Summary .com



OverviewAfter you have installed the RouterOS software, or turned on the Router for the first time, there are various ways how to connect to it:Accessing Command Line Interface (CLI) via Telnet, ssh, serial cable or even keyboard and monitor if router has VGA card.Accessing Web based GUI (WebFig)Using?WinBox?configuration utilityEvery router is factory pre-configured with IP address 192.168.88.1/24 on ether1 port. Default username is?adminwith empty password.Additional configuration may be set depending on RouterBoard model. For example, RB750 ether1 is configured as WAN port and any communication with the router through that port is not possible. List of RouterBOARD models and their default configurations can be found in?this?article.WinboxWinbox is configuration utility that can connect to the router via MAC or IP protocol. Latest winbox version can be downloaded from our?demo router.Run Winbox utility, then click the?[...]?button and see if Winbox finds your Router and it's MAC address. Winbox neighbor discovery will discover all routers on the broadcast network. If you see routers on the list, connect to it by clicking on MAC address and pressing?Connect?button.Winbox will try download plugins from the router, if it is connecting for the first time to the router with current version. Note that it may take about one minute to download all plugins if winbox is connected with MAC protocol.This method works with any device that runs RouterOS. Your PC needs to have MTU 1500After winbox have successfully downloaded plugins and authenticated, main window will be displayed:If winbox cannot find any routers, make sure that your Windows computer is directly connected to the router with an Ethernet cable, or at least they both are connected to the same switch. As MAC connection works on Layer2, it is possible to connect to the router even without IP address configuration. Due to the use of broadcasting MAC connection is not stable enough to use continuously, therefore it is not wise to use it on a real production / live network!. MAC connection should be used only for initial configuration.Follow?winbox manual?for more information.WebFigIf you have router with default configuration, then IP address of the router can be used to connect to the Web interface. WebFig has almost the same configuration functionality as?Winbox.Please see following articles to learn more about web interface configuration:Initial Configuration with WebFigGeneral WebFig ManualCLICommand Line Interface (CLI) allows configuration of the router's settings using text commands. Since there is a lot of available commands, they are split into groups organized in a way of hierarchical menu levels. Follow?console manual?for CLI syntax and commands.There are several ways how to access CLI:winbox terminaltelnetsshserial cable etc.Serial CableIf your device has a Serial port, you can use a console cable (or?Null modem cable)Plug one end of the serial cable into the console port (also known as a serial port or DB9 RS232C asynchronous serial port) of the RouterBOARD and the other end in your PC (which hopefully runs Windows or Linux). You can also use a USB-Serial adapter. Run a terminal program (HyperTerminal, or Putty on Windows) with the following parameters for All RouterBOARD models except 230:115200bit/s, 8 data bits, 1 stop bit, no parity, flow control=none by default.RouterBOARD 230 parameters are:9600bit/s, 8 data bits, 1 stop bit, no parity, hardware (RTS/CTS) flow control by default.If parameters are set correctly you should be able to see login prompt. Now you can access router by entering username and password:MikroTik 4.15MikroTik Login: MMM MMM KKK TTTTTTTTTTT KKK MMMM MMMM KKK TTTTTTTTTTT KKK MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK MikroTik RouterOS 4.15 (c) 1999-2010 [admin@MikroTik] > Detailed description of CLI login is in?login process section.Monitor and KeyboardIf your device has a graphics card (ie. regular PC) simply attach a monitor to the video card connector of the computer(note: RouterBOARD products don't have this, so use Method 1 or 2)?and see what happens on the screen. You should see a login promt like this:MikroTik v3.16Login:Enter?admin?as the login name, and hit?enter?twice (because there is no password yet), you will see this screen: MMM MMM KKK TTTTTTTTTTT KKK MMMM MMMM KKK TTTTTTTTTTT KKK MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK MikroTik RouterOS 3.16 (c) 2008 ansi detected, using single line input mode[admin@router] >Now you can start configuring the router, by issuing the?setup?command.This method works with any device that has a video card and keyboard connectoSummaryWinbox is a small utility that allows administration of Mikrotik RouterOS using a fast and simple GUI. It is a native Win32 binary, but can be run on?Linux?and?Mac OSX?using Wine.All Winbox interface functions are as close as possible to Console functions, that is why there are no Winbox sections in the manual.Some of advanced and system critical configurations are