MikroTik RouterOS V5 中文教程

MikroTik
RouterOS 9
RouterOS

RouterOS MikroTik
Mikrotikls SIAwww.mikrotik.com/www.RouterOS.com MikroTik
RouterOS WLAN
RouterOS
WLAN RouterOS 802.11abgn
Nstrem Nv2
RouterOS RouterOS
VPN RouterOS WLAN
2005
RouterOS
2003 RouterOS 8 , RouterOS RouterOS
RouterOS
WLAN RouterOS
Simple QueuePCQ HTB
RouterOS RouterOS
RouterOS 2006
RouterOS RouterOS
3 RouterOS WLAN
Script
RouterOS 2007 16 RouterOS PPPoE
2 23000 12650 2.4G
2.9 v5.0
CPU RouterOS
MikroTik
1995 WISP
1996 ISP
1997 RouterOS IntelPC
2002 RouterBOARD
WLAN WLAN
WDS Mesh MikroTik WLAN
MikroTik WLAN MikroTik RouterOS RouterOS

IP
- YuSong
-1-
RouterOS
:
:
:
E-mail:
V5.0
RouterOS v3.xv4.xv5.x
yus_sds@yahoo.com.cn
RouterOS
-------------------------------------------------------
10
RouterOS
RouterOS
CLI
-------------------------------------------------------------------
42
RouterOS
RouterOS
RouterOS
RouterOS
RouterBOARD
RouterOS
Supout.rif
MikroTik RouterBOARD ----------------------------------------------
64
RouterBOARD
RouterBOARD Throughput
RouterBOARD
Interface-------------------------------------------------------
70
Interface
RouterBOARD
IP ARP--------------------------------------------------------------
74
IP
ARP
ARP
ARP
ARP
(Route)
---------------------------------------------------------
79
ADSL
PPTP
RouterOS PCC
DHCP -----------------------------------------------------------------
107
DHCP-client
DHCP-server
DNS
-----------------------------------------------------------------
- YuSong
-2-
111
RouterOS
DNS
Firewall Filte ----------------------------------------------
113
RouterOS
P2P
RouterOS 7
DMZ
RouterOS packet flow---------------------------------------
126
Queue -------------------------------------------------------
131
Queue
Queue
Simple Queue
HTB
Queue tree
PCQ
HTB PCQ
PCQ HTB
Connection Rate
nat -------------------------------------------------------
173
nat
nat
nat
Mangle -----------------------------------------------------
180
Mangle
Mangle
RouterOS Nth -------------------------------------------------------
182
Passthrough Nth
Nth
Nth
Bridge-----------------------------------------------------------
189
VRRP --------------------------------------------------------------------
208
VRRP
VRRP
Hotspot ----------------------------------------------------------------Hotspot
HotSpot
Hotspot
HTTP Walled Garden
IP Walled Garden
IP
Hotspot
HotSpot
- YuSong
-3-
211
RouterOS
Hotspot
Hotspot
Hotspot
HotSpot
PPPoE --------------------------------------------------------------
234
PPPoE Client
PPPoE Server
ADSL
802.11g PPPoE
Winbox PPPoE
PPPoE
PPTP --------------------------------------------------------------------
246
PPTP
PPTP
PPTP
PPTP L2TP ------------------------------------------------------
257
PPTP L2TP
VPN
Open VPN-------------------------------------------------------------
262
OVPN
OVPN bridge
SSTP ------------------------------------------------------------------
273
SSTP
EoIP --------------------------------------------------------------
279
EoIP
EoIP
IPSec -------------------------------------------------------------
284
IPSec
Windows L2TP/IPsec
Bonding---------------------------------------------------------------
302
2 EoIP Bonding
VLAN ------------------------------------------------------------------
307
VLAN
VLAN
VLAN PPPoE
web ---------------------------------------------------------------
311
HTTP
Web
MetaRotuer ----------------------------------------------------------
320
MetaRouter
MetaRouter
log ------------------------------------------------------------
- YuSong
-4-
330
RouterOS
Logging
Dude
Log
RouterOS Store ------------------------------------------------------
335
RouterOS U
log
Web-Proxy U
Store
IP --------------------------------------------------------
342
IP
IP
Web IP
Scheduler---------------------------------------------------
345
RouterOS ----------------------------------------------------1Netwatch
2Graphing
3Bandwidth-text
4Torch ()
5E-mail
RouterOS Linux2.6 RouterOS

/
Level 0
Level3
Level 4
Level 5
Level 6
24
4.x
4.x
5.x
6.x
AP
24
24
RIPOSPFBGP
24
EoIP
24
PPTP
24
200
PPPoE
24
200
500
L2TP
24
200
OVPN
24
200
SSTP
24
200
Hotspot 24
200
500
VLAN
24
P2P
24
NAT
24
Radius
24
Queue
24
Web
24
10
20
50
User Manager 24
- YuSong
-5-
348
RouterOS
x86
AMDIntelVIA x86
SMP RouterOS 3.0 RouterOS v5.x
32MBRouterOS v2.9 1G RouterOS v3.0 2G
IDESATA,CF USBDOM SCSI5.x 64MB

80G
Linux v2.6 PCIPCI-ePCI-X
MIPS
4kc RouterBOARD 500 (532, 512 511) RouterBOARD 100 (133133c150192)
24kc RouterBOARD 400(411/411A/411AH433/433AH/433UAH450/450G493/493AH)
24kc RouterBOARD 700(711711A750/750G750UP751751G)
RAM 16MiB
ROM NAND 64Mb
PPC
RouterBOARD1000RouterBOARD1100RouterBOARD800RouterBOARD600RouterBOARD333
RouterBOARD1100AH, RouterBOARD1100AHX2, RouterBOARD1200
Netinstall: PXE EhterBoot
Netinstall: windows U
CD
MAC
WinBox GUI
Web webfig webbox
console telnet ssh
API
Binary configuration backup saving and loading
Exprot import
Firewall
Statefull filtering
NAT
NAT (h323, pptp, quake3, sip, ftp, irc, tftp)
IP IP DSCP
- YuSong
-6-
RouterOS
Layer7
IPv6
PCC
Nth -
Virtual Routing and Forwarding - VRF
ECMP
IPv4 : RIP v1/v2, OSPFv2, BGP v4
IPv6 : RIPng, OSPFv3, BGP
(BFD)
MPLS
IPv4
IPv4
RSVP
VPLS MP-BGP
MP-BGP MPLS IP VPN
VPN
Ipsec , PSK, AH ESP RB1000
(OpenVPNPPTPPPPoEL2TPSSTP)
PPP (MLPPPBCP)
(IPIPEoIP)
6to4 (IPv6 IPv4 )
VLAN IEEE802.1q Q-in-Q
MPLS VPN
Wireless
IEEE802.11a/b/g AP
IEEE802.11n
Nstreme Nstreme2
(WDS)
AP
WEP, WPA, WPA2
WMM
HWMP+ Mesh
MME
DHCP
- YuSong
-7-
RouterOS
DHCP
DHCP
DHCP
RADIUS
DHCP
Hotspot
web
RADIUS
QoS
(HTB)QoS
QoS (Simple queues)
(PCQ)
Proxy
HTTP
HTTP
SOCKS
DNS
Ping, traceroute
Bandwidth test, ping flood
sniffer , torch
Telnet, ssh
E-mail SMS
Fetch
Bridging (STP, RSTP), MAC nat
DDNS
NTP / GPS
VRRP
SNMP
M3P MikroTik
MNDP MikroTik CDP
RADIUS
- YuSong
-8-
RouterOS
TFTP
Synchronous ( Farsync )
Asynchronous PPP dial-in/dial-out
ISDN
RouterOS Windows WinBox

Webfigwebfig winbox
undo/redo
Scripts
teminal console - PS/2 USB VGA
Serial console ( COM1) RS232 9600bit/s, 8 data bits, 1 stop

bit, no parity, hardware (RTS/CTS) flow control
Telnet telnet TCP 23
SSH - SSH ( shell) TCP 22
MAC Telnet - MikroTik MAC Telnet
Winbox Winbox RouterOS Windows TCP 82913.0rc13

winbox MAC
- YuSong
-9-
RouterOS
RouterOS
1.1 RouterOS
1 ISO x86 AMDIntelVIA X86
IDESATA
2 U X86 3.0
3 netinstall RouterBOARDRB100RB300RB500RB400RB600
RB700RB800RB1000
CD
CD MikroTik RouterOS PC x86 PC
Netinstall RouterBOARD Netinstall
CD
o
PC x86
CD-ROM
MikroTik RouterOS ISO
CD
MikroTik RouterOS
1. MikroTik ,
- YuSong
- 10 -
RouterOS
2. ISO PC CD-ROM CD
3. CD RouterOS PC BIOS CD-ROM

CD
4. PC RouterOS CD
- YuSong
- 11 -
RouterOS
5. am
i RouterOS PC RouterOS
Do you want to keep old configuration?ny
6.
- YuSong
- 12 -
RouterOS
7. MikroTik RouterOS CD-ROM
8. RouterOS admin
10. RouterOS 24 software-id

,
- YuSong
- 13 -
RouterOS
USB
U 3.0 netinstall U Windows USB Netinstall
RouterOS-X86
Netinstall RouterOS U
- YuSong
- 14 -
RouterOS
U U PC BIOS USB
NetInstall RouterRoard
RouterBOARD
RouterBOARD RouterOS
RouterBOARD RouterOS
1. ether1 RouteBoard
RouterBoard
NetInstall RouterOS (*.npk )
- YuSong
- 15 -
RouterOS
2. Windows 115200 PC
9600 vista WIN 7 windows xp
vista win 7 hypertrm.dll hypertrm.exe
3. Netinstall Net Booting Boot Server Netinstall

Netinstall IP 10.200.15.18/24 Boot Server
IP RouterBoard IP 10.200.15.19
RouterBoard ether1
- YuSong
- 16 -
RouterOS
4. RouterBoard RouterBoard BIOS ( RouterBOARD

press any key BIOS ):
RouterBoard 450G
CPU frequency: 680 MHz

Memory size: 256 MB
Press any key within 2 seconds to enter setup
RouterBOOT-2.20
What do you want to configure?
d - boot delay
k - boot key
s - serial console
o - boot device
u - cpu mode
f - cpu frequency
r - reset booter configuration
e - format nand
g - upgrade firmware
i - board info
p - boot protocol
t - do memory testing
x - exit setup
your choice:
- YuSong
- 17 -
RouterOS
BIOS boot deviceo

your choice: o - boot device
Select boot device:

e - boot over Ethernet
* n - boot from NAND, if fail then Ethernet
1 - boot Ethernet once, then NAND
o - boot from NAND only
b - boot chosen device
your choice:
e RouterBoard
Select boot device:
e - boot over Ethernet
* n - boot from NAND, if fail then Ethernet
your choice: e - boot over Ethernet
RouterBoard BIOS x BIOS

5. RouterBoard Netinstall Windows
RouterBoard IP RouterBoard
Windows RouterBoard
- YuSong
- 18 -
RouterOS
Netinstall RouterBOARD Netinstall

RB450G RB4xx
Welcome to MikroTik Router Software remote installation

Press Ctrl-Alt-Delete to abort
mac-address: 00:0C:42:3E:8E:A8
mac-address: 00:0C:42:3E:8E:AA
mac-address: 00:0C:42:3E:8E:AB
mac-address: 00:0C:42:3E:8E:AC
software-id: IMIX-B1U1 key:

bNBBSe/onQwGhhk/RW1XBfWTVeOnnja/UsnbuTgcDVckt7fl5zf0Iobz03GWXjCr6vUQ34XSfB9pdGmX
czOmEA==
Waiting for installation server...
1 Keep old configuration

2 ip 115200
3 RouterBOARD
4
- YuSong
- 19 -
RouterOS
Welcome to MikroTik Router Software remote installation

Press Ctrl-Alt-Delete to abort
mac-address: 00:0C:42:3E:8E:AA
mac-address: 00:0C:42:3E:8E:AB
mac-address: 00:0C:42:3E:8E:AC
software-id: IMIX-B1U1 key:

bNBBSe/onQwGhhk/RW1XBfWTVeOnnja/UsnbuTgcDVckt7fl5zf0Iobz03GWXjCr6vUQ34XSfB9pdGmX
czOmEA==
Waiting for installation server...

Found server at 00:1E:EC:B0:B2:17
Formatting disk......
installing routeros-mipsbe-4.4 [############
Netinstall
6. Reboot
- YuSong
- 20 -
RouterOS
RouterBoard BIOS boot from NAND only

RouterBoard RouterOS
Select boot device:
* e - boot over Ethernet
n - boot from NAND, if fail then Ethernet
your choice: n - boot from NAND, if fail then Ethernet
1.2 RouterOS
RouterOS RouterOS RouterOS
1Console
RouterBOARD Console Console
2
PC DB9 PC 9600 bits/s
(RouterBOARD 115200 bits/s), windows
SecureCRTUNIX/Linux minicom
Console Console PC windows linux
PC Console USB-Serial USB

HyperTerminal PuttywindowsXP Vista win7 windowsXP
hypertrm.dll hypertrm.exeRouterBOARD
- YuSong
- 21 -
RouterOS
PC RouterOS
RouterOS
Null-modem
:
- YuSong
- 22 -
RouterOS
MikroTik Router
COM windows
HyperTerminal
PC RouterOS DB9
Router Side (DB9f)
Signal
Direction
Side (DB9f)
1, 6
CD, DSR
IN
RxD
IN
TxD
OUT
DTR
OUT
1, 6
GND
RTS
OUT
CTS
IN
RouterBOARD
DB9f
DB9f
DB25f
1+4+6
CD+DTR+DSR
1+4+6
6+8+20
RxD
xD
GND
7+8
RTS+CTS
7+8
4+5
MikroTik RouterOS
- YuSong
- 23 -
RouterOS
2Winbox MAC telnet

winbox WinBox
winbox
winbox MAC winbox
IP
IP RouterOS
MAC 100%
RouterOS PC MTU 1500
3.+
RouterOS PC +(RouterBOARD
1 2)
MikroTik v5.0
Login:
admin as the login name, and hit enter twice

(because there is no password yet), you will see this screen:
MMM
MMM
KKK
TTTTTTTTTTT
KKK
MMMM
MMMM
KKK
TTTTTTTTTTT
KKK
- YuSong
- 24 -
RouterOS
MMM MMMM MMM III KKK KKK RRRRRR
TTT
III KKK KKK
MMM MM MMM III KKKKK
RRR RRR OOO OOO
TTT
III KKKKK
MMM
MMM III KKK KKK
RRRRRR
OOO OOO
TTT
III KKK KKK
MMM
MMM III KKK KKK RRR RRR
OOOOOO
TTT
III KKK KKK
MikroTik RouterOS 5.0 (c) 1999-2011
OOOOOO
http://www.mikrotik.com/
Terminal ansi detected, using single line input mode

[admin@MikroTik] >
setup
Winbox web
MikroTik RouterOS Telnet, SSH, WinBox Webbox
WinBox
MAC-telnet IP MAC
MAC-telnet
: Winbox MAC
MAC RouterOS
winbox2.2.12 MAC IP
Winbox MikroTik RouterOS GUI MikroTik
HTTPTCP 80 Winbox.exe Windows
Windows Winbox.exe
:
- YuSong
- 25 -
RouterOS
MNDP (MikroTik Neighbor Discovery Protocol) CDP (Cisco Discovery Protocol)
MikroTik Cisco MAC MikroTik

RouterOS
winbox2.2.12 MAC IP MAC

IP
IP 80
MAC
wbx wbx
- YuSong
- 26 -
RouterOS
Secure Mode winbox RouterOS TLSTransport Layer

Security
Keep Password
Winbox TCP 8291 Winbox MikroTik
Winbox
Winbox
- YuSong
- 27 -
RouterOS
Linux Winbox
Wine Winbox RouterOS
Winbox
/ip service print www
/ip service set www port=80 address=0.0.0.0/0 Winbox TCP8291
Webbox
RouterOS IP http://RouterIP RouterOS
web RouterOS webbox
- YuSong
- 28 -
RouterOS
webbox webbox RouterOS

IP NAT simple
PPPoE DHCP
Webfig winbox web RouterOS
- YuSong
- 29 -
RouterOS
MAC (Telnet Winbox)

MAC IP RouterOS . IP .
MAC 2 MikroTik RouterOS .
: /tool mac-server
interface (name | all; : all) MAC

all
.,
mac .
Disabled (disabled=yes) mac . all
interfaces mac .
ether1 interface mac :
[admin@MikroTik] tool mac-server> print
Flags: X - disabled
#
INTERFACE
all
[admin@MikroTik] tool mac-server> remove 0

[admin@MikroTik] tool mac-server> add interface=ether1 disabled=no
[admin@MikroTik] tool mac-server> print
Flags: X - disabled
#
INTERFACE
ether1
[admin@MikroTik] tool mac-server>
MAC WinBox Server

: /tool mac-server mac-winbox
- YuSong
- 30 -
RouterOS
interface (name | all; : all) mac

all
, mac .
Disabled (disabled=yes) mac .
ether1 MAC
[admin@MikroTik] tool mac-server mac-winbox> print
Flags: X - disabled
#
INTERFACE
all
[admin@MikroTik] tool mac-server mac-winbox> remove 0

[admin@MikroTik] tool mac-server mac-winbox> add interface=ether1 disabled=no
[admin@MikroTik] tool mac-server mac-winbox> print
Flags: X - disabled
#
INTERFACE
ether1
[admin@MikroTik] tool mac-server mac-winbox>
: /tool mac-server sessions
interface (: name)
src-address (: MAC address) mac
uptime (: )
mac :
[admin@MikroTik] tool mac-server sessions> print
# INTERFACE SRC-ADDRESS
0 wlan1
UPTIME
00:0B:6B:31:08:22 00:03:01
[admin@MikroTik] tool mac-server sessions>
MAC telnet
: /tool mac-telnet
(MAC address) mac
MAC RouterOS
[admin@MikroTik] > /tool mac-telnet 00:02:6F:06:59:42
Login: admin
Password:
Trying 00:02:6F:06:59:42...
Connected to 00:02:6F:06:59:42
- YuSong
- 31 -
RouterOS
MMM
MMM
KKK
TTTTTTTTTTT
KKK
MMMM
MMMM
KKK
TTTTTTTTTTT
KKK
MMM MMMM MMM III KKK KKK RRRRRR
OOOOOO
TTT
III KKK KKK
MMM MM MMM
III KKKKK
RRR RRR OOO OOO
TTT
III KKKKK
MMM
MMM
III KKK KKK
RRRRRR
OOO OOO
TTT
III KKK KKK
MMM
MMM
III KKK KKK RRR RRR
OOOOOO
TTT
III KKK KKK
MikroTik RouterOS 3.0beta10 (c) 1999-2007
http://www.mikrotik.com/
Terminal linux detected, using multiline input mode

[admin@MikroTik] >
1.3 CLIcommand Line interface
[admin@MikroTik] >
[admin@MikroTik] interface>/ip address
[admin@MikroTik] ip address>
[admin@MikroTik] >
log/ --
quit
radius/ -- Radius
certificate/ --
special-login/ --
redo
driver/ --
ping ping
setup
interface/ --
password
undo
port/ --
import
snmp/ -- SNMP
user/ --
file/ --
system/ --
queue/ --
ip/ -- IP
tool/ --
ppp/ --
- YuSong
- 32 -
RouterOS
routing/ --
export --
[admin@MikroTik] >
[admin@MikroTik] ip>
..
service/ -- IP
socks/ -- SOCKS 4
arp/ -- ARP
upnp/ -- UPNP
dns/ -- DNS
address/ --
accounting/ --
the-proxy/ -vrrp/ --
pool/ -- IP
packing/ --
neighbor/ --
route/ --
firewall/ --
dhcp-client/ -- DHCP
dhcp-relay/ -- DHCP
dhcp-server/ -- DHCP
hotspot/ -- HotSpot
ipsec/ -- IP
web-proxy/ -- HTTP
export -[admin@MikroTik] ip>
[admin@MikroTik] >
[admin@MikroTik] > driver
| 'driver'
[admin@MikroTik] driver> /
| '/'
[admin@MikroTik] > interface
| 'interface'
[admin@MikroTik] interface> /ip
| '/ip' IP
[admin@MikroTik] ip>
interface in int[Tab]
[admin@MikroTik] ip route> print
[admin@MikroTik] ip route> .. address print
IP
[admin@MikroTik] ip route> /ip address print
IP
- YuSong
- 33 -
RouterOS
Command
command [Enter]
[?]
command [?]
command argument [?]

[Tab]
/ [Tab]
/command
..
""
IP 'address''netmask' IP
/ip address add address 10.0.0.1/24 interface ether1

/ip address add address 10.0.0.1 netmask 255.255.255.0 interface ether1
Interface Management
IP /interface
/interface print
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
#
NAME
TYPE
RX-RATE
TX-RATE
MTU
0 R ether1
ether
1500
1 R ether2
ether
1500
2 X wavelan1
wavelan
1500
3 X prism1
wlan
1500
[admin@MikroTik] interface>
/interface enable name

#
NAME
TYPE
RX-RATE
TX-RATE
MTU
0 X ether1
ether
1500
1 X ether2
ether
1500
[admin@MikroTik] interface> enable 0

[admin@MikroTik] interface> enable ether2
- YuSong
- 34 -
RouterOS
#
NAME
TYPE
RX-RATE
TX-RATE
MTU
0 R ether1
ether
1500
1 R ether2
ether
1500
/interface set
[admin@MikroTik] interface> set ether1 name=Local; set ether2 name=Public
#
NAME
TYPE
RX-RATE
TX-RATE
MTU
0 R Local
ether
1500
1 R Public
ether
1500
add IP
[admin@Office] /ip address> prin
Flags: X - disabled, I - invalid, D - dynamic
#
ADDRESS
NETWORK
BROADCAST
10.200.15.1/24
10.200.15.0
10.200.15.255
lan
0.0.0.0
ADSL
1 D 222.212.60.227/32 222.212.48.1
INTERFACE
[admin@Office] /ip address> add address=192.168.10.1/24 interface=lan

[admin@Office] /ip address> prin
#
ADDRESS
10.200.15.1/24
NETWORK
10.200.15.0
BROADCAST
10.200.15.255
INTERFACE
lan
1 D 222.212.60.227/32 222.212.48.1
0.0.0.0
ADSL
192.168.10.255
lan
192.168.10.1/24
192.168.10.0
[admin@Office] /ip address>
remove
[admin@Office] /ip firewall filter> prin
0 X chain=forward action=drop layer7-protocol=qq
1 X chain=forward action=drop dst-address-list=qq
2 X chain=forward action=log log-prefix=""

[admin@Office] /ip firewall filter> remove 2
[admin@Office] /ip firewall filter> prin
0 X chain=forward action=drop layer7-protocol=qq
1 X chain=forward action=drop dst-address-list=qq
- YuSong
- 35 -
RouterOS
[admin@Office] /ip firewall filter>
Setup
/setup
IP
DHCP
DHCP
pppoe
pptp
Setup IP /setup
[admin@MikroTik] > setup
Setup uses Safe Mode. It means that all changes that are made during setup
are reverted in case of error, or if Ctrl-C is used to abort setup. To keep
changes exit setup using the 'x' key.
[Safe Mode taken]
Choose options by pressing one of the letters in the left column, before
dash. Pressing 'x' will exit current menu, pressing Enter key will select the
entry that is marked by an '*'. You can abort setup at any time by pressing
Ctrl-C.
Entries marked by '+' are already configured.
Entries marked by '-' cannot be used yet.
Entries marked by 'X' cannot be used without installing additional packages.
r - reset all router configuration
+ l - load interface driver
* a - configure ip address and gateway
d - setup dhcp client
s - setup dhcp server
p - setup pppoe client
t - setup pptp client
x - exit menu
your choice [press Enter to configure ip address and gateway]: a
IP a [Enter]
* a - add ip address
- g - setup default gateway
x - exit menu
your choice [press Enter to add ip address]: a
a IP IP
[Tab] IP
your choice: a
enable interface:
- YuSong
- 36 -
RouterOS
ether1 ether2 wlan1
enable interface: ether1
ip address/netmask: 10.1.0.66/24
#Enabling interface
/interface enable ether1
#Adding IP address
/ip address add address=10.1.0.66/24 interface=ether1 comment="added by setup"
+ a - add ip address
* g - setup default gateway
x - exit menu
your choice: x
1.4 RouterOS
MikroTik router
192.168.0.0 24-bit255.255.255.0
192.168.0.254
ISP 10.0.0.0 24-bit255.255.255.0 10.0.0.217
DNS 61.139.2.69202.98.68.96
interface
IP
- YuSong
- 37 -
RouterOS
nat
DNS
/interfaces ether1 ether1-wan ether2 ether2-lan
ether2 ether2-lan
IP
/ip address IP IP
- YuSong
- 38 -
RouterOS
/ip routes 10.0.0.1 check-gateway=ping ping
NAT
/ip firewall nat +
NAT chain srcnat
- YuSong
- 39 -
RouterOS
action action=masquerade
DNS
/ip dns settings DNS DNS allow remote requests
- YuSong
- 40 -
RouterOS
http http IP 192.168.0.88

ip firewall nat chain=dstnat IP 10.0.0.217
dst-addressdst-port tcp 80
action dst-nat to-address http IP 80
- YuSong
- 41 -
RouterOS
Queue simple queue IP 192.168.0.3 IP03

(upload)256kbps(download)512kbps
2.1 RouterOS
- YuSong
- 42 -
RouterOS
RouterOS backup FTP winbox file
RouterOS FTP winbox file
RouterOS
/system backup
Save /file /system
backup load
load name=[filename]
save name=[filename]
test
[admin@MikroTik] system backup> save name=test
Saving system configuration
Configuration backup saved
[admin@MikroTik] system backup>
[admin@MikroTik] > file print

# NAME
0 test.backup
TYPE
backup
SIZE
12567
CREATION-TIME
aug/12/2002 21:07:50
[admin@MikroTik] >
test:
[admin@MikroTik] system backup> load name=test
Restore and reboot? [y/N]: y
...
Winbox files backup restore
- YuSong
- 43 -
RouterOS
Export
export
Export export file
FTP winbox
from=[number]
file=[filename]
[admin@MikroTik] > ip address print

#
ADDRESS
NETWORK
BROADCAST
INTERFACE
10.1.0.172/24
10.1.0.0
10.1.0.255
bridge1
10.5.1.1/24
10.5.1.0
10.5.1.255
ether1
[admin@MikroTik] >
[admin@MikroTik] ip address> export file=address

[admin@MikroTik] > file print

# NAME
0 address.rsc
TYPE
script
SIZE
315
CREATION-TIME
dec/23/2003 13:21:48
[admin@MikroTik] >
- YuSong
- 44 -
RouterOS
[admin@MikroTik] ip address> export from=0,1

# dec/23/2003 13:25:30 by RouterOS 2.8beta12
# software id = MGJ4-MAN
#
/ ip address
add address=10.1.0.172/24 network=10.1.0.0 broadcast=10.1.0.255 \
interface=bridge1 comment="" disabled=no
add address=10.5.1.1/24 network=10.5.1.0 broadcast=10.5.1.255 \
interface=ether1 comment="" disabled=no
/import
import /import file_name ip
firewall filterqueue simple
file=[filename]
[admin@MikroTik] > import address.rsc

Opening script file address.rsc
Script file loaded successfully
[admin@MikroTik] >
Winbox .rsc
- YuSong
- 45 -
RouterOS
/system> reset-configuration
adminIP
reset RouterOS v3.x ether1 IP
192.168.88.1/24
[admin@Office] /system> reset-configuration

Dangerous! Reset anyway? [y/N]: y
2.2
/system reboot
[admin@MikroTik] > system reboot

Reboot, yes? [y/N]: y
system will reboot shortly
[admin@MikroTik] >
: /system shutdown
- YuSong
- 46 -
RouterOS
10 5
[admin@MikroTik] > system shutdown
Shutdown, yes? [y/N]: y
system will shutdown promptly
[admin@MikroTik] >
2.3 RouterOS
: /system identity
DHCP host name
Wlan SSID :
[admin@MikroTik] > system identity print
name: "MikroTik"
[admin@MikroTik] >
[admin@MikroTik] > system identity set name=Gateway

[admin@Gateway] >
2.4
/system resource
RouterOS
monitor
CPU
[admin@MikroTik] system resource> print

uptime: 5h26m12s
version: "3.0"
free-memory: 17000kB
total-memory: 30200kB
model: "RouterBOARD 500"
cpu: "MIPS 4Kc V0.10"
cpu-count: 1
cpu-frequency: 333MHz
cpu-load: 3
free-hdd-space: 14208kB
total-hdd-space: 61440kB
write-sect-since-reboot: 1047
write-sect-total: 379983
bad-blocks: 0
- YuSong
- 47 -
RouterOS
[admin@MikroTik] system resource>
CPU
[admin@MikroTik] > system resource monitor
cpu-used: 0
free-memory: 115676
[admin@MikroTik] >
winbox
RouterOS 5.0 CPU CPU
- YuSong
- 48 -
RouterOS
tool CPU tool profile RouterOS CPU windows
IRQ
: /system resource irq print
IRQ
[admin@MikroTik] > system resource irq print
Flags: U - unused
IRQ OWNER
1
keyboard
APIC
- YuSong
- 49 -
RouterOS
U 3
4
serial port
[Ricoh Co Ltd RL5c476 II (#2)]
U 6
U 7
U 8
U 9
U 10
11 ether1
12 [Ricoh Co Ltd RL5c476 II]
U 13
14 IDE 1
[admin@MikroTik] >
IO
: /system resource io print
IO (Input/Output)
[admin@MikroTik] > system resource io print
PORT-RANGE
OWNER
0x20-0x3F
APIC
0x40-0x5F
timer
0x60-0x6F
keyboard
0x80-0x8F
DMA
0xA0-0xBF
APIC
0xC0-0xDF
DMA
0xF0-0xFF
FPU
0x1F0-0x1F7
IDE 1
0x2F8-0x2FF
serial port
0x3C0-0x3DF
VGA
0x3F6-0x3F6
IDE 1
0x3F8-0x3FF
serial port
0xCF8-0xCFF
[PCI conf1]
0x4000-0x40FF
[PCI CardBus #03]
0x4400-0x44FF
[PCI CardBus #03]
0x4800-0x48FF
[PCI CardBus #04]
0x4C00-0x4CFF
[PCI CardBus #04]
0x5000-0x500F
[Intel Corp. 82801BA/BAM SMBus]
0xC000-0xC0FF
[Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+]
0xC000-0xC0FF
[8139too]
0xC400-0xC407
[Cologne Chip Designs GmbH ISDN network controller [HFC-PCI]
0xC800-0xC87F
[Cyclades Corporation PC300/TE (1 port)]
0xF000-0xF00F
[Intel Corp. 82801BA IDE U100]
[admin@MikroTik] >
USB
- YuSong
- 50 -
RouterOS
: /system resource usb print

