Mikrotik Part6 PDF
Hardware
PDF generated using the open source mwlib toolkit. See http://code.pediapress.com/ for more information.
PDF generated at: Thu, 19 Dec 2013 19:57:16 CET
Contents
Articles
RouterBOARD hardware
Manual:Grounding
RouterBOOT changelog
RouterBOARD Troubleshooting
Manual:Bootloader upgrade
Manual:Netinstall
Manual:System/Serial Console
Password reset
Manual:Switch Chip Features
Manual:USB Features
Manual:Default Configurations
RouterBOARD 500
RouterBOARD Feature Request
Mini-PCI (In)Compatibility
Solar Power HOWTO
Manual:User Manager
User Manager/Introduction
User Manager/Getting started
User Manager/Hotspot Example
User Manager/PPP Example
User Manager/DHCP Example
User Manager/Wireless Example
User Manager/RouterOS user Example
User Manager/Customers
User Manager/Users
User Manager/Routers
User Manager/Sessions
User Manager/Payments
User Manager/Reports
User Manager/Logs
User Manager/Permissions
User Manager/Character constants
User Manager/Active sessions
User Manager/Active users
User Manager/Public ID
User Manager/Profiles
User Manager/MAC binding
User Manager/Languages
User Manager/Subscribers
User Manager/Credits
User Manager/User prefix
User Manager/Limiting
User Manager/Prepaid and unlimited users
User Manager/Voucher template
User Manager/Search patterns
User Manager/Tables
User Manager/Detail forms
User Manager/Printing
User Manager/Customer page
User Manager/User page
User Manager/User sign up
User Manager/User payments
User Manager/Backup
References
Article Sources and Contributors
Image Sources, Licenses and Contributors
RouterBOARD hardware
• Grounding and ESD protection
• RouterBOOT changelog
• RouterBOARD Troubleshooting
• Upgrading RouterBOARD Bootloader
• Netinstall - How to install or re-install RouterOS on a RouterBoard
• Serial Console - How to access the Command Console via the Serial Port of a RouterBoard
• MikroTik Password Recovery
• RouterBOARD Switch chips
• RouterBOARD USB port capability table
• List of Default Configuration files for RouterBOARD devices
Other
• RouterBOARD 500
• RouterBOARD Feature Request
• Mini-PCI_(In)Compatibility - List of Mini-PCI radios which are known to work well (or not at all)
• Solar Power HOWTO - How to design and build a solar power system for Routerboard devices (includes
examples).
Manual:Grounding
Introduction
The installation infrastructure (towers and masts), as well as antennas and
the router itself must be properly grounded, and lightning arrestors must
be installed on all external antenna cables (near the antennas or on the
antennas themselves) to prevent equipment damage and human injury.
Note that lightning arrestors will not have any effect if not grounded.
Use 1 AWG (7mm in diameter) wire with corrosion-resistant connectors
for grounding. Be sure to check that the grounding infrastructure you use
is indeed functional (as opposed to decorative-only grounding present on
some sites). For smaller devices you can use thinner wire.
1. Only shielded Ethernet cables intended for outdoor use should be used. The magnetic shield should be grounded via a shielded RJ-45 connector or via an additional wire that is soldered to the RJ45 or ground wire.
2. The grounding wire should be connected to the RouterBOARD (to the mounting point where the board is fastened to the outdoor box). This wire is connected to the bottom of the tower, and the connection to the tower is made according to the standards. The antenna grounding wire is connected near the RouterBOARD outdoor case; this wire could be connected to the same RouterBOARD grounding wire.
3. Ethernet port lightning protectors are not recommended, as most of them are not intended for use with PoE (they short the PoE supply). If protectors are used, they could be placed at the outdoor case, where the RouterBOARD and grounding pads are connected.
Example grounding wire attachment screw on an outdoor case: Shielded cable
Note! Even if you don't ground the outdoor wireless device, and only use a shielded cable, you should still ground the device it's connected to (indoors), i.e. the switch, RouterBOARD or PC.
RouterBOOT changelog
What's new in 3.2.1:
• fixed etherboot on p2020,mpc8544,amcc460;
• fix possible etherboot problems on ar7100,ar7240,ar9330,ar9342,ar9344;
What's new in 3.1.1 (ar7100,ar7240,ar9330,ar9340,ar9344,tilegx 3.02 release):
• ar9344: added new product support;
• fixed partition support not to hang bootup process;
What's new in 3.0.3:
• finished partition support, requires RouterOS v6.0rc5 or newer;
What's new in 3.0.1 (tilegx 3.0 release):
• pass routerboot version to RouterOS;
What's new in 3.0:
• reset button now supports RouterOS reset also on serial-port devices (push button right after power is applied);
What's new in 3.0rc4:
• ar9344: fix etherboot with ar8327 switch chip;
• ar9344: fix ethernet leds on 100MBs links;
• ar9344: fix xlna on SXT-2nDr2;
• ar9344: added lcd support on RB2011;
• tilegx: added support for CCR 1016/1036 boards;
What's new in 2.40.5 (ar9330 2.41 release):
• ar9330: fixes few rb951-2n errors;
What's new in 2.40.3 (ar7100 2.41 release):
• ar7100: fix RB411L to have configuration reset with button;
• fix sw version soft setting not to have multiple copies;
What's new in 2.40.2 (ar9344 2.41 release):
• fix for easy ar9344 stale booter detection;
• mips: reset some more CP0 registers to 0 on bootup;
What's new in 2.40.1:
• AR934x: fixed cache initialization (fixes RB2011 stall on decompressing);
What's new in 2.39.5 (ar9344 2.40 release):
• AR9344: added user-led support for RB2011;
• added AR8327 rev B support (RB2011, RB433GL);
What's new in 2.39.4 (ar7240 2.39 release):
• yaffs kernel load improvement;
• P2020: faster kernel loading (ubifs optimization);
What's new in 2.39.3:
• AR934x: increase AHB bus speed from DDR / 3 -> CPU / 3;
• fixed RB1000 not to reset configuration all the time (broken in v2.29);
What's new in 2.29:
• fixed rare issue with large nand booting;
• fixed RB800 and RB1100 to turn on user led during boot-up;
• fixed RB711 to turn off user led during boot-up;
What's new in 2.28:
• fixed problem - wireless did not show up on some RB411 units with 18V PoE power supply;
What's new in 2.27:
• memory fix for RB800/RB1000/RB1100;
• fixed problem - sometimes wireless was missing on RB711 after reboot;
• fixed pin-hole reset on RB750G;
What's new in 2.26:
• added RB816 support on RB600;
• fixed router hangup during etherboot if blasted with lots of packets;
• added silent boot;
• fixed Flashfig;
What's new in 2.25:
• new feature - Flashfig;
• fixed etherboot on RB493;
• fixed occasional lockup of kernel image loading on RB400 series;
• added disable UART feature;
What's new in 2.24:
• added support for RB816;
What's new in 2.23:
• added support for RB750G;
• added support for RB800;
What's new in 2.22:
• fixed support for RB750;
What's new in 2.21:
• added support for RB750;
What's new in 2.20:
• added support for RB450G;
What's new in 2.19:
• fixed support for MLC NAND chip;
• fixed memory issue on RB600;
What's new in 2.18:
• fixed via-rhine disappearing on RB532 and RB564;
• added support for RB493AH;
What's new in 2.17:
• added support for MLC NAND chip;
What's new in 2.16:
• fixed bug - boot from NAND on RB532A could fail (bug introduced in 2.13);
RouterBOARD Troubleshooting
This page describes methods of testing whether a RouterBOARD device has problems. Before contacting support or the RMA department, please carefully try ALL of the mentioned methods:
Operational Problems
CPU load 100% or slow traffic speeds: Check the traffic coming to or through the router with the Torch tool. Disable interfaces. See whether a P2P user or an attacker is causing it.
Wireless card disappearing: Check that the pigtail or some other metallic object is not touching the wireless card's metal parts.
References
[1] http://www.mikrotik.com/support.html
[2] http://www.routerboard.com
Manual:Bootloader upgrade
This page shows how to upgrade the Bootloader firmware of a RouterBOARD device.
Simple Upgrade
• Run the command /system routerboard upgrade
• Reboot your router to apply the upgrade (/system reboot)
Note! If you need to install a different version than the one included in your "routerboard.npk", upload the latest RouterBOOT firmware to your router's FTP (the latest firmware is available on routerboard.com [2]) and then follow the above steps.
In this case you can see that a newer version of the Bootloader firmware is already available inside your current RouterOS version.
Xmodem Method
If there is no IP connectivity with your RouterBOARD, you can also use the Serial Console XMODEM transfer to
send the FWF file to the router, while connected via Serial Console. From the Bootloader menu it's possible to
upgrade the firmware with this method. This method is the last resort, and should be used only if the first two
methods are not available.
Manual:Netinstall
Applies to RouterOS: 2.9, v3, v4
NetInstall Description
NetInstall is a program that runs on a Windows computer and allows you to install MikroTik RouterOS onto a PC or onto a RouterBoard via an Ethernet network.
You can download Netinstall on our download page [1].
NetInstall is also used to re-install RouterOS in cases where the previous install failed, became damaged or access passwords were lost.
• Your device must support booting from Ethernet, and there must be a direct Ethernet link from the Netinstall computer to the target device. All RouterBOARDs support PXE network booting; it must be enabled either inside the RouterOS "routerboard" menu, if RouterOS is operable, or in the bootloader settings. For this you will need a serial cable.
Note: For RouterBOARD devices with no serial port and no RouterOS access, the reset button can also start PXE booting mode. See your RouterBOARD manual PDF for details, for example the RB750 PDF [2].
• Netinstall can also directly install RouterOS on a disk (USB/CF/IDE/SATA) that is connected to the Netinstall
Windows machine. After installation just move the disk to the Router machine and boot from it.
Interface
The following options are available in the Netinstall window:
• Routers/Drives - list of PC drives and of the routers that were detected near the Netinstall PC
• Make floppy - used to create a bootable 1.44" floppy disk for PCs which don't have Etherboot support
• Net booting - used to enable PXE booting over network (your default choice)
• Install/Cancel - after selecting the router and selecting the RouterOS packages below, use this to start install
• SoftID - the SoftID that was generated on the router. Use this to purchase your key
• Key / Browse - apply the purchased key here, or leave blank to install a 24h trial
• Get key - get the key from your mikrotik.com account directly
• Flashfig - launch Flashfig - the mass config utility which works on brand new devices
• Keep old configuration - keeps the configuration that was on the router, just reinstalls software (no reset)
• IP address / Netmask - enter IP address and netmask in CIDR notation to preconfigure in the router
• Gateway - default gateway to preconfigure in the router
• Baud rate - default serial port baud-rate to preconfigure in the router
• Configure script - file that contains RouterOS CLI commands that directly configure the router (e.g. commands produced by the export command). Used to apply default configuration
Screenshot
• For installation over the network, don't forget to enable the PXE server, and make sure Netinstall is not blocked by your firewall or antivirus. The connection should be directly from your Windows PC to the Router PC (or RouterBOARD), or at least through a switch/hub.
NetInstall Example
This is a step by step example of how to install RouterOS on a RouterBoard 532 from a typical notebook computer.
Requirements
The notebook computer must be equipped with the following ports and contain the following files:
• Ethernet port.
• Serial port.
• Serial communications program (such as Hyper Terminal)
• The .npk RouterOS file(s) (not .zip file) of the RouterOS version that you wish to install onto the Routerboard.
• The NetInstall program available from the Downloads page at www.mikrotik.com
• It is recommended to disable any other Network interfaces in your PC, leave only the one which is connected to
your router
Connection process
1. Connect the routerboard to a switch, a hub or directly to the Notebook computer via Ethernet. The notebook
computer Ethernet port will need to be configured with a usable IP address and subnet. For example: 10.1.1.10/24
2. Connect the routerboard to the notebook computer via serial, and establish a serial communication session with the RouterBoard. A serial configuration example is in the Serial console manual
3. Run the NetInstall program on your notebook computer.
4. Press the NetInstall "Net Booting" button, enable the Boot Server, and enter a valid, usable IP address (within
the same subnet of the IP address of the Notebook) that the NetInstall program will assign to the RouterBoard to
enable communication with the Notebook computer. For example: 10.1.1.5/24
5. Set the RouterBoard BIOS to boot from the Ethernet interface.
Configuring RouterBOARD
Next selection: press the 'e' key to make the RouterBoard boot from the Ethernet interface:
The RouterBoard BIOS will return to the first menu. Press the 'x' key to exit from the BIOS. The router will reboot.
• Make sure boot-protocol is bootp.
Installation
Watch the serial console as the RouterBoard reboots; it will indicate that the RouterBoard is attempting to boot to the NetInstall program. The NetInstall program will give the RouterBoard the IP address you entered at Step 4 (above), and the RouterBoard will be ready for software installation. Now you should see the MAC address of the RouterBoard appear in the Routers/Drives list of the NetInstall program.
Click on the desired Router/Drive entry and you will be able to configure various installation parameters associated
with that Router/Drive entry.
For most Re-Installations of RouterOS on RouterBoards you will only need to set the following parameter:
Press the "Browse" button on the NetInstall program screen. Browse to the folder containing the .npk RouterOS
file(s) of the RouterOS version that you wish to install onto the Routerboard.
When you have finalized the installation parameters, press the "Install" button to install RouterOS.
When the installation process has finished, press 'Enter' on the console or 'Reboot' button in the NetInstall program.
Cleanup
1. Reset the BIOS Configuration of the RouterBoard to boot from its own memory.
References
[1] http://www.mikrotik.com/download.html
[2] http://www.routerboard.com/pricelist/download_file.php?file_id=118
Manual:System/Serial Console
Applies to RouterOS: v3, v4, v5+
Overview
Sub-menu: /system console, /system serial-terminal
Standards: RS-232
The Serial Console and Terminal are tools, used to communicate with devices and other systems that are
interconnected via serial port. The serial terminal may be used to monitor and configure many devices - including
modems, network devices (including MikroTik routers), and any device that can be connected to a serial
(asynchronous) port.
The Serial Console feature is for configuring direct-access configuration facilities (monitor/keyboard and serial port)
that are mostly used for initial or recovery configuration.
If you do not plan to use a serial port for accessing another device or for data connection through a modem, you can
configure it as a serial console. The first serial port is configured as a serial console, but you can choose to
unconfigure it to free it for other applications. A free serial port can also be used to access other routers' (or other
equipment, like switches) serial consoles from a MikroTik RouterOS router. A special null-modem cable is needed to connect two hosts (for example, two PCs or two routers; not modems). Note that a terminal emulation program (e.g., HyperTerminal on Windows or minicom on Linux) is required to access the serial console from another computer.
Several customers have described situations where the Serial Terminal (managing side) feature would be useful:
• on a mountaintop, where a MikroTik wireless installation sits next to equipment (including switches and Cisco
routers) that can not be managed in-band (by telnet through an IP network)
• monitoring weather-reporting equipment through a serial port
• connection to a high-speed microwave modem that needed to be monitored and managed by a serial connection
With the serial-terminal feature of the MikroTik, up to 132 (and, maybe, even more) devices can be monitored and
controlled.
1, 6 CD, DSR IN 4
2 RxD IN 3
3 TxD OUT 2
4 DTR OUT 1, 6
5 GND - 5
7 RTS OUT 8
8 CTS IN 7
Note that the above diagram will not work if the software is configured to do hardware flow control but the hardware does not support it (e.g., some RouterBOARD models have reduced serial port functionality). If this is the case, either turn off hardware flow control or use a null-modem cable with loopback, which will simulate the other device's handshake signals with its own. The diagram for such a cable is as follows:
2 RxD IN 3
3 TxD OUT 2
5 GND - 5
Note that although it is recommended to have 5-wire cable for this connection, in many cases it is enough to have 3
wires (for unlooped signals only), leaving both loops to exist only inside the connectors. Other connection schemes
exist as well.
Configuring Console
Sub-menu: /system console
Properties
Property Description
disabled (yes | no; Default: no) Whether serial console is enabled or not.
Read-only properties
Property Description
vcno (integer) number of virtual console - [Alt]+[F1] represents '1', [Alt]+[F2] - '2', etc..
Example
To disable all virtual consoles (available through a direct connection with keyboard and monitor) except for the first one:
Property Description
The serial port to be used as a serial terminal needs to be free (e.g., there should not be any serial consoles, LCD or other configuration). Check the previous chapter to see how to disable the serial console on a particular port. Use the /port print command to see if some other application is still using the port.
Ctrl-A has a special meaning and is used to exit from nested serial-terminal sessions:
To send Ctrl-A to the serial port, press Ctrl-A Ctrl-A
Note: When rebooting a RouterBoard, the bootloader (RouterBOOT) will always use the serial console (serial0 on RouterBoards) to send out some startup messages and offer access to the RouterBOOT menu. Text coming out of the serial port might confuse the attached device and leave the RouterBoard stuck in the boot loader. To avoid this you can reconfigure RouterBOOT to enter the RouterBOOT menu only when a DEL character is received.
Example
To connect to a device connected to the serial1 port:
Console Screen
Sub-menu: /system console screen
This facility changes the number of lines per screen if you have a monitor connected to the router.
Property Description
Example
To set monitor's resolution from 80x25 to 80x40:
See More
• Special Login
• Sigwatch
Password reset
The RouterOS password can only be reset by reinstalling the router, or by using the reset button (or jumper hole) if the hardware is a RouterBOARD.
For X86 devices, only a complete reinstall will clear the password, along with other configuration. For RouterBOARD devices, several methods exist, depending on your model.
Button reset
Most RouterBOARD devices are fitted with a reset button.
Using: unplug the device power, hold the button, apply power and wait until the USER LED starts flashing. Now
release the button to clear configuration.
Note: If you wait until LED stops flashing, and only then release the button - this will instead launch Netinstall
mode, to reinstall RouterOS.
Note: Don't forget to remove the jumper after configuration has been reset, or it will be reset every time you reboot.
Manual:Switch Chip Features
Introduction
There are several types of switch chips on Routerboards, and they have different sets of features. Most of them (from now on "Other") have only the basic "Port Switching" feature, but there are a few with more features:
Capabilities of switch chips:
Host table 2048 entries 2048 entries 1024 entries 2048 entries no no
Depending on the switch type, some configuration capabilities may or may not be available.
Atheros8316 packet flow diagram [2]
Features
Port Switching
The switching feature allows wire speed traffic passing among a group of ports, as if the ports were a regular ethernet switch. You configure this feature by setting a "master-port" property on one or more ports in the /interface ethernet menu. A 'master' port will be the port through which RouterOS communicates with all ports in the group. Interfaces for which the 'master' port is specified become inactive - no traffic is received on them and no traffic can be sent out.
For example consider a router with five ethernet interfaces:
And you configure a switch containing three ports ether3, ether4 and ether5:
ether3 is now the master port of the group. Note: you can see that previously a link was detected only on ether5, but now, as ether3 is a 'master', the running flag is propagated to the master port.
In essence this configuration is the same as if you had a RouterBoard with 3 ethernet interfaces, with ether3 connected to an ethernet switch that has 4 ports:
A more general diagram of a RouterBoard with a 5-port switch chip:
Here you can see that a packet received by one of the ports always passes through the switch logic first. The switch logic decides which ports the packet should go to. Passing a packet 'up', or giving it to RouterOS, is also called sending it to the switch chip's 'cpu' port. That means that at the point where the switch forwards the packet to the cpu port, the packet starts to get processed by RouterOS as some interface's incoming packet. As long as the packet does not have to go to the cpu port, it is handled entirely by the switch logic, does not require any CPU cycles, and is forwarded at wire speed for any frame size.
The ether1 port on RB450G has a feature that allows it to be removed from or added to the default switch group. By default the ether1 port is included in the switch group. This configuration can be changed with /interface ethernet switch set switch1 switch-all-ports=no
• switch-all-ports=yes/no -
"yes" means ether1 is part of the switch and supports switch grouping and all other advanced Atheros8316 features, including extended statistics (/interface ethernet print stats).
"no" means ether1 is not part of the switch, effectively making it a stand-alone ethernet port. This increases its throughput to other ports in bridged and routed mode, but removes the switching possibility on this port.
Port Mirroring
Port mirroring lets the switch 'sniff' all traffic that is going in and out of one port (mirror-source) and send a copy of those packets out of some other port (mirror-target). This feature can be used to easily set up a 'tap' device that receives all traffic that goes in/out of some specific port. Note that the mirror-source and mirror-target ports have to belong to the same switch (see which port belongs to which switch in the /interface ethernet switch port menu). Also, mirror-target can have a special 'cpu' value, which means that 'sniffed' packets should be sent out of the switch chip's cpu port. Port mirroring happens independently of switching groups that have or have not been set up.
Host Table
The host table represents the switch chip's internal mapping of mac addresses to ports. It can contain two kinds of entries: dynamic and static. Dynamic entries get added automatically; this is also called a learning process: when the switch chip receives a packet from a certain port, it adds the packet's source mac address X and the port it received the packet from to the host table, so when a packet comes in with destination mac address X it knows to which port it should forward the packet. If the destination mac address is not present in the host table, it forwards the packet to all ports in the group. Dynamic entries take about 5 minutes to time out. Learning is enabled only on ports that are configured as part of a switch group, so you won't see dynamic entries if you have not specified some 'master-ports'. You can also add static entries, which take over a dynamic entry if one with the same mac-address already exists. Adding a static entry also gives you access to some more functionality, which is controlled via the following parameters:
• copy-to-cpu=yes/no - a packet can be cloned and sent to cpu port
• redirect-to-cpu=yes/no - a packet can be redirected to cpu port
• mirror=yes/no - a packet can be cloned and sent to mirror-target port configured in "/interface ethernet switch"
• drop=yes/no - a packet with certain mac address coming from certain ports can be dropped
The copy-to-cpu, redirect-to-cpu and mirror actions are performed for packets whose destination mac address matches the mac address specified in the entry. The drop action is performed for packets whose source mac address matches the mac address specified in the entry.
Another possibility for static entries is that a mac address can be mapped to more than one port, including the 'cpu' port.
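The learning, flooding, ageing and static-entry behaviour described above can be traced with a small Python model. This is an added example, not MikroTik code: the class and function names, port names and MAC addresses are constructed, and it assumes that learning overwrites an existing dynamic entry and that the drop action applies only on the ports listed in the static entry.

```python
from dataclasses import dataclass, field

CPU = "cpu"
DYNAMIC_TIMEOUT = 300.0  # seconds; the text says dynamic entries last about 5 minutes

# Constructed sample values (documentation MAC range), not real hosts.
A, B, X = "00:00:5E:00:53:0A", "00:00:5E:00:53:0B", "00:00:5E:00:53:66"
GROUP = frozenset({"ether3", "ether4", "ether5"})


@dataclass
class StaticEntry:
    ports: frozenset                # a static MAC may map to several ports, 'cpu' included
    copy_to_cpu: bool = False       # applied when the destination MAC matches
    redirect_to_cpu: bool = False   # applied when the destination MAC matches
    mirror: bool = False            # applied when the destination MAC matches
    drop: bool = False              # applied when the source MAC matches


@dataclass
class HostTable:
    group: frozenset                               # ports of the switch group
    mirror_target: str = ""
    static: dict = field(default_factory=dict)     # mac -> StaticEntry
    dynamic: dict = field(default_factory=dict)    # mac -> (port, learned_at)

    def _lookup(self, mac, now):
        entry = self.static.get(mac)
        if entry is not None:                      # static takes over dynamic
            return set(entry.ports)
        learned = self.dynamic.get(mac)
        if learned is not None and now - learned[1] < DYNAMIC_TIMEOUT:
            return {learned[0]}
        self.dynamic.pop(mac, None)                # aged out or never learned
        return None

    def forward(self, in_port, src, dst, now):
        """Return the set of egress ports; an empty set means the frame is dropped."""
        src_entry = self.static.get(src)
        if src_entry is not None and src_entry.drop and in_port in src_entry.ports:
            return set()
        if src_entry is None and in_port in self.group:
            self.dynamic[src] = (in_port, now)     # learning
        out = self._lookup(dst, now)
        if out is None:
            out = set(self.group)                  # unknown destination: all group ports
        dst_entry = self.static.get(dst)
        if dst_entry is not None:
            if dst_entry.redirect_to_cpu:
                out = {CPU}
            elif dst_entry.copy_to_cpu:
                out.add(CPU)
            if dst_entry.mirror and self.mirror_target:
                out.add(self.mirror_target)
        out.discard(in_port)
        return out


def run_demo():
    """Walk through the cases from the text and return each forwarding result."""
    r = {}
    t = HostTable(group=GROUP)
    r["unknown_dst"] = t.forward("ether3", A, B, now=0)    # B not learned yet
    r["reply"] = t.forward("ether5", B, A, now=1)          # A was learned on ether3
    r["learned"] = t.forward("ether3", A, B, now=2)        # B was learned on ether5
    r["aged_out"] = t.forward("ether3", A, B, now=400)     # B's entry has timed out

    # Dynamic only: the same source MAC seen later on another port moves the mapping.
    d = HostTable(group=GROUP)
    d.forward("ether5", B, A, now=0)
    d.forward("ether4", B, A, now=1)
    r["moved"] = d.forward("ether3", A, B, now=2)

    # A static entry keeps B on ether5 regardless of where its MAC is seen later.
    t.static[B] = StaticEntry(ports=frozenset({"ether5"}))
    t.forward("ether4", B, A, now=401)
    r["pinned"] = t.forward("ether3", A, B, now=402)

    # drop=yes: frames with source MAC X arriving on ether4 are discarded.
    t.static[X] = StaticEntry(ports=frozenset({"ether4"}), drop=True)
    r["dropped"] = t.forward("ether4", X, A, now=403)
    return r


if __name__ == "__main__":
    for case, ports in run_demo().items():
        print(f"{case:12s} -> {sorted(ports)}")
```
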
Vlan Table
The vlan table specifies certain forwarding rules for packets that have a specific 802.1q tag. Those rules are of higher priority than switch groups configured using the 'master-port' property. Basically the table contains entries that map specific vlan tag ids to a group of one or more ports. Packets with vlan tags leave the switch chip through one or more ports that are set in the corresponding table entry. The exact logic that controls how packets with vlan tags are treated is controlled by the vlan-mode parameter, which is changeable per switch port in the /interface ethernet switch port menu. Vlan-mode can take the following values:
• disabled - ignore the vlan table, treat packets with vlan tags just as if they did not contain a vlan tag;
• fallback - the default mode - handle packets with a vlan tag that is not present in the vlan table just like packets without a vlan tag. Packets with vlan tags that are present in the vlan table, but whose incoming port does not match any port in the vlan table entry, do not get dropped.
• check - drop packets with a vlan tag that is not present in the vlan table. Packets with vlan tags that are present in the vlan table, but whose incoming port does not match any port in the vlan table entry, do not get dropped.
• secure - drop packets with a vlan tag that is not present in the vlan table. Packets with vlan tags that are present in the vlan table, but whose incoming port does not match any port in the vlan table entry, get dropped.
Vlan tag id based forwarding also takes into account the mac addresses learned or manually added in the host table.
Packets without a vlan tag are treated just as if they had a vlan tag with vlan id = 0. This means that with "vlan-mode=check" or "vlan-mode=secure", to be able to forward packets without vlan tags you have to add a special entry to the vlan table with vlan id set to 0.
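The vlan-mode rules above can be checked with a short Python model, which also lists the ports where a tagged frame from a non-member port would still be forwarded. This is an added example, not MikroTik code: the function names, port names, VLAN IDs and table contents are constructed, and per-port default VLAN IDs are not modelled.

```python
UNTAGGED_VID = 0   # per the text, untagged frames are treated as vlan id 0
MODES = ("disabled", "fallback", "check", "secure")

# Constructed sample configuration: ether2 is a trunk, ether3/ether4 are access
# ports, VLAN 99 carries management traffic to the switch CPU port.
SAMPLE_VLAN_TABLE = {
    200: {"ether2", "ether3"},
    300: {"ether2", "ether4"},
    99: {"ether2", "switch1-cpu"},
}
SAMPLE_PORT_MODES = {
    "ether2": "secure",
    "ether3": "secure",
    "ether4": "check",        # deliberately weaker than the other ports
    "switch1-cpu": "secure",
}


def vlan_decision(mode, vlan_table, in_port, vid=None):
    """Decide what happens to a frame entering in_port with VLAN id vid.

    Returns (verdict, ports). verdict is 'drop', 'vlan-table' (egress is limited
    to the ports of the matching table entry) or 'switch-group' (the vlan table
    is not applied and master-port grouping decides). vid=None means untagged.
    """
    if mode not in MODES:
        raise ValueError(f"unknown vlan-mode: {mode!r}")
    if mode == "disabled":
        return ("switch-group", None)            # table ignored entirely
    vid = UNTAGGED_VID if vid is None else vid
    members = vlan_table.get(vid)
    if members is None:                          # tag not present in the table
        if mode == "fallback":
            return ("switch-group", None)        # handled like an untagged frame
        return ("drop", frozenset())             # check and secure drop it
    if in_port not in members and mode == "secure":
        return ("drop", frozenset())             # only secure enforces membership
    return ("vlan-table", frozenset(members) - {in_port})


def non_member_ingress(port_modes, vlan_table):
    """List (port, vid, egress ports) where a frame tagged with vid and entering
    on a port that is NOT a member of that VLAN would still be forwarded."""
    findings = []
    for port, mode in sorted(port_modes.items()):
        for vid, members in sorted(vlan_table.items()):
            if port in members:
                continue
            verdict, egress = vlan_decision(mode, vlan_table, port, vid)
            if verdict == "vlan-table":
                findings.append((port, vid, sorted(egress)))
    return findings


if __name__ == "__main__":
    for port, vid, egress in non_member_ingress(SAMPLE_PORT_MODES, SAMPLE_VLAN_TABLE):
        print(f"{port}: frames tagged {vid} would reach {', '.join(egress)}")
```

With the sample table, only the port left in check mode is reported: frames tagged 99 or 200 entering ether4 are still forwarded, whereas the secure ports drop them.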
Vlan-header option (configured in /interface ethernet switch port) sets the VLAN tag mode on
egress port. Starting from RouterOS version 6 this option works with AR8316, AR8327, AR8227 and AR7240
switch chips and takes the following values:
• leave-as-is - packet remains unchanged on egress port;
• always-strip - if VLAN header is present it is removed from the packet;
• add-if-missing - if VLAN header is not present it is added to the packet.
Rule Table
The rule table is a very powerful tool allowing wire speed packet filtering, forwarding and vlan tagging based on L2, L3 and L4 protocol header field conditions.
Each rule contains a conditions part and an action part. The action part is controlled by the following parameters:
• copy-to-cpu=yes/no - clones matching packets and sends them to cpu port;
• redirect-to-cpu=yes/no - redirects matching packets to cpu port;
• mirror=yes/no - clones matching packets and sends them to mirror-target port;
• new-dst-ports - if set, forces the destination port to be as specified; multiple ports are allowed, including the cpu port. A non-obvious feature of this parameter is that passing an empty list of ports drops matching packets;
• new-vlan-id (only applies to Atheros8316) - if specified, changes the vlan tag id, or adds a new vlan tag if one was not present;
• new-vlan-priority - if specified changes the vlan tag priority bits;
• rate (only applies to Atheros8327) - Sets limitation (bits per second) for all matched traffic. Can only be applied
to first 32 rule slots.
Conditions part is controlled by rest of parameters:
• ports - match port that packet came in from (multiple ports allowed);
• mac layer conditions
• dst-mac-address - match by destination mac address and mask;
• src-mac-address - ...;
• vlan-header - match by vlan header presence;
• vlan-id (only applies to Atheros8316) - match by vlan tag id;
• vlan-priority (only applies to Atheros8316) - match by priority in vlan tag;
• mac-protocol - match by mac protocol (skips vlan tags if any);
• ip conditions
• dst-address - match by destination ip and mask;
• src-address - match by source ip and mask;
• dscp - match by ip dscp field;
• protocol - match by ip protocol;
• ipv6 conditions
• dst-address6 - match by destination ip and mask;
• src-address6 - match by source ip and mask;
• flow-label - match by ipv6 flow label;
• traffic-class - match by ipv6 traffic class;
• protocol - match by ip protocol;
• L4 conditions
• src-port - match by tcp/udp source port range;
• dst-port - match by tcp/udp destination port range;
IPv4 and IPv6 specific conditions cannot be present in the same rule. The menu contains an ordered list of rules, just like /ip firewall filter. Because the rule table is processed entirely in the switch chip's hardware, there is a limit to how many rules you may have. Depending on the number of conditions (MAC layer, IP layer, IPv6, L4 layer) you use in your rules, the number of active rules may vary from 8 to 32 for the Atheros8316 switch chip and from 24 to 96 for the Atheros8327 switch chip. You can always run /interface ethernet switch rule print after modifying your rule set to check that no rules at the end of the list are 'invalid', which means those rules did not fit into the switch chip.
/interface ethernet
set ether3 master-port=ether2
set ether4 master-port=ether2
set ether5 master-port=ether2
• Assign "vlan-mode" and "vlan-header" mode for each port and "default-vlan-id" on ingress for each access port.
Set "vlan-mode=secure" to ensure strict use of VLAN table. Set "vlan-header=always-strip" for access ports - it
removes VLAN header from frame when it leaves the switch chip. Set "vlan-header=add-if-missing" for trunk
port - it adds VLAN header to untagged frames. "Default-vlan-id" specifies what VLAN ID is added for ingress
traffic of the access port.
• Add VLAN table entries to allow frames with specific VLAN IDs between ports.
Management IP Configuration
This example will show one of the possible management IP address configurations. Management IP will be
accessible only through trunk port and it will have a separate VLAN with ID 99.
• Configure the port which connects switch-chip with CPU, set "vlan-header=leave-as-is" because management
traffic already should be tagged.
• Add VLAN table entry to allow management traffic through switch-cpu port and the trunk port.
• Add VLAN 99 and assign IP address to it. Since the master-port receives all the traffic coming from switch-cpu
port, VLAN has to be configured on master-port, in this case "ether2" port.
/interface vlan
add name=vlan99 vlan-id=99 interface=ether2
/ip address
add address=192.168.88.1/24 interface=vlan99 network=192.168.88.0
References
[1] http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#switch-all-ports
[2] http://wiki.mikrotik.com/wiki/Manual:Packet_flow_through_Atheros8316
Manual:USB Features
Summary
Sub-menu: /system routerboard usb
Package: routerboard (v5) / system (v6)
Not all RouterBOARDs with USB ports support the same features. This article lists the USB features
supported by each RouterBOARD.
Warning: On RB2011 and CRS series boards, USB devices may not work the first time they are plugged in.
A power cycle (not a reboot) is needed.
RB411U 1 no yes
RB411UAHR 1 no no*
RB433UAH 2 no yes
RB435G 2 no yes
RB493G 1 no no*
RB750UP 1 no yes
RB751G-2HnD 1 no yes
RB751U-2HnD 1 no yes
References
[1] http://routerboard.com/5VUSB
Manual:Default Configurations
Applies to RouterOS: v5
Integrated Indoors
Board | Wan port | Lan port | Wireless mode | ht chain | ht extension | dhcp-server | dhcp-client | Firewall | NAT | Default IP | Mac Server
RB750, RB750G | ether1 | Switched ether2-ether5 | - | - | - | on lan port | on wan port | blocked access to wan port | Masquerade wan port | 192.168.88.1/24 on lan port | Disabled on wan port
RB751 | ether1 | Switched ether2-ether5, bridged wlan1 with switch | AP b/g/n 2412MHz | 0,1 | above-control | on lan port | on wan port | blocked access to wan port | Masquerade wan port | 192.168.88.1/24 on lan port | Disabled on wan port
RB951 | ether1 | Switched ether2-ether5, bridged wlan1 with switch | AP b/g/n 2412MHz | 0 | above-control | on lan port | on wan port | blocked access to wan port | Masquerade wan port | 192.168.88.1/24 on lan port | Disabled on wan port
RB1100 AH/AHx2 | - | - | - | - | - | - | - | - | - | 192.168.88.1/24 on ether1 | -
RB1200 | - | - | - | - | - | - | - | - | - | 192.168.88.1/24 on ether1 | -
RB2011 | sfp1,ether1 | two switch groups bridged (ether2-ether10, wlan1 if present) | - | - | - | on lan port | on wan port | blocked access to wan port | Masquerade wan port | 192.168.88.1/24 on ether1 | Disabled on wan port
Integrated Outdoors
Board | Wan port | Lan port | Wireless mode | ht chain | ht extension | dhcp-server | dhcp-client | Firewall | NAT | Default IP | Mac Server
Groove 2Hn | wlan1 | ether1 | station a/n 2.4GHz | 0 | above control | on lan port | on wan port | blocked access to wan port | Masquerade wan port | 192.168.88.1/24 on lan port | Disabled on wan port
Groove 5Hn | wlan1 | ether1 | station a/n 5GHz | 0 | above control | on lan port | on wan port | blocked access to wan port | Masquerade wan port | 192.168.88.1/24 on lan port | Disabled on wan port
Metal 5 | wlan1 | ether1 | station a/n 5GHz | 0 | above control | on lan port | on wan port | blocked access to wan port | Masquerade wan port | 192.168.88.1/24 on lan port | Disabled on wan port
SXT 5xx, SXT G-5xx | wlan1 | ether1 | station a/n 5GHz | 0,1 | above control | on lan port | on wan port | blocked access to wan port | Masquerade wan port | 192.168.88.1/24 on lan port | Disabled on wan port
OmniTik | ether1 | Switched ether2-ether5, bridged wlan1 with switch | AP a/n 5300MHz | 0,1 | - | on lan port | on wan port | - | Masquerade wan port | 192.168.88.1/24 on lan port | -
SEXTANT | wlan1 | ether1 | station a/n 5GHz | 0,1 | above control | on lan port | on wan port | blocked access to wan port | Masquerade wan port | 192.168.88.1/24 on lan port | Disabled on wan port
Engineered
Board | Wan port | Lan port | Wireless mode | ht chain | ht extension | dhcp-server | dhcp-client | Firewall | NAT | Default IP | Mac Server
RB411xx, RB435G, RB433xx, RB495xx, RB800 | - | - | - | - | - | - | - | - | - | 192.168.88.1/24 on ether1 | -
RB450xx | ether1 | Switched ether2-ether5 | - | - | - | on lan port | on wan port | blocked access to wan port | Masquerade wan port | 192.168.88.1/24 on lan port | Disabled on wan port
RB711-5xx, RB711G-5xx | wlan1 | ether1 | station a/n 5GHz | 0 | above control | on lan port | on wan port | blocked access to wan port | Masquerade wan port | 192.168.88.1/24 on lan port | Disabled on wan port
RB711-2xx | wlan1 | ether1 | station b/g/n 2.4GHz | 0 | above control | on lan port | on wan port | blocked access to wan port | Masquerade wan port | 192.168.88.1/24 on lan port | Disabled on wan port
Note: To see the exact configuration script that will be applied after a system reset, use the following command:
/system default-configuration print
Wan Port
When the configuration is applied, the WAN port is renamed to "<wan port>-gateway". For example, if the WAN
port is ether1, it will be renamed to "ether1-gateway".
Local Port
Local port can be:
• single interface
• ethernets configured in switch group
• bridged all interfaces that are not WAN and switch slaves.
If ports are switched then master port is renamed to "<ethernet name>-master-local" and slaves to "<ethernet
name>-slave-local".
Let's take the RB751 as an example. The board has ether1 configured as the WAN port, a switch chip and one
pre-configured wireless interface. So in this case all ethernets except ether1 are grouped in a switch group and bridged
with the wireless interface.
:local bMACIsSet 0;
:set bMACIsSet 1;
Wireless Config
Wireless configuration depends on market segment for which board is designed. It can be configured as AP or
station in 2GHz and 5GHz frequencies. Default 2GHz frequency is 2412 and default 5GHz frequency is 5300. SSID
is "Mikrotik-" + last 3 bytes in hex from wireless MAC address. Starting from v5.25 and v6rc14 Wireless Security
profile is configured with WPA/WPA2 and security key equal to router's serial number.
For example, If Mac address of the wlan1 interface is 00:0B:6B:30:7F:C2, and serial number of the board is
If board has two chains (letter D in the naming of the board), then both chains are enabled. HT
Extension is enabled on all CPEs.
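The defaults described above are predictable: the SSID is derived from the wireless MAC address, and the key is the serial number. The following audit is an added example, not part of the original manual or of RouterOS; the inventory records, field names and serial numbers are constructed, and the SSID prefix is taken as written in the text above. It flags devices that still run the factory SSID or still use their serial number as the WPA/WPA2 key.

```python
import re

SSID_PREFIX = "Mikrotik-"  # prefix exactly as written in the text above


def normalize_mac(mac):
    """Return the MAC as 12 upper-case hex digits; raise ValueError if malformed."""
    digits = re.sub(r"[:.\-\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.upper()


def factory_ssid(wlan_mac):
    """Default SSID: prefix + last 3 bytes of the wireless MAC in hex."""
    return SSID_PREFIX + normalize_mac(wlan_mac)[-6:]


def audit_device(dev):
    """Return the list of factory-default findings for one inventory record."""
    try:
        expected = factory_ssid(dev["wlan_mac"])
    except ValueError:
        return ["invalid-mac"]  # cannot derive the default SSID, needs manual review
    findings = []
    # SSIDs are compared case-insensitively so a re-typed default is still caught.
    if dev["ssid"].casefold() == expected.casefold():
        findings.append("factory-ssid")
    # The default key equals the serial number, which is printed on the device.
    psk = dev.get("psk") or ""
    if psk and psk == dev["serial"]:
        findings.append("psk-is-serial-number")
    return findings


def audit_inventory(inventory):
    """Map device name -> findings, listing only devices that need attention."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev)
        if findings:
            report[dev["name"]] = findings
    return report


# Constructed sample inventory (hypothetical device names, serials and keys).
INVENTORY = [
    {"name": "ap-lobby", "wlan_mac": "00:0B:6B:30:7F:C2", "serial": "SN-CONSTRUCTED-1",
     "ssid": "Mikrotik-307FC2", "psk": "SN-CONSTRUCTED-1"},
    {"name": "ap-office", "wlan_mac": "00-0B-6B-30-7F-C3", "serial": "SN-CONSTRUCTED-2",
     "ssid": "office-wifi", "psk": "SN-CONSTRUCTED-2"},
    {"name": "cpe-roof", "wlan_mac": "000b.6b30.7fc4", "serial": "SN-CONSTRUCTED-3",
     "ssid": "mikrotik-307fc4", "psk": "constructed long random passphrase"},
    {"name": "ap-lab", "wlan_mac": "00:0B:6B:30:7F:C5", "serial": "SN-CONSTRUCTED-4",
     "ssid": "lab", "psk": "another constructed passphrase"},
    {"name": "ap-bad-record", "wlan_mac": "00:0B:6B:30:7F", "serial": "SN-CONSTRUCTED-5",
     "ssid": "x", "psk": "y"},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```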
For example generated config on RB751:
/ip dhcp-server
}
DNS
Every board allows remote DNS requests and static DNS name is pre-configured.
/ip dns {
set allow-remote-requests=yes
static add name=router address=192.168.88.1
}
RouterBOARD 500
1. Linux installation guide and notes on how to use RouterBOARD 500 specific functions
2. RB500 Power options (Jumpers settings)
3. RB500 BIOS upgrade (over serial port)
RouterBOARD Feature Request
• (Votes: 6) RouterBOARD as a PCI card! 1 eth interface available to the host PC (Mac?) via the PCI bus. 2-4
ethernet ports out the back, maybe serial port, Antenna connector for onboard mini pci slot. Inspired by this...
http://www.securecomputing.com/index.cfm?skey=1560
• (Votes: 4) On-Board GPS chip (optional for mobile) with antenna connector and software port to transmit data to
a server (TCP/UDP)
• (Votes: 4) More slots & More watts! Instead of faster CPU's, more miniPCI slots and bigger voltage regulators.
We already got this to some degree with the newest revision of the RB532, but an even bigger model would be
nice. Something on the order of 8 slots, fully populated with XR cards.
• (Votes: 4) New routerboard Crossroads with 5G card / 300MHz cpu / 32MB RAM / L3 / 80usd
• (Votes: 4) Routing hardware acceleration (Use hardware ASIC instead of CPU)
• (Votes: 4) Daughterboard with telephony interfaces (preferably Digium compatible)
• (Votes: 3) Support for NAT64 and DNS64
• (Votes: 3) Longer-term availability (non-obsolescence) e.g. RB112
• (Votes: 3) MPLS hardware acceleration (Use hardware ASIC instead of CPU)
• (Votes: 3) A 12 and 24 port RouterBoard for Layer3 switch use.
• (Votes: 3) Long Term Support, more hardware revisions instead of new models.
• (Votes: 3) Have the capability of a built in adsl+ cablemodem with automatic traffic shaping+wifi (G+N
protocol)+1Gbit ports
• (Votes: 3) 3.65Ghz 802.11 N MIMO Mini PCI Card
• (Votes: 2) API in RB250GS.
• (Votes: 2) "Market change." Integrating ports mini pci express that they are more efficient
• (Votes: 2) Documentation about the mini-ups in board connector and how it works (ie: rb230), package ups with
support it.
• (Votes: 2) Additional (i.e. 2) async serial interfaces
• (Votes: 2) SNMP-TRAP Support would be nice for Receiving events with NET-SNMP's trapd
• (Votes: 2) 5 to 10 binary inputs (maybe a few that detect a break in continuity and a few that detect when voltage
goes high) (MERGE with I2C bus at top, it's the same request)
• (Votes: 2) 4 x 8 bit value input headers (to industry standard data acquisition specifications)
• (Votes: 2) 2 x ( 16 bit value input headers (again, to industry standard data acquisition specs)
• (Votes: 2) MetaRouter on RB600(A)
• (Votes: 2) Support for ERICSSON F3507g mini-pci express card
• (Votes: 2) IGMP Proxy support in RB250GS, RB750 and in coming RB2011
• (Votes: 2) OpenVPN with no auth-user-pass requirement.
• (Votes: 1) SFP Slot on Access Point and Point To Point Cards (Eg. RB800, RB433) to solve RF Problems on
ethernet cables on telco towers
• (Votes: 1) a small micro-SD slot for RB750, an extra storage for a small useful device.
• (Votes: 1) Routerboard specifically for routing (e.g. rb1000) with one or more ports SATA for store proxy-cache
• (Votes: 1) Sound interface (AC97 ? on main or daughterboard) (used for telephony, tone for alignment or other
VOIP applications)
• (Votes: 1) Users Manual for RB1000
• (Votes: 1) Introducing Events as triggers for running the scripts
• (Votes: 1) Ability to add custom fields in WinBox Loader and an Export/Import addressbook button for easier
transfer of connections
• (Votes: 1) Automatic TX-Power on AP-Side (point2point) set by RX-Signal on the station side. The AP should
calculate its TX Power on the RX signal of the station in a p2p link. TX should be calculated on 1 time of a
night, so Users are no long offline...
• (Votes: 1) Routerboard as 802.1x authenticator for ethernet-connected clients.
• (Votes: 1) Dynamic VLANs / GVRP for WPA2 / 802.1x
• (Votes: 1) Zeroconf / mdns / avahi for announcing services in lan / wlan
• (Votes: 1) RB1100AHUP (Removes a lot of cables, power supplies, poe-adapters) from 12-24 volt per port
controllable.
• (Votes: 0) A digital input/output(tamper switch)
• (Votes: 0) SNMP direct SMS reporting to admin about problems with network. (SIM Card slot with sms service)
• (Votes: 0) Part time working with polling / without polling - to be able to connect mikrotik clients with polling
and Nstream and other devices without this features.
• (Votes: 0) New Router request: Device to be used as UserManager / RADIUS Server. I suggest a device, similar
to the RB1100, but with (at least) 2x microSD slots (would be AWESOME with 2x SATA ports (and power)),
fewer ethernet (even 1x or 2x ethernet should be sufficient), ROS L6 licence, 2x USB (for UM DB backup to
USB drive, additional USB for 3G backup/SMS modem, or even for a USB ticket printer...), miniPCIx with SIM
slot (also for 3G/SMS capability), why not also add miniPCI so small Coffee shops could use it as RADIUS and
Hotspot. Option for 1U or 2U enclosures (2U when SATA drives are used). The selling point would be to have
all the mentioned requests and have the device operate on 12VDC (probably 5A) (with power for SATA 2.5"
HDD's). This device would be excellent for UserManager, but would also be a good platform for a FreeRADIUS
server and many other NON-Mikrotik based OS's (eg small Linux based SME office server with perhaps SMB,
Mail. OS's eg ClearOS (formerly Clark Connect), eBox etc).
• (Votes: 0) Change default backup files naming convention to YYYYMMDD so they can sort properly.
• (Votes: 0) Support for OpenVPN server over UDP. Any VPN using TCP transport can result in serious
TCP-meltdown. User-plane TCP and UDP will take care of possible retransmissions anyway. The VPN tunnels
(or any classic Internet transmission) has no need to guarantee packet delivery. Also, loadbalancing and a virtual
interface would be nice. Generally - simply make the most popular VPN services such as perfect-privacy.com
totally usable with RouterOS as a client!
• (Votes: 0) An implementation of the Locator/ID Separation Protocol (LISP) would be very useful. It's still draft
http://datatracker.ietf.org/doc/draft-ietf-lisp/ but the possibilities are outstanding and are a big gain for the
already implemented vrf functions. With the help of LISP, IP portability when changing providers, multi-homing
across different providers, simple ingress traffic engineering without BGP and rapid IPv6 transition can be done
in a snap.
Another thing which talks for LISP is the possibility to use VMotion and VRFs without a BGP-Enabled network,
just with a Layer3-Connection with an appropriate MTU-size.
• (Votes: 24) Make all boards 48vdc so we do not need different PSU all the time ie RB532 (48v) vs RB333 (24V)
this request is irrelevant now that all new models are the same voltage
• (Votes: 11) Pins with 5v (or other voltage) that can on/off with routeros e.g. on/off a relay of alarm or domo
applications use the Fan headers or user LED connections
• (Votes: 8) FCC approval of Routerboard (rb433 appears to be approved, haven't bought much other new model
variety)
• (Votes: 6) Routerboard that support 3G, HSDPA, UMTS - with mini-PCI
References
[1] http://www.mikrotik.com/mfm.php
Mini-PCI (In)Compatibility
See Supported Hardware
DISCLAIMER
First I must point out that I am not an electrician or Solar Power "Expert". The contents of this article is the result of
my experiences and lessons learned. I may not have calculated things fully / correctly, and may not have designed
things exactly how they should be. THEREFORE you are reminded of this and that the use of this information is
made entirely at your own risk. If you damage some equipment or yourself, or you find that this design doesn't cover
the loads that you have, I can take no responsibility.
REMEMBER working with power and batteries and heights can be dangerous. Observe all industry standard health
and safety rules.
CALL TO GURU'S
Can I request that others who have had successes with Solar Power Installations please edit / review this wiki? If you
don't have time to make changes you can PM me in the forums and I will make the edits.
AIM
To power the following equipment with the use of Solar Power and NO Mains Power. The system must operate
24x7x365 with no downtime due to power.
Equipment to be powered:
• 1 x RB433 Routerboard
• 1 x R52H MiniPCI Radio Card
The system must be installed at the base of the mast and send power (NOT OVER POE) up the mast to the
RouterBoard Mounted in an Outdoor Housing at the top of the Mast.
Mast is 30 Meters High.
Sunlight
How many hours of usable sunlight in a day do you receive in your area? This is called Insolation. Obviously this
varies during the year with the seasons and so you will have fewer useful hours of sunlight in winter months than in
summer months. I recommend that you always use the LOWEST number for your area.
For example in Nairobi, Kenya (where I am) The annual average sunlight is 5.62 Kilowatt Hours per meter squared
per day. During the summer months February has the highest levels of sunlight at 6.24 Kilowatt Hours per meter
squared per day and July has the lowest at 4.88 Kilowatt Hours per meter squared per day.
Therefore when doing my calculations I must use the lowest number of 4.88 kWhours per day. This ensures that in
the winter months my solar system can still charge up the batteries and keep the routerboard running properly during
the dark/gloomy hours.
You can get the sunlight data for your area from many places on the net. I got mine from the NASA website [1]
Solar Power HOWTO 45
Power Consumption
The Power Consumption of your Hisite. This can be tricky to get right in my experience. Start by reading the user
manual for your routerboard, and refer to the power consumption data in the specifications.
The RB433 Manual claims that the RB433 will consume approx. 3 Watts BEFORE you add any radio cards. Radio
Cards power consumption varies according to the power output of the radio and other things.
System Voltage
The voltage that your equipment can use. The Routerboard Manual states the following:
"RouterBOARD 433 series boards are equipped with a reliable 25W onboard power supply with overvoltage
protection. 12..28 V DC input voltages are accepted, but when powered over long cables, it is suggested to use at
least 18V. The system is tested with 24V solar/wind/RV systems with 27.6 charge voltage. Overvoltage protection
starts from about 30V (up to 60V), so the board will not be damaged if connected to a 48 or 60 V power line."
And so because Mikrotik say they tested with 24Volt Systems I based my system on 24 Volts.
There are other opinions on this in the Forums, and I have to admit I don't understand the science enough to really
figure this out. Do your own checking.
Practicalities
The practicality of the system. Do you want many small panels, or one big one? Do you need many physically small
batteries or fewer big ones?
Maybe if you have to carry the batteries up the mountain in your backpack then lots of smaller ones makes more
sense.
You also have to balance your workings with what you can get. I am in Africa, and we can't always get the ideal
items, and so you may have to adjust your design / calculations to suit what you can get.
BUILDING
KIT LIST
The List of equipment that I have used (Please note that costs are in US Dollars and apply to Kenya):
• 2 x 40 Watt 12 Volt Solar Panel @ 193 USD Each
• 1 x 24Volt 15Amp Charge / Load Controller @ 60 USD
• 2 x 12 Volt 44amp hour deep cycle, sealed low maintenance lead acid solar batteries @ 95 USD Each
• 30 Metres of 2.5mm Twin Core Flex Copper Cable @ 0.8 USD per Meter
• 10 Metres each of Red and Black 4mm Single Core Copper Cable (20m total) @ 1 USD Per Meter
• 1 x DC Power Plug (to go into the routerboard)
• 1 x ABB IP 55 Rated Outdoor steel housing to contain the batteries and controller @ 35 USD
• A DIY Steel Frame to mount the panel @ 20 USD
• Many Cable Ties
• Various cable lugs and terminators
SEQUENCE OF CONNECTION
Please observe these rules when connecting up your solar system to ensure that you don't damage any components.
Always make sure you connect the NEGATIVE cable FIRST when working with DC systems.
Always connect the battery first, then the Solar Panels and FINALLY the Load.
Follow the numbered sequencing as shown in the image below:
PHOTOS OF MY SYSTEM
Housing:
Vents:
The Back Plate
My housing came with a removable back plate that can be drilled and modified to allow you to mount any sort of
equipment in the housing. I used mine to mount the Charge Controller, and the fusing system. You can mount
anything else you like here. Maybe even a routerboard.
Here is my back plate showing the inline fuse on the flex cable to the battery, and the fuse panel for connecting loads
(routerboards) to the system. Using the bus bar for the negative, and the fuse panel for the positive load connections
means that it is easy to connect or disconnect loads. You can just remove a fuse to de-power something without
having to get your screwdriver out and remove connections.
All connections are soldered.
Installed Backplate:
Further Reading
There is a massive amount of info on the internet about solar. Google is your friend with this.
However here are some of the resources that I have found especially useful:
• Dr. Arne Jacobsen is a Solar Guru. A lot of great stuff at his site here: [3]
• One of many online solar calculators: [4]
• A Mikrotik forum article that spawned the writing of this article can be found here [5], and there are other articles
in the forums. Do a Search
• Another Mikrotik forum discussing over and under voltage issues is here: [6]
• An article about monitoring the solar system with an Atmega8535 board behind a RB433 wireless router is here :
[7]
References
[1] http://aom.giss.nasa.gov/srlocat.html
[2] http://forum.mikrotik.com/viewtopic.php?f=3&t=27981&start=34
[3] http://www.humboldt.edu/~aej1/
[4] http://store.altenergystore.com/calculators/off_grid_calculator/#load-calc
[5] http://forum.mikrotik.com/viewtopic.php?f=3&t=27981&p=135881#p135881
[6] http://forum.routerboard.com/viewtopic.php?f=3&t=3894
[7] http://www.lekermeur.net/lndkavr/index.html
Manual:User Manager
Introduction
• What is User Manager
• Requirements
• Supported browsers
• Demo
• Differences between version 3 and version 4-test
Getting started
• Download
• Install
• Create first subscriber
• First log on User Manager web
Quick start
• User Manager and HotSpot
• User Manager and PPP servers
• User Manager and DHCP
• User Manager and Wireless
• User Manager and RouterOS user
Concepts explained
Common
• Customers
• Users
• Routers
• Sessions
• Payments
• Reports
• Logs
• Customer permission levels
• Character constants
• Active sessions
• Active users
• Customer public ID
Reference
Web interface
• Search patterns
• Tables:
• Sorting
• Filtering
• Division in pages
• Multiple object selection
• Operations with selected objects
• Minimization
• Links to detail form
• Detail forms
• Page printing
Customer page
• Setup
• How to find it?
• Sections
• Status
• Routers
• Credits
• Users
• Sessions
• Customers
• Reports
• Logs
User page
• Setup
• How to find it?
• Link to user page
• Sections
• Status
• Payments
• Settings
User sign-up
• Setup
• Sign-up steps
• Creating account
• Activating account
• Login
User payments
• Authorize.Net
• PayPal
User Manager/Introduction
What is User Manager
User manager is a management system that can be used for:
• HotSpot users;
• PPP (PPtP/PPPoE) users;
• DHCP users;
• Wireless users;
• RouterOS users.
It is a separate package for RouterOS.
User Manager is a RADIUS [1] server application.
In RouterOS version 4 User Manager test package was introduced, having major functionality and interface changes.
Requirements
• You should have the same version for RouterOS and the User Manager package.
• The MikroTik User Manager works on x86, MIPS, PowerPC and TILE processor based routers.
• The router should have at least 32MB RAM and 2MB free HDD space.
Supported browsers
All current generation browsers are supported, including:
• Opera [2] (>= 9.0). Probably works fine also on Opera 8.x
• Mozilla Firefox [3] (>= 1.5). Probably works fine also on Mozilla Firefox 1.0.x
• Microsoft Internet Explorer [4] (>= 6.0).
• Safari [5] (>= 2.0)
References
[1] http://en.wikipedia.org/wiki/RADIUS
[2] http://www.opera.com/download/
[3] http://www.mozilla.com/firefox/
[4] http://www.microsoft.com/windows/ie/
[5] http://www.apple.com/safari
User Manager/Getting started
Install
Perform the usual router upgrade steps - upload the User Manager package to the router's FTP server and reboot the
router.
If you are using a version prior to 4-test, Customers were called subscribers, so then the first
subscriber must be added using Mikrotik terminal (console). All the configuration is done under
the /tool user-manager menu.
To create a v3 subscriber or v4-test/v5 Customer you should go to /tool user-manager customer menu and execute
add command. It will ask for the username which you will use.
or you can enter this into the command line:
You can use the following command to change the password for the 'admin' user:
After that you can use print command to see what you have added.
Note: On RouterOS 4.1, the User Manager web interface is unreachable (HTTP 404) when navigating
to http://inside_ip/userman from behind a Hotspot interface, where inside_ip is a non-NAT'd IP address on the
router. Two workarounds: change the 'www' service port from 80 to something other than 80 or 8080, such as port
81, and then use http://inside_ip:81/userman; or use an IP address that hotspot users are NAT'd to
(http://outside_ip/userman) instead.
HotSpot configuration
• Set HotSpot to use User Manager for HotSpot server users,
'secret' is equal to User Manager router secret. 'y.y.y.y' is the User Manager router address. By default this is
127.0.0.1. If using a remotely located Router (perhaps via a VPN) then the IP address entered is the IP address of
that remote Router. The router could be a Radius Server, or another ROS with User Manager installed.
• Note, first local HotSpot Users database is consulted, then User Manager database.
It means that if you have configuration in '/ip hotspot user print', users will be able to authenticate in HotSpot using
this locally held data.
Delete users configuration from '/ip hotspot print' to stop using the local HotSpot user database for authentication. To
move a batch of local HotSpot users to the User Manager database, use export and import. Use a text editor to
create an appropriate file to import local users into the User Manager database.
If you have multiple Radius entries, then connections are attempted from top to bottom and the first Radius Server
that responds (with ANY response, authenticated or not) aborts any further radius lookups. Therefore this is intended
for the Hotspot to try to obtain a connection to a working Radius Server usually with the same identical database
contents, e.g. a main server and an identical backup. Adding multiple entries is not intended for the scenario of using
different Radius Servers where you wish the Radius Client to attempt to obtain authentication for a user login from
multiple and completely different databases, trying each one in turn, obtaining failures to authenticate on each
(wrong) one until eventually one obtains a valid authenticated response from the one single database that does
contain their Radius record.
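The failover rule above can be modelled in a few lines. This simulation is an added example, not RouterOS or User Manager code; the class, function names and user records are constructed. It shows that a reject from the first responding server is final, so a user who exists only on a later server is refused, and it includes a check an operator can run to confirm that the listed servers really hold identical records.

```python
from dataclasses import dataclass


@dataclass
class RadiusServer:
    name: str
    users: dict             # username -> password (constructed sample data)
    reachable: bool = True  # False models a server that never replies

    def request(self, username, password):
        """Return 'accept' or 'reject', or None when no reply arrives (timeout)."""
        if not self.reachable:
            return None
        return "accept" if self.users.get(username) == password else "reject"


def authenticate(servers, username, password):
    """Try servers top to bottom; the first reply of ANY kind ends the lookup."""
    tried = []
    for server in servers:
        tried.append(server.name)
        reply = server.request(username, password)
        if reply is not None:      # accept or reject: no further servers are asked
            return reply, tried
    return "no-response", tried    # every server timed out


def divergent_users(servers):
    """Users whose record is missing or different on at least one server."""
    all_users = set().union(*(s.users for s in servers))
    return sorted(u for u in all_users
                  if len({s.users.get(u) for s in servers}) > 1)


# Constructed example: two servers whose databases are NOT identical.
main = RadiusServer("main", {"alice": "pw-a"})
other = RadiusServer("other", {"alice": "pw-a", "bob": "pw-b"})

if __name__ == "__main__":
    # bob exists only on "other", but "main" answers first with a reject.
    print(authenticate([main, other], "bob", "pw-b"))
    # Only when "main" is silent does the lookup reach "other".
    main.reachable = False
    print(authenticate([main, other], "bob", "pw-b"))
    print("records that differ between servers:", divergent_users([main, other]))
```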
User Manager/Hotspot Example 60
'x.x.x.x' is the address of the HotSpot router, 'shared-secret' should match on both User Manager and HotSpot
routers. Adding 'x.x.x.x' as a router allows Radius requests from 'x.x.x.x' to be passed to the Radius Server built into
User Manager. Therefore if you have any remote ROS Hotspots that require access to this Radius Server, then all
their IP addresses must be added to this list.
• Add HotSpot user information, it is equal to 'ip hotspot user' when local HotSpot is used for clients
In version 3:
In version 4:
We discuss only basic configuration example, detailed information about 'user' menu configuration.
• You can use User Manager web interface after first subscriber created.
• To make sure, that client is using User Manager for AAA,
'R' means that client uses User Manager server for AAA services.
User Manager/PPP Example 61
PPP configuration
We consider PPPoE server <-> PPPoE client configuration example, where the PPPoE server uses a remote User
Manager database for PPPoE client authentication, authorization and accounting. Both PPPoE server and PPPoE
client are MikroTik routers, any other PPPoE client might be used instead.
• Set IP address of the PPPoE server, IP address might not be assigned to the interface of PPPoE server. Moreover
static IP address or DHCP should not be used on the same interfaces as the PPPoE server for security reasons.
'secret' is equal to User Manager router secret. 'y.y.y.y' is the User Manager router address.
• Note, first the local PPP database is consulted, then the User Manager database.
In version 4:
'x.x.x.x' is the address of the PPPoE-server router, 'shared-secret' should match on both User Manager and
PPPoE-server routers.
• Add PPPoE client information,
In version 3:
/tool user-manager user add username=demo password=demo subscriber=MikroTik ip-address=192.168.0.2
In version 4:
/tool user-manager user add username=demo password=demo customer=MikroTik ip-address=192.168.0.2
• Let us verify, that PPPoE client is connected and using User Manager for authentication, authorization and
accounting. First we monitor if PPPoE client is connected, then we verify that User Manager was used. The first
command is executed on PPPoE client router, second on PPPoE server:
'secret' is equal to User Manager router secret. 'y.y.y.y' is the User Manager router address.
• Note, first local router database is consulted, then User Manager database. User will be unable to obtain DHCP
lease, if DHCP router and User Manager server will not contain any information about user's data.
In version 4:
'x.x.x.x' is the address of the DHCP router, 'shared-secret' should match on both User Manager and DHCP routers.
• Add DHCP user information, that client with MAC address 00:01:29:27:81:95 will always receive 192.168.100.2
address. User will receive dynamic address from the DHCP ip pool, if ip-address is not specified.
In version 3:
/tool user-manager user add subscriber=MikroTik username="00:01:29:27:81:95" ip-address=192.168.100.2
In version 4:
/tool user-manager user add customer=MikroTik username="00:01:29:27:81:95" ip-address=192.168.100.2
We discuss only basic configuration example, detailed information about user menu configuration.
• To make sure, that user is receiving lease from User Manager,
User Manager/DHCP Example 64
'R' means that lease has been received from User Manager server.
References
[1] http://www.mikrotik.com/testdocs/ros/2.9/ip/dhcp.php
'secret' is equal to User Manager router secret. 'y.y.y.y' is the User Manager router address.
• Note, first local router database is consulted, then User Manager database. Wireless client will be unable to
connect to Access Point, if Access Points router does not contain any entry in the 'interface wireless access-list'
for the particular configuration and User Manager server will not have any information about user's data.
• Make sure you do not have any entry in the 'interface wireless access-list', remove all hosts from 'access-list' to
ensure wireless client MAC authentication only via User Manager,
In version 4:
'x.x.x.x' is the address of the Access Point router, 'shared-secret' must match on both User Manager and Access Point
routers.
• Add wireless client information, client MAC-address that is allowed to establish connection to the Access Point,
In version 3:
References
[1] http://www.mikrotik.com/testdocs/ros/2.9/interface/wireless.php
RouterOS configuration
• Set RouterOS to use User Manager server for checking login and password information,
• '/user aaa' has 'default-group' option, that define type of the default group. Default is read permissions, if you need
to allow full permissions for users stored in User Manager database
'secret' is equal to User Manager router secret. 'y.y.y.y' is the User Manager router address.
• Note, first local router database is consulted, then User Manager database.
User Manager/RouterOS user Example 66
In version 4:
'x.x.x.x' is the address of the RouterOS router, 'shared-secret' must match on both User Manager and RouterOS
routers.
• Add login/password information, that account will be able to access RouterOS. login is MikroTik, password is
MikroTik.
In version 3:
User Manager/Customers
• Customers are service providers. They use web interface to manage users, credits, routers;
• Customers are hierarchically ordered in a tree structure [1] - each can have zero or more sub-customers and
exactly one parent-customer;
• Each customer can have the same or a weaker permission level than its parent;
• Each customer has exactly one owner-subscriber.
• Customer with owner permissions is called subscriber. Subscriber's parent is himself;
• Customer data contains:
• Login and password. Used for web interface;
• Parent. Enumerator over customers. Used to keep the hierarchy of customers;
• Permissions. Specifies permission level;
• Public ID. An ID used to identify the customer. When a user wants to log on to the user page or to sign up, he/she
needs to specify which customer to use (because user login names are allowed to be equal among several
subscribers). To keep customer login names secret (for security reasons), this field is used to identify
customers (subscribers);
• Public host. Only for subscribers. IP address or DNS name [2] specifying the public address of this User Manager
router. Payment gateways use this address to send the transaction status response. This field makes sense only if users
access the User Manager site through a local IP address (for example, http://192.168.0.250/user) and another
address is used for public access (for example, http://userman.mt.lv/user).
• Company, city, country. Informational;
• Email address. Used to send emails (for ex., sign up information) to users;
References
[1] http://en.wikipedia.org/wiki/Tree_structure
[2] http://en.wikipedia.org/wiki/Domain_name
User Manager/Users
• Users are people who use services provided by customers;
• Each user can have time, traffic and speed limitations;
• Users belong to specific subscriber, not to customer. Customers can create, modify and delete users but the owner
is the subscriber who is also owner of these customers;
• To separate users among customers of one subscriber, user prefix is used.
• User data contains:
• Username and password - used to identify user. Different subscribers can have users with the same username;
• First name, last name, phone, location. Informational;
• Email. Used to send notifications to user (for ex., sign-up email);
• IP address. If not blank, user will get this IP address on successful authorization;
• Pool name. If not blank, user will get IP address from this IP pool on successful authorization;
• Group. Sent to Radius client as Mikrotik-Group attribute. Indicates group (/user group) for RouterOS users and
profile for HotSpot users. See Radius client documentation [1] for further details, search for "Mikrotik-Group".
• Address list. Sent to Radius client as Mikrotik-Address-List attribute. Used only for PPP (not hotspot) -
indicates to which "ip firewall address-list" should the remote address be added.
• Download limit. Limit of download traffic, in bytes;
• Upload limit. Limit of upload traffic, in bytes;
• Transfer limit. Limit of total traffic (download + upload), in bytes;
• Uptime limit. Limit of total time the user can use services. When left blank, user is limited in time only by
credits. Note that this value only takes effect when a user is logged on. When they log off the clock is stopped.
If you want to limit the time whether or not the user is logged in, you have to use credits.
• Rate limits. Has several parts. For more detailed description see HotSpot User AAA [2], search for "rate-limit".
• Users also have read-only counters:
• Uptime used;
• Download used;
• Upload used.
Note: RouterOS users have nothing to do with User Manager user. If you have RouterOS user admin, it doesn't mean
it will also be a customer/subscriber in User Manager.
References
[1] http://www.mikrotik.com/testdocs/ros/2.9/guide/aaa_radius.php
[2] http://www.mikrotik.com/testdocs/ros/2.9/guide/aaa_hotspot.php
User Manager/Routers
User Manager must know with which routers (IP addresses) to communicate. User Manager is like a judge - it
receives questions and must give answers. For example:
HotSpot: "Is user 'nick' allowed to use hotspot?"
User Manager: "Yes, but only 2 hours. And give him IP 192.168.0.40".
If an unknown router asks something, User Manager ignores it.
Router table contains information about known routers which are allowed to ask User Manager questions.
Router data contains:
• Name. Name of the router. Informational, must be unique per subscriber;
• IP address. Address of the router;
• Shared secret. Password used for authentication;
• Log events. Specifies which events must be written to log.
User Manager/Sessions
The term session refers to a period when a user is using customer's services (HotSpot). It has nothing to do with User
Manager web-page sessions.
Fields:
• Username. Session owner;
• NAS Port. See: RADIUS Client documentation [1] (Supported Radius Attributes);
• NAS Port Type. See: RADIUS Client documentation [1] (Supported Radius Attributes);
• Calling Station ID. See: RADIUS Client documentation [1] (Supported Radius Attributes);
• Status. Session status, composition of several facts;
• User IP. User's IP address;
• Host IP. Router's IP address;
• NAS Port ID. See: RADIUS Client documentation [1] (Supported Radius Attributes);
• From Time. Session start time;
• Till Time. Session end time;
• Terminate Cause. Session termination reason;
• Uptime. = EndTime - StartTime;
• Download. Downloaded traffic amount;
• Upload. Uploaded traffic amount.
User Manager/Payments
Users can buy credits using payment methods allowed by the subscriber. Subscribers can define accessible payment
methods on the customer page.
Payments hold history of user's transactions.
Attributes:
• Created. Transaction start-time;
• Finished. Transaction end-time;
• Price. Transaction amount (credit price);
• Credit time. Credit prepaid-time bought;
• Status. Current status of transaction. Can be one of the following:
• Started - transaction is in progress;
• Approved - transaction completed successfully;
• Error - transaction failed;
• Timeout - transaction failed (not finished in required time);
• Status description - message describing transaction status;
User Manager/Reports
TODO
User Manager/Logs
Logs are written when Authorization (auth) or Accounting (acct) requests from routers are received.
It is configurable per router which logs must be written (See: HOWTO).
Log data contains:
• Username. Can differ from those registered in user table;
• User IP;
• Host IP. Router's IP;
• Status;
• Time;
• Description;
• NAS Port;
• NAS Port type;
• NAS Port ID;
• ACCT Session ID;
• Calling station ID.
More information on what these fields mean can be found in Mikrotik RouterOS Radius client documentation [1],
Supported RADIUS Attributes.
, where 1.2.3.4 and 514 is IP address and UDP port of the remote host, which will receive the logs.
3) Configure your remote host to listen on port 514 (any other port can be used, but it MUST be a UDP port and MUST
match the one entered in router's system logging action);
4) Test, if logs are successfully received at the remote host:
4.1) Generate some logs by logging in and out using HotSpot/PPP users;
4.2) Check the Log page. The logs must appear here. Logs are sent to syslog only if they are logged in the User
Manager database;
4.3) Check, if logs are received remotely. If you are running Linux, nc [2] can be used:
nc -l -u -p 514
, where 514 is the UDP port used. Could be, that root permissions are required to run listening on a UDP port.
Another alternative is Wireshark [3] - a multi platform tool for network packet "sniffing". Start a new session and
enter
<user-ip>,<username>,<log-type>,<message>
, where:
• user-ip - IP of user (NOT the router's IP!): four numbers in the range 0-255, separated by commas. 0.0.0.0 means
"empty address";
• username - username of the user or MAC address, when MAC-authentication is used;
• log type: string describing the type of the log. Takes one of the following values: "auth ok", "auth fail", "acct ok",
"acct fail". Fail means that the user failed to authorize or the accounting log was malicious. To track
user session activity, only logs having "auth ok" and "acct ok" must be taken into account.
• message - contains a message describing the error, in case of failure. Can be empty. SysLog messages are limited in
size, therefore it can happen that the end of the message has been cut off.
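An added example (not part of the original manual) that parses lines in the format above on the receiving host and applies the rule about which log types count as session activity. It assumes the syslog header has already been stripped and that the address arrives in dotted form like the 0.0.0.0 shown above; the function names, the threshold and the sample lines are constructed.

```python
import ipaddress
from collections import Counter, namedtuple

# The four log types listed in the manual
LOG_TYPES = ("auth ok", "auth fail", "acct ok", "acct fail")
Entry = namedtuple("Entry", "user_ip username log_type message")


def parse_line(payload):
    """Parse '<user-ip>,<username>,<log-type>,<message>'; return Entry or None."""
    # Split at most three times: the free-text message may contain commas itself
    parts = payload.strip().split(",", 3)
    if len(parts) < 3:
        return None
    user_ip, username, log_type = (p.strip() for p in parts[:3])
    if log_type not in LOG_TYPES:
        return None
    try:
        ip = ipaddress.IPv4Address(user_ip)
    except ValueError:
        return None
    # The message is optional and may be cut off by the syslog size limit
    message = parts[3].strip() if len(parts) == 4 else ""
    # 0.0.0.0 means "empty address", so report it as None
    return Entry(None if int(ip) == 0 else str(ip), username, log_type, message)


def summarize(lines, fail_threshold=3):
    """Count trusted activity and surface failures worth a second look."""
    fails = Counter()      # "auth fail" per username (or MAC address)
    activity = Counter()   # only "auth ok" / "acct ok" describe real sessions
    acct_fail = []         # accounting records User Manager rejected
    rejected = []          # lines that do not match the format at all
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            rejected.append(line)      # keep for review, do not drop silently
        elif entry.log_type == "auth fail":
            fails[entry.username] += 1
        elif entry.log_type == "acct fail":
            acct_fail.append((entry.username, entry.user_ip))
        else:
            activity[entry.username] += 1
    flagged = sorted(u for u, n in fails.items() if n >= fail_threshold)
    return {"flagged": flagged, "activity": dict(activity),
            "acct_fail": acct_fail, "rejected": rejected}


# Constructed sample payloads (message texts are invented for the example)
SAMPLE = [
    "192.168.0.40,nick,auth ok,",
    "192.168.0.40,nick,acct ok,",
    "0.0.0.0,00:0C:42:AA:BB:CC,auth fail,user not found",
    "0.0.0.0,guest,auth fail,invalid password, attempt 1",
    "0.0.0.0,guest,auth fail,invalid password",
    "0.0.0.0,guest,auth fail,invalid pass",
    "192.168.0.41,anna,acct fail,unexpected session id",
    "not a user manager line",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, "->", value)
```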
References
[1] http://www.mikrotik.com/docs/ros/2.9/guide/aaa_radius
[2] http://netcat.sourceforge.net/
[3] http://www.wireshark.org/
User Manager/Permissions
This table lists customer permissions:
View
Routers + + + +
Credits + + + +
Users + + + +
Sessions + + + +
Customers + +
Reports + + + +
Logs + + + +
Add
Routers + + +
Credits + + +
Users + + +
Customers +
Edit
Routers + + +
Credits + +
Users + + +
Customers +
Remove
Routers + +
Credits + +
Users + +
Customers +
Sessions + +
Logs + +
Specific actions
Date constants
In date constant following characters will be replaced with proper values:
• %Y - four digit year representation
• %b - verbal (short) month representation
• %m - two digit month representation
• %d - two digit day-of-the-month representation
Examples (representing October 5, 2006):
• %d/%m/%Y - 05/10/2006
• %Y-%b-%d - 2006-Oct-05
User Manager/Character constants 74
User Manager/Public ID
Each subscriber already has a unique field - login. But for security reasons another field - Public ID - is used. Note:
In earlier versions (until version 2.9.31) login is used to identify subscriber.
Each customer has a Public ID. It can be configured in the customer section. There is no need to specify a public
ID for each customer, because the subscriber search procedure works as follows:
• Search for a customer with specified public ID. If no customer found, the default (first) subscriber is used.
Otherwise proceed to the next step;
• Search for a subscriber (owner) of the customer just found. Every customer has its subscriber, so this procedure
always finds the result.
So only one customer per subscriber must have a public ID defined. Usually the subscriber itself has a public ID and
all the other customers can live without it.
Public ID for customers is significant in user sign-up process to use different user prefix and sign-up-credit for
different customers.
Only subscribers have permissions to edit customers. That means, subscriber must configure public IDs for all
sub-customers.
User Manager/Profiles
Applies to RouterOS: v4.x test and v5.x packages
Profiles are used to control user session time. Each Profile has:
• Name. Unique ID for the Profile - also used in signup page for dropdown menu of payments;
• Name for Users. Descriptive name for the Profile that is displayed to the end user when they login to their user
page;
• Owner. The 'Owner' of the Profile (usually 'admin');
• Validity. Defines the period of time the Profile is valid for. (Note: NOT the same as the online time that could be
set in Limitations);
• Starts. When the Profile is activated. Choose from 'At first logon', or 'Now';
• Price. How much it will cost for the user or if left blank, there is no payment required;
• Shared Users. Simultaneous session limits for each user.
Profiles
Profiles can be assigned to users manually or allocated by the user when they make a successful payment.
If the Profile property 'Starts' is set to 'At first Logon', the Profile assigned to a user is inactive until that user logs on
to the system (e.g. via a Hotspot). When the user starts a new session, that User's 'start time' is fixed and accordingly
the 'end time' is calculated. The 'end time' cannot then be changed, no matter if the session remains active until the
'end time' or the session closes sooner.
If the user has several profiles, the next inactive profile is then started (it's activated as the 'actual profile') when the
previous actual profile reaches its 'end time'. If there are no more inactive profiles to start, the user is forced to log
off.
If there is already one active profile when a user logs on, this profile is used instead of starting the next one (if one is
available).
If the user logs off before the profile's 'end time', the next inactive profile is started only when the user logs on again
after the 'end time' of the earlier profile.
Only one profile (for the same user) can be active at a time.
The last profile of a user can be removed by customer only if it is inactive.
Validity
If the 'Starts' value is set to 'At first logon', then the Validity value starts counting. E.g. If Validity is set to 1d, then 1
day after first logon, regardless if the user has used all their online time or not, the profile will become invalid and
they will be unable to log on again unless a new profile is available in their list of valid profiles.
Limitations
Pre-defined Limitations can be attached to any profile. A total allowed user online/uptime limit for example, is set in
the Limitations of a profile, not in the Validity field.
User Manager/MAC binding 77
Description
MAC binding is a feature where the user's MAC address is not specified beforehand but is fixed (bound) when the user
connects for the first time. From then on the user is allowed to use only this MAC address.
In User Manager the MAC address can also be re-bound for users who already have one fixed. In this case the MAC address
is re-fixed at the next user logon.
To specify a particular MAC address, un-check this box and type in the MAC address manually.
User Manager/Languages
In RouterOS v4, User Manager supports multiple languages.
User translations
Currently no ready-to-use translations are available here. But, if you made one, please post it here: choose "Upload
file" from menu on the left side of this wiki, upload the file and then post a direct link to it here.
• Spanish translation: http://wiki.mikrotik.com/images/b/be/Sp_SP_def.txt Author: Jose Salazar, Spain. Change the
txt extension to lng and upload it via FTP to the router.
• Portuguese-BR translation: http://wiki.mikrotik.com/images/2/2c/Pt_BR.lng.txt Author: Antonio Junior, Brazil.
Change the extension to lng and upload it via FTP to the router.
• Italian translation: http://wiki.mikrotik.com/images/2/23/It_IT_def.txt Author: Renato Bernardi, Italy. Change the
txt extension to lng and upload it via FTP to the router.
• Russian translation: http://wiki.mikrotik.com/images/1/1f/Ru_RU.txt Authors: Alexander Zotov and Eugene
Nurullin, Russia. Change the txt extension to lng and upload it via FTP to the router.
• Arabic translation: http://wiki.mikrotik.com/images/9/9c/AR_AR.lng.txt Change the txt extension to lng and
upload it via FTP to the router.
• Turkish translation: http://wiki.mikrotik.com/images/5/5c/Tr_TR_def.lng.txt Authors: Bulent KUSVA and
Umut Can YILDIZ
User Manager/Subscribers
Applies to RouterOS: v3.x
User Manager/Credits
Applies to RouterOS: v3.x
Credits are used to control user session time. Each credit has:
• Name. Unique ID;
• Time. How long services can be used;
• Full Price. How much it will cost if this is the first credit for the user or user has free credits (with zero-price) only;
• Extended Price. How much it will cost if the user already has (at least) one credit (with price other than zero) and
buys this as additional credit;
Credits belong to subscribers. If a customer creates credit, it belongs to subscriber which is owner of that customer.
User credits
Credits can be assigned to users. The first credit (with non-zero price) costs full price. When a user already has a credit
with a non-zero price, another credit can be bought at the extended price.
Credits are inactive until the user logs on to the system (Hotspot). When the user starts a new session, the credit start time is
fixed and the corresponding end time is calculated. The end time then cannot be changed, no matter if the session remains
active until the end time or closes sooner.
If the user has several credits, the next inactive credit is started (activated) when the previous active credit reaches
its end time. If there are no more inactive credits to start, the user is forced to log off.
If there is already one active credit when a user logs on, this credit is used instead of starting a new one.
If the user logs off before the credit end time, next inactive credit is started only when the user logs on again after the
end time of the first credit.
Only one credit (for the same user) can be active at a time.
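The activation rules above (and the matching profile rules under User Manager/Profiles) as a small simulation; this is an added example, not User Manager code. The function name, the tuple layout and the sample times in seconds are assumptions, and only prepaid users (at least one credit) are modelled.

```python
from collections import deque


def simulate(credits, sessions):
    """Replay logons against a user's credits.

    credits:  [(name, seconds)] in the order they were assigned
    sessions: [(logon, requested_logoff)] in seconds, sorted, non-overlapping
    Returns (activations, outcomes):
      activations = [(credit name, start, end)]
      outcomes    = [(logon, actual session end, reason)]
    """
    if not credits:
        raise ValueError("a user without credits is an unlimited user")
    waiting = deque(credits)   # inactive credits, oldest first
    active_end = None          # end time of the single active credit
    activations, outcomes = [], []

    def start_next(at):
        # Start time is fixed on activation; the end time never changes later
        name, seconds = waiting.popleft()
        activations.append((name, at, at + seconds))
        return at + seconds

    for logon, logoff in sessions:
        # A credit that is still running at logon is reused as it is
        if active_end is None or logon >= active_end:
            if not waiting:
                outcomes.append((logon, logon, "refused: no valid credit"))
                continue
            active_end = start_next(logon)
        # The credit runs out mid-session: the next one starts at that moment
        while logoff > active_end and waiting:
            active_end = start_next(active_end)
        if logoff > active_end:
            outcomes.append((logon, active_end, "forced off: credits used up"))
        else:
            outcomes.append((logon, logoff, "user logged off"))
    return activations, outcomes


if __name__ == "__main__":
    # Constructed scenario: a 1 hour and a 2 hour credit, four logons
    acts, outs = simulate([("1h", 3600), ("2h", 7200)],
                          [(0, 1800), (2000, 3000), (5000, 20000), (30000, 31000)])
    for row in acts:
        print("credit", row)
    for row in outs:
        print("session", row)
```

The first credit keeps running while the user is logged off between 1800 and 2000, and the second credit only starts at the logon at 5000, not when the first one expires at 3600.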
Note: In version 4, each user belongs to a particular customer, there is no need to use prefixes anymore
Every user belongs to a specific subscriber. To separate users among customers of the same
subscriber, a specific customer property called user prefix is used. (See the meaning of the word prefix [1]
in Wikipedia [2]).
It is a customer's string field which specifies the initial part of the user login (username). Only users with
such an initial part of the username will be accessible to this customer.
Example (insignificant parts skipped):
[admin@USERMAN] tool user-manager customer> print
0 subscriber=owner username="differentUser"
1 subscriber=owner username="publicUser1"
2 subscriber=owner username="publicUser2"
3 subscriber=owner username="privateUser1"
4 subscriber=owner username="privateUser2"
5 subscriber=owner username="pztuxy"
6 subscriber=owner username="klztt8xs"
According to the situation described above, customer owner is subscriber with two sub-customers: manager and
reader. User accessibility can be shown in following table:
differentUser +
publicUser1 + + +
publicUser2 + + +
privateUser1 + +
privateUser2 + +
pztuxy + +
klztt8xs +
User Manager/User prefix 81
References
[1] http://en.wikipedia.org/wiki/Prefix
[2] http://wikipedia.org/
User Manager/Limiting
Applies to RouterOS: v3.x
Introduction
User actions can be limited in several dimensions:
• time
• traffic amount (download and upload)
• rate limits (speed)
Time
Time can be managed in two ways: user's uptime-limit field and credit's time field.
Uptime limit
Uptime limit is the maximum amount of time a user is allowed to be active (to have active sessions). If the user's
uptime-limit field is left blank, he/she has no uptime limit. See the example below.
Used-uptime for a user is the sum of the durations of all sessions this user has. Used-uptime cannot exceed uptime-limit.
User's request to start a new session is processed as follows:
• uptime-limit for the user is checked. If it is not specified, start a new session, otherwise proceed to next step.
• uptime-left is calculated (left = allowed - used). If uptime-left is not positive, raise an error, otherwise proceed to
next step.
• session-timeout is set and a new session is started.
Credit time
The subscriber can define available credit vouchers. Users can buy those vouchers, and customers can assign available credits
to users. User credits are valid for a specific time. This means that when a credit is started, it must be used within the time
specified. A user can have active sessions only while he/she has valid credits. See the example below.
Example
If a user must be allowed to use 2 hours of Internet access and he/she must use these 2 hours within one week, then
the uptime-limit field must be set to 2h and the user must be assigned a credit with time equal to 1w (See character
constants for more information about time limit constants).
Traffic amount
User has fields download-limit and upload-limit. To specify an unlimited amount, leave the corresponding field blank. Limits
are specified in bytes. For example, to allow a download of 1GB, the download-limit field must have the value 1073741824
(1073741824 bytes = 1024 x 1024 x 1024 bytes = 1 gigabyte).
Rate limits
User has field rate-limit. This field is available straight in the console, but is divided in several fields in
web-interface, to ease the input process. For more detailed description about the meaning of these fields see Mikrotik
HotSpot User AAA documentation [2], HotSpot User Profiles, Property description, rate-limit.
Prepaid users
Prepaid users have at least one credit assigned. They can also have uptime-limit.
Unlimited users
Unlimited users don't have any credits assigned. Word unlimited comes from the fact that they have unlimited credit.
However uptime-limit can be assigned to unlimited users. It means, unlimited users can have limited duration for
active sessions but these sessions can be started in an unlimited period of time.
User Manager/Voucher template 83
Recommendations
• If basic knowledge of HTML [1] and CSS [2] is present, the template can be redesigned completely, having
different look and information. Otherwise it is recommended to leave the default structure and only translate or
edit phrases displayed on original voucher;
• Don't leave open HTML tags. This means, if you have <div>, then also </div> must be present. Otherwise
vouchers can damage the entire page and browser content refresh will be required;
• Be careful with tags. As template editing is only accessible to customers (and router console users) there is no
restriction in tag use. This means more flexibility and responsibility at the same time;
• Table is recommended for formatting data;
• Table should be centered using the way it is done in default template;
• Vertical centering is not a very simple thing. Default template uses workaround - rows (having class "space1" and
"space2") with fixed height for this reason.
• Images are not printed by default. To show images in printable form, width and display attributes must be
explicitly specified for the image, i.e., you must write <img src="url_to_image.jpg" style="display: inline; width: auto" />
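A check for the recommendations above that can be run on a template before uploading it, as an added example that is not part of the original manual. The class and function names and both sample templates are constructed; the checker is deliberately strict and expects every non-void tag to be closed, as the list asks.

```python
import re
from html.parser import HTMLParser

# HTML elements that never take a closing tag
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


class VoucherChecker(HTMLParser):
    def __init__(self):
        super().__init__()
        self.open_tags = []   # (tag, line) for each tag still waiting for its close
        self.problems = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag == "img":
            # Images only print when display and width are set explicitly
            style = (dict(attrs).get("style") or "").lower()
            if "display" not in style or "width" not in style:
                self.problems.append(
                    f"line {line}: <img> lacks explicit display/width style")
        if tag not in VOID:
            self.open_tags.append((tag, line))

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        line = self.getpos()[0]
        if tag not in [t for t, _ in self.open_tags]:
            self.problems.append(f"line {line}: </{tag}> has no opening tag")
            return
        # Everything opened after the matching tag was left open
        while self.open_tags[-1][0] != tag:
            left, opened = self.open_tags.pop()
            self.problems.append(f"line {opened}: <{left}> is never closed")
        self.open_tags.pop()


def check_template(text):
    """Return a list of problems; an empty list means the template is balanced."""
    checker = VoucherChecker()
    checker.feed(text)
    checker.close()
    for tag, opened in checker.open_tags:
        checker.problems.append(f"line {opened}: <{tag}> is never closed")
    return checker.problems


def placeholders(text):
    """List the %name% variables a template uses, e.g. u_username."""
    return sorted(set(re.findall(r"%([a-z_]+)%", text)))


# Constructed templates: one clean, one with three defects
GOOD = """<table>
<tr><td><b>Username:</b></td><td>%u_username%</td></tr>
<tr><td><b>Password:</b></td><td>%u_password%</td></tr>
<tr><td colspan="2"><img src="logo.jpg" style="display: inline; width: auto" /></td></tr>
</table>"""

BAD = """<div>
<table>
<tr>
<td></font><b>%u_username%</b></td>
<td><img src="logo.jpg"></td>
</tr>
</table>"""

if __name__ == "__main__":
    print(placeholders(GOOD))
    for problem in check_template(BAD):
        print(problem)
```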
Examples
Example posted in forum [3] by airforce1:
</td>
</tr>
<tr>
<td bordercolorlight="#000000" bordercolordark="#000000">
<font face="Arial" size="2"><b>Validity</b></font>
</td>
<td bordercolorlight="#000000" bordercolordark="#000000">
<b><font size="2" face="Arial">%u_prep_time%</font></b>
</td>
</tr>
<tr>
<td bordercolorlight="#000000" bordercolordark="#000000">
<b><font size="2" face="Arial">Price:</font></b>
</td>
<td bordercolorlight="#000000" bordercolordark="#000000">
<b><font size="2" face="Arial">%u_tot_price%</font></b>
</td>
</tr>
<tr>
<td bordercolorlight="#000000" bordercolordark="#000000">
<b><font size="2" face="Arial">Username:</font></b>
</td>
<td bordercolorlight="#000000" bordercolordark="#000000">
<b><font size="2" face="Arial">%u_username%</font></b>
</td>
</tr>
<tr>
<td bordercolorlight="#000000" bordercolordark="#000000">
<b><font size="2" face="Arial">Password:</font></b>
</td>
<td bordercolorlight="#000000" bordercolordark="#000000">
<font face="Arial"><b><font size="2">%u_password%</font></b></font>
</td>
</tr>
</table>
References
[1] http://en.wikipedia.org/wiki/HTML
[2] http://en.wikipedia.org/wiki/Cascading_Style_Sheets
[3] http://forum.mikrotik.com/viewtopic.php?f=10&t=20397
[4] http://info.microage.com/Campaigns/MicroAge/HotSpot.bmp
Examples
• "spot" matches hotspot, hotSpot, HotSpot, HotSpots, HOTSPOT, ...
• "r%m" matches rm, arm, armor, ram, rome, aroma, Mikrotik manager ...
User Manager/Tables
Tables are used to display a list of objects: users, routers, credits, sessions, customers or logs.
In one table are displayed only objects of one type. Each type of objects has specific fields to display.
If the object contains many parameters, not all of them are displayed in the table. To see all parameters the object
detail form can be used.
Tables have several options:
• Sorting;
• Filtering (Search);
• Division in pages;
• Multiple object selection;
• Operations with selected objects;
• Minimization;
• Links to detail form.
Sorting
Sorting can be done by almost all fields. But there are some "non-sortable" fields, mostly because they are calculated
fields.
Sorting can be ascending (1, 2, 3, ...) or descending (5, 4, 3, ...).
There are triangular sort buttons for each column - on sides of column's title (at the top). Ascending sort - on the left,
descending - on the right:
Sorting decreases data reading performance - sorted data reads take more time than non-sorted reads. However
sorting affects only reads in the current table, tables are independent to each other.
Filtering
Each table can be filtered only by one field:
• Users, sessions, logs: by username;
• Routers, credits: by name;
• Customers: by login.
Some tables cannot be filtered (for example, specific user's sessions).
Enter pattern in the search form at the bottom of the table and press search. To cancel filtering, clear value of the
search form and press search:
Division in pages
A table can contain plenty of records. It could be a very long operation to display them all. Therefore records are
divided into pages and only one page at a time, called the active page, is displayed.
Record count per page is changeable on the top-right corner:
The active page can be changed using the link on the upper-left corner:
Each object can be selected and actions can be performed on selected objects.
On the top of all checkboxes is the select-all checkbox which toggles selection of all objects in the current page:
The total count of selected objects and selected objects in the active page is displayed.
There is also a button which unchecks all selected objects in other (inactive) pages (affects only this table). This
button is very useful if you select some objects and then change sorting criteria for the table - selected objects get
scattered between many pages but you can still uncheck them all by one click.
Minimization
Tables can be minimized with a click on the minimize button on the top-right corner:
Visual appearance:
• Popup-window has a title-bar. Click on the titlebar and hold down the mouse to drag the window;
• There is a close button on the upper-right corner which closes the popup-window;
• Multiple popup-windows can be open at the same time;
• If one window is behind another, it can be brought to the top by clicking on its title-bar;
• Some fields are grouped together and hidden by default. For example, user has field groups named "Private
information" and "Rate limits". There is a show/hide checkbox for each such group.
Options:
• Contents of a detail form may differ depending on permissions. One customer may have read-only access to the
object while other customer may be allowed to edit it;
• Option buttons are located at the bottom of a form.
• Read-only fields are displayed as simple text labels. Read-write fields are displayed as text inputs, select boxes
etc.
Detail forms can also be informational and contain read-only fields. For example, session detail form:
User Manager/Detail forms 93
User Manager/Printing
Applies to RouterOS: v3.x
User Manager has different style definitions for screen and for printer. You can see the printable form
in Print preview mode (can be found under File > Print Preview in browsers main menu).
By default nothing is to be printed. People mostly print reports. So reports are the only thing that is
visible in printing mode. There are different kinds of reports: user time/traffic reports over a period of time, single
user report and user vouchers (print page). The last one is not really a report but could be treated as such, because it
is meant to be printed.
How to find?
Type the following address in your web browser: http://Router_IP_address/userman
where "Router_IP_address" must be replaced with IP address of your router.
Sections
The customer page sections are described here. Use the menu on the left side to navigate:
User Manager/Customer page 95
Status
This page has several components:
• User search;
• Active user listing;
• Active session listing;
• User batch-add form.
User search
Type in the search pattern and press the button "Search". Results will be displayed in a new table.
Active users
The active user count is displayed here. To see a full list of active users, click on "Show":
Active sessions
The active sessions count is displayed here. To see a full list of active sessions, click on "Show":
Fields:
• Number of users. How many users to add;
• Login starts with. Displays user prefix;
• Rate limits. Hidden by default. Check the box on the right to show the rate limit field group;
• Uptime limit;
• Prepaid. Credit that will be assigned to users. Unlimited users can also be created by selecting unlimited as a
value.
• Generate CSV [1] file. When checked a CSV-file [1] will be generated containing just created user data;
• Generate vouchers. When checked printable vouchers for just created users will be generated.
Routers
View routers
Table displaying routers:
Add router
Opens router add form. The same form is used to edit routers:
Fields:
• Name. Router's name. Must be unique per subscriber;
• IP Address. Address of the router;
• Shared secret. Password used for authentication;
• Log events. Specifies which events must be written to log.
Credits
View credits
Table displaying credits:
Add credit
Opens credit add form. The same form is used to edit credits:
Fields:
• Name. Credit's name. Must be unique per subscriber;
• Time. How long this credit is valid when started;
• Full price. The price of this as the first credit for a user. When the checkbox at the right is empty, full price is
unavailable - this credit can not be used as a base credit;
• Extended price. The price of this as extended credit for a user (user already has credits before this one). When the
checkbox at the right is empty, extended price is unavailable - this credit can not be used as an extended credit;
Users
View users
Table displaying users:
Only part of user's attributes are shown here. To see all details of specific user, open user detail form by clicking on
username in the table.
If the user has credits assigned the total prepaid time is shown at the bottom. To see credit details click on the plus
sign ("+") under Prepaid time:
New credits can also be assigned (if permitted) to user. At the bottom is a select-box called "Extend" (called "Add
time" when user has no credits yet). The price depends on what kind of credit this is for a user - first or extended.
Price is shown in braces:
To assign credit to the user, choose the desired credit and click Save.
Options (buttons at the bottom):
• Save - saves edited information, assigns credit, if one selected;
• View report - opens single user report.
• Remove last credit - removes last credit that's not started yet;
• Show sessions - opens window with all sessions this user has;
Add user
Detail form for filling in information about the new user. Very similar to user detail form. This form does not have
read-only counters and other user statistics:
Sessions
View sessions
Table displaying sessions:
Only part of session's attributes are shown here. To see all details of specific session, open session detail form by
clicking on ID in the table.
To see details of session user click on the username in the table.
Customers
View customers
Table displaying customers:
Only part of customer's attributes are shown here. To see all details of specific customer, open customer detail form
by clicking on login in the table.
There are fields which are accessible only for subscribers: Public Host and Authorize.Net fields. These fields are not
shown for customers who are not subscribers:
There are sensitive-data fields (Authorize.Net) which are visible only when using secure connection (https):
There are sensitive-data fields (Authorize.Net) whose values are not shown. Whether the field has value specified or
not is visible by the title standing before it: if the title says "Set ...", this field has no value set; the title saying
"Change ..." means that this field has some value:
In the example above Login ID and Transaction Key fields have values (titles are "Change ...") while MD5 Value
field has no value specified (title is "Set ...").
Add customer
Detail form for filling in information about the new customer. Very similar to customer detail form. This form does
not have subscriber fields since subscribers cannot be added here:
Reports
This section refers to user time and traffic reports.
Reports generated here can be printed directly.
Configurable options:
• Users - which users to show: prepaid, unlimited or all;
• Type - time (contains prepaid time, extend time and price) or amount (contains upload and download amount)
report;
• Period - total (whole history) or with specific time boundaries;
See user time and traffic reports for further detail.
Sample report:
Logs
View logs
Table displaying logs:
Only some of a log's attributes are shown here. To see all details of a specific log, open the log detail form by clicking on the ID
in the table.
User Manager/User page
Textual link
To get a textual link to user page, replace this template with your own values:
<a href="http://%hostname%/user?subs=%subid%">%caption%</a>
And it looks like this: This is an example link to Mikrotik User Manager demo User page [1]
Link button
To get a button, which leads to user page, replace this template with your own values:
<button onclick="document.location='http://%hostname%/user?subs=%subid%'">%caption%</button>
Example: To get a button-link to userman.mt.lv router's demo subscriber user page, use the following link:
<button onclick="document.location='http://userman.mt.lv/user?subs=demo'">Check</button>
The visual representation cannot be shown here because of the wiki security, so you will have to imagine how it looks.
The same button-link is used in HotSpot page templates. By default it looks like this:
$(hostname) here is replaced with the hostname of the HotSpot router (so the default link works only if HotSpot and
User Manager are running on the same router). And "subs=" means that first subscriber will be used (works fine
when there's only one subscriber on the router). Hostname and subscriber id can be replaced with desired values.
Sections
This part of the document describes the sections available in the user page. For navigation use the menu on the left side:
Status
Here the user can see account's status:
• Summary;
• Credits;
• Sessions.
Sample screenshot:
This information is also formatted for printing. See print preview in the browser (Usually under File > Print preview
in the browser's toolbar). Credits and sessions are formed in tables. These tables can be "minimized" - the button on
the upper right corner of the table. A minimized table will not be printed (see print preview).
Summary
Here the user can see:
• Prepaid time - duration of all the credits bought (See: time constants). Or the word unlimited (See prepaid and
unlimited users);
• Total price - how much all the credits cost;
• Uptime limit - the maximum allowed duration of user's sessions;
• Uptime used - current duration of user's sessions;
• Download used
• Upload used
Credits
Table with all credits this user has bought. No data for unlimited users.
Sample screenshot:
If there are credits that are not started yet (see: credits), start-time and end-time fields contain values "awaiting
login".
Sessions
Table with all user's sessions.
Sample screenshot:
Payments
Here the user can view payment history and buy a new credit. This section is only available if the subscriber has
allowed any payments.
View payments
Table with all user payments.
Sample screenshot:
To see all details of specific payment, open payment detail form by clicking on ID in the table.
Buy credit
A new credit can be bought here using payment methods which are allowed by the subscriber.
There are a number of restrictions for this sub-section to be accessible:
• Secure connection (https [2]) must be used to access the site. Otherwise a notification with a link to secure page
will be shown;
• At least one payment method must be allowed by the subscriber;
• Subscriber must have configured all required payment attributes;
Sample screenshot:
Here the user can see his/her current balance and choose a credit to buy. After clicking the "Buy" button, the user is
redirected to the payment gateway, where he/she has to enter the data required to process the payment.
Important - payment data (such as credit card number and expiry date) is sent directly from user's computer to
payment gateway and is not captured by User Manager. User Manager processes only response about the payment
result from the payment gateway. This response does not contain any sensitive user's data.
When the payment is successful, the selected credit is added to user's account.
Settings
In this section user can configure his/her parameters:
• Private information (informational, not used by User Manager):
• First name;
• Last name;
• Phone;
• Location.
• Email - used to send emails to user. Must be unique.
If values are provided in the "New password" and "Retype new password" fields, the password will be changed.
Sample screenshot:
References
[1] http://userman.mt.lv/user?subs=demo
[2] http://en.wikipedia.org/wiki/Https
User Manager/User sign up
Setup
User sign-up can be enabled per customer. I.e., some customers can allow it while others don't.
Sign-up is disabled by default. To enable it, several requirements must be met:
• Customer, who wants to allow sign-up, must have public ID. Since only subscribers have permissions to edit
customers, this public ID must be assigned by the subscriber. In other words - subscriber must configure public
IDs for its customers.
• Subscriber must have at least one credit with full price specified;
• In the case when users access sign-up page from a local address which is not accessible from outside (global
Internet) subscriber must have public host address configured. This address is needed by PayPal, payment
response will be sent to it;
• The customer has to enable sign-up by checking the "Signup allowed" box in Signup options section;
• The subscriber must have at least one payment method enabled and configured;
• The customer should have email address specified. Email will be sent to users who sign up (if the user specifies
his/her email address) using this as the from-address;
• SMTP-server should be specified. It can be done via console, under tool email, command "set
server=xxx.xxx.xxx.xxx". This SMTP server will be used to send email reminding user's account data. Users can
however log on to the HotSpot after a successful payment without receiving this email;
• Signup email subject and body can be personalized. There are defaults defined, but one can customize them.
However there are constant strings (will be replaced by actual values) that must be present within the message
body. See sign-up email body field definition.
Note: All the attributes mentioned above can be configured in customer section of the customer web-page.
Sign-up steps
User sign-up can be divided into the following steps:
• Subscriber configures required parameters (described above);
• User creates an account:
  • User opens sign-up page URL in the browser;
  • User fills in the sign-up form;
  • User chooses credit;
  • User chooses payment method;
  • An inactive account is created for the user;
• User activates the account (executes payment):
  • User is redirected to Payment Gateway;
  • The payment is being processed;
  • Payment gateway sends response (was the payment successful or not) to User Manager router;
  • The account gets activated (if the payment was successful);
• User can start using services. Status check and setting change can be done in the user web-page.
This may seem a little confusing, but all these steps are simple and can be done in several minutes.
Creating account
User opens http://routerIP/user?signup=publicID, where routerIP must be replaced with the IP address of the User
Manager router and publicID must be replaced with the subscriber's public ID.
Sign-up form will be shown:
Input fields:
• email. Email address for user account. Must be unique per subscriber. Account data will be sent to this address if
one is specified;
• login. Desired username. If user prefix is defined, it is shown at the left and cannot be changed. So the prefix is
already predefined (may be empty), the remaining part of username can be chosen. It must be at least 3
characters long. Example: if the prefix is "cu" (shown on the left) and "test" is entered as the remaining part, the
username will be "cutest";
• password. Self-explanatory;
• confirm password. Password once again to reduce the possibility of mistyping it;
• time. The initial credit for the user account;
• pay with. Payment method selector.
After the "sign up" button is pressed, authorization data is shown to the user. He/she must remember this data as it
will be required to log in later:
Activating account
On a successful payment, the account is activated and the user is returned to User Manager/User page where he/she
can check the status of the account.
If the email address was specified in sign-up form, an email with authorization information is sent to it. The text is
customizable in customer web-page. By default it looks like this:
Your authorization data:
login: userLogin
password: userPassword
where:
• userLogin is the username (login);
• userPassword is the password;
• http://userman.mt.lv/ is the hostname of the User Manager router.
Login
After successful account activation user is able to start using services (Hotspot). Status and settings are available in
user web-page.
Authorize.Net
Authorize.Net requirements
To allow Authorize.Net payments for users the following requirements must be met:
• User Manager v3.0 (or v2.9.x, >= 2.9.40) package installed on the router. See: Getting started;
• User Manager subscriber created (See: Getting started);
• Subscriber must have merchant account in Authorize.Net [3] gateway;
• Web server on the router must be configured to support secure SSL connections (See HTTPS connection
enabling);
• HotSpot router should contain entries in 'walled-garden to User Manager router and Authorize.net webpage,
Authorize.Net setup
Relay URL
Relay URL list must either be empty or contain URL to the User Manager router. For example, if you are using
userman.mt.lv as User Manager router, then Relay URL list must contain URL https://userman.mt.lv/ (works with
and without trailing slash). Relay URL list can be configured in Authorize.Net [3] merchant gateway under Account
> Settings > Response/Receipt URLs.
API Login ID
API Login ID is shown in Authorize.Net [3] merchant gateway under Account > Settings > API Login ID and
Transaction Key.
Transaction Key
Transaction Key can be obtained in Authorize.Net [3] merchant gateway under Account > Settings > API Login ID
and Transaction Key > Create New Transaction Key.
MD5-Hash value
MD5-Hash value can be set in Authorize.Net [3] merchant gateway under Account > Settings > MD5-Hash.
WARNING!: Standard MD5 hash values are 32 characters long; however, the Authorize.net MD5-Hash input fields
only allow 20 characters. You have the best chance of success if you paste your md5sum into the Authorize.net input
field, then copy it back out and paste it into the User Manager configuration. By re-copying from the Authorize.net
input field, you select only the 20 characters that the field length allows.
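The truncation problem described in the warning, as an added example (not code from User Manager or Authorize.Net). It assumes the Authorize.Net SIM relay-response scheme, in which x_MD5_Hash is the MD5 of the MD5-Hash value, API Login ID, transaction ID and amount concatenated; the login ID, passphrase and transaction values are constructed.

```python
import hashlib
import hmac

MD5_FIELD_LIMIT = 20  # length the gateway's MD5-Hash input field accepts, per the warning


def relay_fingerprint(md5_value, api_login_id, trans_id, amount):
    """MD5 over secret + login + transaction id + amount (assumed SIM scheme)."""
    material = md5_value + api_login_id + trans_id + amount
    return hashlib.md5(material.encode("utf-8")).hexdigest().upper()


def verify_relay_response(fields, md5_value, api_login_id):
    """True only if the response's x_MD5_Hash matches our own computation."""
    required = ("x_trans_id", "x_amount", "x_MD5_Hash")
    if not md5_value or any(name not in fields for name in required):
        return False  # no secret configured or incomplete response: reject
    expected = relay_fingerprint(md5_value, api_login_id,
                                 fields["x_trans_id"], fields["x_amount"])
    received = fields["x_MD5_Hash"].upper()
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8"))


def config_problem(md5_value):
    """Explain why a locally configured MD5 value cannot match the gateway's copy."""
    if not md5_value:
        return "MD5 value is not set"
    if len(md5_value) > MD5_FIELD_LIMIT:
        return "value is %d characters; the gateway field keeps only %d" % (
            len(md5_value), MD5_FIELD_LIMIT)
    return None


# --- constructed sample data (not real credentials) ---
API_LOGIN_ID = "EXAMPLE_LOGIN"
FULL_MD5SUM = hashlib.md5(b"constructed example passphrase").hexdigest()  # 32 chars
GATEWAY_COPY = FULL_MD5SUM[:MD5_FIELD_LIMIT]  # what the 20-character field retains


def gateway_response(trans_id, amount):
    """Simulate the gateway signing a response with its (truncated) copy."""
    return {
        "x_response_code": "1",
        "x_trans_id": trans_id,
        "x_amount": amount,
        "x_MD5_Hash": relay_fingerprint(GATEWAY_COPY, API_LOGIN_ID, trans_id, amount),
    }


if __name__ == "__main__":
    response = gateway_response("2147490176", "9.99")
    for label, secret in (("32-char md5sum", FULL_MD5SUM), ("20-char copy", GATEWAY_COPY)):
        print(label, "->", verify_relay_response(response, secret, API_LOGIN_ID),
              "|", config_problem(secret) or "ok")
    forged = dict(response, x_amount="0.01")
    print("altered amount ->", verify_relay_response(forged, GATEWAY_COPY, API_LOGIN_ID))
```

A router configured with the full 32-character md5sum rejects every genuine response, while the 20-character copy verifies and still rejects a response whose amount was altered.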
Payment Form
Payment Form configuration can be found in Authorize.Net [3] merchant gateway under Account > Settings >
Payment Form. The look of this form is customizable here. While the only required fields for processing a transaction
are credit card number and expiration date, other fields are allowed to be shown in the form. Form customization
is up to the merchant.
• If users access User Manager page through a local IP address, public host attribute must be specified. It must
contain a public address of User Manager router which is acceptable as Relay URL for Authorize.Net gateway
(See: Authorize.Net Merchant account configuration). Domain name or IP address can be used. Only the address
must be specified, not URL (for example, userman.mt.lv, not https://userman.mt.lv/ and not
https://userman.mt.lv/userman):
Authorize.Net usage
• User can buy credits in User Manager page. First he/she has to log on the page. See: User page.
• Secure connection must be used for web page, so user has to use https://router_IP/user instead of
http://router_IP/user (https instead of http).
• Payment section is available on main menu only if subscriber has allowed any payment method.
• To buy credit user chooses "Buy credit" from "Payments" section:
• If https connection is not used for web session, a message with error and link to https site will be opened:
• When the credit is chosen, "Buy" button must be pressed to start payment transaction:
• User is redirected to Authorize.Net gateway payment form, which should look similar to following:
• The actual look of this form can be configured in Authorize.Net merchant gateway
• User fills in credit card number and expiry date. Other fields are optional:
• The data is transmitted directly to Authorize.Net gateway via secure connection. Neither credit card number nor
expiry date is submitted to User Manager router.
• Authorize.Net gateway processes the data and sends response to specified User Manager router. This response
contains only data required to identify payment in User Manager and detect result status of transaction - was it
successful or not. It does not contain any information about the user - credit card number, expiry date or other
sensitive data.
• User Manager processes the response and updates payment record status;
• If the transaction was successful requested credit is added to user's account;
• A message describing payment result is shown to user:
• Click on the button redirects the user back to User Manager page:
PayPal
PayPal requirements
To allow PayPal payments for users the following requirements must be met:
• User Manager v3.0 (>= 3.0beta6) or v2.9.x (>= 2.9.41) package installed on the router. See: Getting started;
• User Manager subscriber created (See: Getting started);
• Subscriber must have merchant PayPal [4] account;
• Web server on the router must be configured to support secure SSL connections (See HTTPS connection
enabling);
• HotSpot router should contain entries in 'walled-garden to User Manager router and Paypal webpage,
• version v3
/ ip hotspot walled-garden add dst-host=":^www\\.paypal\\.com\$" dst-port=443 action=allow
These four entries are required to allow reliable access to the Paypal system.
PayPal setup
• If users access User Manager page through a local IP address, public host attribute must be specified. It must
contain a public address of User Manager router which is acceptable as response URL for PayPal gateway
(PayPal will send payment result to this address). Domain name or IP address can be used. Only the address must
be specified, not complete URL (for example, userman.mt.lv, not https://userman.mt.lv/ and not
https://userman.mt.lv/userman):
PayPal usage
• User can buy credits in User Manager page. First he/she has to log on the page. See: User page.
• Secure connection must be used for web page, so user has to use https://router_IP/user instead of
http://router_IP/user (https instead of http).
• Payment section is available on main menu only if subscriber has allowed any payment method.
• To buy credit user chooses "Buy credit" from "Payments" section:
• If https connection is not used for web session, a message with error and link to https site will be opened:
• When the credit is chosen, "Buy" button must be pressed to start payment transaction:
• User is redirected to PayPal gateway payment form, which should look similar to following (PayPal web site can
change, these screen shots may differ from actual page):
• User logs on to the account. Payment is now displayed with the Pay button:
• When user presses Pay button, PayPal starts to process data. On successful payment result page is displayed:
• This page contains button "Return to merchant" pressing which returns user to User Manager payment history
page:
PayPal chargeback
When a payment changes status from "Approved" to "Aborted" (For example, "Reversed") User Manager tries to
remove credit bought for this money. This is however possible only if the two following requirements are met:
• The credit is not started yet;
• The credit is the last one for the current user, i.e., no other credit was bought after this one.
Related activities
HTTPS connection enabling
Creating certificate
Trusted SSL Certificate can be bought from trusted authorities, for example, VeriSign [7]. An unsigned certificate
can be generated by hand, using OpenSSL on a Linux box. To do it issue following commands in the shell:
Importing certificate
Certificate file can be then uploaded to the router and imported with command
certificates-imported: 1
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0
If it doesn't, it could be that the file contains the private key and certificate sections in incorrect order. In this situation
the output should be
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 1
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0
where cert1 must be replaced by a correct certificate name (from /certificate section)
Troubleshooting
1. Authorize.net requires that the time on the server be within 15 minutes of UTC or you will get a failed
transaction; use an NTP client.
2. Your user manager must be accessible from the internet on port 443, make sure you have DNS setup properly or
use the IP address for all of your references. Don't forget to open your firewall for port 443 and use NAT to get to
your user manager if behind a firewall.
3. You must put the URL of your UserManager instance in your Authorize.net control panel. For example:
Response Reason Code: 14
Response Reason Text: The Referrer or Relay Response URL is invalid.
Notes: Applicable only to SIM and WebLink APIs. The Relay Response or Referrer URL does not match the
merchant's configured value(s) or is absent.
4. When inputting the above URL, use only the base URL, not /userman or it won't work.
References
[1] http://authorize.net/
[2] https://www.paypal.com/
[3] https://authorize.net
[4] https://www.paypal.com
[5] http://en.wikipedia.org/wiki/Man_in_the_middle
[6] http://en.wikipedia.org/wiki/Certification_authority
[7] http://www.verisign.com
User Manager/Backup
Use the MikroTik Winbox Terminal or connect over Telnet/Serial Console etc. and enter:
To backup...
RouterBOARD Troubleshooting Source: http://wiki.mikrotik.com/index.php?oldid=20907 Contributors: Chupaka, Dragijasikova, Macarev, Maximan, Normis
Manual:Bootloader upgrade Source: http://wiki.mikrotik.com/index.php?oldid=23708 Contributors: Cmit, Eep, Girts, Janisk, Marisb, Normis, SergejsB, XlnEax
Manual:Netinstall Source: http://wiki.mikrotik.com/index.php?oldid=25852 Contributors: Becs, Janisk, Marisb, MarkSorensen, Normis, SergejsB
Password reset Source: http://wiki.mikrotik.com/index.php?oldid=16409 Contributors: Fbsd, Golden, Janisk, Marisb, Normis, Sizwan
Manual:Switch Chip Features Source: http://wiki.mikrotik.com/index.php?oldid=25724 Contributors: Becs, Janisk, Kirshteins, Marisb, Megis, Normis
RouterBOARD 500 Source: http://wiki.mikrotik.com/index.php?oldid=2657 Contributors: Erwin, Eugene, Normis, Rock on all you f little dudes
RouterBOARD Feature Request Source: http://wiki.mikrotik.com/index.php?oldid=24795 Contributors: A, A2i, Ahthrift, Airnet, Ajm, Albarnaz, Altecom, Amarburg, AnRkey, Anontrol,
Apap100, Areskaro, Axtell, Backsubzero, Bauer, Bbm, Beans, Beko, Bintang, Bluefox8080, Brauser, Calman, Camozzato, Carl, Cata02, Certtik, Chasedat, Chironex, Cholegm, Ciccio, Ckgth,
Cotswold, Ctech4285, DL9SAU, Dada, Daffster, Dalikin, Daniel.szilagyi, DannyPZ, Deggler, Dezsi, Digicomtech, Dingsingo, Discus, Dman1q, Docteh, Dog, Doteasy, Dsobin, Dzove, Eising,
Ejansson, Ekka, Elnagar ali, Elvis1, Enginejibola, Enk, Equis, Eraser, Etocalini, Fnkysknky, Fuzzz, GLR, Gandalf, Geneb, Geneb846, Ghaseri, Giepie, Gkoufoud, Glendale2x, Gpaterno,
Graimondi, Grin, GuJack20, Hawkeyebj, Heathrwil, Hecthork, Hellbound, Hevilath, Highonsnow, Hjoelr, Ibersystems, Ilium007, Inco, Ipinfotelecom, Isi, JShadow, Jacsa, Jandafields, Jase,
Jcuena, Jetsystems, Jgau4879, Jianingy, Jimmy, Jmedinas, Jochristian, Jolival, Jonot, Jorgeamaral, Josemarti, Jp, Jupi2, Jwilson995, Kirshteins, Kolega, Korsakoff, Kvjajoo, Labenza, Lamgata,
Laurinkus, Legikaloz, Leosmendes, Loopback, Lorzelek, Madengineer, Madmouse, Mag, Malpi, Maphost, Mapunda, MarkSorensen, Markom, Mateng, Matt way, Matthew, Maxrate, Mazpiroz,
McAron, Mhugo, Michaelp, Michell, Mike.jenkins, Mike95826, Mmorier, Moly, Motolaoshin, Mr.BS, Mstead, Msundman, Muadib, Muso, Najzlijiji, Nasaneunet, Nbright, Ncmalan, Nest,
Netonline, NetworkPro, Ngds, Ni3ls, Nickblame, NicolasF, Nicopretorius, Normis, Nuclearcat, Nz monkey, Omega-00, Ondrejhome, OpiumDream, P.L., Patt, Paulskit, Pelish, Pilillo, Pingus,
Pluteus, Priidik, Procad, QpoX, RFischer, Raf, Ragomez, Ralloway, Rdo911, Remorse, Rgjacob, Richard s, Richi, Rige, Rjickity, Robertoiee, Rpengineering, Rplecko, Rus123, Russian, Ryan,
SSD, Sdb0311, Sdrenner, Seanos, Shados, Si, Smakodak, Smarag, Sreed@nwwnet.net, Ss4, Stephenpatrick, Stephouse, Sterb, Steveee, Stormshaker, Strike, Subxtech, Swissiws, Sygoras,
Ta2mzl, Techsimp, Theredia, Tom, TomjNorthIdaho, Tplecko, Ukasz, Ummelmann, Viceft, Vmiro, Walkeer, Wildbill442, Willempretorius, Winet, Wireless user, WirelessRudy, Wlevels,
Wpeople, XPucTu4, Xezen, Yarda, Yoniel, Zicol, Zsirmo
Solar Power HOWTO Source: http://wiki.mikrotik.com/index.php?oldid=23622 Contributors: Aizukanne, Alex rhys-hurn, Marc Dilasser, Maychill101, Nest, Normis
Manual:User Manager Source: http://wiki.mikrotik.com/index.php?oldid=19155 Contributors: Akangage, Bhhenry, Binhtanngo2003, Cmit, Comnetisp, Eep, Girts, Hellbound, Janisk,
Levipatick, Marisb, Nest, Normis, Polokus, Rtkrh10, SergejsB, Uldis
User Manager/Introduction Source: http://wiki.mikrotik.com/index.php?oldid=25758 Contributors: Asaleh75, EotThj, Girts, Jandrade28, Janisk, Nest, Ni3ls, Normis, SergejsB, WcjZrv
User Manager/Getting started Source: http://wiki.mikrotik.com/index.php?oldid=24810 Contributors: Ctech4285, Fewi, Girts, HarvSki, Janisk, MwdNx0, Nest, Normis, Vitell, Xhimimavraj,
Xm0Vlj
User Manager/Hotspot Example Source: http://wiki.mikrotik.com/index.php?oldid=24809 Contributors: Girts, Mital das, Nest, Normis, SergejsB, Vitell
User Manager/PPP Example Source: http://wiki.mikrotik.com/index.php?oldid=15590 Contributors: Bney, Cmit, Girts, SergejsB
User Manager/Customers Source: http://wiki.mikrotik.com/index.php?oldid=21565 Contributors: DanielBlake, Girts, LukeKennedy, Marisb, MatildaBolton, Mw0Jme, Normis
User Manager/Character constants Source: http://wiki.mikrotik.com/index.php?oldid=24815 Contributors: Girts, Linkwave, Nest, SergejsB
User Manager/Public ID Source: http://wiki.mikrotik.com/index.php?oldid=5237 Contributors: Girts, Normis, NzvKqo, Vw3Bfw, Yo8Zyo
User Manager/Languages Source: http://wiki.mikrotik.com/index.php?oldid=25303 Contributors: Anjunior, Girts, Josemari, Medianet, Normis, SergejsB, Unsigned
User Manager/User prefix Source: http://wiki.mikrotik.com/index.php?oldid=15625 Contributors: AfpD2v, Bc3Xuh, DzeS3b, Girts, Normis, PnyDk9, Radiosn00p
User Manager/Prepaid and unlimited users Source: http://wiki.mikrotik.com/index.php?oldid=5239 Contributors: CdaYxz, Girts, Normis
User Manager/Voucher template Source: http://wiki.mikrotik.com/index.php?oldid=7103 Contributors: Atis, Csickles, Girts, Normis, Pl3Tk8
User Manager/Customer page Source: http://wiki.mikrotik.com/index.php?oldid=12984 Contributors: Girts, Infoservi, Normis, WpyOj4, Xhimimavraj
User Manager/User page Source: http://wiki.mikrotik.com/index.php?oldid=23325 Contributors: Addam, Ahmed allam, Brianpalmer2010, Girts, Henryford, Ipph, Jasonbourne, Jasonwebb,
Jasonwhite, Liudngquan, Mala, Marisb, MollyRodriguez, Prence iraq, Randybosh, SergejsB
User Manager/User payments Source: http://wiki.mikrotik.com/index.php?oldid=14296 Contributors: Girts, Nest, Normis, Sdischer, SergejsB, Stutteringp0et, WruAqo