not possible from winbox, like MAC address change on an interface.Starting the WinboxWinbox loader can be downloaded directly from the router.Open your browser and enter router's IP address, RouterOS welcome page will be displayed. Click on the link to download?winbox.exeWhen winbox.exe is downloaded, double click on it and winbox loader window will pop up:To connect to the router enter IP or MAC address of the router, specify username and password (if any) and click onConnect?button. You can also enter the port number after the IP address, separating them with a colon, like this 192.168.88.1:9999. The port can be changed in RouterOS?services?menu.Note:?It is recommended to use IP address whenever possible. MAC session uses network broadcasts and is not 100% reliable.You can also use neighbor discovery, to list available routers by clicking on?[...]?button:From list of discovered routers you can click on IP or MAC address column to connect to that router. If you click on IP address then IP will be used to connect, but if you click on MAC Address then MAC address will be used to connect to the router.Note:?Neighbor discovery will show also devices which are not compatible with Winbox, like Cisco routers or any other device that uses CDP (Cisco Discovery Protocol)Description of buttons and fields of loader screen[...]?- discovers and shows MNDP (MikroTik Neighbor Discovery Protocol) or CDP (Cisco Discovery Protocol) devices.Connect?- Connect to the routerSave?- Save address, login, password and note. Saved entries are listed at the bottom of loader window.Remove?- Remove selected entry from saved listTools...?- Allows to run various tools: removes all items from the list, clears cache on the local disk, imports addresses from wbx file or exports them to wbx file.Connect To:?- destination IP or MAC address of the routerLogin?- username used for authenticationPassword?- password used for authenticationKeep Password?- if unchecked, password is not saved to the listSecure Mode?- if checked, winbox will use TLS encryption to secure sessionLoad Previous Session?- if checked, winbox will try to restore all previously opened windows.Note?- description of the router that will be saved to the list.Warning:?Passwords are saved in plain text. Anyone with access to your file system will be able to retrieve passwords.It is possible to use command line to pass connect to user and password parameters automatically:winbox.exe [<connect-to> [<login> [<password>]]]For example (with no password):winbox.exe 10.5.101.1 admin ""Will connect to router 10.5.101.1 with username "admin"without password.IPv6 connectivityStarting from v5RC6 Winbox supports IPv6 connectivity. To connect to the routers IPv6 address, it must be placed in square braces the same as in web browsers when connecting to IPv6 server. Example:Winbox neighbor discovery is now capable of discovering IPv6 enabled routers. As you can see from the image below, there are two entries for each IPv6 enabled router, one entry is with IPv4 address and another one with IPv6 link-local address. You can easily choose to which one you want to connect:Interface OverviewWinbox interface has been designed to be intuitive for most of the users. Interface consists of:Main toolbar at the top where users ca add various info fields, like CPU and memory usage.Menu bar on the left - list of all available menus and sub-menus. This list changes depending on what packages are installed. For example if IPv6 package is disabled, then?IPv6?menu and all it's sub-menus will not be displayed.Work area - area where all menu windows are opened.?Title bar shows information to identify with which router Winbox session is opened. Information is displayed in following format:[username]@[Router's IP or MAC] ( [RouterID] ) - Winbox [ROS version] on [RB model] ([platform])From screenshot above we can see that user?admin?is logged into router with IP address?10.1.101.18. Router's ID isMikroTik, currently installed RouterOS version is?v5.0beta1, RouterBoard is?RB800?and platform is?PowerPC.On the Main toolbar's left side is located?undo?and?redo?buttons to quickly undo any changes made to configuration. On the right side is located:winbox traffic indicator displayed as a green bar,indicator that shows whether winbox session uses TLS encryptioncheckbox?Hide password. This checkbox replaces all sensitive information (for example, ppp secret passwords) with '*' asterisk symbols.Work Area and child windowsWinbox has MDI interface meaning that all menu configuration (child) widows are attached to main (parent) Winbox window and are showed in work area.Child windows can not be dragged out of working area. Notice in screenshot above that?Interface?window is dragged out of visible working area and horizontal scroll bar appeared at the bottom. If any window is outside visible work area boundaries the vertical or/and horizontal scrollbars will appear.Child window menu barEach child window has its own toolbar. Most of the windows have the same set of toolbar buttons:?Add?