A new interface window will appear, a new name will be created automatically (in this case WDS2)
You can see that the new interface status has changed:
Manual:Winbox
87
Transferring Settings
On Windows Vista/7 Winbox settings are stored in:
%USERPROFILE%\AppData\Roaming\Mikrotik\Winbox\winbox.cfg
Simply copy this file to the same location on the new host.
Troubleshooting
Winbox cannot connect to router's IP address
Make sure that Windows firewall is set to allow Winbox connections or disable windows firewall.
I get an error '(port 20561) timed out' when connecting to routers mac address
Windows (7/8) does not allow mac connection if file and print sharing is disabled.
[ Top | Back to Content ]
Manual:Webfig
88
Manual:Webfig
Summary
WebFig is a web based RouterOS utility which allows you to monitor, configure and troubleshoot the router. It is
designed as an alternative of WinBox, both have similar layouts and both have access to almost any feature of
RouterOS.
WebFig is accessible directly from the router which means that there is no need to install additional software (except
web browser with JavaScript support, of course).
As Webfig is platform independent, it can be used to configure router directly from various mobile devices without
need of a software developed for specific platform.
Some of the tasks that you can perform with WebFig:
Configuration - view and edit current configuration;
Monitoring - display the current status of the router, routing information, interface stats, logs and many more;
Troubleshooting - RouterOS has built in many troubleshooting tools (like ping, traceroute, packet sniffers, traffic
generators and many other) and all of them can be used with WebFig.
Connecting to Router
WebFig can be launched from the
routers home page which is accessible
by entering routers IP address in the
browser. When home page is
successfully loaded, choose webfig
from the list of available icons as
illustrated in screenshot.
After clicking on webfig icon, login
prompt will ask you to enter username
and password. Enter login information
and click connect.
Now you should be able to see webfig
in action.
IPv6 Connectivity
RouterOS http service now listens on ipv6 address, too. To connect to IPv6, in your browser enter ipv6 address in
square brackets, for example [2001:db8:1::4]. If it is required to connect to link local address, don't forget to specify
interface name or interface id on windows, for example [fe80::9f94:9396%ether1].
Manual:Webfig
89
Interface Overview
WebFig interface is designed to be very intuitive especially for WinBox users. It has very similar layout: menu bar
on the left side, undo/redo at the top and work are at the rest of available space.
When connected to router, browsers title bar (tab name on Chrome) displays currently opened menu, user name used
to authenticate, ip address, system identity, ROS version and RouterBOARD model in following format:
[menu] at [username]@[Router's IP] ( [RouterID] ) - Webfig [ROS version] on [RB model] ([platform])
Menu bar has almost the same design as WinBox menu bar. Little arrow on the right side of the menu item indicates
that this menu has several sub-menus.
When clicking on such menu item, sub-menus will be listed and the arrow will
be pointing down, indicating that sub-menus are listed.
At the top you can see three common buttons Undo/Redo buttons similar to
winbox and one additional button Log Out. In the top right corner, you can see
WebFig logo and RouterBOARDS model name.
Work area has tab design, where you can switch between several configuration
tabs, for example in screenshot there are listed all tabs available in Bridge
menu (Bridge, Ports, Filters, NAT, Rules).
Below the tabs are listed buttons for all menu specific commands, for example
Add New and Settings.
The last part is table of all menu items. First column of an item has item
specific command buttons:
- enable current item
- disable current item
- remove current item
Manual:Webfig
90
Item configuration
When clicking on one of the listed items, webfig will open new page showing all configurable parameters, item
specific commands and status.
At the top you can see item type and item name. In example screenshot you can see that item is an interface with
name bypass
There are also item specific command buttons (Ok, Cancel, Apply, Remove and Torch). These can vary between
different items. For example Torch is available only for interfaces.
Common Item buttons:
Ok - apply changes to parameters and exit;
Cancel - exit and do not apply changes;
Apply - apply changes and stay on current page;
Remove - remove current item.
Status bar similar to winbox shows current status of item specific flags (e.g running flag). Grey-ed out flag means
that it is not active. In example screenshot you can see that running is in solid black and slave is grey-ed, which
means that interface is running and is not a slave interface.
List of properties is divided in several sections, for example "General", "STP", "Status", "Traffic". In winbox these
sections are located in separate tabs, but webfig lists them all in one page specifying section name. In screenshotyou
can see "General" section. Grey-edout properties mean that they are read-only and configuration is not possible.
Manual:Webfig
91
Work with Files
Webfig allows to upload files directly to the router, without using FTP services. To upload files, open Files menu,
click on Choose File button, pick file and wait until file is uploaded.
Files also can be easily downloaded from the router, by clicking Download button at the right side of the file entry.
Manual:Webfig
92
Traffic Monitoring
Template:TODO
[ Top | Back to Content ]
Skins
Webfig skins is handy tool to make interface more user friendly. It is not a security tool. If user has sufficient rights
it is possible to access hidden features by other means.
Designing skins
If user has sufficient permissions (group has policy edit permissions) Design Skin button becomes available.
Pressing that toggle button will open interface editing options. Possible operations are:
Hide menu - this will hide all items from menu and its submenus;
Hide submenu - only certain submenu will be hidden
Hide tabs - if submenu details have several tabs, it is possible to hide them this way;
Rename menus, items - make some certain features more obvious or translate them into your launguage;
Add note to to item (in detail view) - to add comments on filed;
Make item read-only (in detail view) - for user safety very sensitive fields can be made read only
Hide flags (in detail view) - while it is only possible to hide flag in detail view, this flag will not be visible in list
view and in detailed view;
Add limits for field - (in detail view) where it is list of times that are comma or newline separated list of allowed
values:
number interval '..' example: 1..10 will allow values from 1 to 10 for fiels with numbers, example, MTU size.
field prefix (Text fields, MAC address, set fields, combo-boxes). If it is required to limit prefix length $ should
be added to the end, for example, limiting wireless interface to "station" only will contain
Add Tab - will add grey ribbon with editable label that will separate the fields. Ribbon will be added before field
it is added to;
Add Separator - will add low height horizontal separator before the field it is added to.
Note: Number interval cannot be set to extend limitations set by RouterOS for that field
Note: Set fields are argument that consist of set of check-boxes, for example, setting up policies for user
groups, RADIUS "Service"
Note: Limitations set for combo-boxes will values selectable from dropdown
Configure wireless interface
To configure
Manual:Webfig
93
Status page
Note: Starting RouterOS 5.7 webfig interface adds capability for users to create status page where fields from
anywhere can be added and arranged.
Satus page can be created by users (with sufficient permissions) and fields on the page can be
reordered.
When status page is created it is default page that opens when logging in the router through webfig
interface.
Addition of fields
To add field to status page user has to enter "Design skin" mode and from drop-down menu at the field choose
option - "Add to status page"
As the result of this action desired field in read-only mode will be added to status page. If at the time Status page is
not present at the time, it will be created for the user automatically.
Two columns
Fields in Status page can be arranged in two columns. Columns are filled from top to bottom.
When you have only one column then first item intended for second should be dragged to the top of the first item
when black line appear on top of the first item, then drag mouse to the left until shorter black line is displayed as
showed in screenshot. Releasing mouse button will create second column. Rest of the fields afterwards can be
dragged and dropped same way as with one column design.
Manual:Webfig
94
Skin design examples
Set field
Setting limits for set field
And the result:
Manual:Webfig
95
Using skins
To use skins you have to assign skin to group, when that is done users of that group will automatically use selected
skin as their default when logging into Webfig.
Note: Webfig is only configuration interface that can use skins
If it is required to use created skin on other router you can copy files to skins folder on the other
router. On new router it is required to add copied skin to user group to use it.
[ Top | Back to Content ]
Manual:License
Overview
RouterBOARD devices come preinstalled with a RouterOS license, if you have purchased a RouterBOARD device,
nothing must be done regarding the license.
For X86 systems (ie. PC devices), you need to obtain a license key.
The license key is a block of symbols that needs to be copied from your mikrotik.com account, or from the email you
received in, and then it can be pasted into the router. You can paste the key anywhere in the terminal, or by clicking
"Paste key" in Winbox License menu. A reboot is required for the key to take effect.
RouterOS licensing scheme is based on SoftwareID number that is bound to storage media (HDD, NAND).
Licensing information can be read from CLI system console:
[admin@RB1100] > /system license print
software-id: "43NU-NLT9"
upgradable-to: v7.x
nlevel: 6
features:
[admin@RB1100] >
or from equivalent winbox, webfig menu.
License Levels
You can purchase a Level 3, 4, 5 and 6. Level 1 is the demo license.
The difference between license levels is shown in the table.
Level 3 is a wireless station (client) only license. Level 3 can only be
obtained in large quantities.
Level 2 was a transitional license from old legacy (pre 2.8) license
format. These licenses are not available anymore, if you have this kind
of license, it will work, but to upgrade it - you will have to purchase a
new license.
Note: current RouterOS version is 6 table modified according to that.
The Upgradable-to below applies only to Keys purchased after release
of v6
Manual:License
96
Level number 0 (Trial mode) 1 (Free Demo) 3 (WISP CPE) 4 (WISP) 5 (WISP) 6 (Controller)
Price
no key
[1]
registration required
[1]
volume only
[2]
$45 $95 $250
Upgradable To - no upgrades ROS v7.x ROS v7.x ROS v8.x ROS v8.x
Initial Config Support - - - 15 days 30 days 30 days
Wireless AP 24h trial - - yes yes yes
Wireless Client and Bridge 24h trial - yes yes yes yes
RIP, OSPF, BGP protocols 24h trial - yes(*) yes yes yes
EoIP tunnels 24h trial 1 unlimited unlimited unlimited unlimited
PPPoE tunnels 24h trial 1 200 200 500 unlimited
PPTP tunnels 24h trial 1 200 200 500 unlimited
L2TP tunnels 24h trial 1 200 200 500 unlimited
OVPN tunnels 24h trial 1 200 200 unlimited unlimited
VLAN interfaces 24h trial 1 unlimited unlimited unlimited unlimited
HotSpot active users 24h trial 1 1 200 500 unlimited
RADIUS client 24h trial - yes yes yes yes
Queues 24h trial 1 unlimited unlimited unlimited unlimited
Web proxy 24h trial - yes yes yes yes
User manager active
sessions
24h trial 1 10 20 50 Unlimited
Number of KVM guests none 1 Unlimited Unlimited Unlimited Unlimited
(*) - BGP is included in License Level3 only for RouterBOARDs, for other devices you need Level4 or above to
have BGP.
All Licenses:
never expire
include 15-30 day free support over e-mail
can use unlimited number of interfaces
are for one installation each
Level3 is not available for purchase individually. For ordering more than 100 L3 licenses, contact
sales[at]mikrotik.com
Licenses and RouterOS upgrades
RouterOS upgrade capabilities are not limited by time, but by version, and this depends on the RouterOS license
level. For example if you are running RouterOS v5, your license could restrict the upgrade only to v6, and not to v7.
The following examples describe how this is determined:
There are two types of keys, Level3/L4 and Level5/L6
The difference between these is that L3 and L4 only allow RouterOS upgrades until the last update of the next
version. L5 and L6 however, give you the ability to use one more major version
There are also differences between all License levels (L3-L6) that are unrelated to RouterOS upgrades, see
License levels
So the math is:
L3/4 = current version + 1 = can use
Manual:License
97
L5/6 = current version + 2 = can use
eg. L5/6 = v3 + 2 = v5.21 you can use
Examples:
If current version is ROS v3, L3 and L4 will work with v3.1, v3.20, v4,1, v4.20 but NOT v5.0 and beyond
If current version is ROS v3, L5 and L6 will work with v3.1, v3.20, v4.1, v4.20 and also v5beta1 but NOT v6.0
and beyond
If current version would be ROS v4, L5 and L6 will work with v4.1, v4.20, v5.1, v5.20 and also v6beta to v6.99
but NOT v7
New 8 symbol SoftID
Since RouterOS 3.25 and 4.0beta3 new
SoftID format is introduced. Your license
menu will show both the old and the new
SoftID. Even by upgrading to a new version,
RouterOS will still work as before, but to
use some of the new features, LICENSE
UPDATE will be necessary. To do this, just
click on "Update license key" button in
Winbox (currently only in Winbox).
New SoftID's are in the form of
XXXX-XXXX (Four symbols, dash, four
symbols).
The following actions will be taken:
1. 1. Winbox will contact www.mikrotik.com
with your old SoftID
2. 2. www.mikrotik.com will check the
database and see details about your key
3. 3. the server will generate a new key as "upgrade" and put it into the same account as old one
4. 4. Winbox will receive the new key and automatically License your router with the new key
5. 5. Reboot will be required
6. 6. New RouterOS features will be unlocked
Important Note!: If you see this button also in v3.24, don't use it, it will not work.
If you ever wish to downgrade RouterOS, you will have to apply the OLD key before doing so. When RouterOS
applies the NEW key, the OLD key is saved to a file, in the FILES folder, to make sure you have the old key handy.
Even more important: Don't downgrade v4.0b3 to v3.23 or older. Use only v3.24 for downgrading, or you might
lose your new format key.
Manual:License
98
Change license Level
1. 1. There are no license level upgrades, if you wish to use a different license Level, please purchase the appropriate
level. Be very careful when purchasing for the first time, choose the correct option.
2. 2. Why is it not possible to change license level (ie. upgrade license)? Just like you can't easily upgrade your car's
engine from 2L to 4L just by paying the difference, you can't switch license levels as easily. This is a policy used
by many software companies, choose wisely when making your purchase! Instead we have lowered the prices,
and removed the software update time limit.
Using the License
Can I Format or Re-Flash the drive?
Formatting, and Re-Imaging the drive with non-mikrotik tools (like DD and Fdisk) will destroy your license! Be
very careful and contact mikrotik support before doing this. It is not recommended, as mikrotik support might deny
your request for a replacement license. For this use MikroTik provided tools Netinstall or CD-install that are freely
available from our download page.
How many computers can I use the License on?
At the same time, the RouterOS license can be used only in one system. The License is bound to the HDD it is
installed on, but you have the ability to move the HDD to another computer system. You cannot move the License to
another HDD, neither can you format or overwrite the HDD with the RouterOS license. It will be erased from the
drive, and you will have to get a new one. If you accidently removed your license, contact the support team for help.
Can I temporary use the HDD for something else, other than RouterOS?
As stated above, no.
Can I move the license to another HDD ?
If your current HDD drive is destroyed, or can no longer be used, it is possible to transfer the license to another
HDD. You will have to request a replacement key (see below) which will cost 10$
What is a Replacement Key
It is a special key which is issued by the Support Team if you accidently lose the license, and the Mikrotik Support
decides that it is not directly your fault. It costs 10$ and has the same features as the key that you lose. Note that
before issuing such key, the Mikrotik Support can ask you to prove that the old drive is failed, in some cases this
means sending us the dead drive.
Note: We may issue only one replacement key per one original key, using replacement key procedure twice
for one key will not be possible. In cases like this new key for this RouterOS device must be purchased.
Must I type the whole key into the router?
No, simply copy it and paste into the Telnet window, or License menu in Winbox.
Copy license to Telnet Window (or Winbox New Terminal),
Manual:License
99
Another option to use Winbox License Window, click on System ---> License,
Manual:License
100
Can I install another OS on my drive and then install RouterOS again later?
No, because if you use formatting or partitioning utilities, or tools that do something to the MBR, you will lose the
license and you will have to make a new one. This process is not free (see Replacement Key above)
I lost my RouterBOARD, can you give me the license to use on another system?
The RouterBOARD comes with an embedded license. You cannot move this license to a new system in any way,
this includes upgrades applied to the RouterBOARD while it was still working.
Licenses Purchased from Resellers
The keys that you purchase from other vendors and resellers, are not in your account. Your mikrotik.com account
only contains licenses purchased from MikroTik directly. However, you can use the "Request key" link in your
account, to get the key into your account for reference, or for some upgrades (if available).
Obtaining Licenses and working with them
Where can I buy a RouterOS license key?
In the Account Server, which is located on www.mikrotik.com
If I have purchased my key elsewhere
You must contact the company who sold you the license, they will provide support
If I have a license and want to put it on another account?
You can give access to keys with the help of Virtual Folders
References
[1] http:/ / www. mikrotik. com/ download.html
[2] mailto:sales@mikrotik. com
Manual:Purchasing a License for RouterOS
101
Manual:Purchasing a License for RouterOS
First you have to make an account on the Account Server, this can be done on the mikrotik.com main page, and is a
free and easy process.
Important! Before purchasing a key, you have to install RouterOS. It will generate a SoftID that will be required
during the purchase. Before entering the SoftID in the purchase form, make sure it has not changed on your router.
After installation, you have 24 hours to enter a key. If you are close to running out of time - shut down the router.
The timer will stop.
After you have an account, start by logging in, here is an example process:
Log into your account
Click on Purchase a Key
Select your License Level and the number of
licenses you need
Manual:Purchasing a License for RouterOS
102
Enter your SoftIDs and select the system kind,
remember that SoftID will be given to you after
installation of RouterOS. The system kind is a
choice between RouterBOARD and X86.
Basically if you have a RouterBOARD(TM)
device, select RouterBOARD, if you have some
other kind of device - select X86. NOTE!: Older
RouterBOARD 230 model is an X86 device too.
