as many do provide DNS service. However, pointing directly to the ISP's DNS servers is usually faster.)
29d) [admin@MikroTik] ip> /ip dns set primary-dns=128.1.1.1 (Change to YOUR ISPs DNS servers. Or- This may be the gateway IP address of a LAN router (as this actually is) which has DNS services. You may be able to change to YOUR ISP's recommended DNS server IP address if permitted by your router and operation will likely be faster.)
29e) [admin@MikroTik] ip> /ip dns set secondary-dns=207.69.188.186 (Add a secondary DNS server if your ISP has one. This example is one of earthlink's DNS servers.)

IF you wish to install a DNS Cache in your Hotspot router so DNS requests will be handled out of the local cache instead of going to the router (or external ISP) each time, enter the following line.
29f) [admin@MikroTik] ip> /ip dns-cache set primary-server=128.1.1.1 (This sets up the dns-cache to use the LOCAL ROUTER's DNS server. You may wish to change the above two IP addresses to your ISP's DNS IP address if permitted by your router. You can also use
/ip dns-cache set secondary-server=xxx.xxx.xxx.xxx
to set up a secondary DNS-CACHE server if you wish.)

29g) [admin@MikroTik] ip> dns print
resolve-mode: remote-dns
primary-dns: 128.1.1.1 (This should be your primary DNS server IP address.)
secondary-dns: 207.69.188.186 (You should setup a secondary-dns server if you have one.)
and then:
29h) [admin@MikroTik] ip> dns-cache print
enabled: no (You get to enable it later when you setup the hotspot.)
primary-server: 128.1.1.1 (This should be your primary DNS server IP address.)
secondary-dns: 0.0.0.0 (You should setup a secondary-dns server (in step #19) if you have one.)
running: no (It will start running if you enable "use DNS CACHE" when you setup the hotspot.)
usage: 0%
entries: 0
A library of important and varied books, tutorials and programs for MikroTik


For free download


http://www.4shared.com/dir/3328214/9e71809/MikroTik.html


Atef Al-Masri


0020189501941