- add new item to the list?Remove?- remove selected item from the list?Enable?- enable selected item (the same as?enable?command from console)?Disable?- disable selected item (the same as?disable?command from console)?Comment?- add or edit comment?Sort?- allows to sort out items depending on various parameters.?Read more >>Almost all windows have quick search input field at the right side of the toolbar. Any text entered in this field is searched through all the items and highlighted as illustrated in screenshot belowNotice that at the right side next to quick find input filed there is a dropdown box. For currently opened (IP Route) window this dropdown box allows to quickly sort out items by routing tables. For example if?main?is selected, then only routes from main routing table will be listed.?Similar dropdown box is also in all firewall windows to quickly sort out rules by chains.Sorting out displayed itemsAlmost every window has a?Sort?button. When clicking on this button several options appear as illustrated in screenshot belowExample shows how to quickly filter out routes that are in 10.0.0.0/8 rangePress?Sort?buttonChose?Dst.Address?from the first dropdown box.Chose?in?form the second dropdown box. "in" means that filter will check if dst address value is in range of specified network.Enter network against which values will be compared (in our example enter "10.0.0.0/8")These buttons are to add or remove another filter to the stack.Press?Filter?button to apply our filter.As you can see from screenshot winbox sorted out only routes that are within 10.0.0.0/8 parison operators (Number?3?in screenshot) may be different for each window. For example "Ip Route" window has only two?is?and?in. Other windows may have operators such as "is not", "contains", "contains not".Winbox allows to build stack of filters. For example if there is a need to filter by destination address and gateway, thenset first filter as described in example above,press?[+]?button to add another filter bar in stack.set up seconf filter to filter by gatewaypress?Filter?button to apply filters.You can also remove unnecessary filter from the stack by pressing?[-]?button.Customizing list of displayed columnsBy default winbox shows most commonly used parameters. However sometimes it is needed to see another parameters, for example "BGP AS Path" or other BGP attributes to monitor if routes are selected properly.Winbox allows to customize displayed columns for each individual window. For example to add BGP AS path column:Click on little arrow button (1) on the right side of the column titles or right mouse click on the route list.From popped up menu move to?Show Columns?(2) and from the sub-menu pick desired column, in our case click on?BGP AS Path?(3)Changes made to window layout are saved and next time when winbox is opened the same column order and size is applied.Detail modeIt is also possible to enable?Detail mode. In this mode all parameters are displayed in columns, first column is parameter name, second column is parameter's value.To enable detail mode right mouse click on the item list and from the popupmenu pick?Detail modeCategory viewIt is possible to list items by categories. In tis mode all items will be grouped alphabetically or by other category. For example items may be categorized alphabetically if sorted by name, items can also be categorized by type like in screenshot below.To enable Category view, right mouse click on the item list and from the popupmenu pick?Show CategoriesDrag & DropIt is possible to upload and download files to/from router using winbox drag & drop functionality.Note:?Drag & Drop does not work if winbox is running on Linux using wine. This is not a winbox problem, wine does not support drag & drop.Traffic monitoringWinbox can be used as a tool to monitor traffic of every interface, queue or firewall rule in real-time. Screenshot below shows ethernet traffic monitoring graphs.Item copyThis shows how easy it is to copy an item in Winbox. In this example, we will use the COPY button to make a Dynamic WDS interface into a Static interface.This image shows us the initial state, as you see DRA indicates "D" which means Dynamic:Double-Click on the interface and click on COPY:A new interface window will appear, a new name will be created automatically (in this case WDS2)You can see that the new interface status has changed:Transferring SettingsOn Windows Vista/7 Winbox settings are stored in: ?