USB
device (: )
name (: ) USB
speed (: )
vendor (: ) USB
USB
[admin@MikroTik] system resource usb> print
# DEVICE VENDOR
0 1:1
NAME
SPEED
USB OHCI Root Hub
12 Mbps
[admin@MikroTik] system resource usb>
PCI
: /system resource pci print
category (: )
device (: )
device-id (: ) ID
irq (: ) IRQ
memory (: )
name (: )
vendor (: )
vendor-id (: )
PCI
[admin@MikroTik] system resource pci> print
# DEVICE
VENDOR
0 00:13.0 Compaq
NAME
IRQ
ZFMicro Chipset USB (rev... 12
1 00:12.5 National Semi
SC1100 XBus (rev: 0)
SC1100 Video (rev: 1)
SCx200 Audio (rev: 0)
SCx200 IDE (rev: 1)
SC1100 SMI (rev: 0)
SC1100 Bridge (rev: 0)
7 00:0e.0 Atheros Communications
AR5212 (rev: 1)
10
8 00:0d.1 Texas Instruments
PCI1250 PC card Cardbus ... 11
9 00:0d.0 Texas Instruments
PCI1250 PC card Cardbus ... 11
10 00:0c.0 National Semi
DP83815 (MacPhyter) Ethe... 10
11 00:0b.0 National Semi
DP83815 (MacPhyter) Ethe... 9
12 00:00.0 Cyrix Corporation
PCI Master (rev: 0)
[admin@MikroTik] system resource pci>
2.5 Watchdog
- YuSong
- 51 -
RouterOS
Watchdog
: system
: Level1
: /system watchdog
IP ,
() . RouterBOARD
auto-send-supout (yes | no; : no)

automatic-supout (yes | no; : yes) , "autosupout.rif"
. "autosupout.rif" "autosupout.old.rif"
no-ping-delay (; : 5m) ping watch-address.
watch-address 6 .
send-email-from (; : "") .
/tool e-mail
send-email-to (; : "")
send-smtp-server (; : "") SMTP .
/tool e-mail
6 ping ip
watch-address (IP ; : none)
10
none
watchdog-timer (yes | no; : no)

supout.rif 192.0.2.1
support@example.com:
[admin@MikroTik] system watchdog> set auto-send-supout=yes \
\... send-to-email=support@example.com send-smtp-server=192.0.2.1
[admin@MikroTik] system watchdog> print
watch-address: none
watchdog-timer: yes
no-ping-delay: 5m
automatic-supout: yes
auto-send-supout: yes
send-smtp-server: 192.0.2.1
send-email-to: support@example.com
[admin@MikroTik] system watchdog>
RouterOS CPU
/system hardware
CPU hardware CPU x86
CPU CPU
[admin@MikroTik] > system hardware
- YuSong
- 52 -
RouterOS
[admin@MikroTik] /system hardware>
.. / : edit export get print set
[admin@MikroTik] /system hardware> set multi-cpu=yes ;
[admin@MikroTik] /system hardware> prin
multi-cpu: yes
[admin@MikroTik] /system hardware>
2.6 RouterOS Packages

RouterOS MikroTik download
RouterOS
advanced-tools (mipsle,
mipsbe, ppc, x86)
pingnetwatchip-scansms tool wake-on-LAN
calea (mipsle, mipsbe, ppc, "Communications

x86)
dhcp (mipsle, mipsbe, ppc,
x86)
gps (mipsle, mipsbe, ppc,
x86)
hotspot (mipsle, mipsbe,
ppc, x86)
Assistance for Law Enforcement Act"
HotSpot
ipv6 (mipsle, mipsbe, ppc, IPv6
- YuSong
- 53 -
RouterOS
x86)
mpls (mipsle, mipsbe, ppc,
x86)
Multi Protocol Labels Switching
multicast (mipsle, mipsbe, ;

ppc, x86)
ntp (mipsle, mipsbe, ppc,
x86)
IGMPInternet Group Managing Protocol- Proxy
ppp (mipsle, mipsbe, ppc,
MlPPP PPPPPTPL2TPPPPoE, ISDN PPP
x86)
routerboard (mipsle,
mipsbe, ppc, x86)
routing (mipsle, mipsbe,
ppc, x86)
security (mipsle, mipsbe,
ppc, x86)
RouterBOOT RouterBOARD
RIP, BGP, OSPF BFD
IPSECSSH winbox
system (mipsle, mipsbe,
ip sNTPtelnetAPIqueue
ppc, x86)
firewallweb-proxyDNS TFTPIP SNMPsniffer

e-mail graphingBandwidth torchEoIPIPIP
VLANVRRP RouterBOARD MetaROUTER
ups (mipsle, mipsbe, ppc,

x86)
user-manager (mipsle,
mipsbe, ppc, x86)
wireless (mipsle, mipsbe,
ppc, x86)
APC ups
MikroTik User Manager Radius
Wireless 802.11abgn
arlan (x86)
Aironet Arlan
isdn (x86)
ISDN
lcd (x86)
LCD
radiolan (x86)
RadioLan
synchronous (x86)
FarSync
xen ( discontinued x86)
XEN 4.0
kvm (x86)
KVM
routeros-mipsle (mipsle)
mipsle (RB100 RB500 ) system

hotspot,
wireless ppp security mpls advanced-tools dhcp
routerboardipv6 routing)
routeros-mipsbe (mipsbe) mipsbe (RB400 700 ) systemhotspot,

routeros-powerpc (ppc)
PowerPC (RB333RB600/ARB800 RB1000 )

system hotspot, wireless ppp security mpls
- YuSong
- 54 -
RouterOS
advanced-toolsdhcp routerboardipv6 routing)

x86 (Intel/AMD PC, RB230) system hotspot,
routeros-x86 (x86)

: /system package
disable
downgrade
RouterOS
RouterOS
print
enable
uninstall
unschedule
winbox system packetage
[admin@MikroTik] > /system package print

Flags: X - disabled
#
NAME
VERSION
0 X ipv6
3.13
3.13
system
2 X mpls
3 X hotspot
4
routing
SCHEDULED
3.13
3.13
3.13
- YuSong
- 55 -
RouterOS
5
wireless
6 X dhcp
7
routerboard
routeros-mipsle
security
10 X ppp
11
advanced-tools
3.13
3.13
3.13
3.13
3.13
3.13
3.13
[admin@MikroTik] > /system package uninstall ppp;

[admin@MikroTik] >/system reboot;
Reboot, yes? [y/N]:
[admin@MikroTik] > /system package disable hotspot;

Reboot, yes? [y/N]:
RouterOS
[admin@MikroTik] > /system package downgrade;
Reboot, yes? [y/N]:
[admin@MikroTik] > /system package unschedule ipv6
2.7 RouterOS
BT RouterOS routeros-ALL-3.30
BT
all_packages_mipsbe Atheros RB400 700
all_packages_mipsle RB100 RB500 RB133RB133cRB150RB192RB532MIPS 4Kc
all_packages_ppc RB300RB600RB800 RB1000 RB333RB600RB800RB1000 RB1100 PowerPC
all_packages_x86 x86 PC AMDIntelVIA x86 PC
mikrotik-x.x.iso , x86
2.9 BT
all_packages_ns RB100 RB500 RB133RB133cRB150RB192RB532MIPS 4Kc
all_packages_x86 x86 PC AMDIntelVIA x86 PC
- YuSong
- 56 -
RouterOS
2 RouterOS system-x.x.x.npk
system package>
( wirelessPPPoE PPP )
system package ,systemg

3 RouterOS FTP// IP Winbox
Files RouterOS
4 System Reboot
- YuSong
- 57 -
RouterOS
RouterOS 1
PC RB
system package Downgrade

RouterOS FTP files
2.8 RouterBOARD
RouterBOARD BOIS RouterBOARD
RouterBOARD .fwf RouterBOARD
www.routerboard.com
RB
RB1000RB1100
mpc8548
RB800
mpc8343
RB600
mpc8343
RB333
mpc8323
RB400 (411/A/AH433/AH433AH450/G493/AH ) ar7100

RB700 750750G
ar7100
RB532
rc32434
RB100 112133/C150192
adm5120
RouterBOARD RouterOS RouterBOARD

RouterBOARD
[admin@Office] /system> routerboard
- YuSong
- 58 -
RouterOS
[admin@Office] /system routerboard> prin
routerboard: yes
model: "450"
serial-number: "188901ED9E57"
current-firmware: "2.16"
upgrade-firmware: "2.18"
[admin@Office] /system routerboard>
current-firmware 2.16 2.18 RouterOS
file winbox file list RouterBOARD RB450 ar7100
upgrade
[admin@Office] /system routerboard> upgrade
Do you really want to upgrade firmware? [y/n]
y
firmware upgraded successfully, please reboot for changes to take effect!
[admin@Office] /system routerboard>
RouterBOARD
upgrade
2.9 RouterOS
MikroTik RouterOS MikroTik
/
: /ip service
name -
port (: 1..65535) -
laddress (IP ; : 0.0.0.0/0) - IP
certificate (; : none) -
- YuSong
- 59 -
RouterOS
WWW 10.10.10.0/24 8081
[admin@MikroTik] > ip service
[admin@MikroTik] /ip service> prin
Flags: X - disabled, I - invalid
#
NAME
PORT ADDRESS
telnet
23
0.0.0.0/0
ftp
21
0.0.0.0/0
www
80
0.0.0.0/0
3 X www-ssl
443
4 X api
8728 0.0.0.0/0
8291 0.0.0.0/0
winbox
0.0.0.0/0
CERTIFICATE
none
[admin@MikroTik] /ip service>

[admin@MikroTik] ip service> set www port=8081 address=10.10.10.0/24
[admin@MikroTik] ip service> print
#
NAME
PORT ADDRESS
telnet
23
0.0.0.0/0
ftp
21
0.0.0.0/0
www
8081 10.10.10.0/24
3 X www-ssl
443
4 X api
8728 0.0.0.0/0
8291 0.0.0.0/0
winbox
0.0.0.0/0
CERTIFICATE
none
[admin@MikroTik] ip service>
MikoTik RouterOS
20/tcp
FTP []
21/tcp
FTP []
22/tcp
SSH ()
23/tcp
53/tcp
DNS
53/udp
DNS
67/udp
DHCP ( dhcp )
68/udp
DHCP ( dhcp )
80/tcp
WWWHTTP
123/udp
NTP ( ntp )
161/udp
SNMP ( snmp )
- YuSong
- 60 -
RouterOS
443/tcp
SSL HTTP( hotspot )
500/udp
Internet Key Exchange IKE protocol ( ipsec )
520/udp
RIP ()
521/udp
RIP ( routing )
179/tcp
BGP ( routing )
1080/tcp
SOCKS
1701/udp
Layer 2 Tunnel Protocol L2TP ( ppp )
1718/udp
H.323 Gatekeeper Discovery ( telephony )
1719/tcp
H.323 Gatekeeper RAS ( telephony )
1720/tcp
H.323 ( telephony e)
1723/tcp
PPTP ( ppp )
1731/tcp
H.323 ( telephony )
1900/udp
uPnP
2828/tcp
uPnP
2000/tcp
3986/tcp
Winbox
3987/tcp
winbox SSL ()
5678/udp
MikroTik Neighbor Discovery Protocol
8080/tcp
HTTP ( WEB )
8291/tcp
Winbox
20561/udp
MAC winbox
5000+/udp
H.323 RTP ( telephony )
/1
ICMP
/4
IP - IP in IP (encapsulation)
/47
GRE ( PPTP EoIP)
/50
ESP - IPv4 ()
/51
AH - IPv4 ()
/89
OSPFIGP - OSPF
/112
VRRP
2.10 Supout.rif
- YuSong
- 61 -
RouterOS
RouterOS Make supout.rif MikroTik

RouterOS supout.rif FTP
winbox
MikroTik support@mikrotik.com
Support
Winbox
support Output file Make Supout.rif,
supout files
Console
suppout.rif console
- YuSong
- 62 -
RouterOS
console done.
FTP FTP RouterOS FTP

FTP
/ ip service set ftp disabled=no
e-mail MikroTik (support@mikrotik.com)
- YuSong
- 63 -
RouterOS
MikroTik RouterBOARD
RouterBOARD MikroTik RouterOS RouterOS
RouterOScisco IOSMikroTik RouterOS
RouterBOARD
PC RouterOS PC
PC RouterOS
ARMMIPS Intel IXP
Linux FreeBSD RouterOS
PC
RouterBOARD USB 4-5w
PowerPC 5-12w MiniPCI MiniPCI-e
RouterBOARD 3
1 RouterBOARD RouterBOARD RB411RB711
2 RouterBOARD RouterBOARD RB450,RB750RB1100
3 RouterBOARD RB433RB493
RouterBOARD RB
3.1 RouterBOARD
RB RB230 x86 2002
2006 RB112 RB 5 RB100RB300RB400RB500
RB600RB700RB800RB1000RB1100RB1200
2006
RB112RB150RB153RB532RB502 RB133RB133cRB532rc5 RB192
RB RB100 RB500 RB MIPS 4kc
2007
RB333 RB600 PowerPC
2008-2009
RB400 RB411RB433RB450RB493 RB
RB1000 08
2010
- YuSong
- 64 -
RouterOS
RouterOS4.0 11n RB 11n RB700 RB711 11n 5G

RB750
2011
RB 711 RBSXT 5G11n 400 RB435G2.4G
11n RB711-2Hn USB POE RB750UP 2.4G 11n RB751 USB RB751U
RB751G RB1100RB1100AH RB1100AH2 RB1200
SFP RB
MiniPCI
WLAN
RB100
RB112
MIPS 4kc 175Mhz16MB RAM
1100M
RB133c
1100M
RB133
3100M
RB150
5100M
RB153
5100M
RB192
9100M
RB502
1100M
RB532
3100M
RB532rc5
3100M
PowerPC 333MHz, 64MB DDR RAM
3100M
3100M
802.11bg
RB411
Atheros 300Mhz , 32MB RAM (CPE)
1100M
RB411R
Atheros 300Mhz , 32MB RAM (CPE )
1100M
802.11bg
RB411A
Atheros 300Mhz , 64MB RAM
1100M
RB411AR
1100M
802.11bg
RB411U
1100M
1+1pci-e
RB411AH
Atheros 680MHz 800MHz
1100M
RB411UAHR
Atheros 680MHz 800MHz, 64MB RAM,1 USB
1100M
1+1pci-e
802.11bg
RB433
3100M
RB433AH
Atheros 680MHz 800MHz, 128MB RAM
3100M
RB433UAH
Atheros 680MHz , 128MB RAM,2 USB
3100M
RB435G
Atheros 680MHz , 128MB RAM,2 USB
31G
RB493AH
9100M
RB493G
Atheros 680Mhz , 256MB RAM.1USB
91G
RB450
5100M
RB450G
Atheros 680Mhz 800MHz, 256MB RAM
51G
RB600
PowerPC 400MHz 533MHz, 64MB DDR RAM
31G
RB600A
PowerPC 400MHz 533MHz, 128MB DDR RAM
31G
Atheros 400MHz , 32MB RAM(CPE)
1100M
802.11an
RB500
RB300
RB333
RBCRD
RB/CRD
RB400
RB600
RB700
RB711
- YuSong
- 65 -
RouterOS
RB711A
Atheros 400MHz , 64MB RAM
1100M
802.11an
RB711-2Hn
Atheros 400MHz , 32MB RAM(CPE), 1 USB
1100M
802.11bgn
RB750
Atheros 300Mhz CPU, 32MB RAM
5100M
RB750G
Atheros 680Mhz CPU, 32MB RAM
51G
RB750UP
Atheros 300Mhz CPU, 32MB RAM, 1 USB ,
5100M
RB751
Atheros 300Mhz CPU, 32MB RAM,
5100M
802.11bgn
RB751U
Atheros 300Mhz CPU, 32MB RAM, 1 USB
5100M
802.11bgn
RB751G
Atheros 680Mhz CPU, 32MB RAM, 1 USB
51G
802.11bgn
RBSXT
Atheros 400MHz , 32MB RAM(CPE), 1 USB
1100M
802.11an
PowerPC 800MHz 256M DDR RAM,1 CF
31G
4+1pci-e
RB1000
PowerPC 1.3GHz 512M DDR RAM
41G
RB1100
PowerPC 800MHz 512M DDR RAM
131G
RB1100AH
PowerPC 1066MHz 2G DDR RAM
131G
RB1100AH2
PowerPC 2G DDR RAM
131G
RB1200
PowerPC 1066MHz 2G DDR RAM
1010G
RB800
RB800
RB1000
RB
RB100 -
RB200 -
RB/CRD-
RB300 -
RB400 RB411-RB411A-RB411UAHR-RB411R-
RB500 -
RB600 -
RB1000 RB1000
RouterBOARD RB600RB800 RB1000
RB1XX RB100
RB133 100 3 3 MiniPCI
RB493 400 9 3 MiniPCI
AHA H CPU
G
U USB
R
PPOE
RouterBOARD www.routerboard.com
3.2 RouterBOARD Throughput

Throughput Throughput
RouterBOARD nat
- YuSong
- 66 -
RouterOS
throughput CPU CPU
128Byte 10000 64 Byte

20000 10000 10100 1518Byte
8000 1518Byte 100M 8127 Throughput
100M*8000/8127=98.44M Throughput 98.44M
64Byte 11000
64Byte 100M 148810
Throughput 100M*11000/148810=7.39M 13
4 1 20 80
20 80
20 80
4 4 20
80
80
- YuSong
- 67 -
RouterOS
CPU
CPU
64byte ppsper packet seconds
Cisco 3745 64 225018pps 225kpps
RB1100AH 1333MHz 262kpps 400kpps
RouterBOARD
y
64byte CPU
1500byte
512byte CPU
RouterBOARD
http://www.routerboard.com/pdf/routerboard_performance_tests.pdf
through the router
RouterBOARD system
Agilent N2X
RouterBOARD 64byte
3.3 RouterBOARD
- YuSong
- 68 -
RouterOS
RB411 RB433
RB411 RB433 miniPCi
RB411 RB433
433
411
RB411AR RB711
RB411AR WiFi RB711 RB711A 5G
RB711/A 5G-a/n 23dBm 5G 2.4G 802.11a
802.11n MiniPCI
RB411R/AR 2.4G 2.4G 5G 802.11bg
RB411R MiniPCI RB411AR 1 MiniPCI
RB711-2Hn 11n WiFi
RB450 RB750
RB450 RB450G 5 CPU 300MHz 680MHz
RB750 RB750G RB450 RB450G RB411R/AR

2.4G 2.4G 5G 802.11bg
RB450 CPU AR7130 300MHz RB750 AR7240 400MHz MikroTik
RB450 RB750 CPU 300MHz
RB450G RB750G RB750G CPU
RB450G RB750G RB750G
RB750 RB450 50 RB450G CPU
180 RB750G 150
RB750 MikroTik RB751 USB 11n
RB400 switch IC CPU RB100
RB1100
RB1100 13 12
12
RB1100AH RB1100AH2 13
RB1200 CPU RB1100AH 10
RB1000 MikroTik 1.3G 10

4-5 MikroTik 800MHz RB1100 RB1100
RB1100RB1100AH RB1100AH2 13
MikroTik
- YuSong
- 69 -
RouterOS
Interface
4.1 Interface
interface EthernetwirelessISDN
PPPPPPoEPPTPL2TPSSTPEoIPIPIP Bonding
MikroTik RouterOS VLANBridge
/interface
name ()
status
type (: arlan | bridge | cyclades | eoip | ethernet | farsync | ipip | isdn-client | isdn-server | l2tp-client
| l2tp-server | moxa-c101 | moxa-c502 | mtsync | pc | ppp-client | ppp-server | pppoe-client | pppoe-server
| pptp-client | pptp-server | pvc | radiolan | sbe | vlan | wavelan | wireless | xpeed)
mtu () (bytes)
rx-rate (; : 0)
0 - no limits
tx-rate (; : 0)
0 - no limits
- YuSong
- 70 -
RouterOS
#
NAME
TYPE
RX-RATE
TX-RATE
MTU
0 R ether1
ether
1500
1 R bridge1
bridge
1500
2 R ether2
ether
1500
3 R wlan1
wlan
1500
/interface bridge
[admin@MikroTik] /interface bridge> add
[admin@MikroTik] /interface bridge> prin
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
protocol-mode=none priority=0x8000 auto-mac=yes
admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s
transmit-hold-count=6 ageing-time=5m
[admin@MikroTik] /interface bridge>
4.2
/interface monitor-traffic
[admin@MikroTik] interface> monitor-traffic ether1,wlan1

received-packets-per-second: 1
received-bits-per-second: 475bps
sent-packets-per-second: 1
0
0bps
1
sent-bits-per-second: 2.43kbps 198bps

-- [Q quit|D dump|C-z pause]
4.3 Ethernet
MikroTik RouterOS mikrotik.com.cn
system
Level1
/interface ethernet
: IEEE 802.3
- YuSong
- 71 -
RouterOS
/interface ethernet
arp (disabled | enabled | proxy-arp | reply-only; : enabled) -

auto-negotiation (yes | no; : yes)
: Auto-negotiation
2: Gigabit auto-negotiation
bandwidth(/: unlimited/unlimited) rx/tx
RouterBOARD
cable-setting (default | short | standard; : default) ( NS DP83815/6
)
disable-running-check (yes | no; : yes)
no
full-duplex (yes | no; : yes)
l2mtu (; : )
mac-address (MAC; : )
master-port (name | none; : none)
mdix-enable (yes | no; : ) MDI/X
mtu (integer; : 1500)
name (string; : )
speed (10Mbps | 100Mbps | 1Gbps; : )
interface
[admin@MikroTik] /interface ethernet> print detail

Flags: X - disabled, R - running, S - slave
0 R name="ether1" mtu=1500 l2mtu=1526 mac-address=00:0C:42:37:58:66
arp=enabled auto-negotiation=yes full-duplex=yes speed=100Mbps
name="ether2" mtu=1500 l2mtu=1522 mac-address=00:0C:42:37:58:67

master-port=none bandwidth=unlimited/unlimited switch=switch1


name="ether5" mtu=1500 l2mtu=1522 mac-address=00:0C:42:37:58:6A

[admin@MikroTik] /interface ethernet>
- YuSong
- 72 -
RouterOS
/interface ethernet monitor
status (link-ok | no-link | unknown)

link-ok
no-link
unknown
rate (10 Mbps | 100 Mbps | 1000 Mbps)
auto-negotiation (done | incomplete)
done
incomplete
full-duplex (yes | no)
Monitor link-ok :
[admin@MikroTik] interface ethernet> monitor ether1,ether2
status: link-ok link-ok
auto-negotiation: done
done
rate: 100Mbps 100Mbps

full-duplex: yes
yes
mac
[admin@MikroTik] interface ethernet>set 0 mac-address=00:0C:42:03:11:0A
4.4 RouterBOARD
RB100 RB400 RB700 Master
bridge CPU
RB450 5 ether3ether4 ether2
ether3 ether4 Master Port ether2
- YuSong
- 73 -
RouterOS
interface
IP ARP
IP TCP/IP IP
ARP
system
Level1
/ip address, /ip arp
IP, ARP
- YuSong
- 74 -
RouterOS
5.1 IP
/ip address
Internet (Host) IP IP Internet
IP 32 4 8 0255
IP IP
RouterOS IP IP
RouterOS 2.8 IP
/ip address print detail
MikroTik RouterOS
Static
Dynamic ppp, ppptp, pppoe
address (IP ) IP X.X.X./

broadcast (IP ; : 255.255.255.255) IP IP
disabled (yes | no; : no)
interface ()
actual-interface (: ) bridgestunnels
netmask (IP ; : 0.0.0.0) IP
network (IP ; : 0.0.0.0) IP
IP 10.0.0.1/24 ether1 10.0.0.132/24

ether2 10.0.0.0/24
IP 10.10.10.1/24
ether2
[admin@MikroTik] ip address> add address=10.10.10.1/24 interface=ether2

[admin@MikroTik] ip address> print
#
ADDRESS
NETWORK
BROADCAST
INTERFACE
2.2.2.1/24
10.5.7.244/24
2.2.2.0
10.5.7.0
2.2.2.255
10.5.7.255
ether2
10.10.10.1/24
10.10.10.0
10.10.10.255
ether1
ether2
5.2 ARP
/ip arp
- YuSong
- 75 -
RouterOS
IP MAC
OSI IP MAC ARP ARP
ARP ARP
address (IP ) IP
interface () IP
mac-address (MAC ; : 00:00:00:00:00:00) MAC
ARP 8192.
ARP arp=disabled ARP
ARP arp IP MAC windows
C:\> arp -s 10.5.8.254 00-aa-00-62-c6-09
arp reply-only ARP MAC /ip arp
ARP
[admin@MikroTik] ip arp> add address=10.10.10.10 interface=ether2

mac-address=06:21:00:56:00:12
[admin@MikroTik] ip arp> print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
#
ADDRESS
0 D 2.2.2.2
MAC-ADDRESS
INTERFACE
00:30:4F:1B:B3:D9 ether2
1 D 10.5.7.242
00:A0:24:9D:52:A4 ether1
06:21:00:56:00:12 ether2
10.10.10.10
[admin@MikroTik] ip arp>
ARP arp 'reply-only'
/interface
[admin@MikroTik] ip arp> /interface ethernet set ether2 arp=reply-only
[admin@MikroTik] ip arp> print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
#
ADDRESS
MAC-ADDRESS
INTERFACE
0 D 10.5.7.242
00:A0:24:9D:52:A4 ether1
06:21:00:56:00:12 ether2
10.10.10.10
5.3 ARP
Atheros Prism (wireless), Aironet (PC), WaveLAN
ARP ARP
ARP ARP (ProxyARP) ARP
- YuSong
- 76 -
RouterOS
Router
admin@MikroTik] ip arp> /interface ethernet print
Flags: X - disabled, R - running, S slave
#
NAME
0 R ether1
MTU
MAC-ADDRESS
ARP
1500 00:0C:42:11:54:F5 enabled
MA.. SWITCH
none 0
[admin@MikroTik] ip arp> /interface print

Flags: X - disabled, R - running, D - dynamic, S - slave
#
NAME
0 R ether1
1
prism1
prism
2 D pppoe-in25
pppoe-in
3 D pppoe-in26
pppoe-in
TYPE
MTU
ether
1500
1500
[admin@MikroTik] ip arp> /ip address print

#
ADDRESS
10.0.0.217/24
NETWORK
10.0.0.0
BROADCAST
INTERFACE
10.0.0.255
eth-LAN
1 D 10.0.0.217/32
10.0.0.230
0.0.0.0
pppoe-in25
2 D 10.0.0.217/32
10.0.0.231
0.0.0.0
pppoe-in26
[admin@MikroTik] ip arp> /ip route print

Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
#
DST-ADDRESS
0 S 0.0.0.0/0
G GATEWAY
DISTANCE INTERFACE
r 10.0.0.1
eth-LAN
1 DC 10.0.0.0/24
r 0.0.0.0
eth-LAN
2 DC 10.0.0.230/32
r 0.0.0.0
pppoe-in25
3 DC 10.0.0.231/32
r 0.0.0.0
pppoe-in26
- YuSong
- 77 -
RouterOS
5.4 ARP
IP IP MAC
Address resolution protocol (ARP) IP ARP ARP
IP MAC ARP IP MAC ARP
ARP ARP ARP
IP ARP
1. WinBox ARP ARP
[admin@MikroTik] ip arp> add address=192.168.1.248 interface=ether1-lan

mac-address=00:21:00:56:00:12
ARP
2. ether1-lan interface ARP arp=reply-only
- YuSong
- 78 -
RouterOS
[admin@RB230] > interface ethernet set ether2 arp=reply-only
ARP
/ip arp LAN ARP
ARP
:foreach i in [/ip arp find dynamic=yes interface=LAN] do={
/ip arp add copy-from=$i}
LAN disabled
ARP arp=disabled ARP
ARP arp IP MAC windows
[admin@MikroTik] ip arp> /interface ethernet set LAN arp=disabled
IP Windows
C:\> arp -s 10.5.8.254 00-aa-00-62-c6-09
windows .dat
Route
RouterOS
- YuSong
- 79 -
RouterOS
: system
: Level1
: /ip route, /ip route rules
6.1 RouterOS
RouterOS
IP
IP
TCP UDP
Nth PCC
IP
RouterOS
IP PPPoE-Client
PPTP-Client DHCP-Client
IP
PPPoE-ClientPPTP-Client DHCP-Client
RIP OSPF
Equal-Cost Multi-Path
Routing 10
Equal-Cost Multi-Path Routing
Equal-Cost Multi-Path Routing ip route

gateway=x.x.x.x,y.y.y.y
N
IP IP
PCCPer connection classified
Nth
- YuSong
- 80 -
RouterOS
RouterOS
routing-mark
ip route ip route rules
address-list routing-mark
: /ip route
IP 10.1.12.0/24 0.0.0.0/0
[admin@MikroTik] ip route> add dst-address=10.1.12.0/24 gateway=192.168.0.253
[admin@MikroTik] ip route> add gateway=10.5.8.1
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
#
DST-ADDRESS
0 A S 10.1.12.0/24
G GATEWAY
DISTANCE INTERFACE
r 192.168.0.253
Local
1 ADC 10.5.8.0/24
Public
2 ADC 192.168.0.0/24
Local
3 A S 0.0.0.0/0
r 10.5.8.1
Public
[admin@MikroTik] ip route>
6.2
www.mikrotik.com.cn
import
[admin@MikroTik] > import cnc1.rsc
/ip route add gatewall="" check-gateway=ping routing-mark=telecom cnc
cnc ip route rules
- YuSong
- 81 -
RouterOS
ip route routing-mark cnc
6.3
distance distance 1
2
- YuSong
- 82 -
RouterOS
distance 1 check-gateway=ping ping :
- YuSong
- 83 -
RouterOS
6.4
192.168.10.2-192.168.10.127 A IP B
IP 127 B
RouterOS address-list IP
IP A IP B
1 IP
2 ip firewall address-list
3 ip firewall mangle src-address-list
4 ip route
1 IP A BA IP 172.16.0.2
172.16.0.1B IP 10.200.15.20 10.200.15.1
ip route A 172.16.0.1
- YuSong
- 84 -
RouterOS
2 IP ip firewall address-list
odd IP
3 IP ip firewall mangle chain=prerouting

[admin@CDNAT] /ip firewall mangle> add chain=prerouting action=mark-routing new
-routing-mark=odd src-address-list=odd
[admin@CDNAT] /ip firewall mangle> print
0
chain=prerouting action=mark-routing new-routing-mark=odd passthrough=yes

src-address-list=odd
- YuSong
- 85 -
RouterOS
ip
4 ip route IP B
- YuSong
- 86 -
RouterOS
gateway=10.200.15.1 routing-mark=odd
IP B 10.200.15.1 IP A 172.16.0.1
6.5 ADSL
Internet
2M
ADSL
2M NAT 3 WAN1 WAN2
ADSL LAN
WAN1 WAN2 IP ADSL PPPoE
- YuSong
- 87 -
RouterOS
ADSL
/interface pppoe-client ADSL
/interface pppoe-client add name pppoe-line1 service CHN-Telecom/ user c999@166 password
123 interface WAN2 use-peer-dns yes mtu 1942 mru 1942
pppoe-client ADSL pppoe-client add-default-route=yes

add-default-route=no
[admin@MikroTik] ip address> add address 61.193.77.77/24 interface WAN1
#
ADDRESS
NETWORK
BROADCAST
INTERFACE
61.193.77.77/24
61.193.77.0
61.193.77.255
WAN1
D 1
218.88.32.10/24
218.88.32.1
0.0.0.0
pppoe-out1
192.168.0.1/24
[admin@MikroTik] ip address> add address 192.168.0.1/24 interface LAN
#
ADDRESS
61.193.77.77/24
61.193.77.0
61.193.77.255
WAN1
D 1
218.88.32.10/24
218.88.32.1
0.0.0.0
pppoe-out1
192.168.0.1/24
NETWORK
192.168.0.0
BROADCAST
192.168.0.255
INTERFACE
LAN
61.193.77.1
[admin@MikroTik] ip route> add gateway=61.193.77.1
#
DST-ADDRESS
0 ADC 61.193.77.0/24
1 ADC 218.88.32.1/32
2 ADC 192.168.0.0/24
PREFSRC
G GATEWAY
DISTANCE INTERFACE
61.193.77.77
WAN1
218.88.32.10
pppoe-out1
192.168.0.1
3 A S 0.0.0.0/0
LAN
r 61.193.77.1
WAN1
www.mikrotik.com.cn
- winbox Terminal
Terminalpaste
.rsc files import
218.88.32.1 IP
218.88.32.1 Terminal
- YuSong
- 88 -
RouterOS
[hcf@NAT] ip route> prin
#
DST-ADDRESS
PREFSRC
G GATEWAY
DIS
INTERFACE
0 ADC 61.193.77.0/24
61.193.77.77
WAN1
1 ADC 218.88.32.1/32
218.88.32.10
pppoe-out1
2 ADC 192.168.0.0/24
192.168.0.1
LAN
3 A S 0.0.0.0/0
r 61.193.77.1
4 A S 218.4.0.0/15
r 218.88.32.1
pppoe-out1
WAN1
5 A S 218.6.0.0/16
r 218.88.32.1
pppoe-out1
6 A S 218.13.0.0/16
r 218.88.32.1
pppoe-out1
7 A S 218.14.0.0/15
r 218.88.32.1
pppoe-out1
8 A S 218.16.0.0/14
r 218.88.32.1
pppoe-out1
9 A S 218.20.0.0/16
r 218.88.32.1
pppoe-out1
10 A S 218.21.0.0/17
r 218.88.32.1
pppoe-out1
11 A S 218.22.0.0/15
r 218.88.32.1
pppoe-out1
12 A S 218.30.0.0/15
r 218.88.32.1
pppoe-out1
13 A S 218.62.128.0/17
r 218.88.32.1
pppoe-out1
14 A S 218.63.0.0/16
r 218.88.32.1
pppoe-out1
15 A S 218.64.0.0/15
r 218.88.32.1
pppoe-out1
16 A S 218.66.0.0/16
r 218.88.32.1
pppoe-out1
.....
/tool netwatch
Network
,
222.212.48.1
:foreach i in=[/ip route find gateway=218.88.32.1] do={/ip rout disable $i}
:foreach i in=[/ip route find gateway=218.88.32.1] do={/ip rout enable $i}
6.6 http
MikroTik RouterOS
- YuSong
- 89 -
RouterOS
ISP ISP1 ISP2 PPPoE

PPPoE ISP1
TCP 80 /ip firewall mangle

web passthrough
/ip route 80 pppoe-out1
- YuSong
- 90 -
RouterOS
ip route rule /ip route rule 80
ip route rules web web
6.7 PPTP
- YuSong
- 91 -
RouterOS
A B
PPTP A
A B 10ms
B B A PPTP A
PPTP B A IP 202.112.12.10B
202.112.12.12
PPPTP-Server
A PPTP-Server
Default-Profile default-encryption PPTP-Server profiles

Keepalive-Timeout PPTP-Server ICMP
ICMP Server
Profile
- YuSong
- 92 -
RouterOS
PPTP-Server IP 192.168.100.1(local-address)
192.168.100.2(remote-address) IP Secrets
profile /ip pool DHCP
limit
limit idle-timeout 1
Rate-limit
512K 1M only-one
yes
- YuSong
- 93 -
RouterOS
secret name password service pptp

profile default-encryption PPTP-Server
PPTP-Client
PPTP B PPTP-Client PPP PPTP-Client
dial-out PPTP server-address 202.112.12.10 A
- YuSong
- 94 -
RouterOS
cdnat A PPTP-Server
A B IP NAT A A
A B AB PPTP
A PPTP IP 192.168.100.1
PPTP A
6.8 RouterOS
RouterOS
/ip firewall mangle mark-routing
/ip route routing-mark
/ip route rule table
mark-routing
routing-mark
table
ip firewall manglerouting-mark table ip

route
- YuSong
- 95 -
RouterOS
route1route2 route3
- YuSong
- 96 -
RouterOS
ip route rules table
ip route
RouterOS Main ip route

rule
6.9 PCC
PCC ( src-address, src-port,
dst-address,dst-port)
PCC
PCC IP 32bit
DenominatorRemainder
src-address, dst-address, src-port, dst-port
per-connection-classifier=
PerConnectionClassifier ::= [!]ValuesToHash:Denominator/Remainder
Remainder ::= 0..4294967295
Denominator ::= 1..4294967295
(integer number)
(integer number)
- YuSong
- 97 -
RouterOS
ValuesToHash ::= src-address|dst-address|src-port|dst-port[,ValuesToHash*]
per-connection-classifier
: 3
/ip firewall mangle add chain=prerouting action=mark-connection
new-connection-mark=1st_conn per-connection-classifier=both-addresses:3/0
new-connection-mark=2nd_conn per-connection-classifier=both-addresses:3/1
new-connection-mark=3rd_conn per-connection-classifier=both-addresses:3/2
per-connection-classifier=both-addresses:3/03/0
3 3/1
PCC RouterOS v3.24

PCC

2 WAN wan1 wan2
ISP1 10.200.15.99/2410.200.15.1
ISP2 10.200.100.99/2410.200.100.2
IP 192.168.100.1/24
DNS 192.168.100.1 DNS
- YuSong
- 98 -
RouterOS
ip address IP
ip dns setting DNS DNS 61.139.2.69
Mangle
ip firewall mangle per-connection-classifier
mangle advanced per-connection-classifier

both-addresses
- YuSong
- 99 -
RouterOS
dst-address-type=!local
2 2/0 2/1
- YuSong
- 100 -
RouterOS
1st_conn 1st_route
per-connection-classifier=both-addresses:2/0, in-interface=lan
/ip firewall mangle

add action=mark-connection chain=prerouting comment="" disabled=no \
in-interface=lan new-connection-mark=1st_conn passthrough=yes \
per-connection-classifier=both-addresses:2/0
add action=mark-routing chain=prerouting comment="" connection-mark=1st_conn \
disabled=no in-interface=lan new-routing-mark=1st_route passthrough=yes
2nd_conn 2nd_route
per-connection-classifier=both-addresses:2/1 in-interface=lan:
/ip firewall mangle

add action=mark-connection chain=prerouting comment="" disabled=no \
in-interface=lan new-connection-mark=2nd_conn passthrough=yes \
per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment="" connection-mark=2nd_conn \
disabled=no in-interface=lan new-routing-mark=2nd_route passthrough=yes
winbox mangle
- YuSong
- 101 -
RouterOS
/ ip firewall mangle
add chain=input in-interface=wan1 action=mark-connection
new-connection-mark=1st_conn
add chain=input in-interface=wan2 action=mark-connection
new-connection-mark=2nd_conn
winbox
add chain=output connection-mark=1st_conn action=mark-routing

new-routing-mark=1st_route
add chain=output connection-mark=2nd_conn action=mark-routing
new-routing-mark=2nd_route
winbox
- YuSong
- 102 -
RouterOS
ip route
routing-mark=1st_route
routing-mark=2nd_route
- YuSong
- 103 -
RouterOS
distance 1 check-gateway=ping ping

:
- YuSong
- 104 -
RouterOS
nat
nat ip firewall nat action=masquerade 2
/ip firewall nat

add action=masquerade chain=srcnat out-interface=wan1
add action=masquerade chain=srcnat out-interface=wan2
- YuSong
- 105 -
RouterOS
PCC
6 PCC
both addresses
6
6 ADSL mangle prerouting
ip route PPPoE
- YuSong
- 106 -
RouterOS
DHCP
DHCP() IP
RouterOS Server Client, DHCP-relay
7.1 DHCP-Client
: /ip dhcp-client
MikroTik RouterOS DHCP-client WLAN client
DNS IP
DHCP-client
add-default-route (yes | no; : yes) DHCP

client-id () administraor ISP
enabled (yes | no; : no) DHCP
host-name ()
interface (; : (unknown)) interface ( wireless EoIP )
use-peer-dns (yes | no; : yes) DHCP DNS (/ip dns )
default-route-distance (integer:0..255; : )
add-default-route yes
status (bound | error | rebinding... | requesting... | searching... | stopped) DHCP-Client
renewid
release (id) DHCP DHCP
- YuSong
- 107 -
RouterOS
ether1 interface DHCP-client

/ip dhcp-client add interface=ether1 disabled=no
[admin@MikroTik] ip dhcp-client> print detail
0
interface=ether1 add-default-route=yes use-peer-dns=yes use-peer-ntp=yes

status=bound address=192.168.0.65/24 gateway=192.168.0.1
dhcp-server=192.168.0.1 primary-dns=192.168.0.1 primary-ntp=192.168.0.1
expires-after=9m44s
[admin@MikroTik] ip dhcp-client>
Winbox
7.2 DHCP-Server
: /ip dhcp-server
: /ip pool
dhcp server interface () DHCP interface

dhcp address space (IP /; : 192.168.0.0/24) DHCP
gateway (IP ; : 0.0.0.0)
dhcp relay (IP ; : 0.0.0.0) DHCP DHCP DHCP IP
addresses to give out () DHCP IP
dns servers (IP ) DHCP DNS
lease time (; : 3d)
DHCP ether1 interface 10.0.0.2 10.0.0.254 10.0.0.1
DNS 159.148.60.2 3
- YuSong
- 108 -
RouterOS
[admin@MikroTik] ip dhcp-server> setup
DHCP interface
dhcp server interface: ether1

DHCP
dhcp address space: 10.0.0.0/24
gateway for dhcp network: 10.0.0.1

IP DHCP
addresses to give out: 10.0.0.2-10.0.0.254

DNS
dns servers: 159.148.60.2
lease time: 3d
[admin@MikroTik] ip dhcp-server>
[admin@MikroTik] ip dhcp-server> print

#
NAME
INTERFACE RELAY
ADDRESS-POOL LEASE-TIME ADD-ARP
dhcp1
ether1
dhcp_pool1
0.0.0.0
3d
no
[admin@MikroTik] ip dhcp-server> network print

# ADDRESS
0 10.0.0.0/24
GATEWAY
10.0.0.1
DNS-SERVER
WINS-SERVER
DOMAIN
159.148.60.2
[admin@MikroTik] ip dhcp-server> /ip pool print

# NAME
0 dhcp_pool1
RANGES
10.0.0.2-10.0.0.254
[admin@MikroTik] ip dhcp-server>
Winbox DHCP /ip pool
- YuSong
- 109 -
RouterOS
/ip dhcp-server DHCP ether1
/ip dhcp-server network DNS
- YuSong
- 110 -
RouterOS
DNS
DNS DNS DNS DNS
: system
: Level1
: /ip dns
8.1 DNS
allow-remote-requests (yes | no)

primary-dns (IP ; : 0.0.0.0) DNS
secondary-dns (IP ; : 0.0.0.0) DNS
cache-size (: 512..10240; : 2048 kB) DNS KB
cache-max-ttl (; : 7d)
cache-used (:) KB
/ip dhcp-client use-peer-dns yes/ip dns primary-dns

DHCP DNS
DNS 61.139.2.69
[admin@MikroTik] ip dns> set primary-dns=61.139.2.69
[admin@MikroTik] ip dns> print
- YuSong
- 111 -
RouterOS
resolve-mode: remote-dns
primary-dns: 61.139.2.69
secondary-dns: 0.0.0.0
[admin@MikroTik] ip dns>
4.6 DNS
allow remote requests DNS cashe size
: /ip dns cache

name (: ) DNS
address (: IP ) IP
ttl ()
8.2 DNS
: /ip dns static
MikroTik RouterOS DNS DNS DNS IP
name () IP DNS
address (IP ) IP
www.example.com DNSIP 10.0.0.1
[admin@MikroTik] ip dns static> add name www.example.com address=10.0.0.1
[admin@MikroTik] ip dns static> print
- YuSong
- 112 -
RouterOS
# NAME
ADDRESS
0 aaa.aaa.a
TTL
123.123.123.123 1d
1 www.example.com
10.0.0.1
1d
[admin@MikroTik] ip dns static>
DNS
: /ip dns cache flush
flush DNS clears internal DNS cache

[admin@MikroTik] ip dns> cache flush
[admin@MikroTik] ip dns> print
primary-dns: 159.148.60.2
secondary-dns: 0.0.0.0
allow-remote-requests: no
cache-size: 2048 kB
cache-max-ttl: 7d
cache-used: 10 kB
[admin@MikroTik] ip dns>
Firewall Filte
RouterOS ip firewall IP P2P IPIP ICMP
TCPMSS ToS
...
inputforeward output chain
RouterOS address-list L7-protocol
firewall TCP 135
/ip firewall filter add chain=forward dst-port=135 protocol=tcp action=drop
Telnet ( TCP, 23)
/ip firewall filter add chain=input protocol=tcp dst-port=23 action=drop
9.1 Firewall
: /ip firewall filter
LAN
- YuSong
- 113 -
RouterOS
MikroTik RouterOS
P2P
IPv6
MAC
IP
IP
(ICMP TCP IP MSS)
Interface
ToS (DSCP)
Connection-rate
PCC
IP
Chains
chainsinput, forward output
action=jump jump-target
chains
input IP IP
input-chains
forward
output
IP input
- YuSong
- 114 -
RouterOS
IP output
IP forward
chain chain
- YuSong
- 115 -
RouterOS
9.2
input
- YuSong
- 116 -
RouterOS
input
;;;
IP (src-address= IP,)
chain=input src-address=192.168.100.2 action=accept

1
;;;
chain=input connection-state=invalid action=drop

2
;;;
chain=input action=drop
forward
forward 7 ICMP virus
0 ;;;
chain=forward connection-state=established action=accept

1 ;;;
chain=forward connection-state=related action=accept

2 ;;;
- YuSong
- 117 -
RouterOS
chain=forward connection-state=invalid action=drop
3
;;;
TCP 80
chain=forward protocol=tcp connection-limit=80,32 action=drop

4
;;;
chain=forward src-address-type=!unicast action=drop

5
;;;
ICMP
chain=forward protocol=icmp action=jump jump-target=ICMP

6
;;;
chain=forward action=jump jump-target=virus

forward
ICMP ICMPInternet ICMP IP

ICMP IP TCP UDPpingtraceroute
trace TTL ICMP ICMP
ICMP
;;; Ping 5
chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
;;; Traceroute 5
- YuSong
- 118 -
RouterOS
chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept
;;; MTU 5
chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept

;;; Ping 5

;;; Trace TTL 5

5
;;;
ICMP
chain=ICMP protocol=icmp action=drop
ICMP
ICMP
ICMP
ICMP ICMP
Ping
o
8:0
0:0
Trace
o
11:0 TTL
3:3
MTU
o
3:4 Fragmentation-DF-Set
ICMP
pingICMP
tracerouteTTL
MTUICMP Fragmentation-DF-Set
virus
- YuSong
- 119 -
RouterOS
IP
add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
chains
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
tcp-chain tcp
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
udp-chain udp Deny udp ports in udp chain:
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
- YuSong
- 120 -
RouterOS
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"
icmp-chain icmp
add chain=icmp protocol=icmp icmp-options=0:0 action=accept
comment="drop invalid connections"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
comment="allow established connections"
comment="allow already established connections"
comment="allow source quench"
comment="allow echo request"
comment="allow time exceed"
comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"
8.3 Peer-to-Peer
Peer-to-peer p2p Skype
http e-mail RouterOS
P2P QOS P2P
[admin@MikroTik] /ip firewall filter> add chain=forward p2p=all-p2p action=drop
[admin@MikroTik] /ip firewall filter> print chain=forward
0
chain=forward action=drop p2p=all-p2p
Fasttrack (Kazaa, KazaaLite, Diet Kazaa, Grokster, iMesh, giFT, Poisoned, mlMac)
Gnutella (Shareaza, XoLoX, , Gnucleus, BearShare, LimeWire (java), Morpheus, Phex,

Swapper, Gtk-Gnutella (linux), Mutella (linux), Qtella (linux), MLDonkey, Acquisition (Mac
OS), Poisoned, Swapper, Shareaza, XoloX, mlMac)
Gnutella2 (Shareaza, MLDonkey, Gnucleus, Morpheus, Adagio, mlMac)
DirectConnect (DirectConnect (AKA DC++), MLDonkey, NeoModus Direct Connect,

BCDC++, CZDC++ )
eDonkey (eDonkey2000, eMule, xMule (linux), Shareaza, MLDonkey, mlMac, Overnet)
Soulseek (Soulseek, MLDonkey)
BitTorrent (BitTorrent, BitTorrent++, uTorrent, Shareaza, MLDonkey, ABC, Azureus,

BitAnarch, SimpleBT, BitTorrent.Net, mlMac)
Blubster (Blubster, Piolet)
WPNP (WinMX)
Warez (Warez, Ares; starting from 2.8.18) drop
- YuSong
- 121 -
RouterOS
9.4 RouterOS 7
RouterOS V3.0 7 skypeQQMSN
Layer7-protocol filter
10 2kb
7 ip firewall Layer7 Protocols
7 Regexp Regexp
7
http://www.mikrotik.com.cn/download/m3dex.htm MikroTik RouterOS 3.0 7
FTP Files
(Terminal) 7 import 17-protos.rsc
- YuSong
- 122 -
RouterOS
[admin@MikroTik] > import l7-protos.rsc
Opening script file l7-protos.rsc
Script file loaded and executed successfully
[admin@MikroTik] >
Layer7 Protocols
ip firewall Layer7 Protocols Filter

Rules L7
- YuSong
- 123 -
RouterOS
QQ QQ Advanced Layer7
Protocols qq Action drop L7 QQ
IP IP src-address dst-address
9.5 DMZ
- YuSong
- 124 -
RouterOS
DMZ demilitarized zone
Web FTP
DMZ
3 Public Local DMZ-Zone :

[admin@gateway] interface> print
#
NAME
TYPE
RX-RATE
TX-RATE
MTU
0 R Public
ether
1500
1 R Local
ether
1500
1500
2 R DMZ-zone
ether
[admin@gateway] interface>
Interface IP
[admin@gateway] ip address> print

#
ADDRESS
192.168.0.2/24
NETWORK
192.168.0.0
BROADCAST
INTERFACE
192.168.0.255
Public
10.0.0.254/24
10.0.0.0
10.0.0.255
Local
10.1.0.1/32
10.1.0.2
10.1.0.2
DMZ-zone
192.168.0.3/24
192.168.0.0
192.168.0.255
Public
[admin@gateway] ip address>

Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
#
DST-ADDRESS
0 S 0.0.0.0/0
1 DC 10.0.0.0/24
G GATEWAY
DISTANCE INTERFACE
r 10.0.0.254
ether1
ether1
r 0.0.0.0
DMZ IP IP 10.1.0.2 10.1.0.1/24 10.1.0.1
DMZ dst-nat 192.168.0.3 DMZ
[admin@gateway] ip firewall nat> add chain=dst-nat action=dst-nat \

\... dst-address=192.168.0.3 to-dst-address=10.1.0.2
[admin@gateway] ip firewall dst-nat> print
Flags: X - disabled, I - invalid, D dynamic
0 Chain=dst-nat dst-address=192.168.0.3 action=dst-nat to-dst-address=10.1.0.2
[admin@gateway] ip firewall nat>
- YuSong
- 125 -
RouterOS
RouterOS (Packet Flow)

RouterOS IP RouterOS RouterOS
IP
9.1 IP
RouterOS 3.0 2
Bridging(MAC) Layer-3
Routing or Layer-3 (IP) Bridging
- YuSong
- 126 -
RouterOS
9.2
RouterOS
- /ip firewall connection tracking

- /ip firewall filter
- YuSong
- 127 -
RouterOS
- /ip firewall nat

- /ip firewall mangle
- /queue simple
/queue tree
- /ip ipsec policy

- /ip accounting
- /interface bridge settings Use IP Firewall Yes
Layer-3
- /interface bridge filter
- /interface bridge nat
Hotspot
MAC MAC
out-bridge-port
IP
mangle output
TTL 1 TTL 0
IPsec
- YuSong
- 128 -
RouterOS
Hotspot-in
use-ip-firewall=yes
Ethernet Ethernet
- YuSong
- 129 -
RouterOS
IPsec
IPsec
- YuSong
- 130 -
RouterOS
Queue
(delivery) MikroTik RouterOS
:
PFIFO -
BFIFO
SFQ -
RED
PCQ
HTB
: system
: Level1 ( 1 ) Level3
: /queue
11.1 Queue
(QoS) QoS
RouterOS :
IP
P2P
WEB
(:)
( global-in global-out global-total)
- YuSong
- 131 -
RouterOS
QoS TCP TCP
QoS :
Queuing discipline (qdisc) - (

)
CIR (Committed Information Rate) -
MIR (Maximal Information Rate) -
Priority -
Contention Ratio - ()
: 1:4 4
/queue interface (
)(/queue tree)/queue interface
qdiscs
:
(schedulers) -
: PFIFO BFIFO SFQ PCQ RED
(shapers) - PCQ HTB
RouterOS :
global-in - (INGRESS ) global-in

global-in mangle dst-nat
global-out -
global-total - qdisc global-total

total-max-limit 256000
upload+download=256kbps()
11.2 Queue Type

: /queue type
/queue tree /queue simple /queue
interface
PFIFO BFIFO
(FIFOFirst-In First-Out)PFIFO BFIFO
pfifo-limit (bfifo-limit) FIFO
- YuSong
- 132 -
RouterOS
FIFO
SFQ
SFQTCP UDP
SFQ round-robin sfq-perturb
Round-robin pcq-allot
SFQ 128 1024 SFQ

starve
PCQ
SFQ Per Connection Queuing (PCQ)
SFQPCQ pcq-classifier
pcq-rate pcq-limit PCQ pcq-total-limit
PCQ
- YuSong
- 133 -
RouterOS
src-address IP pcq-rate
src-address
src-address
pcq-classifier pcq-rate 0 PCQ
RED
RED red-min-threshold
RED
red-max-threshold red-max-threshold
red-limit
RED TCP UDP
bfifo-limit (; : 15000) - BFIFO

kind (bfifo | pcq | pfifo | red | sfq)
bfifo -
pcq
pfifo
red
sfq -
name () -
pcq-classifier (dst-address | dst-port | src-address | src-port; : "") - PCQ
src-addresssrc-port
pcq-limit (; : 50) - PCQ

pcq-rate (; : 0) - 0
pcq-total-limit (; : 2000) - PCQ
pfifo-limit () - PFIFP
red-avg-packet (; : 1000) - RED
red-burst () - RED
red-limit () -
red-max-threshold () -
red-min-threshold () - RED
- YuSong
- 134 -
RouterOS
sfq-allot (; : 1514) - round-robin

sfq-perturb (; : 5) - SFQ
Bursts
1/16 burst-time burst-time
burst-threshold burst-limit bps
max-limit limit-at
max-limit=256000 burst-time=8 burst-threshold=192000
burst-limit=512000 HTTP
8 0bps burst-threshold
(192kbps)(0+0+0+0+0+0+0+512)/8=64kbps
burst-threshold(0+0+0+0+0+0+512+512)/8=128kbps
burst-threshold max-limit (256kbps)
11.3 Simple Queue

IP QoS
P2P
FIFO
/ip firewall mangle
burst-limit (/) - in/out/

burst-threshold (/) - burst-threshold
burst-limit in/out/
burst-time (/) - in/out/
direction () -
none
both
- YuSong
- 135 -
RouterOS
upload
download -
dst-address (IP /) -
dst-netmask () - dst-address
interface () -
limit-at (/) in/out/
max-limit (/) - in/out/
name () -
p2p (any | all-p2p | bit-torrent | blubster | direct-connect | edonkey | fasttrack | gnutella | soulseek | winmx)
P2P
all-p2p P2P
any
packet-marks (; : "") - /ip firewall
mangle ("")
parent () -
priority (: 1..8) - 1 8
queue (/; : default/default) - in/out//queue type
target-addresses (IP /) - IP
time (sat | fri | thu | wed | tue | mon | sun{+}; : "") -
total-burst-limit () - global-total
total-burst-threshold () - global-total
total-burst-time () - global-total
total-limit-at () - total-limit-at bps
total-max-limit () - global-total ( total-max-limit bps)
total-queue () - global-total
192.168.0.0/24 1Mb 512kb 192.168.0.1
- YuSong
- 136 -
RouterOS
simple queue RouterOS IP NAT
Flags: X disabled, I invalid, D - dynamic
#
ADDRESS
192.168.0.254/24
10.5.8.104/24
NETWORK
BROADCAST
192.168.0.0
10.5.8.0
INTERFACE
192.168.0.255
10.5.8.255
Local
Public

Flags: X disabled, A active, D dynamic,
C connect, S static, r rip, b bgp, o - ospf
#
DST-ADDRESS
G GATEWAY
DISTANCE INTERFACE
0 ADC 10.5.8.0/24
Public
1 ADC 192.168.0.0/24
Local
2 A S 0.0.0.0/0
r 10.5.8.1
Public
ip firewall nat src-nat nat
192.168.0.0/24 2Mb 1Mb
[admin@MikroTik] queue simple> add name=Limit-Local target-address=192.168.0.0/24
max-limit=1000000/2000000
[admin@MikroTik] queue simple> print
Flags: X - disabled I - invalid D - dynamic
0
name="Limit-Local" target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0

parent=none priority=8 queue=default/default limit-at=0/0 max-limit=1000000/2000000
total-queue=default
[admin@MikroTik] queue simple>
max-limit target-addresses
max-limit=0/0
[admin@MikroTik] queue simple> add name=Server target-addresses=192.168.0.1/32

0

total-queue=default
name="Server" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0

total-queue=default
[admin@MikroTik] queue simple> move 1 0
- YuSong
- 137 -
RouterOS
0
name="Server" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0

parent=none priority=8 queue=default/default
limit-at=0/0 max-limit=0/0 total-queue=default

parent=none priority=8 queue=default/default
limit-at=0/0 max-limit=65536/131072 total-queue=default
[admin@MikroTik] queue simple>
11.4 HTB
HTB
Child inner() Children Leaf
,, Leaf RouterOS Parent()
HTB 2
CIR ( Committed Information Rate) ( RouterOS limit-at)