Click on Pay By Credit Card and You will be
presented the bank payment page
In the Bank page you will be asked for your Credit Card Number, CVC/CVV code, expiry date of the card and the
name on the card. The CVC/CVV card can be found on the back of the card and is a three digit code. After you enter
all the details and submit the information, your credit card will be charged. Do not close the browser or push any
buttons until the process is complete. Then you will receive your new key in your email, and it will also appear in the
"work with keys" section of your account.
Instructions how to apply license on your router are here.
Manual:Entering a RouterOS License key
103
Manual:Entering a RouterOS License key
First method
If you have installed the Router OS onto a PC (i.e. it is not a RouterBoard), you will initially have no key, but for 24
hours the router will be fully operable and working. During this period configure the router to have an IP address, for
example 10.1.0.133, then purchase a key on the www.mikrotik.com account server. To enter this key follow this
short guide:
Telnet to the router:
find the email from mikrotik which contains your key
Manual:Entering a RouterOS License key
104
select this key and click copy
in the telnet window right-click the screen and choose paste
Manual:Entering a RouterOS License key
105
type y and hit enter to reboot the router
For fans of the serial console, you may enter the license information via the serial console on certain equipment.
Perform the same operation as in the telnet session above, i.e., at the console prompt, paste the license
information as if it were a command; the paste buffer or clipboard should contain the full text including the lines
containing "BEGIN" and "END" as mentioned above.
Manual:Replacement Key
106
Manual:Replacement Key
If you have been given the so-called "Replacement Key", follow these instructions to take it from your account:
Manual:Replacement Key
107
Manual:Product Naming
Naming details for RouterBOARD products
RouterBOARD (short version RB)
<board name> <board features>-<build-in wireless> <wireless card
features>-<connector type>
-<enclosure type>
Board Name
Currently there can be three types of board names:
3-digit number
1st digit stands for series
2nd digit for indicating number of potential wired interfaces (Ethernet, SFP, SFP+)
3rd digit for indicating number of potential wireless interfaces (build-in and mPCI and mPCIe slots)
Word - currently used names are: OmniTIK, Groove, SXT, SEXTANT, Metal. If board has fundamental
changes in hardware (such as completely different CPU) revision version will be added in the end
Exceptional naming - 600, 800, 1000, 1100, 1200, 2011 boards are standalone representatives of the series or
have more than 9 wired interfaces, so name was simplified to full hundreds or development year.
Manual:Product Naming
108
Board Features
Board features follows immediately after board name section (no spaces or dashes), except when board name is a
word, then board features are separated by space.
Currently used features (listed in order they are used):
U - USB
P - power injection with controller
i - single port power injector without controller
A - more memory (and usually higher license level)
H - more powerful CPU
G - Gigabit (may includes "U","A","H", if not used with "L")
L - light edition
S - SFP port (legacy usage - SwitchOS devices)
e - PCIe interaface extention card
x<N> - where N is number of CPU cores ( x2, x16, x36 etc)
Built-in wireless details
If board has built-in wireless, then all its features are represented in following format:
<band><power_per_chain><protocol><number_of_chains>
band
5 - 5Ghz
2 - 2.4Ghz
52 - dual band 5Ghz and 2.4Ghz
power per chain
(not used) - "Normal" - <23dBm at 6Mbps 802.11a; <24dBm at 6Mbps 802.11g
H - "High" - 23-24dBm at 6Mbps 802.11a; 24-27dBm at 6Mbps 802.11g
HP - "High Power" - 25-26dBm 6Mbps 802.11a; 28-29dBm at 6Mbps 802.11g
SHP - "Super High Power" - 27+dBm at 6Mbps 802.11a; 30+dBm at 6Mbps 802.11g
protocol
(not used) - for cards with only 802.11a/b/g support
n - for cards with 802.11n support
ac - for cards with 802.11ac support
number_of_chains
(not used) - single chain
D - dual chain
T - triple chain
connector type
(not used) - only one connector option on the model
MMCX - MMCX connector type
u.FL - u.FL connector type
Manual:Product Naming
109
Enclosure type
(not used) - main type of enclosure for a product
BU - board unit (no enclosure) - for situation when board-only option is required, but main product already comes
in the case
RM - rack-mount enclosure
IN - indoor enclosure
OUT - outdoor enclosure
SA - sector antenna enclosure
HG - high gain antenna enclosure
EM - extended memory
Example
Lets decode RB912UAG-5HPnD
[1]
naming
RB (RouterBOARD)
912 - 9th series board with 1 wired (ethernet) interface and two wireless interfaces (built-in and miniPCIe)
UAG - has USB port, more memory and gigabit ethernet port
5HPnD - has built in 5GHz high power dual chain wireless card with 802.11n support.
CloudCoreRouter naming details
CloudCoreRouter (short version CCR) naming consists of:
<4 digit number>-<list of ports>-<enclosure type>
4 digit number
1st digit stands for series
2nd (reserved)
3rd-4th digit indicate number of total CPU cores on the device
list of ports
-<n>G - number of Gigabit Ethernet ports
-<n>S - number of SFP ports
-<n>S+ - number of SFP+ ports
enclosure type - same as for RouterBOARD products.
CloudRouterSwitch naming details
CloudRouterSwitch (short version CRS) naming consists of:
<3 digit number>-<list of ports>-<build-in wireless card>-<enclosure type>
3 digit number
1st digit stands for series
2nd-3rd digit - total number of wired interfaces (Ethernet, SFP, SFP+)
list of ports
-<n>G - number of Gigabit Ethernet ports
-<n>S - number of SFP ports
-<n>S+ - number of SFP+ ports
build-in wireless card - same as for RouterBOARD products.
enclosure type - same as for RouterBOARD products.
Manual:Product Naming
110
[ Top | Back to Content ]
References
[1] http:/ / routerboard. com/ RB912UAG-5HPnD
Manual:RouterOS6 news
General
Updated drivers and Kernel (to linux-3.3.5)
Initial OpenFlow support
New LCD Touch screen features
Hotspot mac-cookie login method (mostly used for smartphones)
Configurable Kernel options in /ip settings and /ipv6 settings menu (ip forward, rp filters etc)
ARP timeout can be changed in /ip settings
Neighbor discovery can be disabled by default on dynamic interfaces in /ip neighbor discovery settings menu
To enable/disable discovery on interface you now must use command: "/ip neighbor discovery set (interface
number/name) discover=yes/no".
Show last-logged-in in users list
GRE supports all protocol encapsulation, not just ip and ipv6;
Slave flag shows up for interfaces that are in bridge,bonding or switch group;
SSH client has new property output-to-file, useful for scripting.
Support for API over TLS (SSL)
API is now enabled by default
DNS retry queries with tcp if truncated results received
DNS rotates servers only on failure
DNS cache logs requests to topics "dns" and "packet";
WebFig now supports RADIUS authentication (via MS-CHAPv2)
New Web Proxy parameter max-cache-object-size
Increased Max client/server connection count for Web Proxy
If NTP client is enabled, logs show correct time and date when router was rebooted.
802.1Q Trunking with Atheros switch chip
PPP
SSTP can now force AES encryption instead of default RC4
PPP profile now has bridge-path-cost amd bridge-port-priority parameters
Secrets shows last-logged-out date and time
Hotspot and PPP now support multiple address-lists
Only 2 change mss mangle rules are created for all ppp interfaces;
Manual:RouterOS6 news
111
Firewall
New all-ether,all-wireless,all-vlan,all-ppp interface matchers
Priority matcher
New change-dscp options from-priority and from-priority-to-high-3-bits
New Mangle Actions snif-tzsp,snif-pc
Wireless
Wireless Channels options - creating custom channel lists
DHCP
DHCP client now support custom options
DHCP v4 client now have special-classless option for add-default-route parameter
Possibility to add DHCP relay agent information option (Option 82)
DHCPv6 DNS option support
DHCPv6 Relay support
DHCP server RADIUS framed route support
DHCP option configuration per lease
IpSec
Significantly improved Road Warrior setup usage with Mode Configuration support.
Detailed configuration example can be found in the manual.
Full list of new features:
Mode Conf support (unity split include, address pools, DNS)
Ipsec peer can be set as passive - will not start ISAKMP SA negotiation
Xauth support ( xauth PSK and Hybrid RSA)
Policy templates - allow to generate policy only if src/dst address, protocol and proposal matches the template
Peer groups
Multiple peers with the same IP can be used.
For peers with full IP address specified system will auto-start ISAKMP SA negotiation.
generate-policy now can have port-strict value which will use port from peer's proposal
Source address of phase1 is now configurable
Certificates
CA keys are no more cached, every CA operations now requires a valid CA passphrase. Use
set-ca-passphrase for scep server to cache CA key in encrypted form;
For certificates marked as trusted=yes, CRL will be automatically updated once in an hour from http sources;
Ipsec and SSTP respects CRLs
SCEP server/client support
Certificate manager now can issue self signed certificates.
Manual:RouterOS6 news
112
Routing
New OSPF parameter use-dn. Forces to ignore DN bit in LSAs.
Changed BGP MED propagation logic, now discarded when sending route with non-empty AS_PATH to an
external peer
Connected routes become inactive when Interface goes down. It also means that dynamic routing protocols will
stop distributing connected routes without Active flag.
Queues
improved overall router performance when simple queues are used
improved queue management (/queue simple and /queue tree) - easily handles tens of thousands of queues;
/queue tree entries with parent=global are performed separately from /queue simple and before /queue simple;
new default queue types: pcq-download-default and pcq-upload-default;
simple queues have separate priority setting for download/upload/total;
global-in, global-out, global-total parent in /queue tree is replaced with global that is
equivalent to global-total in v5;
simple queues happen in different place - at the very end of postrouting and local-in chains;
simple queues target-addresses and interface parameters are joined into one target parameter, now
supports multiple interfaces match for one queue;
simple queues dst-address parameter is changed to dst and now supports destination interface matching;
Compact configuration export
Now by default configuration is exported in compact mode.
To make full config export verbose parameter should be used:
/export verbose file=myConfig
Tools
FastPath support
Renamed e-mail tls to start-tls and added it as a configurable parameter
Fetch tool now has HTTPS support
Added ipv6 header support for traffic generator
Playback pcap files into network using new trafficgen inject-pcap command
NAND Flash can be Partitioned on routerboards and separate RouterOS versions can be installed on each of the
partitions
[ Top | Back to Content ]
Manual:Default Configurations
113
Manual:Default Configurations
Applies to RouterOS: v5, v6+
List of Default Configs
Integrated Indoors
Wan port Lan port Wireless
mode
ht
chain
ht extension dhcp-server dhcp-client Firewall NAT Default IP Mac
Server
RB750
RB750G
ether1 Switched
ether2-ether5
- - - on lan port on wan port blocked
access
to wan
port
Masquerade
wan port
192.168.88.1/24
on lan port
Disabled
on wan
port
RB751 ether1 Switched
ether2-ether5,
bridged wlan1
with switch
AP b/g/n
2412MHz
0,1 above-control on lan port on wan port blocked
access
to wan
port
Masquerade
wan port
192.168.88.1/24
on lan port
Disabled
on wan
port
RB951 ether1 Switched
ether2-ether5,
bridged wlan1
with switch
AP b/g/n
2412MHz
0 above-control on lan port on wan port blocked
access
to wan
port
Masquerade
wan port
192.168.88.1/24
on lan port
Disabled
on wan
port
RB1100
AH/AHx2
- - - - - - - - - 192.168.88.1/24
on ether1
-
RB1200 - - - - - - - - - 192.168.88.1/24
on ether1
-
CCR
series
- - - - - - - - - 192.168.88.1/24
on ether1
-
RB2011 sfp1,ether1 two switch
gropups
bridged
(ether2-ether10,
wlan1 if
present)
- - - on lan port on wan port blocked
access
to wan
port
Masquerade
wan port
192.168.88.1/24
on ether1
Disabled
on wan
port
CRS - all ports
switched
- - - - - - - 192.168.88.1/24
on ether1
-
CRS with
wireless
sfp1,ether1 all other ports
switched and
bridged with
wireless
- - - on lan port on wan port blocked
access
to wan
port
Masquerade
wan port
192.168.88.1/24
on ether1
Disabled
on wan
port
Manual:Default Configurations
114
Integrated Outdoors
Wan
port
Lan port Wireless
mode
ht
chain
ht
extension
dhcp-server dhcp-client Firewall NAT Default IP Mac
Server
Groove
2Hn
wlan1 ether1 station
b/g/n
2.4GHz
0 above
control
on lan port on wan port blocked
access
to wan
port
Masquerade
wan port
192.168.88.1/24
on lan port
Disabled
on wan
port
Groove
5Hn
wlan1 ether1 station
a/n 5GHz
0 above
control
on lan port on wan port blocked
access
to wan
port
Masquerade
wan port
192.168.88.1/24
on lan port
Disabled
on wan
port
Groove
A-5Hn
- bridged
wlan1,ether1
AP a/n
5300MHz
0 - - - - - 192.168.88.1/24
on lan port
-
Metal 5 wlan1 ether1 station
a/n 5GHz
0 above
control
on lan port on wan port blocked
access
to wan
port
Masquerade
wan port
192.168.88.1/24
on lan port
Disabled
on wan
port
Metal 2 wlan1 ether1 station
b/g/n
2GHz
0 above
control
on lan port on wan port blocked
access
to wan
port
Masquerade
wan port
192.168.88.1/24
on lan port
Disabled
on wan
port
SXT 5xx,
SXT
G-5xx
wlan1 ether1 station
a/n 5GHz
0,1 above
control
on lan port on wan port blocked
access
to wan
port
Masquerade
wan port
192.168.88.1/24
on lan port
Disabled
on wan
port
OmniTik ether1 Switched
ether2-ether5,
bridged
wlan1 with
switch
AP a/n
5300MHz
0,1 - on lan port on wan port - Masquerade
wan port
192.168.88.1/24
on lan port
-
SEXTANT wlan1 ether1 station
a/n 5GHz
0,1 above
control
on lan port on wan port blocked
access
to wan
port
Masquerade
wan port
192.168.88.1/24
on lan port
Disabled
on wan
port
BaseBox 5 - bridged
wlan1,ether1
AP a/n
5GHz
0,1 - - - - - 192.168.88.1/24
on lan port
-
BaseBox 2 - bridged
wlan1,ether1
AP b/g/n
2GHz
0,1 - - - - - 192.168.88.1/24
on lan port
-
QRT-2 wlan1 ether1 station
b/g/n
2.4GHz
0 above
control
on lan port on wan port blocked
access
to wan
port
Masquerade
wan port
192.168.88.1/24
on lan port
Disabled
on wan
port
Manual:Default Configurations
115
Engineered
Wan
port
Lan port Wireless
mode
ht
chain
ht
extension
dhcp-server dhcp-client Firewall NAT Default IP Mac
Server
RB411xx,
RB435G,
RB433xx,
RB495xx,
RB800
- - - - - - - - - 192.168.88.1/24
on ether1
-
RB450xx ether1 Switched
ether2-ether5
- - - on lan port on wan port blocked
access
to wan
port
Masquerade
wan port
192.168.88.1/24
on lan port
Disabled
on wan
port
RB711-5xx,
RB711G-5xx
wlan1 ether1 station
a/n 5GHz
0 above
control
on lan port on wan port blocked
access
to wan
port
Masquerade
wan port
192.168.88.1/24
on lan port
Disabled
on wan
port
RB711UA-5xx,
RB711GA-5xx
- bridged
wlan1,ether1
AP a/n
5300MHz
0 - - - - - 192.168.88.1/24
on lan port
-
RB711-2xx wlan1 ether1 station
b/g/n
2.4GHz
0 above
control
on lan port on wan port blocked
access
to wan
port
Masquerade
wan port
192.168.88.1/24
on lan port
Disabled
on wan
port
RB711UA-2xx - bridged
wlan1,ether1
AP a/n
2412MHz
0 - - - - - 192.168.88.1/24
on lan port
-
Note: To see exact configuration script that will be applied after system reset use following command
/system default-configuration print
Warning: /system default-configuration print Always shows factory default configuration
even if it is override by different netinstall script.
Wan Port
When applying configuration WAN port is renamed to "<wan port>-gateway", for example, if wan
port is ether1, it will be renamed to "ether1-gateway".
Manual:Default Configurations
116
Local Port
Local port can be:
single interface
ethernets configured in switch group
bridged all interfaces that are not WAN and switch slaves.
If ports are switched then master port is renamed to "<ethernet name>-master-local" and slaves to "<ethernet
name>-slave-local".
Lets take RB751 as an example. Board has ether1 configured as WAN port, it has switch chip and one
pre-configured wireless interface. So in this case all ethernets except ether1 are grouped in switch group and bridged
with wireless interface.
Generated config will be:
/interface set ether2 name=ether2-master-local;
/interface set ether3 name=ether3-slave-local;
/interface set ether4 name=ether4-slave-local;
/interface set ether5 name=ether5-slave-local;
/interface ethernet set ether3-slave-local master-port=ether2-master-local;
/interface ethernet set ether4-slave-local master-port=ether2-master-local;
/interface ethernet set ether5-slave-local master-port=ether2-master-local;
/interface bridge add name=bridge-local disabled=no auto-mac=no protocol-mode=rstp;
:local bMACIsSet 0;
:foreach k in=[/interface find] do={
:local tmpPort [/interface get $k name];
:if ($bMACIsSet = 0) do={
:if ([/interface get $k type] = "ether") do={
/interface bridge set "bridge-local" admin-mac=[/interface ethernet get $tmpPort mac-address];
:set bMACIsSet 1;
}
}
:if (!($tmpPort~"bridge" || $tmpPort~"ether1" || $tmpPort~"slave")) do={
/interface bridge port add bridge=bridge-local interface=$tmpPort;
}
}
Wireless Config
Wireless configuration depends on market segment for which board is designed. It can be configured as AP or
station in 2GHz and 5GHz frequencies. Default 2GHz frequency is 2412 and default 5GHz frequency is 5300. SSID
is "Mikrotik-" + last 3 bytes in hex from wireless MAC address. Starting from v5.25 and v6rc14 Wireless Security
profile is configured with WPA/WPA2 and security key equal to router's serial number.