%USERPROFILE%\AppData\Roaming\Mikrotik\Winbox\winbox.cfgSimply copy this file to the same location on the new host.TroubleshootingWinbox cannot connect to router's IP addressMake sure that Windows firewall is set to allow Winbox connections or disable windows firewall.I get an error '(port 20561) timed out' when connecting to routers mac addressWindows (7/8) does not allow mac connection if file and print sharing is disabledWebFigSummaryCongratulations, you have got hold of MikroTik router for your home network. This guide will help you to do initial configuration of the router to make your home network a safe place to be.The guide is mostly intended in case if default configuration did not get you to the internet right away, however some parts of the guide is still useful.Connecting wiresRouter's initial configuration should be suitable for most of the cases. Description of the configuration is on the back of the box and also described in the?online manual.The best way to connect wires as described on the box:Connect ethernet wire from your internet service provider (ISP) to port?ether1, rest of the ports on the router are for local area network (LAN). At this moment, your router is protected by default firewall configuration so you should not worry about that;Connect LAN wires to the rest of the ports.Configuring routerInitial configuration has DHCP client on WAN interface (ether1), rest of the ports are considered your local network with DHCP server configured for automatic address configuration on client devices. To connect to the router you have to set your computer to accept DHCP settings and plug in the ethernet cable in one of the LAN ports (please check for port numbering of the product you own, or check front panel of the router).Logging into the routerTo access the router enter address?192.168.88.1?in your browser. Main RouterOS page will be shown as in the screen shot below. Click on?WebFig?from the list.You will be prompted for login and password to access configuration interface. Default login name is?admin?and blank password (leave empty field as it is already).Router user accountsIt is good idea to start with password setup or add new user so that router is not accessible by anyone on your network. User configuration is done form?System -> Users?menu.To access this menu, click on?System?on the left panel and from the dropdown menu chooseUsers?(as shown in screenshot on the left)You will see this screen, where you can manage users of the router. In this screen you can edit or add new users:When you click on account name (in this case?admin), edit screen for the user will be displayed.If you click on?Add new?button, new user creation screen will be displayed.Both screens are similar as illustrated in screenshot below. After editing user's data click?OK?(to accept changes) orCancel. It will bring you back to initial screen of user management.In user?edit/Add new?screen you can alter existing user or create new. Field marked with?2.?is the user name, field?1.will open password screen, where old password for the user can be changed or added new one (see screenshot below).Configure access to internetIf initial configuration did not work (your ISP is not providing DHCP server for automatic configuration) then you will have to have details from your ISP for static configuration of the router. These settings should includeIP address you can useNetwork mask for the IP addressDefault gateway addressLess important settings regarding router configuration:DNS address for name resolutionNTP server address for time automatic configurationYour previous MAC address of the interface facing ISPDHCP ClientDefault configuration is set up using DHCP-Client on interface facing your ISP or wide area network (WAN). It has to be disabled if your ISP is not providing this service in the network. Open 'IP -> DHCP Client' and inspect field?1.?to see status of DHCP Client, if it is in state as displayed in screenshot, means your ISP is not providing you with automatic configuration and you can use button in selection?2.?to remove DHCP-Client configured on the interface.Static IP AddressTo manage IP addresses of the router open 'IP -> Address'You will have one address here - address of your local area network (LAN)?192.168.88.1?one you are connected to router. Select?Add new?to add new static IP address to your router's configuration.You have to fill only fields that are marked. Field?1.?should contain?IP address?provided by your ISP and?network mask'. Examples:172.16.88.67/24both of these notations mean the same, if your ISP gave you address in one notation, or in the other, use one provided and router will do the rest of calculation.Other field of interest is?interface?this address is going to be assigned. This should be interface your ISP is connected to, if you followed this guide - interface contains name -?ether1Note:?While you type in the address, webfig will calculate if address you have typed is acceptable, if it is not label of the field will turn red, otherwise it will be blueNote:?It is good practice to add comments on the items to give some additional information for the future, but that is not requiredConfiguring network address translation (NAT)Since you are using local and global networks, you have to set up network masquerade, so that your LAN is hidden behind IP address provided by your ISP. That should be so, since your ISP does not know what LAN addresses you are going to use and your LAN will not be routed from global network.To check if you have the source NAT open 'IP -> Firewall -> tab NAT' and check if item highlighted (or similar) is in your configuration.Essential fields for masquerade to work:enabled is checked;chain - should be?srcnat;out-interface is set to interface connected to your ISP network, Following this guide?ether1;action should be set to?masquerade.In screenshot correct rule is visible, note that irrelevant fields that should not have any value set here are hidden (and can be ignored)?Default gatewayunder 'IP -> Routes' menu you have to add routing rule called default route. And select?Add new?to add new route.?In screen presented you will see the following screen:here you will have to press button with?