CIR ()
MIR ( Maximal Information Rate) ( RouterOS max-limit)
Limit-atCIR
max-limit (MIR).
CIR ( max-limit )
CIR
CIR(parent)* CIR(child1) +...+ CIR(childN)

* CIR(parent)=MIR(parent)
MIR (parent) MIR(child1) & MIR (parent) MIR(child2) & ... & MIR (parent) MIR(childN)
winbox
0% - 50%
51% - 75%
76% - 100%
- YuSong
- 138 -
RouterOS
limit-at (CIR) Child

max-limit max-limit8 1
:
leaf inner, inner leaf
max-limit 0
HTB HTB HTB 5
Queue01 2 - Queue02 Queue03
Queue02 2 - Queue04 Queue05
Queue03
Queue04
Queue05
Queue03Queue04 Queue05 10Mbps 10Mbps
1:
Queue01 limit-at=0Mbps max-limit=10Mbps
Queue03 limit-at=6Mbps max-limit=10Mbps priority=1
- YuSong
- 139 -
RouterOS
Queue03 6Mbps
Queue04 2Mbps
Queue05 2Mbps
HTB limit-at
2max-limit
Queue03 2Mbps
Queue04 6Mbps
Queue05 2Mbps
limit-at HTB
3: inner limit-at
- YuSong
- 140 -
RouterOS
Queue03 2Mbps
Queue04 6Mbps
Queue05 2Mbps
limit-at HTB
Queue02 Limit-at 8Mbps Queue04 Queue05Queue04
4leaf Limit-at
- YuSong
- 141 -
RouterOS
Queue03 3Mbps
Queue04 1Mbps
Queue05 6Mbps
Limit-atHTB 20MbpsQueue03 6Mbps Queue04 2MbpsQueue05

12Mbps 10Mbps FIFO 6:2:12
3:1:6
RouterOS HTB
RouterOS 4 HTB :
global-in
global-total
global-out
interface queue
3 HTB (in global-in global-total and global-out)
4 HTB global-in global-total global-out interface queue

global-in global-total HTB global-total
global-out interface
- YuSong
- 142 -
RouterOS
11.5 Queue tree

: /queue tree
IP /ip firewall mangle
burst-limit () -
burst-threshold () - burst-threshold
burst-limit
burst-time () -
flow () - /ip firewall mangle
limit-at () -
max-limit () -
name () -
parent () - HTB
priority (: 1..8) - 1 8
queue () - /queue type
Queue tree HTB

3 VIPWeb Other VIP 1
web 2 Other 7 1M ADSL HTB
new-connection-mark mark-connection
new-packet-mark mark-packet
VIP ip firewall address-list VIP src-address-list
[admin@Office] /ip firewall mangle> print
0
;;; vip
- YuSong
- 143 -
RouterOS
chain=forward action=mark-connection new-connection-mark=vip
passthrough=yes src-address-list=vip
chain=forward action=mark-packet new-packet-mark=vip passthrough=no

connection-mark=vip
web tcp/80 DNS tcp/53 udp/53
;;; web
chain=forward action=mark-connection new-connection-mark=web
passthrough=yes protocol=tcp dst-port=80

passthrough=yes protocol=tcp dst-port=53

passthrough=yes protocol=udp dst-port=53
chain=forward action=mark-packet new-packet-mark=web passthrough=no

connection-mark=web
Other VIP Web

Other
6
;;; other
chain=forward action=mark-connection new-connection-mark=other
passthrough=yes
chain=forward action=mark-packet new-packet-mark=other passthrough=no

connection-mark=other
queue tree ADSL 1Mbps 250kps
VIP Max-limit=800k limit-at=400k Max-limit=2200k limit-at=200k 1
- YuSong
- 144 -
RouterOS
WebMax-limit=800k limit-at=400k Max-limit=200k limit-at=200k 2
OtherMax-limit=600k limit-at=200k Max-limit=150k limit-at=50k 7
queue tree
[admin@Office] /queue tree> print
0
name="totalup" parent=ADSL packet-mark="" limit-at=0 queue=default

priority=1 max-limit=250000 burst-limit=0 burst-threshold=0 burst-time=0s
name="totaldown" parent=ether2 packet-mark="" limit-at=0 queue=default

priority=8 max-limit=1000000 burst-limit=0 burst-threshold=0
burst-time=0s
name="vipdown" parent=totaldown packet-mark=vip limit-at=0 queue=default

name="vipup" parent=totalup packet-mark=vip limit-at=0 queue=default

name="otherdown" parent=totaldown packet-mark=other limit-at=0 queue=down

name="otherup" parent=totalup packet-mark=other limit-at=0 queue=up

name="webup" parent=totalup packet-mark=web limit-at=0 queue=default

name="webdown" parent=totaldown packet-mark=web limit-at=0 queue=default

11.6 PCQ
- YuSong
- 145 -
RouterOS
PCQ
FIFO FIFO PCQ :
pcq-classifier (dst-address | dst-port | src-address | src-port; : "") :
pcq-rate () :
pcq-limit () :
pcq-total-limit () : FIFO
100 1000kbps 1 PCQ PCQ 100
IP
PCQ 18 PCQ
PCQ
- YuSong
- 146 -
RouterOS
RouterOS PCQ ,
- YuSong
- 147 -
RouterOS
PCQ 128k 128k

PCQ PCQ 0k
2 73k
192.168.10.0/24 PCQ
100
Queue Type
PCQ 512k 1m
- YuSong
- 148 -
RouterOS
1m 100 limit
total-limit 50*100=5000 dst-address
src-address 512k
- YuSong
- 149 -
RouterOS
Limit Total-Limit
total-limit 2000 40 total-limit/limit=2000/50=40
total-limit limit
(limit) 10-20
Queue Type Simple Queue General

10M 5M 192.168.10.0/24
Queue-type advanced PCQ Up Down
PCQ simple queue
11.7 HTB PCQ

MikroTik RouterOS PPPoE ADSL
- YuSong
- 150 -
RouterOS
WiFi bridge
ADSL PPPoE . ether1 ether1 ADSL-modem
IP 192.168.10.1/24 WiFi
NAT/Masquerad
ADSL 3Mbps
IP
192.168.10.6
VIP
192.168.10.7
192.168.10.0/24
8 icmp
ICMP
icmp
ADSL RouterOS
90%
VIP
ICMP
CIR Limit-atMIR Max-limit

CIR MIR
- YuSong
- 151 -
RouterOS
ether2-wan ADSL ether1-lan wlan1 bridge1
[admin@MikroTik] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
#
NAME
0 R ADSL
TYPE
MTU
pppoe-out
1480
L2MTU
1 R bridge1
bridge
1500
2 R ether1-lan
ether
1500 1526
3 R ether2-wan
ether
1500 1524
ether
1500 1524
ether
1500 1524
ether3
5 R wlan1
65535
[admin@MikroTik] /interface>
HTB
HTB parents HTB
ADSL 2850/420kbps, queue tree 90%
parent bridge1 ADSL
/queue tree add name=Download parent=bridge1 max-limit=2600k

/queue tree add name=Upload parent=ADSL max-limit=360k
ICMP
ICMP ICMP ICMP mangle
/ip firewall mangle add protocol=icmp action=mark-connection new-connection-mark=icmp-con

chain=forward
/ip firewall mangle add connection-mark=icmp-con action=mark-packet new-packet-mark=icmp
chain=forward
Queue tree, ICMP CIR 100kbps MIR
500kbps ICMP
/queue tree add name=icmp-down parent=Download packet-mark=icmp limit-at=100k max-limit=500k
priority=1
/queue tree add name=icmp-up parent=Upload packet-mark=icmp limit-at=100k max-limit=500k
priority=1
VIP
192.168.10.7 VIP CIR VIP
800kbps 200kbps MIR 2600kbps
VIP
- YuSong
- 152 -
RouterOS
/ip firewall mangle add src-address=192.168.10.7/32 action=mark-connection
new-connection-mark=vip-con chain=forward
/ip firewall mangle add connection-mark=vip-con action=mark-packet new-packet-mark=vip
chain=forward
Queue tree VIP
/queue tree add name=vip-down parent=Download limit-at=1024 packet-mark=vip max-limit=5000k
priority=2
/queue tree add name=vip-up parent=Upload limit-at=512 packet-mark=vip max-limit=100k
priority=2
192.168.10.6 HTB
/ip firewall mangle add src-address=192.168.10.6/32 action=mark-connection
new-connection-mark=server-con chain=forward
/ip firewall mangle add connection-mark=server-con action=mark-packet new-packet-mark=server
chain=forward
Queue tree
/queue tree add name=server-down parent=Download limit-at=1024 packet-mark=server
max-limit=2600k priority=4
/queue tree add name=server-up parent=Upload limit-at=512 packet-mark=server max-limit=300k
priority=4
192.168.10.0/24 src-address
users-conusers
/ip firewall mangle add chain=forward src-address=192.168.10.0/24 action=mark-connection
new-connection-mark=users-con
/ip firewall mangle add connection-mark=users-con action=mark-packet new-packet-mark=users
chain=forward passthrough=no
2 PCQ ADSL-down dst-address ADSL pcq-rate
0 ADSL-up ADSL src-address
pcq-rate=100kbps ADSL
/queue type add name=ADSL-down kind=pcq pcq-classifier=dst-address
/queue type add name=ADSL-up kind=pcq pcq-rate=100k pcq-classifier=src-address
queue tree
/queue tree add parent=Download queue=users-down packet-mark=users
/queue tree add parent=Upload queue=users-up packet-mark=users
- YuSong
- 153 -
RouterOS
11.8 PCQ HTB

6M 12M
1 ip firewall mangle
2 queue type
3 queue tree
1 Mangle
2 Queue Type 200 PCQ
3 Queue Tree 2M 1.2M
- YuSong
- 154 -
RouterOS
HTB
HTB HTB+PCQ
1 PCQ gamesdown
- YuSong
- 155 -
RouterOS
11M 2M 9M HTB 1
8 3M 2M
6M
PCQ PCQ Queue-type
11.9 Connection Rate

Connection Rate
Connection Rate
connection tracking IP
Connection-bytesConnection-bytes
Connection Rate "connection-bytes"Connection Rate
"connection-bytes" "connection-rate" TCP UDP ()

"connection-rate"
100kbps TCP/UDP
/ip firewall filter
add action=accept chain=forward connection-rate=0-100k protocol=tcp
add action=accept chain=forward connection-rate=0-100k protocol=udp
Connection Rate 3.30
Connection-rate HTB heavy

connectionsP2PHTTPFTP
VOIPHTTP
connection-rate "heavy connections" HTTP
500kB(4Mb connection-bytes )VOIP 200kbps 500kB
200kbps "heavy connections"
- YuSong
- 156 -
RouterOS
( HTTP VOIP "connection-bytes"
)
6Mbps
per-connection-classifier=
PerConnectionClassifier ::= [!]ValuesToHash:Denominator/Remainder
Remainder ::= 0..4294967295
Denominator ::= 1..4294967295
(integer number)
(integer number)
ValuesToHash ::= src-address|dst-address|src-port|dst-port[,ValuesToHash*]
/ip firewall mangle

add chain=forward action=mark-connection connection-mark=!heavy_traffic_conn
new-connection-mark=all_conn
add chain=forward action=mark-connection connection-bytes=500000-0 \
connection-mark=all_conn connection-rate=200k-100M \
new-connection-mark=heavy_traffic_conn protocol=tcp
new-connection-mark=heavy_traffic_conn protocol=udp
add chain=forward action=mark-packet connection-mark=heavy_traffic_conn \
new-packet-mark=heavy_traffic passthrough=no
add chain=forward action=mark-packet connection-mark=all_conn \
new-packet-mark=other_traffic passthrough=no
/queue tree
add name=upload parent=public max-limit=6M
add name=other_upload parent=upload limit-at=4M max-limit=6M \
packet-mark=other_traffic priority=1
add name=heavy_upload parent=upload limit-at=2M max-limit=6M \
packet-mark=heavy_traffic priority=8
add name=download parent=local max-limit=6M
add name=other_download parent=download limit-at=4M max-limit=6M \
add name=heavy_download parent=download limit-at=2M max-limit=6M \
mangle 2 2
forward
heavy max-limitheavy
connection-rate
heavy"heavy"
Mangel
- YuSong
- 157 -
RouterOS
/ip firewall mangle

add chain=forward action=mark-connection connection-mark=!heavy_traffic_conn
new-connection-mark=all_conn
"heavy"heavy

new-connection-mark=heavy_traffic_conn protocol=tcp
new-connection-mark=heavy_traffic_conn protocol=udp
heavy 500KB 200kbps
heavy
add chain=forward action=mark-packet connection-mark=heavy_traffic_conn \

new-packet-mark=heavy_traffic passthrough=no
add chain=forward action=mark-packet connection-mark=all_conn \
new-packet-mark=other_traffic passthrough=no
2 mangle
HTBThis is a simple queue tree that is placed on the Interface HTB

ISP wanlan wan lan
/queue tree
add name=upload parent=public max-limit=6M
add name=other_upload parent=upload limit-at=4M max-limit=6M \
add name=heavy_upload parent=upload limit-at=2M max-limit=6M \
add name=download parent=local max-limit=6M
add name=other_download parent=download limit-at=4M max-limit=6M \
add name=heavy_download parent=download limit-at=2M max-limit=6M \
Connection-rate HTB
Connection-rate HTB tcp/80
HTB
Mangle
- YuSong
- 158 -
RouterOS
mangle
games_v2.rsc RouterOS files
import
[admin@MikroTik] > import games_v2.rsc

Opening script file games_v2.rsc
[admin@MikroTik] >
ip firewall mangle dstgames
forward prerouting
tcp/3724
- YuSong
- 159 -
RouterOS
connection-rate 1-59k 1-59kps
action mark-connection dstgamespassthrough=yes
Forward
forward forward dstgames
/ip firewall mangle add chain=forward action=jump jump-target=dstgames
- YuSong
- 160 -
RouterOS
forward
192.168.88.0/24
dstgames
dstgames mark-packet queue

packet dst-address
passthrough=no
connection-rate 4
- YuSong
- 161 -
RouterOS
chain=forward action=mark-connection new-connection-mark=web_video passthrough=yes protocol=tcp

dst-port=80 connection-bytes=700000-0 connection-rate=70k-10M
- YuSong
- 162 -
RouterOS
tcp/80 connection-bytes 700k 700K

70kbps~10Mbps web_video
192.168.88.0/24
action=mark-packet web_video web_video web_video
passthrough=no
tcp/80 connection-mark web_video
chain=forward action=mark-connection new-connection-mark=low_web passthrough=yes protocol=tcp

dst-port=80 connection-mark=!webhighspeed
- YuSong
- 163 -
RouterOS
web_brows
web_brows web_browspassthrough=no
- YuSong
- 164 -
RouterOS
chain=forward action=mark-packet new-packet-mark=download passthrough=no

dst-address=192.168.88.0/24
- YuSong
- 165 -
RouterOS
all_up HTB PCQ
HTB PCQ
HTB PCQ queue tree HTB
PCQ
queue type PCQ down PCQkind=pcqrate
0 k m dst-address
- YuSong
- 166 -
RouterOS
PCQ rate=200k 200k

2M ADSL 512kbps src-address
- YuSong
- 167 -
RouterOS
PCQ HTBHTB HTB

PCQ HTB
1 down up
2 down up forward global-out parent global-out
3 down 4 down
priority1 8 1web 2web 7 8.
4 max-limit limit-at
limi-at max-limit
5 2M ADSL 2Mbps
1900kbps 400kbps 10Mbps 2M
- YuSong
- 168 -
RouterOS
HTB packet marks
parent=down down
packet-mark games queue type PCQ down
priority 1 1M 400kbps
1Mbps
- YuSong
- 169 -
RouterOS
priority 2max-limit 1200k 700k
- YuSong
- 170 -
RouterOS
7 1800k 500k
8 1800k 200k
- YuSong
- 171 -
RouterOS
PCQ up PCQ global-out packet-mark

all_upqueue-type PCQ up 200kbps max-limit 400k 2M
ADSL 512k
- YuSong
- 172 -
RouterOS
nat
(NAT) IP ()
IP
: system
: Level1Level3
: /ip firewall nat
: IP RFC1631 RFC2663
: CPU NAT
12.1 nat
IP IP
natted() natted
nat nat / IP
srcnat natted nat

IP IP
dstnat natted
dstnat IP IP
IP
nat
UDP TCP
NAT IPsec AH
- YuSong
- 173 -
RouterOS
nat nat
to-addresses
to-ports
web
dst-nat action=nat action=redirect
web
web web
IP web IP web
HTTP/1.1 HTTP web
IP HTTP
web
HTTP
web
action (accept | add-dst-to-address-list | add-src-to-address-list | dst-nat | jump | log |

masquerade | netmap | passthrough | redirect | return | same | src-nat; : accept) -
action
accept -
add-dst-to-address-list - address-list IP
add-src-to-address-list - address-list IP
dst-nat - to-addresses to-ports IP
jump - jump-target
log - action
masquerade - IP IP
netmap - IP 11 IP
passthrough -
redirect - IP
return -
same - / IP
src-nat - IP to-addresses to-ports

address-list () - action=add-dst-to-address-list
action=add-src-to-address-list IP
address-list-timeout (; : 00:00:00) - address-list
add-dst-to-address-list add-src-to-address-list
00:00:00 -
chain (dstnat | srcnat | name)
srcnat dstnat
- YuSong
- 174 -
RouterOS
dstnat - IP
srcnat - IP
comment () -
connection-bytes (-) -
0 - connection-bytes=2000000-0 2MB
connection-limit (, ) -
connection-mark () - mangle
connection-type (ftp | gre | h323 | irc | mms | pptp | quake3 | tftp) -
/ip firewall service-port
content () -
dst-address (IP / | IP address-IP address) - IP
address/netmask 1.1.1.1/24 1.1.1.0/24
dst-address-list () -
dst-address-type (unicast | local | broadcast | multicast) - IP
unicast - IP
local -
broadcast - IP IP
multicast - IP
dst-limit (/{0,1},, dst-address | dst-port | src-address{+},time{0,1}) -
IP pps limit IP /
Count - pps Time

Time -
Burst -
Mode -
Expire - IP /
dst-port (: 0..65535-: 0..65535{*}) -
hotspot (: from-client | auth | local-dst) - Hot-Spot
from-client - HotSpot
auth -
local-dst - IP
icmp-options (:) - ICMP Type:Code
in-interface (name) - interface the packet has entered the router through
ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing
| no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp) - ipv4
any - ipv4
loose-source-routing -
no-record-route -
no-router-alert -
no-source-routing -
no-timestamp -
record-route -
router-alert -
strict-source-routing -
timestamp -
- YuSong
- 175 -
RouterOS
jump-target (dstnat | srcnatname) - action=jump

limit (/{01}) -
Count - pps Time
Time -
Burst -
log-prefix () - action=log
nth (, : 0..15{0,1}) - N 16
Every - Every+1 Every=1

Counter -
Packet - 0 Every
Every+1 0 Every
out-interface (name) -
packet-size (: 0..65535-: 0..65535{0,1}) -
Min -
Max -
phys-in-interface (name) -
phys-out-interface (name) -
protocol (ddp | egp | encap | ggp | gre | hmp | icmp | idrp-cmtp | igmp | ipencap | ipip | ipsec-ah
| ipsec-esp | iso-tp4 | ospf | pup | rdp | rspf | st | tcp | udp | vmtp | xns-idp | xtp | ) -
IP
psd () - TCP UDP
FTP
WeightThreshold - TCP/UDP
DelayThreshold -
LowPortWeight - <=1024
HighPortWeight <=1024
random () -
routing-mark (name) - mangle
same-not-by-dst (yes | no) - action=same IP
IP
src-address (IP / | IP - IP ) - IP
src-address-list (name) -
src-address-type (unicast | local | broadcast | multicast) - IP
unicast - IP
local -
broadcast - IP IP
multicast - IP
src-mac-address (MAC address) - MAC
src-port (: 0..65535-: 0..65535{*}) -
tcp-mss (: 0..65535) - IP TCP MSS
time (-sat | fri | thu | wed | tue | mon | sun{+}) -
to-addresses (IP address-IP address{0,1}; default: 0.0.0.0) - IP

to-ports (: 0..65535-: 0..65535{0,1}) - IP
- YuSong
- 176 -
RouterOS
tos (max-reliability | max-throughput | min-cost | min-delay | normal) - IP ToS
max-reliability (ToS=4)
max-throughput (ToS=8)
min-cost (ToS=2)
min-delay (ToS=16)
normal (ToS=0)
12.2 nat
ISP 10.5.8.109 192.168.0.0/24 MikroTik
192.168.0.0/24 IP
10.5.8.109 nat
/ip firewall nat add chain=srcnat action=masquerade out-interface=Public

192.168.0.0/24 10.5.8.109 1024
nat
RouterOS masqueradesrc-nat IP Masquerade
source nat nat
masquerade IP
src-natto-address
Masquerade
add chain=srcnat src-address=192.168.0.0/24 action=masquerade out-interface=WAN

Src-nat
add chain=srcnat src-address=192.168.0.0/24 action=src-nat to-address=10.5.8.109

out-interface=WAN
12.3 nat
IP 10.5.8.200 192.168.0.109 MikroTik
IP
IP
/ip address add address=10.5.8.200/24 interface=Public
/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat \

to-addresses=192.168.0.109
- YuSong
- 177 -
RouterOS
10.5.8.200
/ip firewall nat add chain=srcnat src-address=192.168.0.109 action=src-nat \

to-addresses=10.5.8.200
dst-nat
dst-nat IP tcp/80
192.168.0.100
/ip firewall nat chain=dst-nat protocol=tcp dst-port=80 action=dst-nat

to-address=192.168.0.100
dst-nat
Redirect IP IP dst-nat Redirect
to-address tcp/80
chain=dstnat action=redirect protocol=tcp dst-port=80
11nat
IP 11.11.11.1/32 2.2.2.2/32
action=netmap
/ip firewall nat add chain=dstnat dst-address=11.11.11.1 \

action=netmap to-addresses=2.2.2.2
/ip firewall nat add chain=srcnat src-address=2.2.2.2 \
action=netmap to-addresses=11.11.11.1
12.4
: /ip firewall connection
IP
estabilished new related
FTP ICMP invalid
prerouting output
nat NAT
P2P IP
/ip firewall connection 64M RAM
65536 128M RAM 130000
- YuSong
- 178 -
RouterOS
connection-mark (: ) - mangle
dst-address (: IP address:port) -
protocol (: ) IP
p2p (: ) P2P
reply-src-address (: IP address:port) -
reply-dst-address (: IP address:port) -
src-address (: IP address:port) -
tcp-state (: ) - TCP
timeout (: ) -
assured (: true | false) -
icmp-id (: ) - ICMP ID ICMP
ICMP ID ICMP
icmp-option (: ) - ICMP
reply-icmp-id (: ) - ICMP ID
reply-icmp-option (: ) - ICMP
unreplied (: true | false) -
: /ip firewall connection tracking

timeout
TCP TCP
count-curent (: ) -
count-max (: ) -
enable (yes | no; : yes) - nat
- YuSong
- 179 -
RouterOS
generic-timeout (; : 10m) - TCP UDP
icmp-timeout (; : 10s) - ICMP

tcp-close-timeout (; : 10s) TCP RST
ACK
tcp-close-wait-timeout (; : 10s) FIN
tcp-established-timeout (; : 1d)
tcp-fin-wait-timeout (; : 10s) FIN
tcp-syn-received-timeout (; : 1m) SYN

tcp-syn-sent-timeout (; : 1m) SYN
tcp-time-wait-timeout (; : 10s) SYNFIN
FIN
udp-timeout (; : 10s)
udp-stream-timeout (; : 3m) -
H323VoIP
1/16 1
3/16 1
1/2 10
13/16 1
nat statefull-firewalling
tracking nat nat tracking
Mangle
mangle IP mangle IP IP
IPTCP IP Mangle
: system
: Level1
: /ip firewall mangle
: IP
13.1 Mangle
Mangle RouterOS queue-trees
natMangle
- YuSong
- 180 -
RouterOS
Prerouting
Input
Foreward TTLTCP-MSS
Output
Prostrouting
IP Queue ip route
Mark-connection IP
Mark-packet IP
Mark-routing IP IP
IP TCP/UDP IP
Mangle
13.2 Mangle
Peer-to-Peer
VoIP HTTP
P2P RouterOS QOS mangle
queues P2P 1Mbps
[admin@NAT] > /ip firewall mangle add chain=forward p2p=all-p2p

action=mark-connection new-connection-mark=p2p_conn
[admin@NAT] > /ip firewall mangle add chain=forward connection-mark=p2p_conn
action=mark-packet new-packet-mark=p2p
[admin@NAT] > /ip firewall mangle add chain=forward packet-mark=!p2p_conn
action=mark-packet new-packet-mark=other
[admin@NAT] > /ip firewall mangle print
0
chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn
- YuSong
- 181 -
RouterOS
chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p
chain=forward packet-mark=!p2p_conn action=mark-packet new-packet-mark=other
[admin@NAT] >
[admin@NAT] > /queue tree add parent=Public packet-mark=p2p limit-at=1000000
max-limit=100000000 priority=8
[admin@NAT] > /queue tree add parent=Local packet-mark=p2p limit-at=1000000
[admin@NAT] > /queue tree add parent=Public packet-mark=other limit-at=1000000
[admin@NAT] > /queue tree add parent=Local packet-mark=other limit-at=1000000
Mangle 2
mangle 2 http in-interface IP
dst-address
[admin@MikroTik] /ip firewall mangle> add chain=forward out-interface=lan action

=change-ttl new-ttl=set:1
[admin@MikroTik] /ip firewall mangle>print chain=forward
8
chain=forward action=change-ttl new-ttl=set:1 out-interface=lan
RouterOS Nth
Nth RouterOS IP
nat
14.1 Nth
v3.0 Nth everypacket
1every
0 Nth
nth N 16
Every every Counter
Packet Nth=3,1 3 1
- YuSong
- 182 -
RouterOS
In
10,9,8,7,6,5,4,3,2,1
Nth
Every=3
Packet=1
Packet=2
Packet=3
...n
...n+1
...n+2
Out1
Out2
Out3
1-n Nth 3 Packet Nth

ftp
14.2 Passthrough Nth

Nth Passthrough Passthrough no
yes Mangle Mangle
Mangle Nth
1/2 1/21
- YuSong
- 183 -
RouterOS
3 1/3
Passthrough
Nth mangle
Passthrough=no Nth 50%
/ip firewall mangle
add chain=prerouting new-connection-mark=AAA nth=2,1 action=mark-connection
passthrough=no;
50%
add chain=prerouting new-connection-mark=BBB action=mark-connection
3 1/3 2/3
50% 1/3
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=AAA nth=3,1
passthrough=no;
add action=mark-connection chain=prerouting new-connection-mark=BBB nth=2,1
passthrough=no;
add action=mark-connection chain=prerouting new-connection-mark=CCC ;
3
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=AAA nth=3,1
passthrough=yes;
- YuSong
- 184 -
RouterOS
add action=mark-connection chain=prerouting new-connection-mark=BBB nth=3,2

passthrough=yes;
add action=mark-connection chain=prerouting new-connection-mark=CCC nth=3,3
passthrough=yes;
14.3 Nth
Nth ISP Nth
2 ISP
Nth
new
connection=new Nth
oddevenISP1 ISP2
wan1: ip 10.11.0.2/24 10.11.0.1
wan2ip 10.12.0.2/24 10.12.0.1
lan192.168.10.1/24
IP
- YuSong
- 185 -
RouterOS
ip firewall mangle Nth Nth odd

even ISP1 ISP2
[admin@MikroTik] /ip firewall mangle> print

0 chain=prerouting action=mark-connection new-connection-mark=odd passthrough=yes
connection-state=new in-interface=lan nth=2,1
1
chain=prerouting action=mark-routing new-routing-mark=ISP1 passthrough=yes
in-interface=lan connection-mark=odd
2 chain=prerouting action=mark-connection new-connection-mark=even passthrough=yes
connection-state=new in-interface=lan nth=2,2
3
chain=prerouting action=mark-routing new-routing-mark=ISP2 passthrough=yes
in-interface=lan connection-mark=even
NAT
- YuSong
- 186 -
RouterOS
ip route 10.12.0.1 ISP2 10.11.0.1 ISP1

10.11.0.1
/ ip route
add gateway=10.11.0.1 routing-mark=ISP1
add gateway=10.12.0.1 routing-mark=ISP2
Nth ISP
Nth TCP
443 8443 IP
Nth 16 12 passthrough=yes Nth

[every,packet]=[12,1][12,2][12,3][12,4][12,5][12,6][12,7][12,8][12,9]
[12,10][12,11][12,12]
14.4 Nth
Nth FTP
FTP
FTP Nth 3 ftp 3 FTP
- YuSong
- 187 -
RouterOS
3 nat 3 nat Passthrough

nat 1/3 1/2
3
Wanip 10.200.15.158/24 10.200.15.1
Lanip 192.168.10.1/24
3 FTP IP 192.168.10.2192.168.10.3192.168.10.4
IP ip firewall nat nat nat