For example, If Mac address of the wlan1 interface is 00:0B:6B:30:7F:C2, and serial number of the board is
/sys routerboard print
routerboard: yes
serial-number: 0163008F8883
Manual:Default Configurations
117
Then following settings will be applied:
SSID="MikroTik-307FC2"
security settings:
mode=dynamic-keys
authentication-types=wpa-psk,wpa2-psk
wpa-pre-shared-key=0163008F8883
wpa2-pre-shared-key=0163008F8883
Note: security key is case sensitive
If board has two chains (letter D in the naming of the board), then both chains are enabled. HT
Extension is enabled on all CPEs.
For example generated config on RB751:
:if ( $wirelessEnabled = 1) do={
# wait for wireless
:while ([/interface wireless find] = "") do={ :delay 1s; };
/interface wireless set wlan1 mode=ap-bridge band=2ghz-b/g/n ht-txchains=0,1 ht-rxchains=0,1 \
disabled=no country=no_country_set wireless-protocol=any
/interface wireless set wlan1 channel-width=20/40mhz-ht-above ;
}
Default IP and DHCP Config
Default IP address on all boards is 192.168.88.1/24. Boards without specific configuration has IP address set on
ether1, other boards has IP address on LAN interface.
All boards that has WAN port configured, DHCP client is set on WAN port.
Typically on all CPEs DHCP server is set on LAN port, giving out addresses in range from
192.168.88.2-192.168.88.254
As an example RB751 applied DHCP config.
/ip dhcp-client add interface=ether1-gateway disabled=no
/ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254;
/ip dhcp-server
add name=default address-pool="default-dhcp" interface=bridge-local disabled=no;
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1 comment="default configuration";
Manual:Default Configurations
118
Firewall, NAT and MAC server
All boards with configured WAN port has configured protection on that port. Any traffic leaving WAN port is
masqueraded. In forward chain also three rules are added for boards with masquerade rule: accept established, accept
related and drop invalid to prevent packets with local network IP to be leaked on the wan port.
Config example:
/ip firewall {
filter add chain=input action=accept protocol=icmp comment="default configuration"
filter add chain=input action=accept connection-state=established in-interface=ether1-gateway comment="default configuration"
filter add chain=input action=accept connection-state=related in-interface=ether1-gateway comment="default configuration"
filter add chain=input action=drop in-interface=ether1-gateway comment="default configuration"
nat add chain=srcnat out-interface=ether1-gateway action=masquerade comment="default configuration"
}
/tool mac-server remove [find];
/tool mac-server mac-winbox disable [find];
:foreach k in=[/interface find] do={
:local tmpName [/interface get $k name];
:if (!($tmpName~"ether1")) do={
/tool mac-server add interface=$tmpName disabled=no;
/tool mac-server mac-winbox add interface=$tmpName disabled=no;
}
}
/ip neighbor discovery set [find name="ether1-gateway"] discover=no
DNS
Every board allows remote DNS requests and static DNS name is pre-configured.
/ip dns {
set allow-remote-requests=yes
static add name=router address=192.168.88.1
}
[ Top | Back to Content ]
Manual:System/Packages
119
Manual:System/Packages
Summary
RouterOS supports a lot of different features and since every installation requires specific set of features supprted it
is possible to add or remove certain groups of features using package system. As result user is able to control what
features are available and size of installation. Packages are provided only by MikroTik and no 3rd parties are
allowed to make them.
Acquiring packages
Packages can be downloaded from MikroTik download
[1]
page or mirrors listed on that page. Either of provided
download methods can be used.
RouterOS packages
for each architecture
Package Features
advanced-tools (mipsle,
mipsbe, ppc, x86)
advanced ping tools. netwatch, ip-scan, sms tool, wake-on-LAN
calea (mipsle, mipsbe,
ppc, x86)
data gathering tool for specific use due to "Communications Assistance for Law Enforcement Act" in USA
dhcp (mipsle, mipsbe,
ppc, x86)
Dynamic Host Control Protocol client and server
gps (mipsle, mipsbe, ppc,
x86)
Global Positioning System devices support
hotspot (mipsle, mipsbe,
ppc, x86)
HotSpot user management
ipv6 (mipsle, mipsbe,
ppc, x86)
IPv6 addressing support
mpls (mipsle, mipsbe,
ppc, x86)
Multi Protocol Labels Switching support
multicast (mipsle,
mipsbe, ppc, x86)
ProtocolIndependentMulticast-SparseMode; InternetGroupManagingProtocol-Proxy
ntp (mipsle, mipsbe, ppc,
x86)
Network protocol client and service
ppp (mipsle, mipsbe,
ppc, x86)
MlPPP client, PPP, PPTP, L2TP, PPPoE, ISDN PPP clients and servers
routerboard (mipsle,
mipsbe, ppc, x86)
accessing and managing RouterBOOT. RouterBOARD specific imformation.
routing (mipsle, mipsbe,
ppc, x86)
dynamic routing protocols like RIP, BGP, OSPF and routing utilities like BFD, filters for routes.
security (mipsle, mipsbe,
ppc, x86)
IPSEC, SSH, Secure WinBox
system (mipsle, mipsbe,
ppc, x86)
basic router features like static routing, ip addresses, sNTP, telnet, API, queues, firewall, web proxy, DNS cache, TFTP,
IP pool, SNMP, packet sniffer, e-mail send tool, graphing, bandwidth-test, torch, EoIP, IPIP, bridging, VLAN, VRRP
etc.). Also, for RouterBOARD platform - MetaROUTER | Virtualization
Manual:System/Packages
120
ups (mipsle, mipsbe, ppc,
x86)
APC ups
user-manager (mipsle,
mipsbe, ppc, x86)
MikroTik User Manager
wireless (mipsle, mipsbe,
ppc, x86)
wireless interface support
arlan (x86) legacy Aironet Arlan support
isdn (x86) ISDN support
lcd (x86) LCD panel support
radiolan (x86) RadioLan cards support
synchronous (x86) FarSync support
xen ( discontinued x86) XEN Virtualization
kvm (x86) KVM Virtualization
routeros-mipsle (mipsle) combined package for mipsle (RB100, RB500) (includes system, hotspot, wireless, ppp, security, mpls, advanced-tools,
dhcp, routerboard, ipv6, routing)
routeros-mipsbe
(mipsbe)
combined package for mipsbe (RB400) (includes system, hotspot, wireless, ppp, security, mpls, advanced-tools, dhcp,
routerboard, ipv6, routing)
routeros-powerpc (ppc) combined package for powerpc (RB300, RB600, RB1000) (includes system, hotspot, wireless, ppp, security, mpls,
advanced-tools, dhcp, routerboard, ipv6, routing)
routeros-x86 (x86) combined package for x86 (Intel/AMD PC, RB230) (includes system, hotspot, wireless, ppp, security, mpls,
advanced-tools, dhcp, routerboard, ipv6, routing)
mpls-test (mipsle,
mipsbe, ppc, x86)
Multi Protocol Labels Switching support improvements
routing-test (mipsle,
mipsbe, ppc, x86)
routing protocols (RIP, OSPF, BGP) improvements
Working with packages
Menu: /system package
Commands executed in this menu will take place only on restart of the router. Until then, user can freely schedule or
revert set actions.
Command Desciption
disable schedule package to be disabled after next reboot. All features provided by package will not be accessible
downgrade will prompt for reboot. During reboot process will try to downgrade RouterOS to oldest version possible by checking packages that
are uploaded to the router.
print outputs information about packages, like: version, package state, planned state changes etc.
enable schedule package to be enabled after next reboot
uninstall schedule package to be removed from router. That will take place during reboot.
unschedule remove scheduled task for package.
Manual:System/Packages
121
Examples
Upgrade process is described here.
List available packages
/system package print
Flags: X - disabled
# NAME VERSION SCHEDULED
0 X ipv6 3.13
1 system 3.13
2 X mpls 3.13
3 X hotspot 3.13
4 routing 3.13
5 wireless 3.13
6 X dhcp 3.13
7 routerboard 3.13
8 routeros-mipsle 3.13
9 security 3.13
10 X ppp 3.13
11 advanced-tools 3.13
Uninstall package
Schedules package for uninstallation and reboots router.
/system package uninstall ppp; /system reboot;
Reboot, yes? [y/N]:
Disable package
/system package disable hotspot; /system reboot;
Reboot, yes? [y/N]:
Downgrade
/system package downgrade; /system reboot;
Reboot, yes? [y/N]:
Cancel uninstall or disable action
/system package unschedule ipv6
Manual:Upgrading RouterOS
122
Manual:Upgrading RouterOS
It is suggested to always keep your RouterOS installation up to date, MikroTik always keeps adding new
functionality and improving performance and stability by releasing updates.
RouterOS versions are numbered sequentially, when a period is used to separate sequences, it does not represent a
decimal point, and the sequences do not have positional significance. An identifier of 2.5, for instance, is not "two
and a half" or "half way to version three", it is the fifth second-level revision of the second first-level revision.
Therefore v5.2 is older than v5.18, which is newer.
Requirements and suggestions
In this article we assume that youre license allows upgrading. When using a RouterBOARD device, it is always
suggested to upgrade it's RouterBOOT bootloader after RouterOS is upgraded. To do this, issue the command
"/system routerboard upgrade"
Automatic upgrade
In RouterOS v5.21, Automatic Upgrade was added. To upgrade your RouterOS version, all you need to do is click a
button. This feature is available in command line, Winbox GUI, Webfig GUI and QuickSet.
The automatic upgrade feature connects to the MikroTik download servers, and checks if there is a new RouterOS
version for your device. If yes, a Changelog is displayed, and Upgrade button is shown. Clicking the Upgrade button,
software packages are automatically downloaded, and device will be rebooted.
Even if you have a custom set of packages installed, only the correct packages will be downloaded. The process is
easy and fast, and will save you trips to our download page, and use of FTP utilities.
Upgrade button in QuickSet:
Upgrade button in the Packages menu:
Manual:Upgrading RouterOS
123
After clicking the Upgrade button, Changelog is shown:
By clicking "Download & Upgrade", downloads will start, and router will reboot. After the reboot, your router will
be running the latest RouterOS version. You can then click the Upgrade button again, to confirm that your router is
running the latest RouterOS.
Manual:Upgrading RouterOS
124
Manual upgrade methods
You can upgrade RouterOS in the following ways:
Winbox drag and drop files to the Files menu
FTP - upload files to root directory
The Dude See manual here
Note: RouterOS cannot be upgraded through serial cable. Using this method only RouterBOOT can be
upgraded.
Upgrade process
First step - visit www.mikrotik.com
[1]
and head to the download page, there choose the type of
system you have the RouterOS installed on.
Download the Combined package, it will include all the functionality of RouterOS:
Using Winbox
Choose your system type, and download the upgrade package:
Connect to your router with Winbox, Select the downloaded file with your mouse, and drag it to the Files menu. If
there are some files already present, make sure to put the package in the root menu, not inside the hotspot
folder!:
Manual:Upgrading RouterOS
125
The upload will start:
After it finishes - REBOOT and that's all! The New version number will be seen in the Winbox Title and in
the Packages menu
Manual:Upgrading RouterOS
126
Using FTP
Open your favourite FTP program (in this case it is Filezilla
[1]
), select the package and upload it to your router
(demo2.mt.lv is the address of my router in this example). note that in the image I'm uploading many packages,
but in your case - you will have one file that contains them all
if you wish, you can check if the file is successfully transferred onto the router (optional):
[normis@Demo_v2.9] > file print
# NAME TYPE SIZE CREATION-TIME
0 supout.rif .rif file 285942 nov/24/2005 15:21:54
1 dhcp-2.9.8.npk package 138846 nov/29/2005 09:55:42
2 ppp-2.9.8.npk package 328636 nov/29/2005 09:55:43
3 advanced-tools-2.9.... package 142820 nov/29/2005 09:55:42
4 web-proxy-2.9.8.npk package 377837 nov/29/2005 09:55:43
5 wireless-2.9.8.npk package 534052 nov/29/2005 09:55:43
6 routerboard-2.9.8.npk package 192628 nov/29/2005 09:55:45
7 system-2.9.8.npk package 5826498 nov/29/2005 09:55:54
and reboot your router for the upgrade process to begin:
[normis@Demo_v2.9] > system reboot
Reboot, yes? [y/N]: y
after the reboot, your router will be up to date, you can check it in this menu:
/system package print
if your router did not upgrade correctly, make sure you check the log
/log print without-paging
Manual:Upgrading RouterOS
127
RouterOS massive auto-upgrade
You can upgrade multiple MikroTik routers within few clicks. Let's have a look on simple network with 3 routers
(the same method works on networks with infinite numbers of routers),
RouterOS auto-upgrade
Sub-menu: /system package update
RouterOS version 6 has new auto upgrade option. RouterOS checks amazon servers for information if new version is
available and upgrades after upgrade command is executed.
You can automatize upgrade process by running script in scheduler:
/system package update
check-for-updates
:delay 1s;
:if ( [get current-version] != [get latest-version]) do={ upgrade }
Older option
RouterOS can download software packages from a remote MikroTik router.
Make one router as network upgrade central point, that will update MikroTik RouterOS on other routers.
Upload necessary RouterOS packages to this router (in the example, mipsbe for RB751U and powerpc for
RB1100AHx2).
Manual:Upgrading RouterOS
128
Add upgrade router (192.168.100.1) information to a router that you want to update (192.168.100.253), required
settings IP address/Username/Password
Click on Refresh to see available packages, download newest packages and reboot the router to finalize the
upgrade.
Manual:Upgrading RouterOS
129
Manual:Upgrading RouterOS
130
The Dude auto-upgrade
Dude application can help you to upgrade entire RouterOS network with one click per router.
Set type RouterOS and correct password for any device on your Dude map, that you want to upgrade
automatically,
Upload required RouterOS packages to Dude files,
Upgrade RouterOS version on devices from RouterOS list. Upgrade process is automatic, after click on upgrade
(or force upgrade), package will be uploaded and router will be rebooted by the Dude automatically.
Manual:Upgrading RouterOS
131
The Dude hierarchical upgrade
For complicated networks, when routers are connected sequentially, the simplest example is 1router-2router-3router
connection. You might get an issue, 2router will go to reboot before packages are uploaded to the 3router. The
solution is Dude groups, the feature allows to group routers and upgrade all of them by one click!
Select group and click Upgrade (or Force Upgrade),
Manual:Upgrading RouterOS
132
License issues
When upgrading from older versions, there could be issues with your license key. Possible scenarios:
When upgrading from RouterOS v2.8 or older, the system might complain about expired upgrade time. To
override this, use Netinstall to upgrade. Netinstall will ignore old license restriction and will upgrade
When upgrading to RouterOS v4 or newer, the system will ask you to update license to a new format. To do this,
ensure your Winbox PC (not the router) has a working internet connection without any restrictions to reach
www.mikrotik.com and click "update license" in the license menu.
References
[1] http:/ / filezilla.sourceforge. net/
Manual:CD Install
Applies to RouterOS: 2.9, v3, v4
CD Install Description
CD-Install allows to install MikroTik RouterOS to x86 boxes, which do not support Netinstall (all the
RouterBOARDs should be reinstalled with Netinstall).
Note: RouterOS installation will erase all data on your HDD, it will only work as the only operating system
in your PC. Remove any drives that you don't want to be erased
CD Install Requirements
Manual:CD Install
133
Router
x86 box with hard drive
CD-ROM
Additional PC
CD-ROM
CD burning application
MikroTik RouterOS CD installation ISO image
CD Install Example
Prepare MikroTik RouterOS CD Installation Disk
1. Download CD installation Image from MikroTik download page
[1]
,
2. Burn ISO image to disk, you need PC with CD-ROM and application to write ISO files to CD. For Linux (the
latest Ubuntu release) you can use built-in application. Mouse right-click on the .iso file and specify 'Write to Disk'.
You got MikroTik RouterOS installation disk after process is finished.
Manual:CD Install
134
Router Preconfiguration
3. Switch on the x86 box, where you want to install MikroTik RouterOS, it should be with CD-ROM as well. Put
MikroTik RouterOS installation disk to CD-ROM and set to boot from CD-ROM in BIOS settings,
4. x86 will boot from MikroTik RouterOS installation disk and should offer you to select the RouterOS Packages to
install,
Manual:CD Install
135
Package Selection
5. Select the packages you want to install, it is possible to select all packages with a or minimum with m, then Press i
to install the RouterOS.
Installation
6. If you have previous installation of the RouterOS and want to reset the configuration, then answer no for the
question 'Do you want to keep old configuration ?' and click y to proceed,
7. You will the process of the packages installation. Router will ask for the reboot after installation is finished,
Manual:CD Install
136
Post Installation procedures
8. MikroTik RouterOS is successfully installed, do not forget to eject CD installation disk and set PC to boot from
Hard Drive,
9. MikroTik RouterOS is booted and you are ready to login. Default login is admin without any password,
10. The last of the installation to license the router, use the software-id to purchase the license,
Manual:CD Install
137
Reset RouterOS configuration with CD Intstall
To reset the RouterOS configuration with CD Install, follow the procedure and on the step 6, set no for the answer
'Do you want to keep old configuration ?'.