+?near red?Gateway?label and enter in the field default gateway, or simply gateway given by your ISP.This should look like this, when you have pressed the?+?button and enter gateway into the field displayed.After this, you can press OK button to finish creation of the default route.At this moment, you should be able to reach any globally available host on the Internet using IP address.To check weather addition of default gateway was successful use?Tools -> PingDomain name resolutionTo be able to open web pages or access Internet hosts by domain name DNS should be configured, either on your router or your computer. In scope of this guide, i will present only option of router configuration, so that DNS addresses are given out by DHCP-Server that you are already using.This can be done in 'IP -> DNS ->Settings', first Open 'IP ->DNS':Then select?Settings?to set up DNS cacher on the router. You have to add field to enter DNS IP address, section?1.?in image below. and check?Allow Remote Requests?marked with?2.The result of pressing?+?twice will result in 2 fields for DNS IP addresses:Note:?Filling acceptable value in the field will turn field label blue, other way it will be marked red.SNTP ClientRouterBOARD routers do not keep time between restarts or power failuers. To have correct time on the router set up SNTP client if you require that.To do that, go to 'System -> SNTP' where you have to enable it, first mark, change mode from broadcast to unicast, so you can use global or ISP provided NTP servers, that will allow to enter NTP server IP addresses in third area.Setting up WirelessFor ease of use bridged wireless setup will be used, so that your wired hosts will be in same ethernet broadcast domain as wireless clients.To make this happen several things has to be checked:Ethernet interfaces designated for LAN are swtiched or bridged, or they are separate ports;If bridge interface exists;Wireless interface?mode?is set to?ap-bridge?(in case, router you have has level 4 or higher license level), if not, then?mode?has to be set to?bridge?and only one client (station) will be able to connect to the router using wireless network;There is appropriate security profile created and selected in interface settings.Check Ethernet interface stateWarning:?Changing settings may affect connectivity to your router and you can be disconnected from the router. Use?Safe Mode?so in case of disconnection made changes are reverted back to what they where before you entered safe modeTo check if ethernet port is switched, in other words, if ethernet port is set as slave to another port go to 'Interface' menu and open Ethernet interface details. They can be distinguished by Type column displaying?Ethernet.When interface details are opened, look up?Master Port?setting.Available settings for the attribute are none, or one of Ethernet interface names. If name is set, that mean, that interface is set as slave port. Usually RouterBOARD routers will come with?ether1?as intended WAN port and rest of ports will be set as slave ports of?ether2?for LAN use.Check if all intended LAN Ethernet ports are set as slave ports of the rest of one of the LAN ports. For example, ifether2. ether3, ether4?and?ether5?are intended as LAN ports, set on ether3 to ether5 attribute?Master Port?to?ether2.In case this operation fails - means that Ethernet interface is used as port in bridge, you have to remove them from bridge to enable hardware packet switching between Ethernet ports. To do this, go to?Bridge -> Ports?and remove slave ports (in example,?ether3?to?ether5) from the tab.Note:?If master port is present as bridge port, that is fine, intended configuration requires it there, same applies to wireless interface (wlan)Security profileIt is important to protect your wireless network, so no malicious acts can be performed by 3rd parties using your wireless access-point.To edit or create new security profile head to 'Wireless -> tab 'Security Prodiles' and choose one of two options:Using?Add new?create new profile;Using highlighted path in screenshot edit default profile that is already assigned to wireless interface.In This example i will create new security profile, editing it is quite similar. Options that has to be set are highlighted with read and recommended options are outlined by red boxes and pre-set to recommended values. WPA and WPA2 is used since there are still legacy equipment around (Laptops with Windows XP, that do not support