IP IP
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=wan
FTP TCP20-21 3 nat Nth
192.168.10.2192.168.10.3 192.168.10.4 IP
1/3
- YuSong
- 188 -
RouterOS
add action=dst-nat chain=dstnat dst-address=10.200.15.158 dst-port=20-21

in-interface=wan nth=3,1 protocol=tcp to-addresses=192.168.10.2 to-ports=20-21
1/2
in-interface=wan nth=2,1 protocol=tcp to-addresses=192.168.10.3 to-ports=20-21
1/3
in-interface=wan protocol=tcp to-addresses=192.168.10.4 to-ports=20-21
Nth Nth
Bridge
MAC EoIPEthernet over IPPrism, Atheros 802.11a, 802.11b,
and 802.11g ad-hoc, infrastructure station 802.11
Prism Atheros WDS Atheros Prism EoIP
STP/RSTP
(STP)
RSTP
MAC
IP
ether1 ether2
1.
MyBridge
/interface bridge add name="MyBridge" disabled=no

2.
ether1 ether2 MyBridge
/interface bridge port add interface=ether1 bridge=MyBridge

/interface bridge port add interface=ether2 bridge=MyBridge
- YuSong
- 189 -
RouterOS
: system
: Level3
: /interface bridge
: IEEE801.1D
Ethernet, Ethernet over IP, IEEE802.11 in ap-bridge bridge , WDS, VLAN
MAC EoIP IP
STP
BPDUBridge Protocol Data Unit

STP ID
15.1
: /interface bridge
MAC
MAC
ageing-time (; : 5m) -
arp (disabled | enabled | proxy-arp | reply-only; : enabled) -
forward-delay (; : 15s) -
/
garbage-collection-interval (; : 4s) -
ageing-time
hello-time (; : 2s) - hello
mac-address (: MAC ) MAC
max-message-age (; : 20s) - hello
mtu (; : 1500) -
name (; : bridgeN) -
priority (: 0..65535; : 32768) - STP
stp (no | yes; no) -
[admin@MikroTik] interface bridge> add; print

0 R name="bridge1" mtu=1500 arp=enabled mac-address=61:64:64:72:65:73 stp=no
priority=32768 ageing-time=5m forward-delay=15s
garbage-collection-interval=4s hello-time=2s max-message-age=20s
[admin@MikroTik] interface bridge> enable 0
- YuSong
- 190 -
RouterOS
: /interface bridge port

Port
bridge (; : none) bridge

none
interface (: ) -
path-cost (: 0..65535; : 10) - STP
priority (: 0..255; : 128) -
V2.9.9 add(set)
ether1 ether2 bridge1 V2.9.9
[admin@MikroTik] interface bridge port> set ether1,ether2 bridge=bridge1

[admin@MikroTik] interface bridge port> print
# INTERFACE
BRIDGE PRIORITY PATH-COST
HORIZON
0 ether1
bri... 0x80
10
none
1 ether2
bri... 0x80
10
none
2 wlan1
none
128
10
none
[admin@MikroTik] interface bridge port>

ether1 ether2 bridge1 V2.9.9 :
[admin@MikroTik] interface bridge port> add interfae=ether1 bridge=bridge1

[admin@MikroTik] interface bridge port> add interfae=ether2 bridge=bridge1
[admin@MikroTik] interface bridge port> print
# INTERFACE
BRIDGE PRIORITY PATH-COST
HORIZON
0 ether1
bri... 0x80
none
1 ether2
bri... 0x80
10
10
none
[admin@MikroTik] interface bridge port>
Bridge setting
ip firewall 2.9 ip firewall
RouterOS WLAN
- YuSong
- 191 -
RouterOS
ip firewall filtermanglenat queue
[admin@MikroTik] /interface bridge settings>set use-ip-firewall=yes

[admin@MikroTik] /interface bridge settings>print
use-ip-firewall: yes
use-ip-firewall-for-vlan: no
use-ip-firewall-for-pppoe: no
[admin@MikroTik] /interface bridge settings>
IP P2P 80 HTTP IP
15.2
: /interface bridge monitor
bridge-id () ID, bridge-prioritybridge-MAC-address

designated-root () - ID
path-cost () -
root-port () -
[admin@MikroTik] interface bridge> monitor bridge1

state: enabled
current-mac-address: 00:00:00:00:00:00
root-bridge: yes
root-bridge-id: 0x8000.00:00:00:00:00:00
root-path-cost: 0
root-port: none
port-count: 2
- YuSong
- 192 -
RouterOS
designated-port-count: 0
[admin@MikroTik] interface bridge>
15.3
: /interface bridge port monitor
designated-port () -
designated-root () - ID
port-id () - ID
status (disabled | blocking | listening | learning | forwarding) -
disabled - BPDUs
blocking - BPDU
listening - the port does not forward any frames, but listens to them
learning - MAC
forwarding - MAC
[admin@MikroTik] interface bridge port> mo 0

state: enabled
current-mac-address: 00:00:00:00:00:00
root-bridge: yes
root-bridge-id: 0x8000.00:00:00:00:00:00
root-path-cost: 0
root-port: none
port-count: 2
designated-port-count: 0
-- [Q quit|D dump|C-z pause]
15.4
: /interface bridge host
age (:) -
bridge (: ) - entry
local (: ) -
mac-address (: MAC ) - MAC
on-interface (: ) -
[admin@MikroTik] interface bridge host> print
- YuSong
- 193 -
RouterOS
Flags: L - local, E - external-fdb

BRIDGE
MAC-ADDRESS
ON-INTERFACE
AGE
bridge1
00:00:B4:5B:A6:58 ether1
4m48s
bridge1
00:30:4F:18:58:17 ether1
4m50s
L bridge1
00:50:08:00:00:F5 ether1
0s
L bridge1
00:50:08:00:00:F6 ether2
0s
bridge1
00:60:52:0B:B4:81 ether1
4m50s
bridge1
00:C0:DF:07:5E:E6 ether1
4m46s
bridge1
00:E0:C5:6E:23:25 prism1
4m48s
bridge1
00:E0:F7:7F:0A:B8 ether1
1s
[admin@MikroTik] interface bridge host>
15.5
: /interface bridge filter, /interface bridge nat, /interface bridge broute
IP /ip firewall IP /NAT

IP output/
filter -
input - MAC
output -
forward
nat - / MAC
scnat - MAC
dstnat -
broute -
broutingBridging Decision
use-ip-firewall
filter, broute and NAT mangle IP

IP nat,broute
filter rules
802.3-sap () - DSAP SSAP 1

SAP
802.3-type () - IEEE 802.2 802.3-sap 0xAASNAP
AppleTalk 0x8098 SNAP 0xAA SAP
- YuSong
- 194 -
RouterOS
arp-dst-address (IP ; : 0.0.0.0/0) - ARP

arp-dst-mac-address (MAC ; : 00:00:00:00:00:00) - ARP MAC
arp-hardware-type (; : 1) - ARP
arp-opcode (arp-nak | drarp-error | drarp-reply | drarp-request | inarp-request | reply |
reply-reverse | request | request-reverse) - ARP opcode ()
arp-nak ARP ( ATM )
drarp-error RARP , saying that an IP address for the given MAC address can not
be allocated MAC IP
drarp-reply RARP
drarp-request - RARP MAC IP
reply - MAC ARP
reply-reverse - IP ARPRARP
request - IP MAC ARP
request-reverse - reverse ARP (RARP) request to a known MAC address to find out unknown IP
MAC IP ARPRARP(intended to be used by hosts to find out
their own IP address IP DHCP )
arp-src-address (IP ; : 0.0.0.0/0) ARP IP
arp-src-mac-address (MAC ; : 00:00:00:00:00:00) ARP MAC
chain () -
dst-address (IP ; : 0.0.0.0/0) IP ( MAC IPv4 )
dst-mac-address (MAC ; : 00:00:00:00:00:00) MAC
dst-port (: 0..65535) - TCP UDP
in-bridge () -
in-interface () -
ip-protocol (ipsec-ah | ipsec-esp | ddp | egp | ggp | gre | hmp | idpr-cmtp | icmp | igmp | ipencap
| encap | ipip | iso-tp4 | ospf | pup | rspf | rdp | st | tcp | udp | vmtp | xns-idp | xtp) IP (
MAC IPv4)
ipsec-ah - IPsec AH
ipsec-esp - IPsec ESP
ddp -
egp -
ggp -
gre -
hmp -
idpr-cmtp - idp
icmp -
igmp -
ipencap - ip ip
encap - ip
ipip - ip
iso-tp4 - iso 4
ospf -
pup - parc
rspf -
rdp -
st - st
tcp -
udp -
vmtp -
- YuSong
- 195 -
RouterOS
xns-idp - xerox ns idp

xtp xpress
jump-target () action=jump
limit (/{0,1},) -
Count - Time pps
Time -
Burst - 8
log-prefix () -
mac-protocol ( | 802.2 | arp | ip | ipv6 | ipx | rarp | vlan) - (MAC
)
mark-flow () - marks existing flow
packet-type (broadcast | host | multicast | other-host) MAC :
broadcast MAC
host -
multicast MAC
other-host -
src-address (IP ; : 0.0.0.0/0) IP ( MAC IPv4 )
src-mac-address (MAC ; : 00:00:00:00:00:00) MAC
src-port (: 0..65535) - ( TCP UDP )
stp-flags (topology-change | topology-change-ack) - BPDU ()
BPDU
topology-change -
topology-change-ack -
stp-forward-delay (time: 0..65535) - forward delay timer
stp-hello-time (time: 0..65535) - stp hello
stp-max-age (time: 0..65535) STP
stp-msg-age (time: 0..65535) STP
stp-port (: 0..65535) stp
stp-root-address (MAC ) MAC
stp-root-cost (: 0..65535)
stp-root-priority (: 0..65535)
stp-sender-address (MAC ) stp MAC
stp-sender-priority (: 0..65535)
stp-type (config | tcn) - BPDU
config BPDU
tcn -
vlan-encap (802.2 | arp | ip | ipv6 | ipx | rarp | vlan) - VLAN MAC
vlan-id (: 0..4095) VLAN
vlan-priority (: 0..7)
MAC 01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF (), stp stp

mac-protocol arp rarp ARP VLAN vlan IP
mac-protocol ipv4
IEEE 802.2 IEEE 802.3 802.3
- YuSong
- 196 -
RouterOS
: /interface bridge filter
action (accept | drop | jump | log | mark | passthrough | return; default: accept) -
accept - /
drop ( ICMP )
jump - jump-target
log -
mark
passthrough -
return -
out-bridge () -
out-interface () -
15.6 Bridge nat

: /interface bridge nat
nat
action (accept | arp-reply | drop | dst-nat | jump | log | mark | passthrough | redirect | return |
src-nat; : accept) -
accept - /
arp-reply - MAC ARP ( dstnat
)
drop ( ICMP )
dst-nat - MAC ( dstnat )
jump - jump-target
log -
mark
passthrough -
redirect - dstnat
return -
src-nat - MAC ( srcnat )
out-bridge () -
to-arp-reply-mac-address (MAC ) - action=arp-reply MAC
ARP
to-dst-mac-address (MAC ) - action=dst-nat MAC
to-src-mac-address (MAC ) - action= src-nat MAC
: /interface bridge broute
- YuSong
- 197 -
RouterOS
action (accept | drop | dst-nat | jump | log | mark | passthrough | redirect | return; : accept)
- action to undertake if the packet matches the rule, one of the:
accept -
drop -
dst-nat - MAC dstnat

jump - jump-target
log -
mark
passthrough -
redirect - dstnat
return -
to-dst-mac-address (MAC ) - action=dst-nat MAC
in-interface, in-bridge ( in-bridge-port)
action=mark-packet new-packet-mark
action=mark-connection new-connection-mark
action=mark-routing new-routing-mark
15.7
Bridge
RouterOS Bridge
RouterOS birdge filter Bridge
RB450 Bridge bridge1
- YuSong
- 198 -
RouterOS
bridge rstp
rstp
bridge1 Port 3 ether3ether4

ether5 bridge1
- YuSong
- 199 -
RouterOS
RB450 3 3
ether3ether4 ether5 filter
ether3 ether4 interface In-interface Out-interfaceIn-interface
Out-interface
action action drop
- YuSong
- 200 -
RouterOS
RouterBOARD Switch
RouterOS 3.0 RouterBOARD
RouterBOARD450 5 5
RouterOS Switch RouterBOARD100 400
3.0
RB433 RB433 3 ether1ether2 ether3
1 Master port
Slave port ether1 Master ether2 ether3
ether2
- YuSong
- 201 -
RouterOS
ether3
ether1ether2 ether3 switch

interface Bandwidth
15.8
MikroTik RouterOS
RouterOS
1. int ext
/interface set ether1,ether2 disabled=no
- YuSong
- 202 -
RouterOS
/interface set ether1 name=int

/interface set ether2 name=ext
2. 10.0.0.1 IP IP 10.0.0.2/24 (
) ping
ext int
/ip address add interface=ext address=10.0.0.2/24

3. int ext
/interface bridge add name=bridge
/interface bridge port add interface=ext bridge=bridge
/interface bridge port add interface=int bridge=bridge
IP bridge
/ip address set [/ip address find] interface=bridge
256Kbit/s
128Kbit/s
/queue simple add limit-at=131072 interface=ext
/queue simple add limit-at=262144 interface=int
15.9 Bridge Filter MAC

bridge filter MAC RouterOS MAC
PC
bridge MAC bridge bridge port
Port bridge
1 bridge bridge bridge1 RSTP
- YuSong
- 203 -
RouterOS
bridge bridge
2 ether1 wlan1 bridge1 2
MAC
1 MAC
bridge bridge filter PC
MAC00:E2:67:32:B4:81 bridge
MAC src-mac-address bridge chain=forward

action=dropRouterOS Winbox
- YuSong
- 204 -
RouterOS
Action drop MAC
src-mac-address MAC IP MAC

FF IP 255
MAC MAC FF:FF:FF:FF:FF:FF
2 MAC
MAC scr-mac-address
MAC dst-mac-address MAC
- YuSong
- 205 -
RouterOS
MAC dst-mac-address=00:E2:67:32:B4:81dst-mac-address
FF
Action drop MAC

filter 2
00:E2:67:32:B4:81
MAC
6 MAC 3 3
RouterOS Bridge MAC
MAC RouterOS RouterOS
- YuSong
- 206 -
RouterOS
RouterBOARD RouterBOARD brigde fiter

RouterBOARD MAC 3 00:0C:42
3 MAC 00:0C:42 MAC
bridge filter 2 input MAC 3 00:0C:42
RouterOS
RouterOS MAC 3 00:0C:42 MAC
MAC
src-mac-address=00:0C:42:00:00:00/src-mac-mask=FF:FF:FF:00:00:00
action accpet
MAC
- YuSong
- 207 -
RouterOS
(VRRP)
Virtual Router Redundancy Protocol (VRRP)MikroTik RouterOS VRRP RFC2338
VRRP
255
()
VRRP ping
: system
: Level1
: /interface vrrp
VRRP VRID ID255

VRRP VRRP
VRRP VRRP Master running
backup VRRP
IP
MASTER , IP MASTER
VRRP backup
BACKUP , VRRP Master IP MASTER

VRRP MASTER
VRRP VLAN VLAN MAC MAC
16.1 VRRP
: /interface vrrp
- YuSong
- 208 -
RouterOS
arp (disabled | enabled | proxy-arp | reply-only;: enabled) Address Resolution

Protocol
authentication (none | simple | ah; default: none) VRRP
none
simple
ah HMAC-MD5-96
backup (: flag)
interface (name)
interval (: 1..255; t: 1) VRRP VRRP
mac-address (MAC address) VRRP MAC address RFC VRRP
MAC
master (: flag) master
mtu (; : 1500)
name (name) VRRP
on-backup (name; : "") backup
on-master (name; : "") - master
password (; : "") 8
16 128 key AH
preemption-mode (yes | no; : yes)
no backup master master backup master
yes
vrid (: 0-255; : 1) (interface)
priority (: 1-255; : 100) ()
vrid, interval, preemption-mode, authentication
password.
255 IP
VRRP ether1 vrid 1 255
[admin@MikroTik] interface vrrp> add interface=ether1 vrid=1 priority=255

[admin@MikroTik] interface vrrp> print
Flags: X - disabled, I - invalid, R - running, M - master, B - backup
0
RM name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:01 arp=enabled

interface=ether1 vrid=1 priority=255 interval=1 preemption-mode=yes
authentication=none password="" on-backup="" on-master=""
[admin@MikroTik] ip vrrp>
16.2 VRRP
- YuSong
- 209 -
RouterOS
VRRP Internet 192.168.1.0/24

Internet NATVRRP IP BGP OSPF
ISP().
VRRP IP
SRC-NAT masquerading
192.168.0/24 local VRRP
Master VRRP
VRRP 255
[admin@MikroTik] interface vrrp> add interface=local priority=255
0

interface=local vrid=1 priority=255 interval=1 preemption-mode=yes
[admin@MikroTik] interface vrrp>

IP VRRP
[admin@MikroTik] ip address> add address=192.168.1.1/24 interface=vrrp1
#
ADDRESS
NETWORK
BROADCAST
INTERFACE
10.0.0.1/24
10.0.0.0
192.168.1.2/24
192.168.1.0
192.168.1.255
local
192.168.1.1/24
192.168.1.0
192.168.1.255
vrrp1
10.0.0.255
public
Backup VRRP
VRRP 100 backup
- YuSong
- 210 -
RouterOS
[admin@MikroTik] interface vrrp> add interface=local

[admin@MikroTik] ip vrrp> print
0
B name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:01 arp=enabled


VRRP
[admin@MikroTik] ip address> add address=192.168.1.1/24 interface=vrrp1
master master
0

HotSpot
17.1 HotSpot
HotSpot HTTP HTTPS
RouterOS
RADIUS HotSpot
Hotspot web web
Walled Garden
IP IP DHCP IP
DHCP IP MAC
HotSpot IP Hotspot IP
IP Hotspot Hotspot ARP
IP hotspot
host NAT RouterOS 2.8
- YuSong
- 211 -
RouterOS
NAT
NAT IP
IP NAT
NAT arp
HotSpot NAT
HotSpot HTTP HTTPS
HotSpot servlet
Hotspot HTTP HotSpot servlet
Hotspot HotSpot DNS
Walled Garden
Walled Garden
Walled Garden HotSpot HTTP
Walled Garden HTTP web

system
web-proxy /ip proxy
HTTP PAP - HotSpot
HTTP CHAP - CHAP CHAP MD5

HotSpot HotSpot
IP MD5 JavaScript applet
JavaScriptInternet Explorer 2.0 PDA
HTTP PAP
HTTPS - HTTP PAP SSL HotSpot

HTTP POST
HTTP GET HotSpot
HTTP cookie - cookie web HTTP cookie

cookie HotSpot MAC ID
HTTP PAP HTTP CHAP HTTPS
cookie
MAC address - MAC
HotSpot RADIUS RADIUS

RADIUS HTTP cookie cookie
- YuSong
- 212 -
RouterOS
RADIUS RADIUS
Radius
HTTP PAP /login?username=username&password=password telnet
HTTP GET /login?username=username&password=password HTTP/1.0
/ip hotspot - HotSpot HotSpot HotSpot
/ip hotspot profile - HotSpot HotSpot HotSpot
/ip hotspot host - HotSpot IP NAT
/ip hotspot ip-binding - IP HotSpot
/ip hotspot service-port - NAT
/ip hotspot walled-garden HTTP Walled Garden DNS HTTP )
/ip hotspot walled-garden ip IP Walled Garden (IP IP )
/ip hotspot user HotSpot
/ip hotspot user profile HotSpot
/ip hotspot active - HotSpot
/ip hotspot cookie - HTTP cookie
Hotspot HotSpot
1.
HotSpot HotSpot
2.
LAN/WAN DNS RADIUS
HotSpot
HotSpot IP HotSpot
AP NIC
- YuSong
- 213 -
RouterOS
ISP Hotspot Hotspot
2.9 RouterOS Hotspot Hotspot UpNp

/ip hotspot host
17.2 HotSpot
: /ip hotspot
HotSpot HotSpot
addresses-per-mac ( | unlimited; : 2) - MAC IP IP

MAC
unlimited - MAC IP
address-pool ( | none; : none) - NAT IP NAT

none - HotSpot NAT
HTTPS (: flag) - HTTPS
idle-timeout ( | none; : 00:05:00) -
none
interface () - HotSpot
ip-of-dns-name (: IP address) - HotSpot HotSpot DNS IP
keepalive-timeout ( | none;: none) -
none -
profile (; : default) - HotSpot

reset-html () - HTML HotSpot servlet servlet
addresses-per-mac -
HotSpot NAT HS-real NAT
[admin@MikroTik] ip hotspot> add interface=local address-pool=HS-real

[admin@MikroTik] ip hotspot> print
Flags: X - disabled, I - invalid, S - HTTPS
#
NAME
hs-local
INTERFACE
local
ADDRESS-POOL PROFILE IDLE-TIMEOUT

HS-real
default 00:05:00
[admin@MikroTik] ip hotspot>
17.3 HotSpot
: /ip hotspot profile
- YuSong
- 214 -
RouterOS
dns-name () - HotSpot DNS HotSpot DNS

DNS DNS
hotspot-address (IP address; default: 0.0.0.0) - HotSpot IP
html-directory (; default: "") - FTP HTML servlet
http-cookie-lifetime (; : 3d) - HTTP cookies

http-proxy (IP s; : 0.0.0.0) - HotSpot
/ip proxy direct /ip proxy parent-proxy
login-by (: cookie | http-chap | http-pap | https | mac | trial; default: cookie,http-chap) -
cookie - HTTPcookie cookie

HTTP (HTTP-PAP, HTTP-CHAP HTTPS)
cookie
http-chap - MD5 CHAP -
http-pap -
https - SSL HotSpot
mac - MAC RADIUS
trial -
radius-accounting (yes | no; : yes) - RADIUS
radius-interim-update
radius-interim-update (time | received; : received) -
0s received
received - RADIUS
rate-limit (; : "") - rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate]
[rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time]]]](
"rx" "tx")k(1,000s)M (1,000,000s) tx-rate
rx-rate tx-rate tx-burst-rate tx-burst-threshold tx-burst-time
rx-burst-threshold tx-burst-threshold ( burst-rate ) rx-rate tx-rate burst
threshold rx-burst-time tx-burst-time 1s
smtp-server (IP ; : 0.0.0.0) - SMTP
split-user-domain (yes | no; : no) - "user@domain""domain\user"
ssl-certificate ( | none; : none) - HTTPS SSL

trial-uptime (/; : 30m/1d) -
trial-user-profile (; : default) -
use-radius (yes | no; : no) - RADIUS HotSpot
dns-name hotspot-address hotspot-address

RADIUS /radius
- YuSong
- 215 -
RouterOS
domain (: ) - ()
expires-in (: ) - cookie
user (: )
MAC cookie web cookie

Cookie cookie 3 72 HotSpot
/ip hotspot profile set default http-cookie-lifetime=1d

cookie
[admin@MikroTik] ip hotspot cookie> print

# USER
DOMAIN
0 ex
MAC-ADDRESS
EXPIRES-IN
01:23:45:67:89:AB 23h54m16s
[admin@MikroTik] ip hotspot cookie>
17.4 Walled Garden

HTTP Walled Garden
: /ip hotspot walled-garden
Walled garden HotSpot
HTTP HTTPS Walled Garden Walled Garden

/ip hotspot walled-garden ip
action (allow | deny; : allow) -

allow -
deny -
dst-address (IP ) - web IP
dst-host (wildcard; : "") - web
dst-port (; : "") - TCP
method () HTTP
path (; : "") - ()
server () - HotSpot
src-address (IP ) -
IP
(dst-host dst-path)
"example"
"example.com")'*' () '?' ()
(':')
:
- YuSong
- 216 -
RouterOS
\\ \
\. . ()
HTTPS path HTTPS
www.example.com /paynow.html
[admin@MikroTik] ip hotspot walled-garden> add path="/paynow.html" \

\... dst-host="www.example.com"
[admin@MikroTik] ip hotspot walled-garden> print
Flags: X - disabled, D - dynamic
0
dst-host="www.example.com" path="/paynow.html" action=allow
[admin@MikroTik] ip hotspot walled-garden>
IP Walled Garden
: /ip hotspot walled-garden ip
IP Walled Garden HTTP HTTPS DNS HTTP
action (allow | deny; default: allow) -

allow -
deny -
reject - ICMP
dst-address (IP ) - web IP
dst-host (wildcard; : "") - web
dst-port (; default: "") - TCP
protocol ( | ddp egp encap ggp gre hmp icmp idpr-cmtp igmp ipencap ipip ipsec-ah ipsec-esp iso-tp4
ospf pup rdp rspf st tcp udp vmtp xns-idp xtp) - IP
server () - HotSpot
src-address (IP ) -
IP
17.5 IP
: /ip hotspot ip-binding
IP IP MAC NAT HotSpot
address (IP /; : "") - IP

mac-address (MAC ; : "") - MAC
- YuSong
- 217 -
RouterOS
server (|all; : all) -
to-address (IP ; : "") - IP address
address to-addressaddress+1 to-address+1
type (regular | bypassed | blocked) -

regular - NAT
bypassed HotSpot ,
blocked -
192.168.10.8
17.6 Hotspot
: /ip hotspot host
HotSpot NAT
address (: IP address) - IP
authorized (: flag) - HotSpot
blocked (: flag) - walled-garden
bridge-port (: ) - HotSpot
bypass-hotspot (: flag) - HotSpot

bytes-in (: ) -
bytes-out (: ) -
host-dead-time (: ) - ARP
idle-time (: )
idle-timeout (: ) - idle-timeout
keepalive-timeout (: ) - keepalive-timeout
mac-address (: MAC ) - MAC
- YuSong
- 218 -
RouterOS
packets-in (: ) -
packets-out (: ) -
server (: ) -
static (: flag) - IP
to-address (: IP ) - IP
uptime (: ) -
make-binding - IP
unnamed ()
comment () -
type (regular | bypassed | blocked) -
17.7 HotSpot
Hotspot
: /ip hotspot user
: /ip hotspot user profile
profile
address-pool ( | none; : none) - IP IP MikroTik RouterOS

dhcp-pool
none - IP
advertise (yes | no; : no) -
advertise-interval (: time; : 30m,10m) -
advertise-timeout (time | immediately never; : 1m) - walled-garden
advertise-url (: ; : http://www.mikrotik.com/,http://www.routerboard.com/) -
URL
idle-timeout (time | none; : none) -
hotspot
none
incoming-filter () -
incoming-packet-mark () -
keepalive-timeout (time | none; : 00:02:00) -
none
name () -
on-login (; : "") -
on-logout (; : "") -
open-status-page (always | http-login; : always) - MAC
alogin.html
- YuSong
- 219 -
RouterOS
http-login - http cookie http
always - mac http
outgoing-filter () -
outgoing-packet-mark () -
rate-limit (; : "") rx-rate[/tx-rate]
[rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold]
[rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]] ( "rx"
"tx")'k' (1,000s) 'M' (1,000,000s) tx-rate rx-rate
tx-rate tx-burst-rate tx-burst-threshold tx-burst-time both rx-burst-threshold
tx-burst-threshold burst-rate rx-rate tx-rate
rx-burst-time tx-burst-time 1s 1 8 1 8
rx-rate-min tx-rate-min rx-rate tx-rate rx-rate-min
tx-rate-min rx-rate tx-rate
session-timeout (time; : 0s) - session timeout (maximal allowed session time) for client. After this
time, the user will be logged out unconditionally
0
shared-users (; : 1) -
status-autorefresh (time | none; : none) servlet
transparent-proxy (yes | no; : yes) - HTTP
idle-timeout session-timeout Hotspot
: /ip hotspot user
address (IP ; : 0.0.0.0) - IP 0.0.0.0 IP

NAT
bytes-in (: ) -
bytes-out (: ) -
limit-bytes-in (; : 0) -
0
limit-bytes-out (; : 0) -
0
limit-uptime (; : 0s) -
0s
mac-address (MAC ; : 00:00:00:00:00:00) - MAC 00:00:00:00:00:00
MAC
name () -
packets-in (: ) -
packets-out (: ) -
password () -
profile (; : defualt)
routes () - dst-address
10.1.0.0/24
10.0.0.1 1
server ( | all; : all) -
uptime (: time) -
- YuSong
- 220 -
RouterOS
MAC MAC
/ip hotspot active
-minus 100MB
30MB/ip hotspot active 100MB - 30MB = 70MB
bytes-in >= limit-bytes-in bytes-out >= limit-bytes-out
/ip hotspot active

IP
01:23:45:67:89:AB MAC ex 1
[admin@MikroTik] ip hotspot user> add name=ex password=ex \

\... mac-address=01:23:45:67:89:AB limit-uptime=1h
[admin@MikroTik] ip hotspot user> print
Flags: X - disabled
#
SERVER
NAME
ADDRESS
ex
PROFILE
UPTIME
default 00:00:00
[admin@MikroTik] ip hotspot user> print detail

Flags: X - disabled
0
name="ex" password="ex" mac-address=01:23:45:67:89:AB profile=default

limit-uptime=01:00:00 uptime=00:00:00 bytes-in=0 bytes-out=0
packets-in=0 packets-out=0
[admin@MikroTik] ip hotspot user>
17.8 Hotspot
/ip hotspot active
remove
address (: IP ) - IP
blocked (: flag) -
bytes-in (: ) -
bytes-out (: ) -
domain (: ) -
idle-time (: ) -
idle-timeout (: ) - idle-timeout
keepalive-timeout (: ) - keepalive-timeout
limit-bytes-in (: ) -
limit-bytes-out (: ) -
login-by (, : cookie | http-chap | http-pap | https | mac | trial) -
- YuSong
- 221 -
RouterOS
packets-in (: ) -
packets-out (: ) -
radius (: yes | no) - RADIUS
server (: ) -
session-time-left (: time) - session-time-left
uptime (: time) - ()
user (: ) -
17.9 Hotspot
WAN IP 10.200.15.119/24 10.200.15.1