Manual:Netinstall
Applies to RouterOS: 2.9, v3, v4
NetInstall Description
NetInstall is a program that runs on Windows computer that allows you to install MikroTiK RouterOS onto a PC or
onto a RouterBoard via an Ethernet network.
You can download Netinstall on our download page
[1]
.
NetInstall is also used to re-install RouterOS in cases where the the previous install failed, became damaged or
access passwords were lost.
Your device must support booting from ethernet, and there must be a direct ethernet link from the Netinstall
computer to the target device. All RouterBOARDs support PXE network booting, it must be either enabled inside
RouterOS "routerboard" menu if RouterOS is operable, or in the bootloader settings. For this you will need a
serial cable.
Note: For RouterBOARD devices with no serial port, and no RouterOS access, the reset button can also start PXE
booting mode. See your RouterBOARD manual PDF for details. For example RB750 PDF
[1]
Netinstall can also directly install RouterOS on a disk (USB/CF/IDE/SATA) that is connected to the Netinstall
Windows machine. After installation just move the disk to the Router machine and boot from it.
Manual:Netinstall
138
Interface
The following options are available in the Netinstall window:
Routers/Drives - list of PC drives, and in the routers that were detected near the Netinstall PC
Make floppy - used to create a bootable 1.44" floppy disk for PCs which don't have Etherboot support
Net booting - used to enable PXE booting over network (your default choice)
Install/Cancel - after selecting the router and selecting the RouterOS packages below, use this to start install
SoftID - the SoftID that was generated on the router. Use this to purchase your key
Key / Browse - apply the purchased key here, or leave blank to install a 24h trial
Get key - get the key from your mikrotik.com account directly
Flashfig - launch Flashfig - the mass config utility which works on brand new devices
Keep old configuration - keeps the configuration that was on the router, just reinstalls software (no reset)
IP address / "Netmask - enter IP address and netmask in CIDR notation to preconfigure in the router
Gateway - default gateway to preconfigure in the router
Baud rate - default serial port baud-rate to preconfigure in the router
Configure script File that contains RouterOS CLI commands that directly configure router (e.g. commands
produced by export command). Used to apply default configuration
Screenshot
for installation over network, don't forget to enable the PXE server, and make sure Netinstall is not blocked by
your firewall or antivirus. The connection should be directly from your Windows PC to the Router PC (or
RouterBOARD), or at least through a switch/hub.
Manual:Netinstall
139
NetInstall Example
This is a step by step example of how to install RouterOS on a RouterBoard 532 from a typical notebook computer.
Requirements
The Notebook computer must be equiped with the following ports and contain the following files:
Ethernet port.
Serial port.
Serial communications program (such as Hyper Terminal)
The .npk RouterOS file(s) (not .zip file) of the RouterOS version that you wish to install onto the Routerboard.
The NetInstall program available from the Downloads page at www.mikrotik.com
It is recommended to disable any other Network interfaces in your PC, leave only the one which is connected to
your router
Connection process
1. 1. Connect the routerboard to a switch, a hub or directly to the Notebook computer via Ethernet. The notebook
computer Ethernet port will need to be configured with a usable IP address and subnet. For example: 10.1.1.10/24
2. Connect the routerboard to the notebook computer via serial, and establish a serial communication session with
the RouterBoard. Serial configuration example in in the Serial console manual
3. 3. Run the NetInstall program on your notebook computer.
4. Press the NetInstall "Net Booting" button, enable the Boot Server, and enter a valid, usable IP address (within
the same subnet of the IP address of the Notebook) that the NetInstall program will assign to the RouterBoard to
enable communication with the Notebook computer. For example: 10.1.1.5/24
5. 5. Set the RouterBoard BIOS to boot from the Ethernet interface.
Configuring RouterBOARD
Configuring RouterBOARD without COM port
To boot RouterBOARD withtout COM port from Network, you can use reset button. Consult RouterBOARD.com
and specific RouterBOARD User Guide to find reset button location and usage instructions. For example
RB751U-2HnD etherboot instructions,
RouterBOARD 751U-2HnD RouterBOOT reset button (RES, front panel) has two functions to reset RouterOS
configuration and boot it from Etherboot: - Connect Netinstall PC to "ether1" port and hold this button during boot
time longer, until LED turns off, then release it to make the RouterBOARD look for Netinstall servers.
As well Etherboot can be configured by RouterOS (when you have access to it),
system routerboard settings set boot-device=try-ethernet-once-then-nand
Configuring RouterBOARD with COM port
To access Routerboard BIOS configuration: reboot the Routerboard while observing the activity on the Serial
Console. You will see the following prompt on the Serial Console Press any key within 2 seconds to enter setup
indicating that you have a 1 or 2 second window of time when pressing any key will give you access to Routerboard
BIOS configuration options.
(press any key when prompted):
You will see the following list of available BIOS Configuration commands. To set up the boot device, press the 'o'
key:
Manual:Netinstall
140
What do you want to configure?
d - boot delay
k - boot key
s - serial console
l - debug level
o - boot device
b - beep on boot
v - vga to serial
t - ata translation
p - memory settings
m - memory test
u - cpu mode
f - pci back-off
r - reset configuration
g - bios upgrade through serial port
c - bios license information
x - exit setup
Next Selection: Press the 'e' key to make the RouterBoard to boot from Ethernet interface:
Select boot device:
* i - IDE
e - Etherboot
1 - Etherboot (timeout 15s), IDE
2 - Etherboot (timeout 1m), IDE
3 - Etherboot (timeout 5m), IDE
4 - Etherboot (timeout 30m), IDE
5 - IDE, try Etherboot first on next boot (15s)
6 - IDE, try Etherboot first on next boot (1m)
7 - IDE, try Etherboot first on next boot (5m)
8 - IDE, try Etherboot first on next boot (30m)
The RouterBoard BIOS will return to the first menu. Press the 'x' key to exit from BIOS. The router will reboot.
Make sure boot-protocol is bootp.
Manual:Netinstall
141
Installation
Watch the serial console as the RouterBoard reboots, it will indicate that the RouterBoard is attempting to boot to the
NetInstall program. The NetInstall program will give the RouterBoard the IP address you entered at Step 4 (above),
and the RouterBoard will be ready for software installation. Now you should see the MAC Address of the
RouterBoard appear in the Routers/Drives list of the NetInstall program.
Click on the desired Router/Drive entry and you will be able to configure various installation parameters associated
with that Router/Drive entry.
For most Re-Installations of RouterOS on RouterBoards you will only need to set the following parameter:
Press the "Browse" button on the NetInstall program screen. Browse to the folder containing the .npk RouterOS
file(s) of the RouterOS version that you wish to install onto the Routerboard.
Manual:Netinstall
142
When you have finalized the installation parameters, press the "Install" button to install RouterOS.
When the installation process has finished, press 'Enter' on the console or 'Reboot' button in the NetInstall program.
Manual:Netinstall
143
Cleanup
1. Reset the BIOS Configuration of the RouterBoard to boot from its own memory.
2. Reboot the RouterBoard.
Manual:Netinstall
144
Reset RouterOS Password
Netinstall can be used to reset password of RouterOS by erasing all configuration from the router. Uncheck 'Keep
Old Configuration' during Netinstall and proceed with standard procedure,
[ Top | Back to Content ]
References
[1] http:/ / www. routerboard.com/ pricelist/ download_file.php?file_id=118
Manual:Configuration Management
145
Manual:Configuration Management
Applies to RouterOS: ALL
Summary
This manual introduces you with commands which are used to perform the following functions:
system backup;
system restore from a backup;
configuration export;
configuration import;
system configuration reset.
Description
The configuration backup can be used for backing up MikroTik RouterOS configuration to a binary file, which can
be stored on the router or downloaded from it using FTP for future use. The configuration restore can be used for
restoring the router's configuration, exactly as it was at the backup creation moment, from a backup file. The
restoration procedure assumes the cofiguration is restored on the same router, where the backup file was originally
created, so it will create partially broken configuration if the hardware has been changed.
The configuration export can be used for dumping out complete or partial MikroTik RouterOS configuration to the
console screen or to a text (script) file, which can be downloaded from the router using FTP protocol. The
configuration dumped is actually a batch of commands that add (without removing the existing configuration) the
selected configuration to a router. The configuration import facility executes a batch of console commands from a
script file.
System reset command is used to erase all configuration on the router. Before doing that, it might be useful to
backup the router's configuration.
System Backup
Submenu level: /system backup
Description
The backup save command is used to store the entire router configuration in a backup file. The file is shown in the
/file submenu. It can be downloaded via ftp to keep it as a backup for your configuration.
Important! The backup file contains sensitive information, do not store your backup files inside the router's Files
directory, instead, download them, and keep them in a secure location.
To restore the system configuration, for example, after a /system reset-configuration, it is possible to upload that file
via ftp and load that backup file using load command in /system backup submenu. Command Description
load name=[filename] - Load configuration backup from a file
save name=[filename] - Save configuration backup to a file
Warning: If TheDude and user-manager is installed on the router then backup will not take care of
configuration used by these tools. Therefore additional care should be taken to save configuration from these.
Use provided tool mechanisms to save/export configuration if you want to save it.
Manual:Configuration Management
146
Example
To save the router configuration to file test:
[admin@MikroTik] system backup> save name=test
Configuration backup saved
[admin@MikroTik] system backup>
To see the files stored on the router:
[admin@MikroTik] > file print
# NAME TYPE SIZE CREATION-TIME
0 test.backup backup 12567 sep/08/2004 21:07:50
[admin@MikroTik] >
To load the saved backup file test:
[admin@MikroTik] > system backup load name=test
Restore and reboot? [y/N]:
y
Restoring system configuration
System configuration restored, rebooting now
Exporting Configuration
Command name: /export
The export command prints a script that can be used to restore configuration. The command can be invoked at any
menu level, and it acts for that menu level and all menu levels below it. The output can be saved into a file, available
for download using FTP.
Command Description
file=[filename] - saves the export to a file
Example
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.1.0.172/24 10.1.0.0 10.1.0.255 bridge1
1 10.5.1.1/24 10.5.1.0 10.5.1.255 ether1
[admin@MikroTik] >
To make an export file:
[admin@MikroTik] ip address> export file=address
[admin@MikroTik] ip address>
To see the files stored on the router:
[admin@MikroTik] > file print
# NAME TYPE SIZE CREATION-TIME
0 address.rsc script 315 dec/23/2003 13:21:48
[admin@MikroTik] >
Manual:Configuration Management
147
Compact Export
Starting from v5.12 compact export was added. It allows to export only part of configuration that is not default
RouterOS config.
Note: Starting from v6rc1 "export compact" is default behavior. To do old style export use export verbose
For example compact OSPF export:
[admin@SXT-ST] /routing ospf> export compact
# jan/02/1970 20:16:32 by RouterOS 5.12
# software id = JRB7-9UGC
#
/routing ospf instance
set [ find default=yes ] redistribute-connected=as-type-1
/routing ospf interface
add disabled=yes interface=wlan1 network-type=point-to-point
/routing ospf network
add area=backbone network=10.255.255.36/32
add area=backbone disabled=yes network=10.5.101.0/24
add area=backbone network=10.10.10.0/24
[admin@SXT-ST] /routing ospf>
Compact export introduces another feature that indicates which part of config is default on RouterOS and cannot be
deleted. As in example below '*' indicates that this OSPF instance is part of default configuration.
[admin@SXT-ST] /routing ospf instance> print
Flags: X - disabled, * - default
0 * name="default" router-id=0.0.0.0 distribute-default=never
redistribute-connected=as-type-1 redistribute-static=no
redistribute-rip=no redistribute-bgp=no redistribute-other-ospf=no
metric-default=1 metric-connected=20 metric-static=20 metric-rip=20
metric-bgp=auto metric-other-ospf=auto in-filter=ospf-in
out-filter=ospf-out
List of default config by menus that cannot be removed:
Menu Entries
/interface wireless
security-profiles
default
/ppp profile "default", "default-encryption"
/ip hotspot profile "default"
/ip hotspot user profile "default"
/ip ipsec proposal "default"
/ip smb shares "pub"
/ip smb users "guest"
/ipv6 nd "all"
Manual:Configuration Management
148
/mpls interface "all"
/routing bfd interface "all"
/routing bgp instance "default"
/routing ospf instance "default"
/routing ospf area "backbone"
/routing ospf-v3 instance "default"
/routing ospf-v3 area "backbone"
/snmp community "public"
/tool mac-server
mac-winbox
"all"
/tool mac-server "all"
/system logging "info", "error", "warning", "critical"
/system logging action "memory", "disk", "echo", "remote"
/queue type "default", "ethernet-default", "wireless-default", "synchronous-default", "hotspot-default", "only-hardware-queue",
"multi-queue-ethernet-default", "default-small"
Importing Configuration
Command name: /import
The root level command /import [file_name] executes a script, stored in the specified file adds the configuration
from the specified file to the existing setup. This file may contain any console comands, including scripts. is used to
restore configuration or part of it after a /system reset event or anything that causes configuration data loss.
Command Description
file=[filename] - loads the exported configuration from a file to router
Automatic Import
Since RouterOS v3rc it is possible to automatically execute scripts - your script file has to be called
anything.auto.rsc - once this file is uploaded with FTP to the router, it will automatically be executed, just like with
the Import command. This method only works with FTP.
Once the file is uploaded, commands in the file are executed, and the file is replaced by anything.auto.log which
contains information about the success of the commands that were executed.
Example
To load the saved export file use the following command:
[admin@MikroTik] > import address.rsc
Opening script file address.rsc
Script file loaded and executed successfully
[admin@MikroTik] >
Manual:Configuration Management
149
Configuration Reset
Command name: /system reset-configuration
Description
The command clears all configuration of the router and sets it to the default including the login name and password
('admin' and no password), IP addresses and other configuration is erased, interfaces will become disabled. After the
reset command router will reboot.
Command Description
keep-users: keeps router users and passwords
no-defaults: doesn't load any default cofigurations, just clears everything
skip-backup: automatic backup is not created before reset, when yes is specified
run-after-reset: specify export file name to run after reset
Warning: If the router has been installed using netinstall and had a script specified as the initial
configuration, the reset command executes this script after purging the configuration. To stop it doing so, you
will have to reinstall the router.
Example
[admin@MikroTik] > system reset-configuration
Dangerous! Reset anyway? [y/N]: n
action cancelled
[admin@MikroTik] >
Manual:Interface
150
Manual:Interface
Applies to RouterOS: v3, v4 +
Sub Categories
List of reference sub-pages Case studies List of examples
<splist showparent=yes />
Summary
Sub-menu: /interface
MikroTik RouterOS supports a variety of Network Interface Cards as well as virtual interfaces (e.g. Bonding,
Bridge, VLAN etc.). Each of them have their own sub-menu, but common properties of all interfaces can be
configured and read in the general interface menu.
Properties
Property Description
l2mtu (integer; Default: ) Layer2 Maximum transmission unit. Note that this property can not be configured on all interfaces. Read more>>
mtu (integer; Default: ) Layer3 Maximum transmission unit
name (string; Default: ) Name of an interface
Read-only properties
Property Description
bindstr ()
bindstr2 ()
caps ()
default-name ()
dynamic (yes|no) Whether interface is dynamically created
default-name ()
fast-path (yes |
no)
flags ()
id (integer) interface id
ifindex (integer) interface index
ifname (string) interface name in Linux kernel
Manual:Interface
151
mac-address
(MAC)
max-l2mtu (integer) Max supported L2MTU
running (yes|no) Whether interface is running. Note that some interfaces may not have a 'running check' and they will always be reported as
"running" (e.g. EoIP)
rx-byte (integer) Number of received bytes. Read more>>
rx-drop (integer) Number of received packets being dropped Read more>>
rx-errors (integer) Packets received with some kind of an error. Read more>>
rx-packet (integer) Number of packets received. Read more>>
slave (yes|no) Whether interface is configured as a slave of another interface (for example Bonding)
status (string)
tx-byte (integer) Number of transmitted bytes. Read more>>
tx-drop (integer) Number of transmitted packets being dropped Read more>>
tx-errors (integer) Packets transmitted with some kind of an error. Read more>>
tx-packet (integer) Number of transmitted packets. Read more>>
Traffic monitor
The traffic passing through any interface can be monitored using following command:
/interface monitor-traffic [id | name]
For example monitor ether2 and aggregate traffic. Aggregate is used to monitor total ammount of traffic handled
by the router:
[maris@maris_main] > /interface monitor-traffic ether2,aggregate
rx-packets-per-second: 9 14
rx-drops-per-second: 0 0
rx-errors-per-second: 0 0
rx-bits-per-second: 6.6kbps 10.2kbps
tx-packets-per-second: 9 12
tx-drops-per-second: 0 0
tx-errors-per-second: 0 0
tx-bits-per-second: 13.6kbps 15.8kbps
Stats
RouterOS v3.22 introduces a new command:
/interface print stats
This command prints total packets, bytes, drops and errors.
All interfaces that support this feature will be displayed. Some interfaces are not supporting Error and Drop counters
at the moment (RB4XX except RB450G ether 2-5), these devices will not display these counters.
