Tuesday, May 31, 2011

Come On, Predict Your Health from the Colour of Your Urine

It turns out the colour of our urine can be used to predict our state of health at that moment, and it can also serve as a guide to what action we should take afterwards.

Get to know these urine colours and what they predict about your health:
Yellow
"Healthy urine is pale yellow or dark yellow," says consultant urologist Tim Terry. This depends on your level of hydration, so as long as your urine stays within the yellow range, you can breathe easy.

Green
"Some antiseptic and anaesthetic drugs give urine a greenish tint," says Terry. This is because of methylene blue, a dye that our kidneys sometimes have to work hard to clear. So if your urine is green, there is no need to worry too much.

Orange
"This is a sign of liver dysfunction," Terry explains. If your urine is this colour, usually accompanied by white stools, it may be due to obstructive jaundice. So take action promptly if your urine is orange.

Brown
Brown urine indicates a kidney problem. "It can be a sign of serious kidney disease, even a fistula," says Terry. This condition is usually caused by a leak from the bowel into your bladder. Run to your doctor straight away in this case.

Red
This is really bad. Red means there is blood in your urine, which can indicate bleeding or cancer. "In people over 40 the first hypothesis is bladder cancer," says Terry. Contact a doctor immediately and get checked quickly.

Monday, May 30, 2011

Headers Already Sent Error in PHP

Quite a few people find that their PHP-based website throws the error:
PHP error: Cannot modify header information – headers already sent

This error is actually quite easy to prevent, namely by using the function ob_start();

At the start of your program, insert the following script:


ob_start("ob_gzhandler");


The function ob_start(); is used to hold the output temporarily in a buffer; only once all of the output has been collected is it sent out.

Meanwhile, ob_gzhandler is used to compress the output so that running the program is lighter.

Security: Downloading Files with PHP

Many people probably have their own way of downloading files securely. I also have a way that is quite simple and may well be the same as yours. The most important thing is that the files we want to download are placed in a folder that cannot be opened through the web server, meaning it is not inside the DocumentRoot. This prevents people from downloading without the script we wrote and also prevents search engines from indexing them.

The method is quite easy: create a script as follows.
<?php
// Only serve the file when the request came from our own site. Note that the
// Referer header is supplied by the client, so it may be missing or forged.
$ref = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : "";
$ref1 = explode("/", $ref);
if (isset($ref1[2]) && $ref1[2] == "www.webku-sendiri.com") {

    if (!empty($_GET['f'])) {
        // basename() drops any directory part, so "../" cannot escape the data folder
        $f = basename($_GET['f']);
        $m = "/home/cakep/data/$f";   // folder outside DocumentRoot
        if (is_readable($m)) {
            //clearstatcache();
            //header("Cache-Control: no-store, no-cache");
            header("Content-Type: application/force-download");
            header("Content-Transfer-Encoding: binary");
            header("Content-Length: " . filesize($m));
            // send only the file name to the browser, never the server path
            header("Content-Disposition: attachment; filename=\"$f\"");
            readfile($m);
        } else {
            echo "Gagal";   // "Failed"
        }
    }
} else {
    header("Location: login.php?");
    exit;
}

ob_end_flush();   // assumes ob_start() was called at the top, as in the previous post

Now save that file and give it a name, for example download.php. To download, simply call that address with the command http://www.webku-sendiri.com/download.php?f=namafile.doc

Adjust it to your own domain name and file. To be even safer you can actually add a filter on the file types you allow (.jpg, .gif, .doc, .docx, .xls, .xlsx, and so on).

Okay, have a go at securing your files with this simple script.
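The three controls this post relies on (the referer host check, files kept in a folder outside DocumentRoot, and the extension filter suggested above), written here as an added Python example rather than the post's own PHP so the path handling can be exercised offline; the host name, folder and extension list are placeholders, and make_sample_data_dir() only builds constructed test files.

```python
import os
import tempfile
from urllib.parse import urlsplit

OWN_HOST = "www.webku-sendiri.com"          # placeholder, as in the post
ALLOWED_EXTENSIONS = {".jpg", ".gif", ".doc", ".docx", ".xls", ".xlsx"}


def referer_is_own_site(referer, own_host=OWN_HOST):
    """Same idea as explode('/', $ref)[2] == host, but with a real URL parser.
    The Referer header is client-supplied, so this only deters casual hot-linking."""
    if not referer:
        return False
    return urlsplit(referer).hostname == own_host


def resolve_download(data_dir, requested_name, allowed=ALLOWED_EXTENSIONS):
    """Return the absolute path to serve, or None if the request must be refused.

    data_dir is the folder outside DocumentRoot, so this function is the only
    way a browser can reach the files inside it.
    """
    if not requested_name:
        return None
    # 1. Strip any directory component: "../../etc/passwd" becomes "passwd".
    name = os.path.basename(requested_name)
    if name in ("", ".", "..") or name.startswith("."):
        return None
    # 2. Extension allowlist, the extra filter the post recommends.
    if os.path.splitext(name)[1].lower() not in allowed:
        return None
    # 3. Containment check: the resolved path must still sit inside data_dir,
    #    which also catches symlinks that point somewhere else.
    base = os.path.realpath(data_dir)
    full = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, full]) != base:
        return None
    if not os.path.isfile(full) or not os.access(full, os.R_OK):
        return None
    return full


def handle_request(data_dir, referer, requested_name):
    """Mirror download.php's decisions: redirect foreign referers to login,
    otherwise serve the file (by base name only) or report failure."""
    if not referer_is_own_site(referer):
        return ("redirect", "login.php")
    path = resolve_download(data_dir, requested_name)
    if path is None:
        return ("fail", None)
    # Content-Disposition should carry the base name, never the server path.
    return ("serve", os.path.basename(path))


def make_sample_data_dir():
    """Constructed sample data folder for the demo: one allowed file, one not."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "laporan.doc"), "wb") as fh:
        fh.write(b"sample report")
    with open(os.path.join(d, "config.php"), "wb") as fh:
        fh.write(b"<?php // must never be downloadable")
    return d


if __name__ == "__main__":
    d = make_sample_data_dir()
    print(handle_request(d, "http://www.webku-sendiri.com/index.php", "laporan.doc"))
    print(handle_request(d, "http://www.webku-sendiri.com/index.php", "../../etc/passwd"))
```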

Avoiding Warnings/Errors from the foreach Function

You may have been annoyed when using the foreach function because it sometimes produces an error/warning. Well, I have a tip for avoiding foreach warnings/errors. Generally, a program using foreach will hit an error/warning when the array variable to be iterated has no value at all. The fix is quite easy: add an if condition.
$dataku = ARTIKEL::BACA();
if ($dataku) {
    foreach ($dataku AS $mydata) {
        /* Process the data however your needs require */
    }
}

The if condition in the script above checks whether the variable $dataku has a value; if it does not, foreach is not used. That way you will avoid errors/warnings when using foreach.

Deleting Files with PHP

Here is a simple way to delete a file using PHP. This method is for deleting a file whose record is in the database but whose file itself is in a folder (in this case the folder D:/xampp/htdocs/simpan/data/). First, create a form containing the fields namafile and idfile.

<?php
$dir_base = "D:/xampp/htdocs/simpan/data/";
// basename() drops any directory part, so a submitted "../x" cannot reach outside $dir_base
$f = basename($_POST['namafile']);
$idfile = $_POST['idfile'];
$delfile = $dir_base . $f;

// only attempt the delete on an existing regular file
$hapus = is_file($delfile) && unlink($delfile);
if ($hapus) {
    /* write the query that deletes the database record based on idfile */
}

Quite easy, isn't it? Explore it yourself.

TIPS FOR PREVENTING GAS STOVE FIRES

A short story about a personal experience I just had.

Chronology.

I was at home. Suddenly a woman screamed, "Fire, fire, my stove is on fire!" I immediately ran over to her house and checked the situation to see where my friend the gas cylinder was. Hehe.

Without thinking further I ran to the kitchen, ignoring the fire; the important thing was that my friend the gas cylinder got out safely.

I quickly pulled off the gas regulator and then ran straight out of the room.

After that the fire at the stove had stopped, but the flames had already spread up into the wok, which was full of burning cooking oil.

Only then did the other men, my neighbours, fetch water and cloth to put out the fire in the wok first, and then the fire around it.

Phew. Finally, after all that tension, the situation was safe and under control.

I want to share some effective tips and tricks for dealing with a fire and keeping it from spreading further once it has broken out.

1. Whether the stove used in the house is kerosene or gas, never douse it with water first.

2. The first thing to do is to rescue the gas cylinder quickly: immediately detach it from its regulator and then carry it out of the room.

3. Do not put the fire out with water alone; instead use cloth soaked in water and, if available, as much sand and soil as you can.

4. Oil and gas are lighter than water, so if you pour only water on them, the oil and gas will spread further. It is better to first prepare wet cloth, soil or sand.

5. Prioritise the fire at its source before extinguishing anything else.

6. If you prioritise other spots first, the fire keeps growing and quickly jumps to other areas too. Besides, if we extinguish the fire before the source is secured, that area is already soaked and slippery, which makes it harder to control.

7. The essence of my tips: an uncontrolled fire when using a gas cylinder is caused by user error and by the way it is extinguished.

8. An extra from me for everyone, because I am a bit traumatised: never add a threaded clamp to the cylinder regulator. If it is not fitted right, when something happens it is difficult or even impossible to detach from the regulator (from experience).

Threaded clamp on the cylinder regulator: REMEMBER, IT IS NOT RECOMMENDED TO FIT ONE!!!

That is why:

quickly and promptly detach the cylinder from its regulator and carry it outside.

Don't be afraid: gas cylinders are designed to withstand fairly high heat.

An explosion is only possible if, once a fire has started, the cylinder is not detached promptly and the flames travel along the hose.

Below are many other tips that can also be used.

Not a few fires are caused by LPG use. Incidents like these often begin with carelessness in installing and maintaining the gas cylinder and gas stove, leading to a gas leak and then a fire.

For correct installation and maintenance:
  • Avoid leaks, because leaks are what most often cause fires.
  • Fit the clamps tightly and firmly on the cylinder and the gas stove.
  • Regularly and carefully inspect: the hose, clamps, regulator, valve and gas cylinder.
  • Because LPG is denser than air, it is recommended that the kitchen have ventilation at floor level, so that if a leak occurs it is directly in contact with open air.
  • Clean the gas stove regularly of spilled oil and stuck-on food, because stuck-on dirt can cause blockages and be dangerous.
  • Do not let the hose be crushed or kinked, as this can make it brittle and prone to leaks.
  • Clean the hose of food residue or spilled oil, as these can attract rats to chew it.
  • In the morning, or before lighting the stove, check whether you can smell a leak.
  • If there is a leak, do not switch on any electrical switch or strike a match.
  • Keep flammable objects away from the LPG stove.
  • Keep the gas cylinder away from sources of fire.
  • After use, turn the regulator to the Off position and make sure no gas is flowing any more.
  • If the cylinder leaks, take it out of the kitchen or the room.

How to Prevent Gas Stove Fires

If a fire breaks out (early stage):

1. Extinguish it immediately with a portable fire extinguisher (APAR) or, simply, with a wet jute sack/thick wet towel (to reduce the heat)

2. Do not switch electric lights off or on; there may be a leak, and an electrical spark can ignite it.

3. Move flammable materials away

Essentially, fire arises from three things: fuel, oxygen and heat. So control the fire hazard by controlling those three elements.


Here are the practical instructions, from a seminar paper published on a blog:

LPG Gas: Solution or Threat?

27 December 2009

Fire cases in Indonesia are increasing day by day. If we watch the news on TV, every day there is a report of a fire somewhere. The causes include LPG cylinder explosions and electrical short circuits. For example, in DKI Jakarta there were 785 cases in 2009 up to last November. (Jakartafire.org)

One of the causes is LPG gas. The programme converting kerosene to gas has become a question for part of the public: is this programme a solution or a threat?

The government's reasons for holding the conversion programme are:

1. Saving 20 trillion per year in fuel subsidies if the programme succeeds

2. Gas is harder to adulterate than kerosene

3. Gas is cleaner than kerosene

4. Neighbouring countries have already adopted it (Malaysia & Thailand)

However, part of the public complains about the many fires caused by leaking gas cylinders. In fact, it should be understood that LPG cylinders are welded perfectly, 100%, so the cylinder itself will not leak. What actually leaks are several parts, namely:

1. The valve is left open (when not in use) or is already damaged

2. The line/pipe/rubber hose is damaged or split, or its connection to the regulator/stove was not done properly

3. The regulator is damaged, or the rubber ring on the valve is damaged or missing

4. The valve cannot close (always open)

5. The cylinder is dented, rusty or past its expiry date

These things usually happen at (dishonest) distributors, so the tip is: do not forget to weigh the LPG (empty weight 5 kg, net weight 3 kg, so total weight 8 kg). The 3 kg LPG cylinder already meets safety standard SNI 19-1452-2001, so its safety is not in doubt.

So how do you use LPG safely?

1. Place the stove and gas cylinder on a flat surface in a room with good air circulation

2. Place the LPG cylinder as far as possible from the stove or other sources of fire

3. Fit the regulator to the LPG cylinder valve (with the regulator knob pointing downwards).

4. Make sure the regulator cannot come loose from the LPG cylinder valve (which is why various regulator safety devices are sold, at an average price of Rp15,000)

5. Check for possible gas leaks from the cylinder, stove, hose and regulator. If there is a leak you will smell the distinctive pungent LPG odour, like something rotten

Many LPG fires happen because the user does not know that the cylinder is leaking, so learn the signs of an LPG leak:

1. A pungent smell of LPG

2. Condensation on the LPG cylinder, usually around the cylinder's weld seams, the neck ring, the valve or the foot ring joint

3. A hissing sound at the regulator

But if misfortune has already struck and a fire breaks out (early stage):
  • Extinguish it immediately with a portable fire extinguisher (APAR) or, simply, with a wet jute sack/thick wet towel (to reduce the heat)
  • Do not switch electric lights off or on; there may be a leak, and an electrical spark can ignite it.
  • Move flammable materials away

Essentially, fire arises from three things: fuel, oxygen and heat. So control the fire hazard by controlling those three elements.


Safe LPG Tips from Pertamina

Sunday, May 29, 2011

VLAN

General Information



Summary


VLAN is an implementation of the 802.1Q VLAN protocol for MikroTik RouterOS. It allows you to have multiple Virtual LANs on a single ethernet or wireless interface, giving the ability to segregate LANs efficiently. It supports up to 4095 VLAN interfaces, each with a unique VLAN ID, per ethernet device. VLAN priorities may also be used and manipulated. Many routers, including Cisco and Linux based, and many Layer 2 switches use VLAN to enable multiple independent, isolated networks to exist on the same physical network.

A VLAN is a logical grouping that allows end users to communicate as if they were physically connected to a single isolated LAN, independent of the physical configuration of the network. VLAN support adds a new dimension of security and cost savings permitting the sharing of a physical network infrastructure and interfaces/ports while logically maintaining separation among unrelated users.


Specifications


Packages required: system
License required: Level1 (limited to 1 vlan) , Level3
Submenu level: /interface vlan
Standards and Technologies: VLAN (IEEE 802.1Q)
Hardware usage: Not significant

Description


VLANs are simply a way of grouping a set of switch ports together so that they form a logical network, separate from any other such group. It may also be understood as breaking one physical switch into several independent parts. Within a single switch this is straightforward local configuration. When the VLAN extends over more than one switch, the inter-switch links have to become trunks, on which packets are tagged to indicate which VLAN they belong to.

You can use MikroTik RouterOS (as well as Cisco IOS, Linux and other router systems) to mark these packets as well as to accept and route marked ones.

As VLAN works on OSI Layer 2, it can be used just as any other network interface without any restrictions. VLAN successfully passes through regular Ethernet bridges.

You can also transport VLANs over wireless links and put multiple VLAN interfaces on a single wireless interface. Note that as VLAN is not a full tunnel protocol (i.e., it does not have additional fields to transport MAC addresses of sender and recipient), the same limitation applies to bridging over VLAN as to bridging plain wireless interfaces. In other words, while wireless clients may participate in VLANs put on wireless interfaces, it is not possible to have VLAN put on a wireless interface in station mode bridged with any other interface.

Currently supported Ethernet interfaces

This is a list of network interfaces on which VLAN was tested and worked. Note that there might be many other interfaces that support VLAN, but they just were not checked. Most modern Ethernet interfaces support VLAN.


  • Realtek 8139

  • Intel PRO/100

  • Intel PRO1000 server adapter

  • National Semiconductor DP83816 based cards (RouterBOARD200 onboard Ethernet, RouterBOARD 24 card)

  • National Semiconductor DP83815 (Soekris onboard Ethernet)

  • VIA VT6105M based cards (RouterBOARD 44 card)

  • VIA VT6105

  • VIA VT6102 (VIA EPIA onboard Ethernet)



This is a list of network interfaces on which VLAN was tested and worked, but WITHOUT LARGE PACKET (>1496 bytes) SUPPORT:


  • 3Com 3c59x PCI

  • DEC 21140 (tulip)





VLAN Setup


Submenu level: /interface vlan

Property Description


arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol mode
disabled - the interface will not use ARP protocol
enabled - the interface will fully use ARP protocol
proxy-arp - the interface will be an ARP proxy
reply-only - the interface will only reply to the requests for to its own IP addresses, but neighbor MAC addresses will be gathered from /ip arp statically set table only

interface (name) - physical interface to the network where the VLAN is put

mtu (integer; default: 1500) - Maximum Transmission Unit

name (name) - interface name for reference

vlan-id (integer; default: 1) - Virtual LAN identifier or tag that is used to distinguish VLANs. Must be equal for all computers that belong to the same VLAN.

Notes




MTU should be set to 1500 bytes as on Ethernet interfaces. But this may not work with some Ethernet cards that do not support receiving/transmitting of full size Ethernet packets with VLAN header added (1500 bytes data + 4 bytes VLAN header + 14 bytes Ethernet header). In this situation MTU 1496 can be used, but note that this will cause packet fragmentation if larger packets have to be sent over interface. At the same time remember that MTU 1496 may cause problems if path MTU discovery is not working properly between source and destination.
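An added example, not from the MikroTik manual: Python that builds and parses 802.1Q-tagged Ethernet frames (the tagging the Description section refers to) and applies the frame-size arithmetic of the note above (1500 bytes data + 4 bytes VLAN header + 14 bytes Ethernet header); the 1514-byte NIC limit used by fits_nic() is an assumption standing in for the "no large packet support" cards listed earlier.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETH_HDR_LEN = 14         # dst MAC (6) + src MAC (6) + EtherType (2)
VLAN_TAG_LEN = 4         # TPID (2) + TCI (2)
MAX_VLAN_ID = 4095       # 12-bit VID field; 0 and 4095 are reserved by 802.1Q


def build_tagged_frame(dst, src, vlan_id, ethertype, payload, pcp=0, dei=0):
    """Construct an 802.1Q-tagged frame (used here only to make test data)."""
    if not 0 <= vlan_id <= MAX_VLAN_ID:
        raise ValueError("vlan-id must fit in 12 bits")
    # TCI layout: 3-bit priority (PCP), 1-bit DEI, 12-bit VLAN ID
    tci = (pcp << 13) | (dei << 12) | vlan_id
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Split a frame into MACs, VLAN fields (None when untagged), EtherType, payload."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vlan_id": None, "priority": None,
                "dei": None, "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < ETH_HDR_LEN + VLAN_TAG_LEN:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src,
            "vlan_id": tci & 0x0FFF,        # low 12 bits
            "priority": tci >> 13,          # top 3 bits
            "dei": (tci >> 12) & 1,
            "ethertype": inner_type, "payload": frame[18:]}


def frame_size_for_mtu(mtu, tagged=True):
    """Wire size of a maximum-length frame for a given interface MTU."""
    return mtu + ETH_HDR_LEN + (VLAN_TAG_LEN if tagged else 0)


def fits_nic(mtu, nic_max_frame=1514):
    """True if a tagged frame at this MTU fits a NIC limited to plain
    1514-byte frames (assumed limit of the cards without large packet support).
    This is why the note above suggests MTU 1496 on such hardware."""
    return frame_size_for_mtu(mtu) <= nic_max_frame


if __name__ == "__main__":
    # constructed sample: broadcast frame on VLAN 32 with priority 5
    f = build_tagged_frame(b"\xff" * 6, bytes.fromhex("0c0a11223344"),
                           32, 0x0800, b"\x45" + b"\x00" * 19, pcp=5)
    print(parse_frame(f)["vlan_id"], frame_size_for_mtu(1500), fits_nic(1500))
```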


Example


To add and enable a VLAN interface named test with vlan-id=1 on interface ether1:
[admin@MikroTik] interface vlan> add name=test vlan-id=1 interface=ether1
[admin@MikroTik] interface vlan> print
Flags: X - disabled, R - running
# NAME MTU ARP VLAN-ID INTERFACE
0 X test 1500 enabled 1 ether1
[admin@MikroTik] interface vlan> enable 0
[admin@MikroTik] interface vlan> print
Flags: X - disabled, R - running
# NAME MTU ARP VLAN-ID INTERFACE
0 R test 1500 enabled 1 ether1
[admin@MikroTik] interface vlan>


Application Example



VLAN example on MikroTik Routers


Let us assume that we have two or more MikroTik RouterOS routers connected with a hub. The interface to the physical network where the VLAN is to be created is ether1 on all of them (this is only to simplify the example; it is NOT a must).

To connect computers through a VLAN they must be connected physically, and unique IP addresses should be assigned to them so that they can ping each other. Then the VLAN interface should be created on each of them:
[admin@MikroTik] interface vlan> add name=test vlan-id=32 interface=ether1
[admin@MikroTik] interface vlan> print
Flags: X - disabled, R - running
# NAME MTU ARP VLAN-ID INTERFACE
0 R test 1500 enabled 32 ether1
[admin@MikroTik] interface vlan>

If the interfaces were successfully created, both of them will be running. If computers are connected incorrectly (through network device that does not retransmit or forward VLAN packets), either both or one of the interfaces will not be running.

When the interface is running, IP addresses can be assigned to the VLAN interfaces.

On the Router 1:
[admin@MikroTik] ip address> add address=10.10.10.1/24 interface=test
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.0.0.204/24 10.0.0.0 10.0.0.255 ether1
1 10.20.0.1/24 10.20.0.0 10.20.0.255 pc1
2 10.10.10.1/24 10.10.10.0 10.10.10.255 test
[admin@MikroTik] ip address>

On the Router 2:
[admin@MikroTik] ip address> add address=10.10.10.2/24 interface=test
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.0.0.201/24 10.0.0.0 10.0.0.255 ether1
1 10.10.10.2/24 10.10.10.0 10.10.10.255 test
[admin@MikroTik] ip address>

If it is set up correctly, then it is possible to ping Router 2 from Router 1 and vice versa:
[admin@MikroTik] ip address> /ping 10.10.10.1
10.10.10.1 64 byte pong: ttl=255 time=3 ms
10.10.10.1 64 byte pong: ttl=255 time=4 ms
10.10.10.1 64 byte pong: ttl=255 time=10 ms
10.10.10.1 64 byte pong: ttl=255 time=5 ms
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 3/10.5/10 ms
[admin@MikroTik] ip address> /ping 10.10.10.2
10.10.10.2 64 byte pong: ttl=255 time=10 ms
10.10.10.2 64 byte pong: ttl=255 time=11 ms
10.10.10.2 64 byte pong: ttl=255 time=10 ms
10.10.10.2 64 byte pong: ttl=255 time=13 ms
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 10/11/13 ms
[admin@MikroTik] ip address>

© Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA. Other trademarks and registered trademarks mentioned herein are properties of their respective owners.

Traffic Flow

General Information



Specifications


Packages required: system
License required: Level1
Submenu level: /ip traffic-flow
Hardware usage: Not significant


Description


MikroTik Traffic-Flow is a system that provides statistic information about packets which pass through the router. Besides network monitoring and accounting, system administrators can identify various problems that may occur in the network. With help of Traffic-Flow, it is possible to analyze and optimize the overall network performance. As Traffic-Flow is compatible with Cisco NetFlow, it can be used with various utilities which are designed for Cisco's NetFlow.

Traffic-Flow supports the following NetFlow formats:


  • version 1 - the first version of NetFlow data format, do not use it, unless you have to

  • version 5 - in addition to version 1, version 5 has the BGP AS and flow sequence number information included

  • version 9 - a new format which can be extended with new fields and record types, thanks to its template-style design




General Configuration



Description


This section describes the basic configuration of Traffic-Flow.


Property Description


active-flow-timeout (time; default: 30m) - maximum life-time of a flow

cache-entries (1k | 2k | 4k | 8k | 16k | 32k | 64k | 128k | 256k | 512k; default: 1k) - number of flows which can reside in the router's memory simultaneously

enabled (yes | no) - whether to enable traffic-flow service or not

inactive-flow-timeout (time; default: 15s) - how long to keep the flow active, if it is idle

interfaces (name) - names of those interfaces which will be used to gather statistics for traffic-flow. To specify more than one interface, separate them with a comma (",")

Traffic-Flow Target


Submenu level: /ip traffic-flow target

Description


With Traffic-Flow targets we specify those hosts which will gather the Traffic-Flow information from router.


Property Description


address (IP address:port) - IP address and UDP port of the host which receives Traffic-Flow statistics packets from the router

v9-template-refresh (integer; default: 20) - number of packets after which the template is sent to the receiving host (only for NetFlow version 9)

v9-template-timeout - after how long to send the template, if it has not been sent

version (1 | 5 | 9) - which version format of NetFlow to use

Application Examples



Traffic-Flow Example


This example shows how to configure Traffic-Flow on a router


  1. Enable Traffic-Flow on the router:
    [admin@MikroTik] ip traffic-flow> set enabled=yes
    [admin@MikroTik] ip traffic-flow> print
    enabled: yes
    interfaces: all
    cache-entries: 1k
    active-flow-timeout: 30m
    inactive-flow-timeout: 15s
    [admin@MikroTik] ip traffic-flow>


  2. Specify IP address and port of the host, which will receive Traffic-Flow packets:
    [admin@MikroTik] ip traffic-flow target> add address=192.168.0.2:2055 \
    \... version=9
    [admin@MikroTik] ip traffic-flow target> print
    Flags: X - disabled
    # ADDRESS VERSION
    0 192.168.0.2:2055 9
    [admin@MikroTik] ip traffic-flow target>

    Now the router starts to send packets with Traffic-Flow information.
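An added Python example, not MikroTik code: the receiving side of the export configured above, parsing a NetFlow version 5 packet of the kind a target on UDP port 2055 would receive (version 5 is used because the page lists it and its record layout is fixed; version 9's template format is not covered). The flows and addresses in sample_flows() are constructed.

```python
import struct
import ipaddress
from collections import namedtuple

# NetFlow v5 wire layout: 24-byte header followed by 48-byte fixed records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")

Flow = namedtuple("Flow", "src dst proto sport dport packets octets tcp_flags src_as dst_as")


def build_v5_packet(flows, sys_uptime=1000, unix_secs=1700000000, seq=0):
    """Construct an export packet shaped like what the router would send."""
    header = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(int(ipaddress.IPv4Address(f.src)), int(ipaddress.IPv4Address(f.dst)),
                       0,                      # next hop
                       1, 2,                   # input / output SNMP ifIndex
                       f.packets, f.octets,
                       0, sys_uptime,          # first / last seen (sysuptime ms)
                       f.sport, f.dport,
                       0, f.tcp_flags, f.proto, 0,   # pad, flags, protocol, ToS
                       f.src_as, f.dst_as, 24, 24, 0)  # ASNs, masks, pad
        for f in flows)
    return header + body


def parse_v5_packet(data):
    """Parse one NetFlow v5 datagram into Flow tuples; reject malformed input."""
    if len(data) < V5_HEADER.size:
        raise ValueError("packet shorter than the v5 header")
    version, count, *_rest = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    # Trust the length on the wire, not the count field, before indexing.
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("count says %d records but packet has %d bytes" % (count, len(data)))
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nh, _in, _out, pkts, octs, _first, _last, sport, dport,
         _pad, flags, proto, _tos, sas, das, _sm, _dm, _pad2) = V5_RECORD.unpack_from(data, off)
        flows.append(Flow(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                          proto, sport, dport, pkts, octs, flags, sas, das))
    return flows


def top_talkers(flows, n=3):
    """Octets per source address, largest first: the 'top hosts by upload' view."""
    totals = {}
    for f in flows:
        totals[f.src] = totals.get(f.src, 0) + f.octets
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def sample_flows():
    """Constructed sample flows between the addresses used on this page."""
    return [Flow("10.10.10.1", "192.168.0.2", 6, 40000, 80, 10, 4000, 0x18, 0, 0),
            Flow("10.10.10.2", "192.168.0.2", 17, 5353, 53, 2, 200, 0, 0, 0),
            Flow("10.10.10.1", "10.0.0.204", 6, 40001, 443, 5, 6000, 0x10, 0, 0)]


if __name__ == "__main__":
    pkt = build_v5_packet(sample_flows(), seq=7)
    for flow in parse_v5_packet(pkt):
        print(flow)
    print(top_talkers(parse_v5_packet(pkt)))
```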



Some screenshots from the NTop program, which has gathered Traffic-Flow information from our router and displays it in nice graphs and statistics. For example, where what kind of traffic has flown:

[screenshot: Top three hosts by upload and download each minute]

[screenshot: Overall network load each minute]

[screenshot: Traffic usage by each protocol]


PPTP Tunnel

General Information



Summary


PPTP (Point to Point Tunnel Protocol) supports encrypted tunnels over IP. The MikroTik RouterOS implementation includes support for both PPTP client and server.

General applications of PPTP tunnels:


  • secure router-to-router tunnels over the Internet

  • linking (bridging) local Intranets or LANs

  • accessing an Intranet/LAN of a company for remote (mobile) clients (employees)



Each PPTP connection is composed of a server and a client. The MikroTik RouterOS may function as a server or client or, for various configurations, it may be the server for some connections and client for other connections. For example, the client created below could connect to a Windows 2000 server, another MikroTik Router, or another router which supports a PPTP server.


Quick Setup Guide


To make a PPTP tunnel between 2 MikroTik routers with IP addresses 10.5.8.104 (PPTP server) and 10.1.0.172 (PPTP client), follow the next steps.


  • Configuration on PPTP server router:


    1. Add a user:
      [admin@PPTP-Server] ppp secret> add name=user password=passwd \
      \... local-address=10.0.0.1 remote-address=10.0.0.2


    2. Enable the PPTP server:
      [admin@PPTP-Server] interface pptp-server server> set enabled=yes




  • Configuration on PPTP client router:


    1. Add the PPTP client:
      [admin@PPTP-Client] interface pptp-client> add user=user password=passwd \
      \... connect-to=10.5.8.104 disabled=no







Specifications


Packages required: ppp
License required: Level1 (limited to 1 tunnel) , Level3 (limited to 200 tunnels) , Level5
Submenu level: /interface pptp-server, /interface pptp-client
Standards and Technologies: PPTP (RFC 2637)
Hardware usage: Not significant

Description


PPTP is a secure tunnel for transporting IP traffic using PPP. PPTP encapsulates PPP in virtual lines that run over IP. PPTP incorporates PPP and MPPE (Microsoft Point to Point Encryption) to make encrypted links. The purpose of this protocol is to make well-managed secure connections between routers as well as between routers and PPTP clients (clients are available for and/or included in almost all OSs including Windows).

Multilink PPP (MP) is supported in order to provide MRRU (the ability to transmit full-sized 1500 and larger packets) and bridging over PPP links (using the Bridge Control Protocol (BCP), which allows raw Ethernet frames to be sent over PPP links). This way it is possible to set up bridging without EoIP. The bridge should either have an administratively set MAC address or an Ethernet-like interface in it, as PPP links do not have MAC addresses.

PPTP includes PPP authentication and accounting for each PPTP connection. Full authentication and accounting of each connection may be done through a RADIUS client or locally.

MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported.

PPTP traffic uses TCP port 1723 and IP protocol GRE (Generic Routing Encapsulation, IP protocol ID 47), as assigned by the Internet Assigned Numbers Authority (IANA). PPTP can be used with most firewalls and routers by enabling traffic destined for TCP port 1723 and protocol 47 traffic to be routed through the firewall or router.

PPTP connections may be limited or impossible to set up through a masqueraded/NAT IP connection. Please see the Microsoft and RFC links for more information.






PPTP Client Setup


Submenu level: /interface pptp-client

Property Description


add-default-route (yes | no; default: no) - whether to use the server which this client is connected to as its default router (gateway)
allow (multiple choice: mschap2, mschap1, chap, pap; default: mschap2, mschap1, chap, pap) - the protocols the client is allowed to use for authentication
connect-to (IP address) - the IP address of the PPTP server to connect to
max-mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MRU of the interface the tunnel is working over decreased by 40 (so, for a 1500-byte Ethernet link, set the MRU to 1460 to avoid fragmentation of packets)
max-mtu (integer; default: 1460) - Maximum Transmission Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for a 1500-byte Ethernet link, set the MTU to 1460 to avoid fragmentation of packets)
mrru (integer: 512..65535; default: disabled) - maximum packet size that can be received on the link. If a packet is bigger than the tunnel MTU, it will be split into multiple packets, allowing full-size IP or Ethernet packets to be sent over the tunnel
  disabled - disable MRRU on this link
name (name; default: pptp-outN) - interface name for reference
password (text; default: "") - user password to use when logging on to the remote server
profile (name; default: default) - profile to use when connecting to the remote server
user (text) - user name to use when logging on to the remote server

Notes




Specifying MRRU means enabling MP (Multilink PPP) over a single link. This protocol is used to split big packets into smaller ones. Under Windows it can be enabled in the Networking tab, Settings button, "Negotiate multi-link for single link connections". Their MRRU is hardcoded to 1614. This setting is useful to overcome Path MTU discovery failures. MP should be enabled on both peers.


Example


To set up a PPTP client named test2 using username john with password john to connect to the 10.1.1.12 PPTP server and use it as the default gateway:
[admin@MikroTik] interface pptp-client> add name=test2 connect-to=10.1.1.12 \
\... user=john add-default-route=yes password=john
[admin@MikroTik] interface pptp-client> print
Flags: X - disabled, R - running
0 X name="test2" max-mtu=1460 max-mru=1460 mrru=disabled connect-to=10.1.1.12
user="john" password="john" profile=default add-default-route=yes
allow=pap,chap,mschap1,mschap2
[admin@MikroTik] interface pptp-client> enable 0


Monitoring PPTP Client


Command name: /interface pptp-client monitor

Property Description


encoding (text) - encryption and encoding (if asymmetric, separated with '/') being used in this connection
idle-time (read-only: time) - time since the last packet has been transmitted over this link
mru (read-only: integer) - effective MRU of the link
mtu (read-only: integer) - effective MTU of the link
status (text) - status of the client
  dialing - attempting to make a connection
  verifying password... - connection has been established to the server, password verification in progress
  connected - self-explanatory
  terminated - interface is not enabled or the other side will not establish a connection
uptime (time) - connection time displayed in days, hours, minutes and seconds

Example


Example of an established connection:
[admin@MikroTik] interface pptp-client> monitor test2
status: "connected"
uptime: 6h44m9s
idle-time: 6h44m9s
encoding: "MPPE128 stateless"
mtu: 1460
mru: 1460
[admin@MikroTik] interface pptp-client>


PPTP Server Setup


Submenu level: /interface pptp-server server

Description


The PPTP server creates a dynamic interface for each connected PPTP client. The PPTP connection count from clients depends on the license level you have. Level1 license allows 1 PPTP client, Level3 or Level4 licenses up to 200 clients, and Level5 or Level6 licenses do not have PPTP client limitations.


Property Description


authentication (multiple choice: pap | chap | mschap1 | mschap2; default: mschap2) - authentication algorithm
default-profile - default profile to use
enabled (yes | no; default: no) - defines whether the PPTP server is enabled or not
keepalive-timeout (time; default: 30) - defines the time period (in seconds) after which the router starts sending keepalive packets every second. If no traffic and no keepalive responses have arrived for that period of time (i.e. 2 * keepalive-timeout), the non-responding client is proclaimed disconnected
max-mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MRU of the interface the tunnel is working over decreased by 40 (so, for a 1500-byte Ethernet link, set the MRU to 1460 to avoid fragmentation of packets)
max-mtu (integer; default: 1460) - Maximum Transmission Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for a 1500-byte Ethernet link, set the MTU to 1460 to avoid fragmentation of packets)
mrru (integer: 512..65535; default: disabled) - maximum packet size that can be received on the link. If a packet is bigger than the tunnel MTU, it will be split into multiple packets, allowing full-size IP or Ethernet packets to be sent over the tunnel
  disabled - disable MRRU on this link


Notes




Specifying MRRU means enabling MP (Multilink PPP) over a single link. This protocol is used to split big packets into smaller ones. Under Windows it can be enabled in the Networking tab, Settings button, "Negotiate multi-link for single link connections". Their MRRU is hardcoded to 1614. This setting is useful to overcome Path MTU discovery failures. MP should be enabled on both peers.


Example


To enable PPTP server:
[admin@MikroTik] interface pptp-server server> set enabled=yes
[admin@MikroTik] interface pptp-server server> print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2,mschap1
keepalive-timeout: 30
default-profile: default
[admin@MikroTik] interface pptp-server server>


PPTP Tunnel Interfaces


Submenu level: /interface pptp-server

Description


There are two types of interface (tunnel) items in the PPTP server configuration: static users and dynamic connections. An interface is created for each tunnel established to the given server. Static interfaces are added administratively if there is a need to reference the particular interface name (in firewall rules or elsewhere) created for a particular user. Dynamic interfaces are added to this list automatically whenever a user connects and its username does not match any existing static entry (or the matching entry is already active, as there cannot be two separate tunnel interfaces referenced by the same name). Dynamic interfaces appear when a user connects and disappear once the user disconnects, so it is impossible to reference the tunnel created for that user in the router configuration (for example, in the firewall); if you need persistent rules for that user, create a static entry for him/her. Otherwise it is safe to use the dynamic configuration. Note that in both cases PPP users must be configured properly: static entries do not replace the PPP configuration.


Property Description


client-address (read-only: IP address) - shows the IP address of the connected client
encoding (read-only: text) - encryption and encoding (if asymmetric, separated with '/') being used in this connection
mru (read-only: integer) - client's MRU
mtu (read-only: integer) - client's MTU
name (name) - interface name
uptime (read-only: time) - shows how long the client has been connected
user (name) - the name of the user that is configured statically or added dynamically

Example


To add a static entry for ex1 user:
[admin@MikroTik] interface pptp-server> add user=ex1
[admin@MikroTik] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC...
0 DR <pptp-ex> ex 1460 10.0.0.202 6m32s none
1 pptp-in1 ex1
[admin@MikroTik] interface pptp-server>

In this example an already connected user ex is shown beside the one we just added. Now the interface named pptp-in1 can be referenced from anywhere in the RouterOS configuration like a regular interface.


PPTP Application Examples



Router-to-Router Secure Tunnel Example


The following is an example of connecting two Intranets using an encrypted PPTP tunnel over the Internet.



There are two routers in this example:


  • [HomeOffice]

    Interface LocalHomeOffice 10.150.2.254/24

    Interface ToInternet 192.168.80.1/24

  • [RemoteOffice]

    Interface ToInternet 192.168.81.1/24

    Interface LocalRemoteOffice 10.150.1.254/24



Each router is connected to a different ISP. One router can access another router through the Internet.

On the PPTP server a user must be set up for the client:
[admin@HomeOffice] ppp secret> add name=ex service=pptp password=lkjrht \
\... local-address=10.0.103.1 remote-address=10.0.103.2
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2 routes=""
[admin@HomeOffice] ppp secret>

Then the user should be added in the PPTP server list:
[admin@HomeOffice] interface pptp-server> add user=ex
[admin@HomeOffice] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC...
0 pptp-in1 ex
[admin@HomeOffice] interface pptp-server>

And finally, the server must be enabled:
[admin@HomeOffice] interface pptp-server server> set enabled=yes
[admin@HomeOffice] interface pptp-server server> print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2
keepalive-timeout: 30
default-profile: default
[admin@HomeOffice] interface pptp-server server>

Add a PPTP client to the RemoteOffice router:
[admin@RemoteOffice] interface pptp-client> add connect-to=192.168.80.1 user=ex \
\... password=lkjrht disabled=no
[admin@RemoteOffice] interface pptp-client> print
Flags: X - disabled, R - running
0 R name="pptp-out1" mtu=1460 mru=1460 mrru=disabled connect-to=192.168.80.1
user="ex" password="lkjrht" profile=default add-default-route=no
allow=pap,chap,mschap1,mschap2
[admin@RemoteOffice] interface pptp-client>

Thus, a PPTP tunnel is created between the routers. This tunnel is like an Ethernet point-to-point connection between the routers with IP addresses 10.0.103.1 and 10.0.103.2 at each router. It enables 'direct' communication between the routers over third party networks.



To route the local Intranets over the PPTP tunnel you need to add these routes:
[admin@HomeOffice] > ip route add dst-address 10.150.1.0/24 gateway 10.0.103.2
[admin@RemoteOffice] > ip route add dst-address 10.150.2.0/24 gateway 10.0.103.1

On the PPTP server it can alternatively be done using routes parameter of the user configuration:
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2 routes=""

[admin@HomeOffice] ppp secret> set 0 routes="10.150.1.0/24 10.0.103.2 1"
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2
routes="10.150.1.0/24 10.0.103.2 1"

[admin@HomeOffice] ppp secret>

Test the PPTP tunnel connection:
[admin@RemoteOffice]> /ping 10.0.103.1
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

Test the connection through the PPTP tunnel to the LocalHomeOffice interface:
[admin@RemoteOffice]> /ping 10.150.2.254
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

To bridge a LAN over this secure tunnel, please see the example in the 'EoIP' section of the manual. To set the maximum speed for traffic over this tunnel, please consult the 'Queues' section.


Connecting a Remote Client via PPTP Tunnel


The following example shows how to connect a computer to a remote office network over a PPTP-encrypted tunnel, giving that computer an IP address from the same network as the remote office (without the need for bridging over EoIP tunnels).

Please consult the respective manual on how to set up a PPTP client with the software you are using.



The router in this example:


  • [RemoteOffice]

    Interface ToInternet 192.168.81.1/24

    Interface Office 10.150.1.254/24



The client computer can access the router through the Internet.

On the PPTP server a user must be set up for the client:
[admin@RemoteOffice] ppp secret> add name=ex service=pptp password=lkjrht \
\... local-address=10.150.1.254 remote-address=10.150.1.2
[admin@RemoteOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.150.1.254 remote-address=10.150.1.2 routes=""

[admin@RemoteOffice] ppp secret>

Then the user should be added in the PPTP server list:
[admin@RemoteOffice] interface pptp-server> add name=FromLaptop user=ex
[admin@RemoteOffice] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC...
0 FromLaptop ex
[admin@RemoteOffice] interface pptp-server>

And the server must be enabled:
[admin@RemoteOffice] interface pptp-server server> set enabled=yes
[admin@RemoteOffice] interface pptp-server server> print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2
keepalive-timeout: 30
default-profile: default
[admin@RemoteOffice] interface pptp-server server>

Finally, proxy ARP must be enabled on the 'Office' interface:
[admin@RemoteOffice] interface ethernet> set Office arp=proxy-arp
[admin@RemoteOffice] interface ethernet> print
Flags: X - disabled, R - running
# NAME MTU MAC-ADDRESS ARP
0 R ToInternet 1500 00:30:4F:0B:7B:C1 enabled
1 R Office 1500 00:30:4F:06:62:12 proxy-arp
[admin@RemoteOffice] interface ethernet>


PPTP Setup for Windows


Microsoft provides PPTP client support for Windows NT, 2000, ME, 98SE, and 98. Windows 98SE, 2000, and ME include support in the Windows setup or automatically install PPTP. For 95, NT, and 98, installation requires a download from Microsoft. Many ISPs have made help pages to assist clients with Windows PPTP installation.


Sample instructions for PPTP (VPN) installation and client setup - Windows 98SE


If the VPN (PPTP) support is installed, select 'Dial-up Networking' and 'Create a new connection'. The option to create a 'VPN' should be selected. If there are no 'VPN' options, then follow the installation instructions below. When asked for the 'Host name or IP address of the VPN server', type the IP address of the router. Double-click on the 'new' icon and type the correct user name and password (these must also be in the user database on the router or on the RADIUS server used for authentication).

Connection setup takes nine seconds after selecting the 'connect' button. It is suggested that the connection properties be edited so that 'NetBEUI', 'IPX/SPX compatible', and 'Log on to network' are unselected. The setup time for the connection will then be two seconds after the 'connect' button is selected.

To install the 'Virtual Private Networking' support for Windows 98SE, go to the 'Setting' menu from the main 'Start' menu. Select 'Control Panel', select 'Add/Remove Program', select the 'Windows setup' tab, select the 'Communications' software for installation and 'Details'. Go to the bottom of the list of software and select 'Virtual Private Networking' to be installed.


Troubleshooting



Description




  • I use a firewall and I cannot establish a PPTP connection

    Make sure that TCP connections to port 1723 can pass in both directions between your sites. IP protocol 47 (GRE) must also be passed through.
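As an added example (not from the manual), the firewall filter rules that let exactly this traffic reach a RouterOS PPTP server: the TCP port 1723 control connection and the GRE (IP protocol 47) data stream described in the PPTP description above. It assumes the server's Internet-facing interface is named ToInternet, as in the application examples, and that the input chain otherwise drops unsolicited traffic.

```routeros
# Added example (not from the manual). Assumes the PPTP server's
# Internet-facing interface is named ToInternet and that the input
# chain ends in a drop rule for everything not explicitly accepted.

# Replies to connections the router itself opened are accepted first.
/ip firewall filter add chain=input connection-state=established,related \
    action=accept comment="accept established/related"

# PPTP control channel: TCP port 1723 from the Internet.
/ip firewall filter add chain=input in-interface=ToInternet protocol=tcp \
    dst-port=1723 action=accept comment="PPTP control (TCP 1723)"

# PPTP data channel: GRE (IP protocol 47). GRE has no ports, so the
# rule can only match on the protocol (add src-address=... if the
# remote router's address is fixed, as it is in the examples above).
/ip firewall filter add chain=input in-interface=ToInternet protocol=gre \
    action=accept comment="PPTP data (GRE, IP protocol 47)"

# Everything else arriving from the Internet is dropped.
/ip firewall filter add chain=input in-interface=ToInternet action=drop \
    comment="drop other input from the Internet"

# Verify rule order and watch the counters rise once a client connects.
/ip firewall filter print stats
```

The GRE rule is the one that NAT breaks: GRE carries no port numbers, so a masquerading router in the path has nothing to translate, which is why the description above says PPTP may be impossible to set up through NAT.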



© Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA. Other trademarks and registered trademarks mentioned herein are properties of their respective owners.

L2TP Tunnel

General Information



Summary


L2TP (Layer 2 Tunnel Protocol) supports encrypted tunnels over IP. The MikroTik RouterOS implementation includes support for both L2TP client and server.

General applications of L2TP tunnels include:


  • secure router-to-router tunnels over the Internet

  • linking (bridging) local Intranets or LANs

  • extending PPP user connections to a remote location (for example, to separate the authentication and Internet access points for an ISP)

  • accessing an Intranet/LAN of a company for remote (mobile) clients (employees)



Each L2TP connection is composed of a server and a client. The MikroTik RouterOS may function as a server or client or, for various configurations, it may be the server for some connections and client for other connections.


Quick Setup Guide


To make an L2TP tunnel between 2 MikroTik routers with IP addresses 10.5.8.104 (L2TP server) and 10.1.0.172 (L2TP client), follow these steps.


  • Configuration on L2TP server router:


    1. Add an L2TP user:
      [admin@L2TP-Server] ppp secret> add name=user password=passwd \
      \... local-address=10.0.0.1 remote-address=10.0.0.2


    2. Enable the L2TP server:
      [admin@L2TP-Server] interface l2tp-server server> set enabled=yes




  • Configuration on L2TP client router:


    1. Add an L2TP client:
      [admin@L2TP-Client] interface l2tp-client> add user=user password=passwd \
      \... connect-to=10.5.8.104







Specifications


Packages required: ppp
License required: Level1 (limited to 1 tunnel) , Level3 (limited to 200 tunnels) , Level5
Submenu level: /interface l2tp-server, /interface l2tp-client
Standards and Technologies: L2TP (RFC 2661)
Hardware usage: Not significant

Description


L2TP is a secure tunnel protocol for transporting IP traffic using PPP. L2TP encapsulates PPP in virtual lines that run over IP, Frame Relay and other protocols (that are not currently supported by MikroTik RouterOS). L2TP incorporates PPP and MPPE (Microsoft Point to Point Encryption) to make encrypted links. The purpose of this protocol is to allow the Layer 2 and PPP endpoints to reside on different devices interconnected by a packet-switched network. With L2TP, a user has a Layer 2 connection to an access concentrator - LAC (e.g., modem bank, ADSL DSLAM, etc.), and the concentrator then tunnels individual PPP frames to the Network Access Server - NAS. This allows the actual processing of PPP packets to be separated from the termination of the Layer 2 circuit. From the user's perspective, there is no functional difference between having the L2 circuit terminate in a NAS directly or using L2TP.

It may also be useful to use L2TP just as any other tunneling protocol, with or without encryption. The L2TP standard says that the most secure way to encrypt data is to use L2TP over IPsec (note that this is the default mode for the Microsoft L2TP client), as all L2TP control and data packets for a particular tunnel appear as homogeneous UDP/IP data packets to the IPsec system.

Multilink PPP (MP) is supported in order to provide MRRU (the ability to transmit full-sized 1500-byte and larger packets) and bridging over PPP links (using the Bridge Control Protocol (BCP), which allows raw Ethernet frames to be sent over PPP links). This way it is possible to set up bridging without EoIP. The bridge should either have an administratively set MAC address or an Ethernet-like interface in it, as PPP links do not have MAC addresses.

L2TP includes PPP authentication and accounting for each L2TP connection. Full authentication and accounting of each connection may be done through a RADIUS client or locally.

MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported.

L2TP traffic uses the UDP protocol for both control and data packets. UDP port 1701 is used only for link establishment; subsequent traffic uses any available UDP port (which may or may not be 1701). This means that L2TP can be used with most firewalls and routers (even with NAT) by enabling UDP traffic to be routed through the firewall or router.
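An added example (not the manual's own) of the matching input-chain rules for an L2TP server, assuming again that the Internet-facing interface is named ToInternet as in the application examples. It differs from the PPTP case in that there is no separate GRE stream, and the later packets of a session, which this paragraph says may leave port 1701, are admitted through connection tracking rather than by port number.

```routeros
# Added example (not from the manual). Assumes the L2TP server's
# Internet-facing interface is named ToInternet and that the input
# chain ends in a drop rule for everything not explicitly accepted.

# L2TP sessions are plain UDP. Accepting established/related first lets
# the later packets of a tracked session through even when they no
# longer use port 1701, as the description above says they may.
/ip firewall filter add chain=input connection-state=established,related \
    action=accept comment="accept established/related"

# Tunnel establishment: UDP port 1701 from the Internet.
/ip firewall filter add chain=input in-interface=ToInternet protocol=udp \
    dst-port=1701 action=accept comment="L2TP (UDP 1701)"

# Everything else arriving from the Internet is dropped.
/ip firewall filter add chain=input in-interface=ToInternet action=drop \
    comment="drop other input from the Internet"

# Check that the session is being tracked and which ports it is using.
/ip firewall connection print
```

On the client router the reverse does not hold: if the server answers from a port other than 1701, connection tracking on the client sees a new inbound flow rather than a reply, so a client whose input chain drops by default needs an explicit accept rule for UDP from the server's address.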


L2TP Client Setup


Submenu level: /interface l2tp-client

Property Description


add-default-route (yes | no; default: no) - whether to use the server which this client is connected to as its default router (gateway)
allow (multiple choice: mschap2, mschap1, chap, pap; default: mschap2, mschap1, chap, pap) - the protocols the client is allowed to use for authentication
connect-to (IP address) - the IP address of the L2TP server to connect to
max-mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MRU of the interface the tunnel is working over decreased by 40 (so, for a 1500-byte Ethernet link, set the MRU to 1460 to avoid fragmentation of packets)
max-mtu (integer; default: 1460) - Maximum Transmission Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for a 1500-byte Ethernet link, set the MTU to 1460 to avoid fragmentation of packets)
mrru (integer: 512..65535; default: disabled) - maximum packet size that can be received on the link. If a packet is bigger than the tunnel MTU, it will be split into multiple packets, allowing full-size IP or Ethernet packets to be sent over the tunnel
  disabled - disable MRRU on this link
name (name; default: l2tp-outN) - interface name for reference
password (text; default: "") - user password to use when logging on to the remote server
profile (name; default: default) - profile to use when connecting to the remote server
user (text) - user name to use when logging on to the remote server

Notes




Specifying MRRU means enabling MP (Multilink PPP) over a single link. This protocol is used to split big packets into smaller ones. Under Windows it can be enabled in the Networking tab, Settings button, "Negotiate multi-link for single link connections". Their MRRU is hardcoded to 1614. This setting is useful to overcome Path MTU discovery failures. MP should be enabled on both peers.


Example


To set up L2TP client named test2 using username john with password john to connect to the 10.1.1.12 L2TP server and use it as the default gateway:
[admin@MikroTik] interface l2tp-client> add name=test2 connect-to=10.1.1.12 \
\... user=john add-default-route=yes password=john
[admin@MikroTik] interface l2tp-client> print
Flags: X - disabled, R - running
0 X name="test2" max-mtu=1460 max-mru=1460 mrru=disabled connect-to=10.1.1.12
user="john" password="john" profile=default add-default-route=yes
allow=pap,chap,mschap1,mschap2
[admin@MikroTik] interface l2tp-client> enable 0


Monitoring L2TP Client


Command name: /interface l2tp-client monitor

Property Description


encoding (text) - encryption and encoding (if asymmetric, separated with '/') being used in this connection
idle-time (read-only: time) - time since the last packet has been transmitted over this link
mru (read-only: integer) - effective MRU of the link
mtu (read-only: integer) - effective MTU of the link
status (text) - status of the client
  dialing - attempting to make a connection
  verifying password... - connection has been established to the server, password verification in progress
  connected - self-explanatory
  terminated - interface is not enabled or the other side will not establish a connection
uptime (time) - connection time displayed in days, hours, minutes and seconds

Example


Example of an established connection:
[admin@MikroTik] interface l2tp-client> monitor test2
status: "connected"
uptime: 6h44m9s
idle-time: 6h44m9s
encoding: "MPPE128 stateless"
mtu: 1460
mru: 1460
[admin@MikroTik] interface l2tp-client>


L2TP Server Setup


Submenu level: /interface l2tp-server server

Description


The L2TP server creates a dynamic interface for each connected L2TP client. The L2TP connection count from clients depends on the license level you have. Level1 license allows 1 L2TP client, Level3 or Level4 licenses up to 200 clients, and Level5 or Level6 licenses do not have L2TP client limitations.

To create L2TP users, you should consult the PPP Secret and PPP Profile manuals. It is also possible to use the MikroTik router as a RADIUS client to register the L2TP users; see the manual on how to do this.


Property Description


authentication (multiple choice: pap | chap | mschap1 | mschap2; default: mschap2) - authentication algorithm
default-profile - default profile to use
enabled (yes | no; default: no) - defines whether the L2TP server is enabled or not
keepalive-timeout (time; default: 30) - defines the time period (in seconds) after which the router starts sending keepalive packets every second. If no traffic and no keepalive responses have arrived for that period of time (i.e. 2 * keepalive-timeout), the non-responding client is proclaimed disconnected
max-mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MRU of the interface the tunnel is working over decreased by 40 (so, for a 1500-byte Ethernet link, set the MRU to 1460 to avoid fragmentation of packets)
max-mtu (integer; default: 1460) - Maximum Transmission Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for a 1500-byte Ethernet link, set the MTU to 1460 to avoid fragmentation of packets)
mrru (integer: 512..65535; default: disabled) - maximum packet size that can be received on the link. If a packet is bigger than the tunnel MTU, it will be split into multiple packets, allowing full-size IP or Ethernet packets to be sent over the tunnel
  disabled - disable MRRU on this link


Notes




Specifying MRRU means enabling MP (Multilink PPP) over a single link. This protocol is used to split big packets into smaller ones. Under Windows it can be enabled in the Networking tab, Settings button, "Negotiate multi-link for single link connections". Their MRRU is hardcoded to 1614. This setting is useful to overcome Path MTU discovery failures. MP should be enabled on both peers.


Example


To enable L2TP server:
[admin@MikroTik] interface l2tp-server server> set enabled=yes
[admin@MikroTik] interface l2tp-server server> print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2,mschap1
keepalive-timeout: 30
default-profile: default
[admin@MikroTik] interface l2tp-server server>
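An added hardening example, not taken from the manual, that tightens the authentication and encryption settings documented in the PPTP and L2TP client and server property descriptions above. Both client examples on this page print allow=pap,chap,mschap1,mschap2, and the ENC column of the PPTP tunnel interface listing shows none for an active session, so this example restricts both ends to mschap2 and makes MPPE mandatory. It assumes the interface name test2 and the profile name default from the page's own examples; use-encryption is a /ppp profile property that this page mentions only by reference to the PPP Profile manual.

```routeros
# Added example (not from the manual). Interface name test2 and the
# profile name 'default' are taken from the examples on this page.

# Server side: accept only MS-CHAPv2. pap sends the password in clear
# text and chap/mschap1 are weaker than mschap2, so drop them from the
# list even though the server default already omits pap and chap.
/interface pptp-server server set authentication=mschap2
/interface l2tp-server server set authentication=mschap2

# Client side: the default 'allow' list includes pap and chap, so the
# client would agree to a weaker method if the server offered one.
# Restrict the client to the same single method.
/interface pptp-client set test2 allow=mschap2
/interface l2tp-client set test2 allow=mschap2

# Require MPPE on the PPP profile used by both ends, so a session
# cannot come up with ENC 'none'. (Assumption: the tunnels use the
# 'default' profile, as in the examples above.)
/ppp profile set default use-encryption=required

# Verify: 'encoding' in the client monitor output should report MPPE,
# and the ENC column on the server should no longer read 'none'.
/interface pptp-client monitor test2
/interface pptp-server print
/interface l2tp-server print
```

The two authentication settings have to agree on both routers, otherwise the tunnel stays in the 'verifying password...' state described under Monitoring; apply the change on the server first and then on each client.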


L2TP Tunnel Interfaces


Submenu level: /interface l2tp-server

Description


There are two types of interface (tunnel) items in the L2TP server configuration: static users and dynamic connections. An interface is created for each tunnel established to the given server. Static interfaces are added administratively if there is a need to reference the particular interface name (in firewall rules or elsewhere) created for a particular user. Dynamic interfaces are added to this list automatically whenever a user connects and its username does not match any existing static entry (or the matching entry is already active, as there cannot be two separate tunnel interfaces referenced by the same name). Dynamic interfaces appear when a user connects and disappear once the user disconnects, so it is impossible to reference the tunnel created for that user in the router configuration (for example, in the firewall); if you need persistent rules for that user, create a static entry for him/her. Otherwise it is safe to use the dynamic configuration. Note that in both cases PPP users must be configured properly: static entries do not replace the PPP configuration.


Property Description


client-address (read-only: IP address) - shows the IP address of the connected client
encoding (read-only: text) - encryption and encoding (if asymmetric, separated with '/') being used in this connection
mru (read-only: integer) - client's MRU
mtu (read-only: integer) - client's MTU
name (name) - interface name
uptime (read-only: time) - shows how long the client has been connected
user (name) - the name of the user that is configured statically or added dynamically

Example


To add a static entry for ex1 user:
[admin@MikroTik] interface l2tp-server> add user=ex1
[admin@MikroTik] interface l2tp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC...
0 DR <l2tp-ex> ex 1460 10.0.0.202 6m32s none
1 l2tp-in1 ex1
[admin@MikroTik] interface l2tp-server>

In this example an already connected user ex is shown beside the one we just added. Now the interface named l2tp-in1 can be referenced from anywhere in the RouterOS configuration like a regular interface.


L2TP Application Examples



Router-to-Router Secure Tunnel Example


The following is an example of connecting two Intranets using an encrypted L2TP tunnel over the Internet.



There are two routers in this example:


  • [HomeOffice]

    Interface LocalHomeOffice 10.150.2.254/24

    Interface ToInternet 192.168.80.1/24

  • [RemoteOffice]

    Interface ToInternet 192.168.81.1/24

    Interface LocalRemoteOffice 10.150.1.254/24



Each router is connected to a different ISP. One router can access another router through the Internet.

On the L2TP server a user must be set up for the client:
[admin@HomeOffice] ppp secret> add name=ex service=l2tp password=lkjrht \
\... local-address=10.0.103.1 remote-address=10.0.103.2
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=l2tp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2 routes=""
[admin@HomeOffice] ppp secret>

Then the user should be added in the L2TP server list:
[admin@HomeOffice] interface l2tp-server> add user=ex
[admin@HomeOffice] interface l2tp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC...
0 l2tp-in1 ex
[admin@HomeOffice] interface l2tp-server>

And finally, the server must be enabled:
[admin@HomeOffice] interface l2tp-server server> set enabled=yes
[admin@HomeOffice] interface l2tp-server server> print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2
keepalive-timeout: 30
default-profile: default
[admin@HomeOffice] interface l2tp-server server>

Add an L2TP client to the RemoteOffice router:
[admin@RemoteOffice] interface l2tp-client> add connect-to=192.168.80.1 user=ex \
\... password=lkjrht disabled=no
[admin@RemoteOffice] interface l2tp-client> print
Flags: X - disabled, R - running
0 R name="l2tp-out1" mtu=1460 mru=1460 mrru=disabled connect-to=192.168.80.1
user="ex" password="lkjrht" profile=default add-default-route=no
allow=pap,chap,mschap1,mschap2
[admin@RemoteOffice] interface l2tp-client>

Thus, an L2TP tunnel is created between the routers. This tunnel is like an Ethernet point-to-point connection between the routers with IP addresses 10.0.103.1 and 10.0.103.2 at each router. It enables 'direct' communication between the routers over third-party networks.



To route the local Intranets over the L2TP tunnel you need to add these routes:
[admin@HomeOffice] > ip route add dst-address 10.150.1.0/24 gateway 10.0.103.2
[admin@RemoteOffice] > ip route add dst-address 10.150.2.0/24 gateway 10.0.103.1

On the L2TP server this can alternatively be done using the routes parameter of the user configuration:
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=l2tp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2 routes==""

[admin@HomeOffice] ppp secret> set 0 routes="10.150.1.0/24 10.0.103.2 1"
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=l2tp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2
routes="10.150.1.0/24 10.0.103.2 1"

[admin@HomeOffice] ppp secret>

Test the L2TP tunnel connection:
[admin@RemoteOffice]> /ping 10.0.103.1
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

Test the connection through the L2TP tunnel to the LocalHomeOffice interface:
[admin@RemoteOffice]> /ping 10.150.2.254
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

To bridge a LAN over this secure tunnel, please see the example in the 'EoIP' section of the manual. To set the maximum speed for traffic over this tunnel, please consult the 'Queues' section.


Connecting a Remote Client via L2TP Tunnel


The following example shows how to connect a computer to a remote office network over an L2TP encrypted tunnel, giving that computer an IP address from the same network as the remote office (without the need for bridging over EoIP tunnels).

Please consult the respective manual on how to set up an L2TP client with the software you are using.



The router in this example:


  • [RemoteOffice]

    Interface ToInternet 192.168.81.1/24

    Interface Office 10.150.1.254/24



The client computer can access the router through the Internet.

On the L2TP server a user must be set up for the client:
[admin@RemoteOffice] ppp secret> add name=ex service=l2tp password=lkjrht
local-address=10.150.1.254 remote-address=10.150.1.2
[admin@RemoteOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=l2tp caller-id="" password="lkjrht" profile=default
local-address=10.150.1.254 remote-address=10.150.1.2 routes==""

[admin@RemoteOffice] ppp secret>

Then the user should be added in the L2TP server list:
[admin@RemoteOffice] interface l2tp-server> add name=FromLaptop user=ex
[admin@RemoteOffice] interface l2tp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC...
0 FromLaptop ex
[admin@RemoteOffice] interface l2tp-server>

And the server must be enabled:
[admin@RemoteOffice] interface l2tp-server server> set enabled=yes
[admin@RemoteOffice] interface l2tp-server server> print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2
keepalive-timeout: 30
default-profile: default
[admin@RemoteOffice] interface l2tp-server server>

Finally, proxy ARP must be enabled on the 'Office' interface:
[admin@RemoteOffice] interface ethernet> set Office arp=proxy-arp
[admin@RemoteOffice] interface ethernet> print
Flags: X - disabled, R - running
# NAME MTU MAC-ADDRESS ARP
0 R ToInternet 1500 00:30:4F:0B:7B:C1 enabled
1 R Office 1500 00:30:4F:06:62:12 proxy-arp
[admin@RemoteOffice] interface ethernet>


L2TP Setup for Windows


Microsoft provides L2TP client support for Windows XP, 2000, NT4, ME and 98. Windows 2000 and XP include support in the Windows setup or install L2TP automatically. For 98, NT and ME, installation requires a download from Microsoft (L2TP/IPsec VPN Client).

For more information, see:

Microsoft L2TP/IPsec VPN Client

On Windows 2000, L2TP setup without IPsec requires editing the registry:

Disabling IPsec for the Windows 2000 Client

Disabling IPSEC Policy Used with L2TP


Troubleshooting



Description




  • I use a firewall and I cannot establish an L2TP connection

    Make sure UDP connections can pass through in both directions between your sites.

  • My Windows L2TP/IPsec VPN Client fails to connect to the L2TP server with "Error 789" or "Error 781"

    The error messages 789 and 781 occur when IPsec is not configured properly on both ends. See the respective documentation on how to configure IPsec in the Microsoft L2TP/IPsec VPN Client and in MikroTik RouterOS. If you do not want to use IPsec, it can easily be switched off on the client side. Note: if you are using Windows 2000, you need to edit the system registry using regedt32.exe or regedit.exe. Add the following registry value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters:
    Value Name: ProhibitIpSec
    Data Type: REG_DWORD
    Value: 1




You must restart Windows 2000 for the changes to take effect.

For more information on configuring Windows 2000, see:

© Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA. Other trademarks and registered trademarks mentioned herein are properties of their respective owners.

IP Security

General Information



Specifications


Packages required: security
License required: Level1
Submenu level: /ip ipsec
Standards and Technologies: IPsec
Hardware usage: consumes a lot of CPU time (Intel Pentium MMX or AMD K6 suggested as a minimal configuration)

Description


IPsec (IP Security) supports secure (encrypted, digitally signed) communications over IP networks.

Encryption

After a packet is src-natted (if needed), but before it is put into the interface queue, the IPsec policy database is consulted to find out whether the packet should be encrypted. The Security Policy Database (SPD) is a list of rules that have two parts:



    • Packet matching - the packet's source/destination, protocol and ports (for TCP and UDP) are compared to the values in the policy rules, one rule after another

    • Action - if a rule matches, the action specified in the rule is performed:





  • none - continue with the packet as if there was no IPsec

  • discard - drop the packet

  • encrypt - apply IPsec transformations to the packet




Each SPD rule can be associated with several Security Associations (SAs) that determine the packet encryption parameters (key, algorithm, SPI).

Note that a packet can only be encrypted if there is a usable SA for the policy rule. The same SA may be used for different policies, unless a policy specifically prohibits it. By setting the SPD rule security "level", the user can control what happens when there is no valid SA for the policy rule:


  • use - if there is no valid SA, send the packet unencrypted (like an accept rule)

  • require - drop the packet, and ask the IKE daemon to establish a new SA.

  • unique - same as require, but establish a unique SA for this policy (i.e., this SA may not be shared with another policy)



Decryption

When an encrypted packet is received for the local host (after dst-nat and the input filter), the appropriate SA is looked up to decrypt it (using the packet's source, destination, security protocol and SPI value). If no SA is found, the packet is dropped. If an SA is found, the packet is decrypted. Then the decrypted packet's fields are compared to the policy rule that the SA is linked to. If the packet does not match the policy rule, it is dropped. If the packet is decrypted (or authenticated) successfully, it is "received once more": it goes through dst-nat and routing (which decides whether to forward it or deliver it locally) again.

Note that before the forward and input firewall chains, a packet that was not decrypted on the local host is compared with the SPD with its matching rules reversed. If the SPD requires encryption (there is a valid SA associated with the matching SPD rule), the packet is dropped. This is called the incoming policy check.

Internet Key Exchange

The Internet Key Exchange (IKE) is a protocol that provides authenticated keying material for the Internet Security Association and Key Management Protocol (ISAKMP) framework. There are other key exchange schemes that work with ISAKMP, but IKE is the most widely used one. Together they provide the means for authentication of hosts and automatic management of security associations (SAs).

Most of the time the IKE daemon is doing nothing. There are two possible situations in which it is activated:


  • There is some traffic caught by a policy rule that needs to be encrypted or authenticated, but the policy does not have any SAs. The policy notifies the IKE daemon about that, and the IKE daemon initiates a connection to the remote host.

  • The IKE daemon responds to a remote connection.



In both cases, the peers establish a connection and execute two phases:


  • Phase 1 - The peers agree upon the algorithms they will use in the following IKE messages and authenticate each other. The keying material used to derive keys for all SAs and to protect the following ISAKMP exchanges between the hosts is also generated.

  • Phase 2 - The peers establish one or more SAs that will be used by IPsec to encrypt data. All SAs established by the IKE daemon have lifetime values (either limiting the time after which the SA becomes invalid, or the amount of data that can be encrypted by this SA, or both).



There are two lifetime values - soft and hard. When an SA reaches its soft lifetime threshold, the IKE daemon receives a notice and starts another phase 2 exchange to replace this SA with a fresh one. If an SA reaches its hard lifetime, it is discarded.

IKE can optionally provide Perfect Forward Secrecy (PFS), a property of key exchanges which, for IKE, means that compromising the long-term phase 1 key does not easily give access to all the IPsec data protected by SAs established through that phase 1. To achieve this, additional keying material is generated for each phase 2.

Generation of keying material is computationally very expensive. Exempli gratia, the use of the modp8192 group can take several seconds even on a very fast computer. It usually takes place once per phase 1 exchange, which happens only once between any host pair and is then kept for a long time. PFS adds this expensive operation to each phase 2 exchange as well.

Diffie-Hellman Groups

The Diffie-Hellman (DH) key exchange protocol allows two parties without any initial shared secret to create one securely. The following Modular Exponential (MODP) and Elliptic Curve (EC2N) Diffie-Hellman (also known as "Oakley") groups are supported:

Diffie-Hellman Group    Name                       Reference
Group 1                 768 bit MODP group         RFC2409
Group 2                 1024 bits MODP group       RFC2409
Group 3                 EC2N group on GP(2^155)    RFC2409
Group 4                 EC2N group on GP(2^185)    RFC2409
Group 5                 1536 bits MODP group       RFC3526
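A runnable illustration of the exchange behind these groups, and of what PFS buys, added here as an example (it is not RouterOS code). The prime and generator are the RFC 2409 group 2 values ("modp1024", the default dh-group of a peer entry); the DHParty class, the simplified key derivation and the rekey loop are assumptions made for this example, and neither the real IKE PRF nor peer authentication is modelled. The block also verifies that the group prime is a safe prime and rejects the degenerate public values 0, 1 and p-1, which is the minimum an implementation must check before trusting a value received from a peer.

```python
"""Diffie-Hellman over the 1024-bit MODP group (IKE "Group 2", RFC 2409) and a
PFS-style rekey.  Added example, not RouterOS code: the prime and generator are
the RFC 2409 group 2 values; the party class, the simplified key derivation and
the rekey loop are constructed for this example (a real IKE daemon also
authenticates the exchange and uses the RFC 2409 PRF, neither modelled here).
"""
import hashlib
import secrets
from typing import Set, Tuple

# RFC 2409 section 6.2, "Second Oakley Group" (1024-bit MODP), generator 2.
MODP1024_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
MODP1024_G = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases; used to sanity-check the group parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """MODP groups use safe primes (p = 2q + 1, q prime): generator 2 then spans a
    subgroup of prime order q, so the only weak public values are 0, 1 and p-1."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


class DHParty:
    """One IKE peer's half of a DH exchange."""

    def __init__(self, p: int = MODP1024_P, g: int = MODP1024_G) -> None:
        self.p, self.g = p, g
        self.x = secrets.randbelow(p - 2) + 1      # private exponent in [1, p-2]
        self.public = pow(g, self.x, p)            # g^x mod p, sent to the peer

    def shared_secret(self, peer_public: int) -> int:
        # 0, 1 and p-1 force the shared secret into a handful of known values.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.x, self.p)


def derive_key(shared: int, nonce_i: bytes, nonce_r: bytes, p: int = MODP1024_P) -> bytes:
    """Simplified SKEYID-style derivation (constructed): hash the fixed-width
    shared secret together with both peers' nonces."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big") + nonce_i + nonce_r).digest()


def phase1_keys() -> Tuple[bytes, bytes]:
    """Both peers derive the same phase 1 key from each other's public values."""
    initiator, responder = DHParty(), DHParty()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    k_i = derive_key(initiator.shared_secret(responder.public), ni, nr)
    k_r = derive_key(responder.shared_secret(initiator.public), ni, nr)
    return k_i, k_r


def phase2_keys_with_pfs(count: int) -> Set[bytes]:
    """With PFS every phase 2 runs a fresh DH exchange, so each SA gets keying
    material that the phase 1 secret cannot reproduce: one distinct key per SA."""
    keys = set()
    for _ in range(count):
        a, b = DHParty(), DHParty()                # fresh exponents every time
        keys.add(derive_key(a.shared_secret(b.public), b"ni", b"nr"))
    return keys


if __name__ == "__main__":
    print("group 2 prime is a safe prime:", is_safe_prime(MODP1024_P))
    ki, kr = phase1_keys()
    print("phase 1 keys agree:", ki == kr)
    print("distinct PFS phase 2 keys:", len(phase2_keys_with_pfs(3)))
```

The primality checks are the expensive part of the block; timing them gives a feel for the "computationally very expensive" remark above, and shows why a non-PFS setup amortises a single exchange over the lifetime of the phase 1 SA.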

IKE Traffic

To avoid problems with IKE packets hitting an SPD rule that requires them to be encrypted with an SA that is not yet established (possibly the very SA the packet is trying to establish), locally originated packets with UDP source port 500 are not processed by the SPD. In the same way, packets with UDP destination port 500 that are to be delivered locally are not processed by the incoming policy check.
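The outbound SPD lookup, the level semantics when no SA exists, the incoming policy check and the UDP port 500 exemptions described in the Encryption, Decryption and IKE Traffic sections can be put together in one small model. This is an added example, not RouterOS code: the Packet, SA and Policy classes, the outbound and incoming_check functions and the sample policies (the manual's 10.0.0.147/10.0.0.148 host pair plus a constructed action=none exemption for TCP port 22) are assumptions made for the example; the rule order, the three actions, the three levels and the port 500 exemptions follow the text.

```python
"""Model of the RouterOS IPsec SPD decisions (added example, not RouterOS code).
The rule order, actions, SA levels, incoming policy check and the UDP/500 IKE
exemption follow the manual text; the classes and sample policies are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

IKE_PORT = 500  # IKE packets bypass the SPD so they can never "require" the SA they negotiate


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class SA:
    spi: int
    bound_to: Optional[str] = None  # name of a level=unique policy, or None if shareable


@dataclass(frozen=True)
class Policy:
    name: str
    src_net: str
    dst_net: str
    action: str = "encrypt"         # none | discard | encrypt
    level: str = "require"          # use | require | unique
    protocol: str = "all"
    src_port: Optional[int] = None  # None means "any"
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src_net) or ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.protocol not in ("all", pkt.proto):
            return False
        if pkt.proto in ("tcp", "udp") and (self.src_port not in (None, pkt.sport) or self.dst_port not in (None, pkt.dport)):
            return False            # ports are only compared for TCP and UDP
        return True

    def usable_sa(self, sas: List[SA]) -> Optional[SA]:
        for sa in sas:              # a unique policy only uses an SA bound to it
            if self.level == "unique" and sa.bound_to == self.name:
                return sa
            if self.level != "unique" and sa.bound_to in (None, self.name):
                return sa
        return None


def outbound(spd: List[Policy], sas: List[SA], pkt: Packet) -> Tuple[str, str]:
    """Decision after src-nat, before the interface queue: (verdict, reason), verdict in clear/drop/encrypt."""
    if pkt.proto == "udp" and pkt.sport == IKE_PORT:
        return "clear", "locally originated IKE traffic is not processed by the SPD"
    for pol in spd:                 # first matching rule wins
        if not pol.matches(pkt):
            continue
        if pol.action == "none":
            return "clear", f"{pol.name}: action=none"
        if pol.action == "discard":
            return "drop", f"{pol.name}: action=discard"
        sa = pol.usable_sa(sas)
        if sa is not None:
            return "encrypt", f"{pol.name}: SA spi={sa.spi:#x}"
        if pol.level == "use":
            return "clear", f"{pol.name}: no SA, level=use sends it unencrypted"
        if pol.level == "require":
            return "drop", f"{pol.name}: no SA, IKE asked to establish one"
        return "drop", f"{pol.name}: no SA, IKE asked to establish a unique one"
    return "clear", "no matching policy"


def incoming_check(spd: List[Policy], sas: List[SA], pkt: Packet, decrypted: bool = False) -> Tuple[str, str]:
    """Incoming policy check before the input/forward chains: a packet NOT decrypted here is
    matched with src/dst (and ports) swapped; encryption required plus a valid SA means drop."""
    if decrypted:
        return "accept", "already checked against the policy of its SA"
    if pkt.proto == "udp" and pkt.dport == IKE_PORT:
        return "accept", "IKE traffic is not subject to the incoming policy check"
    mirrored = Packet(pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
    for pol in spd:
        if pol.matches(mirrored):
            if pol.action == "encrypt" and pol.usable_sa(sas) is not None:
                return "drop", f"{pol.name}: cleartext where encryption is required"
            return "accept", f"{pol.name}: no encryption enforced"
    return "accept", "no matching policy"


# Constructed sample: the manual's host pair, with an action=none SSH exemption above it.
SPD = [
    Policy("mgmt-clear", "10.0.0.147/32", "10.0.0.148/32", action="none", protocol="tcp", dst_port=22),
    Policy("host-pair", "10.0.0.147/32", "10.0.0.148/32"),
]
SAS = [SA(spi=0xE727605)]
```

The incoming check is the piece that is easy to forget when reasoning about IPsec: once an SA exists for the host pair, a cleartext packet claiming to come from the peer is dropped even though nothing in the firewall filter mentions IPsec, which is exactly what prevents an on-path party from bypassing the tunnel by sending plain packets with the peer's address.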

Setup Procedure

To get IPsec to work with automatic keying using IKE-ISAKMP, you will have to configure policy, peer and (optionally) proposal entries.

For manual keying you will have to configure policy and manual-sa entries.


Policy Settings


Submenu level: /ip ipsec policy

Description


Policy table is needed to determine whether security settings should be applied to a packet.


Property Description


action (none | discard | encrypt; default: accept) - specifies what action to undertake with a packet that matches the policy
none - pass the packet unchanged
discard - drop the packet
encrypt - apply the transformations specified in this policy and its SA

dont-fragment (clear | inherit | set; default: clear) - the state of the don't fragment IP header field
clear - clear (unset) the field, so that packets previously marked as don't fragment can be fragmented. This setting is recommended, as packets get larger when the IPsec protocol is applied to them, so large packets with the don't fragment flag set would not be able to pass the router
inherit - do not change the field
set - set the field, so that each packet matching the rule will not be fragmented. Not recommended

dst-address (IP address/netmask:port; default: 0.0.0.0/32:any) - destination IP address

dynamic (read-only: flag) - whether the rule has been created dynamically

in-accepted (integer) - how many incoming packets were passed through by the policy without an attempt to decrypt

in-dropped (integer) - how many incoming packets were dropped by the policy without an attempt to decrypt

in-transformed (integer) - how many incoming packets were decrypted (ESP) and/or verified (AH) by the policy

inactive (read-only: flag) - whether the rule is inactive (it may become inactive due to some misconfiguration)

ipsec-protocols (multiple choice: ah | esp; default: esp) - specifies what combination of Authentication Header and Encapsulating Security Payload protocols you want to apply to matched traffic. AH is applied after ESP, and in case of tunnel mode ESP will be applied in tunnel mode and AH in transport mode

level (unique | require | use; default: require) - specifies what to do if some of the SAs for this policy cannot be found:
use - skip this transform, do not drop packet and do not acquire SA from IKE daemon
require - drop packet and acquire SA
unique - drop packet and acquire a unique SA that is only used with this particular policy

manual-sa (name; default: none) - name of manual-sa template that will be used to create SAs for this policy
none - no manual keys are set

out-accepted (integer) - how many outgoing packets were passed through by the policy without an attempt to encrypt

out-dropped (integer) - how many outgoing packets were dropped by the policy without an attempt to encrypt

out-transformed (integer) - how many outgoing packets were encrypted (ESP) and/or signed (AH)

ph2-state (read-only: expired | no-phase2 | established) - indication of the progress of key establishment
expired - there are some leftovers from a previous phase 2. In general it is similar to no-phase2
no-phase2 - no keys are established at the moment
established - appropriate SAs are in place and everything should be working fine

priority (integer; default: 0) - policy ordering classifier (signed integer). A larger number means higher priority

proposal (name; default: default) - name of the proposal information that will be sent by the IKE daemon to establish SAs for this policy

protocol (name | integer; default: all) - IP packet protocol to match

sa-dst-address (IP address; default: 0.0.0.0) - SA destination IP address (remote peer)

sa-src-address (IP address; default: 0.0.0.0) - SA source IP address (local peer)

src-address (IP address/netmask:port; default: 0.0.0.0/32:any) - source IP address

tunnel (yes | no; default: no) - specifies whether to use tunnel mode

Notes




All packets are IPIP encapsulated in tunnel mode, and their new IP header's src-address and dst-address are set to the sa-src-address and sa-dst-address values of this policy. If you do not use tunnel mode (id est, you use transport mode), then only packets whose source and destination addresses are the same as sa-src-address and sa-dst-address can be processed by this policy. Transport mode can only work with packets that originate at and are destined for IPsec peers (hosts that established security associations). To encrypt traffic between networks (or a network and a host) you have to use tunnel mode.



It is good to have dont-fragment cleared, because encrypted packets are always bigger than the original and thus may need fragmentation.



If you are using IKE to establish SAs automatically, then the policies on both routers must exactly match each other; id est, src-address=1.2.3.0/27 on one router and dst-address=1.2.3.0/28 on the other would not work. The source address values on one router MUST be equal to the destination address values on the other one, and vice versa.


Example


To add a policy to encrypt all the traffic between two hosts (10.0.0.147 and 10.0.0.148), we need to do the following:
[admin@MikroTik] ip ipsec policy> add sa-src-address=10.0.0.147 \
\... sa-dst-address=10.0.0.148 action=encrypt
[admin@MikroTik] ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=10.0.0.147/32:any dst-address=10.0.0.148/32:any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=no
sa-src-address=10.0.0.147 sa-dst-address=10.0.0.148 proposal=default
manual-sa=none priority=0

[admin@MikroTik] ip ipsec policy>

To view the policy statistics, do the following:
[admin@MikroTik] ip ipsec policy> print stats
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=10.0.0.147/32:any dst-address=10.0.0.148/32:any
protocol=all ph2-state=no-phase2 in-accepted=0 in-dropped=0
out-accepted=0 out-dropped=0 encrypted=0 not-encrypted=0 decrypted=0
not-decrypted=0

[admin@MikroTik] ip ipsec policy>


Peers


Submenu level: /ip ipsec peer

Description


Peer configuration settings are used to establish connections between IKE daemons (phase 1 configuration). This connection will then be used to negotiate keys and algorithms for SAs.


Property Description


address (IP address/netmask:port; default: 0.0.0.0/32:500) - address prefix. If the remote peer's address matches this prefix, then this peer configuration is used while authenticating and establishing phase 1. If a peer's address matches several configuration entries, the most specific one (i.e. the one with the largest netmask) will be used

auth-method (pre-shared-key | rsa-signature; default: pre-shared-key) - authentication method
pre-shared-key - authenticate by a password (secret) string shared between the peers
rsa-signature - authenticate using a pair of RSA certificates

certificate (name) - name of a certificate on the local side (signing packets; the certificate must have a private key). Only needed if the RSA signature authentication method is used

dh-group (multiple choice: ec2n155 | ec2n185 | modp768 | modp1024 | modp1536; default: modp1024) - Diffie-Hellman group (cipher strength)

enc-algorithm (multiple choice: des | 3des | aes-128 | aes-192 | aes-256; default: 3des) - encryption algorithm. Algorithms are named in order of increasing strength

exchange-mode (multiple choice: main | aggressive | base; default: main) - different ISAKMP phase 1 exchange modes according to RFC 2408. Do not use modes other than main unless you know what you are doing

generate-policy (yes | no; default: no) - allow this peer to establish SAs for non-existing policies. Such policies are created dynamically for the lifetime of the SA. This way it is possible, for example, to create IPsec secured L2TP tunnels, or any other setup where the remote peer's IP address is not known at configuration time

hash-algorithm (multiple choice: md5 | sha1; default: md5) - hashing algorithm. SHA (Secure Hash Algorithm) is stronger, but slower

lifebytes (integer; default: 0) - phase 1 lifetime: specifies how many bytes can be transferred before the SA is discarded
0 - SA expiration will not be due to byte count excess

lifetime (time; default: 1d) - phase 1 lifetime: specifies how long the SA will be valid; the SA will be discarded after this time

nat-traversal (yes | no; default: no) - use the Linux NAT-T mechanism to solve IPsec incompatibility with NAT routers between IPsec peers. This can only be used with the ESP protocol (AH is not supported by design, as it signs the complete packet, including the IP header, which is changed by NAT, rendering the AH signature invalid). The method encapsulates IPsec ESP traffic into UDP streams in order to overcome some minor issues that made ESP incompatible with NAT

proposal-check (multiple choice: claim | exact | obey | strict; default: strict) - phase 2 lifetime check logic:
claim - take shortest of proposed and configured lifetimes and notify initiator about it
exact - require lifetimes to be the same
obey - accept whatever is sent by an initiator
strict - if proposed lifetime is longer than the default then reject proposal otherwise accept proposed lifetime

remote-certificate (name) - name of a certificate for authenticating the remote side (validating packets; no private key required). Only needed if the RSA signature authentication method is used

secret (text; default: "") - secret string (in case pre-shared key authentication is used). If it starts with '0x', it is parsed as a hexadecimal value

send-initial-contact (yes | no; default: yes) - specifies whether to send initial IKE information or wait for the remote side

Notes




AES (Advanced Encryption Standard) encryption algorithms are much faster than DES, so it is recommended to use this algorithm class whenever possible. But AES's speed is also its drawback, as it can potentially be cracked faster, so use AES-256 when you need security or AES-128 when speed is also important.



Both peers MUST have the same encryption and authentication algorithms, DH group and exchange mode. Some legacy hardware may support only DES and MD5.



You should set the generate-policy flag to yes only for trusted peers, because no verification is done for the established policy. To protect yourself against possible unwanted events, add policies with action=none for all networks you do not want to be encrypted at the top of the policy list. Since dynamic policies are added at the bottom of the list, they will not be able to override your configuration. Alternatively, you can use policy priorities to force some policies to always be active.
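Two of the rules above are easy to get wrong and cheap to check before the tunnel is brought up: the policy mirroring rule from the Policy Settings notes (src-address/sa-src-address on one router must equal dst-address/sa-dst-address on the other, prefix length included) and the four proposal-check modes. The block below is an added example, not RouterOS code: the PolicyCfg record, the unmirrored_policies and proposal_check functions and the sample router configurations (the manual's two-router tunnel-mode example plus the /27 versus /28 mismatch the notes warn about) are assumptions made for this example; the mirroring rule and the mode semantics follow the text.

```python
"""Consistency checks for a pair of IKE-keyed RouterOS IPsec routers.

Added example, not RouterOS code.  The mirroring rule for policies and the
four proposal-check modes follow the manual text; the record class and the
sample router configurations are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class PolicyCfg:
    src_address: str        # network prefix, e.g. "10.1.0.0/24"
    dst_address: str
    sa_src_address: str     # local peer
    sa_dst_address: str     # remote peer
    tunnel: bool = False
    action: str = "encrypt"

    def normalized(self) -> "PolicyCfg":
        # Canonicalize spelling only: "1.2.3.0/27" and "1.2.3.0/28" must stay different.
        return PolicyCfg(str(ip_network(self.src_address, strict=False)),
                         str(ip_network(self.dst_address, strict=False)),
                         self.sa_src_address, self.sa_dst_address, self.tunnel, self.action)

    def mirrored(self) -> "PolicyCfg":
        """What the peer router's matching policy has to look like."""
        n = self.normalized()
        return PolicyCfg(n.dst_address, n.src_address, n.sa_dst_address, n.sa_src_address,
                         n.tunnel, n.action)


def unmirrored_policies(router_a: List[PolicyCfg], router_b: List[PolicyCfg]) -> List[Tuple[str, PolicyCfg]]:
    """Every encrypt policy on either router that has no exact mirror on the other.

    Such a policy never gets an SA via IKE, because the two peers' phase 2
    proposals describe different traffic selectors.
    """
    a_set = {p.normalized() for p in router_a}
    b_set = {p.normalized() for p in router_b}
    problems = []
    for side, own, other in (("A", router_a, b_set), ("B", router_b, a_set)):
        for pol in own:
            if pol.action == "encrypt" and pol.mirrored() not in other:
                problems.append((side, pol))
    return problems


def proposal_check(mode: str, proposed: int, configured: int) -> Tuple[bool, int]:
    """Responder-side phase 2 lifetime check for one proposal-check mode.

    Returns (accepted, lifetime_to_use); the lifetime is 0 when rejected.
    """
    if mode == "obey":                  # accept whatever the initiator sent
        return True, proposed
    if mode == "exact":                 # lifetimes must be identical
        return (proposed == configured), (configured if proposed == configured else 0)
    if mode == "claim":                 # take the shorter one and notify the initiator
        return True, min(proposed, configured)
    if mode == "strict":                # longer than ours is rejected, shorter is accepted
        return (False, 0) if proposed > configured else (True, proposed)
    raise ValueError(f"unknown proposal-check mode: {mode}")


# Constructed samples: the manual's two-router tunnel-mode example, and the
# mismatched /27 vs /28 prefixes the policy notes warn about.
ROUTER1 = [PolicyCfg("10.1.0.0/24", "10.2.0.0/24", "1.0.0.1", "1.0.0.2", tunnel=True)]
ROUTER2 = [PolicyCfg("10.2.0.0/24", "10.1.0.0/24", "1.0.0.2", "1.0.0.1", tunnel=True)]
BAD_ROUTER1 = [PolicyCfg("1.2.3.0/27", "10.2.0.0/24", "1.0.0.1", "1.0.0.2", tunnel=True)]
BAD_ROUTER2 = [PolicyCfg("10.2.0.0/24", "1.2.3.0/28", "1.0.0.2", "1.0.0.1", tunnel=True)]

if __name__ == "__main__":
    print("good pair problems:", unmirrored_policies(ROUTER1, ROUTER2))
    print("bad pair problems:", unmirrored_policies(BAD_ROUTER1, BAD_ROUTER2))
    print("strict, proposed 3600 vs configured 1800:", proposal_check("strict", 3600, 1800))
```

Running the mirror check against both routers' policy exports before enabling IKE turns the "policies must exactly match" rule into a mechanical test rather than a debugging session over ph2-state=no-phase2.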


Example


To define a new peer configuration for the 10.0.0.147 peer with secret=gwejimezyfopmekun:
[admin@MikroTik] ip ipsec peer> add address=10.0.0.147/32 \
\... secret=gwejimezyfopmekun
[admin@MikroTik] ip ipsec peer> print
Flags: X - disabled
0 address=10.0.0.147/32:500 auth-method=pre-shared-key
secret="gwejimezyfopmekun" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0

[admin@MikroTik] ip ipsec peer>


Remote Peer Statistics


Submenu level: /ip ipsec remote-peers

Description


This submenu provides various statistics about remote peers that currently have established phase 1 connections with this router. Note that if a peer does not show up here, it does not mean that no IPsec traffic is being exchanged with it. For example, manually configured SAs will not show up here.


Property Description


local-address (read-only: IP address) - local ISAKMP SA address

remote-address (read-only: IP address) - peer's IP address

side (multiple choice, read-only: initiator | responder) - shows which side initiated the connection
initiator - phase 1 negotiation was started by this router
responder - phase 1 negotiation was started by the peer

state (read-only: text) - state of the phase 1 negotiation with the peer
established - normal working state


Example


To see currently established SAs:
[admin@MikroTik] ip ipsec> remote-peers print
0 local-address=10.0.0.148 remote-address=10.0.0.147 state=established
side=initiator
[admin@MikroTik] ip ipsec>


Installed SAs


Submenu level: /ip ipsec installed-sa

Description


This facility provides information about installed security associations, including the keys.


Property Description


add-lifetime (read-only: time) - soft/hard expiration time counted from installation of the SA

addtime (read-only: text) - time when this SA was installed

auth-algorithm (multiple choice, read-only: none | md5 | sha1) - authentication algorithm used in the SA

auth-key (read-only: text) - authentication key presented as a hex string

current-bytes (read-only: integer) - amount of data processed by this SA's crypto algorithms

dst-address (read-only: IP address) - destination address of the SA, taken from the respective policy

enc-algorithm (multiple choice, read-only: none | des | 3des | aes) - encryption algorithm used in the SA

enc-key (read-only: text) - encryption key presented as a hex string (not applicable to AH SAs)

lifebytes (read-only: integer) - soft/hard expiration threshold for the amount of processed data

replay (read-only: integer) - size of the replay window, in bytes. This window protects the receiver against replay attacks by rejecting old or duplicate packets

spi (read-only: integer) - SPI value of the SA, represented in hexadecimal form

src-address (read-only: IP address) - source address of the SA, taken from the respective policy

state (multiple choice, read-only: larval | mature | dying | dead) - SA living phase

use-lifetime (read-only: time) - soft/hard expiration time counted from the first use of the SA

usetime (read-only: text) - time when this SA was first used
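The replay window mentioned above is a sliding bitmap of recently accepted ESP/AH sequence numbers; the replay=4 shown in the printouts below is a 4-byte, i.e. 32-packet, window. The block below is an added example, not RouterOS code: it implements the window scheme of RFC 2401 Appendix C, and the ReplayWindow class, its method names and the constructed arrival order are assumptions made for this example. It shows the three outcomes a receiver must distinguish: a packet newer than anything seen (slide the window), a late packet still inside the window (accept once, then reject as a replay) and a packet that fell behind the window (reject even though it was never seen).

```python
"""ESP anti-replay sliding window (RFC 2401 Appendix C style).

Added example, not RouterOS code: the class, its API and the sample arrival
order are constructed here.  A window of replay=4 bytes is 32 sequence numbers.
"""
from typing import List, Tuple


class ReplayWindow:
    def __init__(self, size_bytes: int = 4) -> None:
        self.size = size_bytes * 8          # window width in sequence numbers
        self.mask = (1 << self.size) - 1
        self.right = 0                      # highest sequence number accepted so far
        self.bitmap = 0                     # bit i set => sequence (right - i) was accepted

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window.

        Call this only after the packet's integrity check (ICV) has passed;
        otherwise a forged packet with a large sequence number could slide the
        window past legitimate, not yet received packets.
        """
        if seq == 0:                        # sequence number 0 is never sent on an SA
            return False
        if seq > self.right:                # newer than anything seen: slide the window
            shift = seq - self.right
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & self.mask
            self.right = seq
            return True
        offset = self.right - seq
        if offset >= self.size:             # older than the window: reject
            return False
        if (self.bitmap >> offset) & 1:     # already accepted: replay
            return False
        self.bitmap |= 1 << offset          # late but new: accept and record
        return True


def run_sequence(seqs: List[int], size_bytes: int = 4) -> List[Tuple[int, bool]]:
    """Feed an arrival order through one window; returns (seq, accepted) pairs."""
    win = ReplayWindow(size_bytes)
    return [(s, win.check_and_update(s)) for s in seqs]


# Constructed arrival order: in-order packets, a duplicate, a jump ahead, a packet
# that fell out of the window, a late-but-valid packet, its replay, and sequence 0.
SAMPLE_ARRIVALS = [1, 2, 3, 2, 40, 8, 9, 9, 0]

if __name__ == "__main__":
    for seq, ok in run_sequence(SAMPLE_ARRIVALS):
        print(f"seq={seq:3d} {'accept' if ok else 'reject'}")
```

The window is why the installed-sa printout can show a healthy SA while a few packets are still dropped on a badly reordering path: anything more than 32 packets behind the newest one is rejected by design, and the fix for such links is a wider window, not disabling replay protection.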

Example


Sample printout looks as follows:
[admin@MikroTik] ip ipsec> installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=E727605 src-address=10.0.0.148 dst-address=10.0.0.147
auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
auth-key="ecc5f4aee1b297739ec88e324d7cfb8594aa6c35"
enc-key="d6943b8ea582582e449bde085c9471ab0b209783c9eb4bbd"
addtime=jan/28/2003 20:55:12 add-lifetime=24m/30m
usetime=jan/28/2003 20:55:23 use-lifetime=0s/0s current-bytes=128
lifebytes=0/0

1 E spi=E15CEE06 src-address=10.0.0.147 dst-address=10.0.0.148
auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
auth-key="8ac9dc7ecebfed9cd1030ae3b07b32e8e5cb98af"
enc-key="8a8073a7afd0f74518c10438a0023e64cc660ed69845ca3c"
addtime=jan/28/2003 20:55:12 add-lifetime=24m/30m
usetime=jan/28/2003 20:55:12 use-lifetime=0s/0s current-bytes=512
lifebytes=0/0
[admin@MikroTik] ip ipsec>


Flushing Installed SA Table


Command name: /ip ipsec installed-sa flush

Description


Sometimes, after incorrect or incomplete negotiations have taken place, it is necessary to flush the installed SA table manually so that the SAs can be renegotiated. The flush command provides this.


Property Description


sa-type (multiple choice: ah | all | esp; default: all) - specifies SA types to flush
ah - delete AH protocol SAs only
esp - delete ESP protocol SAs only
all - delete both ESP and AH protocols SAs


Example


To flush all the SAs installed:
[admin@MikroTik] ip ipsec installed-sa> flush
[admin@MikroTik] ip ipsec installed-sa> print
[admin@MikroTik] ip ipsec installed-sa>


Application Examples



MikroTik Router to MikroTik Router


MT to MT


  • transport mode example using ESP with automatic keying


    • for Router1
      [admin@Router1] > ip ipsec policy add sa-src-address=1.0.0.1 sa-dst-address=1.0.0.2 \
      \... action=encrypt
      [admin@Router1] > ip ipsec peer add address=1.0.0.2 \
      \... secret="gvejimezyfopmekun"


    • for Router2
      [admin@Router2] > ip ipsec policy add sa-src-address=1.0.0.2 sa-dst-address=1.0.0.1 \
      \... action=encrypt
      [admin@Router2] > ip ipsec peer add address=1.0.0.1 \
      \... secret="gvejimezyfopmekun"




  • transport mode example using ESP with automatic keying and automatic policy generating on Router 1 and static policy on Router 2


    • for Router1
      [admin@Router1] > ip ipsec peer add address=1.0.0.0/24 \
      \... secret="gvejimezyfopmekun" generate-policy=yes


    • for Router2
      [admin@Router2] > ip ipsec policy add sa-src-address=1.0.0.2 sa-dst-address=1.0.0.1 \
      \... action=encrypt
      [admin@Router2] > ip ipsec peer add address=1.0.0.1 \
      \... secret="gvejimezyfopmekun"




  • tunnel mode example using AH with manual keying


    • for Router1
      [admin@Router1] > ip ipsec manual-sa add name=ah-sa1 \
      \... ah-spi=0x101/0x100 ah-key=abcfed
      [admin@Router1] > ip ipsec policy add src-address=10.1.0.0/24 \
      \... dst-address=10.2.0.0/24 action=encrypt ipsec-protocols=ah \
      \... tunnel=yes sa-src=1.0.0.1 sa-dst=1.0.0.2 manual-sa=ah-sa1


    • for Router2
      [admin@Router2] > ip ipsec manual-sa add name=ah-sa1 \
      \... ah-spi=0x100/0x101 ah-key=abcfed
      [admin@Router2] > ip ipsec policy add src-address=10.2.0.0/24 \
      \... dst-address=10.1.0.0/24 action=encrypt ipsec-protocols=ah \
      \... tunnel=yes sa-src=1.0.0.2 sa-dst=1.0.0.1 manual-sa=ah-sa1







IPsec Between two Masquerading MikroTik Routers


MT to MT with Masquerading


  1. Add accept and masquerading rules in SRC-NAT


    • for Router1
      [admin@Router1] > ip firewall nat add chain=srcnat src-address=10.1.0.0/24 \
      \... dst-address=10.2.0.0/24 action=accept
      [admin@Router1] > ip firewall nat add chain=srcnat out-interface=public \
      \... action=masquerade


    • for Router2
      [admin@Router2] > ip firewall nat add chain=srcnat src-address=10.2.0.0/24 \
      \... dst-address=10.1.0.0/24 action=accept
      [admin@Router2] > ip firewall nat add chain=srcnat out-interface=public \
      \... action=masquerade




  2. configure IPsec


    • for Router1
      [admin@Router1] > ip ipsec policy add src-address=10.1.0.0/24 \
      \... dst-address=10.2.0.0/24 action=encrypt tunnel=yes \
      \... sa-src-address=1.0.0.1 sa-dst-address=1.0.0.2
      [admin@Router1] > ip ipsec peer add address=1.0.0.2 \
      \... exchange-mode=aggressive secret="gvejimezyfopmekun"


    • for Router2
      [admin@Router2] > ip ipsec policy add src-address=10.2.0.0/24 \
      \... dst-address=10.1.0.0/24 action=encrypt tunnel=yes \
      \... sa-src-address=1.0.0.2 sa-dst-address=1.0.0.1
      [admin@Router2] > ip ipsec peer add address=1.0.0.1 \
      \... exchange-mode=aggressive secret="gvejimezyfopmekun"







MikroTik router to CISCO Router


MT to CISCO

We will configure IPsec in tunnel mode in order to protect traffic between attached subnets.


  1. Add peer (with phase1 configuration parameters), DES and SHA1 will be used to protect IKE traffic


    • for MikroTik router
      [admin@MikroTik] > ip ipsec peer add address=10.0.1.2 \
      \... secret="gvejimezyfopmekun" enc-algorithm=des


    • for CISCO router
      ! Configure ISAKMP policy (phase1 config, must match configuration
      ! of "/ip ipsec peer" on RouterOS). Note that DES is default
      ! encryption algorithm on Cisco. SHA1 is default authentication
      ! algorithm
      crypto isakmp policy 9
      encryption des
      authentication pre-share
      group 2
      hash md5
      exit

      ! Add preshared key to be used when talking to RouterOS
      crypto isakmp key gvejimezyfopmekun address 10.0.1.1 255.255.255.255




  2. Set encryption proposal (phase2 proposal - settings that will be used to encrypt actual data) to use DES to encrypt data


    • for MikroTik router
      [admin@MikroTik] > ip ipsec proposal set default enc-algorithms=des


    • for CISCO router
      ! Create IPsec transform set - transformations that should be applied to
      ! traffic - ESP encryption with DES and ESP authentication with SHA1
      ! This must match "/ip ipsec proposal"
      crypto ipsec transform-set myset esp-des esp-sha-hmac
      mode tunnel
      exit




  3. Add policy rule that matches traffic between subnets and requires encryption with ESP in tunnel mode


    • for MikroTik router
      [admin@MikroTik] > ip ipsec policy add \
      \... src-address=10.0.0.0/24 dst-address=10.0.2.0/24 action=encrypt \
      \... tunnel=yes sa-src=10.0.1.1 sa-dst=10.0.1.2


    • for CISCO router
      ! Create access list that matches traffic that should be encrypted
      access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.0.255
      ! Create crypto map that will use transform set "myset", use peer 10.0.1.1
      ! to establish SAs and encapsulate traffic and use access-list 101 to
      ! match traffic that should be encrypted
      crypto map mymap 10 ipsec-isakmp
      set peer 10.0.1.1
      set transform-set myset
      set pfs group2
      match address 101
      exit
      ! And finally apply crypto map to serial interface:
      interface Serial 0
      crypto map mymap
      exit




  4. Testing the IPsec tunnel


    • on MikroTik router we can see installed SAs
      [admin@MikroTik] ip ipsec installed-sa> print
      Flags: A - AH, E - ESP, P - pfs
      0 E spi=9437482 src-address=10.0.1.1 dst-address=10.0.1.2
      auth-algorithm=sha1 enc-algorithm=des replay=4 state=mature
      auth-key="9cf2123b8b5add950e3e67b9eac79421d406aa09"
      enc-key="ffe7ec65b7a385c3" addtime=jul/12/2002 16:13:21
      add-lifetime=24m/30m usetime=jul/12/2002 16:13:21 use-lifetime=0s/0s
      current-bytes=71896 lifebytes=0/0
      1 E spi=319317260 src-address=10.0.1.2 dst-address=10.0.1.1
      auth-algorithm=sha1 enc-algorithm=des replay=4 state=mature
      auth-key="7575f5624914dd312839694db2622a318030bc3b"
      enc-key="633593f809c9d6af" addtime=jul/12/2002 16:13:21
      add-lifetime=24m/30m usetime=jul/12/2002 16:13:21 use-lifetime=0s/0s
      current-bytes=0 lifebytes=0/0
      [admin@MikroTik] ip ipsec installed-sa>


    • on CISCO router
      cisco# show interface Serial 0
      interface: Serial1
      Crypto map tag: mymap, local addr. 10.0.1.2
      local ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      current_peer: 10.0.1.1
      PERMIT, flags={origin_is_acl,}
      #pkts encaps: 1810, #pkts encrypt: 1810, #pkts digest 1810
      #pkts decaps: 1861, #pkts decrypt: 1861, #pkts verify 1861
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0
      local crypto endpt.: 10.0.1.2, remote crypto endpt.: 10.0.1.1
      path mtu 1500, media mtu 1500
      current outbound spi: 1308650C
      inbound esp sas:
      spi: 0x90012A(9437482)
      transform: esp-des esp-sha-hmac ,
      in use settings ={Tunnel, }
      slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
      sa timing: remaining key lifetime (k/sec): (4607891/1034)
      IV size: 8 bytes
      replay detection support: Y
      inbound ah sas:
      inbound pcp sas:
      outbound esp sas:
      spi: 0x1308650C(319317260)
      transform: esp-des esp-sha-hmac ,
      in use settings ={Tunnel, }
      slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
      sa timing: remaining key lifetime (k/sec): (4607893/1034)
      IV size: 8 bytes
      replay detection support: Y
      outbound ah sas:
      outbound pcp sas:
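Added example (not from the MikroTik manual): a Python script that parses the two listings above and cross-checks them, confirming that every SPI RouterOS installed is present on the Cisco side in the right direction (the SA whose destination is the Cisco address must be the Cisco's inbound SA) with the transform the proposal promised, and reporting DES or MD5 as weak. The samples are constructed from the two listings; the RouterOS-to-Cisco algorithm name mapping is an assumption of the example.

```python
import re
# Constructed samples: the SPI, address and algorithm lines of the two listings in the test step.
MT_OUTPUT = """0 E spi=9437482 src-address=10.0.1.1 dst-address=10.0.1.2
auth-algorithm=sha1 enc-algorithm=des replay=4 state=mature
1 E spi=319317260 src-address=10.0.1.2 dst-address=10.0.1.1
auth-algorithm=sha1 enc-algorithm=des replay=4 state=mature"""
CISCO_OUTPUT = """inbound esp sas:
spi: 0x90012A(9437482)
transform: esp-des esp-sha-hmac ,
outbound esp sas:
spi: 0x1308650C(319317260)
transform: esp-des esp-sha-hmac ,"""
# RouterOS algorithm name -> Cisco transform keyword (assumed mapping); DES and MD5 are reported as weak
XFORM = {"des": "esp-des", "3des": "esp-3des", "sha1": "esp-sha-hmac", "md5": "esp-md5-hmac"}
WEAK = {"des", "md5"}

def parse_mt(text):  # {spi: {src, dst, enc, auth}} from the RouterOS installed-sa listing
    sas, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"\d+ \S+ spi=(\d+) src-address=(\S+) dst-address=(\S+)", line):
            cur = sas[int(m.group(1))] = {"src": m.group(2), "dst": m.group(3)}
        elif cur is not None and line.startswith("auth-algorithm="):
            kv = dict(p.split("=", 1) for p in line.split())
            cur.update(enc=kv["enc-algorithm"], auth=kv["auth-algorithm"])
    return sas

def parse_cisco(text):  # {spi: {dir, xforms}} from the inbound/outbound esp sections
    sas, direction, cur = {}, None, None
    for line in text.splitlines():
        if line.endswith("esp sas:"):
            direction = line.split()[0]
        elif m := re.match(r"spi: 0x[0-9A-Fa-f]+\((\d+)\)", line):
            cur = sas[int(m.group(1))] = {"dir": direction, "xforms": []}
        elif cur is not None and line.startswith("transform:"):
            cur["xforms"] = line.split(":", 1)[1].rstrip(" ,").split()
    return sas

def cross_check(mt, cisco, cisco_addr):  # every RouterOS SA must match a Cisco SA in direction and algorithms
    problems = []
    for spi, sa in mt.items():
        c = cisco.get(spi, {"dir": "missing", "xforms": []})
        want = "inbound" if sa["dst"] == cisco_addr else "outbound"  # Cisco receives on its own address
        if c["dir"] != want:
            problems.append(f"spi {spi}: Cisco lists it as {c['dir']}, expected {want}")
        for alg in (sa["enc"], sa["auth"]):
            if XFORM.get(alg) not in c["xforms"]:
                problems.append(f"spi {spi}: {alg} missing from Cisco transform {c['xforms']}")
            if alg in WEAK:
                problems.append(f"spi {spi}: weak algorithm {alg} in use")
    return problems
```

With the manual's listings the only findings are the two "weak algorithm des" lines, which is exactly what a DES tunnel should report.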







MikroTik Router and Linux FreeS/WAN


In the test scenario we have 2 private networks: 10.0.0.0/24 connected to the MT and 192.168.87.0/24 connected to Linux. MT and Linux are connected together over the "public" network 192.168.0.0/24:

MT to FreeS/WAN


  • FreeS/WAN configuration:
    config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=all
        plutoload=%search
        plutostart=%search
        uniqueids=yes

    conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig

    conn mt
        left=192.168.0.108
        leftsubnet=192.168.87.0/24
        right=192.168.0.155
        rightsubnet=10.0.0.0/24
        authby=secret
        pfs=no
        auto=add


  • ipsec.secrets config file:
    192.168.0.108 192.168.0.155 : PSK "gvejimezyfopmekun"


  • MikroTik Router configuration:
    [admin@MikroTik] > /ip ipsec peer add address=192.168.0.108 \
    \... secret="gvejimezyfopmekun" hash-algorithm=md5 enc-algorithm=3des \
    \... dh-group=modp1024 lifetime=28800s

    [admin@MikroTik] > /ip ipsec proposal set default auth-algorithms=md5 \
    \... enc-algorithms=3des pfs-group=none

    [admin@MikroTik] > /ip ipsec policy add sa-src-address=192.168.0.155 \
    \... sa-dst-address=192.168.0.108 src-address=10.0.0.0/24 \
    \... dst-address=192.168.87.0/24 tunnel=yes
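Added example (not from the MikroTik manual or FreeS/WAN): a Python checker that reads the "conn mt" section, the ipsec.secrets line and the three RouterOS commands above and reports every setting that does not agree between the two ends (left/right addresses against the peer and policy, the swapped subnets, the pre-shared key, and PFS disabled on both sides), which are the values that must match for phase 1 and phase 2 to complete. Samples are constructed from the listing, with the RouterOS continuation lines joined and the proposal command assumed to be written as "/ip ipsec proposal set default ...".

```python
import re

# Constructed samples copied from the listing: the "conn mt" section, the ipsec.secrets line
# and the three RouterOS commands with their "\..." continuation lines joined.
IPSEC_CONF = """conn mt
    left=192.168.0.108
    leftsubnet=192.168.87.0/24
    right=192.168.0.155
    rightsubnet=10.0.0.0/24
    authby=secret
    pfs=no
    auto=add"""
IPSEC_SECRETS = '192.168.0.108 192.168.0.155 : PSK "gvejimezyfopmekun"'
ROUTEROS = """/ip ipsec peer add address=192.168.0.108 secret="gvejimezyfopmekun" hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=28800s
/ip ipsec proposal set default auth-algorithms=md5 enc-algorithms=3des pfs-group=none
/ip ipsec policy add sa-src-address=192.168.0.155 sa-dst-address=192.168.0.108 src-address=10.0.0.0/24 dst-address=192.168.87.0/24 tunnel=yes"""

def parse_conn(text, name):  # parameters of one conn section (the indented lines under its header)
    params, inside = {}, False
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):
            inside = line.strip() == f"conn {name}"
        elif inside and "=" in line:
            k, v = line.strip().split("=", 1)
            params[k] = v
    return params

def parse_secrets(text):  # {(left, right): psk} from lines of the form 'a b : PSK "..."'
    return {(m.group(1), m.group(2)): m.group(3)
            for m in re.finditer(r'^(\S+) (\S+) : PSK "([^"]*)"', text, re.M)}

def parse_routeros(text):  # {menu: {key: value}} per "/ip ipsec <menu> ..." line, quotes stripped
    out = {}
    for line in text.splitlines():
        out[line.split()[2]] = {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', line)}
    return out

def check(conn, secrets, ros):
    """Return the settings on which the FreeS/WAN conn and the RouterOS peer/proposal/policy disagree."""
    peer, prop, pol = ros["peer"], ros["proposal"], ros["policy"]
    pairs = {  # label: (RouterOS value, FreeS/WAN value); left is the Linux end, right the MT end
        "peer address vs left": (peer["address"], conn["left"]),
        "policy sa-dst vs left": (pol["sa-dst-address"], conn["left"]),
        "policy sa-src vs right": (pol["sa-src-address"], conn["right"]),
        "policy src vs rightsubnet": (pol["src-address"], conn["rightsubnet"]),
        "policy dst vs leftsubnet": (pol["dst-address"], conn["leftsubnet"]),
        "pfs disabled on both": (prop["pfs-group"] == "none", conn.get("pfs", "yes") == "no"),
        "pre-shared key": (peer["secret"], secrets.get((conn["left"], conn["right"]))),
    }
    return [f"{label}: {a!r} != {b!r}" for label, (a, b) in pairs.items() if a != b]
```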




© Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA. Other trademarks and registered trademarks mentioned herein are properties of their respective owners.