LAN IP 192.168.10.1/24
DNS61.139.2.69
IP DNS DNS
ip address IP
- YuSong
- 222 -
RouterOS
ip route
ip firewall nat NAT
ip dns DNS
- YuSong
- 223 -
RouterOS
Hotspot Hotspot
1 ip hotspot user profile

2 ip hotspot user
3 ip hotspot server profile
4 ip pool IP DHCP
5 ip hotspot server hotspot
ip hotspot ip hotspot use profile
- YuSong
- 224 -
RouterOS
user profile
Idle-Timeout
Keepalive-Timeout ICMP
Shared-users 1
Rate-Limit /
Transparent-proxy Hotspot
Hotspot
Address pool DHCP IP ip pool RouterOS

DHCP
user profile
- YuSong
- 225 -
RouterOS
server all
Name cdnat
Passwordcdnat
Profile default
ip hotspot server profile
General HTML Directory hotspot

login http chap
- YuSong
- 226 -
RouterOS
Radius
Hotspot
web
www.mydrivers.com Hotspot web
- YuSong
- 227 -
RouterOS
cdnat cdnat ok www.mydrivers.com
ip hotspot active
[admin@MikroTik] ip hotspot active> print

Flags: R - radius, B - blocked
#
USER
cdnat
ADDRESS
192.168.10.88
UPTIME
4m17s
SESSION-TIMEOUT IDLE-TIMEOUT
55m43s
[admin@MikroTik] ip hotspot active>
- YuSong
- 228 -
RouterOS
192.168.10.1 Hotspot log off
Hotspot RouterOS files Hotspot files

Hotspot
login.htmllogout.html status.html web log
- YuSong
- 229 -
RouterOS
17. 10 Hotspot
2.7 upnp Hotspot
IP IP DNS Hotspot Hotspot
Host IP NAT Hotspot
Hotspot ARP
IP IP Hotspot
2.9 3.0 Hotspot server Hotstop hotspot server

address pool
Addresses Per MAC IP MAC 1 IP MAC

windows IP
- YuSong
- 230 -
RouterOS
Hotspot host windows Hotspot IP
Hotspot
/ip dns DNS tools ping /ping

www.mikrotik.com.cn
DNS
/ip firewall connection tracking set enabled=yes
17.11 HotSpot
/ip hotspot HotSpot
RouterOS 2.8
nat
nat
/ip firewall nat print dynamic
- YuSong
- 231 -
RouterOS
0 D chain=dstnat hotspot=from-client action=jump jump-target=hotspot
HotSpot HotSpot
1 D chain=hotspot protocol=udp dst-port=53 action=redirect to-ports=64872

2 D chain=hotspot protocol=tcp dst-port=53 action=redirect to-ports=64872
DNS HotSpot 64872 HotSpot DNS HotSpot

dst-port
3 D chain=hotspot protocol=tcp dst-port=80 hotspot=local-dst action=redirect

to-ports=64873
HTTP HTTP servlet64873 HotSpot HTTP servlet
4 D chain=hotspot protocol=tcp dst-port=443 hotspot=local-dst action=redirect

to-ports=64875
HTTPS HTTPS servlet64875 HotSpot
HTTPS servlet
5 D chain=hotspot protocol=tcp action=jump hotspot=!auth jump-target=hs-unauth
DNS hs-unauth
6 D chain=hotspot protocol=tcp action=jump hotspot=auth jump-target=hs-auth
hs-auth
7 D ;;; www.mikrotik.com
chain=hs-unauth dst-address=159.148.147.196 protocol=tcp dst-port=80
action=return
hs-unauth TCP /ip hotspot walled-garden ip

www.mikrotik.com
8 D chain=hs-unauth protocol=tcp dst-port=80 action=redirect to-ports=64874
HTTP 64874 Walled Garden /ip hotspot walled-garden

HTTP allow HotSpot servlet
64873
- YuSong
- 232 -
RouterOS
HotSpot HTTP
HotSpot
http hotspot
64874#8 HTTP HTTP HTTP
HTTPS 64875
12 D chain=hs-unauth protocol=tcp dst-port=25 action=jump jump-target=hs-smtp
SMTP HotSpot hs-smtp

SMTP SMTP
SMTP
13 D chain=hs-auth protocol=tcp hotspot=http action=redirect to-ports=64874
HTTP http
HotSpot HTTP HTTP 64874
HotSpot
HTTP
14 D chain=hs-auth protocol=tcp dst-port=25 action=jump jump-target=hs-smtp
SMTP #12
/ip firewall filter print dynamic
0 D chain=forward hotspot=from-client,!auth action=jump jump-target=hs-unauth
hs-unauth hs-unauth IP Walled Garden
1 D chain=forward hotspot=to-client,!auth action=jump jump-target=hs-unauth-to
hs-unauth-to
- YuSong
- 233 -
RouterOS
2 D chain=input hotspot=from-client action=jump jump-target=hs-input
hs-input
3 D chain=hs-input protocol=udp dst-port=64872 action=accept

4 D chain=hs-input protocol=tcp dst-port=64872-64875 action=accept
5 D chain=hs-input hotspot=!auth action=jump jump-target=hs-unauth
6 D chain=hs-unauth protocol=icmp action=return

7 D ;;; www.mikrotik.com
chain=hs-unauth dst-address=159.148.147.196 protocol=tcp dst-port=80
action=return
TCP Walled Garden NAT hs-unauth /ip

hotspot walled-garden ip NAT
8 D chain=hs-unauth protocol=tcp action=reject reject-with=tcp-reset

9 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited
Walled Garden TCP TCP
10 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited
ICMP
PPPoE
PPPoE (Point to Point Protocol over Ethernet) PPPOE ISP xDSL
cable modems PPPoE (PPP)
PPPoE modem , PPPoE IP
RouterOS RADIUS RADIUS PPPoE
- YuSong
- 234 -
RouterOS
PPPoE PPPoE windows PPPoE
interface - wireless 802.11 (Aironet, Cisco, WaveLan,
Prism, Atheros), 10/100/1000 Mbit/s Ethernet, RadioLan EoIP (Ethernet over IP tunnel)
MikroTik RouterOS PPPoE PPPoE (access concentrator)
MikroTik RouterOS PPPoE (access concentrator) PPPoE (

)
PPP MP MRRU 1500 PPP bridging

BCP PPP EoIP
RADIUS CHAPMS-CHAPv1 MS-CHAPv2RADIUS

shared secretauthentication replyRADIUS
/radius monitor bad-replies
: ppp
Level1 ( 1 ) , Level3 ( 200 ) , Level4 ( 200 ) , Level5 ( 500
) , Level6 ()
/interface pppoe-server, /interface pppoe-client
PPPoE (RFC 2516)
: PPPoE RAM CPU 9KiB 10KiB
18.1 PPPoE Client

: /interface pppoe-client
name (; : pppoe-out1) PPPoE

interface () PPPoE
mtu (; : 1480) . MTU 1500-byte 1480
mru (; : 1480) MRU 1500-byte 1480
user (; : "") PPPoE

password (; : "") PPPoE
profile ()
allow (: mschap2, mschap1, chap, pap; default: mschap2, mschap1, chap, pap)
service-name (; : "") AC
ac-name (; : "")
add-default-route (yes | no; : no)
- YuSong
- 235 -
RouterOS
dial-on-demand (yes | no; : no) AC
idle-timeout
use-peer-dns (yes | no; : no) DNS ppp DNS
pppoe add-default-route
gig AC testSN john password
[admin@RemoteOffice] interface pppoe-client> add interface=gig \

\... service-name=testSN user=john password=password disabled=no
[admin@RemoteOffice] interface pppoe-client> print
0 R name="pppoe-out1" mtu=1480 mru=1480 interface=gig user="john"
password="password" profile=default service-name="testSN" ac-name=""
add-default-route=no dial-on-demand=no use-peer-dns=no
PPPoE
: /interface pppoe-client monitor
status ()
Dialing
Verifying password...
Terminated
encoding ()
uptime ()
service-name ()
ac-name () AC
ac-mac (MAC ) ACMAC
pppoe-out1
[admin@MikroTik] interface pppoe-client> monitor pppoe-out1

status: "connected"
uptime: 10s
encoding: "none"
service-name: "testSN"
ac-name: "10.0.0.1"
ac-mac: 00:C0:DF:07:5E:E6
[admin@MikroTik] interface pppoe-client>
18.2 ADSL
- YuSong
- 236 -
RouterOS
ADSL : user@169
: 1234
Service Name: CHN-Telecom
1 PPPOE Clients
[admin@Router] interface pppoe-client>

[admin@Router] interface pppoe-client> add interface=ether1 mtu=1492 mru=1492
service-name=CHN-Telecom user= user@169 password=1234
add-default-route=yesuse-peer-dns=yes
[admin@ROUTER] interface pppoe-client> print
0 X name="pppoe-out1" mtu=1492 mru=1492 interface=ether1 user=user@169
password=1234 profile=default service-name=CHN-Telecom ac-name=""
add-default-route=yes dial-on-demand=no use-peer-dns=yes
PPPOE ADSL MODEM
[admin@Router] interface pppoe-client>enable 0

[admin@Router] interface pppoe-client> monitor pppoe-out1
status: "connected"
uptime: 10s
encoding: "none"
service-name: "CHN-Telecom"
ac-name: ""
ac-mac: 00:C0:DF:07:5E:E6
ip firewall mangle
[admin@Router] ip firewall mangle> add chain=forward protocol=tcp tcp-flags=syn

action=change-mss new-mss=1440
[admin@Router] ip firewall mangle> print
Flags: X - disabled, I invalid
0
chain=forward protocol=tcp tcp-flags=syn action=change-mss

new-mss=1440
nat ip firewall nat IP
18.3 PPPoE Server

: /interface pppoe-server server
PPPoE server (access concentrator) service PPPoE server
Celeron 600 CPU 160 Mb/s CPU
- YuSong
- 237 -
RouterOS
service-name () PPPoE
mtu (; : 1480) MTU 1500-byte 1480
mru (; default: 1480) MRU 1500-byte 1480
mrru (: 512..65535; : disabled)

MTU IP
authentication (mschap2 | mschap1 | chap | pap; : mschap2, mschap1, chap, pap)
keepalive-timeout () keepalive
keepalive
one-session-per-host (yes | no; : no) (MAC ).
default-profile (; : default)
max-sessions (; : 0) AC
0
interface ()
keepalive-timeout 10 0
one-session-per-host
IP PPPoE PPPoE
MRRU MP windows
MRRU 1614 MTU
MP
802.11g PPPoE
- YuSong
- 238 -
RouterOS
Access Point, RouterOS Windows
PPPoE MTU 1600 MTU 1500
1500byte MTU 1500
MikroTik AP :
[admin@PPPoE-Server] interface wireless> set 0 mode=ap-bridge \

frequency=2442 band=2.4ghz-b/g ssid=mt disabled=no
[admin@PPPoE-Server] interface wireless> print
0
name="wlan1" mtu=1500 mac-address=00:01:24:70:53:04 arp=enabled

disable-running-check=no interface-type=Atheros AR5211
radio-name="000124705304" mode=station ssid="mt" area=""
frequency-mode=superchannel country=no_country_set antenna-gain=0
frequency=2412 band=2.4ghz-b scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
- YuSong
- 239 -
RouterOS
[admin@PPPoE-Server] interface wireless>
IP
[admin@PPPoE-Server] ip address> add address=10.1.0.3/24 interface=Local

[admin@PPPoE-Server] ip address> print
#
ADDRESS
10.1.0.3/24
NETWORK
BROADCAST
10.1.0.0
INTERFACE
10.1.0.255
Local
[admin@PPPoE-Server] ip address> /ip route

[admin@PPPoE-Server] ip route> add gateway=10.1.0.1
[admin@PPPoE-Server] ip route> print
#
DST-ADDRESS
G GATEWAY
DISTANCE INTERFACE
0 ADC 10.1.0.0/24
1 A S 0.0.0.0/0
Local
r 10.1.0.1
Local
[admin@PPPoE-Server] ip route> /interface ethernet

[admin@PPPoE-Server] interface ethernet> set Local arp=proxy-arp
[admin@PPPoE-Server] interface ethernet> print
#
NAME
0 R Local
MTU
MAC-ADDRESS
ARP
1500 00:0C:42:03:25:53 proxy-arp
[admin@PPPoE-Server] interface ethernet>
PPPoE server :
[admin@PPPoE-Server] interface pppoe-server server> add interface=wlan1 \

service-name=mt one-session-per-host=yes disabled=no
[admin@PPPoE-Server] interface pppoe-server server> print
Flags: X - disabled
0
service-name="mt" interface=wlan1 max-mtu=1480 max-mru=1480

authentication=pap,chap,mschap1,mschap2 keepalive-timeout=10
one-session-per-host=yes max-sessions=0 default-profile=default
[admin@PPPoE-Server] interface pppoe-server server>
PPPoE clients:
[admin@PPPoE-Server] ip pool> add name=pppoe ranges=10.1.0.100-10.1.0.200

[admin@PPPoE-Server] ip pool> print
# NAME
RANGES
0 pppoe
10.1.0.100-10.1.0.200
[admin@PPPoE-Server] ip pool> /ppp profile

[admin@PPPoE-Server] ppp profile> set default use-encryption=yes \
local-address=10.1.0.3 remote-address=pppoe
[admin@PPPoE-Server] ppp profile> print
- YuSong
- 240 -
RouterOS
Flags: * - default
0 * name="default" local-address=10.1.0.3 remote-address=pppoe
use-compression=no use-vj-compression=no use-encryption=yes only-one=no
change-tcp-mss=yes
1 * name="default-encryption" use-compression=default
use-vj-compression=default use-encryption=yes only-one=default
change-tcp-mss=default
[admin@PPPoE-Server] ppp profile> .. secret
[admin@PPPoE-Server] ppp secret> add name=w password=wkst service=pppoe
[admin@PPPoE-Server] ppp secret> add name=l password=ltp service=pppoe
[admin@PPPoE-Server] ppp secret> print
Flags: X - disabled
#
NAME
SERVICE CALLER-ID PASSWORD PROFILE
REMOTE-ADDRESS
pppoe
wkst
default
0.0.0.0
pppoe
ltp
default
0.0.0.0
[admin@PPPoE-Server] ppp secret>
: Windows XP PPoE RASPPPOE Windows XP

Windows default require-encryption yes
18.4 Winbox PPPoE

Winbox PPPoE PPP PPPoE Server Service Name cdnat
PPPoE PPPoE ether2
- YuSong
- 241 -
RouterOS
default-encryption profile profiles loacl-address
IPremote-address IP local-address 192.168.10.1
remote-address ip pool pppoe DNS
Limits
profile ppp secrets
- YuSong
- 242 -
RouterOS
Name Password Profile default-encryption

profile PPPoE
18.5 PPPoE
PPPoE OSI IP ARP
ARP PPPoE MAC
IP Web
ARP PPPoE ARP
WindowsXP PPPoE
PPPoE
- YuSong
- 243 -
RouterOS
1 RouterOS RB1000 RouterOS

x86PC nat
PPPoE
2 PPPoE PPPoE
PC 1000 PPPoE
PC
3 VLAN Trunk PPPoE

VLAN
AP
4 PPPoE Radius PPPoE

PPPoE Radius
RouterOS
Ping web
DNS /ip dns /ppp profile dns-server
PPPoE ( pings)
PPPoE mss 1440
- YuSong
- 244 -
RouterOS
[admin@MT] interface pppoe-server server> set 0 max-mtu=1440 max-mru=1440
[admin@MT] interface pppoe-server server> print
Flags: X - disabled
0
service-name="mt" interface=wlan1 max-mtu=1440 max-mru=1440

authentication=pap,chap,mschap1,mschap2 keepalive-timeout=10
one-session-per-host=yes max-sessions=0 default-profile=default
[admin@MT] interface pppoe-server server>
windows PPPoE MikroTik PPPoE server IP

PPPoE
server .
PPPoE PPPoE masquerading
, Proxy-ARP ( IP Address
Resolution Protocol (ARP) )
Windows XP PPPoE
XP pppoe "Service Name" MikroTik PPPoE service
nameline is busy"verifying password - unknown error"
/system logging facility ppp
PPTP
PPTP IP MikroTik RouterOS PPTP PPTP
LAN EoIP
/ LAN Windows PPTP
PPTP MikroTik RouterOS

Windows 2000
MikroTik Router PPTP
IP 10.5.8.104PPTP 10.1.0.172 PPTP MikroTik PPTP
PPTP
1.
- YuSong
- 245 -
RouterOS
[admin@PPTP-Server] ppp secret> add name=jack password=pass local-address=10.0.0.1
remote-address=10.0.0.2
2.
PPTP
[admin@PPTP-Server] interface pptp-server server> set enabled=yes
PPTP
1.
PPTP
[admin@PPTP-Client] interface pptp-client> add user=jack password=pass

connect-to=10.5.8.104 disabled=no
: ppp
: Level1 ( 1 ) , Level3 ( 1 ) , Level4 ( 200 )Level5
: /interface pptp-server, /interface pptp-client
: PPTP (RFC 2637)
PPTP windows
ISP Internet
PPTP PPP PPTP RADIUS

MPPE 40bit RC4 MPPE 128bit RC4
PPTP TCP 1723 IP GREIP ID 47PPTP TCP
1723 47 PPTP
19.1 PPTP
: /interface pptp-client
add-default-route (yes | no; default: no) -

allow (: mschap2, mschap1, chap, pap; default: mschap2, mschap1, chap, pap) -
connect-to (IP address) - PPTP IP

mru (; default: 1460) - MRU 401500
MRU 1460
mtu (; default: 1460) - MTU 401500
MTU 1460
name (; default: pptp-outN) -
password (; default: "") -
- YuSong
- 246 -
RouterOS
profile (; default: default) -
user () -
john john PPTP test2 10.1.1.12PPTP
[admin@MikroTik] interface pptp-client> add name=test2 connect-to=10.1.1.12 \

\... user=john add-default-route=yes password=john
[admin@MikroTik] interface pptp-client> print
0 X name="test2" mtu=1460 mru=1460 connect-to=10.1.1.12 user="john"
password="john" profile=default add-default-route=yes
[admin@MikroTik] interface pptp-client> enable 0
encoding () -/
status () - status of the client
Dialing
Verifying password... -
Connected -
Terminated -
uptime (time) -
: /interface pptp-client monitor
[admin@MikroTik] interface pptp-client> monitor test2

uptime: 4h35s
encoding: MPPE 128 bit, stateless
status: Connected
[admin@MikroTik] interface pptp-client>
19.2 PPTP
: /interface pptp-server server
PPTP PPTP PPTP Level1
PPTP Level3 Level4 200 Level5 Level6 PPTP
PPTP PPP secret PPP Profile MikroTik RADIUS
PPTP
authentication (: pap | chap | mschap1 | mschap2; default: mschap2) -

default-profile -
- YuSong
- 247 -
RouterOS
enabled (yes | no; default: no) - PPTP
keepalive-timeout (time; default: 30) -
2 * keepalive-timeout
mru (; default: 1460) - MRU 401500

MRU 1460
mtu (; default: 1460) - MTU 401500
MTU 1460
PPTP
[admin@MikroTik] interface pptp-server server> set enabled=yes

[admin@MikroTik] interface pptp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2,mschap1
keepalive-timeout: 30
default-profile: default
[admin@MikroTik] interface pptp-server server>
19.3 PPTP
Router to Router
PPTP
[HomeOffice]
- YuSong
- 248 -
RouterOS
LocalHomeOffice 10.150.2.254/24
ToInternet 192.168.80.1/24
[RemoteOffice]
ToInternet 192.168.81.1/24
LocalRemoteOffice 10.150.1.254/24
ISP
HomeOffice
HomeOffice PPTP /ppp secret
[admin@HomeOffice] ppp secret> add name=ex service=pptp password=123456

local-address=10.0.103.1 remote-address=10.0.103.2
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0
name="ex" service=pptp caller-id="" password="123456" profile=default

local-address=10.0.103.1 remote-address=10.0.103.2 routes==""
[admin@HomeOffice] ppp secret>
Winbox
interface pptp-server server pptp
[admin@HomeOffice] interface pptp-server server> set enabled=yes

[admin@HomeOffice] interface pptp-server server> print
enabled: yes
mtu: 1460
- YuSong
- 249 -
RouterOS
mru: 1460
authentication: mschap2
[admin@HomeOffice] interface pptp-server server>
Winbox ppp pptp server
RemoteOffice
RemoteOffice PPTP
[admin@RemoteOffice] interface pptp-client> add connect-to=192.168.80.1 user=ex \

\... password=123456 disabled=no
[admin@RemoteOffice] interface pptp-client> print
0 R name="pptp-out1" mtu=1460 mru=1460 connect-to=192.168.80.1 user="ex"
password="123456" profile=default add-default-route=no
[admin@RemoteOffice] interface pptp-client>
Winbox interface pptp-client
- YuSong
- 250 -
RouterOS
PPTP IP 10.0.103.1 10.0.103.2
pptp
pptp
PPTP
[admin@HomeOffice] > ip route add dst-address=10.150.1.0/24 gateway=10.0.103.2
- YuSong
- 251 -
RouterOS
[admin@RemoteOffice] > ip route add dst-address=10.150.2.0/24 gateway=10.0.103.1
PPTP HomeOffice routes RemoteOffice

/ip route

Flags: X - disabled
0

[admin@HomeOffice] ppp secret> set 0 routes="10.150.1.0/24 10.0.103.2 1"

Flags: X - disabled
0

routes="10.150.1.0/24 10.0.103.2 1"
[admin@HomeOffice] ppp secret>
10.150.1.0/24
pptp 10.0.103.2
Distance 1
Winbox routes
PPTP
[admin@RemoteOffice]> /ping 10.0.103.1

10.0.103.1 pong: ttl=255 time=3 ms
- YuSong
- 252 -
RouterOS
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms
PPTP LocalHomeOffice
[admin@RemoteOffice]> /ping 10.150.2.254

10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
ping interrupted
19.4 PPTP
PPTP
[RemoteOffice]
ToInternet 192.168.81.1/24
Office 10.150.1.254/24
PPTP
- YuSong
- 253 -
RouterOS
[admin@RemoteOffice] ppp secret> add name=ex service=pptp password=123456
[admin@RemoteOffice] ppp secret> print detail
Flags: X - disabled
0

[admin@RemoteOffice] ppp secret>
pptp
[admin@RemoteOffice] interface pptp-server server> set enabled=yes

[admin@RemoteOffice] interface pptp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
[admin@RemoteOffice] interface pptp-server server>
1 ARP 'Office' arp

DHCP
[admin@RemoteOffice] interface ethernet> set Office arp=proxy-arp

[admin@RemoteOffice] interface ethernet> print
#
NAME
0 R ToInternet
1 R Office
MTU
MAC-ADDRESS
ARP
1500 00:30:4F:0B:7B:C1 enabled

1500 00:30:4F:06:62:12 proxy-arp
[admin@RemoteOffice] interface ethernet>
winbox interface office arp proxy-arp
- YuSong
- 254 -
RouterOS
2 nat masquerade
[admin@RemoteOffice] /ip firewall nat> add chain=srcnat action=masquerade

[admin@RemoteOffice] /ip firewall nat> print
0
chain=srcnat action=masquerade
winbox masquerade
Windows PPTP
Windows NT200098SE 98 PPTP Windows 98SE2000 ME Windows
PPTP 95NT 98 Microsoft ISP Windows
PPTP
PPTP (VPN) - Windows 98SE

- YuSong
- 255 -
RouterOS
VPNPPTP'Dial-up Networking' 'Create a new connection' VPN
VPN VPN IP IP
'new'
'connect' 9 'NetBEUI', 'IPX/SPX compatible'
'Log on to network''connect' 2
Windows 98SE VPN 'Start''Setting''Control Panel''Add/Remove
Program''Windows setup' 'Communications''Details''Virtual
Private Networking'
PPTP
TCP 1723 TCP 47
PPTP L2TP
PPTP L2TP PPP
PPTP IP L2TP PPTP

L2TP L2TPL2TP
overhead 4 PPTP 6 L2TP
PPTP L2TP PPTP IPSEC IPSEC 2
20.1 PPTP L2TP

PPTP L2TP PPP PPTP L2TP
- YuSong
- 256 -
RouterOS
Profile VPN Autentication

VPN PPTP L2TP IP
172.16.0.10-172.16.0.100 172.16.0.11 VPN IP
ip pool
PPP Profiles VPN IP 172.16.0.1

remote-address VPN DNS 172.16.0.1,
- YuSong
- 257 -
RouterOS
limits Idle-timeoutRate-limit Only-one
PPP secret service cdnat pptp

L2TP PPTP profile VPN
- YuSong
- 258 -
RouterOS
PPTP L2TP RouterOS VPN windows PPTP

RouterOS VPN L2TP windows L2TP IPsec
windows
L2TP Windows
L2TP Windows XP L2TP L2TP IPSec Windows XP
1) Windows XP Regedt32
HKEY_Local_Machine \ System \ CurrentControl Set \ Services \ RasMan \Parameters
2)
ProhibitIpSec
reg_dword
windows L2TP
20.2 VPN
MikroTik VPN VPN
VPN VPN VoIP ISP VoIP
VPN
- YuSong
- 259 -
RouterOS
VPN PPTPL2TP IPIP

PPP IP PPP IP
IP PPTP
PPTP L2TP
- YuSong
- 260 -
RouterOS
RouterOS PPTP L2TP windows
VoIP IP
Open VPN
OpenVPN Linux WindowsRouterOS v3.x OpenVPN
ppp RouterOS OpenVPN tcp udp
Windows GUI windows OpenVPN GUI
http://www.openvpn.se/download.html .
OpenVPN SSL linux OpenVPN
http://cacert.org
21.1 OVPN
OVPN OVPN
OVPN linux
- YuSong
- 261 -
RouterOS
file list
system certificates crt key
- YuSong
- 262 -
RouterOS
import ca.crt
ca.key KR key
OVPN enable OVPN certificate cer1

1194
- YuSong
- 263 -
RouterOS
require-client-certificate
- YuSong
- 264 -
RouterOS
OVPN 192.168.10.2-192.168.10.254
IP
ppp profile local-address=192.168.10.1 remote-address=OVPN
/ppp secret
- YuSong
- 265 -
RouterOS
OVPN
OVPN 2 OVPN
OVPN Server WAN 10.200.15.228

OVPN Client WAN 10.200.15.30
WAN OVPN OVPN Client ovpn-client PPP interface
ovpn-client
- YuSong
- 266 -
RouterOS
Dial-out Connect-to=10.200.15.228user=123password=123
OVPN DR
- YuSong
- 267 -
RouterOS
OVPN Client R
21.2 OVPN bridge

RouterOS bridge OVPN ethernet
OVPN Server OVPN Client ethernet
- YuSong
- 268 -
RouterOS
bridge
ports ether2-lan
- YuSong
- 269 -
RouterOS
ppp profile default-encryption bridge bridge1
OVPN Client OVPN Server bridge port 123

port
- YuSong
- 270 -
RouterOS
OVPN Server ether2-lan ovpn-123
OVPN Client
ovpn-out1 mode ethernet
OVPN Client bridge bridge1 port ether2-lan

ovpn-out1 bridge1
- YuSong
- 271 -
RouterOS
EoIP
nat nat Server Client nat
/ip firewall nat add out-interface=ether1-wan action=masquerade
SSTP
Secure Socket Tunneling Protocol (SSTP) SSL3.0 PPP
TCP 443
SSL SSTP
SSTP PPTP L2TP
PPTP L2TP VPN
NATWEB PROXY
PPTP
TCP GRE
ISP
; NAT NAT GRE
PPTP TCP GRE ;WEB PROXY
PPTP
L2TP OVER IPSEC IKE ESP
WEB PROXY L2TP OVER IPSEC
SSTP VPN VPN SSL3.0
SSTP TCP 443
SSTP
/interface sstp-client
add-default-route (yes | no; : no) SSTP

authentication (mschap2 | mschap1 | chap | pap; : mschap2, mschap1, chap, pap)
certificate ( | none; : none)
comment (; : )
connect-to (IP:Port; : 0.0.0.0:443) SSTP
dial-on-demand (yes | no; : no)
disabled (yes | no; : yes)
keepalive-timeout ( | ; : 60)
max-mru (; : 1500)
max-mtu (; : 1500)
mrru (disabled | ; : disabled) MTU
IP
name (; : )
password (; : "")
profile (name; Default: default-encryption) PPP profile
proxy (IP:Port; : 0.0.0.0:443)HTTP
- YuSong
- 272 -
RouterOS
user (; : )
SSTP 10.1.101.1sstp-test123
[admin@MikroTik] /interface sstp-client>add user=sstp-test password=123 \
\... connect-to=10.1.101.1 disabled=no
[admin@MikroTik] /interface sstp-client> print
0 R name="sstp-out1" max-mtu=1500 max-mru=1500 mrru=disabled connect-to=10.1.101.1:443
user="sstp-test" password="123" proxy=0.0.0.0:443 profile=default
certificate=none keepalive-timeout=60 add-default-route=no dial-on-demand=no
authentication=pap,chap,mschap1,mschap2
SSTP
: /interface sstp-server
SSTP PPTP
PPP PPP
: /interface sstp-server server
authentication (pap | chap | mschap1 | mschap2; : pap,chap,mschap1,mschap2)
certificate (; : none)SSTP SSTP

default-profile (; : default) Profile
enabled (yes | no; : no) SSTP
keepalive-timeout ( | disabled; : 60) Keepalive
max-mru (; : 1500)
max-mtu (; : 1500)
mrru ( | ; : disabled) MTU
IP
require-client-certificate (yes | no; : no) yes
SSTP
- YuSong
- 273 -
RouterOS
[admin@MikroTik] /interface sstp-server server> set certificate=server
[admin@MikroTik] /interface sstp-server server> set enabled=yes
[admin@MikroTik] /interface sstp-server server> print
enabled: yes
port: 443
max-mtu: 1500
max-mru: 1500
mrru: disabled
certificate: server
require-client-certificate: no
authentication: pap,chap,mschap1,mschap2
[admin@MikroTik] /interface sstp-server server>
Monitor
[admin@dzeltenais_burkaans] /interface sstp-server> monitor 0
status: "connected"
uptime: 17m47s
idle-time: 17m47s
user: "sstp-test"
caller-id: "10.1.101.18:43886"
mtu: 1500
status () SSTP connected

uptime ()
idle-time ()
user ()
mtu () MTU
caller-id (IP:ID) IP
22.1
SSTP SSTP
IP ( EoIP )
- YuSong
- 274 -
RouterOS
Office ether1 ether2 office