Traffic monitor now also displays errors per second, in addition to the usual stats:
/interface monitor-traffic
/interface ethernet print stats will display all kinds of other statistics if the interface is supporting
them (currently only RB450G ether2-ether5 and also RB750 ether2-ether5).
Manual:Interface
152
[ Top | Back to Content ]
Manual:Interface/Bonding
Applies to RouterOS: v3, v4
Summary
Bonding is a technology that allows aggregation of multiple ethernet-like interfaces into a single virtual link, thus
getting higher data rates and providing failover.
Specifications
Packages required: system
License required: Level1
Submenu level: /interface bonding
Standards and Technologies: None
Hardware usage: Not significant
Quick Setup Guide
Let us assume that we have 2 NICs in each router (Router1 and Router2) and want to get maximum data rate
between 2 routers. To make this possible, follow these steps:
Make sure that you do not have IP addresses on interfaces which will be enslaved for bonding interface!
Add bonding interface on Router1:
[admin@Router1] interface bonding> add slaves=ether1,ether2
And on Router2:
[admin@Router2] interface bonding> add slaves=ether1,ether2
Add addresses to bonding interfaces:
[admin@Router1] ip address> add address=172.16.0.1/24 interface=bonding1
[admin@Router2] ip address> add address=172.16.0.2/24 interface=bonding1
Test the link from Router1:
[admin@Router1] interface bonding> /pi 172.16.0.2
172.16.0.2 ping timeout
172.16.0.2 ping timeout
172.16.0.2 ping timeout
172.16.0.2 64 byte ping: ttl=64 time=2 ms
172.16.0.2 64 byte ping: ttl=64 time=2 ms
Manual:Interface/Bonding
153
Note: bonding interface needs a couple of seconds to get connectivity with its peer.
Link monitoring
It is critical that one of the available link monitoring options is enabled. In the above example, if
one of the bonded links were to fail, the bonding driver will still continue to send packets over the
failed link which will lead to network degradation. Bonding in RouterOS currently supports two schemes for
monitoring a link state of slave devices: MII and ARP monitoring. It is not possible to use both methods at the same
time due to restrictions in the bonding driver.
ARP Monitoring
ARP monitoring sends ARP queries and uses the response as an indication that the link is operational. This also
gives assurance that traffic is actually flowing over the links. If balance-rr and balance-xor modes are set, then the
switch should be configured to evenly distribute packets across all links. Otherwise all replies from the ARP targets
will be received on the same link which could cause other links to fail. ARP monitoring is enabled by setting three
properties link-monitoring, arp-ip-targets and arp-interval. Meaning of each option is described
later in this article. It is possible to specify multiple ARP targets that can be useful in High Availability setups. If
only one target is set, the target itself may go down. Having additional targets increases the reliability of the ARP
monitoring.
Enable ARP monitoring
[admin@Router1] interface bonding> set 0 link-monitoring=arp arp-ip-targets=172.16.0.2
[admin@Router2] interface bonding> set 0 link-monitoring=arp arp-ip-targets=172.16.0.1
We will not change arp-interval value in our example, RouterOS sets arp-interval to 100ms by default.
Unplug one of the cables to test if the link monitoring works correctly, you will notice some ping timeouts until arp
monitoring detects link failure.
[admin@Router1] interface bonding> /pi 172.16.0.2
172.16.0.2 ping timeout
172.16.0.2 64 byte ping: ttl=64 time=2 ms
172.16.0.2 ping timeout
172.16.0.2 64 byte ping: ttl=64 time=2 ms
172.16.0.2 ping timeout
172.16.0.2 64 byte ping: ttl=64 time=2 ms
172.16.0.2 64 byte ping: ttl=64 time=2 ms
172.16.0.2 64 byte ping: ttl=64 time=2 ms
MII monitoring
MII monitoring monitors only the state of the local interface. In RouterOS it is possible to configure MII monitoring
in two ways:
MII Type 1 - device driver determines whether link is up or down. If device driver does not support this option
then link will appear as always up.
MII Type 2 - deprecated calling sequences within the kernel are used to determine if link is up. This method is
less efficient but can be used on all devices. This mode should be set only if MII type 1 is not supported.
Main disadvantage is that MII monitoring can't tell if the link can actually pass packets or not, even if the link is
detected as being up.
Manual:Interface/Bonding
154
MII monitoring is configured by setting the variables link-monitoring mode and mii-interval.
Enable MII Type2 monitoring:
[admin@Router1] interface bonding> set 0 link-monitoring=mii-type-2
[admin@Router2] interface bonding> set 0 link-monitoring=mii-type-2
We will leave mii-interval to it's default value (100ms)
When unplugging one of the cables, the failure will be detected almost instantly compared to ARP link monitoring.
Bonding modes
802.3ad
802.3ad mode is an IEEE standard also called LACP (Link Aggregation Control Protocol). It includes automatic
configuration of the aggregates, so minimal configuration of the switch is needed. This standard also mandates that
frames will be delivered in order and connections should not see mis-ordering of packets. The standard also
mandates that all devices in the aggregate must operate at the same speed and duplex mode and works only with MII
link monitoring.
LACP balances outgoing traffic across the active ports based on hashed protocol header information and accepts
incoming traffic from any active port. The hash includes the Ethernet source and destination address and if available,
the VLAN tag, and the IPv4/IPv6 source and destination address. How this is calculated depends on
transmit-hash-policy parameter.
Note: layer-3-and-4 transmit hash mode is not fully compatible with LACP.
Configuration example
Example connects two ethernet interfaces on a router to the Edimax switch as a single, load balanced and fault
tolerant link. More interfaces can be added to increase throughput and fault tolerance. Since frame ordering is
mandatory on Ethernet links then any traffic between two devices always flows over the same physical link limiting
the maximum speed to that of one interface. The transmit algorithm attempts to use as much information as it can to
distinguish different traffic flows and balance across the available interfaces.
Router R1 configuration:
/inteface bonding add slaves=ether1,ether2 mode=802.3ad lacp-rate=30secs link-monitoring=mii-type1 \
transmit-hash-policy=layer-2-and-3
Configuration on a switch:
Manual:Interface/Bonding
155
Intelligent Switch : Trunk Configuration
==================
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 M1 M2
1 - v - v - - - - - - - - - - - - - - - - - - - - - -
2 - - - - - - - - - - - - - - - - - - - - - - - - - -
3 - - - - - - - - - - - - - - - - - - - - - - - - - -
4 - - - - - - - - - - - - - - - - - - - - - - - - - -
5 - - - - - - - - - - - - - - - - - - - - - - - - - -
6 - - - - - - - - - - - - - - - - - - - - - - - - - -
7 - - - - - - - - - - - - - - - - - - - - - - - - - -
TRK1 LACP
TRK2 Disable
TRK3 Disable
TRK4 Disable
TRK5 Disable
TRK6 Disable
TRK7 Disable
Notice that LACP is enabled on first trunk group (TRK1) and switch ports on first trunk group are bound with 'v'
flag. In our case port 2 and port4 will run LACP.
Verify if LACP is working: On the switch we should first verify if LACP protocol is enabled and running:
Intelligent Switch : LACP Port State Active Configuration
==================
Port State Activity Port State Activity
--------------------------- ---------------------------
2 Active
4 Active
After that we can ensure that LACP negotiated with our router. If you don't see both ports on the list then something
is wrong and LACP is not going to work.
Intelligent Switch : LACP Group Status
==================
Group
[Actor] [Partner]
Priority: 1 65535
MAC : 000E2E2206A9 000C42409426
Port_No Key Priority Active Port_No Key Priority
2 513 1 selected 1 9 255
4 513 1 selected 2 9 255
Manual:Interface/Bonding
156
After we verified that switch successfully negotiated LACP with our router, we can start traffic from Client1 and
Client2 to the Server and check how traffic is evenly forwarded through both bonding slaves:
[admin@test-host] /interface> monitor-traffic ether1,ether2,bonding1
rx-packets-per-second: 8158 8120 16278
rx-drops-per-second: 0 0 0
rx-errors-per-second: 0 0 0
rx-bits-per-second: 98.8Mbps 98.2Mbps 197.0Mbps
tx-packets-per-second: 4833 4560 9394
tx-drops-per-second: 0 0 0
tx-errors-per-second: 0 0 0
tx-bits-per-second: 2.7Mbps 3.0Mbps 5.8Mbps
Note: On some switches you need to set correct link aggregation protocol, to make balancing work in both
directions
balance-rr
If this mode is set, packets are transmitted in sequential order from the first available slave to the
last.
Balance-rr is the only mode that will send packets across multiple interfaces that belong to the same TCP/IP
connection.
When utilizing multiple sending and multiple receiving links, packets are often received out of order, which result in
segment retransmission, for other protocols such as UDP it is not a problem if client software can tolerate
out-of-order packets.
If switch is used to aggregate links together, then appropriate switch port configuration is required, however many
switches do not support balance-rr.
Quick setup guide demonstrates use of the balance-rr bonding mode. As you can see, it is quite simple to set up.
Balance-rr is also useful for bonding several wireless links, however it requires equal bandwidth for all bonded links.
If bandwidth of one bonded link drops, then total bandwidth of bond will be equal to the bandwidth of the slowest
bonded link.
active-backup
This mode uses only one active slave to transmit packets. The additional slave only becomes active if the primary
slave fails. The MAC address of the bonding interface is presented onto the active port to avoid confusing the switch.
Active-backup is the best choice in high availability setups with multiple switches that are interconnected.
ARP monitoring in this mode will not work correctly if both routers are directly connected. In such setups
mii-type1 or mii-type2 monitoring must be used or a switch should be put between routers.
Manual:Interface/Bonding
157
balance-xor
This mode balances outgoing traffic across the active ports based on the hashed protocol header information and
accepts incoming traffic from any active port. Mode is very similar to LACP except that it is not standardized and
works with layer-3-and-4 hash policy.
broadcast
When ports are configured with broadcast mode, all slave ports transmit the same packets to the destination to
provide fault tolerance. This mode does not provide load balancing.
balance-tlb
This mode balances outgoing traffic by peer. Each link can be a different speed and duplex mode and no specific
switch configuration is required as for the other modes. Downside of this mode is that only MII link monitoring is
supported and incoming traffic is not balanced. Incoming traffic will use the link that is configured as "primary".
Configuration example
Lets assume than router has two links - ether1 max bandwidth is 10Mbps and ether2 max bandwidth is 5Mbps.
First link has more bandwidth so we set it as primary link
/interface bonding add mode=balance-tlb slaves=ether1,ether2 primary=ether1
No additional configuration is required for the switch.
Image above illustrates how balance-tlb mode works. As you can see router can communicate to all the clients
connected to the switch with a total bandwidth of both links (15Mbps). But as you already know, balance-tlb is not
balancing incoming traffic. In our example clients can communicate to router with total bandwidth of primary link
which is 10Mbps in our configuration.
Manual:Interface/Bonding
158
balance-alb
Mode is basically the same as balance-tlb but incoming traffic is also balanced. Only additional downside of
this mode is that it requires device driver capability to change MAC address. Most of the cheap cards do not support
this mode.
Image above illustrates how balance-alb mode works. Compared to balance-tlb mode, traffic from clients
can also use the secondary link to communicate with the router.
Property Description
Property Description
arp (disabled | enabled | proxy-arp |
reply-only; Default: enabled)
Address Resolution Protocol for the interface.
disabled - the interface will not use ARP
enabled - the interface will use ARP
proxy-arp - the interface will use the ARP proxy feature
reply-only - the interface will only reply to requests originated from matching IP address/MAC
address combinations which are entered as static entries in the "/ip arp" table. No dynamic entries
will be automatically stored in the "/ip arp" table. Therefore for communications to be successful, a
valid static entry must already exist.
arp-interval (time; Default:
00:00:00.100)
time in milliseconds which defines how often to monitor ARP requests
arp-ip-targets (IP address;
Default: )
IP target address which will be monitored if link-monitoring is set to arp. You can specify
multiple IP addresses, separated by comma
down-delay (time; Default: 00:00:00) if a link failure has been detected, bonding interface is disabled for down-delay time. Value should
be a multiple of mii-interval
lacp-rate (1sec | 30secs; Default:
30secs)
Link Aggregation Control Protocol rate specifies how often to exchange with LACPDUs between
bonding peer. Used to determine whether link is up or other changes have occurred in the network.
LACP tries to adapt to these changes providing failover.
Manual:Interface/Bonding
159
link-monitoring (arp | mii-type1 |
mii-type2 | none; Default: none)
method to use for monitoring the link (whether it is up or down)
arp - uses Address Resolution Protocol to determine whether the remote interface is reachable
mii-type1 - uses Media Independent Interface type1 to determine link status. Link status
determination relies on the device driver
mii-type2 - similar as mii-type1, but status determination does not rely on the device driver
none - no method for link monitoring is used.
Note: some bonding modes require specific link monitoring to work properly.
mii-interval (time; Default:
00:00:00.100)
how often to monitor the link for failures (parameter used only if link-monitoring is mii-type1 or
mii-type2)
mode (802.3ad | active-backup |
balance-alb | balance-rr | balance-tlb |
balance-xor | broadcast; Default:
balance-rr)
Specifies one of the bonding policies
802.3ad - IEEE 802.3ad dynamic link aggregation. In this mode, the interfaces are aggregated in a
group where each slave shares the same speed. Provides fault tolerance and load balancing. Slave
selection for outgoing traffic is done according to the transmit-hash-policy more>
active-backup - provides link backup. Only one slave can be active at a time. Another slave
only becomes active, if first one fails. more>
balance-alb - adaptive load balancing. The same as balance-tlb but received traffic is also
balanced. Device driver should have support for changing it's MAC address. more>
balance-rr - round-robin load balancing. Slaves in bonding interface will transmit and receive
data in sequential order. Provides load balancing and fault tolerance. more>
balance-tlb - Outgoing traffic is distributed according to the current load on each slave.
Incoming traffic is not balanced and is received by the current slave. If receiving slave fails, then
another slave takes the MAC address of the failed slave. more>
balance-xor - Transmit based on the selected transmit-hash-policy. This mode provides
load balancing and fault tolerance. more>
broadcast - Broadcasts the same data on all interfaces at once. This provides fault tolerance but
slows down traffic throughput on some slow machines. more>
mtu (integer; Default: 1500) Maximum Transmit Unit in bytes
name (string; Default: ) descriptive name of bonding interface
primary (string; Default: ) Interface is used as primary output interface. If primary interface fails, only then are other slaves used.
This value works only with active-backup mode
slaves (string; Default: none) at least two ethernet-like interfaces separated by a comma, which will be used for bonding
up-delay (time; Default: 00:00:00) if a link has been brought up, bonding interface is disabled for up-delay time and after this time it is
enabled. Value should be a multiple of mii-interval
transmit-hash-policy (layer-2 |
layer-2-and-3 | layer-3-and-4; Default:
layer-2)
Selects the transmit hash policy to use for slave selection in balance-xor and 802.3ad modes
layer-2 - Uses XOR of hardware MAC addresses to generate the hash. This algorithm will place
all traffic to a particular network peer on the same slave. This algorithm is 802.3ad compliant.
layer-2-and-3 - This policy uses a combination of layer2 and layer3 protocol information to
generate the hash. Uses XOR of hardware MAC addresses and IP addresses to generate the hash.
This algorithm will place all traffic to a particular network peer on the same slave. For non-IP traffic,
the formula is the same as for the layer2 transmit hash policy. This policy is intended to provide a
more balanced distribution of traffic than layer2 alone, especially in environments where a layer3
gateway device is required to reach most destinations. This algorithm is 802.3ad compliant.
layer-3-and-4 - This policy uses upper layer protocol information, when available, to generate
the hash. This allows for traffic to a particular network peer to span multiple slaves, although a single
connection will not span multiple slaves. For fragmented TCP or UDP packets and all other IP
protocol traffic, the source and destination port information is omitted. For non-IP traffic, the formula
is the same as for the layer2 transmit hash policy. This algorithm is not fully 802.3ad compliant.
Manual:Interface/Bonding
160
Notes
Link failure detection and failover is working significantly better with expensive network cards, for example, made
by Intel, then with more cheap ones. On Intel cards for example, failover is taking place in less than a second after
link loss, while on some other cards, it may require up to 20 seconds. Also, the Active load balancing
(mode=balance-alb) does not work on some cheap cards.
L2 MTU of bonding interface is determined by taking smallest value of all slaves.
Manual:Interface/Bridge
Applies to RouterOS: v3, v4+
Summary
Sub-menu: /interface bridge
Standards: IEEE802.1D
[1]
Ethernet-like networks (Ethernet, Ethernet over IP, IEEE802.11 in ap-bridge or bridge mode, WDS, VLAN) can be
connected together using MAC bridges. The bridge feature allows the interconnection of hosts connected to separate
LANs (using EoIP, geographically distributed networks can be bridged as well if any kind of IP network
interconnection exists between them) as if they were attached to a single LAN. As bridges are transparent, they do
not appear in traceroute list, and no utility can make a distinction between a host working in one LAN and a host
working in another LAN if these LANs are bridged (depending on the way the LANs are interconnected, latency and
data rate between hosts may vary).