WPA2 etc.)WPA Pre- shared key and WPA2 Pre- shared key should be entered with sufficient length. If key length is too short field label will indicate that by turning red, when sufficient length is reached it will turn blue.?Note:?WPA and WPA2 pre-shared keys should be differentNote:?When configuring this, you can deselect?Hide passwords?in page header to see the actual values of the fields, so they can be successfully entered into device configuration that are going to connect to wireless access-pointWireless settingsAdjusting wireless settings. That can be done here:?In?General?section adjust settings to settings as shown in screenshot. Consider these safe, however it is possible, that these has to be adjusted slightly.Interface mode has to be set to?ap-bridge, if that is not possible (license resctrictions) set to bridge, so one client will be able to connect to device.WiFI devices usually are designed with 2.4GHz modes in mind, setting band to 2GHz-b/g/n will enable clients with 802.11b, 802.11g and 802.11n to connect to the access pointAdjust channel width to enable faster data rates for 802.11n clients. In example channel 6 is used, as result,20/40MHz HT Above?or?20/40 MHz HT Below?can be used. Choose either of them.Set SSID - the name of the access point. It will be visible when you scan for networks using your WiFi equipment.?In section?HT?set change HT transmit and receive chains. It is good practice to enable all chains that are available?When settings are set accordingly it is time to enable our protected wireless access-point?Bridge LAN with WirelessOpen?Bridge?menu and check if there are any bridge interface available first mark. If there is not, select?Add Newmarked with second mark and in the screen that opens just accept the default settings and create interface. When bridge interface is availbe continue to?Ports?tab where master LAN interface and WiFI interface have to be added.First marked area is where interfaces that are added as ports to bridge interface are visible. If there are no ports added, choose?Add New?to add new ports to created bridge interfaces.When new bridge port is added, select that it is enabled (part of active configuration), select correct bridge interface, following this guide - there should be only 1 interface. And select correct port - LAN interface master port and WiFi portFinished look of bridge configured with all ports requiredTroubleshooting & Advanced configurationThis section is here to make some deviations from configuration described in the guide itself. It can require more understanding of networking, wireless networks in general.GeneralCheck IP addressAdding IP address with wrong network mask will result in wrong network setting. To correct that problem it is required to change?address?field, first section, with correct address and network mask and?network?field with correct network, or unset it, so it is going to be recalculated againChange password for current userTo change password of the current user, safe place to go isSystem -> PasswordWhere all the fields has to be filled. There is other place where this can be done in case you have full privileges on the router.Change password for existing userIf you have full privileges on the router, it is possible to change password for any user without knowledge of current one. That can be done under?System -> Users?menu.Steps are:Select user;type in password and re-type it to know it is one you intend to setNo access to the Internet or ISP networkIf you have followed this guide to the letter but even then you can only communicate with your local hosts only and every attempt to connect to Internet fails, there are certain things to check:If masquerade is configured properly;If setting MAC address of previous device on WAN interface changes anythingISP has some captive portal in place.Respectively, there are several ways how to solve the issue, one - check configuration if you are not missing any part of configuration, second - set MAC address. Change of mac address is available only from CLI -?New Terminal?from the left side menu. If new window is not opening check your browser if it is allowing to open popup windows for this place. There you will have to write following command by replacing MAC address to correct one: /interface ethernet set ether1 mac-address=XX:XX:XX:XX:XX:XXOr contact your ISP for details and inform that you have changed device.Checking linkThere are certain things that are required for Ethernet link to work:Link activity lights are on when Ethernet wire is plugged into the portCorrect IP address is set on the interfaceCorrect route is set on the routerWhat to look for using ping tool:If all packets are replied;If all packets have approximately same round trip time (RTT) on non-congested Ethernet linkIt is located here:?Tool -> Ping?menu. Fill in?Ping To?field and press start to initiate sending of ICMP packets.WirelessWireless unnamed features in the guide that are good to know about. Configuration adjustments.Channel frequencies and widthIt is