IP ( IP 192.168.80.1).
SSTP windows2008
OVPN
[admin@RemoteOffice] ppp secret> add name=Laptop service=sstp password=123

Flags: X - disabled
0
name="Laptop" service=sstp caller-id="" password="123" profile=default

[admin@RemoteOffice] ppp secret>
SSTP local-address remote-address

(10.1.101.0/24).
SSTP
[admin@RemoteOffice] /interface sstp-server server> set certificate=server
[admin@RemoteOffice] /interface sstp-server server> set enabled=yes
[admin@RemoteOffice] /interface sstp-server server> print
enabled: yes
port: 443
max-mtu: 1500
max-mru: 1500
mrru: disabled
- YuSong
- 275 -
RouterOS
certificate: server
[admin@RemoteOffice] /interface sstp-server server>
SSTP IP IP 192.168.80.1.
SSTP SSTP windows2008,windows vista
vista sp1
SSTP
[admin@RemoteOffice] /interface sstp-server> print
#
NAME
USER
0 DR <sstp-... Laptop
MTU
CLIENT-ADDRESS
UPTIME
1500
10.1.101.18:43886 1h47s
ENCODING
[admin@RemoteOffice] /interface sstp-server>monitor 0

status: "connected"
uptime: 1h45s
idle-time: 1h45s
user: "Laptop"
caller-id: "192.168.99.1:43886"
mtu: 1500
SSTP ping timeout

ARP arp proxy-arp
[admin@RemoteOffice] /interface ethernet> set ether2 arp=proxy-arp
[admin@RemoteOffice] /interface ethernet> print
#
NAME
MTU
MAC-ADDRESS
ARP
0 R ether1
1500 00:30:4F:0B:7B:C1 enabled
1 R ether2
1500 00:30:4F:06:62:12 proxy-arp
proxy-arp ping
22.2 SSTP
SSTP
- YuSong
- 276 -
RouterOS
Office Home ether1 ether2

BCP SSTP
[admin@RemoteOffice] /ppp secret> add name=Home service=sstp password=123

local-address=172.16.1.1 remote-address=172.16.1.2 routes="10.1.202.0/24 172.16.1.2 1"
Flags: X - disabled
0
name="Home" service=sstp caller-id="" password="123" profile=default

local-address=172.16.1.1 remote-address=172.16.1.2 routes=="10.1.101.0/24 172.16.1.1
1"
[admin@RemoteOffice] /ppp secret>
SSTP
SSTP Office Home SSTP

[admin@RemoteOffice] /interface sstp-server server> set certificate=server
[admin@RemoteOffice] /interface sstp-server server> set enabled=yes
[admin@RemoteOffice] /interface sstp-server server> print
enabled: yes
port: 443
max-mtu: 1500
max-mru: 1500
mrru: disabled
certificate: server
- YuSong
- 277 -
RouterOS
Home SSTP
[admin@Home] /interface sstp-client> add user=Home password=123 connect-to=192.168.80.1
disabled=no
[admin@Home] /interface sstp-client> print
0 R name="sstp-out1" max-mtu=1500 max-mru=1500 mrru=disabled connect-to=192.168.80.1:443
user="Home" password="123" proxy=0.0.0.0:443 profile=default certificate=none
keepalive-timeout=60 add-default-route=no dial-on-demand=no
authentication=pap,chap,mschap1,mschap2
[admin@Home] /interface sstp-client>
Home Office
[admin@Home] /ip route> add dst-address=10.1.101.0/24 gateway=172.16.1.1
ping
EoIP
EoIPEthernet over IP IP MikroTik RouterOS
EoIP
EoIP
LAN
LAN
802.11b 'ad-hoc' LAN
IP 10.5.8.1 10.1.0.1 EoIP

1.
IP 10.5.8.1 EoIP MAC
/interface eoip add remote-address=10.1.0.1 tunnel-id=1 mac-address=00-00-5E-80-00-01

disabled=no
2.
IP 10.1.0.1 EoIP MAC
/interface eoip add remote-address=10.5.8.1 tunnel-id=1 mac-address=00-00-5E-80-00-02

disabled=no
- YuSong
- 278 -
RouterOS
IP EoIP
: system
: Level3
: /interface eoip
EoIP IP EoIP IPIP PPTP 128bit PPPoE IP
ID
EoIP
IP
EoIP GREIP 47 EoIP
EoIP 65536
WDS EoIP 10-20% RouterBOARD 500

WDS
23.1 EoIP
: /interface eoip
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) -
mac-address (MAC ) - EoIP MAC 00-00-5E-80-00-00
00-00-5E-FF-FF-FF MAC
mtu (; default: 1500) -
name (; : eoip-tunnelN)
remote-address - EoIP IP MikroTik
tunnel-id ()
tunnel-id tunnel-id
tunnel-id
mtu 1500
EoIP MAC EoIP

00-00-5E-80-00-00 00-00-5E-FF-FF-FF MAC IANA
MAC
to_mt2 10.5.8.1 EoIP tunnel-id 1
[admin@MikroTik] interface eoip> add name=to_mt2 remote-address=10.5.8.1 \

\... tunnel-id 1
[admin@MikroTik] interface eoip> print
0 X name="to_mt2" mtu=1500 arp=enabled remote-address=10.5.8.1 tunnel-id=1
- YuSong
- 279 -
RouterOS
[admin@MikroTik] interface eoip> enable 0

[admin@MikroTik] interface eoip> print
0 R name="to_mt2" mtu=1500 arp=enabled remote-address=10.5.8.1 tunnel-id=1
[admin@MikroTik] interface eoip>
23.2 EoIP
officeA officeB Eoip 2
OfficeA IP 222.212.61.208 10.0.0.1
OfficeB IP 222.212.59.45 10.0.0.2
1 Eoip Tunnel ID 8 Interface Eoip
- YuSong
- 280 -
RouterOS
officeB Eoip
2OfficeA OfficeB officeA interface Eoip Tunnel

Eoip
bridge bridge bridge1 port ether5 Eoip officeA

Bridge1
- YuSong
- 281 -
RouterOS
3 ip address IP 10.0.0.1/24 OfficeB 10.0.0.2/24
NAT EoIP
EOIP out-interface WAN
ping EoIP
EoIP MAC MAC
- YuSong
- 282 -
RouterOS
IPSec
IPSec
(replay)
IP IP
AHESP Internet IKE
IP AH ESP
IKE AH ESP
IPSec
IPSec IPSec
24.1 IPSec
RouterOS IPsec VPN
IPsec VPN :
192.168.88.1/24--R1---192.168.11.11/24 -------- 192.168.11.18/24---R2---192.168.103.1/24
R1
ip address :
- YuSong
- 283 -
RouterOS
ip routes
- YuSong
- 284 -
RouterOS
ip ipsec policies general ipsec
action tunnel
ip ipsec peers ip secert
- YuSong
- 285 -
RouterOS
ip firewall nat
- YuSong
- 286 -
RouterOS
nat chain srcnat
- YuSong
- 287 -
RouterOS
action masquerade
R1 winbox R1 R2
R2
ip address :
- YuSong
- 288 -
RouterOS
ip routes
- YuSong
- 289 -
RouterOS
ip ipsec policies general ipsec :
action tunnel :
ip ipsec peers ip secert
- YuSong
- 290 -
RouterOS
ip firewall nat
action accept
- YuSong
- 291 -
RouterOS
nat :
acion masquerade
- YuSong
- 292 -
RouterOS
R2
NAT accept masquerade
24.2 Windows L2TP/IPsec

Microsoft Windows XP/Vista/win7 PPTP L2TP/IPSec PPTP IPsec
windows L2TP/IPsec IPsec L2TP
windows windows IPsec
windows L2TP/IPsec RouterOS RouterOS IPsec
Windows L2TP/IPSec IPSes IPSec L2TP
IPSec L2TP IPSec
- YuSong
- 293 -
RouterOS
RouterOS IP 10.200.15.228 PC IP 10.200.15.59, 10.200.15.60

PC IP IPsec nat
L2TP IP
IPSec
IPsec windows PC IP L2TP IP /ip ipsec
security peer address PC IP secret yusongHash-algorithm
shagenerate-policy
10.200.15.60 peer
/ip ipsec peer add address=10.200.15.59:500 auth-method=pre-shared-key \
- YuSong
- 294 -
RouterOS
secret=yusong hash-algorithm=sha enc-algorithm=3des generate-policy=yes

/ip ipsec peer add address=10.200.15.60:500 auth-method=pre-shared-key \
secret=yusong hash-algorithm=sha enc-algorithm=3des generate-policy=yes
IPSec peer
o
address=10.200.15.59 windows
:500 ;
hash-algorithm=sha enc-algorithm=3des windows
generate-policy=yes IPSec
RouterOS
RouterOS L2TP PPTP PPP L2TP
/ interface l2tp-server server set enabled=yes

ip pool
- YuSong
- 295 -
RouterOS
/ip pool add name=L2TP ranges=192.168.10.2-192.168.10.254

/ppp profile default-encryption :
DNS limit rate-limitonly one
- YuSong
- 296 -
RouterOS
/ppp profile> set 1 local-address=192.168.10.1 remote-address=L2TP

/ppp secret
/ ppp secret add name=123 password=123 profile=default-encryption

L2TP
Windows
Windows 2 IPSec
Win7
\ Internet\
VPN
10.200.15.228
VPN
- YuSong
- 297 -
RouterOS
10.200.15.228
VPN ipsec 2 L2TP/IPSec
- YuSong
- 298 -
RouterOS
yusong
123 123
- YuSong
- 299 -
RouterOS
remote peers IP
Policies
Installed SAs L2TP Installed SAs

Flush
PPP active
- YuSong
- 300 -
RouterOS
Bonding
Bonding
Bongding IP
25.1 Bonding
2 Router1 Router2
bonding
1. IP bonding
2. Router1 bonding
[admin@Router1] interface bonding> add slaves=ether1,ether2
Router2
[admin@Router2] interface bonding> add slaves=ether1,ether2
3. bonding
[admin@Router1] ip address> add address=172.16.0.1/24 interface=bonding1

[admin@Router2] ip address> add address=172.16.0.2/24 interface=bonding1
4. Router1
[admin@Router1] interface bonding> /pi 172.16.0.2

172.16.0.2 ping timeout
172.16.0.2 64 byte ping: ttl=64 time=2 ms
- YuSong
- 301 -
RouterOS
bonding
: system
: Level1
: /interface bonding
link-monitoring :
MII ( Media Independent Interface) type1 or type2 -

NIC
ARP arp-interval
link-monitoring
arp (disabled | enabled | proxy-arp | reply-only; : enabled)

disabled ARP
enabled ARP
proxy-arp ARP
reply-only /ip arp MAC
arp-interval (time; : 00:00:00.100) ARP

arp-ip-targets (IP ; : "") IP link-monitoring arp IP
IP
down-delay (; : 00:00:00) bonding down-delay
lacp-rate (1sec | 30secs; : 30secs) bonding

LACPDUs LACP
link-monitoring (arp | mii-type1 | mii-type2 | none; : none) (
)
arp
mii-type1 MII type1 bonding up
bonding
mii-type2 MII type2 mii-type1 NIC
none
mac-address (: MAC address) bonding MAC

mii-interval (; : 00:00:00.100)
link-monitoring mii-type1 mii-type2
mode (802.3ad | active-backup | balance-alb | balance-rr | balance-tlb | balance-xor | broadcast;
: balance-rr)
802.3ad - IEEE 802.3ad slave
bonding IEEE 802.3adactive-backup
slave slave
balance-alb balance-tlb MAC
balance-rr bonding Slaves

balance-tlb slave salve slave
- YuSong
- 302 -
RouterOS
slave MAC
balance-xor XOR
broadcast
mtu (: 68..1500; : 1500) btyes

name () bonding
primary (; : none)
mode=active-backup
slaves () 2 ethernet bonding
up-delay (; : 00:00:00) bonding up-delay
bonding
25.2 EoIP Bonding

MikroTik 2 2 ISP
2
2 ISP Internet
office1
[admin@office1] > /interface print

#
TYPE
MTU
0 R isp1
NAME
ether
1500
1 R isp2
ether
1500
[admin@office1] > /ip address print

#
ADDRESS
1.1.1.1/24
10.1.0.111/24
NETWORK
BROADCAST
1.1.1.0
1.1.1.255
10.1.0.0
INTERFACE
isp2
10.1.0.255
isp1
Office2
[admin@office2] interface> print

#
NAME
TYPE
- YuSong
MTU
- 303 -
RouterOS
0 R isp2
ether
1500
1 R isp1
ether
1500
[admin@office2] interface> /ip add print

#
ADDRESS
2.2.2.1/24
10.1.0.112/24
NETWORK
BROADCAST
2.2.2.0
2.2.2.255
10.1.0.0
10.1.0.255
INTERFACE
isp2
isp1
EoIP bonding bonding
2 Office1 ISP1 EoIP
[admin@office1] > interface eoip add remote-address=10.1.0.112 tunnel-id=2

\... mac-address=FE:FD:00:00:00:04
[admin@office1] > interface eoip print
0 R name="eoip-tunnel2" mtu=1500 mac-address==FE:FD:00:00:00:04 arp=enabled
\... remote-address=10.1.0.112 tunnel-id=2
Office2 ISP1 EoIP

[admin@office2] > interface eoip print
0 R name="eoip-tunnel2" mtu=1500 mac-address=FE:FD:00:00:00:02 arp=enabled
\... remote-address=10.1.0.111 tunnel-id=2
Office1 ISP2 EoIP

[admin@office1] interface eoip> print
remote-address=2.2.2.1 tunnel-id=1

Office2 ISP2 EoIP

[admin@office2] interface eoip> print
- YuSong
- 304 -
RouterOS

Bonding Office1
[admin@office1] interface bonding> add slaves=eoip-tunnel1,eoip-tunnel2

[admin@office1] interface bonding> print
0 R name="bonding1" mtu=1500 mac-address=00:0C:42:03:20:E7 arp=enabled
slaves=eoip-tunnel1,eoip-tunnel2 mode=balance-rr primary=none link-monitoring=none
arp-interval=00:00:00.100 arp-ip-targets="" mii-interval=00:00:00.100 down-delay=00:00:00
up-delay=00:00:00 lacp-rate=30secs
[admin@office1] ip address> add address=3.3.3.1/24 interface=bonding1
[admin@office1] ip address> print
#
ADDRESS
1.1.1.1/24
10.1.0.111/24
3.3.3.1/24
NETWORK
BROADCAST
1.1.1.0
1.1.1.255
10.1.0.0
3.3.3.0
10.1.0.255
3.3.3.255
INTERFACE
isp2
isp1
bonding1
Office2
[admin@office2] interface bonding> add slaves=eoip-tunnel1,eoip-tunnel2

[admin@office2] interface bonding> print
0 R name="bonding1" mtu=1500 mac-address=00:0C:42:03:20:E7 arp=enabled
slaves=eoip-tunnel1,eoip-tunnel2 mode=balance-rr primary=none
link-monitoring=none arp-interval=00:00:00.100 arp-ip-targets=""
mii-interval=00:00:00.100 down-delay=00:00:00 up-delay=00:00:00
lacp-rate=30secs
[admin@office2] ip address> add address=3.3.3.2/24 interface=bonding1
[admin@office2] ip address> print
#
ADDRESS
2.2.2.1/24
10.1.0.112/24
3.3.3.2/24
NETWORK
BROADCAST
2.2.2.0
2.2.2.255
10.1.0.0
3.3.3.0
10.1.0.255
3.3.3.255
INTERFACE
isp2
isp1
bonding1
[admin@office2] ip address> /ping 3.3.3.1

- YuSong
- 305 -
RouterOS
bonding RouterOS
VLAN
VLAN 802.1Q VLAN LAN LAN
4095 VLAN VLAN ID Cisco
VLAN LAN VLAN
: system
: Level1 (limited to 1 vlan) , Level3
: /interface vlan
: VLAN (IEEE 802.1Q)
VLAN
VLAN VLAN
MikroTik RouterOS ( Cisco IOS Linux)
VLAN OSI VLAN MikroTik
RouterOS forward-protocols ip, arp other
VLAN VLAN VLAN
MAC VLAN
VLAN VLAN
VLAN VLAN
Realtek 8139
Intel PRO/100
Intel PRO1000 server adapter
National Semiconductor DP83816 based cards (RouterBOARD200 onboard Ethernet, RouterBOARD

24 card)
National Semiconductor DP83815 (Soekris onboard Ethernet)
VIA VT6105M based cards (RouterBOARD 44 card)
VIA VT6105
VIA VT6102 (VIA EPIA onboard Ethernet)
VLAN >1496
- YuSong
- 306 -
RouterOS
3Com 3c59x PCI
DEC 21140 (tulip)
26.1 VLAN
: /interface vlan
arp (disabled | enabled | proxy-arp | reply-only; : enabled)

disabled ARP
enabled - ARP l
proxy-arp ARP
reply-only - IPD MAC /ip arp
interface () - VLAN
mtu (; : 1500)
name () -
vlan-id (; : 1) - LAN VLAN VLAN
MTU 1500 / VLAN

1500 +4 VLAN +14
MTU1496 MTU
MTU1496
ether1 test
vlan-id=1 VLAN
[admin@MikroTik] interface vlan> add name=test vlan-id=1 interface=ether1

[admin@MikroTik] interface vlan> print
#
NAME
0 X test
MTU ARP
VLAN-ID INTERFACE
1500 enabled
ether1
[admin@MikroTik] interface vlan> enable 0

#
NAME
0 R test
MTU ARP
1500 enabled
VLAN-ID INTERFACE
1
ether1
[admin@MikroTik] interface vlan>
26.2 VLAN
hub MikroTik RouterOS VLAN ether1
VLAN IP ping
VLAN
- YuSong
- 307 -
RouterOS
[admin@MikroTik] interface vlan> add name=test vlan-id=32 interface=ether1
#
NAME
0 R test
MTU ARP
VLAN-ID INTERFACE
1500 enabled
32
ether1
[admin@MikroTik] interface vlan>
VLAN
IP VLAN
Router 1 :
[admin@MikroTik] ip address> add address=10.10.10.1/24 interface=test

#
ADDRESS
NETWORK
BROADCAST
INTERFACE
10.0.0.204/24
10.0.0.0
10.0.0.255
ether1
10.20.0.1/24
10.20.0.0
10.20.0.255
pc1
10.10.10.1/24
10.10.10.0
10.10.10.255
test
Router 2 :
[admin@MikroTik] ip address> add address=10.10.10.2/24 interface=test

#
ADDRESS
NETWORK
BROADCAST
10.0.0.201/24
10.0.0.0
10.0.0.255
10.10.10.2/24
10.10.10.0
10.10.10.255
INTERFACE
ether1
test
Router 1 ping Router 2
[admin@MikroTik] ip address> /ping 10.10.10.1

10.10.10.1 64 byte pong: ttl=255 time=3 ms
[admin@MikroTik] ip address> /ping 10.10.10.2
- YuSong
- 308 -
RouterOS
round-trip min/avg/max = 10/11/13 ms
26.3 VLAN PPPoE

VLAN track PPPoE VLAN
VLAN RouterOS VLAN PPPoE
VLAN PPPoE-Server VLAN PPPoE
interface VLAN PPPoE
- YuSong
- 309 -
RouterOS
Web
MikroTik RouterOS
HTTP
URL
()
()
1GiB web 8000
[admin@MikroTik] ip proxy> set enabled=yes port=8000 max-cache-size=1048576

[admin@MikroTik] ip proxy> print
enabled: yes
src-address: 0.0.0.0
port: 8000
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-drive: system
cache-administrator: "webmaster"
max-cache-size: 1048576KiB
cache-on-disk: no
max-client-connections: 600
max-server-connections: 600
max-fresh-time: 3d
serialize-connections: no
always-from-cache: no
cache-hit-dscp: 4
[admin@MikroTik] ip proxy>
NAT
[admin@MikroTik] ip firewall nat> add chain=dstnat protocol=tcp dst-port=80 action=redirect

to-ports=8000
[admin@MikroTik] ip firewall nat>
: web-proxy
: Level3
: /ip proxywinboxip web-proxy
: HTTP/1.0, HTTP/1.1, FTP
: ()
- YuSong
- 310 -
RouterOS
HTTP HTTP FTPHTTP HTTPS Web
HTTP FTP Web
web HTTP FTP mp3
cache-administrator (; default: webmaster) e-mail

cache-drive (system | name; default: system) -
cache-only-on-disk (yes | no; default: yes) -
enabled (yes | no; default: no) -

max-disk-cache-size (none | unlimited | : 0..4294967295; default: none) -
kb
max-fresh-time (; default: 3d) -
maximal-client-connecions (; default: 1000) -

maximal-server-connectons (; default: 1000) -
max-object-size (; default: 2000KiB) - kb

2MiB 2048 1KiB
max-ram-cache-size (none | unlimited | : 0..4294967295; default: none) - RAM

kb
parent-proxy (IP address:port; default: 0.0.0.0:0) - IP HTTP
"direct access"
0.0.0.0:0
port (port; default: 8080) - TCP HTTP
NAT IP HTTP
src-address (IP address; default: 0.0.0.0) - Web web
0.0.0.0 src-address
web IP IP
8000
[admin@MikroTik] ip proxy> set enabled=yes port=8000

[admin@MikroTik] ip proxy> print
enabled: yes
port: 8000
parent-proxy: 0.0.0.0:0
cache-drive: system
- YuSong
- 311 -
RouterOS
cache-administrator: "dmitry@mikrotik.com"
max-disk-cache-size: none
max-ram-cache-size: 100000KiB
cache-only-on-disk: yes
maximal-client-connections: 1000
maximal-server-connections: 1000
max-object-size: 2000KiB
max-fresh-time: 3d
[admin@MikroTik] ip proxy>
27.1
: /ip proxy access
6
action
action (allow | deny; default: allow) -

dst-address (IP address/netmask) - IP
dst-host (wildcard) - IP DNS
dst-port (port{1,10}) -
hits (: ) -
local-port (port) - web web
method (any | connect | delete | get | head | options | post | put | trace) - HTTP
HTTP
path (wildcard) -
redirect-to () - URL
src-address (IP address/netmask) - IP
dst-host
dst-path"example"
"example.com"'*''?'
(':')
\\ \
\. . ()
[ or ]
- YuSong
- 312 -
RouterOS
IP internal-use-onlyweb
Firewall Manual
27.2
: /ip proxy direct
parent-proxy
action

allow -
deny - allow
dst-address (IP address/netmask) - IP
dst-port (port{1,10}) -
hits (: ) -
local-port (port) - web web
method (any | connect | delete | get | head | options | post | put | trace) - HTTP (
HTTP )
path (wildcard) - web
src-address (IP address/netmask) - IP
deny
27.3
: /ip web-proxy cache
web web

allow
deny
dst-address (IP /) - IP
dst-port ({1,10}) -
hits (: ) -
local-port () - web web
- YuSong
- 313 -
RouterOS
method (any | connect | delete | get | head | options | post | put | trace) - HTTP (
HTTP )
path (wildcard) - web
src-address (IP /) - IP
27.4
: /ip proxy monitor
cache-used (: ) -
hits (: )
hits-sent-to-clients (: )
ram-cache-used (: ) RAM
received-from-servers (: )
requests (: )
sent-to-clients (: )
status (: ; default: stopped)
stopped
rebuilding-cache
running -
stopping - 10s
clearing-cache
creating-cache
dns-missing DNS /ip dns
invalid-address -
invalid-cache-administrator - e-mail
invalid-hostname
error-logged
reserved-for-cache () web
total-ram-used (: ) RAM
uptime (: ) -
27.5
: /ip proxy connections
dst-address (: IP ) IP
protocol (: )
rx-bytes (: ) -
- YuSong
- 314 -
RouterOS
src-address (: IP ) IP
state (: closing | connecting | converting | hotspot | idle | resolving | rx-header | tx-body | tx-eof |
tx-header | waiting | )
closing -
connecting - toe
hotspot hotspot hotspot
idle -
resolving DNS
rx-header HTTP
tx-body HTTP
tx-eof - ()
tx-header HTTP
waiting
tx-bytes (: ) -
27.6
: /ip proxy inserts
()
denied (: ) -
errors (: )
no-memory (: )
successes (: ) -
too-large (: )
27.7
: /ip proxy lookups
denied (: ) -
expired (: ) -
no-expiration-info (: ) -
non-cacheable (: ) -
not-found (: ) -
successes (: ) -
: /ip proxy
- YuSong
- 315 -
RouterOS
web
check-drive -
clear-cache -
format-drive -
27.8 HTTP
OPTIONS
Request-URI
GET
Request-URI Request-URI GET
If-Modified-SinceIf-Unmodified-SinceIf-Match If-None-Match If-Range

GET GET GET
Range GET GET GET
HTTP GET
HEAD
GET
HEAD Request-URI
POST
Request-URI
POST Request-URI
POST Cache-Control Expires
PUT
Request-URI Request-URI
Request-URI
URI
- YuSong
- 316 -
RouterOS
Request-URI
TRACE
200OK
0 Max-Forwards
TRACE
27.9 Web
web-proxy
web-proxy
[admin@MikroTik] /ip proxy> prin

enabled: yes
port: 8080
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-drive: system
cache-administrator: "webmaster"
max-cache-size: none
cache-on-disk: no
max-client-connections: 1200
max-server-connections: 1200
max-fresh-time: 1d
serialize-connections: no
always-from-cache: no
cache-hit-dscp: 4
- YuSong
- 317 -
RouterOS
80 web-proxy 8080
/ip firewall nat

chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080
Proxy
/ip firewall filter

chain=input in-interface=<Your WAN Port> src-address=0.0.0.0/0 protocol=tcp dst-port=8080
action=drop
http://www.163.com
/ip proxy access

dst-host=www.163.com action=deny
.mp3, .exe, .dat, .avi
- YuSong
- 318 -
RouterOS
/ip proxy access
path=*.exe action=deny
path=*.mp3 action=deny
path=*.zip action=deny
path=*.rar action=deny
mail
/ip proxy access

dst-host=:mail action=deny
MetaRouter
RouterOS v3.30 Xen v3.30 KVM Xen RouterOS v4.0 2
MetaRouter KVM
Metarouter
MetaRouter MikroTik RouterBOARD 400 (mips-be) RouterOS
MikroTik MetaRouter MetaRouter
Xen
Xen
- YuSong
- 319 -
RouterOS
Xen Linux Xen RouterOS x86 PCXen
KVM
Kernel-based Virtual MachineKVM x86 RouterOS PC
KVM CPU
Intel VT-x AMD-V
16MB
28.1
Xen MetaRouter
VOIP
LDAP
RouterOS MailHttpFtp
VPN
VPN
ISP
WISP
()
The Dude
28.2 MetaRouter
MetaRouter RouterOS 4.0beta1 3.21 MetaRouter, RB400
Metarouter
RouterOS Metarouter 16M RAM16M
Metarouter RAM
- YuSong
- 320 -
RouterOS
8 Metarouter 16 8
MetaRouter VLAN MetaRouter
MetaRouter
ISP
/metarouter
add
print
enable
disable
console
interface
MetaRouter
[admin@RB_Meta] /metarouter> add name=mr0 memory-size=32 disk-size=32000 disabled=no

[admin@RB_Meta] /metarouter> print
Flags: X - disabled
#
NAME
MEMORY-SIZE DISK-SIZE
mr0
16MiB
0kiB
USED-DISK
377kiB
STATE
running
name:
memory-size: RAM
disk-size: HDD KB 0, ) *
used-disk: currently used disk space
state: MetaRouter
MetaRouter HDD HDD
MetaRouter HDD 16M RAM
[admin@RB_Meta] /metarouter> add name=mr1

[admin@RB_Meta] /metarouter> print
Flags: X - disabled
#
NAME
mr1
16MiB
0kiB
USED-DISK
3kiB
STATE
running
Interface Interface
[admin@MikroTik] /metarouter> interface add
- YuSong
- 321 -
RouterOS
comment
disabled
dynamic-mac-address type
copy-from dynamic-bridge static-interface
virtual-machine
vm-mac-address
[admin@MikroTik] /metarouter> interface add virtual-machine=mr1 type=dynamic
interface
[admin@MikroTik] > /interface print

#
NAME
TYPE
MTU
8 R ether9
ether
1500
9 R test
bridge
1500
10 DR vif1
vif
1500
console :
/metarouter console 0
[admin@mr0] > interface print

