Saturday, April 19, 2008

Transparently Bridge two Networks

Remote networks can be bridged transparently using the WDS feature of MikroTik RouterOS™. We show it for the case where the networks are connected through an Atheros wireless interface. Using EoIP, this can be extended to any other type of interface, such as PPTP or Cisco/Aironet. WDS works only on Prism- and Atheros-based cards.

Let us assume the following network setup:


Follow the steps below to create a transparent bridge using WDS:

1. Create a bridge interface on the AP and add the ether1 interface to the bridge in WinBox

or in console

[admin@AP]> interface bridge add name=wds-bridge
[admin@AP]> interface bridge port add interface=ether1 bridge=wds-bridge


Do the same on the Station, adding the ether1 and wlan1 interfaces to the bridge in WinBox


or in console

[admin@Station]> interface bridge add name=wds-bridge
[admin@Station]> interface bridge port add interface=ether1 bridge=wds-bridge
[admin@Station]> interface bridge port add interface=wlan1 bridge=wds-bridge

2. Make sure you have communication between the MikroTik routers, i.e. one router is configured as the server (AP) and the other as the client (station). Configure the wireless interface wlan1 on the AP in WinBox



or in console

[admin@AP]> interface wireless set wlan1 ssid=MikroTik frequency=5805 mode=bridge disabled=no

Do the same configuration on the client wireless interface (wlan1) in WinBox


or in console

[admin@Station]> interface wireless set wlan1 mode=station-wds ssid=MikroTik disabled=no

3. Create a WDS interface on the AP and add it to the bridge in WinBox


or in console

[admin@AP]> interface wireless set wlan1 wds-mode=dynamic wds-default-bridge=wds-bridge

4. Check whether the WDS link is established in WinBox



or in console

[admin@AP] interface wireless wds> print
Flags: X - disabled, R - running, D - dynamic
0 RD name="wds1" mtu=1500 mac-address=00:0B:6B:30:B4:A4 arp=enabled
disable-running-check=yes master-interface=wlan1
wds-address=00:0B:6B:35:E5:5C


5. Add an IP address on the AP in WinBox



or in console

[admin@AP]> ip address add address=10.1.0.215/24 interface=wds-bridge

And on the Station:

[admin@Station]> ip address add address=10.1.0.216/24 interface=wds-bridge

6. Test the bridge by pinging from 10.0.0.215 to 10.0.0.216. Note that the bridge needs 10-30 s to learn addresses before it starts passing traffic.

NOTE: If you are not using NAT, mangle or anything else that depends on connection tracking (such as connection-state firewall matches), remember to turn it off at both ends of the link.

In the console:

[admin@xx]> ip firewall connection tracking set enabled=no

This helps you get the full bandwidth the wireless link can achieve by reducing the CPU load.

How WMM works

WMM works by dividing traffic into four access categories: background, best effort, video and voice. The QoS policy (different handling of the access categories) is applied to transmitted packets, so it is the transmitting device that treats packets differently: e.g. the AP has no control over how clients transmit their packets, and clients have no control over how the AP transmits its packets.

MikroTik AP and client classify packets based on the priority assigned to them, according to the following table (as per the WMM spec):

priority 1, 2 - background
priority 0, 3 - best effort
priority 4, 5 - video
priority 6, 7 - voice

To be able to use multiple WMM access categories, and not just best effort (where all packets with the default priority 0 go), a priority must be set on those packets. By default all packets (incoming and locally generated) inside the router have priority 0.

A "better" access category for a packet does not necessarily mean that it will be sent over the air before all other packets with a "worse" access category. WMM works by running the DCF medium access method with different settings for each access category (EDCF), which means that a "better" access category has a higher probability of getting access to the medium. A WMM-enabled station can be thought of as four stations, one per access category, where the ones with a "better" access category use settings (shorter backoff timeouts) that make them more likely to get a chance to transmit when all are contending for the medium. Details can be found in the 802.11e and WMM specifications.


How to set priority

The priority of packets can be set using the "set priority" action of ip firewall mangle rules and/or bridge firewall filter rules. Priority can be set to a specific value or to the "ingress priority". The ingress priority is the priority value detected on the incoming packet, if available. Currently there are two sources of ingress priority: the priority field in the VLAN header and the priority of WMM packets received over a wireless interface. For all other packets the ingress priority is 0.

Note that the ingress priority value is not automatically copied to the priority value; a rule needs to be set up to do this!

So there are basically two ways to control/set priority (remember that both require setting up the correct rule(s)!):

- assign priority with rules using particular matchers (protocol, addresses, etc.),
- set it from the ingress priority.

This essentially means that if it is not possible or not wanted to classify packets by rules, the network must be configured so that the router can extract the ingress priority from incoming frames. Remember that there are currently two sources for this: the VLAN tag in packets and received WMM packets.

Do not confuse the priority of queues with the priority assigned to packets. Queue priorities work separately: they specify the "importance" of a queue and have meaning only within a particular queue setup. Think of packet priority as a kind of mark that gets attached to the packet by rules. Also take into account that this mark is currently only used for outgoing packets going over a WMM-enabled link, and when a VLAN-tagged packet is sent out (no matter whether that packet was tagged locally or bridged).

Example

For example, in setup

PPPoE server -> WMM AP -> client,

if the AP is just forwarding PPPoE traffic (so inspecting the encapsulated IP packets to match e.g. by protocol is not possible, as the packets can be encrypted and compressed), the priority must reach the AP from the PPPoE server in a VLAN tag, so you have to use a VLAN between the PPPoE server and the AP just to carry the priority information.

Note that you do not have to forward VLAN-encapsulated traffic to the client; the VLAN can be terminated at the AP, as the VLAN tag is needed only when entering the AP.

In case the AP is the PPPoE server itself, there is no need to use a VLAN; the priority can be set by rules before the packet is encapsulated in PPPoE.


Priority from DSCP

Another way of setting priority is from the DSCP field in the IP header; this can only be done with the "set priority" action of a firewall mangle rule. Note that DSCP in the IP header can have values 0-63, but priority only 0-7. The effective priority after setting from DSCP is the 3 low bits of the DSCP value, which is the same as the remainder of division by 8. So, for example, priority from DSCP values 0, 8, 16, etc. will be 0, and from DSCP values 7, 15, ..., 63 it will be 7.

Remember that DSCP can only be accessed on IP packets!

Note, that to use this feature, DSCP value in IP header should be set somewhere.

It is best to set the DSCP value in the IP header of packets on some border router (e.g. the main router used for the internet connection), based on traffic type, e.g. set DSCP to 7 for packets coming from the internet that belong to SIP connections, and to 0 for the rest. This way packets need to be marked in only one place; all APs in the network then set the packet priority from the DSCP value with just one rule.

In setup:

border router -> WMM AP -> client,

the border router sets the DSCP value for SIP traffic, and the WMM AP sets priority from the DSCP value. Note that in this setup DSCP is set only for traffic _to_ the client. Sometimes it can be useful to also set DSCP on traffic coming _from_ the client (e.g. if two clients connected to different APs are talking to each other); this can be done on the APs.
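As an added example (not from the original article), the rules described in the last three sections written out in RouterOS CLI syntax: the border router marks SIP traffic with DSCP 7 and everything else with DSCP 0, the WMM AP turns DSCP into packet priority with a single mangle rule, and for the bridged PPPoE case a bridge filter rule copies the ingress priority out of the VLAN tag. The interface names WAN, wlan1 and ether1, the RTP port range and the change-dscp/set-priority keyword spelling (taken from later RouterOS documentation, not from this page) are assumptions.

```routeros
# Border router (assumed interface name: WAN). SIP signalling is UDP 5060;
# the RTP range 10000-20000 is a constructed placeholder, use your PBX's range.
# passthrough=no stops processing once a packet is marked, so the
# catch-all rule below only sees packets that did not match SIP.
/ip firewall mangle
add chain=forward in-interface=WAN protocol=udp dst-port=5060 \
    action=change-dscp new-dscp=7 passthrough=no comment="SIP signalling -> DSCP 7"
add chain=forward in-interface=WAN protocol=udp dst-port=10000-20000 \
    action=change-dscp new-dscp=7 passthrough=no comment="RTP media -> DSCP 7"
add chain=forward in-interface=WAN \
    action=change-dscp new-dscp=0 passthrough=yes comment="everything else -> DSCP 0"

# WMM AP, routed case: one rule sets the packet priority from DSCP.
# from-dscp uses the 3 low bits, so DSCP 7 -> priority 7 (voice),
# DSCP 0 -> priority 0 (best effort). The mark matters only on the
# WMM-enabled wireless interface, so it is applied on output to wlan1.
/ip firewall mangle
add chain=postrouting out-interface=wlan1 \
    action=set-priority new-priority=from-dscp passthrough=yes comment="DSCP -> WMM priority"

# WMM AP, bridged PPPoE case: the priority arrives in the VLAN tag on ether1.
# Ingress priority is not copied automatically; this bridge filter rule does it.
/interface bridge filter
add chain=forward in-interface=ether1 mac-protocol=vlan \
    action=set-priority new-priority=from-ingress passthrough=yes comment="VLAN priority -> WMM priority"
```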


Combining priority setting and handling solutions

Complex networks and different situations can be handled by combining different approaches of carrying priority information to ensure QoS and optimize use of resources, based on "building blocks" described above. Several suggestions:

- the fewer filter rules in the whole network, the better (faster): classify packets only when necessary, and prefer to do it on fast routers, as connection tracking will most probably be required.

- use DSCP to carry priority information in the IP packets forwarded in your network; this way you can use it wherever it is needed.

- use VLANs where necessary, as they also carry priority information; make sure that any Ethernet bridges and switches in the path are not clearing the priority information in the VLAN tag. In MikroTik bridges you have to set up a bridge firewall rule to set priority from the ingress priority for this!

- remember that QoS does not improve the throughput of links, it just treats different packets differently, and also that WMM traffic over a wireless link will take precedence over regular traffic in the air.

Monday, April 7, 2008

IPSec VPN with Dynamic Routing / Mikrotik and Cisco

This example shows how to set up an IPsec VPN using a dynamic routing protocol (RIP); another protocol can be used as well. The example shows a setup between MikroTik and Cisco routers, but it can also be done between MikroTik routers only; to be more colourful I decided to use MikroTik and Cisco. Below are the steps to complete the configuration of an IPsec VPN with dynamic routing.


Mikrotik RouterOS

If you are using ROS v3.0 or above, be sure to check the end of this list for the necessary modifications.

First, configure a tunnel interface:

/ interface ipip
add name="Tunnel1" mtu=1480 local-address=10.10.1.100 remote-address=10.10.1.200 comment="" disabled=no

After all interfaces are configured, assign IP addresses to them:

/ ip address
add address=10.10.1.100/24 network=10.10.1.0 broadcast=10.10.1.255 interface=WAN comment="" disabled=no
add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=LAN comment="" disabled=no
add address=172.16.0.1/30 network=172.16.0.0 broadcast=172.16.0.3 interface=Tunnel1 comment="" disabled=no

Enable Routing in Mikrotik Router, in this case RIP:

/ routing rip
set redistribute-static=no redistribute-connected=no redistribute-ospf=no redistribute-bgp=no metric-static=1 \
metric-connected=1 metric-ospf=1 metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m
/ routing rip interface
add interface=Tunnel1 receive=v2 send=v2 authentication=none authentication-key="" prefix-list-in="" prefix-list-out=""
/ routing rip neighbor
add address=172.16.0.2
/ routing rip network
add address=192.168.1.0/24
add address=172.16.0.0/30

IPsec setup: here the IPsec policy, peer and proposal are defined. Make sure the policy does not have the tunnel option enabled (tunnel=no), because IPsec transport mode is used here, not tunnel mode:

/ ip ipsec proposal
add name="IPSec" auth-algorithms=md5 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 disabled=no
/ ip ipsec peer
add address=10.10.1.200 secret="ipsec" generate-policy=no exchange-mode=main send-initial-contact=yes \
proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 disabled=no
/ ip ipsec policy
add src-address=10.10.1.100/32:any dst-address=10.10.1.200/32:any protocol=all action=encrypt level=require \
ipsec-protocols=esp tunnel=no sa-src-address=10.10.1.100 sa-dst-address=10.10.1.200 \
proposal=IPSec manual-sa=none dont-fragment=clear disabled=no

In v3.0 the following lines (the routing rip interface, ipsec proposal and ipsec peer entries above) change to:

/ routing rip interface
add interface=Tunnel1 receive=v2 send=v2 authentication=none authentication-key="" in-prefix-list="" out-prefix-list=""
/ ip ipsec proposal
add name="IPSec" auth-algorithms=md5 enc-algorithms=3des lifetime=30m pfs-group=modp1024 disabled=no
/ ip ipsec peer
add address=10.10.1.200/32:500 secret="ipsec" generate-policy=no exchange-mode=main send-initial-contact=yes \
proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 disabled=no


Cisco IOS

Cisco Interfaces and addresses:

interface FastEthernet0/0
description *** WAN ***
ip address 10.10.1.200 255.255.255.0
crypto map vpn

interface FastEthernet0/1
description *** LAN ***
ip address 192.168.2.1 255.255.255.0

Cisco Tunnel Interface:

interface Tunnel1
description **Cisco Peer**
ip address 172.16.0.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1480
ip rip v2-broadcast
ip tcp adjust-mss 1400
load-interval 30
tunnel source 10.10.1.200
tunnel destination 10.10.1.100
tunnel mode ipip
hold-queue 1024 in
hold-queue 1024 out

Routing in Cisco:

router rip
version 2
timers basic 30 60 90 90
redistribute connected metric 1 route-map connected-to-rip
redistribute static metric 5 route-map static-to-rip
network 172.16.0.2
network 192.168.2.0
distribute-list prefix LAN out
no auto-summary

Setup the prefix-list to match the Local subnet:

ip prefix-list LAN seq 10 permit 192.168.2.0/24

Setup route-maps to match interfaces to be advertised by RIP:

route-map connected-to-rip permit 10
match interface FastEthernet0/0
!
route-map static-to-rip permit 10
match ip address prefix-list LAN

IPsec and crypto setup in Cisco; transport mode of IPsec should be set up here as well:

!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key ipsec address 0.0.0.0 0.0.0.0
!
crypto ipsec security-association idle-time 600
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
mode transport
!
crypto map vpn 1 ipsec-isakmp
description **To Mikrotik Peer**
set peer 10.10.1.100
set transform-set vpn
set pfs group2
match address mikrotik_peer
!

Setup access-list to match the IPSec peer:

ip access-list extended mikrotik_peer
permit ipinip host 10.10.1.200 host 10.10.1.100

Type this in "enable" mode to view your routing table (after a successful RIP update):

sh ip route

or

sh ip rip database

This example can also be implemented with another routing protocol such as OSPF, and a failover connection can very simply be added. The failover setup is easy: all that is needed is another set of tunnels via another ISP or gateway, with the same router as the remote peer. Instead of the routing protocol, the second set of tunnels uses static routes, which must have a higher distance than the dynamic protocol. The idea is that when the primary link goes down (dynamic routing, distance=120), the backup link becomes active (static routes, distance=200); as soon as the primary link comes back up, the failover link goes inactive again.
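The failover described above, as an added example for the MikroTik side only (not from the original article): a second IPIP tunnel over the other ISP, protected by the same transport-mode IPsec setup as Tunnel1, and a static route to the remote LAN whose distance (200) is worse than RIP's (120). The ISP2 addresses 10.10.2.100/10.10.2.200 and the tunnel subnet 172.16.0.4/30 are constructed placeholders, the peer syntax is the v3.0 form from above, and the Cisco needs a mirror-image Tunnel2 plus a floating static route, which is not shown.

```routeros
# Backup IPIP tunnel over ISP2 (constructed addresses: 10.10.2.100 is this
# router on ISP2, 10.10.2.200 is the same Cisco reached via ISP2).
/interface ipip
add name="Tunnel2" mtu=1480 local-address=10.10.2.100 remote-address=10.10.2.200 disabled=no
/ip address
add address=172.16.0.5/30 network=172.16.0.4 broadcast=172.16.0.7 interface=Tunnel2 disabled=no

# Same transport-mode IPsec as the primary, for the second peer address.
# The "IPSec" proposal defined above is reused.
/ip ipsec peer
add address=10.10.2.200/32:500 secret="ipsec" generate-policy=no exchange-mode=main \
    send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des \
    dh-group=modp1024 lifetime=1d lifebytes=0 disabled=no
/ip ipsec policy
add src-address=10.10.2.100/32:any dst-address=10.10.2.200/32:any protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=no \
    sa-src-address=10.10.2.100 sa-dst-address=10.10.2.200 proposal=IPSec disabled=no

# Floating static route to the Cisco LAN via Tunnel2. distance=200 is worse
# than RIP's 120, so it stays inactive while the RIP-learned route exists.
# When the primary link fails, RIP stops refreshing its route and removes it
# after the timeout-timer (3m above); only then does this route become active.
/ip route
add dst-address=192.168.2.0/24 gateway=172.16.0.6 distance=200 comment="failover via Tunnel2"

# Verify: with the primary up, the RIP route (distance 120) carries the A flag
# and the static one (distance 200) does not; disable Tunnel1 and print again.
/ip route print where dst-address=192.168.2.0/24
```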

PPTPClient

PPTP Client / VPN

Now let's configure the remote client to connect to the VPN above:

/interface pptp-client
add name="vpn-to-server" connect-to=192.168.x.x user="user-1" password="********" allow=mschap1,mschap2

>print
Flags: X - disabled, R - running
0 X name="vpn-to-server" max-mtu=1460 max-mru=1460 connect-to=192.168.x.x
user="user-1" password="*******" profile=default-encryption
add-default-route=no allow=mschap1,mschap2
>enable 0

PPTPServer

A minimalistic HowTo for using MikroTik RouterOS as a PPTP server, based on 2.9.x. Use it at your own risk.

I prefer bridge groups as they are always up and one can add physical interfaces later. The arp=proxy-arp setting is important.

N.B. 8 Oct 2007: "set gre disabled=no" is not active on RouterOS 3.0rc5

/ interface ethernet
set ether1 name="ether1"

/ interface bridge
add name="lan" arp=proxy-arp

/ interface bridge port
add interface=ether1 bridge=lan

/ ip address
add address=192.168.0.1/24 interface=lan

/ ip dns
set allow-remote-requests=yes

/ ip firewall service-port
set gre disabled=no
set pptp disabled=no

/ ip pool
add name="pptp" ranges=192.168.0.200-192.168.0.229

/ ppp profile
add name="pptp-in" local-address=192.168.0.1 remote-address=pptp use-encryption=required only-one=yes change-tcp-mss=yes dns-server=192.168.0.1

/ interface pptp-server server
set enabled=yes max-mtu=1460 max-mru=1460 authentication=chap,mschap1,mschap2 default-profile=pptp-in

/ ppp secret
add name="user-1" service=pptp password="******" profile=pptp-in
add name="user-2" service=pptp password="******" profile=pptp-in