possible to choose different frequency, here are frequencies that can be used and channel width settings to use 40MHz HT channel (for 802.11n). For example, using?channel 1 or 2412MHz frequency?setting?20/40MHz HT below?will not yield any results, since there are no 20MHz channels available below set frequency.Channel #FrequencyBelowAbove12412 MHznoyes22417 MHznoyes32422 MHznoyes42427 MHznoyes52432 MHzyesyes62437 MHzyesyes72442 MHzyesyes82447 MHzyesyes92452 MHzyesyes102457 MHzyesyes112462 MHzyesno122467 MHzyesno132472 MHzyesnoWarning:?You should check how many and what frequencies you have in your regulatory domain before. If there are 10 or 11 channels adjust settings accordingly. With only 10 channels, channel #10 will have no sense of setting20/40MHz HT above?since no full 20MHz channel is availableWireless frequency usageIf wireless is not performing very well even when data rates are reported as being good, there might be that your neighbours are using same wireless channel as you are. To make sure follow these steps:Open frequency usage monitoring tool?Freq. Usage...?that is located in wireless interface details;Wait for some time as scan results are displayed. Do that for minute or two. Smaller numbers in?Usage?column means that channel is less crowded.Note:?Monitoring is performed on default channels for?Country?selected in configuration. For example, if selected country would be Latvia, there would have been 13 frequencies listed as at that country have 13 channels allowed.Change Country settingsBy default?country?attribute in wireless settings is set to?no_country_set. It is good practice to change this (if available) to change country you are in. To do that do the following:Go to wireless menu and select?Advanced mode;Look up?Country?attribute and from drop-down menu select countryNote:?Advanced mode is toggle button that changes from Simple to Advanced mode and back.Port forwardingTo make services on local servers/hosts available to general public it is possible to forward ports from outside to inside your NATed network, that is done from?/ip firewall nat?menu. For example, to make possible for remote helpdesk to connect to your desktop and guide you, make your local file cache available for you when not at location etc.Static configurationA lot of users prefer to configure these rules statically, to have more control over what service is reachable from outside and what is not. This also has to be used when service you are using does not support dynamic configuration.Following rule will forward all connections to port 22 on the router external ip address to port 86 on your local host with set IP address:if you require other services to be accessible you can change protocol as required, but usually services are running TCP and dst-port. If change of port is not required, eg. remote service is 22 and local is also 22, then to-ports can be left parable command line command: /ip firewall nat add chain=dstnat dst-address=172.16.88.67 protocol=tcp dst-port=22 \ action=dst-nat to-address=192.168.88.22 to-ports=86Note:?Screenshot contain only minimal set of settings are left visibleDynamic configurationuPnP is used to enable dynamic port forwarding configuration where service you are running can request router using uPnP to forward some ports for it.Warning:?Services you are not aware of can request port forwarding. That can compromise security of your local network, your host running the service and your dataConfiguring uPnP service on the router:Set up what interfaces should be considered external and what internal; /ip upnp interface add interface=ether1 type=external /ip upnp interface add interface=ether2 type=internalEnable service itself /ip upnp set allow-disable-external-interface=no show-dummy-rule=no enabled=yesLimiting access to web pagesUsing?IP?->?Web Proxy?it is possible to limit access to unwanted web pages. This requires some understanding of use of WebFig interface.Set up Web Proxy for page filteringFrom?IP?->?Web Proxy?menu?Access?tab open?Web Proxy Settings?and make sure that these attributes are set follows: Enabled -> checked Port -> 8080 Max. Cache Size -> none Cache on disk -> unchecked Parent proxy -> unsetWhen required alterations are done?applysettings to return to?Access?tab.Set up Access rulesThis list will contain all the rules that are required to limit access to sites on the Internet.To add sample rule to deny access to any host that contain do the following when adding new entry: Dst. Host -> .*example\.com.* Action -> DenyWith this rule any host that has will be unaccessible.Limitation strategiesThere are two main approaches to this problemdeny only pages you know you want to deny?(A)allow only certain pages and deny everything else?(B)For approach?A?each site that has to be denied is added with?Action?set to?DenyFor approach?B?each site that has to be allowed should be added with?Action?set to?Allow?and in the end is rule, that matches everything with?Action?set to?Deny. ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download