#
NAME
TYPE
0 R ether1
ether
MTU
1500
MetaRouter CTRL + A Q
[admin@MikroTik] >
[Q - quit connection]
[A - send Ctrl-A prefix]
[B - send break]
[R - autoconfigure rate]
Welcome back!
28.3 MetaRouter
- YuSong
- 322 -
RouterOS
interface vif1 metarouter

ether1 2 IP bridge
winbox
MetaRouter RouterOS RB450

MetaRouter Client
MetaRouter nat
- YuSong
- 323 -
RouterOS
1. MetaRouter
[admin@CDNAT] /metarouter> add name=client1 memory-size=16

[admin@CDNAT] /metarouter> print
Flags: X - disabled
#
NAME
client1
16MiB
0kiB
USED-DISK
221kiB
STATE
running
[admin@CDNAT] /metarouter>
- YuSong
- 324 -
RouterOS
2. MetaRouter
[admin@CDNAT] /metarouter interface> add virtual-machine=client1

[admin@CDNAT] /metarouter interface> add virtual-machine=client1
[admin@CDNAT] /metarouter interface> print
Flags: X - disabled, A - active
#
VIRTUAL-MACHINE
TYPE
VM-MAC-ADDRESS
0 A client1
dynamic 02:01:9A:28:66:9C
1 A client1
dynamic 02:78:49:4F:90:19
[admin@CDNAT] /metarouter interface>
3. MetaRouter vif2
()
[admin@CDNAT] /interface bridge> add

[admin@CDNAT] /interface bridge> print
0 R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none
priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s
forward-delay=15s transmit-hold-count=6 ageing-time=5m
[admin@CDNAT] /interface bridge port> add interface=ether2 bridge=bridge1

[admin@CDNAT] /interface bridge port> add interface=vif2 bridge=bridge1
[admin@CDNAT] /interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic
#
INTERFACE
ether2
bridge1
BRIDGE
PRIORITY PATH-COST HORIZON

0x80
10
none
vif2
bridge1
0x80
10
none
- YuSong
- 325 -
RouterOS
4. MetaRouter IP ether1
vif1 MetaRouter vif1 lan
[admin@CDNAT] /ip address> add address=10.0.1.1/24 interface=vif1

[admin@CDNAT] /ip address> print
#
ADDRESS
NETWORK
10.200.15.56/24
10.200.15.0
10.0.1.1/24
10.0.1.0
BROADCAST
10.200.15.255
10.0.1.255
INTERFACE
ether1
vif1
[admin@CDNAT] /ip address>
5. metarouter console
[admin@CDNAT] /metarouter> console client1
[Ctrl-A is the prefix key]
Starting...
Starting services...
MikroTik 3.22
MikroTik Login: admin
Password:
[admin@MikroTik] > /sys identity set name=Client1
- YuSong
- 326 -
RouterOS
6. metarouter
[admin@Client1] /interface ethernet> print

#
NAME
MTU
MAC-ADDRESS
ARP
0 R ether1
1500 02:49:E8:55:8E:E8
enabled
1 R ether2
1500 02:16:16:90:EF:0E
enabled
[admin@Client1] /interface ethernet> set 0 name=wan

[admin@Client1] /interface ethernet> set 1 name=lan
[admin@Client1] /interface ethernet> print
#
NAME
MTU
MAC-ADDRESS
ARP
0 R wan
1500 02:49:E8:55:8E:E8 enabled
1 R lan
1500 02:16:16:90:EF:0E enabled
[admin@Client1] /interface ethernet>
IP
[admin@Client1] /ip address> add address=10.0.1.2/24 interfae=wan

[admin@Client1] /ip address> add address=10.0.2.1/24 interface=l
[admin@Client1] /ip address> print
#
ADDRESS
NETWORK
BROADCAST
INTERFACE
10.0.1.2/24
10.0.1.0
10.0.1.255
wan
10.0.2.1/24
10.0.2.0
10.0.2.255
lan
[admin@Client1] /ip route> add gateway=10.0.1.1

[admin@Client1] /ip route> print
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
#
DST-ADDRESS
0 A S 0.0.0.0/0
PREF-SRC
G GATEWAY
DISTANCE INTERFACE
r 10.0.1.1
wan
1 ADC 10.0.1.0/24
10.0.1.2
wan
2 ADC 10.0.2.0/24
10.0.2.1
lan
[admin@Client1] /ip route>
nat
[admin@Client1] /ip firewall nat> add action=masquerade out-interface=wan chain=srcnat
winbox metarouter
- YuSong
- 327 -
RouterOS
winbox MetarRouter
RouterOS 1 client1
MetaRotuer
10.0.3.0/24 MetaRouter RouterBOARD
- YuSong
- 328 -
RouterOS
Log
RouterOS log
email syslog
RouterOS
/log
: /system logging
action (; : memory) /system logging action

prefix ()
topics (info | critical | firewall | keepalive | packet | read | timer | write | ddns | hotspot | l2tp |
ppp | route | update | account | debug | ike | manager | pppoe | script | warning | async | dhcp
| notification | pptp | state | watchdog | bgp | error | ipsec | radius | system | web-proxy | calc |
event | isdn | ospf | raw | telephony | wireless | e-mail | gsm | mme | ntp | open | ovpn | pim |
radvd | rip | sertcp | ups; : info)
logging firewall
[admin@MikroTik] system logging> add topics=firewall action=memory

[admin@MikroTik] system logging> print
#
TOPICS
ACTION PREFIX
info
memory
error
memory
warning
memory
critical
echo
firewall
memory
[admin@MikroTik] system logging>
29.1 Logging
: /system logging action
disk-lines (; : 100) ( action disk)

disk-stop-on-full (yes | no; : no) disk-lines
email-to () email ( action email)
memory-lines (; : 100) ( action memory)
memory-stop-on-full (yes | no; : no) - memory-lines
name () action
remember (yes | no; : yes) ( action echo)
- YuSong
- 329 -
RouterOS
remote (IP address:port ; : 0.0.0.0:514) IP UDP ( action
remote)
target (disk | echo | email | memory | remote; : memory)
disk
echo
email email
memory
remote
action
action long 1000 /log
1000
[admin@MikroTik] system logging action> add name=long \

\... target=memory memory-lines=50 memory-stop-on-full=yes
[admin@MikroTik] system logging action> print
Flags: * - default
#
NAME
TARGET REMOTE
0 * memory
memory
1 * disk
disk
2 * echo
echo
3 * remote
remote 0.0.0.0:514
long
memory
[admin@MikroTik] system logging action>
ip firewall filter 80 log 80port
[admin@MikroTik] /ip firewall filter> add chain=forward protocol=tcp dst-port=80

action=log log-prefix=80port
[admin@MikroTik] /ip firewall filter> print
chain=forward action=log protocol=tcp dst-port=80 log-prefix="80port"
29.2 Dude
MikroTik syslog RouterOS 1000
The Dude
The Dude RouterOS
The Dude 3.0beta8 RouterOS system logging
- YuSong
- 330 -
RouterOS
system logging actions remote Remote Address

The Dude IP
remote
10.200.15.234 The Dude

IP
- YuSong
- 331 -
RouterOS
The Dude
The Dude log IP 10.200.15.1 RouterOS
- YuSong
- 332 -
RouterOS
The Dude log
The Dude RouterOS
29.3 Log
: /log
/system logging
message (: )
time (: )
topics (: )
- YuSong
- 333 -
RouterOS
[admin@MikroTik] > log print

TIME
MESSAGE
dec/24/2003 08:20:36 log configuration changed by admin

-- [Q quit|D dump]
[admin@MikroTik] > log print follow

TIME
MESSAGE

dec/24/2003 08:35:56 system started
dec/24/2003 08:35:57 isdn-out1: initializing...
dec/24/2003 08:35:57 isdn-out1: dialing...
dec/24/2003 08:35:58 Prism firmware loading: OK
dec/24/2003 08:37:48 user admin logged in from 10.1.0.60 via telnet
-- Ctrl-C to quit. New entries will appear at bottom.
RouterOS Store
RouterOS 3.15 store Web-proxy
User-Manager The Dude 3.23 RouterOS log Store
RouterOS PC RouterBOARD
RouterBOARD CF/MircoSD PC U winbox
store
- YuSong
- 334 -
RouterOS
30.1 RouterOS U
U PC 1 16G U RouterOS PC
USB Store Disk usb1
invalid RouterOS U
usb1 U Format Driver
- YuSong
- 335 -
RouterOS
usb1 ready
30.2 log
RouterOS3.23 log RouterOS
U
system logging Action files type disk
- YuSong
- 336 -
RouterOS
Disk
Typelog disk
File Name usb1 U usb1/log
Lines Per File
File Countlog log0
Stop on Full log log
<filename>.0.txt<filename>.1.txt<filename>.n.txt
logging info files usb1
- YuSong
- 337 -
RouterOS
log
file list usb1 log txt
- YuSong
- 338 -
RouterOS
CPU
30.3 Web-Proxy U
Web
U
Store Proxy web-proxy usb1
- YuSong
- 339 -
RouterOS
Web-Proxy Cache Drive Store usb1
30.4 Store
Store The Dude
- YuSong
- 340 -
RouterOS
Store User-Manager User-Manager
IP
IP
Hotspot PPP RouterOS
: system
: Level1
: /user, /ppp, /ip accounting, /radius
:
30.1 IP
: /ip accounting
IP PPPPPTPPPPoE
ISDN HotSpot
IP
enabled (yes | no; : no) - IP
- YuSong
- 341 -
RouterOS
account-local-traffic (yes | no; : no) - /
threshold (; : 256) - IP 8192
IP uncounted
IP
[admin@MikroTik] ip accounting> set enabled=yes

[admin@MikroTik] ip accounting> print
enabled: yes
account-local-traffic: no
threshold: 256
[admin@MikroTik] ip accounting>
30.2 IP
: /ip accounting snapshot
IP
bytes (: ) -
dst-address (: IP address) - IP
dst-user (: ) ()
packets (: ) -
src-address (: IP address) - IP
src-user (: )
PPP HotSpot
IP
[admin@MikroTik] ip accounting snapshot> take

[admin@MikroTik] ip accounting snapshot> print
# SRC-ADDRESS
DST-ADDRESS
PACKETS
BYTES
0 192.168.0.2
159.148.172.197 474
19130
1 192.168.0.2
10.0.0.4
120
2 192.168.0.2
192.150.20.254
32
3142
3 192.150.20.254
192.168.0.2
26
2857
4 10.0.0.4
192.168.0.2
117
5 159.148.147.196 192.168.0.2
136
6 192.168.0.2
159.148.147.196 1
7 159.148.172.197 192.168.0.2
835
SRC-USER
DST-USER
40
1192962
[admin@MikroTik] ip accounting snapshot>
30.3 Web IP
- YuSong
- 342 -
RouterOS
: /ip accounting web-access
web Unix/Linux wget MikroTik
web web web snapshot Snapshot web
wget http TCP Snapshot wget
Web wget URLhttp://routerIP/accounting/ip.cgi
accessible-via-web (yes | no; : no) snapshot web

address (IP /; : 0.0.0.0) - snapshot IP
192.168.10.10 web
[admin@MikroTik] ip accounting web-access> set accessible-via-web=yes \

\... address=192.168.10.10/32
[admin@MikroTik] ip accounting web-access> print
accessible-via-web: yes
address: 192.168.10.10/32
[admin@MikroTik] ip accounting web-access>
Log Downloader winbox

Log Downloader RouterOS IP
RotuerOS ip accounting
- YuSong
- 343 -
RouterOS
RouterOS web web 80
Scheduler
.
: system
: Level1
: /system scheduler
32.1
interval (; : 0s) -
name ()
on-event () /system script
run-count (: ) , 1
start-date ()
start-time ()
startup 3 .
run-count
start-time startup 3
start-time=startup interval=0
1 1 logtest
- YuSong
- 344 -
RouterOS
[admin@MikroTik] system script> add name=logtest source=:log info test
[admin@MikroTik] system script> print
0
name="script1" owner="admin"
policy=ftp,reboot,read,write,policy,test,winbox,password,sniff
last-started=may/16/2008 21:32:51 run-count=3 source=:log info " test"
[admin@MikroTik] system script> .. scheduler
[admin@MikroTik] system scheduler> add name=run-1h interval=1h on-event=logtest
[admin@MikroTik] system scheduler> print
Flags: X - disabled
#
NAME
ON-EVENT START-DATE START-TIME INTERVAL
run-1h
logtest
mar/30/2004 06:11:35
1h
RUN-COUNT
0
[admin@MikroTik] system scheduler>
Schedule Winbox
2 2 cust0 9 64kb/s
5 128kb/s( 2.9 cust0
3.0 cust0)
[admin@MikroTik] queue simple> add name=Cust0 interface=ether1 \

\... target-address=192.168.0.0/24 limit-at=64000
0
name="Cust0" target-address=192.168.0.0/24 dst-address=0.0.0.0/0

interface=ether1 limit-at=64000 queue=default priority=8 bounded=yes
[admin@MikroTik] queue simple> /system script

[admin@MikroTik] system script> add name=start_limit source={/queue simple set \
- YuSong
- 345 -
RouterOS
\... Cust0 limit-at=64000}
[admin@MikroTik] system script> add name=stop_limit source={/queue simple set \
\... Cust0 limit-at=128000}
0 name="start_limit" source="/queue simple set Cust0 limit-at=64000"
owner=admin run-count=0
1 name="stop_limit" source="/queue simple set Cust0 limit-at=128000"

owner=admin run-count=0

[admin@MikroTik] system scheduler> add interval=24h name="set-64k" \
\... start-time=9:00:00 on-event=start_limit
[admin@MikroTik] system scheduler> add interval=24h name="set-128k" \
\... start-time=17:00:00 on-event=stop_limit
Flags: X - disabled
#
NAME
set-64k

start... oct/30/2008 09:00:00
1d
RUN-COUNT
set-128k stop_... oct/30/2008 17:00:00
1d
3
[admin@MikroTik] system script> add name=e-backup source={/system backup
save name=email; /tool e-mail send to="root@host.com" subject=([/system
{... identity get name] . " Backup") file=email.backup}
0 name="e-backup" source="/system backup save name=ema... owner=admin
run-count=0

[admin@MikroTik] system scheduler> add interval=7d name="email-backup" \
\... on-event=e-backup
Flags: X - disabled
#
NAME
email-... e-backup oct/30/2008 15:19:28
7d
RUN-COUNT
1
SMTP /tool e-mail SMTP
[admin@MikroTik] tool e-mail> set server=159.148.147.198 from=SysAdmin@host.com

[admin@MikroTik] tool e-mail> print
server: 159.148.147.198
from: SysAdmin@host.com
- YuSong
- 346 -
RouterOS
[admin@MikroTik] tool e-mail>
4
12 12 x:
[admin@MikroTik] system script> add name=enable-x source={/system scheduler

{... enable x}
[admin@MikroTik] system script> add name=disable-x source={/system scheduler
{... disable x}
[admin@MikroTik] system script> add name=log-x source={:log info x}
[admin@MikroTik] system scheduler> add name=x-up start-time=00:00:00 \
\... interval=24h on-event=enable-x
[admin@MikroTik] system scheduler> add name=x-down start-time=12:00:00
\... interval=24h on-event=disable-x
[admin@MikroTik] system scheduler> add name=x start-time=00:00:00 interval=1h \
\... on-event=log-x
Flags: X - disabled
#
NAME
x-up
enable-x oct/30/2008 00:00:00
1d
x-down
disab... oct/30/2008 12:00:00
1d
log-x
oct/30/2008 00:00:00
1h
RUN-COUNT
RouterOS
33.1Netwatch
Netwatch ping
: advanced-tools
: Level1
: /tool netwatch
: none
Netwatch IP ICMP ping
netwatch
- YuSong
- 347 -
RouterOS
down-script () unknown up down
host (IP ; : 0.0.0.0) IP
interval (; : 1s) ping
status (: up | down | unknown)
up up
down down
unknown
timeout (; : 1s) ping timeout
down
up-script () - unknown down up
gw_1 gw_2
[admin@MikroTik] system script> add name=gw_1 source={/ip route set

{... [/ip route find dst 0.0.0.0] gateway 10.0.0.1}
[admin@MikroTik] system script> add name=gw_2 source={/ip route set
{.. [/ip route find dst 0.0.0.0] gateway 10.0.0.217}
[admin@MikroTik] system script> /tool netwatch
[admin@MikroTik] tool netwatch> add host=10.0.0.217 interval=10s timeout=998ms \\...
up-script=gw_2 down-script=gw_1
[admin@MikroTik] tool netwatch> print
Flags: X - disabled
#
HOST
TIMEOUT
INTERVAL
STATUS
10.0.0.217
997ms
10s
up
[admin@MikroTik] tool netwatch> print detail

Flags: X - disabled
0
host=10.0.0.217 timeout=997ms interval=10s since=feb/27/2003 14:01:03

status=up up-script=gw_2 down-script=gw_1
[admin@MikroTik] tool netwatch>
up "gw_2"
[admin@MikroTik] > /ip route set [/ip route find dst 0.0.0.0] gateway 10.0.0.217
/ip route find dst 0.0.0.0 dst-address 0.0.0.0

/ip route set
down "gw_1"
[admin@MikroTik] > /ip route set [/ip route find dst 0.0.0.0] gateway 10.0.0.1
10.0.0.217
- YuSong
- 348 -
RouterOS
10.0.0.215 e-mail
[admin@MikroTik] system script> add name=e-down source={/tool e-mail send

{... from="rieks@mt.lv" server="159.148.147.198" body="Router down"
{... subject="Router at second floor is down" to="rieks@latnet.lv"}
[admin@MikroTik] system script> add name=e-up source={/tool e-mail send
{... from="rieks@mt.lv" server="159.148.147.198" body="Router up"
{.. subject="Router at second floor is up" to="rieks@latnet.lv"}
[admin@MikroTik] system script>
[admin@MikroTik] system script> /tool netwatch
[admin@MikroTik] system netwatch> add host=10.0.0.215 timeout=999ms \
\... interval=20s up-script=e-up down-script=e-down
[admin@MikroTik] tool netwatch> print detail
Flags: X - disabled
0
host=10.0.0.215 timeout=998ms interval=20s since=feb/27/2003 14:15:36

status=up up-script=e-up down-script=e-down
[admin@MikroTik] tool netwatch>
33.2Graphing
Graphing RouterOS
: system, routerboard(optional)
: Level1
: /tool graphing
Graphing
Routerboard ()
(CPU, Disk usage)
Interfaces
simple queues
Graphing - Web page

http://[Router_IP_address]/graphs/ RouterOS
5 store-every
RouterOS generates four graphics for each item:
"Daily" Graph (5 Minute Average)
"Weekly" Graph (30 Minute Average)
"Monthly" Graph (2 Hour Average)
"Yearly" Graph (1 Day Average)
allow-address
- YuSong
- 349 -
RouterOS
: /tool graphing
store-every (5min | hour | 24hours; : 5min)
/tool graphing set store-every=hour

[admin@NAT] tool graphing> print
store-every: hour
[admin@NAT] tool graphing>
: /tool graphing health

RouterBoard routerboard RouterBoard
allow-address (IP /; : 0.0.0.0/0)

store-on-disk (yes | no; : yes) no RAM
: /tool graphing interface

interface
allow-address (IP /; : 0.0.0.0/0) -

http://[Router_IP_address]/graphs/,
interface (; : all) interface
store-on-disk (yes | no; : yes) -no RAM
192.168.0.0/24 ether1 :
[admin@NAT] tool graphing interface> add interface=ether1

allow-address=192.168.0.0/24 store-on-disk=yes
[admin@NAT] tool graphing interface> print
Flags: X - disabled
#
INTERFACE ALLOW-ADDRESS
ether1
192.168.0.0/24
STORE-ON-DISK
yes
- YuSong
- 350 -
RouterOS
[admin@NAT] tool graphing interface>
Graphing
: /tool graphing queue
/queue simple

allow-target (yes | no; : yes) /queue simple target-address IP graphing web
simple-queue (; : all) simple queue
simple queue simple-queue queue1:
[admin@NAT] tool graphing queue> add simple-queue=queue1 allow-address=192.168.0.0/24

store-on-disk=yes
: /tool graphing resource
CPU usage
Memory usage
Disk usage

IP 192.168.0.0/24
[admin@NAT] tool graphing resource> add allow-address=192.168.0.0/24 store-on-disk=yes

[admin@NAT] tool graphing resource> print
Flags: X - disabled
#
ALLOW-ADDRESS
STORE-ON-DISK
192.168.0.0/24
yes
[admin@NAT] tool graphing resource>
- YuSong
- 351 -
RouterOS
33.3Bandwidth-text
MikroTik
TCP TCP TCP TCP

TCP TCP TCP
UDP
UDP 110%
MTU 1500 UDP
Bandwidth Test (by default)

Bandwidth Test bandwidth test
Bandwidth Testing Router Bandwidth :
UDP Bandwidth Test IP header+UDP header+UDP TCP

Bandwidth Test TCP TCP IP
Server
: /tool bandwidth-server
allocate-udp-ports-from UDP
authenticate (yes | no; : yes)
enable (yes | no; : no)
max-sessions bandwidth-test
Bandwidth :
[admin@MikroTik] tool bandwidth-server> print

enabled: yes
authenticate: yes
allocate-udp-ports-from: 2000
max-sessions: 10
[admin@MikroTik] tool>
- YuSong
- 352 -
RouterOS
[admin@MikroTik] tool> bandwidth-server session print
# CLIENT
PROTOCOL DIRECTION USER
0 35.35.35.1
udp
send
admin
1 25.25.25.1
udp
send
admin
2 36.36.36.1
udp
send
admin
bandwidth-test
[admin@MikroTik] tool bandwidth-server> set enabled=yes authenticate=no

[admin@MikroTik] tool bandwidth-server> print
enabled: yes
authenticate: no
allocate-udp-ports-from: 2000
max-sessions: 10
Client
: /tool bandwidth-test
(IP address) - IP
assume-lost-time (; : 0s) Bandwidth Server
direction (receive / transmit / both; : receive) -
do ( | string; : "") -
duration (; : 0s) -
0s
interval (: 20ms..5s; : 1s)
local-tx-speed (; : 0) (bits per second)
0
local-udp-tx-size (: 40..64000) UDP
password (; : "")
protocol (udp | tcp; : udp)
random-data (yes | no; : no) yesBandwidth
( CPUrandom-data no)
remote-tx-speed (; : 0) (bits per second)
0
remote-udp-tx-size (: 40..64000) UDP
user (; : "") -
10.0.0.211 15 1000-byte UDP admin.
[admin@MikroTik] tool> bandwidth-test 10.0.0.211 duration=15s direction=both

\... size=1000 protocol=udp user=admin
status: done testing
- YuSong
- 353 -
RouterOS
duration: 15s
tx-current: 3.62Mbps
tx-10-second-average: 3.87Mbps
tx-total-average: 3.53Mbps
rx-current: 3.33Mbps
rx-10-second-average: 3.68Mbps
rx-total-average: 3.49Mbps
33.4Torch ()
torch .
. Torch .
: /tool torch
()
dst-address (IP address/netmask) : 0.0.0.0/0 .
freeze-frame-interval () -
port ( | )
protocol (any | any-ip | ddp | egp | encap | ggp | gre | hmp | icmp | idpr-cmtp | igmp | ipencap | ipip |
ipsec-ah | ipsec-esp | iso-tp4 | ospf | pup | rdp | rspf | st | tcp | udp | vmtp | xns-idp | xtp)
any -
any-ip
src-address (IP address/netmask) : 0.0.0.0/0
, tcp udp , any any-ip tcp udp.

, (,).
telnet ether1 :
[admin@MikroTik] tool> torch ether1 port=telnet

SRC-PORT
DST-PORT
1439
23 (telnet)
TX
1.7kbps
RX
368bps
IP ether1
[admin@MikroTik] tool> torch ether1 protocol=any-ip

PRO.. TX
RX
tcp
1.06kbps
608bps
udp
896bps
3.7kbps
icmp 480bps
480bps
- YuSong
- 354 -
RouterOS
ospf 0bps
192bps
IP 10.0.0.144/32 ether1
[admin@MikroTik] tool> torch ether1 src-address=10.0.0.144/32 protocol=any

PRO.. SRC-ADDRESS
tcp
10.0.0.144
TX
RX
1.01kbps
608bps
480bps
480bps
icmp 10.0.0.144
tcp/udp ether1
[admin@MikroTik] tool> torch ether1 protocol=any-ip port=any

PRO.. SRC-PORT
DST-PORT
TX
1.06kbps
RX
tcp
3430
22 (ssh)
608bps
udp
2812
1813 (radius-acct)
512bps
2.11kbps
tcp
1059
139 (netbios-ssn)
248bps
360bps
QQ
QQ QQ QQ QQ
QQ
RouterOS QQ IP RouterOS torch
Torch /tool Torch
interface QQ 8000 dst-port 8000
8000 QQ 80
- YuSong
- 355 -
RouterOS
8000 dst-address QQ ip firewall address-list QQ

IP 220.133.40.11 QQ address-list qq address220.133.40.0/24
QQ IP ip firewall filter forward
/ip firewall filter add chain=forward dst-address-list=qq action=drop
- YuSong
- 356 -
RouterOS
Winbox
torch QQ IP QQ
33.5 E-mail
E-mail e-mailEmail
TLS
: /tool e-mail
SMTP
from (; : <>) email
password (; : "")SMTP
server (IP:Port; : 0.0.0.0:25)SMTP IP
username (; : "")SMTP
Email /tool e-mail send
:
body (; : )
file (; : ) Email
- YuSong
- 357 -
RouterOS
from (; : ) email .
password (; : ) SMTP
server (IP:Port; : ) IP SMTP
subject (; : ).
tls (yes|no; : yes) TLS
to (; : ) emial
user (; : ) SMTP
24 email
1. SMTP
[admin@MikroTik] /tool e-mail> set server=10.1.1.1:25 from="router@mydomain.com"
2. export-send
/export file=export
/tool e-mail send to="config@mydomain.com" subject="$[/system identity get name] export)
\
body="$[/system clock get date] configuration file" file=export.rsc
3.scheduler export-send
/system scheduler
add on-event="export-send" start-time=00:00:00 interval=24h

#
NAME
TYPE
RX-RATE
TX-RATE
MTU
0 R ether1
ether
1500
1 R bridge1
bridge
1500
2 R ether2
ether
1500
3 R wlan1
wlan
1500
/interface bridge
[admin@MikroTik] /interface bridge> add
[admin@MikroTik] /interface bridge> prin
0 R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
protocol-mode=none priority=0x8000 auto-mac=yes
admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s
transmit-hold-count=6 ageing-time=5m
[admin@MikroTik] /interface bridge>
- YuSong
- 358 -
RouterOS
E-mail winbox
- YuSong
- 359 -

MikroTik RouterOS V5 中文教程

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

MikroTik RouterOS V5 中文教程

Uploaded by

Copyright:

Available Formats

MikroTik

1997 RouterOS IntelPC

MikroTik WLAN MikroTik RouterOS RouterOS

MikroTik RouterBOARD ----------------------------------------------

Firewall Filte ----------------------------------------------

RouterOS packet flow---------------------------------------

RouterOS Nth -------------------------------------------------------

PPTP L2TP ------------------------------------------------------

RouterOS Store ------------------------------------------------------

RouterOS Linux2.6 RouterOS

SMP RouterOS 3.0 RouterOS v5.x

32MBRouterOS v2.9 1G RouterOS v3.0 2G

IDESATA,CF USBDOM SCSI5.x 64MB

Linux v2.6 PCIPCI-ePCI-X

4kc RouterBOARD 500 (532, 512 511) RouterBOARD 100 (133133c150192)

24kc RouterBOARD 400(411/411A/411AH433/433AH/433UAH450/450G493/493AH)

24kc RouterBOARD 700(711711A750/750G750UP751751G)

ROM NAND 64Mb

RouterBOARD1100AH, RouterBOARD1100AHX2, RouterBOARD1200

Netinstall: PXE EhterBoot

Web webfig webbox

console telnet ssh

Binary configuration backup saving and loading

NAT (h323, pptp, quake3, sip, ftp, irc, tftp)

Virtual Routing and Forwarding - VRF

IPv4 : RIP v1/v2, OSPFv2, BGP v4

IPv6 : RIPng, OSPFv3, BGP

MP-BGP MPLS IP VPN

Ipsec , PSK, AH ESP RB1000

6to4 (IPv6 IPv4 )

VLAN IEEE802.1q Q-in-Q

WEP, WPA, WPA2

QoS (Simple queues)

Bandwidth test, ping flood

Bridging (STP, RSTP), MAC nat

MNDP MikroTik CDP

Asynchronous PPP dial-in/dial-out

RouterOS Windows WinBox

teminal console - PS/2 USB VGA

Serial console ( COM1) RS232 9600bit/s, 8 data bits, 1 stop

Telnet telnet TCP 23

SSH - SSH ( shell) TCP 22

MAC Telnet - MikroTik MAC Telnet

Winbox Winbox RouterOS Windows TCP 82913.0rc13

MikroTik RouterOS ISO

3. CD RouterOS PC BIOS CD-ROM

7. MikroTik RouterOS CD-ROM

10. RouterOS 24 software-id

NetInstall RouterOS (*.npk )

3. Netinstall Net Booting Boot Server Netinstall

4. RouterBoard RouterBoard BIOS ( RouterBOARD

CPU frequency: 680 MHz

Press any key within 2 seconds to enter setup

BIOS boot deviceo

Select boot device:

RouterBoard BIOS x BIOS

Netinstall RouterBOARD Netinstall

Welcome to MikroTik Router Software remote installation

software-id: IMIX-B1U1 key:

Waiting for installation server...

1 Keep old configuration

Welcome to MikroTik Router Software remote installation

software-id: IMIX-B1U1 key:

Waiting for installation server...