Network loops may emerge (intentionally or not) in complex topologies. Without any special treatment, loops would
prevent network from functioning normally, as they would lead to avalanche-like packet multiplication. Each bridge
runs an algorithm which calculates how the loop can be prevented. STP and RSTP allows bridges to communicate
with each other, so they can negotiate a loop free topology. All other alternative connections that would otherwise
form loops, are put to standby, so that should the main connection fail, another connection could take its place. This
algorithm exchanges configuration messages (BPDU - Bridge Protocol Data Unit) periodically, so that all bridges
are updated with the newest information about changes in network topology. (R)STP selects a root bridge which is
responsible for network reconfiguration, such as blocking and opening ports on other bridges. The root bridge is the
bridge with the lowest bridge ID.
Manual:Interface/Bridge
161
Bridge Interface Setup
Sub-menu: /interface bridge
To combine a number of networks into one bridge, a bridge interface should be created (later, all the desired
interfaces should be set up as its ports). One MAC address will be assigned to all the bridged interfaces (the smallest
MAC address will be chosen automatically).
Property Description
admin-mac (MAC address; Default: ) Static MAC address of the bridge (takes effect if auto-mac=no)
ageing-time (time; Default: 00:05:00) How long a host's information will be kept in the bridge database
arp (disabled | enabled | proxy-arp |
reply-only; Default: enabled)
Address Resolution Protocol setting
disabled - the interface will not use ARP
enabled - the interface will use ARP
proxy-arp - the interface will use the ARP proxy feature
reply-only - the interface will only reply to requests originated from matching IP
address/MAC address combinations which are entered as static entries in the "/ip arp" table. No
dynamic entries will be automatically stored in the "/ip arp" table. Therefore for
communications to be successful, a valid static entry must already exist.
auto-mac (yes | no; Default: yes) Automatically select the smallest MAC address of bridge ports as a bridge MAC address
forward-delay (time; Default: 00:00:15) Time which is spent during the initialization phase of the bridge interface (i.e., after router startup
or enabling the interface) in listening/learning state before the bridge will start functioning normally
l2mtu (integer; read-only) Layer2 Maximum transmission unit. read more
max-message-age (time; Default:
00:00:20)
How long to remember Hello messages received from other bridges
mtu (integer; Default: 1500) Maximum Transmission Unit
name (text; Default: bridgeN) Name of the bridge interface
priority (integer: 0..65535 decimal
format or 0x0000-0xffff hex format; Default:
32768 / 0x8000)
Spanning tree protocol priority for bridge interface. Bridge with the smallest (lowest) bridge ID
becomes a Root-Bridge. Bridge ID consists of two numbers - priority and MAC address of the
bridge. To compare two bridge IDs, the priority is compared first. If two bridges have equal
priority, then the MAC addresses are compared.
protocol-mode (none | rstp | stp; Default:
none)
Select Spanning tree protocol (STP) or Rapid spanning tree protocol (RSTP) to ensure a loop-free
topology for any bridged LAN. RSTP provides for faster spanning tree convergence after a
topology change.
transmit-hold-count (integer: 1..10;
Default: 6)
The Transmit Hold Count used by the Port Transmit state machine to limit transmission rate
http:/ / en. wikipedia. org/ wiki/ Spanning_Tree_Protocol
[2]
To add and enable a bridge interface that will forward all the protocols:
[admin@MikroTik] /interface bridge> add
[admin@MikroTik] /interface bridge> print
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 l2mtu=65535 arp=enabled
mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s
forward-delay=15s transmit-hold-count=6 ageing-time=5m
[admin@MikroTik] /interface bridge>
Manual:Interface/Bridge
162
Bridge Settings
Sub-menu: /interface bridge settings
Property Description
allow-fast-path (yes | no; Default: yes) Allows fast path
use-ip-firewall (yes | no; Default: no) Send bridged traffic to also be processed by 'IP firewall'
use-ip-firewall-for-pppoe (yes | no;
Default: no)
Send bridged un-encrypted PPPoE traffic to also be processed by 'IP firewall' (requires
use-ip-firewall=yes to work)
use-ip-firewall-for-vlan (yes | no;
Default: no)
Send bridged VLAN traffic to also be processed by 'IP firewall' (requires
use-ip-firewall=yes to work)
Port Settings
Sub-menu: /interface bridge port
Port submenu is used to enslave interfaces in a particular bridge interface.
Property Description
bridge (name; Default: none) The bridge interface the respective interface is grouped in
edge (auto | no | no-discover | yes |
yes-discover; Default: auto)
Set port as edge port or non-edge port, or enable automatic detection. Edge ports are connected to a LAN that
has no other bridges attached. If the port is configured to discover edge port then as soon as the bridge detects
a BPDU coming to an edge port, the port becomes a non-edge port.
external-fdb (auto | no | yes;
Default: auto)
Whether to use wireless registration table to speed up bridge host learning
horizon (none | integer
0..429496729; Default: none)
Use split horizon bridging to prevent bridging loops. read more
interface (name; Default: none) Name of the interface
path-cost (integer: 0..65535;
Default: 10)
Path cost to the interface, used by STP to determine the "best" path
point-to-point (auto | yes |
no; Default: auto)
priority (integer: 0..255;
Default: 128)
The priority of the interface in comparison with other going to the same subnet
To group ether1 and ether2 in the already created bridge1 bridge
[admin@MikroTik] /interface bridge port> add bridge=bridge1 interface=ether1
[admin@MikroTik] /interface bridge port> add bridge=bridge1 interface=ether2
[admin@MikroTik] /interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 ether1 bridge1 0x80 10 none
1 ether2 bridge1 0x80 10 none
[admin@MikroTik] /interface bridge port>
Manual:Interface/Bridge
163
Bridge Monitoring
Sub-menu: /interface bridge monitor
Used to monitor the current status of a bridge.
Property Description
current-mac-address (MAC address) Current MAC address of the bridge
designated-port-count (integer) Number of designated bridge ports
port-count (integer) Number of the bridge ports
root-bridge (yes | no) Shows whether bridge is the root bridge of the spanning tree
root-bridge-id (text) The root bridge ID, which is in form of bridge-priority.bridge-MAC-address
root-path-cost (integer) The total cost of the path to the root-bridge
root-port (name) Port to which the root bridge is connected to
state (enabled | disabled) State of the bridge
To monitor a bridge:
[admin@MikroTik] /interface bridge> monitor bridge1
state: enabled
current-mac-address: 00:0C:42:52:2E:CE
root-bridge: yes
root-bridge-id: 0x8000.00:00:00:00:00:00
root-path-cost: 0
root-port: none
port-count: 2
designated-port-count: 0
[admin@MikroTik] /interface bridge>
Bridge Port Monitoring
Sub-menu: /interface bridge port monitor
Statistics of an interface that belongs to a bridge.
Property Description
edge-port (yes | no) Whether port is an edge port or not
edge-port-discovery (yes | no) Whether port is set to automatically detect edge ports
external-fdb (yes | no) Shows whether registration table is used instead of forwarding data base
forwarding (yes | no) Port state
learning (yes | no) Port state
port-number (integer 1..4095) Port identifier
point-to-point-port (yes | no)
Manual:Interface/Bridge
164
role (designated | root port | alternate | backup |
disabled)
(R)STP algorithm assigned role of the port:
Disabled port - not strictly part of STP, a network administrator can manually disable
a port
Root port a forwarding port that is the best port from Nonroot-bridge to Rootbridge
Alternative port an alternate path to the root bridge. This path is different than using
the root port
Designated port a forwarding port for every LAN segment
Backup port a backup/redundant path to a segment where another bridge port
already connects.
sending-rstp (yes | no) Whether the port is sending BPDU messages
status (in-bridge | inactive) Port status
To monitor a bridge port:
[admin@MikroTik] /interface bridge port> monitor 0
status: in-bridge
port-number: 1
role: designated-port
edge-port: no
edge-port-discovery: yes
point-to-point-port: no
external-fdb: no
sending-rstp: no
learning: yes
forwarding: yes
[admin@MikroTik] /interface bridge port>
Bridge Host Monitoring
Sub-menu: /interface bridge host
Property Description
age (read-only: time) The time since the last packet was received from the host
bridge (read-only: name) The bridge the entry belongs to
external-fdb (read-only: flag) Whether the host was learned using wireless registration table
local (read-only: flag) Whether the host entry is of the bridge itself (that way all local interfaces are shown)
mac-address (read-only: MAC address) Host's MAC address
on-interface (read-only: name) Which of the bridged interfaces the host is connected to
To get the active host table:
[admin@MikroTik] /interface bridge host> print
Flags: L - local, E - external-fdb
BRIDGE MAC-ADDRESS ON-INTERFACE AGE
bridge1 00:00:00:00:00:01 ether2 3s
bridge1 00:01:29:FF:1D:CC ether2 0s
L bridge1 00:0C:42:52:2E:CF ether2 0s
bridge1 00:0C:42:52:2E:D0 ether2 3s
bridge1 00:0C:42:5C:A5:AE ether2 0s
Manual:Interface/Bridge
165
[admin@MikroTik] /interface bridge host>
Bridge Firewall
Sub-menu: /interface bridge filter, /interface bridge nat
The bridge firewall implements packet filtering and thereby provides security functions that are used to manage data
flow to, from and through bridge.
Packet flow diagram shows how packets are processed through router. It is possible to force bridge traffic to go
through /ip firewall filter rules (see: Bridge Settings)
There are two bridge firewall tables:
filter - bridge firewall with three predefined chains:
input - filters packets, where the destination is the bridge (including those packets that will be routed, as they
are destined to the bridge MAC address anyway)
output - filters packets, which come from the bridge (including those packets that has been routed normally)
forward - filters packets, which are to be bridged (note: this chain is not applied to the packets that should be
routed through the router, just to those that are traversing between the ports of the same bridge)
nat - bridge network address translation provides ways for changing source/destination MAC addresses of the
packets traversing a bridge. Has two built-in chains:
srcnat - used for "hiding" a host or a network behind a different MAC address. This chain is applied to the
packets leaving the router through a bridged interface
dstnat - used for redirecting some packets to other destinations
You can put packet marks in bridge firewall (filter and NAT), which are the same as the packet marks in IP firewall
put by '/ip firewall mangle'. In this way, packet marks put by bridge firewall can be used in 'IP firewall',
and vice versa.
General bridge firewall properties are described in this section. Some parameters that differ between nat and filter
rules are described in further sections.
Property802.3-sap (integer)802.3-type (integer)arp-dst-address (IP address; default:
)arp-dst-mac-address (MAC address; default: )arp-gratuitous (yes | no; default:
)arp-hardware-type (integer; default: 1)arp-opcode (arp-nak | drarp-error | drarp-reply | drarp-request |
inarp-reply | inarp-request | reply | reply-reverse | request | request-reverse)arp-packet-type (integer:
0..65535 decimal format or 0x0000-0xffff hex format)arp-src-address (IP address; default:
)arp-src-mac-address (MAC address; default: )chain (text)dst-address (IP address; default:
)dst-mac-address (MAC address; default: )dst-port (integer 0..65535)in-bridge
(name)in-interface (name)ingress-priority (integer 0..63)ip-protocol (ddp | egp | encap |
etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag |
ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | st | tcp | udp | vmtp | vrrp |
xns-idp | xtp)jump-target (name)limit (integer/time,integer)log-prefix (text)mac-protocol (802.2
| arp | ip | ipv6 | ipx | length | mpls-multicast | mpls-unicast | pppoe | pppoe-discovery | rarp | vlan or integer:
0..65535 decimal format or 0x0000-0xffff hex format)out-bridge (name)out-interface
(name)packet-mark (name)packet-type (broadcast | host | multicast | other-host)src-address (IP
address; default: )src-mac-address (MAC address; default: )src-port (integer 0..65535)stp-flags
(topology-change | topology-change-ack)stp-forward-delay (time 0..65535)stp-hello-time (time
0..65535)stp-max-age (time 0..65535)stp-msg-age (time 0..65535)stp-port (integer
0..65535)stp-root-address (MAC address)stp-root-cost (integer 0..65535)stp-root-priority
(integer 0..65535)stp-sender-address (MAC address)stp-sender-priority (integer
0..65535)stp-type (config | tcn)vlan-encap (802.2 | arp | ip | ipv6 | ipx | length | mpls-multicast |
Manual:Interface/Bridge
166
mpls-unicast | pppoe | pppoe-discovery | rarp | vlan or integer: 0..65535 decimal format or 0x0000-0xffff hex
format)vlan-id (integer 0..4095)vlan-priority (integer 0..7)DescriptionDSAP (Destination Service Access
Point) and SSAP (Source Service Access Point) are 2 one byte fields, which identify the network protocol entities
which use the link layer service. These bytes are always equal. Two hexadecimal digits may be specified here to
match a SAP byteEthernet protocol type, placed after the IEEE 802.2 frame header. Works only if 802.3-sap is
0xAA (SNAP - Sub-Network Attachment Point header). For example, AppleTalk can be indicated by SAP code of
0xAA followed by a SNAP type code of 0x809BARP destination addressARP destination MAC addressMatches
ARP gratuitous packetsARP hardware type. This is normally Ethernet (Type 1) ARP opcode (packet type)
arp-nak - negative ARP reply (rarely used, mostly in ATM networks)
drarp-error - Dynamic RARP error code, saying that an IP address for the given MAC address can not be
allocated
drarp-reply - Dynamic RARP reply, with a temporaty IP address assignment for a host
drarp-request - Dynamic RARP request to assign a temporary IP address for the given MAC address
inarp-reply - InverseARP Reply
inarp-request - InverseARP Request
reply - standard ARP reply with a MAC address
reply-reverse - reverse ARP (RARP) reply with an IP address assigned
request - standard ARP request to a known IP address to find out unknown MAC address
request-reverse - reverse ARP (RARP) request to a known MAC address to find out unknown IP address
(intended to be used by hosts to find out their own IP address, similarly to DHCP service)
ARP Packet TypeARP source addressARP source MAC addressBridge firewall chain, which the filter is functioning
in (either a built-in one, or a user defined)Destination IP address (only if MAC protocol is set to IPv4)Destination
MAC addressDestination port number or range (only for TCP or UDP protocols)Bridge interface through which the
packet is coming inPhysical interface (i.e., bridge port) through which the packet is coming inMatches ingress
priority of the packet. Priority may be derived from VLAN, WMM or MPLS EXP bit. read more IP protocol (only
if MAC protocol is set to IPv4)
ddp - datagram delivery protocol
egp - exterior gateway protocol
encap - ip encapsulation
etherip -
ggp - gateway-gateway protocol
gre - general routing encapsulation
hmp - host monitoring protocol
icmp - IPv4 internet control message protocol
icmpv6 - IPv6 internet control message protocol
idpr-cmtp - idpr control message transport
igmp - internet group management protocol
ipencap - ip encapsulated in ip
ipip - ip encapsulation
ipsec-ah - IPsec AH protocol
ipsec-esp - IPsec ESP protocol
ipv6 -
ipv6-frag -
ipv6-nonxt -
ipv6-opts -
ipv6-route -
iso-tp4 - iso transport protocol class 4
Manual:Interface/Bridge
167
l2tp -
ospf - open shortest path first
pim - protocol independent multicast
pup - parc universal packet protocol
rspf - radio shortest path first
rsvp -
rdp - reliable datagram protocol
st - st datagram mode
tcp - transmission control protocol
udp - user datagram protocol
vmtp - versatile message transport
vrrp - Virtual Router Redundancy Protocol
xns-idp - xerox ns idp
xtp xpress transfer protocol
If action=jump specified, then specifies the user-defined firewall chain to process the packet Restricts packet
match rate to a given limit.
count - maximum average packet rate, measured in packets per second (pps), unless followed by Time option
time - specifies the time interval over which the packet rate is measured
burst - number of packets to match in a burst
Defines the prefix to be printed before the logging informationEthernet payload type (MAC-level protocol)
802.2
arp - Type 0x0806 - ARP
ip - Type 0x0800 - IPv4
ipv6 - Type 0x86dd - IPv6
ipx - Type 0x8137 - "Internetwork Packet Exchange"
length
mpls-multicast - Type 0x8848 - MPLS Multicast
mpls-unicast - Type 0x8847 - MPLS Unicast
ppoe - Type 0x8864 - PPPoE Session
ppoe-discovery - Type 0x8863 - PPPoE Discovery
rarp - Type 0x8035 - Reverse ARP
vlan - Type 0x8100 - 802.1Q tagged VLAN
Outgoing bridge interfaceInterface that the packet is leaving the bridge throughMatch packets with certain packet
mark MAC frame type:
broadcast - broadcast MAC packet
host - packet is destined to the bridge itself
multicast - multicast MAC packet
other-host - packet is destined to some other unicast address, not to the bridge itself
Source IP address (only if MAC protocol is set to IPv4)Source MAC addressSource port number or range (only for
TCP or UDP protocols) The BPDU (Bridge Protocol Data Unit) flags. Bridge exchange configuration messages
named BPDU periodically for preventing loops
topology-change - topology change flag is set when a bridge detects port state change, to force all other bridges
to drop their host tables and recalculate network topology
topology-change-ack - topology change acknowledgement flag is sen in replies to the notification packets
Manual:Interface/Bridge
168
Forward delay timerSTP hello packets timeMaximal STP message ageSTP message ageSTP port identifierRoot
bridge MAC addressRoot bridge costRoot bridge prioritySTP message sender MAC addressSTP sender priority The
BPDU type:
config - configuration BPDU
tcn - topology change notification
the MAC protocol type encapsulated in the VLAN frameVLAN identifier fieldThe user priority field
STP matchers are only valid if destination MAC address is 01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF (Bridge Group
address), also stp should be enabled.
ARP matchers are only valid if mac-protocol is arp or rarp
VLAN matchers are only valid for vlan ethernet protocol
IP-related matchers are only valid if mac-protocol is set as ipv4
802.3 matchers are only consulted if the actual frame is compliant with IEEE 802.2 and IEEE 802.3 standards
(note: it is not the industry-standard Ethernet frame format used in most networks worldwide!). These matchers
are ignored for other packets.
Bridge Packet Filter
Sub-menu: /interface bridge filter
This section describes bridge packet filter specific filtering options, that are specific to '/interface bridge
filter'.
Property Description
action (accept | drop | jump | log |
mark-packet | passthrough | return |
set-priority)
accept - accept the packet. No action, i.e., the packet is passed through without undertaking any
action, and no more rules are processed in the relevant list/chain
drop - silently drop the packet (without sending the ICMP reject message)
jump - jump to the chain specified by the value of the jump-target argument
log - log the packet
mark - mark the packet to use the mark later
passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule,
except for ability to count packets
return - return to the previous chain, from where the jump took place
set-priority - set priority specified by the new-priority parameter on the packets sent out through
a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). Read
more>
Bridge NAT
Sub-menu: /interface bridge nat
This section describes bridge NAT options, that are specific to '/interface bridge nat'.
Manual:Interface/Bridge
169
Property Description
action (accept | drop | jump | mark-packet | redirect |
set-priority | arp-reply | dst-nat | log | passthrough | return |
src-nat)
accept - accept the packet. No action, i.e., the packet is passed through
without undertaking any action, and no more rules are processed in the
relevant list/chain
arp-reply - send a reply to an ARP request (any other packets will be ignored
by this rule) with the specified MAC address (only valid in dstnat chain)
drop - silently drop the packet (without sending the ICMP reject message)
dst-nat - change destination MAC address of a packet (only valid in dstnat
chain)
jump - jump to the chain specified by the value of the jump-target argument
log - log the packet
mark - mark the packet to use the mark later
passthrough - ignore this rule and go on to the next one. Acts the same way
as a disabled rule, except for ability to count packets
redirect - redirect the packet to the bridge itself (only valid in dstnat chain)
return - return to the previous chain, from where the jump took place
set-priority - set priority specified by the new-priority parameter on the
packets sent out through a link that is capable of transporting priority (VLAN
or WMM-enabled wireless interface). Read more>
src-nat - change source MAC address of a packet (only valid in srcnat chain)
to-arp-reply-mac-address (MAC address) Source MAC address to put in Ethernet frame and ARP payload, when
action=arp-reply is selected
to-dst-mac-address (MAC address) Destination MAC address to put in Ethernet frames, when action=dst-nat
is selected
to-src-mac-address (MAC address) Source MAC address to put in Ethernet frames, when action=src-nat is
selected
[ Top | Back to Content ]
References
[1] http:/ / standards.ieee. org/ getieee802/ download/ 802.1D-2004. pdf
[2] http:/ / en. wikipedia. org/ wiki/ Spanning_Tree_Protocol
Manual:Interface/EoIP
170
Manual:Interface/EoIP
Applies to RouterOS: 2.9, v3, v4+
Summary
Sub-menu: /interface eoip
Standards: GRE RFC 1701
Ethernet over IP (EoIP) Tunneling is a MikroTik RouterOS protocol that creates an Ethernet tunnel between two
routers on top of an IP connection. The EoIP tunnel may run over IPIP tunnel, PPTP tunnel or any other connection
capable of transporting IP.
When the bridging function of the router is enabled, all Ethernet traffic (all Ethernet protocols) will be bridged just
as if there where a physical Ethernet interface and cable between the two routers (with bridging enabled). This
protocol makes multiple network schemes possible.
Network setups with EoIP interfaces:
Possibility to bridge LANs over the Internet
Possibility to bridge LANs over encrypted tunnels
Possibility to bridge LANs over 802.11b 'ad-hoc' wireless networks
The EoIP protocol encapsulates Ethernet frames in GRE (IP protocol number 47) packets (just like PPTP) and sends
them to the remote side of the EoIP tunnel.
Properties
Property Description
arp (disabled | enabled |
proxy-arp | reply-only; Default:
enabled)
Address Resolution Protocol mode.
disabled - the interface will not use ARP
enabled - the interface will use ARP
proxy-arp - the interface will use the ARP proxy feature
reply-only - the interface will only reply to requests originated from matching IP address/MAC address
combinations which are entered as static entries in the "/ip arp" table. No dynamic entries will be
automatically stored in the "/ip arp" table. Therefore for communications to be successful, a valid static
entry must already exist.
keepalive (integer; Default:
not set)
keep-alive timer, sets time interval (seconds) in what keep-alive messages should be received. If 3 messages are
missed, interface running flag is removed. For this to work, keepalive has to be set to same value on both ends
of the tunnel, since one end is expecting messages from the other one and is sending keepalive messages in that
direction.
l2mtu (integer; Default: ) Layer2 Maximum transmission unit. Not configurable for EoIP. Read more>>
local-address (IP; Default:
)
Source address of the tunnel packets, local on the router.
mac-address (MAC; Default:
)
Media Access Control number of an interface. The address numeration authority IANA allows the use of MAC
addresses in the range from 00:00:5E:80:00:00 - 00:00:5E:FF:FF:FF freely
mtu (integer; Default: 1500) Layer3 Maximum transmission unit
name (string; Default: ) Interface name
Manual:Interface/EoIP
171
remote-address (IP;
Default: )
IP address of remote end of EoIP tunnel
tunnel-id (integer: 65536;
Default: )
Unique tunnel identifier, which must match other side of the tunnel
Notes
tunnel-id is method of identifying tunnel. It must be unique for each EoIP tunnel.
mtu should be set to 1500 to eliminate packet refragmentation inside the tunnel (that allows transparent bridging of
Ethernet-like networks, so that it would be possible to transport full-sized Ethernet frame over the tunnel).
When bridging EoIP tunnels, it is highly recommended to set unique MAC addresses for each tunnel for the bridge
algorithms to work correctly. For EoIP interfaces you can use MAC addresses that are in the range from
00:00:5E:80:00:00 - 00:00:5E:FF:FF:FF , which IANA has reserved for such cases. Alternatively, you can set the
second bit of the first byte to modify the auto-assigned address into a 'locally administered address', assigned by the
network administrator and thus use any MAC address, you just need to ensure they are unique between the hosts
connected to one bridge.
Note: EoIP tunnel adds at least 42 byte overhead (8byte GRE + 14 byte Ethernet + 20 byte IP)
Setup examples
Let us assume we want to bridge two networks: 'Office LAN' and 'Remote LAN'. By using EoIP
setup can be made so that Office and Remote LANs are in the same Layer2 broadcast domain.
Consider following setup:
As you know wireless station cannot be bridged, to overcome this limitation (not involving WDS) we will create
EoIP tunnel over the wireless link and bridge it with interfaces connected to local networks.
We will not cover wireless configuration in this example, lets assume that wireless link is already established
At first we create EoIP tunnel on our gateway ...
[admin@Our_GW] interface eoip> add name="eoip-remote" tunnel-id=0 \
\... remote-address=10.0.0.2
Manual:Interface/EoIP
172
[admin@Our_GW] interface eoip> enable eoip-remote
[admin@Our_GW] interface eoip> print
Flags: X - disabled, R - running
0 name=eoip-remote mtu=1500 arp=enabled remote-address=10.0.0.2 tunnel-id=0
[admin@Our_GW] interface eoip>
... and on Remote router
[admin@Remote] interface eoip> add name="eoip" tunnel-id=0 \
\... remote-address=10.0.0.1
[admin@Remote] interface eoip> enable eoip-main
[admin@Remote] interface eoip> print
Flags: X - disabled, R - running
0 name=eoip mtu=1500 arp=enabled remote-address=10.0.0.1 tunnel-id=0
[admin@Remote] interface eoip>
Next step is to bridge local interfaces with EoIP tunnel On Our GW ...
[admin@Our_GW] interface bridge> add
[admin@Our_GW] interface bridge> print
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
protocol-mode=none priority=0x8000 auto-mac=yes
admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s
transmit-hold-count=6 ageing-time=5m
[admin@Our_GW] interface bridge> port add bridge=bridge1 interface=eoip-remote
[admin@Our_GW] interface bridge> port add bridge=bridge1 interface=office-eth
[admin@Our_GW] interface bridge> port print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST
0 eoip-remote bridge1 128 10
1 office-eth bridge1 128 10
[admin@Our_GW] interface bridge>
... and Remote router:
[admin@Remote] interface bridge> add
[admin@Remote] interface bridge> print
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
protocol-mode=none priority=0x8000 auto-mac=yes
admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s
transmit-hold-count=6 ageing-time=5m
[admin@Remote] interface bridge> port add bridge=bridge1 interface=ether
[admin@Remote] interface bridge> port add bridge=bridge1 interface=eoip-main
[admin@Remote] interface bridge> port print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST
0 ether bridge1 128 10
Manual:Interface/EoIP
173
1 eoip-main bridge1 128 10
[admin@Remote] interface bridge>
Now both sites are in the same Layer2 broadcast domain. You can set up IP addresses from the same network on
both sites.
[ Top | Back to Content ]
Article Sources and Contributors
174
Article Sources and Contributors
Manual:TOC Source: http://wiki.mikrotik.com/index.php?oldid=26201 Contributors: Becs, Marisb
Manual:First time startup Source: http://wiki.mikrotik.com/index.php?oldid=22160 Contributors: Jandrade28, Janisk, Kirshteins, Marisb, MarkSorensen, Nest, Normis, Rock on all you f little
dudes!, SergejsB
Manual:Initial Configuration Source: http://wiki.mikrotik.com/index.php?oldid=22340 Contributors: Janisk, Marisb
Manual:Console login process Source: http://wiki.mikrotik.com/index.php?oldid=21955 Contributors: Eep, Janisk, Marisb, Normis
Manual:Troubleshooting tools Source: http://wiki.mikrotik.com/index.php?oldid=22862 Contributors: Andriss, Janisk, Marisb, Normis
Manual:Support Output File Source: http://wiki.mikrotik.com/index.php?oldid=22202 Contributors: Janisk, Marisb, Maximan, Normis, SergejsB
Manual:RouterOS features Source: http://wiki.mikrotik.com/index.php?oldid=25703 Contributors: Janisk, Marisb, Megis, Normis, SergejsB, Uldis
Manual:RouterOS FAQ Source: http://wiki.mikrotik.com/index.php?oldid=21957 Contributors: B.Gates, Dsdee, Eep, Eugene, Grimp, Marisb, Nest, Normis, Rieks
Manual:Connection oriented communication (TCP/IP) Source: http://wiki.mikrotik.com/index.php?oldid=19069 Contributors: Andriss, Marisb
Manual:Console Source: http://wiki.mikrotik.com/index.php?oldid=22857 Contributors: Eep, Janisk, Marisb, Normis
Manual:Winbox Source: http://wiki.mikrotik.com/index.php?oldid=26174 Contributors: Janisk, Marisb, Normis, Nz monkey
Manual:Webfig Source: http://wiki.mikrotik.com/index.php?oldid=23656 Contributors: Janisk, Marisb, Normis
Manual:License Source: http://wiki.mikrotik.com/index.php?oldid=26274 Contributors: Becs, Eep, Janisk, Krisjanis, Marisb, Maximan, NathanA, Nest, Normis, SergejsB
Manual:Purchasing a License for RouterOS Source: http://wiki.mikrotik.com/index.php?oldid=21858 Contributors: Eep, Janisk, Marisb, Normis, SergejsB, Sunfire
Manual:Entering a RouterOS License key Source: http://wiki.mikrotik.com/index.php?oldid=16869 Contributors: Eep, Janisk, Ldvaden, Marisb, Nest, Normis
Manual:Replacement Key Source: http://wiki.mikrotik.com/index.php?oldid=17470 Contributors: Eep, Marisb, Normis
Manual:Product Naming Source: http://wiki.mikrotik.com/index.php?oldid=25605 Contributors: Marisb, Megis
Manual:RouterOS6 news Source: http://wiki.mikrotik.com/index.php?oldid=25854 Contributors: Janisk, Krisjanis, Marisb, Normis
Manual:Default Configurations Source: http://wiki.mikrotik.com/index.php?oldid=26108 Contributors: Marisb, Normis
Manual:System/Packages Source: http://wiki.mikrotik.com/index.php?oldid=21218 Contributors: Enk, Janisk, Marisb, Normis, SergejsB
Manual:Upgrading RouterOS Source: http://wiki.mikrotik.com/index.php?oldid=25844 Contributors: Axtell, Eep, Janisk, Marisb, Normis, SergejsB
Manual:CD Install Source: http://wiki.mikrotik.com/index.php?oldid=22698 Contributors: Janisk, Marisb, Normis, SergejsB
Manual:Netinstall Source: http://wiki.mikrotik.com/index.php?oldid=25852 Contributors: Becs, Janisk, Marisb, MarkSorensen, Normis, SergejsB
Manual:Configuration Management Source: http://wiki.mikrotik.com/index.php?oldid=26239 Contributors: Janisk, Marisb, Normis, SergejsB
Manual:Interface Source: http://wiki.mikrotik.com/index.php?oldid=26135 Contributors: Janisk, Marisb, Nest
Manual:Interface/Bonding Source: http://wiki.mikrotik.com/index.php?oldid=25946 Contributors: Janisk, Marisb, Nest, Normis
Manual:Interface/Bridge Source: http://wiki.mikrotik.com/index.php?oldid=25947 Contributors: Janisk, Kirshteins, Marisb, Nest
Manual:Interface/EoIP Source: http://wiki.mikrotik.com/index.php?oldid=25948 Contributors: Eugene, HarvSki, Huri, Janisk, Kirshteins, Marisb, Nest
Image Sources, Licenses and Contributors
175
Image Sources, Licenses and Contributors
Image:Version.png Source: http://wiki.mikrotik.com/index.php?title=File:Version.png License: unknown Contributors: Normis
File:Winbox-loader2.png Source: http://wiki.mikrotik.com/index.php?title=File:Winbox-loader2.png License: unknown Contributors: Marisb
File:Winbox-workarea.png Source: http://wiki.mikrotik.com/index.php?title=File:Winbox-workarea.png License: unknown Contributors: Marisb
File:Webfig-2.png Source: http://wiki.mikrotik.com/index.php?title=File:Webfig-2.png License: unknown Contributors: Marisb
File:initial_screen_webfig.png Source: http://wiki.mikrotik.com/index.php?title=File:Initial_screen_webfig.png License: unknown Contributors: Janisk
File:webfig_login.png Source: http://wiki.mikrotik.com/index.php?title=File:Webfig_login.png License: unknown Contributors: Janisk
File:goto_system.png Source: http://wiki.mikrotik.com/index.php?title=File:Goto_system.png License: unknown Contributors: Janisk, Marisb
File:users_management.png Source: http://wiki.mikrotik.com/index.php?title=File:Users_management.png License: unknown Contributors: Janisk
File:ediit_create_user.png Source: http://wiki.mikrotik.com/index.php?title=File:Ediit_create_user.png License: unknown Contributors: Janisk
File:change_password_user_edit.png Source: http://wiki.mikrotik.com/index.php?title=File:Change_password_user_edit.png License: unknown Contributors: Janisk
File:DHCP_client.png Source: http://wiki.mikrotik.com/index.php?title=File:DHCP_client.png License: unknown Contributors: Janisk
File:add_new_address.png Source: http://wiki.mikrotik.com/index.php?title=File:Add_new_address.png License: unknown Contributors: Janisk
File:adding_new_address.png Source: http://wiki.mikrotik.com/index.php?title=File:Adding_new_address.png License: unknown Contributors: Janisk
Image:Icon-note.png Source: http://wiki.mikrotik.com/index.php?title=File:Icon-note.png License: unknown Contributors: Marisb, Route
File:check_nat_masquerade.png Source: http://wiki.mikrotik.com/index.php?title=File:Check_nat_masquerade.png License: unknown Contributors: Janisk
File:masqurade_rule.png Source: http://wiki.mikrotik.com/index.php?title=File:Masqurade_rule.png License: unknown Contributors: Janisk
File:to_the_routes.png Source: http://wiki.mikrotik.com/index.php?title=File:To_the_routes.png License: unknown Contributors: Janisk
File:add_default_route.png Source: http://wiki.mikrotik.com/index.php?title=File:Add_default_route.png License: unknown Contributors: Janisk
File:route_add_gateway.png Source: http://wiki.mikrotik.com/index.php?title=File:Route_add_gateway.png License: unknown Contributors: Janisk
File:go_to_DNS_settings.png Source: http://wiki.mikrotik.com/index.php?title=File:Go_to_DNS_settings.png License: unknown Contributors: Janisk
File:dns_add_server.png Source: http://wiki.mikrotik.com/index.php?title=File:Dns_add_server.png License: unknown Contributors: Janisk
File:for_2_dns_servers.png Source: http://wiki.mikrotik.com/index.php?title=File:For_2_dns_servers.png License: unknown Contributors: Janisk
File:sntp_client_setup.png Source: http://wiki.mikrotik.com/index.php?title=File:Sntp_client_setup.png License: unknown Contributors: Janisk
Image:Icon-warn.png Source: http://wiki.mikrotik.com/index.php?title=File:Icon-warn.png License: unknown Contributors: Marisb, Route
File:interface_open_details.png Source: http://wiki.mikrotik.com/index.php?title=File:Interface_open_details.png License: unknown Contributors: Janisk
File:master_port.png Source: http://wiki.mikrotik.com/index.php?title=File:Master_port.png License: unknown Contributors: Janisk
File:remove_bridge_port.png Source: http://wiki.mikrotik.com/index.php?title=File:Remove_bridge_port.png License: unknown Contributors: Janisk
File:secuirtas_profle.png Source: http://wiki.mikrotik.com/index.php?title=File:Secuirtas_profle.png License: unknown Contributors: Janisk
File:creating_security_profile.png Source: http://wiki.mikrotik.com/index.php?title=File:Creating_security_profile.png License: unknown Contributors: Janisk
File:goto_wireless.png Source: http://wiki.mikrotik.com/index.php?title=File:Goto_wireless.png License: unknown Contributors: Janisk
File:wireless_general.png Source: http://wiki.mikrotik.com/index.php?title=File:Wireless_general.png License: unknown Contributors: Janisk
File:wireless_ht.png Source: http://wiki.mikrotik.com/index.php?title=File:Wireless_ht.png License: unknown Contributors: Janisk
File:enable_wireless.png Source: http://wiki.mikrotik.com/index.php?title=File:Enable_wireless.png License: unknown Contributors: Janisk
File:Brtidge_ports_view.png Source: http://wiki.mikrotik.com/index.php?title=File:Brtidge_ports_view.png License: unknown Contributors: Janisk
File:add_bridge_port.png Source: http://wiki.mikrotik.com/index.php?title=File:Add_bridge_port.png License: unknown Contributors: Janisk
File:set_up_bridge.png Source: http://wiki.mikrotik.com/index.php?title=File:Set_up_bridge.png License: unknown Contributors: Janisk
File:correct_address_1.png Source: http://wiki.mikrotik.com/index.php?title=File:Correct_address_1.png License: unknown Contributors: Janisk
File:change_passwd_current_user.png Source: http://wiki.mikrotik.com/index.php?title=File:Change_passwd_current_user.png License: unknown Contributors: Janisk
File:wifi_freq_usage1.png Source: http://wiki.mikrotik.com/index.php?title=File:Wifi_freq_usage1.png License: unknown Contributors: Janisk
File:wifi_freq_usage.png Source: http://wiki.mikrotik.com/index.php?title=File:Wifi_freq_usage.png License: unknown Contributors: Janisk
File:wifi_adv_mode.png Source: http://wiki.mikrotik.com/index.php?title=File:Wifi_adv_mode.png License: unknown Contributors: Janisk
File:Wifi_select_country.png Source: http://wiki.mikrotik.com/index.php?title=File:Wifi_select_country.png License: unknown Contributors: Janisk
File:dst-nat.png Source: http://wiki.mikrotik.com/index.php?title=File:Dst-nat.png License: unknown Contributors: Janisk
Image:image11001.gif Source: http://wiki.mikrotik.com/index.php?title=File:Image11001.gif License: unknown Contributors: Andriss
Image:image11002.gif Source: http://wiki.mikrotik.com/index.php?title=File:Image11002.gif License: unknown Contributors: Andriss
File:profiler.png Source: http://wiki.mikrotik.com/index.php?title=File:Profiler.png License: unknown Contributors: Marisb
Image:Supout.png Source: http://wiki.mikrotik.com/index.php?title=File:Supout.png License: unknown Contributors: Normis
Image:Supout2.png Source: http://wiki.mikrotik.com/index.php?title=File:Supout2.png License: unknown Contributors: Normis
Image:Supout3.png Source: http://wiki.mikrotik.com/index.php?title=File:Supout3.png License: unknown Contributors: Normis
Image:image2001.gif Source: http://wiki.mikrotik.com/index.php?title=File:Image2001.gif License: unknown Contributors: Andriss
Image:image2002.gif Source: http://wiki.mikrotik.com/index.php?title=File:Image2002.gif License: unknown Contributors: Andriss
Image:image2003.gif Source: http://wiki.mikrotik.com/index.php?title=File:Image2003.gif License: unknown Contributors: Andriss
Image:image2004.gif Source: http://wiki.mikrotik.com/index.php?title=File:Image2004.gif License: unknown Contributors: Andriss
Image:image2005.gif Source: http://wiki.mikrotik.com/index.php?title=File:Image2005.gif License: unknown Contributors: Andriss
Image:2009-04-06 1317.png Source: http://wiki.mikrotik.com/index.php?title=File:2009-04-06_1317.png License: unknown Contributors: Normis
File:win-web-snap.png Source: http://wiki.mikrotik.com/index.php?title=File:Win-web-snap.png License: unknown Contributors: Marisb, SergejsB
File:winbox-loader.png Source: http://wiki.mikrotik.com/index.php?title=File:Winbox-loader.png License: unknown Contributors: Marisb
File:winbox-loader2.png Source: http://wiki.mikrotik.com/index.php?title=File:Winbox-loader2.png License: unknown Contributors: Marisb
File:winbox-ipv6-loader.png Source: http://wiki.mikrotik.com/index.php?title=File:Winbox-ipv6-loader.png License: unknown Contributors: Marisb
File:winbox-ipv6nd.png Source: http://wiki.mikrotik.com/index.php?title=File:Winbox-ipv6nd.png License: unknown Contributors: Marisb
File:winbox-win-child.png Source: http://wiki.mikrotik.com/index.php?title=File:Winbox-win-child.png License: unknown Contributors: Marisb
File:win-add.png Source: http://wiki.mikrotik.com/index.php?title=File:Win-add.png License: unknown Contributors: Marisb
File:win-remove.png Source: http://wiki.mikrotik.com/index.php?title=File:Win-remove.png License: unknown Contributors: Marisb
File:win-enable.png Source: http://wiki.mikrotik.com/index.php?title=File:Win-enable.png License: unknown Contributors: Marisb
File:win-disable.png Source: http://wiki.mikrotik.com/index.php?title=File:Win-disable.png License: unknown Contributors: Marisb
File:win-comment.png Source: http://wiki.mikrotik.com/index.php?title=File:Win-comment.png License: unknown Contributors: Marisb
File:win-sort.png Source: http://wiki.mikrotik.com/index.php?title=File:Win-sort.png License: unknown Contributors: Marisb
File:winbox-window-search.png Source: http://wiki.mikrotik.com/index.php?title=File:Winbox-window-search.png License: unknown Contributors: Marisb
Image Sources, Licenses and Contributors
176
File:Winbox-window-sort.png Source: http://wiki.mikrotik.com/index.php?title=File:Winbox-window-sort.png License: unknown Contributors: Marisb
File:Winbox-window-field.png Source: http://wiki.mikrotik.com/index.php?title=File:Winbox-window-field.png License: unknown Contributors: Marisb
File:Winbox-window-detail.png Source: http://wiki.mikrotik.com/index.php?title=File:Winbox-window-detail.png License: unknown Contributors: Marisb
File:Winbox-window-category.png Source: http://wiki.mikrotik.com/index.php?title=File:Winbox-window-category.png License: unknown Contributors: Marisb
File:Winbox1.jpg Source: http://wiki.mikrotik.com/index.php?title=File:Winbox1.jpg License: unknown Contributors: Normis
File:winbox-window-trafmon.png Source: http://wiki.mikrotik.com/index.php?title=File:Winbox-window-trafmon.png License: unknown Contributors: Marisb
Image:2009-04-02_1241.png Source: http://wiki.mikrotik.com/index.php?title=File:2009-04-02_1241.png License: unknown Contributors: Normis
Image:2009-04-02_1241_001.png Source: http://wiki.mikrotik.com/index.php?title=File:2009-04-02_1241_001.png License: unknown Contributors: Normis
Image:2009-04-02_1242.png Source: http://wiki.mikrotik.com/index.php?title=File:2009-04-02_1242.png License: unknown Contributors: Normis
Image:2009-04-02_1242_001.png Source: http://wiki.mikrotik.com/index.php?title=File:2009-04-02_1242_001.png License: unknown Contributors: Normis
File:Webfig-1.png Source: http://wiki.mikrotik.com/index.php?title=File:Webfig-1.png License: unknown Contributors: Marisb
File:Webfig-submenu.png Source: http://wiki.mikrotik.com/index.php?title=File:Webfig-submenu.png License: unknown Contributors: Marisb
File:webfig-enable.png Source: http://wiki.mikrotik.com/index.php?title=File:Webfig-enable.png License: unknown Contributors: Marisb
File:webfig-disable.png Source: http://wiki.mikrotik.com/index.php?title=File:Webfig-disable.png License: unknown Contributors: Marisb
File:webfig-remove.png Source: http://wiki.mikrotik.com/index.php?title=File:Webfig-remove.png License: unknown Contributors: Marisb
File:webfig-3.png Source: http://wiki.mikrotik.com/index.php?title=File:Webfig-3.png License: unknown Contributors: Marisb
File:Webfig-upload.png Source: http://wiki.mikrotik.com/index.php?title=File:Webfig-upload.png License: unknown Contributors: Marisb
File:Webfig-download.png Source: http://wiki.mikrotik.com/index.php?title=File:Webfig-download.png License: unknown Contributors: Marisb
File:webfig-add-to-stsatus-page.png Source: http://wiki.mikrotik.com/index.php?title=File:Webfig-add-to-stsatus-page.png License: unknown Contributors: Janisk
File:webfig-two-columns.png Source: http://wiki.mikrotik.com/index.php?title=File:Webfig-two-columns.png License: unknown Contributors: Janisk
File:webfig-set-field-limits-design.png Source: http://wiki.mikrotik.com/index.php?title=File:Webfig-set-field-limits-design.png License: unknown Contributors: Janisk
File:webfig-set-field-limits-done.png Source: http://wiki.mikrotik.com/index.php?title=File:Webfig-set-field-limits-done.png License: unknown Contributors: Janisk
Image:License menu.png Source: http://wiki.mikrotik.com/index.php?title=File:License_menu.png License: unknown Contributors: Normis
Image:2009-05-21 1608.png Source: http://wiki.mikrotik.com/index.php?title=File:2009-05-21_1608.png License: unknown Contributors: Normis
File:PasteLicense.png Source: http://wiki.mikrotik.com/index.php?title=File:PasteLicense.png License: unknown Contributors: SergejsB
File:ApplyLicenseWinbox.png Source: http://wiki.mikrotik.com/index.php?title=File:ApplyLicenseWinbox.png License: unknown Contributors: SergejsB
Image:Purchase1.png Source: http://wiki.mikrotik.com/index.php?title=File:Purchase1.png License: unknown Contributors: Normis
Image:Purchase2.png Source: http://wiki.mikrotik.com/index.php?title=File:Purchase2.png License: unknown Contributors: Normis
Image:Purchase3.png Source: http://wiki.mikrotik.com/index.php?title=File:Purchase3.png License: unknown Contributors: Normis
Image:Purchase4.png Source: http://wiki.mikrotik.com/index.php?title=File:Purchase4.png License: unknown Contributors: Normis
Image:Purchase5.png Source: http://wiki.mikrotik.com/index.php?title=File:Purchase5.png License: unknown Contributors: Normis
Image:Key0.png Source: http://wiki.mikrotik.com/index.php?title=File:Key0.png License: unknown Contributors: Normis
Image:Key1.png Source: http://wiki.mikrotik.com/index.php?title=File:Key1.png License: unknown Contributors: Normis
Image:Key2.png Source: http://wiki.mikrotik.com/index.php?title=File:Key2.png License: unknown Contributors: Normis
Image:Key3.png Source: http://wiki.mikrotik.com/index.php?title=File:Key3.png License: unknown Contributors: Normis
Image:Key4.png Source: http://wiki.mikrotik.com/index.php?title=File:Key4.png License: unknown Contributors: Normis
Image:Rep1.jpg Source: http://wiki.mikrotik.com/index.php?title=File:Rep1.jpg License: unknown Contributors: Normis
Image:Rep2.jpg Source: http://wiki.mikrotik.com/index.php?title=File:Rep2.jpg License: unknown Contributors: Normis
Image:Rep3.jpg Source: http://wiki.mikrotik.com/index.php?title=File:Rep3.jpg License: unknown Contributors: Normis
File:Quickset-upgrade.jpg Source: http://wiki.mikrotik.com/index.php?title=File:Quickset-upgrade.jpg License: unknown Contributors: Normis
File:Package-upgrade.png Source: http://wiki.mikrotik.com/index.php?title=File:Package-upgrade.png License: unknown Contributors: Normis
File:Changelog-upgrade.png Source: http://wiki.mikrotik.com/index.php?title=File:Changelog-upgrade.png License: unknown Contributors: Normis
File:Downloadpage.jpg Source: http://wiki.mikrotik.com/index.php?title=File:Downloadpage.jpg License: unknown Contributors: Normis
Image:Winbox1.jpg Source: http://wiki.mikrotik.com/index.php?title=File:Winbox1.jpg License: unknown Contributors: Normis
Image:Winb2.jpg Source: http://wiki.mikrotik.com/index.php?title=File:Winb2.jpg License: unknown Contributors: Normis
Image:Up4.jpg Source: http://wiki.mikrotik.com/index.php?title=File:Up4.jpg License: unknown Contributors: Normis
Image:Dude1.png Source: http://wiki.mikrotik.com/index.php?title=File:Dude1.png License: unknown Contributors: SergejsB
Image:Dude2.png Source: http://wiki.mikrotik.com/index.php?title=File:Dude2.png License: unknown Contributors: SergejsB
Image:Dude3.png Source: http://wiki.mikrotik.com/index.php?title=File:Dude3.png License: unknown Contributors: SergejsB
Image:Dude5.png Source: http://wiki.mikrotik.com/index.php?title=File:Dude5.png License: unknown Contributors: SergejsB
Image:Dude6.png Source: http://wiki.mikrotik.com/index.php?title=File:Dude6.png License: unknown Contributors: SergejsB
Image:Dude7.png Source: http://wiki.mikrotik.com/index.php?title=File:Dude7.png License: unknown Contributors: SergejsB
Image:Dude8.png Source: http://wiki.mikrotik.com/index.php?title=File:Dude8.png License: unknown Contributors: SergejsB
Image:Dude13.png Source: http://wiki.mikrotik.com/index.php?title=File:Dude13.png License: unknown Contributors: SergejsB
Image:Dude14.png Source: http://wiki.mikrotik.com/index.php?title=File:Dude14.png License: unknown Contributors: SergejsB
Image:CD1.png Source: http://wiki.mikrotik.com/index.php?title=File:CD1.png License: unknown Contributors: SergejsB
Image:CD3.png Source: http://wiki.mikrotik.com/index.php?title=File:CD3.png License: unknown Contributors: SergejsB
Image:CD4.png Source: http://wiki.mikrotik.com/index.php?title=File:CD4.png License: unknown Contributors: SergejsB
Image:CD6.png Source: http://wiki.mikrotik.com/index.php?title=File:CD6.png License: unknown Contributors: SergejsB
Image:CD7.png Source: http://wiki.mikrotik.com/index.php?title=File:CD7.png License: unknown Contributors: SergejsB
Image:CD8.png Source: http://wiki.mikrotik.com/index.php?title=File:CD8.png License: unknown Contributors: SergejsB
Image:CD9.png Source: http://wiki.mikrotik.com/index.php?title=File:CD9.png License: unknown Contributors: SergejsB
Image:CD10.png Source: http://wiki.mikrotik.com/index.php?title=File:CD10.png License: unknown Contributors: SergejsB
Image:CD11.png Source: http://wiki.mikrotik.com/index.php?title=File:CD11.png License: unknown Contributors: SergejsB
File:2009-01-27 1224.jpg Source: http://wiki.mikrotik.com/index.php?title=File:2009-01-27_1224.jpg License: unknown Contributors: Normis
Image:NetinstallStart.png Source: http://wiki.mikrotik.com/index.php?title=File:NetinstallStart.png License: unknown Contributors: SergejsB
Image:Nconfig.PNG Source: http://wiki.mikrotik.com/index.php?title=File:Nconfig.PNG License: unknown Contributors: SergejsB
Image:NConfig3.png Source: http://wiki.mikrotik.com/index.php?title=File:NConfig3.png License: unknown Contributors: SergejsB
Image:NetinstallC4.png Source: http://wiki.mikrotik.com/index.php?title=File:NetinstallC4.png License: unknown Contributors: SergejsB
Image:NetinstallC5.png Source: http://wiki.mikrotik.com/index.php?title=File:NetinstallC5.png License: unknown Contributors: SergejsB
Image:NetinstallC6.png Source: http://wiki.mikrotik.com/index.php?title=File:NetinstallC6.png License: unknown Contributors: SergejsB
Image Sources, Licenses and Contributors
177
Image:PasswordReset.png Source: http://wiki.mikrotik.com/index.php?title=File:PasswordReset.png License: unknown Contributors: SergejsB
File:bonding-lacp-example.png Source: http://wiki.mikrotik.com/index.php?title=File:Bonding-lacp-example.png License: unknown Contributors: Marisb
Image:bon-tlb.png Source: http://wiki.mikrotik.com/index.php?title=File:Bon-tlb.png License: unknown Contributors: Marisb
Image:bon-alb.png Source: http://wiki.mikrotik.com/index.php?title=File:Bon-alb.png License: unknown Contributors: Marisb
File:eoip-example.png Source: http://wiki.mikrotik.com/index.php?title=File:Eoip-example.png License: unknown Contributors: Marisb